                           E P I C  A l e r t
Volume 14.04                                           February 23, 2007

                            Published by the
               Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


Table of Contents
[1] EPIC Warns Maryland Senate of REAL ID's Security Risks
[2] Voting Reports: Accessibility, Identification and Voter Turnout
[3] EPIC Urges Privacy and Security Safeguards for Traveler Program
[4] New Privacy Bills Introduced
[5] EU Countries Begin Looking at Data Retention Proposals
[6] News in Brief
[7] EPIC Bookstore: "Identity Crisis"
[8] Upcoming Conferences and Events

[1] EPIC Warns Maryland Senate of REAL ID's Security Risks

At a public hearing of the Maryland Senate's Judicial Proceedings
Committee concerning a bill calling for repeal of the federal REAL ID
Act, EPIC testified about the privacy and security risks of the national
ID scheme. The REAL ID Act mandates federal requirements for state
driver's licenses and requires state DMVs to verify identification
documents, such as birth certificates.

Melissa Ngo, Director of EPIC's Identification and Surveillance Project,
explained that the privacy and security risks of REAL ID remain
unresolved. The federal legislation would create a national database
with the personal data of 245 million license and state ID cardholders,
yet there is no plan for adequate privacy and security safeguards, EPIC
said. EPIC said another significant security risk, besides that of
attacks by unauthorized users, is that of authorized users misusing or
abusing their power. For example, in a case in Maryland just last year,
three people - including a Maryland Motor Vehicle Administration
official - were indicted on charges of "conspiring to sell unlawfully
produced MVA-issued Maryland identification cards."

There is also the threat that REAL ID is ostensibly trying to protect
against: forged identification cards. "No matter how unforgeable we make
it, it will be forged. We can raise the price of forgery, but we can't
make it impossible. REAL IDs will be forged," security expert Bruce
Schneier has said. This means that people with evil intent will get
legitimate REAL ID cards in fake names, or even in the names of real
people whose identities have been stolen, he said.

EPIC also pointed to the adverse impact on victims of domestic violence.
The REAL ID Act requirement that state driver's licenses and
identification cards must list a person's actual address is a grave
threat to Maryland's address confidentiality program. Including data
collection requirements without adequate privacy safeguards would put
Maryland's domestic violence victims at risk.

The Maryland bill under consideration would refuse to implement the REAL
ID Act, protest the actions of the Congress and the President in passing
and signing the legislation, request the repeal of REAL ID, and notify
the Maryland Congressional delegation, governor, president of the Senate
of Maryland, and speaker of the House of Delegates of the resolution. EPIC
supported the bill, stating that "it is a sensible response by Maryland
to an ill-conceived federal law."

Maryland S.J. 5: REAL ID Act of 2005: Protest and Repeal:


Bruce Schneier, Real-ID: Costs and Benefits:


EPIC's Testimony at Feb. 15, 2007, Hearing of the Maryland Senate
Judicial Proceedings Committee (pdf):


EPIC's page on Domestic Violence:


EPIC's page on National ID Cards and the REAL ID Act:


[2] Voting Reports: Accessibility, Identification and Voter Turnout

Election reform continues to see significant contributions from the
research and election integrity communities.  A recently released Demos
report on the accessibility of touch screen voting systems found that
there are doubts that direct recording electronic or touch screen voting
machines are providing access to voters with disabilities. The report
found that although touch screen voting systems were once considered
essential to private voting booth access for voters with disabilities,
they often do not work as promised.

The Help America Vote Act mandated accessible voting systems for the
disabled and for language minorities.  The law explicitly directed that
"at least one direct recording electronic voting system or other voting
system equipped for individuals with disabilities at each polling place"
be made available.  Further accessibility included non-visual
accessibility for the blind and visually impaired, "in a manner that
provides the same opportunity for access and participation (including
privacy and independence)." The report findings raise questions about
whether this goal of equal voting rights for the disabled and language
minority voters has been satisfied.

