You are here:
WorldLII >>
Databases >>
EPIC Alert >>
2003 >>
[2003] EPICAlert 16
Database Search
| Name Search
| Recent Articles
| Noteup
| LawCite
| Help
EPIC Alert 10.16 [2003] EPICAlert 16
EPIC ALERT
Volume 10.16 August 6, 2003
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_10.16.html
Table of Contents
[1] TSA Issues CAPPS II Notice; Expands System
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
[3] Bill Introduced to Reverse PATRIOT Act Provisions
[4] GAO Privacy Act Report Indicates Need for Better Compliance
[5] Researchers Find Flaws in Electronic Voting
[6] News in Brief
[7] EPIC Bookstore: Secure Coding: Principles & Practices
[8] Upcoming Conferences
[1] TSA Issues CAPPS II Notice; Expands System
The Transportation Security Administration (TSA) has released asupplementary Privacy Act notice outlining its plans to administer
theEnhanced Computer Assisted Passenger Profiling System (CAPPS II). Theagency claims that CAPPS II will enhance transportation
security byrelying upon private-sector database companies to identify passengers,
and a set of secret procedures to perform a risk assessment ontravelers. Passengers will be assigned a risk score by CAPPS thatcould
subject them to heightened security screening or detention.
The notice is more specific about the TSA's planned collection, use,
and storage of personal information than an earlier release in January2003, but fundamental privacy problems with CAPPS remain. The
systemestablishes a government checkpoint on almost all commercial aviationthat could be extended to other forms of transportation,
or even tosecurity at government buildings.
In a significant expansion of the program, TSA announced that CAPPS IIwill not only scan for suspected terrorists, but also for those
wantedfor violent crimes.
The notice announces TSA's plans to allow a "passenger advocate" toprovide access to information in CAPPS, along with an appeals processto
address errors. However, the notice exempts CAPPS II from a numberof Privacy Act requirements, including duties to grant access
topersonal information, duties to make an accounting of disclosures ofpersonal information, provisions that limit the scope of informationthat
can be maintained by the agency, and accountability provisionsthat apply criminal penalties for misuse of personal information.
Any member of the public can comment on the CAPPS II notice untilSeptember 30, 2003.
The TSA CAPPS II Notice is available at:
http://www.epic.org/redirect/capps_notice.html
More information about CAPPS II and air travel privacy is available atEPIC's Air Travel Privacy Page:
http://www.epic.org/privacy/airtravel
[2] Data Privacy Bill Introduced; Admiral Poindexter To Resign
Senator Ron Wyden (D-OR) has introduced S. 1484, the Citizens'
Protection in Federal Databases Act. The bill would require theDepartments of Justice, Defense, Homeland Security, Treasury, CentralIntelligence
Agency, and the Federal Bureau of Investigation to submita report to Congress on use of private-sector databases, or losefunding
for purchasing personal information from companies such asChoicePoint and Lexis-Nexis.
The report must give a detailed description of the contracts that theagencies have with private sector profilers. The report will
alsocover how the agencies access personal information, how data mining isbeing employed, the type of data purchased, the purposes
for which theinformation is used, whether there are security or audit mechanisms inplace, and data retention practices.
The bill prohibits using data mining without some suspicion ofcriminal wrongdoing. That provision was included to prohibit the useof
so called "red teams" that would invent hypothetical scenarios forpossible terrorists attacks and then search databases to detect
tracesof their fabricated plans.
In a separate development, Admiral John Poindexter, chief of theDefense Advanced Research Projects Agency's Information AwarenessOffice,
will resign. Controversy surrounded Poindexter's appointmentto the office, where he spearheaded research projects that had highlyinvasive
applications, such as Total Information Awareness (TIA) andHuman ID at a Distance. Poindexter was well known in the computersecurity
community for his involvement in National Security DecisionDirective Number 145, a 1984 policy that would have given the NationalSecurity
Agency control over security for all government computersystems containing "sensitive but unclassified" information. This wasfollowed
by a second directive that extended military authority overall computer and communications security for the federal governmentand
private industry.
