                           E P I C  A l e r t
Volume 14.02                                            January 24, 2007

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] EPIC Urges Accountability and Privacy for Identity Theft Prevention
[2] Genetic Privacy Bill Introduced
[3] White House Backs Off Warrantless Surveillance Program
[4] DHS's Proposed Traveler Redress Program Does Not Help Passengers
[5] Australia Hosts APEC Meetings
[6] News in Brief
[7] EPIC Bookstore: "Digital Destiny"
[8] Upcoming Conferences and Events

[1] EPIC Urges Accountability and Privacy for Identity Theft Prevention

In comments to the Federal Identity Theft Task Force, EPIC said that
addressing the problem of identity theft requires strong preventative
measures and meaningful privacy rights for individuals. Identity theft
is a major threat to consumers, costing the economy 50 billion dollars a
year. The President created the Identity Theft Task Force in 2006 to
develop recommendations on the federal government's activities in the
areas of identity theft awareness, prevention, detection, and

The Task Force published Interim Recommendations that propose a
set of reforms aiming to limit the use of social security
numbers, improve authentication methods, and support victim recovery.
The Task Force requested comments prior to its concluding report.

EPIC stated in its comments that a scheme that requires the collection
of additional personal information with which to identify consumers
would only lure identity thieves by creating databases of high value as
well as further impairing victim recovery.  Instead, EPIC submitted that
an effective approach should address the root causes of identity theft:
excessive data collection and lax security practices. EPIC urged that
the task force promote responsible data collection practices, minimize
the amount of data collected, require security for personal data
warehouses and give consumers rights in the personal data that others

EPIC concluded that minimizing the risk of identity theft is most
effectively achieved by attaching costs to the collection and retention
of personal data. This internalization can be brought about by
comprehensive data security regulation and the use of privacy enhancing
technologies that would minimize or eliminate the collection of
personally identifiable information. EPIC further urged the Task Force
to act upon the comments in order to protect the privacy, identity and
economic livelihoods of American consumers. The public comment period is
now closed, and the Task Force's concluding report is soon to be
submitted to the President.

President's Identity Theft Task Force:
ID Theft Task Force Interim Recommendations (pdf):

EPIC's page on Identity Theft:

EPIC's Comments on Identity Theft (pdf):

[2] Genetic Privacy Bill Introduced

In a statement at the National Institutes of Health, President Bush
called on Congress to pass legislation to protect genetic privacy, so
that "medical research can go forward without an individual fearing
personal discrimination". A genetic privacy bill, which passed the
Senate in 2003 but died in the House, was reintroduced as the "Genetic
Information Nondiscrimination Act of 2007" in the House on January 16.

The bill states that Congress finds that as advances in genetics open
new opportunities for medical progress, these advances will also give
rise to the potential misuse of genetic information to discriminate,
particularly in the areas of health insurance and employment. The bill
seeks to establish a national standard to prohibit genetic
discrimination by health insurance providers and employers. Under the
bill, these entities cannot require genetic testing, cannot determine
premiums or eligibility for insurance or employment based on genetic
information, and are limited in their collection and use of genetic

In the health insurance context, the bill prevents the collection of
genetic information by group health plans and health insurance issuers,
as well as requiring conformance with pre-existing confidentiality
standards. The genetic information protected extends to the
individually-identifiable genetic information of an individual and his
or her family members, and includes information about requests for or
receipt of genetic services.

The bill also prohibits employment discrimination on the basis of
genetic information, making it unlawful for employers to use genetic
information to refuse to hire, discharge or discriminate against any
employee. Employers are also prohibited from collecting genetic
information on employees. Exceptions exist for inadvertent collection,
employer health or genetic services with employee consent, employer
purchase of commercially and publicly available documents that do not
include medical databases or court records, and genetic monitoring of
biological effects of toxic substances in the workplace. Importantly,
any information collected under these exceptions may not violate
employment discrimination and confidentiality of genetic information.

EPIC has filed amicus briefs in several cases in which it has
argued for stronger privacy protection for genetic information.

White House News and Policies: Press Release

H.R. 493, the Genetic Information Nondiscrimination Act of 2007:

EPIC's page on genetic privacy:

[3] White House Backs Off Warrantless Surveillance Program

This week the Bush administration said that it would no longer rely on
Presidential authorization for the warrantless monitoring of American
citizens in the United States. The controversial program, run by the
National Security Agency, was secretly approved by President Bush
following 9/11. For more than a year the administration defended the
legality of the domestic surveillance program and contested the
possibility of court oversight.

