EPIC Alert 12.22 [2005] EPICAlert 23
EPIC ALERT
Volume 12.22 November 4, 2005
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_12.22.html
Table of Contents
[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
[2] EPIC Testifies on Registered Traveler
[3] New Passports Still to have RFID
[4] EPIC Documents Show Possible Abuses of Intelligence Powers
[5] EPIC, Others Challenge Internet Wiretap Order
[6] News in Brief
[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power"
[8] Upcoming Conferences and Events
[1] EPIC, Patient Privacy Rights Launch Effort to Protect Medical Records
On October 26th, EPIC joined with Patient Privacy Rights in an effort to establish stronger protections in the United States for patients' medical information.
"2005 is the year that the American public learned that massive security breaches of personal information have made identity theft the number one crime in America. We must not allow the most sensitive personal records that exist, our medical records, to go online without adequate privacy safeguards," said EPIC Executive Director Marc Rotenberg.
Congress is rushing to pass legislation to establish a national Health Information Network without patient privacy protections. Yet recent surveys show that Americans consider the privacy of medical records to be a major concern. A Harris poll this past February found that 69 percent of adults do not believe strong enough data security will be installed in the system. An earlier Gallup survey found that 78 percent of the American public feel it is very important that their medical records be kept confidential. And the Markle Foundation found that more than three out of four respondents (79%) supported the right for a patient to control who can access his health information.
"No one should be able to see or use your medical records without your permission," said Dr. Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation. "Americans must have confidence in the privacy and security of their online medical records."
As part of the effort to protect patients' privacy rights, the two groups are circulating an online petition calling for strong medical privacy safeguards.
The petition states simply:
-- I want to decide who can see and use my medical records
-- I do not want my medical records or those of my family's to be seen or used by my employer
-- I should never be forced to give up my right to privacy in order to get medical treatment.
Patient Privacy Rights is an Austin, Texas-based national consumer organization devoted to medical privacy.
"I Want My Medical Privacy!" petition:
http://www.patientprivacyrights.org/petition
Patient Privacy Rights site:
http://patientprivacyrights.org
[2] EPIC Testifies on Registered Traveler
On November 3, the House of Representatives' Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity held hearings on the Transportation Security Administration's Registered Traveler program. The program allows travelers who submit to intensive background screening to pass through airport security screening more quickly.
EPIC Executive Director Marc Rotenberg testified on the problems with the proposed program. He noted the security watchlists that form the basis for the passenger pre-screening are riddled with inaccuracies that are often extremely difficult to correct. Documents released to EPIC under the Freedom of Information Act revealed that over a hundred complaints of such errors were made to the Transportation Security Administration in a period of less than a year.
Rotenberg also said that the program lacked the necessary privacy protections of the Privacy Act of 1974. This is due to the fact that Registered Traveler databases are either owned by private companies that are not regulated by the Act, or the government databases are exempted from federal laws at the request of the Transportation Security Administration.
Finally, Rotenberg cited the risk of "mission creep" within the Registered Traveler program. Using Registered Traveler IDs in situations other than aviation security, as some vendors have suggested, would lead to travelers being allowed or denied access to any number of venues based not upon their risk to that venue, but on their supposed risk to aviation. EPIC recommended that the plan not go forward until these flaws were fixed.
Also testifying before the Committee was Kip Hawley, Director of the Transportation Security Administration. Participants on a second panel with Rotenberg were Charles Barclay of the American Association of Airport Executives, Steven Brill of Verified Identity Pass, and Larry Zmuda of Unisys.
Despite these concerns, representatives on the subcommittee were eager to implement the system and questioned Director Hawley on the program's slow development. They also had many questions for the industry members on the second panel about the role that private businesses would play in the system. Registered Traveler has been conceived as being run by private companies, with the Transportation Security Administration providing the background checks for registered travelers and performing the screening at airports. The involvement of both the Administration and private companies raised privacy concerns with several Subcommittee members.
Representative Dicks (D-WA) questioned Hawley about accuracy of the security watchlists. Using language from Rotenberg's written statement, Congressman Dicks noted that the lists have demonstrated errors (such as listing Senators Kennedy and Young for additional screening) and major obstacles to correcting them (Senator Kennedy had to appeal directly to then-Homeland Security head Tom Ridge). Hawley said that there was a redress process, with a special number added to the erroneous files, and that the process was "very quick." He did not give additional specifics.