The text of the Citizens' Protection in Federal Databases Act isavailable at:
http://thomas.loc.gov/cgi-bin/query/z?c108:S.1484:
Information about how private sector profilers use public recordsinformation is available at EPIC's Public Records Page:
http://www.epic.org/privacy/publicrecords
FBI Documents Detailing Use of Private Sector Databases are availableat:
http://www.epic.org/privacy/publicrecords/cpfbippt.pdf
The text of NSDD 145 is available at:
http://www.fas.org/irp/offdocs/nsdd145.htm
Information about Total Information Awareness is available atEPIC's Total Information Awareness Page:
http://www.epic.org/privacy/profiling/tia
[3] Bill Introduced to Reverse PATRIOT Act Provisions
Senator Lisa Murkowski (R-AK) has introduced a bill meant to addressrisks to civil liberties posed by the USA PATRIOT Act. The Protectingthe
Rights of Individuals Act (PRIA), cosponsored by Senator Ron Wyden(D-OR), is intended to curtail considerable law enforcement search
andseizure powers now permitted under the USA PATRIOT Act.
If enacted, the PRIA would require law enforcement agencies to obtaincourt orders to conduct electronic surveillance, and would heightenjudicial
oversight of law enforcement monitoring of certain telephoneand Internet communications. Law enforcement officials could delaynotification
of an issued warrant or court order only when immediatenotification might jeopardize an investigation or threaten thephysical safety
of an individual. Law enforcement agencies attemptingto place roving wiretaps on telephones would have to demostrate to ajudge that
a crime has been, or will be, committed. The PRIA wouldalso limit the Federal Bureau of Investigations's ability to accesssuch personal
information as an individual's medical, library, andInternet records without demonstrating probable cause that theindividual is an
agent of a foreign power.
In addition, the PRIA would forbid data-mining without explicitauthorization from Congress, and would require the Office of theAttorney
General to publish annual reports disclosing certain aspectsof its search activities under the USA PATRIOT Act. Further, the billwould
restrict law enforcement requests to libraries to turn overinformation regarding Internet use by library patrons to theinvestigation
standards provided in the Foreign IntelligenceSurveillance Act (FISA).
In related news, the American Civil Liberties Union (ACLU) recentlyfiled the first legal challenge to the USA PATRIOT Act. In MCA,
etal. v. Ashcroft and Mueller, the ACLU alleges that the broad scope ofFBI search power authorized by the USA PATRIOT Act violates
the First,
Fouth, and Fifth Amendments of the Constitution.
The text of the Protecting the Rights of Individuals Act is availableat:
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s1552:
Information about the USA PATRIOT Act is available at EPIC's USAPATRIOT Act Page:
http://www.epic.org/privacy/terrorism/usapatriot
Additional information about USA PATRIOT Act developments is availableat EPIC's PATRIOT II Page:
http://www.epic.org/privacy/terrorism/patriot2.html
Information about the Foreign Intelligence Surveillance Act (FISA) isavailable at EPIC's FISA Page:
http://www.epic.org/privacy/terrorism/fisa
The ACLU's Complaint in MCA, et al. v. Ashcroft and Mueller isavailable at:
http://www.aclu.org/Files/getfile.cfm?id=13247
[4] GAO Privacy Act Report Indicates Need for Better Compliance
On July 30, the General Accounting Office (GAO) released a reportfinding that compliance with the Privacy Act by government agencies
isinconsistent and, as a result, individuals cannot be assured thattheir privacy rights are being protected. The report, "Privacy
Act:
OMB Leadership Needed to Improve Agency Compliance," was initiated atthe request of Sen. Joseph Lieberman (D-CT), Ranking Minority
Memberof the Senate Committee on Governmental Affairs.
