EPIC Alert 10.15 [2003] EPICAlert 15
EPIC ALERT
Volume 10.15 July 22, 2003
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_10.15.html
Table of Contents
[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
[3] First HIPAA Privacy Enforcement Details Reported
[4] U.S. Park Police Releases Video Surveillance Policy
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
[6] EPIC Testifies on Use and Misuse of the Social Security Number
[7] EPIC Bookstore: "Censorship Inc."
[8] Upcoming Conferences and Events
[1] Senate Requires Reporting For CAPPS II; Extends TIA Moratorium
On July 10, the Senate voted to withhold funding for the Computer Assisted Passenger Prescreening System (CAPPS II) until the Transportation Security Administration (TSA) provides more information about procedural and technological safeguards in the program. The provision is included in the Senate version of the Homeland Security appropriations bill.
CAPPS II would allow the government to evaluate the security threat an individual poses by analyzing personal information about that person. Information could be collected from credit reports, public records, and criminal records, among other sources. Passengers labeled a high threat would not be permitted to fly.
The Senate version of the bill prohibits the TSA from using any funding from the Act "for testing (other than simulations), deployment, or implementation of [CAPPS II]." The Senate prohibition would remain in effect until the TSA reports to the Government Accounting Office and Congress on the status of the following aspects of the program: any system of due process for correcting erroneous information; the error rate of the system; evidence of "efficiency and accuracy"; an internal board to oversee development; safeguards against abuse; safeguards against hackers; policies providing effective oversight of the implementation of the program; and absence of any privacy concerns with the technology employed.
The House version of the spending bill contains no specific reference to CAPPS II; a conference committee must reconcile the two versions.
The Senate has also voted to suspend funding for the equally controversial Terrorism Information Awareness (TIA) program as part of the Department of Defense appropriations bill. TIA is intended to capture every person's "information signature" through the collection and compilation of records regarding their activities. With vast databases of information signatures, the government would use algorithms to track potential terrorists and criminals.
While the Senate version of the spending bill would provide no funding for TIA, the House version instead would ban the use of such technology on U.S. citizens without congressional authorization. A conference committee will work out the differences between the Senate and House versions of the spending bill.
The Senate version of the Homeland Security appropriations bill is available at:
http://www.epic.org/redirect/senate_2555.html
More information about CAPPS II is available at EPIC's Air Travel Privacy Page:
http://www.epic.org/privacy/airtravel
More information on Terrorism Information Awareness is available at EPIC's TIA Page:
http://www.epic.org/privacy/profiling/tia
[2] EPIC Testifies on Credit Reporting Privacy, Inaccuracy
On July 9, the House Committee on Financial Services held an extensive hearing on H.R. 2622, the Fair and Accurate Credit Transactions Act (FACT Act). EPIC Deputy Counsel Chris Hoofnagle was among the witnesses who testified at the hearing.
EPIC's testimony focused on preserving state legislative and enforcement authority in credit regulation. Hoofnagle argued that states have historically enacted the best privacy protection, and treating the FCRA as a federal ceiling is an aberration. As "laboratories of Democracy," states are in an advantageous position to create innovative privacy protections, and they are better situated than Congress to quickly address problems. An additional area of focus was affiliate sharing, as large banks can now exploit information inside their "corporate families." Because affiliate sharing allows financial institutions to share personal information about their customers without restrictions, it directly increases risk of identity theft and fraudulent marketing.
Consumer advocate Stephen Brobeck of the Consumer Federation of America also argued that the bill does not adequately address the major problems in credit reporting, such as the mismerged file that occurs when two individuals' files are combined into one report.
William Springs of the National Urban League and Hillary Shelton of the NAACP also testified on behalf of consumers. Mr. Shelton argued that, under the current credit scoring system, minorities in all economic categories are disproportionately targeted with predatory and sub-prime lending.
In a separate letter to the Senate Banking Committee, EPIC presented evidence that systemic inadequacies at the Credit Reporting Agencies (CRAs) contribute to inaccuracy and consumer frustration. For instance, at one CRA, representatives are required to complete 100 consumer inquiries a day, giving them just four minutes per inquiry.
The letter urges Congress to give consumers free and complete access to their reports.
EPIC's Testimony on H.R. 2622 is available at:
http://www.epic.org/privacy/fcra/2622testimony.html
EPIC's Letter on CRA Inaccuracy is available at:
http://www.epic.org/privacy/fcra/crainaccuracy7.10.03.html
[3] First HIPAA Privacy Enforcement Details Reported
Three months after the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective, the first updates on enforcement activities reflect the law's early implementation difficulties.