According to the White House, the program monitors international
telephone and e-mail communications of individuals in the U.S. who are
suspected of having links to terrorist groups. While proponents of
warrantless eavesdropping claim it does not infringe on legitimate
privacy rights and is a vital tool in the fight against terrorists,
opponents state that the eavesdropping program gives the government far
too much power with virtually no oversight, authorizing email and
telephone intercepts by U.S. intelligence officers without the
involvement of any court or judge. A number of privacy advocates have
declared the warrantless eavesdropping illegal.

Attorney General Alberto Gonzales told the leaders of the Senate
Judiciary Committee on January 17 that the Foreign Intelligence
Surveillance Court, created by the Foreign Intelligence Surveillance Act
(FISA) of 1978 in response to intelligence-gathering abuses that arose
in the Vietnam War era, will supervise the government's clandestine
eavesdropping operations from now on. The court will oversee
eavesdropping on telephone calls and e-mails to and from the United
States when there is probable cause to believe that one of the parties
is a member of a terrorist group.

White House and Justice officials asserted that the President was not
retreating from his stance that he has the constitutional and
legislative authority to order warrantless surveillance on international
calls, but that he is satisfied that the FISA process can move quickly
in order to authorize necessary surveillance.

Many remain critical of yesterday's announcement, indicating that while
a move from warrantless surveillance to secret court oversight was a
positive step, it does little to increase the transparency of government
surveillance for the American public, nor does the new plan address the
legality of the government's actions under the Domestic Surveillance
Program over the past four and a half years.

Letter from Attorney General Gonzales to Senators Leahy and Specter

EPIC Spotlight on Surveillance:

EPIC's page on Foreign Intelligence Surveillance Act:

[4] DHS's Proposed Traveler Redress Program Does Not Help Passengers

The Department of Homeland Security recently announced that it will
launch the Traveler Redress Inquiry Program on February 20, 2007. DHS
described the program as "a central gateway to address watch list
misidentification issues, situations where individuals believe they have
faced screening problems at immigration points of entry, or have been
unfairly or incorrectly delayed, denied boarding or identified for
additional screening at our nation's transportation hubs." There are
significant problems with the current redress process for travelers
mistakenly matched to watch lists, but EPIC's Spotlight on Surveillance
report explains that this system does not solve them.

The Transportation Security Administration (TSA) administers two lists
of names of individuals suspected of posing "a risk of air piracy or
terrorism or a threat to airline or passenger safety": a "no fly" list
and a "selectee" list. The lists are sent to the airlines, which run
passenger names against the lists. When a passenger checks in for a
flight, he may be labeled a threat if his name matches an entry on one
of the watch lists, even if he is not the person actually on the list. A
match to the "no fly" list requires the airline to notify TSA and to
call a law enforcement officer to detain and question the passenger. In
the case of a Selectee, an "S" or special mark is printed on the
individual's boarding pass and the person receives additional security
screening. Customs and Border Protection also uses the lists to screen

There have been myriad stories about mistakes associated with the watch
lists, with sometimes chilling results. An April 2006 report by the
Department of Homeland Security's Privacy Office on the impact of the
watch lists explained that "individuals who are mistakenly put on watch
lists or who are misidentified as being on these lists can potentially
face consequences ranging from inconvenience and delay to loss of
liberty." The report described complaints "alleg[ing] misconduct or
disrespect by airline, law enforcement, TSA or CBP officials" toward
people mistakenly matched. According to the Privacy Office, "Some
complaints alleged that officers […] told another traveler that he and
his wife and children were subjected to body searches because he was
born in Iraq, is Arab, and Muslim."

The watch lists, which the National Counterterrorism Center says include
325,000 names, are rife with mistakes and "false positives". In December
2005, the director of TSA's redress office revealed that more than
30,000 people who are not terrorists have asked TSA to remove their
names from the lists since September 11, 2001. Earlier this month, the
head of TSA said that the watch lists were being reviewed, and he
expected to cut the list of names in half.