The Privacy Act requires that a governmental agency observe certainprocedures when it is collecting personal information that isretrieved
by a personal identifier. These procedures call for theagency to collect only necessary information, provide public noticewhen creating
or altering record-keeping systems, and safeguard theinformation.
The GAO, studying a cross section of 25 agencies and systems rangingfrom files of five persons to 290 million persons, found thatrespondents'
compliance with the Privacy Act ranged from 70 percent to100 percent. The GAO estimates that for 10 percent of the systemskept,
agencies allow individuals to access personal information overthe Internet. Privacy officers at the subject agencies explained theneed
for more oversight and guidance by the Office of Management andBudget (OMB) in order to increase compliance. As a result, GAO'soverarching
recommendation was for increased OMB oversight. The OMB,
charged with setting forth guidelines and regulations for agencyimplementation of the Privacy Act, disagreed with the report'sconclusion
and recommendations, finding the statements "reckless andirresponsible" based on the compliance data.
While the GAO was careful to conclude that the lack of compliance doesnot mean that the government will not protect individuals' privacyrights,
it did make clear that, under these circumstances, privacyprotection cannot be assured.
The GAO report, "Privacy Act: OMB Leadership Needed to Improve AgencyCompliance," is available at:
http://www.gao.gov/new.items/d03304.pdf
The text of the Privacy Act is available at:
http://thomas.loc.gov/cgi-bin/bdquery/z?d093:SN03418:
[5] Researchers Find Flaws in Electronic Voting
A recent study conducted by computer science researchers at JohnsHopkins University has found that electronic voting systems contain"significant
security flaws" that may subject election results tofraud by both voters and those involved in election administration.
process.
The researchers conducted the study using source code found on theInternet that is believed to be the proprietary code of theAccuVote-TS
touch-screen voting system produced by Diebold ElectionSystems.
The study found that the voting machines' use of "smartcards" rendersthe system vulnerable to tampering by voters as well as "insiders
suchas poll workers, software developers and even janitors," all of whomcould cast multiple votes due to the voting system's failure
toprovide a means to track such misconduct. The report was alsocritical of the system's failure to provide a paper "audit trail"
thatcan be reviewed by voters for accuracy. The researchers conclude that"there appears to have little quality control in the [softwaredevelopment]
process."
The researchers' report urges openness in the software developmentprocess to facilitate the creation of better quality electronic
votingsoftware. Alternatively, the researchers recommend that electronicvoting systems include a voter-verifiable paper audit trail
to ensureaccuracy in the voting process.
Diebold voting machines have already been used in elections inMaryland, Georgia, California, and Kansas, among other locations.
Maryland election officials recently ordered $55.6 million worth oftouch-screen voting equipment from Diebold in preparation for theimplementation
of electronic voting throughout the state.
The Johns Hopkins researchers' report "Analysis of an ElectronicVoting System" is available at:
http://www.avirubin.com/vote.pdf
More information about electronic voting is available at:
http://www.verifiedvoting.org
To sign a petition urging voter-verifiable ballot trails, see:
http://www.verifiedvoting.org/resolution.asp
[6] News in Brief
CA Fed. Court Rules that FCRA Preempts Local Privacy Law
In a serious setback to privacy rights, a federal district court inthe Northern District of California has ruled that the Fair CreditReporting
Act preempts city ordinances that established certainheightened privacy protections. The ordinances, enacted in severalCalifornia
cities and counties, required financial institutions toobtain opt-in consent before sharing personal information amongstaffiliated
and non-affiliated entities. The ordinances were intendedto supplement the federal Gramm-Leach-Bliley Act (GLBA), which setsweak,
opt-out standards for information sharing among non-affiliates,
and does not allow any choice in regards to affiliate sharing. Thecourt invalidated opt-in requirements for affiliate sharing, butupheld
an opt-in standard for non-affiliate information sharing. Thecourt's decision is likely to be appealed, as Congress clearlyintended
to allow states to regulate information sharing in passingthe GLBA.