On June 24, the Office for Civil Rights (OCR), which is responsible for the enforcement of the Privacy Rule within the Department of Health and Human Services, provided an update to the National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services. Stephanie Kaminsky of OCR testified that the office received 637 complaints prior to the hearing date. Of those, OCR had closed 124 cases and 513 remained open. A total of 260 cases were accepted for investigation after OCR determined that the complaint dealt with an issue, time frame and entity over which OCR has proper jurisdiction. No cases have been referred to the Justice Department for criminal prosecution.
Complaints to the OCR have raised such issues as the inability of individuals to access their information, inadequate safeguards for health information, deficient provision of Notice of Privacy Practices, and insufficient minimum necessary procedures to limit disclosure in provider offices and facilities.
OCR has repeatedly stated that its enforcement goals are to promote voluntary compliance within the health care sector and to handle most complaints by providing technical assistance to the entity involved. Despite assurances that such assistance will be the primary means of enforcement, many health care organizations have become wary about disclosing information when civil and criminal penalties might follow.
In an early July congressional briefing sponsored by the Healthcare Leadership Council, some organizations stated that they are delaying the use of e-mail and other communication technologies for transmitting information to patients. The delays are apparently caused by the need to have appropriate verification procedures and encryption in place to ensure that the information does not go astray.
Privacy Rule compliance and enforcement will remain prominent issues over the next year as OCR refines the substantive portion of the Enforcement Rule. The interim procedural Rule is set to expire in September 2004.
Office for Civil Rights in the Department of Health and Human Services:
http://www.hhs.gov/ocr/hipaa
National Committee on Vital and Health Statistics:
http://ncvhs.hhs.gov
For more information, see EPIC's Medical Privacy Page at:
http://www.epic.org/privacy/medical
[4] U.S. Park Police Releases Video Surveillance Policy
The U.S. Park Police (USPP) recently released guidelines on the use of its video surveillance system in Washington, DC. The policy was formulated in response to critiques by Congress and the DC City Council more than a year ago that the USPP was not forthcoming about its use of video cameras, and should make public a policy on its camera surveillance of the Monumental Core of the nation's capital. For more than a year, the USPP has been constantly monitoring federal public spaces with undisclosed cameras without notifying the public, with few privacy safeguards in place and with little public oversight.
Last year the Metropolitan Police Department of the District of Columbia (MPDC) was also urged by Congress, the DC City Council and civil liberties groups to establish a video surveillance policy that would address privacy and freedom of speech concerns after the MPDC installed cameras without notifying the public or obtaining budget approval. Although the USPP's current guidelines constitute a good starting point, they are generally more invasive than the MPDC's guidelines, providing for 24-hour, seven-day-a-week surveillance, and retention of records for six months. The USPP guidelines are less detailed than those implemented by the MPDC and do not provide for any effective oversight and accountability mechanisms. The USPP guidelines also do not exclude later use of face recognition technologies.
Furthermore, the USPP guidelines are based on the assumption that video surveillance is effective to detect and prevent terrorist attacks, as well as deter criminal activity -- a claim which has never been proved to be true. In fact, a reference meta-study conducted on the effectiveness of law enforcement use of video surveillance in the United Kingdom and the United States clearly shows no strong evidence that cameras in center city and residential areas deter criminals or offer any value as a crime-fighting tool. Further, the United Kingdom, which originally justified the installation of video cameras in response to a terrorism threat, has never caught a single terrorist, even after installing more than 1,500,000 cameras throughout the country during the last ten years.
A recent report from the General Accounting Office questions the secret surveillance by the Park Police and points to the USPP's lack of public transparency and openness. The USPP's guidelines are subject to public comments.
USPP's CCTV Policy (June 2003) is available at:
http://www.epic.org/redirect/uspp_surveillance_policy.html
EPIC's Video Surveillance Page is available at:
http://www.epic.org/privacy/surveillance/
The UK government study on law enforcement use of video surveillance is available at:
http://www.homeoffice.gov.uk/rds/pdfs2/hors252.pdf
The General Accounting Office's recent report on video surveillance is available at:
http://www.gao.gov/new.items/d03748.pdf
[5] RFID PR Revealed; Wal-Mart Cancels Major RFID Effort
Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) recently located internal public relations documents detailing how Radio Frequency Identification (RFID) developers plan to offset public opposition to the widespread implantation of the tracking devices in consumer products. The documents, prepared by Fleishman-Hillard, a public relations consultancy, detail how such a campaign may unfold.