The watch list errors and "false positive" problems currently arise not
because there are three agencies processing redress requests, but
because the records themselves are not subject to the Privacy Act. The
lack of enforcement of Privacy Act obligations means that individuals
are not given the opportunity to inspect, correct or limit the
dissemination of inaccurate information. Greater transparency in the
watch list process would lead to greater accuracy of the lists

Department of Homeland Security Press Release about TRIP:
Department of Homeland Security Privacy Office, Report (Apr. 27, 2006)
Government Accountability Office, "GAO-06-1031: Terrorist Watch List
Screening: Efforts to Help Reduce Adverse Effects on the Public" (Sept.
2006) (pdf):
EPIC's Spotlight on Surveillance on TRIP:
EPIC's page on Passenger Profiling:

[5] Australia Hosts APEC Meetings

Australia's hosting of 2007 Asia-Pacific Economic Cooperation (APEC)
events began with a series of Senior Officials Meetings in Canberra this
month. The protection of transborder flows of personal data received
considerable attention as an issue that is important for the ongoing
economic health and development of the Asia-Pacific.

On January 22, the APEC Electronic Commerce Steering Group held a Data
Privacy Seminar on the International Implementation of the APEC Privacy
Framework. The seminar focused on the development of Cross-Border
Privacy Rules that would satisfy the nine privacy principles articulated
in APEC's Privacy Framework.

The Cross-Border Privacy Rules are intended to assist businesses to
provide certainty to their customers on how their personal information
will be protected.  The Privacy Framework stresses clear accountability
in the flow of information among APEC countries, and sets out
recommended practices concerning the collection and use of personal
information, as well as notice, security, access and correction

This year's Australian meetings also include the first review in a
decade of whether new countries should be admitted to APEC.  Although
APEC has no treaty obligations required of its participants, the
adequacy of countries' data protection schemes may become an important
factor as APEC considers lifting the membership moratorium. In a recent
visit to India, the country leading the APEC membership bid, Australia's
Attorney-General "pointed to the protection provided in Australia under
the Privacy Act for personal information" and stressed that the "same
protection should exist for data that is sent to India as part of
outsourcing deals".

India's Commerce and Industry Minister promised that if the
self-regulatory regime proved inadequate, New Delhi would consider
further legislation.  Despite this assurance, Australia's
Attorney-General reiterated his concerns at the beginning of the APEC
Electronic Commerce Steering Group's Data Privacy Seminar, and stated
that Australian officials would be conducting further study into the
adequacy of India's and other countries' data protection legislation as
compared to Australia's.

APEC 2007 news release:
APEC Privacy Framework (pdf):
Government of Australia Attorney-General's Office: Data Privacy at APEC
Privacy and Human Rights 2005: Transborder Data Flows and Data Havens:

[6] News in Brief

Congress Introduces New Privacy Bills

Several new bills have been introduced this month, including the Federal
Agency Data Privacy Protection Act in the House and the Federal Agency
Data Mining Reporting Act of 2007 in the Senate. The House bill requires
the encryption of all "sensitive data" held by the federal government,
such as social security numbers and medical, financial and criminal
records, and limits the types and amounts of information that may be
accessed by federal government employees and contractors. The Senate
bill requires the head of each federal department or agency to publish a
report on any use or development of data mining activities.

H.R.516, the Federal Agency Data Privacy Protection Act:
S.236, the Federal Agency Data Mining Reporting Act of 2007:

Court Finds Right of Informational Privacy

A New Jersey appeals court has held that Internet subscribers have a
reasonable expectation of "informational privacy", which the court
defined as "the ability to control the acquisition or release of
information about oneself" or "to control the terms under which personal
information is acquired, disclosed, and used". The decision was grounded
on the New Jersey Constitution's implied right of privacy and on
precedents the court termed "highly protective" of that right, even as
to data in third parties' hands. The recognition of the right to privacy
in this case will allow a challenge to a subpoena that led to an
indictment for computer-related theft.

State v. Reid, A-3424-05 (pdf):

Recent Data Breaches in Canada and the US

The Canadian Privacy Commissioner, Jennifer Stoddart, announced on
January 18th that her office has launched an investigation into a recent
data breach at Talvest Mutual Funds, a subsidiary of the Canadian
Imperial Bank of Commerce (CIBC). The breach allegedly occurred when a
CIBC hard drive disappeared while being moved from Montreal to Toronto. 
The investigation will assess whether the loss of the hard drive
containing the financial records of 470,000 Talvest clients was in
contravention of the Personal Information Protection and Electronic
Documents Act (PIPEDA).

On January 17, the retailer that operates T. J. Maxx and Marshall's
stores revealed that tens of millions of credit and debit cards might
have been compromised by a security breach of its computer systems.
According to TJX's press release, the breach involved customers' credit
card, debit card, check, and merchandise return information collected at
its U.S., Canadian and Puerto Rican stores, and may involve customers of
its stores in the U.K. and Ireland.