The opinion in Bank of America v. Daly City, Nos. 02-4343 & 02-4943(N.D. Cal. July 29, 2003) is available at:
http://www.epic.org/privacy/glba/boavdalycity.pdfHomeless Tracking System Announced
The Department of Housing and Urban Development announced itsguidelines for "Homeless Management Information Systems" (HMIS). HMISis
a standard system for tracking homeless persons and the servicesrendered to them. Entities that provide services would collect theirnames,
Social Security Numbers, dates of birth, race, gender, healthstatus (including HIV, pregnancy, and domestic violence), veteranstatus,
and income information.
Although the plan does not call for a national, centralized database,
the information collected could easily facilitate the creation of anational database in the future. Furthermore, law enforcement,
SecretService, and National Security access to the database would be nearlyunlimited. The guidelines are open to public comment
until September22, 2003.
HUD Homeless Management Information Systems webpage:
http://www.hud.gov/offices/cpd/homeless/hmis
Colleges Seek to Quash P2P Subpoenas Under FERPA
Boston College and the Massachusetts Institute of Technology arerelying upon the Federal Educational Rights and Privacy Act (FERPA)
toinvalidate subpoenas directed to the institutions that seek theidentity of students using peer-to-peer file sharing systems. TheRecording
Industry Association of America issued the subpoenas in anattempt to bring suit against students operating popular file sharingsystems
on the campuses. The subpoenas, issued under the DigitalMillennium Copyright Act (DMCA) present a serious risk to privacy asthey
allow a copyright holder to determine the identity of an Internetuser without meaningful due process.
The EPIC Letter on P2P Monitoring in Higher Education is available at:
http://www.epic.org/privacy/student/p2pletter.html
More information about education privacy is available at EPIC's FERPAPage:
http://www.epic.org/privacy/student
[7] EPIC Bookstore: Secure Coding: Principles & Practices
Mark G. Graff and Kenneth R. van Wyk, Secure Coding: Principles &
Practices (O'Reilly 2003).
http://www.powells.com/cgi-bin/biblio?inkey=4-0596002424-0
Attacks on computer systems and networks occur today at an alarmingrate. Worms, malevolent mail, and distributed denial of serviceattacks
undermine systems around the globe
--
from banks to majore-commerce sites to critical infrastructure computers. Despite theirmany manifestations and targets, nearly all
attacks have onefundamental cause: the code underlying these computers and networks isnot secure.
Finally, a book takes aim at the fundamental problem challenging thevery future of the Internet. Packed with expert advice based
on theauthors' decades of experience, Secure Coding sheds light on theeconomic, psychological, and practical reasons why securityvulnerabilities
are so ubiquitous today. Much more than a technicaltome, this concise and engaging book is a call to arms, a challenge toall of
us to finally make a commitment to building secure code. Thefuture of technology may very well depend on our heeding the call.
EPIC Publications:
"The Privacy Law Sourcebook 2002: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2002).
Price: $40. http://www.epic.org/bookstore/pls2002/
The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists
who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.
"FOIA 2002: Litigation Under the Federal Open Government Laws," HarryHammitt, David Sobel and Mark Zaid, editors (EPIC 2002). Price:
$40.
http://www.epic.org/bookstore/foia2002/
This is the standard reference work covering all aspects of theFreedom of Information Act, the Privacy Act, the Government in theSunshine Act, and the Federal Advisory Committee Act. The 21stedition fully updates the manual
that lawyers, journalists andresearchers have relied on for more than 25 years. For those wholitigate open government cases (or
need to learn how to litigatethem), this is an essential reference manual.
"Privacy & Human Rights 2002: An International Survey of Privacy Lawsand Developments" (EPIC 2002). Price: $25.
http://www.epic.org/bookstore/phr2002/
This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey
examinesa wide range of privacy issues including data protection, telephonetapping, genetic databases, video surveillance, location
tracking, IDsystems and freedom of information laws.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet ContentControls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0/
A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens
free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls/
The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested
in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand
the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price:
$20. http://www.epic.org/bookstore/crypto00&/
EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption
products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption
to law enforcement.
