
                           E P I C  A l e r t
Volume 14.01                                            January 12, 2007

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] House Passes Homeland Security Bill
[2] Pentagon to Restrict Data Used in Teen Recruiting
[3] ICANN Seeks Public Comment on Whois Privacy
[4] EPIC Urges State Dept. to Drop Plan for Flawed ID System
[5] Privacy Office: Secure Flight Violated Federal Privacy Law
[6] Bush 'Signing Statement' May Allow Warrantless Search of Mail
[7] News in Brief
[8] EPIC Bookstore: "Encyclopedia of Privacy"
[9] Upcoming Conferences and Events

[1] House Passes Homeland Security Bill

The new Congress this week passed a measure intended to implement
recommendations of the 9/11 Commission. Among other provisions, the bill
aims to strengthen the oversight powers of government civil
liberties and privacy officers and mandates inspection of all land and
sea cargo entering the US.

The bill removes the Privacy and Civil Liberties Oversight Board from
the White House and turns it into an independent agency. Board members
must be approved by the Senate, and the Board must report directly to
Congressional oversight committees. The bill also directs other
government agencies to appoint Privacy and Civil Liberties Officers who
will be accountable to Congress and to the Privacy and Civil Liberties
Oversight Board, and expands the powers of the Chief Privacy Officer of
the Department of Homeland Security.

The new setup for the Board includes many of the recommendations
advanced by EPIC in its 2006 report on privacy oversight in the
post-9/11 world, which emphasized that the Board must act in the public
eye in order to increase its transparency and accountability. EPIC also
called for the Board to have the authority to issue subpoenas, a power
conferred by the new bill, in order to make its oversight activities
more meaningful.

The new structure for the Privacy and Civil Liberties Board addresses
several of the concerns regarding the inability of the current board to
provide meaningful oversight and to ensure compliance with federal law.
The bill is likely to encounter opposition from the White House and may
be subject to a veto or a court challenge on the grounds that requiring
executive branch officials to report to Congress may be viewed as an
encroachment on presidential power.

The new bill also includes a commitment to improve the inspection of
cargo carried on passenger aircraft and ships destined for the U.S.  The
legislation mandates inspection of all air cargo and requires that every
sea cargo container be screened before reaching U.S. shores.

EPIC has supported the use of improved screening procedures for cargo
entering the United States, but opposed the use of these techniques,
such as the Automated Targeting System, to screen individuals by
conducting secret background checks.

New York Times, "Under-the-Rug Oversight," Dec. 29, 2006:

Implementing the 9/11 Commission Recommendations Act of 2007:

EPIC Testimony Before 9/11 Commission (pdf):

EPIC Report on Oversight:

EPIC's Automated Targeting System Page:

[2] Pentagon to Restrict Data Used in Teen Recruiting

In May 2005, the Department of Defense announced that it had created a
massive database for recruiting. The "Joint Advertising and Market
Research" system proposed to combine student information, Social
Security Numbers, and information from state motor vehicle repositories
into a mega database of all those 16-25 years of age.  The information
would be housed at a private direct marketing firm. In June 2005, EPIC
and eight privacy and consumer groups objected to the creation of the
database, arguing that it violated the Privacy Act and was unnecessarily

It was announced this week in the settlement of a lawsuit brought by the
New York Civil Liberties Union that the Department of Defense has agreed
to limit access to the recruitment database. The lawsuit charged that
the system was in violation of a 1982 recruitment law that prohibited
the collection of information on individuals under the age of 17. In
2005, when the database was disclosed, it contained records on an
estimated 30 million individuals. Although the database was purportedly
created for recruitment purposes, its information was also being shared
with law enforcement, intelligence, and other government agencies.

EPIC comments brought public scrutiny to the Department of Defense's
database. Problems identified with the database included the sources of
the information being used to build the database, an inability to opt
out of the data retention plan, and the clear illegality in the creation
of the database. The federal Privacy Act requires that, before an agency
creates or alters a system of records, public notice be provided
through the Federal Register. The Department of Defense failed to
fulfill its obligations of public notice by waiting 2 years to make
public that it had created the database.