As for Privacy Act protections, Brill said that his company would voluntarily abide by all Privacy Act safeguards, which do not ordinarily apply to private companies. Regarding private companies' record with regard to consumers' privacy, Representative DeFazio (D-OR) had "two words for that: Choice Point."
Testimony of Witnesses:
http://homeland.house.gov/release.cfm?id=442
TSA's Registered Traveler site:
http://www.epic.org/redirect/tsa_reg_trav.html
EPIC's Spotlight on Registered Traveler:
http://www.epic.org/privacy/surveillance/spotlight/1005/
EPIC FOIA Note #8:
http://www.epic.org/foia_notes/note8.html
[3] New Passports Still to Have RFID
The State Department announced it will move forward with plans to require new passports to be equipped with Radio Frequency Identification (RFID) chips. The recently issued final rule also attempts to address deficiencies in a previous proposal, which would have made personal data contained in the hi-tech passports vulnerable to unauthorized access.
The previous design would have stored information in the remotely readable passports in unencrypted form. Tests had shown that the passports' RFID chips could be read from two feet or more, posing a significant risk of unauthorized access. The program was widely criticized as unnecessary and insecure by EPIC and other civil liberties groups. The previous design was also criticized by privacy and security experts and the travel industry.
The State Department now plans to cover the passport booklet with metallic shielding that effectively blocks transmission of information when the booklet is not open. The Department also called for the implementation of Basic Access Control, a practice in which the data contained in the RFID chip is stored in encrypted form, and is only decrypted by RFID readers that optically read and decode a key printed on the inside of the passport's cover. This key is also used to encrypt all communications between the passport and the reader.
The State Department, in conjunction with the National Institute of Standards and Technology, will also add shielding to the RFID readers in an attempt to prevent the interception of signals between authorized readers and passports. The State Department did not, however, provide any details concerning this effort.
While these proposed changes should mitigate the most significant risks of skimming and eavesdropping, they invalidate the main justification that the State Department used to promote the use of RFID technology - to save time at Customs by distance scanning with no physical contact required.
Computer Security expert Bruce Schneier has also said that "collision avoidance ID" in the chip still creates serious privacy risks and should be fixed. He writes in a recent column for Wired, "the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny."
Final Rule:
http://edocket.access.gpo.gov/2005/05-21284.htm
EPIC, EFF et al, Comments on RFID passports (pdf):
http://www.epic.org/privacy/rfid/rfid_passports-0405.pdf
EPIC's RFID page:
http://www.epic.org/privacy/rfid
[4] EPIC Documents Show Possible Abuses of Intelligence Powers
Documents obtained by EPIC under the Freedom of Information Act describe thirteen cases of possible government misconduct in intelligence investigations. The documents, written by the FBI's Office of General Counsel, describe Bureau investigations conducted for months without proper reporting or oversight, an FBI agent's seizure of financial records in violation of federal privacy law, and an unidentified intelligence agency's unlawful physical search.
Most matters discussed in the documents were reported to the Intelligence Oversight Board, which is tasked with reviewing intelligence activities. Under an executive order, inspectors general and general counsel throughout the intelligence community must inform the board about "intelligence activities that they have reason to believe may be unlawful or contrary to Executive order or Presidential directive." The board then reports these activities to the President and Attorney General.
The documents obtained by EPIC raise the troubling possibility that hundreds of allegations of unlawful investigations are reported from various agencies to the board each year. Yet there is no requirement that Congress be notified of these allegations or how these matters are ultimately resolved. In response to the documents, EPIC has written a letter to the Senate Judiciary Committee highlighting the need for the Attorney General to report to Congress on potentially unlawful intelligence investigations.
The documents were released by the Bureau in response to an EPIC open government request filed in March for information about the FBI's use of sunsetting provisions of the PATRIOT Act, many of which gave the FBI expanded investigative powers. EPIC filed suit in federal court in May to force the FBI to release the information while Congress is considering renewal of the sunsetting provisions. Congressional conferees are expected to meet soon to reconcile the differences between PATRIOT renewal legislation passed by the House and Senate.