Privacy Commissioner's Press Release:

TJX Customer Alert:

EPIC's Resources on the Veterans Affairs Data Breach:

EPIC's Testimony before the House Committee on Energy and Commerce on
Data Security (2005):

EPIC's Choicepoint Page:

DOJ Weighs Widespread DNA Collection

The Department of Justice is reported to be exploring the collection of
DNA from noncitizens detained by the federal government.  Under a
provision of the Violence Against Women Act of 2005 -- the Kyl Amendment
-- federal agencies may collect DNA from non-U.S. persons who are
detained by the federal government. This provision could extend beyond
terrorism detainees and include noncitizens stopped, no matter how
briefly, by federal officials.  DNA from immigration violators would
remain on file permanently. Genetic profiles from people arrested for
federal crimes could be removed from the database if they are not

Violence Against Women and Department of Justice Reauthorization Act of

EPIC's Genetic Privacy Page:

OECD Information Technology Outlook 2006

The OECD has published its Information Technology Outlook. The 2006
edition looks at the increasing importance of digital content in
selected industries and how it is transforming value chains and business
models. The potential of technological developments is examined:
ubiquitous networks, location-based services, natural disaster warning
systems, the participative web and the convergence of information
technology with nanotechnology and biotechnology.

OECD Information Technology Outlook 2006 Announcement:

Cato Book Forum: "Identity Crisis: How Identification Is Overused and
Misunderstood" by Jim Harper

The Cato Institute held a book forum on Thursday, January 18, at which
Jim Harper, the Director of Information Policy Studies at Cato, discussed
his new book “Identity Crisis: How Identification Is Overused and
Misunderstood”. The noontime forum featured author Jim Harper, Director
of Information Policy Studies, Cato Institute; with comments by James
Lewis, Director and Senior Fellow, Technology and Public Policy Program,
Center for Strategic and International Studies; and Jay Stanley, Public
Education Director, Technology and Liberty Project, American Civil
Liberties Union.

In Identity Crisis, Jim Harper argues that identification does not
provide the security often assumed, and the overuse of identification
harms Americans' interests in a variety of ways. Harper's solution is to
replace the uniform national identity system being advanced by the REAL
ID Act with a diverse, competitive identification and credentialing
marketplace.  REAL ID calls for states to issue nationally uniform
drivers' licenses and ID cards by May 2008, and has been met with
opposition from state legislators and the American people, who condemn
what may be an $11 billion, unfunded surveillance mandate.  Legislation
to repeal REAL ID has already been introduced.

Cato Institute - Jim Harper:

EPIC's page on Real ID:

[7] EPIC Bookstore: "Digital Destiny"

"Digital Destiny: New Media and the Future of Democracy" by Jeff Chester
(The New Press 2007).


It comes as no surprise that communications lobby groups have ensured
that they are better funded, better organized, and better positioned to
shape media policy than their civil society counterparts. What is
shocking is the degree to which industry goals have been achieved through
this tightly knit network of actors, and the resounding silence that has
resulted. Jeff Chester's book, Digital Destiny: New Media and the Future
of Democracy, presents a thoroughly detailed look at how the “media
crisis” has been largely and deliberately ignored, or at least kept from
public scrutiny. Chester traces the contacts and credentials of nearly
every policy player to big industry ties, and states that the Federal
Communications Commission and others have been engaged in a dishonest
intellectual effort in their research of the issues and (lack of)
regulation. According to Chester, the history of print, radio, and then
television monopolization threatens to repeat itself in the formulation
of Internet policy:

"That the self-serving interests of a few giants could end up
threatening the potential of the Internet to serve democracy and fair
competition illustrates the corruption and intellectual bankruptcy of US
communications policymaking. Industry and its political supporters have
hijacked the policy process, using the rhetoric of deregulation, to
relegate the public into the passive role of consumers, reduced to
whether they might have more channels to watch or pay a few cents less
for them."

Chester responds with a call to arms for activists working on community
broadband, equitable access, nondiscriminatory internet, noncommercial
commons, electoral communications, and privacy to continue to organize
in order to guarantee a brighter future for the democracy of new media.

     -- Allison Knight


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Annual Privacy Coalition meeting. January 26-27, 2007. Washington DC.
For more information: http://www.privacycoalition.org

Assessing Current Privacy Issues. Riley Information Services, Inc.
February 21, 2007. Ottawa, Ontario, Canada. For more information:

National FOI Day Conference. March 16, 2007. Washington DC. For more
information: http://www.firstamendmentcenter.org

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.02 -------------------------