EPIC Memo on Department of Defense Database (pdf):


Coalition Letter to the Department of Defense:


[3] ICANN Seeks Public Comment on Whois Privacy

On November 24, 2006, the Internet Corporation for Assigned Names and
Numbers (ICANN) invited public comments on its Preliminary Task Force
Report on WHOIS services. The report highlights two different
approaches to limitations on the public availability of WHOIS data.

The first proposal, supported by the Registrar, Registry, and
Non-Commercial Users Constituencies, removes registrants' mailing
addresses, phone and fax numbers and email addresses from the Whois
database, and requires the use of an "operational point of contact," an
intermediary who would contact the registrant in the case of an issue
with the domain name. WHOIS would continue to publish the registrant's
name and country.

The second proposal, supported by the Intellectual Property and Business
Constituencies, retains the current data fields required under WHOIS,
but allows individuals who can demonstrate reasonable concern that
public access to their contact data would jeopardize their personal
safety or security to substitute contact details of the registrar for
their data.

ICANN's current policy requiring the publication of personal information
violates the privacy rights of registrants and may violate international
laws and the privacy rights in the UN's Universal Declaration of Human
Rights. In its preliminary report, the Task Force agrees that new
mechanisms to restrict some contact data from publication should be
adopted to address privacy concerns.

EPIC has prepared comments for submission to ICANN on the Preliminary
Report. EPIC supports the Operational Point of Contact proposal's
removal of registrants' postal addresses, phone and fax numbers and
email addresses from the Whois database, but pushes for the deletion of
registrants' names and countries of origin from the Whois public
database as well. As explained in Privacy and Human Rights 2005,
concealing actual identity may be critical for political, artistic, and
religious expression on the Internet.

The public comment period runs until January 15, 2007. The task force
will consider the public comments received and prepare a final report
for submission to the Generic Names Supporting Organization Council.

ICANN Launches Public Comments on WHOIS Task Force Report:


ICANN Preliminary Task Force Report on WHOIS Services:




[4] EPIC Urges State Dept. to Drop Plan for Flawed ID System

In comments to the State Department, EPIC warned that a proposed People
Access Security Service (PASS) card for travel between the United
States, Canada, Mexico, and the Caribbean would jeopardize the privacy
and security of US travelers. EPIC urged the State Department to reject
the use of "vicinity read" (long-range) radio frequency identification
(RFID) technology, because it contains substantial privacy and security
risks, such as "skimming" and "eavesdropping", and it does not contain
Basic Access Control.

The data on the PASS card would include the personal information
currently displayed in passports, "bearer's facial image, full name,
date and place of birth, passport card number, dates of validity and
issuing authority." The card will use RFID technology to "store and
transmit" a unique reference number to the border official so that she
may access the traveler's information in a large federal database,
"which could include additional information, for example, information
about the bearer's membership in one of [Customs and Border
Protection's] international trusted traveler programs," according to the
State Department.

Although the State Department states that the tags will only carry a
unique reference number, and not personally identifiable information,
the numbers are linked to data files and are subject to interception.
EPIC explained that anytime a U.S. citizen is carrying his RFID-enabled
PASS card, his unique reference number, which is linked to his
individual biographic information, could be accessed by unauthorized
individuals. And because the RFID wireless technology is unseen, the
person would not know that his information was intercepted. Privacy and
security risks associated with RFID-enabled identification cards include
"skimming", or reading of RFID data from an unauthorized reader, and
"eavesdropping", interception of data as it is being read by an
authorized reader. These problems are exacerbated by "vicinity read"
RFID technology that will allow the passport card data to be read at a
distance of up to 20 feet from the reader.

Because the PASS cards, like U.S. passports, will be valid for 10 years,
it is certain that new means of attack will be developed, EPIC said.
While the distance necessary to read RFID tags was initially thought to
be a few inches, tests have shown they can be read from 70 feet or more.
If the Department of State does implement the long-range RFID-enabled
PASS card proposal, it should at least incorporate Basic Access Control,
or equivalent security features, into the cards, EPIC urged. Basic
Access Control would require the receiving device to authenticate itself
before gaining access to the data contained on the card.

