======================================================================= E P I C A l e r t ======================================================================= Volume 10.19 September 18, 2003 -----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC) Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_10.19.html
====================================================================== Table of Contents ======================================================================
[1] EPIC Lawsuit Compels Release of Passenger Profiling Info
[2] U.S. and EU Debate Handling of Passenger Data
[3] EPIC Files FTC Complaint over Experian's Deceptive Ads
[4] White House Pushes to Expand Patriot Act
[5] EPIC Joins Coalition to Urge Protection of Health Info
[6] News in Brief
[7] EPIC Bookstore: Pole Star - Human Rights in the Information Society
[8] Upcoming Conferences and Events
====================================================================== [1] EPIC Lawsuit Compels Release of CAPPS II Passenger Profiling Info ======================================================================
Just a day after EPIC asked a federal court to issue an emergency court order requiring the Transportation Security Administration (TSA) to release information concerning the Computer Assisted Passenger Prescreening System (CAPPS II), the agency agreed to process the documents for potential release. In a submission filed with the court, the TSA stated that it will complete processing the material by September 25, five days before public comments are due on the TSA's proposed Privacy Act notice for the controversial air passenger profiling system.
The agreement requires the TSA to disclose "Capital Asset Plan and Business Case" (Exhibit 300) materials on CAPPS II that the agency has prepared for the Office of Management and Budget (OMB), and any privacy impact assessments the TSA has conducted on CAPPS II. OMB requires agencies seeking funding for projects to submit an Exhibit 300, which requires, among other things, an evaluation of privacy and security risks that a project might pose. Furthermore, the E-Government Act of 2002 requires agencies to prepare a privacy impact assessment before developing or procuring information technology that collects, maintains or disseminates identifiable information.
These documents potentially include crucial information on the privacy implications of CAPPS II. While the TSA has repeatedly assured the public that the profiling system will respect the privacy rights of air passengers, it has not disclosed any internal documents assessing the potential privacy or civil liberties impact of the program. In March, EPIC requested from the TSA any privacy assessments of CAPPS II, as well as information from the Department of Defense (DOD) concerning Pentagon involvement in the screening system. Neither agency processed the requests within the time frame set out by the Freedom of Information Act, despite their agreement to "expedite" the process. In response, EPIC filed an earlier lawsuit in June against the TSA and DOD, which is still pending in federal court.
EPIC's request for an emergency court order is available at:
http://www.epic.org/privacy/airtravel/capps-tro-memo.pdf
TSA's formal agreement to release the documents is available at:
http://www.epic.org/privacy/airtravel/capps-tro-praecipe.pdf
The TSA CAPPS II Notice is available at:
http://www.epic.org/redirect/capps_notice.html
More information about CAPPS II is available at EPIC's Air Travel Privacy Page:
http://www.epic.org/privacy/airtravel
====================================================================== [2] U.S. and EU Debate Handling of Passenger Data ======================================================================
The United States is working diligently to convince the European Union to participate in the proposed Computer Assisted Passenger Profiling System (CAPPS II), the airline passenger security system created to prevent suspected terrorists from boarding airplanes. If the EU does choose to participate in the system as proposed, all travelers entering or flying through the U.S. will be required to provide their name, address, birth date, and home telephone number when purchasing a plane ticket. Each passenger's information would then be shared with the US government and then checked against various private databases, terrorist watch lists, and felony warrant lists. Passengers would be assigned a color code to inform screeners whether to allow them to board the flight, or question, detain or arrest them.
Since March 5, 2003, the EU has cautiously allowed the U.S. access to the Passenger Name Records (PNRs) of its citizens. But the CAPPS II program will not be accepted so simply by the European Commission, which has rejected the demands of the currently proposed program and insisted on "adequate protection." Despite its initial concession of PNR data, the EU continues to press for a framework that is legally secure. Frits Bolkestein, the EU Commissioner in charge of customs issues, has written a letter to U.S. authorities demanding improvements and warning of a confrontation. He noted some improvements from the original CAPPS II proposal, but stands steadfast on the charge that there are too many other privacy threats that lie unprotected by this system. Bolkestein is scheduled to discuss the issue further with representatives of the US Department of Homeland Security on September 22.