In other voting related news, the New York Times disclosed that the
Election Assistance Commission had contracted a study on the impact of
voter ID requirements on voter participation.  Although the Commission
has not released the final report, disclosed research revealed that
Hispanic voters were 10% less likely to vote under those requirements
for signatures or greater identification. African Americans were 5.7%
less likely to vote under these conditions.

A paper published by one of the study's chief contributors, Dr. Tim
Vercellotti, explores some of the issues outlined in the final report to
the Commission.  The paper, "Protecting the franchise, or restricting
it? The effects of voter identification requirements on turnout," found
that his research provided "evidence that as voter identification
requirements vary, voter turnout does as well."

Demos Accessibility Report:


Help America Vote Act:


EPIC's page on Voting:


National Committee for Voting Integrity:


[3] EPIC Urges Privacy and Security Safeguards for Traveler Program

In comments to the Department of Homeland Security, EPIC urged the
agency to fully apply Privacy Act requirements of notice, access, and
correction to the new traveler redress program and its underlying system
of watch lists. EPIC explained that full application of the Privacy Act
requirements to government record systems is the only way to ensure that
data is accurate and complete, which is especially important in the
context of watch lists, where mistakes and misidentifications are

The Traveler Redress Inquiry Program is described as "a central gateway
to address watch list misidentification issues, situations where
individuals believe they have faced screening problems at immigration
points of entry, or have been unfairly or incorrectly delayed, denied
boarding or identified for additional screening at our nation's
transportation hubs." However, because the program provides a central
system for submitting, directing and tracking, but not for resolving
complaints, it fails to address the significant problems in current
traveler redress procedures, EPIC said.

EPIC explained that the federal watch lists are full of errors. In
December 2005, the director of TSA's redress office revealed that more
than 30,000 people who are not terrorists have asked TSA to remove their
names from the lists since September 11, 2001. Last month, the head of
TSA said that the watch lists were being reviewed, and he expected to
cut the list of names in half.

The Department of Homeland Security proposes to exempt the program from
Privacy Act of 1974 requirements of access to, correction of, and
accuracy of personal information. Instead of the Privacy Act
obligations, the agency asks citizens to rely on its "internal quality
assurance procedures" to ensure their files are accurate and complete.
EPIC explained that these procedures aren't working, as evidenced by the
many "false positives" and the difficulty citizens have when attempting
to clear their names.

The reasons for exempting the program and the underlying watch list
systems from Privacy Act requirements are specious, EPIC said. The
deliberate obfuscation of information does not help the terrorists, but
instead frustrates the innocent citizens who apply for redress because
they are mistakenly matched to or mistakenly listed on the watch lists,
EPIC said.

In the Privacy Impact Assessment for the redress program, the Department
of Homeland Security discussed the accuracy of data collected from
individuals seeking redress. "Because the individual provides the
information about him or herself directly, the likelihood of erroneous
[Personally Identifiable Information] is greatly reduced." EPIC agreed,
and said the only way to ensure the accuracy, timeliness, relevance and
completeness of the data used is to allow individuals to access, review
and correct their records.

Department of Homeland Security Press Release about TRIP:


Department of Homeland Security Privacy Office Privacy Impact Assessment
of TRIP (Jan. 18, 2007) (pdf):


Department of Homeland Security Privacy Office Report on Watch Lists
(Apr. 27, 2006) (pdf):


EPIC's Comments to the Department of Homeland Security about TRIP (pdf):


EPIC's November 2006 Spotlight on Surveillance on TRIP:


EPIC's page on Passenger Profiling:


[4] New Privacy Bills Introduced

Several consumer protection bills have been introduced.  The Protecting
Children in the 21st Century Act (S.49) prohibits the purchase or sale
of personal information of individuals who are known to be under the age
of 16 for the purposes of marketing to that individual.  H.R. 1015
requires automobile dealers to disclose to consumers the presence of
event data recorders, or `black boxes', on new automobiles, and requires
manufacturers to provide the consumer with the option to enable and
disable such devices on future automobiles. The Protecting Consumer
Phone Records Act (S.92) prohibits providers of commercial mobile
services from providing wireless phone numbers to directories without
notice and consent. H.R. 964 criminalizes unfair/deceptive practices
involving computers, including accessing or hijacking another's computer
to damage it or another.