EPIC Comments on the Western Hemisphere Travel Initiative Proposal (pdf):


State Department's Federal Register PASS Card Proposal:

EPIC's Spotlight on Surveillance: "Homeland Security PASS Card:
Leave Home Without It":



[5] Privacy Office: Secure Flight Violated Federal Privacy Law

A report from the privacy office of the Department of Homeland Security
has found that information provided by DHS about the airline screening
system was misleading and incomplete. The privacy office report follows
a Government Accountability Office report and testimony earlier this
year that the Transportation Security Administration approved Secure
Flight to become operational in September, despite inconclusive risk
assessments and 144 known security vulnerabilities. Congress suspended
the Secure Flight program earlier this year.

Secure Flight was introduced as a successor to the now-abandoned second
generation Computer Assisted Passenger Prescreening System (CAPPS II).
Many of the problems with CAPPS II that led to its demise continued to
plague Secure Flight in its test phase. The controversial program has
been the focus of two government investigations. On February 9, the
Government Accountability Office testified that "TSA may not have proper
controls in place to protect sensitive information", and that the
documents underlying the program "contained contradictory and missing

The report from the DHS privacy office found a sharp "disparity between
what TSA proposed to do and what it actually did in the testing
program". This "resulted in significant privacy concerns being raised
about the information collected to support the commercial data test as
well as about the Secure Flight program." The privacy office concluded
that, "Privacy missteps such as these undercut an agency's effort to
implement a program effectively, even one that promises to improve

EPIC has criticized the Secure Flight program in the past. Documents
obtained by EPIC in 2004 under the Freedom of Information Act revealed
that the government airline screening system would make extensive use of
commercial data without informing the public, as required by law. EPIC
also criticized Secure Flight's initial efforts to use inaccurate
commercial data in making passenger threat determinations.

DHS Privacy Office report on Secure Flight (Dec. 2006) (pdf):


Government Accountability Office Testimony on Secure Flight on Feb. 9,
2006 (pdf):


FOIA documents obtained by EPIC in 2004:


EPIC's page on Secure Flight:


[6] Bush 'Signing Statement' May Allow Warrantless Search of Mail

When President Bush signed the Postal Accountability and Enhancement
Act, he included a 'signing statement' that may give the government the
power to open citizens' mail without a warrant. Under the law, the
government must get warrants to open first-class letters, but in the
signing statement, Bush said he would construe the provision, "in a
manner consistent, to the maximum extent permissible, with the need to
conduct searches in exigent circumstances," which Bush defined as
protecting against hazardous materials and "the need for physical
searches specifically authorized by law for foreign intelligence

President Bush has issued at least 750 signing statements, more than all
other presidents combined, according to the American Bar Association. 
The very use of signing statements remains controversial for their
modification of duly enacted laws.  A 2006 report by the ABA emphasized
that signing statements "undermine the rule of law and our
constitutional system of separation of powers".

This most recent authorization comes less than a year after President
Bush admitted to approving the warrantless surveillance of international
telephone and Internet traffic by the National Security Agency. While
the program was ruled illegal in ACLU v. NSA, a decision of the Detroit
District Court, this decision has been stayed pending appeal. EPIC had
previously raised questions regarding the legality and the cost of the
domestic surveillance program. Despite high profile resignations and a
prolonged public outcry, President Bush has continued his support of the
NSA's surveillance program.

The postal amendment signing statement expands the executive right for
warrantless surveillance to include both digital and physical

Postal Accountability and Enhancement Act (pdf):

White House Signing Statement:

ABA Blue-Ribbon Task Force on Signing Statements:

ACLU v. NSA No.06-CV-10204 (pdf):

EPIC Spotlight on NSA Eavesdropping Program:

EPIC's Wiretapping Page:

[7] News in Brief

Senate Judiciary hearing on data mining

This week the Senate Judiciary Committee, now under new leadership,
turned its attention to government data mining efforts. Senator Leahy,
the committee chair, announced the introduction of the Federal Agency
Data Mining Reporting Act of 2007 -- previous versions were introduced
in 2003 and 2005. Responding to concerns that data mining is practically
ineffective and represents data collection on millions of Americans, the
bill aims to provide some oversight over the practice. Agencies will have to
report their uses of data mining to Congress.