Other countries around the world may side with the EU in their demands. A resolution was passed at the International Conference of Data Protection and Privacy Commissioners last week in Sydney, calling for "an international agreement stipulating adequate data protection requirements, including clear purpose limitation, adequate and non-excessive data collection, limited data retention time, information provision to data subjects, the assurance of data subject rights and independent supervision."
The U.S. faced another setback in its plans for monitoring foreign air travel recently. The government announced it is postponing new passport rules requiring citizens of 27 countries who have never before needed visas to obtain new scan-friendly passports. Despite the problems, the US continues its work to implement the CAPPS II system. JetBlue Airlines is reported to have agreed to share its passenger data in an effort to test the program, even after the original test airline, Delta, cancelled its agreement due to public boycott pressure.
View the text of Bolkestein's speech at:
http://www.epic.org/news/bolkestein.html
View the text of the Data Commissioners Resolution at:
http://www.epic.org/news/Comm03.html
View EPIC's passenger data page:
http://www.epic.org/privacy/intl/passenger_data.html
Read the New York Times article on the new passport requirements:
http://nytimes.com/2003/09/09/politics/09PASS.html
====================================================================== [3] EPIC Files FTC Complaint Over Experian's Deceptive Ads ======================================================================
This week EPIC filed a complaint with the Federal Trade Commission (FTC) concerning the marketing practices of Experian, one of the three major credit reporting agencies. The September 16 complaint alleges that Experian engages in deceptive marketing practices, a violation of 15 U.S.C. Section 45(a)(1), by advertising "free" credit reports to consumers that come with hidden obligations.
According to the complaint, Experian broadly disseminates offers for "free" credit reports over television and the Internet, but the offers are tied to hidden obligations which are not prominently disclosed. Experian only provides a "free" credit report by permitting consumers to access an expensive credit monitoring service that they are automatically charged for if they do not notify the company within 30 days. The complaint states that not only is Experian's advertising misleading, but it also plays on fears of inaccuracy in credit reports in order to drive up sales of the company's products - inaccuracy for which the company itself may be responsible.
The FTC requires that products advertised as "free" must not have hidden strings attached. Any company advertising products as "free" must disclose to potential consumers any conditions or obligations up front. While Experian does refer to the service in small print on its Web site above the button to accept the offer, EPIC points out that the notice is neither prominent nor disclosed on the television advertisement, as required by the FTC.
EPIC urges the FTC to act immediately to investigate and stop Experian's deceptive advertising practices. Furthermore, EPIC asks the FTC to require all credit reporting agencies - not just Experian - to provide credit monitoring services to consumers without charge in order to assure the maximum possible accuracy in credit reports, assurance that credit reporting agencies are required to provide under the Fair Credit Reporting Act, 15 U.S.C. Section 1681(e)(b).
EPIC's complaint is available at:
http://www.epic.org/privacy/experian/
Experian's offer is available at:
http://www.FreeCreditReport.com
====================================================================== [4] White House Pushes to Expand Patriot Act ======================================================================
Using the second anniversary of the 9/11 attacks to broach new policy, the President pressed for greater Patriot Act law enforcement powers in a speech at the FBI Academy on September 10. The President's proposed changes would allow federal law enforcement agencies to issue subpoenas, thus bypassing judicial oversight altogether. He also pushed to extend the death penalty to terrorism-related crimes, and permit judges to deny bail to those arrested and held as terrorist suspects. All three measures were represented in early drafts of the Patriot Act, but struck before the law's passage.
Coinciding with the White House's speech was the introduction of three bills in Congress that would carry out its proposals. H.R. 3037 would allow the Attorney General to issue subpoenas in terrorism investigations without court approval, and place a gag order on recipients of such subpoenas if the Attorney General deems that a danger to national security could result from disclosure. H.R. 3040 would permit a judge to detain a terrorism suspect without bail before trial, and would broaden the scope of individuals subject to lifetime supervision after release from prison for terrorism-related acts. S. 1604 would allow imposition of the death penalty for terrorist crimes that result in death, as well as deny federal benefits to convicted terrorists.