First, the documents outline the obstacles that hinder widespread implementation of RFID technology, including the desire of consumers to protect their privacy and cynicism about public and private sector concern for consumer privacy. The documents cite the need for the development of a proactive plan that would "neutralize opposition" and "mitigate possible public backlash." One proposed method of doing so is through the creation of a Privacy Advisory Council made up of "well known, credible, and credentialed experts" who may be "potentially adversarial advocates." The documents cite EPIC as an example of a potential council member.
In related news, retail giant Wal-Mart announced on July 9 that it is shelving plans to tag consumer products with RFID chips, after it had urged 100 of its top suppliers to begin tagging products by 2005. Wal-Mart had joined forces with Gillette to develop a "smart-shelf" system, where shelves outfitted with RFID readers would track Gillette products. The RFID sensors would alert a store manager when inventory ran low or a high-theft item was removed from the shelf. A Wal-Mart spokesperson said the smart-shelf system, expected to launch at a store in Brockton, MA, was never fully installed, and materials from the project have been removed.
Although Wal-Mart says the move simply reflects a corporate decision to implement RFID technology in warehouses and distribution centers instead of retail stores, concerns about the misuse of data gleaned from the tracking devices have prompted a public outcry against the technology. Wal-Mart is not the only corporation to forego implanting consumer products with RFID tags in the wake of public pressure. Italian clothier Benetton halted plans to tag its apparel after privacy advocates called for a worldwide boycott of the company's products.
RFID systems enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. Chips integrated into commonplace products such as floor tiles, shelf paper, cabinets, appliances, exercise equipment, and grocery and packaged products would allow even our most intimate activities to be monitored. Many technology experts already predict the development of a seamless network of millions of RFID receivers strategically placed around the globe in airports, seaports, highways, distribution centers, warehouses, retail stores, and consumers' homes, all of which are constantly reading, processing, and evaluating consumers' behaviors and purchases.
Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN):
http://www.nocards.org
RFID Developers Internal Public Relations Documents are available at:
http://cryptome.org/rfid-docs.htm
EPIC's RFID Page is available at:
http://www.epic.org/privacy/rfid
[6] EPIC Testifies on Use and Misuse of the Social Security Number
On July 10, the House Subcommittee on Social Security of the Committee on Ways and Means held a hearing on the need to prevent Social Security Number (SSN) misuse. Led by Chairman E. Clay Shaw, Jr. (R-FL), the hearing focused on the widespread use and misuse of SSNs in the public and private sectors. Chairman Shaw announced that the committee would be introducing new legislation shortly addressing a variety of SSN issues. The hearing also examined legislative proposals aimed at combating SSN misuse and protecting privacy, as well as the potential ramifications of these proposals on businesses, consumers, and the government.
In his testimony, EPIC Deputy Counsel Chris Jay Hoofnagle reviewed historical and recent attempts to regulate the use of the SSN. Stating that there is ample legislative and judicial support for imposing limitations on the collection and use of the SSN, Hoofnagle asserted that consumers are often forced to reveal their SSNs to obtain goods and services, a practice called "coercive disclosure." Hoofnagle then described trends involving the SSN, including the statistical rise in identity theft complaints, the increasing occurrence of large-scale identity thefts, and the frequent use of the SSN in the private sector. He argued that regulating SSN use is the key to preventing identity theft.
Hoofnagle recommended that the Committee consider the Social Security Number Privacy and Identity Theft Protection Act of 2001, 107 H.R. 2036, a guide to limiting the use of the SSN.
Other panelists included Barbara Bovbjerg, the Associate Director of the General Accounting Office; James G. Huse, Jr., the Inspector General of the Social Security Administration; Theodore Wern of the Identity Theft Resource Center, and Steve Edwards of the Georgia Bureau of Investigations.
Bovbjerg testified on the public and private sector use of the SSN, and explained how easy it is to obtain false identification through the SSN by citing a study in which the GAO acquired a false state driver's license and a false social security card. Bovbjerg also emphasized the fact that replacement SSN cards are easily obtained and can be sold. Congressman Becerra discussed the possibility of third-party verification of personally identifying documents such as the social security card and the driver's license to protect against fraudulent documents. Inspector General Huse encouraged limiting the availability of the SSN on public documents, and stressed that the use of the SSN as a personal identifier for the private sector is unnecessary (an idea that proved to be a recurring theme throughout the hearing). Wern testified on various forms of identity theft he has seen through his resource center, focusing on the theft of children's identities and those of military personnel. Wern argued that the SSN is the "golden piece of information" for identity thieves, and with a name and birth date, one can easily destroy an individual's credit.