Data Mining Hearing Webpage:

Previous Version of Federal Agency Data Mining Reporting Act (2005):

Supreme Court rejects opportunity to review secret travel ID

The Supreme Court on Monday, January 8th, refused to hear a challenge to
secret Transportation Security Administration (TSA) rules on passenger
identification. The case, Gilmore v. Gonzales, was filed after John
Gilmore was refused the ability to board a plane without showing ID. The
TSA also refused to reveal the "secret" regulations governing passenger
identification. Gilmore sued, claiming his right to travel anonymously
and a due process right to know the regulations he was expected to

EPIC's Amicus Brief in Favor of Gilmore's cert petition (pdf):

EPIC's Air Travel Privacy Page:

Gilmore Case Website:

OneDOJ program attempts to broaden data sharing

Over the past year and a half, the Justice Department has been
assembling a database of millions of case files in order to facilitate
information-sharing between law enforcement officials.  The OneDOJ
database already provides uniform access to over 1 million case records
from Justice's five main agencies: FBI; Bureau of Alcohol, Tobacco,
Firearms and Explosives; Drug Enforcement Administration; U.S. Marshals
Service and the Federal Bureau of Prisons. Currently, OneDOJ is allowing
local and state law enforcement regional access to Justice's records,
but plans to expand to allow local and state law enforcement to exchange
data nationally.

Deputy Attorney General's OneDOJ memorandum (pdf):

FTC seeks comments on ID theft

On December 28, 2006, the Federal Identity Theft Task Force announced it
"is seeking public comment on ways to improve the effectiveness and
efficiency of federal government efforts to reduce identity theft". The
Identity Theft Task Force is responsible for developing a strategic plan
to better prevent identity theft, coordinate prosecution, and ensure
recovery for victims. Comments must be filed on or before January 19,
2007. EPIC is in the process of drafting a response to the Identity
Theft Task Force.

Federal Trade Commission: Identity Theft Task Force Seeks Public

Federal Trade Commission: The President's Identity Theft Task Force web

EPIC's Federal Trade Commission Page:

Federal Trade Commission - President's Identity Theft Task Force Summary
of Interim Recommendations (pdf):

U.S. Securities and Exchange Commission Press Release: Federal Identity
Theft Task Force Seeks Public Comment:

January 28 is EU data protection day

The Council of Europe, with the support of the European Commission, will
be celebrating Data Protection Day on January 28, 2007. The aim of Data
Protection Day is to give European citizens the chance to understand
what personal data is collected and processed about them and why, and
what their rights are with respect to this processing. The day also
aims to educate individuals on the risks associated with the illegal
mishandling and unfair processing of their personal data. Each
interested member state, international and national body is organizing
events at a local level, such as panel discussions, media campaigns and
education programs.

Council of Europe Data Protection Day Page:

The Public Voice Page:

[8] EPIC Bookstore: "Encyclopedia of Privacy"

"Encyclopedia of Privacy" (in 2 volumes) edited by William G. Staples
(Greenwood Press 2007).


The Encyclopedia of Privacy takes a comprehensive look at the issue of
privacy in the United States today and throughout history. Edited by
William G. Staples, professor and chair of the Department of Sociology
at the University of Kansas, the Encyclopedia of Privacy is a useful
tool for laypersons and experts alike. Its 226 detailed but
accessibly-written entries, authored by over 100 privacy scholars and
experts, include topics as general as wiretapping and as specific as
Carnivore software.  The volumes also provide summaries of key cases,
brief biographies of notable personalities, a chronology of major
privacy-related events, and a short section on general privacy
resources.  Each entry also provides a list of resources for further

     -- Allison Knight


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[9] Upcoming Conferences and Events

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.01 -------------------------