Two bills in the House and one in the Senate aim to protect Social
Security numbers. H.R. 220 would prohibit the establishment in the
Federal Government of any uniform national identifying number, while
H.R. 948 and S. 238 would prohibit the display, purchase or sale of
Social Security numbers.

The Ensuring Implementation of the 9/11 Commission Report Act (S.328)
strengthens the Privacy and Civil Liberties Oversight Board. This
provision is comparable to Title VIII of H.R. 1, the bill passed by the
House in early January.

The Senate is considering the genetic privacy bill (S.358) that is
identical to a House bill on the same topic, and the House has
introduced a security breach notification bill, H.R. 836, that is
similar to a Senate bill introduced last month by Senator Leahy.

The Intelligence Authorization Act, S.372, has been reported on twice in
the Senate.  The bill increases intelligence information sharing between
federal agencies while limiting the application of the Privacy Act to
that information and exempting files of the Office of the Director of
National Intelligence from the search and review requirements of the
Freedom of Information Act.

With regard to travel privacy, H.R. 1061 would require Homeland Security
and one State to conduct a pilot program to determine if the driver's
license of such State may be enhanced so as to satisfy the requirements
of the `Western Hemisphere Travel Initiative' with respect to land and
sea travel, and S.330 would establish a biometric identification card
program so employers can verify immigrants' status.

Protecting Children in the 21st Century Act (S.49):


To require automobile dealers to disclose to consumers the presence of
event data recorders, or "black boxes", on new automobiles, and to
require manufacturers to provide the consumer with the option to enable
and disable such devices on future automobiles (H.R. 1015):


Protecting Consumer Phone Records Act (S. 92):


Identity Theft Prevention Act of 2007 (H.R. 220):


Social Security Number Protection Act of 2007 (H.R. 948):


Social Security Number Misuse Prevention Act (S. 238):


Ensuring Implementation of the 9/11 Commission Report Act (S. 328):


Genetic Information Nondiscrimination Act of 2007 (S. 358):


Cyber-Security Enhancement and Consumer Data Protection Act of 2007
(H.R. 836):


Intelligence Authorization Act for Fiscal Year 2007 (S.372):


To implement the Western Hemisphere Travel Initiative and other
registered traveler programs of the Department of Homeland Security
(H.R. 1061):


Border Security and Immigration Reform Act of 2007 (S. 330):


[5] EU Countries Begin Looking at Data Retention Proposals

Several European countries are looking at different ways of implementing
data retention following a recent EU directive.  Internet providers,
wired and wireless carriers will have to maintain location and traffic
data for up to two years. Retained data will be used for investigating
terrorism and organized crime, rather than a more far-reaching proposal
of “preventing” crime.

Different countries have until August of 2007 to sort out how to locally
implement the directive. A German proposal would prohibit pseudonymous
Internet usage. A Dutch proposal would mandate retaining the exact
location of a cell phone user during their call. Meanwhile the United
Kingdom is proposing to follow a voluntary system where the government
funds the costs of data retention by participating telecommunications
carriers and ISPs.

In the United States, Rep. Lamar Smith has introduced a bill on Internet
exploitation of children that includes data retention requirements for
Internet Service Providers (H.R.837). Attorney General Gonzales has
called on ISPs to retain data for a “reasonable time,” in order to
facilitate law enforcement prosecutions, but no requirement has yet been
implemented.  Currently, US ISPs retain user data voluntarily and to
different extents. They are only legally required to retain data when
specifically ordered to by courts.