EPIC FOIA documents on possible intelligence abuses (pdf):
http://www.epic.org/privacy/terrorism/usapatriot/foia/iob.pdf
EPIC's FOIA request (pdf):
http://www.epic.org/redirect/fbi_foia_request.html
Letter to the Senate Judiciary Committee:
http://www.epic.org/privacy/terrorism/usapatriot/judiciary_102405.pdf
EPIC's PATRIOT FOIA Page:
http://www.epic.org/privacy/terrorism/usapatriot/foia
EPIC's PATRIOT Sunset Page:
http://www.epic.org/privacy/terrorism/usapatriot/sunset.html
[5] EPIC, Others Challenge Internet Wiretap Order
EPIC joined a coalition of public interest and business groups on October 25 in challenging a Federal Communications Commission order that requires broadband Internet and certain voice-over-Internet Protocol (VoIP) providers to design their systems to ease government wiretapping. The order expands the reach of the 1994 Communications Assistance for Law Enforcement Act.
The law grew out of concerns that, as telephone networks became more advanced, law enforcement agencies would have an increasingly difficult time intercepting and deciphering the communications of suspects under surveillance. In 1994, Congress drafted a law that required telephone companies to provide this assistance to the government. In passing the act, Congress removed from its coverage e-mail and “information services” like America Online and Prodigy.
The Commission's expansion of the law will apply it to broadband Internet providers and to "interconnected VoIP" providers, whose systems are capable of interfacing with the traditional telephone network. The Commission also claimed that the wiretap law covered VoIP services that did not connect to regular telephones, but that it would address those technologies in a later ruling.
The groups contend that the law specifically prohibits the FCC's expansion of its scope, and that applying it to these other technologies will lead to privacy and security flaws. To challenge the Commission's order, they filed a petition for review, which brings the issue before the federal Circuit Court of Appeals for the D.C. Circuit. EPIC is joined in the challenge by the American Library Association, the Association of Research Libraries, the Center for Democracy and Technology, COMPTEL, the Electronic Frontier Foundation, pulver.com, and Sun Microsystems.
Petition for Review (pdf):
http://www.epic.org/privacy/wiretap/calea/petition102505.pdf
The FCC's order (pdf):
http://ftp.fcc.gov/FCC-05-153A1.pdf
Text of the wiretap law:
http://www.epic.org/privacy/wiretap/calea/calea_law.html
EPIC's wiretap page:
http://www.epic.org/privacy/wiretap/
[6] News in Brief
Alito Paper on Privacy
EPIC has obtained a copy of the final report prepared by Supreme Court nominee Samuel Alito for a 1972 conference on "The Boundaries of Privacy in American Society." The paper proposes far-reaching protections for the right of privacy, and specifically addresses such topics as the use of census data, polygraphs, domestic surveillance, communications privacy, computer security and encryption, consumer protection, and homosexuality.
Copy of Alito's 1972 report (pdf):
http://www.epic.org/privacy/justices/alito/report110205.pdf
Spotlight: Facial Recognition Systems Don't Picture Privacy
This month, Spotlight focuses on facial recognition systems. The Department of Homeland Security has spent millions of dollars on these "smart" cameras that attempt to identify people based on their facial images. However, several tests show the systems are not reliable. Facial recognition systems also create significant privacy risks: the cameras are often hidden and there are no laws to prevent abuse.
EPIC's Spotlight on Surveillance page:
http://www.epic.org/privacy/surveillance/spotlight/1105/
EPIC's Facial Recognition page:
http://www.epic.org/privacy/facerecognition/
Public Voice Privacy Symposium: Debut of Privacy and Human Rights 2005
Government data protection authorities, academics, and human rights and privacy groups gathered at the University of the Andes in Bogota, Colombia on October 20-21 to hold the Public Voice Symposium on Privacy and Data Protection in Latin America: Analysis and Perspectives. The symposium gave experts from Latin America and the United States an opportunity to analyze and debate the most current public policy issues and recent developments in privacy in Latin America. The meeting also marked the introduction of the first Spanish-language edition of EPIC's annual Privacy & Human Rights survey.
Symposium website (in English and Spanish):
http://www.thepublicvoice.org/events/bogota05/
Presentations available at:
http://www.cpsr-peru.org/eventos/privacidad2005/presentaciones
47 Attorneys General Urge Congress to Protect Data Security
47 Attorneys General urged party leaders in the House and Senate to pass a strong security breach notification law. The letter is in response to a series of bills that have been introduced to address security breaches and identity theft at the federal level, many of which are substantially weaker than existing state law. The Attorneys General argued quick notification is necessary because Federal Trade Commission statistics show that the cost and severity of identity theft are reduced when victims are informed shortly after their information is misused.
The Attorneys General also called for the ability of consumers to freeze their credit report. Freezing a credit report makes it very difficult for identity thieves to open new accounts in another's name. The Attorneys General specified that credit freeze should be low cost for consumers, free for identity thieves, and easy to "thaw" so that consumers can take advantage of credit offers.