The White House's push for greater Patriot Act powers follows in the wake of allegations that law enforcement agencies increasingly use Patriot Act tools to capture and punish run-of-the-mill criminals rather than terrorists. The Justice Department concedes that it has applied its expanded powers to smugglers, defrauders, bookies, con artists, and drug dealers.
The text of H.R. 3037, Antiterrorism Tools Enhancement Act of 2003, is available at:
http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.3037:
The text of H.R. 3040, Pretrial Detention and Lifetime Supervision of Terrorists Act of 2003, is available at:
http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.3040:
The text of S. 1604, Terrorist Penalties Enhancement Act of 2003, is available at:
http://thomas.loc.gov/cgi-bin/query/z?c108:S.1604:
More information about the Patriot Act is available at EPIC's Patriot Act Page:
http://www.epic.org/privacy/terrorism/usapatriot/
====================================================================== [5] EPIC Joins Coalition to Urge Protection of Health Info ======================================================================
EPIC, the Health Privacy Project and 28 other health care advocacy, labor, consumer, disability rights, and health care provider groups sent a letter to Health and Human Services Secretary Tommy Thompson urging him to affirm that protected health information sent through the banking network must be accessible only to providers and health plans for whom it is intended. Financial institutions have expressed interest in data mining electronic transactions that flow through the banking system in order to gain information for use in marketing and credit risk evaluation. Once banks gain this information through data mining, they can use and share it without limitation.
The transaction at issue is the Electronic Remittance Advice (ERA). The ERA standard adopted by the Department of Health and Human Services permits electronic funds transfer instructions and the ERA to be sent within a single transaction. Instructions for electronic funds transfer contain no protected health information, but the ERA does. The Preamble to the Privacy Rule makes it clear that the receiving bank is the intended recipient of the electronic funds transfer instructions and a provider or health plan is the intended recipient of the ERA. The Preamble further states that the protected health information in the ERA is not necessary for the performance of the funds transfer function by banks and that covered entities may not disclose protected health information to banks for this purpose.
The banking industry has been asking the Office for Civil Rights to revise or retract this earlier guidance, claiming that the ERA is part of the payment function performed by banks. Organizations that signed the letter to Secretary Thompson relied on the Preamble and legislative history to urge the Department to affirm the position it took in the Preamble to the Privacy Rule.
View the letter sent by the coalition:
http://www.epic.org/privacy/medical/hhsletter.pdf
View EPIC's Medical Privacy Page:
http://www.epic.org/privacy/medical
====================================================================== [6] News in Brief ======================================================================
HILL SPEAKS OUT FOR INTELLIGENCE RELYING ON OPEN SOURCES
Eleanor Hill, the Staff Director for the Joint Inquiry Committee of the Senate and House that investigated the failings of U.S. intelligence to foresee the September 11 terrorist attack, testified before the House Select Homeland Security Committee on September 10, 2003. Hill told the committee that one of the main reasons why the U.S. Intelligence Community failed to see what Al Qaeda was planning was not a lack of intelligence but the failure by the intelligence and law enforcement agencies to piece together what was already available, including "public documentation and open source information." Hill also told the committee that too much information about the threat of Al Qaeda was withheld from the American public before 9/11 and pointed out that a well-informed public can actually help in the war against terrorism. Hill recommended that classification procedures be overhauled to ensure that as much real-time information as possible can be made available to the public, as well as to law enforcement and state and local authorities.
Read Eleanor Hill's Statement:
http://hsc.house.gov/schedule.cfm
View the 9-11 Joint Inquiry Report:
http://www.epic.org/redirect/9-11inquiry.html
FOIA REQUESTS SURGED IN 2002
The number of Freedom of Information Act and Privacy Act requests to federal government agencies reached a record high in 2002, according to a new report from the Justice Department Office of Information and Privacy. The total number of requests increased by seven percent over the previous year to a new high of 2,402,938. The Department of Veterans Affairs received the most requests (1,496,191); something called the Inter-American Foundation received the least (one). Agencies invoked 142 different nondisclosure statutes to withhold information under FOIA exemption. Personal privacy was the most frequently cited single exemption.