EPIC publications and other books on privacy, open government, freeexpression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore/
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
[8] Upcoming Conferences and Events
Chaos Communication Camp 2003: The International Hacker Open AirGathering. Chaos Computer Club. August 7-10, 2003. Paulshof,
Altlandsberg, Germany. For more information: http://www.ccc.de/camp/
1st Global Conference: Visions of Humanity in Cyberculture, Cyberpunkand Science Fiction. August 11-13, 2003. Prague, Czech Republic.
For more information:
http://www.inter-disciplinary.net/vhccsf03cfp.htm
NSF Cyber Trust Point Meeting. Johns Hopkins University InformationSecurity Institute. AUGUST 13-15, 2003. Baltimore, Maryland.
Formore information: http://www.jhuisi.jhu.edu/institute/cybertrust.html
Voting Machines: A Threat To Democracy? The Ethical Society.
September 7, 2003. Philadelphia, Pennsylvania. For more information:
http://www.phillyethics.net
Surveillance and Privacy 2003: Terrorists and Watchdogs. Baker &
McKenzie Cyberspace Law and Policy Centre and Univeristy of New SouthWales Law Faculty. September 8-9, 2003. Sydney, Australia.
For moreinformation: http://www.bakercyberlawcentre.org/2003/Privacy_Conf/
25th International Conference of Data Protection and PrivacyCommissioners. September 10-12, 2003. Sydney, Australia. For moreinformation:
http://www.privacyconference2003.org/
WWW2003: 5th Annual Conference on World Wide Web Applications.
Department of Information Studies, Rand Afrikaans University, and theDepartment of Information Systems and Technology, University
ofDurban-Westville. September 10-12, 2003. Durban, South Africa. Formore information: http://www.udw.ac.za/www2003/
Making Intelligence Accountable, September 19-20, 2003. Oslo, Norway.
The Geneva Centre for the Democratic Control of Armed Forces. Formore information:
http://www.dcaf.ch/news/Intel%20Acct_Oslo%200903/ws_mainpage.html
Privacy2003. Technology Policy Group. September 30-October 2, 2003.
Columbus, OH. For more information:
http://www.privacy2000.org/2003/index.html
Getting the Technology You Deserve: Community Participation inRegional Cable Franchise Policy. Computer Professionals for SocialResponsibility.
October 25, 2003. Seattle, Washington. For moreinformation: http://www.cpsr.org/conferences/annmtg03/
ICANN Meeting. Internet Corporation for Assigned Names and Numbers.
October 27-31, 2003. Carthage, Tunisia. For more information:
http://www.icann.org/carthage/
Subscription Information
Subscribe/unsubscribe via Web interface:
http://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Subscribe/unsubscribe via e-mail:
To: epic_news-requestmailman.epic.org
Subject: "subscribe" or "unsubscribe" (no quotes)
Automated help with subscribing/unsubscribing:
To: epic_news-requestmailman.epic.org
Subject: "help" (no quotes)
Problems or questions? e-mail <infoepic.org >
Back issues are available at: http://www.epic.org/alert/
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or
share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do
not enhance (linkto other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail addressfrom this list, please follow the above instructions under"subscription
information". Please contact infoepic.org if you wouldlike to change your subscription e-mail address, if you areexperiencing subscription/unsubscription
problems, or if you have anyother questions.
About EPIC
The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus
public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord
privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail infoepic.org, http://www.epic.org or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140(tel),
+1 202 483 1248 (fax).
If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible.
Checks should be made out to "EPIC" and sent to 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you cancontribute
online at:
http://www.epic.org/donate/
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation
ofencryption and expanding wiretapping powers.
Thank you for your support.
END EPIC Alert 10.16
.
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/journals/EPICAlert/2003/16.html