========================================================================
E P I C A l e r t
========================================================================
Volume 12.22 November 4, 2005
------------------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_12.22.html
========================================================================
Table of Contents
========================================================================
EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
EPIC Testifies on Registered Traveler
New Passports Still to Have RFID
EPIC Documents Show Possible Abuses of Intelligence Powers
EPIC, Others Challenge Internet Wiretap Order
News in Brief
EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power"
Upcoming Conferences and Events
========================================================================
EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
========================================================================
On October 26th, EPIC joined with Patient Privacy Rights in an effort to
establish stronger protections in the United States for patients' medical
information.
"2005 is the year that the American public learned that massive security
breaches of personal information have made identity theft the number one
crime in America. We must not allow the most sensitive personal records
that exist, our medical records, to go online without adequate privacy
safeguards," said EPIC Executive Director Marc Rotenberg.
Congress is rushing to pass legislation to establish a national Health
Information Network without patient privacy protections. Yet recent
surveys show that Americans consider the privacy of medical records to be
a major concern. A Harris poll this past February found that 69 percent of
adults do not believe strong enough data security will be installed in the
system. An earlier Gallup survey found that 78 percent of the American
public feel it is very important that their medical records be kept
confidential. And the Markle Foundation found that more than three out of
four respondents (79%) supported the right for a patient to control who
can access his health information.
"No one should be able to see or use your medical records without your
permission," said Dr. Deborah Peel, founder and chairman of the Patient
Privacy Rights Foundation. "Americans must have confidence in the privacy
and security of their online medical records."
As part of the effort to protect patients' privacy rights, the two groups
are circulating an online petition calling for strong medical privacy
safeguards.
The petition states simply:
-- I want to decide who can see and use my medical records
-- I do not want my medical records or those of my family's to be
seen or used by my employer
-- I should never be forced to give up my right to privacy in order
to get medical treatment.
Patient Privacy Rights is an Austin, Texas-based national consumer
organization devoted to medical privacy.
"I Want My Medical Privacy!" petition:
http://www.patientprivacyrights.org/petition
Patient Privacy Rights site:
http://patientprivacyrights.org
========================================================================
EPIC Testifies on Registered Traveler
========================================================================
On November 3, the House of Representatives' Subcommittee on Economic
Security, Infrastructure Protection, and Cybersecurity held hearings on
the Transportation Security Administration's Registered Traveler program.
The program allows travelers who submit to intensive background screening
to pass through airport security screening more quickly.
EPIC Executive Director Marc Rotenberg testified on the problems with the
proposed program. He noted the security watchlists that form the basis for
the passenger pre-screening are riddled with inaccuracies that are often
extremely difficult to correct. Documents released to EPIC under the
Freedom of Information Act revealed that over a hundred complaints of such
errors were made to the Transportation Security Administration in a period
of less than a year.
Rotenberg also said that the program lacked the necessary privacy
protections of the Privacy Act of 1974. This is due to the fact that
Registered Traveler databases are either owned by private companies that
are not regulated by the Act, or the government databases are exempted
from federal laws at the request of the Transportation Security
Administration.
Finally, Rotenberg cited the risk of "mission creep" within the Registered
Traveler program. Using Registered Traveler IDs in situations other than
aviation security, as some vendors have suggested, would lead to travelers
being allowed or denied access to any number of venues based not upon
their risk to that venue, but on their supposed risk to aviation. EPIC
recommended that the plan not go forward until these flaws were fixed.
Also testifying before the Committee was Kip Hawley, Director of the
Transportation Security Administration. Participants on a second panel
with Rotenberg were Charles Barclay of the American Association of Airport
Executives, Steven Brill of Verified Identity Pass, and Larry Zmuda of Unisys.
Despite these concerns, representatives on the subcommittee were eager to
implement the system and questioned Director Hawley on the program's slow
development. They also had many questions for the industry members on the
second panel about the role that private businesses would play in the
system. Registered Traveler has been conceived as being run by private
companies, with the Transportation Security Administration providing the
background checks for registered travelers and performing the screening at
airports. The involvement of both the Administration and private companies
raised privacy concerns with several Subcommittee members.
Representative Dicks (D-WA) questioned Hawley about accuracy of the
security watchlists. Using language from Rotenberg's written statement,
Congressman Dicks noted that the lists have demonstrated errors (such as
listing Senators Kennedy and Young for additional screening) and major
obstacles to correcting them (Senator Kennedy had to appeal directly to
then-Homeland Security head Tom Ridge). Hawley said that there was a
redress process, with a special number added to the erroneous files, and
that the process was "very quick." He did not give additional specifics.
As for Privacy Act protections, Brill said that his company would
voluntarily abide by all Privacy Act safeguards, which do not ordinarily
apply to private companies. Regarding private companies' record with
regard to consumers' privacy, Representative DeFazio (D-OR) had "two words
for that: Choice Point."
Testimony of Witnesses:
http://homeland.house.gov/release.cfm?id=442
TSA's Registered Traveler site:
http://www.epic.org/redirect/tsa_reg_trav.html
EPIC's Spotlight on Registered Traveler:
http://www.epic.org/privacy/surveillance/spotlight/1005/
EPIC FOIA Note #8:
http://www.epic.org/foia_notes/note8.html
========================================================================
New Passports Still to Have RFID
========================================================================
The State Department announced it will move forward with plans to require
new passports to be equipped with Radio Frequency Identification (RFID) chips.
The recently issued final rule also attempts to address deficiencies in a
previous proposal, which would have made personal data contained in the
hi-tech passports vulnerable to unauthorized access.
The previous design would have stored information in the remotely readable
passports in unencrypted form. Tests had shown that the passports' RFID
chips could be read from two feet or more, posing a significant risk of
unauthorized access. The program was widely criticized as unnecessary and
insecure by EPIC and other civil liberties groups. The previous design was
also criticized by privacy and security experts and the travel industry.
The State Department now plans to cover the passport booklet with metallic
shielding that effectively blocks transmission of information when the
booklet is not open. The Department also called for the implementation of
Basic Access Control, a practice in which the data contained in the RFID
chip is stored in encrypted form, and is only decrypted by RFID readers
that optically read and decode a key printed on the inside of the
passport's cover. This key is also used to encrypt all communications
between the passport and the reader.
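The key derivation behind Basic Access Control, as an added example that is not part of the original Alert or of any State Department material. It assumes the scheme published in ICAO Doc 9303 (check digits weighted 7-3-1, SHA-1 over the document number, date of birth and expiry date, two-key 3DES keys with odd parity), and the sample values are the specimen passport from ICAO's worked example, not a real document:

```python
import hashlib


def _char_value(c):
    """MRZ character value: digits as-is, A-Z -> 10..35, filler '<' -> 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError("invalid MRZ character: %r" % c)


def check_digit(field):
    """Check digit over one MRZ field, repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Concatenate the three optically read fields, each with its check digit."""
    doc_number = doc_number.upper().ljust(9, "<")
    if len(doc_number) != 9:
        raise ValueError("document number must be at most 9 characters")
    for date in (birth_yymmdd, expiry_yymmdd):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be YYMMDD")
    fields = (doc_number, birth_yymmdd, expiry_yymmdd)
    return "".join(f + check_digit(f) for f in fields)


def _set_odd_parity(key):
    """Force odd parity on each byte, as DES keys require."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 else 1))
    return bytes(out)


def _derive(seed, counter):
    """First 16 bytes of SHA-1(seed || 32-bit counter), parity-adjusted."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return _set_odd_parity(digest[:16])


def bac_keys(doc_number, birth_yymmdd, expiry_yymmdd):
    """Return (k_seed, k_enc, k_mac) derived only from data printed in the booklet."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    k_enc = _derive(k_seed, 1)  # counter 1: encryption key
    k_mac = _derive(k_seed, 2)  # counter 2: message authentication key
    return k_seed, k_enc, k_mac


if __name__ == "__main__":
    # Specimen values from the ICAO worked example (not a real passport).
    seed, enc, mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ information:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex().upper())
    print("K_enc: ", enc.hex().upper())
    print("K_mac: ", mac.hex().upper())
```

Every input to the derivation is printed on the data page, which is why the reader has to see the open booklet before it can talk to the chip.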
The State Department, in conjunction with the National Institute of
Standards and Technology, will also add shielding to the RFID readers in
an attempt to prevent the interception of signals between authorized
readers and passports. The State Department did not, however, provide any
details concerning this effort.
While these proposed changes should mitigate the most significant risks of
skimming and eavesdropping, they invalidate the main justification that
the State Department used to promote the use of RFID technology - to save
time at Customs by distance scanning with no physical contact required.
Computer security expert Bruce Schneier has also said that "collision
avoidance ID" in the chip still creates serious privacy risks and should
be fixed. He writes in a recent column for Wired, "the real issue is how
many other problems like this are lurking in the details of its design? We
don't know, and I doubt the State Department knows either. The only way to
vet its design, and to convince us that RFID is necessary, would be to
open it up to public scrutiny."
Final Rule:
http://edocket.access.gpo.gov/2005/05-21284.htm
EPIC, EFF et al, Comments on RFID passports (pdf):
http://www.epic.org/privacy/rfid/rfid_passports-0405.pdf
EPIC's RFID page:
http://www.epic.org/privacy/rfid
========================================================================
EPIC Documents Show Possible Abuses of Intelligence Powers
========================================================================
Documents obtained by EPIC under the Freedom of Information Act describe
thirteen cases of possible government misconduct in intelligence
investigations. The documents, written by the FBI's Office of General
Counsel, describe Bureau investigations conducted for months without
proper reporting or oversight, an FBI agent's seizure of financial records
in violation of federal privacy law, and an unidentified intelligence
agency's unlawful physical search.
Most matters discussed in the documents were reported to the Intelligence
Oversight Board, which is tasked with reviewing intelligence activities.
Under an executive order, inspectors general and general counsel
throughout the intelligence community must inform the board about
"intelligence activities that they have reason to believe may be unlawful
or contrary to Executive order or Presidential directive." The board then
reports these activities to the President and Attorney General.
The documents obtained by EPIC raise the troubling possibility that
hundreds of allegations of unlawful investigations are reported from
various agencies to the board each year. Yet there is no requirement that
Congress is notified of these allegations or how these matters are
ultimately resolved. In response to the documents, EPIC has written a
letter to the Senate Judiciary Committee highlighting the need for the
Attorney General to report to Congress on potentially unlawful
intelligence investigations.
The documents were released by the Bureau in response to an EPIC open
government request filed in March for information about the FBI's use of
sunsetting provisions of the PATRIOT Act, many of which gave the FBI
expanded investigative powers. EPIC filed suit in federal court in May to
force the FBI to release the information while Congress is considering
renewal of the sunsetting provisions. Congressional conferees are expected
to meet soon to reconcile the differences between PATRIOT renewal
legislation passed by the House and Senate.
EPIC FOIA documents on possible intelligence abuses (pdf):
http://www.epic.org/privacy/terrorism/usapatriot/foia/iob.pdf
EPIC's FOIA request (pdf):
http://www.epic.org/redirect/fbi_foia_request.html
Letter to the Senate Judiciary Committee:
http://www.epic.org/privacy/terrorism/usapatriot/judiciary_102405.pdf
EPIC's PATRIOT FOIA Page:
http://www.epic.org/privacy/terrorism/usapatriot/foia
EPIC's PATRIOT Sunset Page:
http://www.epic.org/privacy/terrorism/usapatriot/sunset.html
========================================================================
EPIC, Others Challenge Internet Wiretap Order
========================================================================
EPIC joined a coalition of public interest and business groups on October
25 in challenging a Federal Communications Commission order that requires
broadband Internet and certain voice-over-Internet Protocol (VoIP)
providers to design their systems to ease government wiretapping. The
order expands the reach of the 1994 Communications Assistance for Law
Enforcement Act.
The law grew out of concerns that, as telephone networks became more
advanced, law enforcement agencies would have an increasingly difficult
time intercepting and deciphering the communications of suspects under
surveillance. In 1994, Congress drafted a law that required telephone
companies to provide this assistance to the government. In passing the
act, Congress removed from its coverage e-mail and "information services"
like America Online and Prodigy.
The Commission's expansion of the law will apply it to broadband Internet
providers and to "interconnected VoIP" providers, whose systems are
capable of interfacing with the traditional telephone network. The
Commission also claimed that the wiretap law covered VoIP services that
did not connect to regular telephones, but that it would address those
technologies in a later ruling.
The groups contend that the law specifically prohibits the FCC's expansion
of its scope, and that applying it to these other technologies will lead
to privacy and security flaws. To challenge the Commission's order, they
filed a petition for review, which brings the issue before the federal
Circuit Court of Appeals for the D.C. Circuit. EPIC is joined in the
challenge by the American Library Association, the Association of Research
Libraries, the Center for Democracy and Technology, COMPTEL, the
Electronic Frontier Foundation, pulver.com, and Sun Microsystems.
Petition for Review (pdf):
http://www.epic.org/privacy/wiretap/calea/petition102505.pdf
The FCC's order (pdf):
http://ftp.fcc.gov/FCC-05-153A1.pdf
Text of the wiretap law:
http://www.epic.org/privacy/wiretap/calea/calea_law.html
EPIC's wiretap page:
http://www.epic.org/privacy/wiretap/
========================================================================
News in Brief
========================================================================
Alito Paper on Privacy
EPIC has obtained a copy of the final report prepared by Supreme Court
nominee Samuel Alito for a 1972 conference on "The Boundaries of Privacy
in American Society." The paper proposes far-reaching protections for the
right of privacy, and specifically addresses such topics as the use of
census data, polygraphs, domestic surveillance, communications privacy,
computer security and encryption, consumer protection, and homosexuality.
Copy of Alito's 1972 report:
http://www.epic.org/privacy/justices/alito/report110205.pdf
Spotlight: Facial Recognition Systems Don't Picture Privacy
This month, Spotlight focuses on facial recognition systems. The
Department of Homeland Security has spent millions of dollars on these
"smart" cameras that attempt to identify people based on their facial
images. However, several tests show the systems are not reliable. Facial
recognition systems also create significant privacy risks: the cameras are
often hidden and there are no laws to prevent abuse.
EPIC's Spotlight on Surveillance page:
http://www.epic.org/privacy/surveillance/spotlight/1105/
EPIC's Facial Recognition page:
http://www.epic.org/privacy/facerecognition/
Public Voice Privacy Symposium: Debut of Privacy and Human Rights
2005
Government data protection authorities, academics, and human rights and
privacy groups gathered at the University of the Andes in Bogota, Colombia
on October 20-21 to hold the Public Voice Symposium on Privacy and Data
Protection in Latin America: Analysis and Perspectives. The symposium gave
experts from Latin America and the United States an opportunity to analyze
and debate the most current public policy issues and recent developments
in privacy in Latin America. The meeting also marked the introduction of
the first Spanish-language edition of EPIC's annual Privacy & Human Rights
survey.
Symposium website (in English and Spanish):
http://www.thepublicvoice.org/events/bogota05/
Presentations available at:
http://www.cpsr-peru.org/eventos/privacidad2005/presentaciones
47 Attorneys General Urge Congress to Protect Data Security
47 Attorneys General urged party leaders in the House and Senate to pass a
strong security breach notification law. The letter is in response to a
series of bills that have been introduced to address security breaches and
identity theft at the federal level, many of which are substantially
weaker than existing state law. The Attorneys General argued that quick
notification is necessary because Federal Trade Commission statistics
show that the cost and severity of identity theft are reduced when victims
are informed shortly after their information is misused.
The Attorneys General also called for the ability of consumers to freeze
their credit report. Freezing a credit report makes it very difficult for
identity thieves to open new accounts in another's name. The Attorneys
General specified that credit freeze should be low cost for consumers,
free for identity thieves, and easy to "thaw" so that consumers can take
advantage of credit offers.
The Attorneys General letter is online at (pdf):
http://www.naag.org/news/pdf/20051028-signon-InfoSecurityIDTheftLetter.pdf
Putting Identity Theft on Ice: Freezing Credit Reports to Prevent
Lending to Impostors:
http://ssrn.com/abstract=650162
ID Thieves Prey on Financial Aid
According to the Wall Street Journal, identity thieves have found a new
target for fraud: the government. Identity thieves are posing as students
in order to collect federal student financial aid. One thief profiled by
the Journal assumed 43 identities and stole $316,000 in federal aid. The
thief committed the crime by purchasing a list of names of prison inmates,
and using their personal information for fraud.
The article is online at:
http://online.wsj.com/article/SB113019456857878139.html
========================================================================
EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power;
Intellectual Property, Information & Privacy"
========================================================================
http://www.powells.com/partner/24075/biblio/71-1588262812-0
Where are the lines between privacy, intellectual property, and
information flows?
Renee Marlin-Bennett offers perspective on the central question: How do
the ability to own intellectual property and information and the ability
to control how information flows become a source of power? This book
provides a good review of the history of Intellectual Property and the key
changes in information technology that elevated the discussion of privacy
in cyberspace to the forefront of public discourse.
One interesting reminder that the publication offers is that the rules
regarding intellectual property were established in the West and are
quickly being adopted by the developing world. Intellectual property
rights are dictating the global commercial exchange of goods and services.
The rules that define property rights are called "Commodification." These
legal protections are based solely on human invention and not strict
ownership definitions. The author asserts that what has followed under the
regime of intellectual property is a good indication of where we are
going.
This book reminds readers that computers and more importantly the Internet
have changed the dynamics of personal information flow. Digital
information presents challenges to privacy and information transaction
control. With the speed and ease of sending personally identifiable
information globally, the stakes are high on getting privacy over the
Internet wrong. Today inappropriate or illegal information transactions
can and do happen.
Renee Marlin-Bennett's book "Knowledge Power; Intellectual Property,
Information & Privacy," should be read by those just learning or well
versed on the topics of intellectual property, information, and privacy.
Lillie Coney
================================
EPIC Publications:
"Privacy & Human Rights 2004: An International Survey of Privacy Laws and
Developments" (EPIC 2004). Price: $50.
http://www.epic.org/bookstore/phr2004
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy law
in the United States and around the world. It includes the full texts of
major privacy laws and directives such as the Fair Credit Reporting Act,
the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date
section on recent developments. New materials include the APEC Privacy
Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
================================
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry
Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004
This is the standard reference work covering all aspects of the Freedom of
Information Act, the Privacy Act, the Government in the Sunshine Act, and
the Federal Advisory Committee Act. The 22nd edition fully updates the
manual that lawyers, journalists and researchers have relied on for more
than 25 years. For those who litigate open government cases (or need to
learn how to litigate them), this is an essential reference manual.
================================
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the
Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for future
action, as well as a useful list of resources and contacts for individuals
and organizations that wish to become more involved in the WSIS process.
================================
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need an
up-to-date collection of U.S. and international privacy law, as well as a
comprehensive listing of privacy resources.
================================
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
================================
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global
Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls
The Consumer Law Sourcebook provides a basic set of materials for
consumers, policy makers, practitioners and researchers who are interested
in the emerging field of electronic commerce. The focus is on framework
legislation that articulates basic rights for consumers and the basic
responsibilities for businesses in the online economy.
================================
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&
EPIC's third survey of encryption policies around the world. The results
indicate that the efforts to reduce export controls on strong encryption
products have largely succeeded, although several governments are gaining
new powers to combat the perceived threats of encryption to law
enforcement.
================================
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
http://www.powells.com/features/epic/epic.html
================================
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the Freedom
of Information Act.
Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes
========================================================================
Upcoming Conferences and Events
========================================================================
Contours of Privacy: Normative, Psychological, and Social Perspectives.
Carleton University. November 5-6, 2005. Ottawa, Canada. For
more information: http://www.carleton.ca/cove/contours/
12th ACM Conference on Computer and Communications Security. Association
for Computing Machinery: Special Interest Group on Security, Audit, and
Control. November 7-11, 2005. Alexandria, VA. For more information:
http://www.acm.org/sigs/sigsac/ccs/CCS2005/
Regulating Identity Theft and Data Breaches. American Bar Association
Section of Administrative Law and Practice. November 17, 2005. Washington,
DC. For more information:
http://www.abanet.org/adminlaw/conference/2005/home.html
The Federal Bank Regulator's Approach to Data Security. American Bar
Association Section of Administrative Law and Practice. November 17, 2005.
Washington, DC. For more information:
http://www.abanet.org/adminlaw/conference/2005/home.html
The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis
Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org
Fifth International Conference on Data Mining. IEEE Computer Society.
November 27-30, 2005. Houston, TX. For more information:
http://www.cacs.louisiana.edu/~icdm05/
First International Conference on Availability, Reliability and Security.
Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For
more information: http://www.ifs.tuwien.ac.at/ares2006/
======================================================================
Subscription Information
======================================================================
Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Back issues are available at:
http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
========================================================================
Privacy Policy
========================================================================
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from
this list, please follow the above instructions under "subscription
information."
========================================================================
About EPIC
========================================================================
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the Digital
Telephony proposal, national ID cards, medical record privacy, and the
collection and sale of personal information. EPIC publishes the EPIC
Alert, pursues Freedom of Information Act litigation, and conducts policy
research. For more information, see http://www.epic.org or write EPIC,
1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483
1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200,
Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
Thank you for your support.
------------------------- END EPIC Alert 12.22 -------------------------