The Attorneys General letter is online at (pdf):
http://www.naag.org/news/pdf/20051028-signon-InfoSecurityIDTheftLetter.pdf
Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors:
http://ssrn.com/abstract=650162
ID Thieves Prey on Financial Aid
According to the Wall Street Journal, identity thieves have found a new target for fraud: the government. Identity thieves are posing as students in order to collect federal student financial aid. One thief profiled by the Journal assumed 43 identities and stole $316,000 in federal aid. The thief committed the crime by purchasing a list of names of prison inmates, and using their personal information for fraud.
The article is online at:
http://online.wsj.com/article/SB113019456857878139.html
[7] EPIC Bookstore: Renee Marlin-Bennett's "Knowledge Power;
Intellectual Property, Information & Privacy"
http://www.powells.com/partner/24075/biblio/71-1588262812-0
Where are the lines between privacy, intellectual property, and information flows?
Renee Marlin-Bennett offers perspective on the central question: How do the ability to own intellectual property and information and the ability to control how information flows become a source of power? This book provides a good review of the history of Intellectual Property and the key changes in information technology that elevated the discussion of privacy in cyberspace to the forefront of public discourse.
One interesting reminder that the publication offers is that the rules regarding intellectual property were established in the West and are quickly being adopted by the developing world. Intellectual property rights are dictating the global commercial exchange of goods and services. The rules that define property rights are called "Commodification." These legal protections are based solely on human invention and not strict ownership definitions. The author asserts that what has followed under the regime of intellectual property is a good indication of where we are going.
This book reminds readers that computers and more importantly the Internet have changed the dynamics of personal information flow. Digital information presents challenges to privacy and information transaction control. With the speed and ease of sending personally identifiable information globally the stakes are high on getting privacy over the Internet wrong. Today inappropriate or illegal information transactions can and do happen.
Renee Marlin-Bennett's book "Knowledge Power; Intellectual Property, Information & Privacy," should be read by those just learning or well versed on the topics of intellectual property, information, and privacy.
Lillie Coney
EPIC Publications:
"Privacy & Human Rights 2004: An International Survey of Privacy Laws and Developments" (EPIC 2004). Price: $50.
http://www.epic.org/bookstore/phr2004
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/foia2004
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/
The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and international privacy law, as well as a comprehensive listing of privacy resources.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
"The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy," Sarah Andrews, editor (EPIC 2000). Price: $40.
http://www.epic.org/cls
The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.
"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20.
http://www.epic.org/bookstore/crypto00&
EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books http://www.powells.com/features/epic/epic.html
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/cgi-bin/control/foia_notes
[8] Upcoming Conferences and Events
Contours of Privacy: Normative, Psychological, and Social Perspectives. Carleton University. November 5-6, 2005. Ottawa, Canada. For more information:
http://www.carleton.ca/cove/contours/
12th ACM Conference on Computer and Communications Security. Association for Computing Machinery: Special Interest Group on Security, Audit, and Control. November 7-11, 2005. Alexandria, VA. For more information:
http://www.acm.org/sigs/sigsac/ccs/CCS2005/
Regulating Identity Theft and Data Breaches. American Bar Association Section of Administrative Law and Practice. November 17, 2005.
Washington, DC. For more information:
http://www.abanet.org/adminlaw/conference/2005/home.html
The Federal Bank Regulator's Approach to Data Security. American Bar Association Section of Administrative Law and Practice. November 17, 2005. Washington, DC. For more information:
http://www.abanet.org/adminlaw/conference/2005/home.html
The World Summit on the Information Society. Government of Tunisia.
November 16-18, 2005. Tunis, Tunisia. For more information:
http://www.itu.int/wsis
Internet Corporation For Assigned Names and Numbers (ICANN) Meeting.
November 30-December 4, 2005. Vancouver, Canada. For more information:
http://www.icann.org
Fifth International Conference on Data Mining. IEEE Computer Society.
November 27-30, 2005. Houston, TX. For more information:
http://www.cacs.louisiana.edu/~icdm05/
First International Conference on Availability, Reliability and Security. Vienna University of Technology. April 20-22, 2006. Vienna, Austria. For more information:
http://www.ifs.tuwien.ac.at/ares2006/
Subscription Information
Subscribe/unsubscribe via web interface:
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news
Back issues are available at:
http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
URL: http://www.worldlii.org/int/journals/EPICAlert/2005/23.html