EU Directive on Data Retention (Directive 2006/24/EC) (pdf):


Internet Stopping Adults Facilitating the Exploitation of Today's Youth
Act (SAFETY) of 2007 (H.R. 837):


EPIC's Page on International Data Retention:


Privacy International's page on EU Data Retention:


[6] News in Brief

Federal Judge Restricts New York Police Surveillance of Protests

A federal judge limited New York Police Department's ability to tape
record lawful political protests. According to the decision,
surveillance of protests is limited to when unlawful activity may occur
and after an application has been made to a police intelligence
commissioner. NYPD surveillance operates under a settlement agreement
reached in 1985 in a case originally filed in 1971. The ruling clarified
a 2003 interpretation of that agreement. The judge did not say that the
NYPD violated the First Amendment, rather that it had violated that
settlement agreement. Further violations of the clarified interpretation
of the agreement could be met with contempt charges.

EPIC's page on Video Surveillance:


Handschu v. Special Services Division, 71 Civ. 2203 (CSH) (S.D.N.Y.
2007) (pdf):


Phoenix Airport Begins 'Backscatter X-Ray' Field Tests on Travelers

Beginning this Friday, Sky Harbor International Airport in Phoenix,
Ariz., will be field testing a new "backscatter X-ray" system intended
to screen passengers before boarding airplanes. This method of screening
passengers would reveal not only prohibited items but also medical
details such as prosthetic devices and old injuries. The $100,000
refrigerator-size machines use "backscatter" technology, which bounces
low-radiation X-rays off of a passenger to produce photo-quality images
of metal, plastic and organic materials underneath clothes. The machines
were to debut in December, but their debut was postponed while the
Transportation Security Administration attempted to answer the privacy
concerns. Now,
the agency says machine operators see an image that "obscures" a
person's private areas; however, the machines still capture
photo-quality images so detailed as to show genitalia. The fact that the
machines have the capacity to record and store these detailed,
unobscured images raises questions about secondary uses of the data.

EPIC's June 2005 Spotlight on Surveillance About Backscatter X-Ray


EPIC's Backscatter X-Ray Screening Technology Page:


Symposium on Attorney General's Report on Criminal History Background Checks

SEARCH, the National Consortium for Justice and Information Statistics,
held a symposium on the Attorney General's Report on Criminal History
Background Checks. Among the report's recommendations are that FBI
criminal records be available to employers and private agencies
conducting background checks and that privacy safeguards such as rights
to appeal and informed consent be built into these background checks.
EPIC's comments to the report preparers stressed that limits should be
placed on the time that the information is available, and that
individuals should have the right to correct their records, whether in
private or government hands. It is expected that Congress will hold
hearings on this report in the coming months.

SEARCH homepage:


Report on Criminal History Background Checks (pdf):


EPIC's Comments on Criminal History Background Checks:


Ponemon 2007 Privacy Trust Study of the United States Government

The Ponemon Institute has released its 2007 Privacy Trust Study of the
United States Government, to understand the level of confidence
Americans have in government agencies that routinely collect and use the
public's personal information. The overall trend suggested a decline in
public trust since the think tank first studied the issue in 2004.
Interestingly, the survey showed diminishing public trust for the
National Security Agency and particularly the Department of Veterans
Affairs. The National Security Agency's domestic surveillance program,
which operated without any legal authority, contributed to a significant
loss of support for the agency, and the Department of Veterans Affairs,
an agency that many Americans would otherwise support, recently lost the
records of almost 27 million military personnel.

Ponemon 2007 Privacy Trust Study (pdf):

UPI-Zogby Poll on Health Privacy Concern

Over 50 percent of U.S. respondents in a UPI-Zogby International poll
expressed privacy concerns regarding their medical records and
information. African-Americans were the most likely to express concern
as 34.5 percent of those participants gave an answer of “highly
concerned.” Some 30.9 percent of Hispanics in the poll also said they
were "highly concerned" with the privacy of their medical records.

EPIC's page on Medical Records Privacy:


Patient Privacy Rights:


Privacy and Human Rights 2006 Call for Contributions

The Privacy and Human Rights report provides an overview of key privacy
topics and reviews the state of privacy in over 70 countries around the
world. The report outlines legal protections, new challenges, and
important issues and events relating to privacy. Privacy and Human
Rights 2005 is the most comprehensive report on privacy and data
protection ever published.