EPIC's Testimony on SSN Misuse is available at:
http://www.epic.org/privacy/ssn/testimony7.10.03.html
July 10 Ways and Means Hearing on Use and Misuse of SSN:
http://www.epic.org/redirect/ssn_misuse_hearing.html
[7] EPIC Bookstore: "Censorship Inc."
Lawrence Soley, Censorship Inc., The Corporate Threat to Free Speech in the United States (Monthly Review Press 2002).
http://www.powells.com/cgi-bin/biblio?inkey=62-1583670661-0
In his review of First Amendment cases, Lawrence Soley argues that the Supreme Court has created a broad bundle of free speech rights against government suppression of expression. Now lawmakers and the courts should turn to the private sector to grant limited First Amendment protections against business censorship. He catalogs the broad array of censorial powers possessed by private entities -- including product defamation lawsuits, massive retailers that ban books and music from stores, and the lack of expressive rights at properties open to and subsidized by the public. "Because such tactics are widely used to restrict speech," Soley argues, "businesses now pose a greater threat to free speech than government."
We live in a world with increasingly powerful private entities, ones that operate our meeting places and communities. For instance, today's equivalent of the Forum is the modern shopping mall. But most mall operators do not allow free speech, and courts in most states don't require it. Further, mall owners can surround their buildings with massive parking lots, insulating the shopper from the possibility of being exposed to the inconvenient ideas presented by protestors. We should consider whether we have lost something as a society when our principal meeting places are insulated from all messages except the commercial.
Soley gives special attention to the censorial efforts of the advertising industry. He introduces the topic with a quote from legendary journalist and editor George Seldes. I've never heard a media lawyer ever utter his name, but he should be on our minds because he accepted no advertising and, as a result, was free to fully cover the misdeeds of big business and tobacco long before ad-dependent mass media could. Soley shows that large advertisers effectively place prior restraints on content by pulling accounts where publications even mentioned cancer, spoke of the availability of non-smoking flights, or covered homosexual lifestyles. Revlon even pulled advertising in an issue of one magazine because the cover bore the faces of women sans makeup. Addressing these issues is difficult because the modern newspaper now contains more advertising than news, and derives its profits from advertising rather than subscriptions.
Nevertheless, we could have a freer future with limited First Amendment protections against private actors. Soley's book pushes us in that direction, towards greater employee rights, free expression for artists and musicians, and for political organizing.
--
Chris Jay Hoofnagle
EPIC Publications:
"The Privacy Law Sourcebook 2002: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/pls2002/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.
"FOIA 2002: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price: $40.
http://www.epic.org/bookstore/foia2002/
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 21st edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"Privacy & Human Rights 2002: An International Survey of Privacy Laws and Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/
This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, video surveillance, location tracking, ID systems and freedom of information laws.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&/
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
[8] Upcoming Conferences and Events
1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunk and Science Fiction. August 11-13, 2003. Prague, Czech Republic. For more information:
http://www.inter-disciplinary.net/vhccsf03cfp.htm
Chaos Communication Camp 2003: The International Hacker Open Air Gathering. Chaos Computer Club. August 7-10, 2003. Paulshof, Altlandsberg, Germany. For more information:
http://www.ccc.de/camp/
WWW2003: 5th Annual Conference on World Wide Web Applications. Department of Information Studies, Rand Afrikaans University, and the Department of Information Systems and Technology, University of Durban-Westville. September 10-12, 2003. Durban, South Africa. For more information:
http://www.udw.ac.za/www2003/
Making Intelligence Accountable, Oslo, Norway, September 19-20, 2003. The Geneva Centre for the Democratic Control of Armed Forces. For more information:
http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html
Privacy2003. Technology Policy Group. September 30-October 2, 2003. Columbus, OH. For more information:
http://www.privacy2000.org/2003/index.html
Subscription Information
Subscribe/unsubscribe via Web interface:
http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Subscribe/unsubscribe via e-mail:
To: epic_news-request@mailman.epic.org
Subject: "subscribe" or "unsubscribe" (no quotes)
Automated help with subscribing/unsubscribing:
To: epic_news-request@mailman.epic.org
Subject: "help" (no quotes)
Problems or questions? e-mail <info@epic.org>
Back issues are available at: http://www.epic.org/alert/
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription e-mail address, if you are experiencing subscription/unsubscription problems, or if you have any other questions.
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate/
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 10.15 .
URL: http://www.worldlii.org/int/journals/EPICAlert/2003/15.html