View the Justice Department's Report:
http://www.usdoj.gov/oip/foiapost/2003foiapost31.htm
GAO ISSUES FIVE SECURITY REPORTS
The U.S. General Accounting Office released five reports on various aspects of domestic security last week. The reports cover the subjects of smart cards, biometrics, maritime security, ID fraud, and transportation security.
To learn more about the reports:
Electronic Government: Challenges to the Adoption of Smart Card Technology, by Joel Willemssen, managing director, information technology, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. GAO-03-1108T, September 9.
http://www.gao.gov/cgi-bin/getrpt?GAO-03-1108T
Information Security: Challenges in Using Biometrics, by Keith A. Rhodes, chief technologist, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. GAO-03-1137T, September 9.
http://www.gao.gov/cgi-bin/getrpt?GAO-03-1137T
Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain, by Margaret T. Wrightson, director, homeland security and justice, before the Senate Committee on Commerce, Science, and Transportation. GAO-03-1155T, September 9.
http://www.gao.gov/cgi-bin/getrpt?GAO-03-1155T
Security: Counterfeit Identification and Identification Fraud Raise Security Concerns, by Robert J. Cramer, managing director, Office of Special Investigations, before the Senate Committee on Finance. GAO-03-1147T, September 9.
http://www.gao.gov/cgi-bin/getrpt?GAO-03-1147T
Transportation Security: Federal Action Needed to Enhance Security Efforts, by Peter Guerrero, director, physical infrastructure, before the Senate Committee on Commerce, Science, and Transportation. GAO-03-1154T, September 9.
http://www.gao.gov/cgi-bin/getrpt?GAO-03-1154T
EPIC PARTICIPATES IN PRIVACY & FOI LAW PROJECT
The EPIC Alert is now being featured as a resource with the Privacy & FOI Project, a division of the World Legal Information Institute that aims to make searchable from one location all of the databases specializing in Privacy and FOI law and make them available through any of the Legal Information Institutes across the globe. Other sites included in the project are databases of cases from the Canadian Privacy Commissioner, Federal Privacy Commissioner of Australia, and New Zealand Privacy Commissioner, and the Privacy Law & Policy Reporter from Australia.
Visit the Privacy & FOI Law Project at:
http://www.worldlii.org/int/special/privacy/
===================================================================== [7] EPIC Bookstore: Pole Star ======================================================================
Deborah Hurley: Pole Star - Human Rights in the Information Society (International Centre for Human Rights and Democratic Development, 2003)
http://www.ichrdd.ca/frame2.iphtml?langue=0
Deborah Hurley's essay, Pole Star - Human Rights in the Information Society, provides an excellent introduction to the relationship between information technology and human rights. Written in preparation for the World Summit on the Information Society set to convene in Geneva this December, Hurley calls on international leaders to make human rights a central consideration when forming information technology policy. She declares that without a strong foundation in human rights - what she deems, "the keystone in the arch of civilization" - the information society will not be viable.
Pole Star underscores the challenges, as well as opportunities, at hand to ingrain human rights values into developing technology and standards. Information technology, Hurley points out, is still decentralized and largely unregulated and the policy pertaining to it immature. There are vast opportunities to impose structure. Within the proper framework, she adds, new technologies represent an invaluable resource to people in developing nations. Hurley touches upon several significant policy issues relating to technology and human rights, including a thoughtful and convincing examination of privacy rights and their relevance. She further iterates that, "It is axiomatic that privacy and security are compatible and can be mutually reinforcing," a principle that is important to reinforce.
The essay concludes with a list of six recommendations, foremost among them that a World Commission on the Information Society should be formed. Hurley also calls on the United States to adopt national privacy legislation based upon the OECD Privacy Guidelines and the Council of Europe Convention. While several of the recommendations are quite broad and somewhat vague, overall they provide a good objective for nations and leaders to work toward.
--Emily Cadei
================================
EPIC Publications:
"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40. http://www.epic.org/bookstore/pls2002/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
================================
"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40. http://www.epic.org/bookstore/foia2002/
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
================================
"Privacy & Human Rights 2003: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $35. http://www.epic.org/bookstore/phr2003/
This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty-five countries around the world. The survey examines a wide range of privacy issues including data protection, passenger profiling, genetic databases, video surveillance, ID systems and freedom of information laws.