Editors of Privacy and Human Rights are interested in expanding their
list of contributors. They are specifically interested in news and
information from academics, experts and government officials from around
the world regarding recent laws, initiatives, threats to privacy, NGO
activities and other significant developments. Contributions can be
submitted, using the template below, to Allison Knight at

Privacy and Human Rights Contribution Template:


Privacy and Human Rights 2005:


Privacy and Human Rights online at Privacy International:


[7] EPIC Bookstore: "Identity Crisis"

"Identity Crisis: How Identification is Overused and Misunderstood" by
Jim Harper (Cato Institute 2006).


This book offers a snapshot of the identification landscape, where we
have been, where we are, and where we might choose to go. Harper's book
provides a great outline of the issues surrounding identification as
well as a glossary of terms and definitions to get a novice up to speed.
He breaks down identification categories into three areas: something you
are (color of hair, height, weight), something you know (mother's maiden
name, SSN, birth date), and something you have (access card, attire, or
other token). Each chapter begins with an amusing or interesting piece
of history or instance where identity and identification were relevant.
The underlying theme of the book is the value of identity and the
advantages of identification in situations where it is beneficial to the

Harper makes some important observations about risk assessment analysis
to determine the likelihood and the consequences of system failures.
Having predetermined the level of risk that a system can withstand and
the probability of success helps to develop balance in identification
systems that encourages secure systems that are still useful in a
practical commercial sense.

Harper distinguishes between government and private sector
identification systems and notes that in government bad systems tend to
be rewarded, while identification systems used by commercial entities
have incentives to weed out bad systems of identification. Harper
concludes that promoting the ability of the marketplace to reward good
systems of identification, and penalize bad systems of identification
may be the best road to follow. However, the book offers only mild
treatment of the willingness of the private sector to open its identity
systems to government agencies upon request. The book is well written
and a great read with lots of insightful and humorous observations about
identification and identification systems such as how they came into
being and how they are used in large and small ways in our daily life.
We are now in the digital information age and being aware of these
important considerations about identity and identification systems is
everyone's concern.

-- Lillie Coney


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2005: An International Survey of Privacy Laws
and Developments" (EPIC 2006). Price: $60.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
70 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2005 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price:

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 22nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Privacy Coalition Meeting. February 23, 2007. Washington DC. For more
information contact Lillie Coney at: coney@epic.org

Internet Privacy Symposium: Research Findings from the OPC Contributions
Program. Privacy Commissioner of Canada and Law and Technology Group,
University of Ottawa. February 23, 2007. Ottawa, Ontario. For more

Working Group Discussion on Federal Government Outsourcing of
Intelligence Gathering and Law Enforcement Duties. EPIC and Liberty
Coalition. February 28, 2007. Washington DC.  For more information
contact Melissa Ngo at: ngo@epic.org

RFID and Ubiquitous Computing. Trans Atlantic Consumer Dialogue. March
12, 2007. Brussels, Belgium. For more information:

4th Annual Electronic Health Records Conference. Insight Information. 
March 13, 2007. Vancouver, Canada. For more information:

Consumer Authentication: How Do You Know It Is Really Me? American Bar
Association, Section of Business Law. March 16, 2007. Washington, DC.

National FOI Day Conference. March 16, 2007. Washington DC. For more
information: http://www.firstamendmentcenter.org

5th Conference on Privacy and Public Access to Court Records. Center for
Legal and Court Technology and Administrative Office of the United
States Courts. March 22-23, 2007. Williamsburg, Virginia. For more

The Policy Challenges of Electronic Privacy.  European Parliamentary
Technology Assessment organization.  March 28, 2007.  Brussels, Belgium.
For more information contact viwta@vlaamsparlement.be

CFP2007: Computers, Freedom, and Privacy Conference. Association for
Computing Machinery. May 2007. Montreal, Canada. For more information:

Privacy Compliance Conference. The Canadian Institute.  May 30-31, 2007.
Toronto, Canada.  For more information:

29th International Conference of Data Protection and Privacy
Commissioners. September 25-28, 2007.  Montreal, Canada. For more

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.04 -------------------------