================================
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40. http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
================================
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/bookstore/crypto00&/
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
================================
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
====================================================================== [8] Upcoming Conferences and Events ======================================================================
Human Rights Caucus Report Launch. September 19, 2003. Geneva, Switzerland. For more information: http://www.iris.sgdg.org/actions/smsi/hr-wsis
Making Intelligence Accountable, September 19-20, 2003. Oslo, Norway. The Geneva Centre for the Democratic Control of Armed Forces. For more information: http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html
Communication, Information and Internet Policy. September 19-21. Arlington, VA. For more information: http://www.tprc.org
Crime Prevention & Security: Pro-Active. September 24-26. Amsterdam, Netherlands. For more information: http://radburn.rutgers.edu/andrews/projects/ssit/istas.html
The State of Accountable Government in a Surveillance Society. Office of the Information and Privacy Commissioner for British Columbia. September 25-26, 2003. Victoria, British Columbia. For more information: http://www.oipc.bc.ca/anniversary/
Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, Ohio. For more information: http://www.privacy2000.org/2003/index.html
Localizing the Internet: Ethical Issues in Intercultural Perspective. International Center for Information Ethics. October 4-6, 2004. Karlsruhe, Germany. For more information: http://icie.zkm.de/congress2004
UbiComp 2003 Privacy Workshop. October 12, 2003. Seattle, WA. For more information: http://guir.berkeley.edu/pubs/ubicomp2003/privacyworkshop/
Security Laws and Privacy Seminar. Riley Information Service Inc. October 20, 2003. Ottawa, Canada. For more information: http://www.rileyis.com/seminars/index.html
8th Symposium on Privacy and Security - Identity and Anonymity in an Increasingly Interconnected World. Swiss Federal Institute of Technology. October 21-22, 2003. Zurich, Switzerland. For more information: www.privacy-security.ch
Getting the Technology You Deserve: Community Participation in Regional Cable Franchise Policy. Computer Professionals for Social Responsibility. October 25, 2003. Seattle, Washington. For more information: http://www.cpsr.org/conferences/annmtg03/
ICANN Meeting. Internet Corporation for Assigned Names and Numbers. October 27-31, 2003. Carthage, Tunisia. For more information: http://www.icann.org/carthage/
IAPP Privacy and Data Security Academy and Expo. October 29-31, 2003. Chicago, IL. For more information: http://www.privacyassociation.org
Business for Social Responsibility Annual Conference - Building and Sustaining Solutions. November 11-14. Los Angeles, CA. For more information: http://www.bsr.org
RFID Privacy Workshop. Massachusetts Institute of Technology. November 15, 2003. Boston, Massachusetts. For more information: http://www.rfidprivacy.org
American Society of Access Professionals Workshop. November 18-19, 2003. St. Louis, Missouri. For more information: http://www.acesspro.org
Media Freedoms and the Arab World. The Arab Archives Institute. December 6-8, 2003. Amman, Jordan. For more information: email [EMAIL PROTECTED] or see http://www.ijnet.org/FE_Article/newsarticle.asp?UILang=1&CId=115794&CIdLang=1.
WHOLES - A Multiple View of Individual Privacy in a Networked World. Swedish Institute of Computer Science. January 30-31, 2004. Stockholm, Sweden. For more information: http://www.sics.se/privacy/wholes2004.
====================================================================== Subscription Information ======================================================================
Subscribe/unsubscribe via Web interface:
http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Subscribe/unsubscribe via e-mail:
To: [EMAIL PROTECTED] Subject: "subscribe" or "unsubscribe" (no quotes)
Automated help with subscribing/unsubscribing:
To: [EMAIL PROTECTED] Subject: "help" (no quotes)
Problems or questions? e-mail < [EMAIL PROTECTED]>
Back issues are available at: http://www.epic.org/alert/
The EPIC Alert displays best in a fixed-width font, such as Courier.
====================================================================== Privacy Policy ======================================================================
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact [EMAIL PROTECTED] if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.
====================================================================== About EPIC ======================================================================
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail [EMAIL PROTECTED], http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate/
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
---------------------- END EPIC Alert 10.19 ----------------------