Daily updates on privacy stories in the news.

September 2003 Archives

U.S. Unveils Visa Tracking System

The United States has announced plans for an automated system to track all foreign visitors on U.S. soil. Details of the system, called US Visitor and Status Indication Technology, or US VISIT, will be released in November and the government hopes to have it up and running by 2005. The tracking system is designed to prevent terrorists and criminals from obtaining visas but has broad privacy implications.

U.S. Readies Program to Track Visas
The Washington Post, September 29, 2003

Gov't Statistics Contradict Inflated Telemarketing Claims

At various times, representatives of the telemarketing industry have claimed that telemarketing is responsible for over $600 billion in annual sales and five million jobs. However, these statistics are clearly inflated. First, the industry groups' numbers are generated from closed studies, and the public cannot view the raw data from which the conclusions are drawn. The telemarketing studies cannot be subjected to meaningful peer review because they are drafted in secrecy. Second, if in fact $600 billion in annual sales were made with telemarketing, that would mean that the average US household buys $6,000 of goods and services from telemarketers each year.

Furthermore, the 1997 US Economic Census shows that telemarketing only contributes $20 billion to the economy and just over 500,000 jobs.

1997 Economic Census: NAICS 561422 Telemarketing bureaus, US Census.

FTC Appeals Court Decision Invalidating Do Not Call List

The FTC last Friday appealed a federal judge's decision declaring the do-not-call plan a violation of free speech and hence unconstitutional. Officials said that for now telemarketers will not have to comply with the Oct. 1 starting date for the do-not-call list. However, the Direct Marketing Association announced that it is urging its members to abide by the rules voluntarily and cease calling numbers on the registry this week.

FTC Tries To Save No-Calls Registry
The Washington Post, September 27, 2003

Trade Group To Abide by No-Calls List
The Washington Post, September 29, 2003

ACLU Sues RIAA to Protect Student Anonymity

The ACLU has filed suit in Massachusetts arguing that Boston College should not be forced to reveal the name of a BC student accused by the RIAA of being a large-scale file trader. The RIAA says that the issues raised in the case have already been addressed by the courts in a challenge brought by Verizon.

ACLU Challenges Music Industry in Court
The New York Times, September 29, 2003

Total Information Awareness Dept. Shut Down

The Senate today passed a $368 billion Pentagon spending measure that eliminates funding for the Total Information Awareness office. The office, headed until recently by retired admiral John M. Poindexter, was responsible for the controversial Total Information Awareness surveillance program as well as a proposed terrorism futures market. Its elimination, along with the postponement of CAPPS II implementation, shows Congress is prepared to take strong steps to protect privacy.

Congress Shuts Pentagon Unit Over Privacy
The New York Times, September 26, 2003

EPIC's Total Information Awareness Page

EPIC's Air Travel Page

Congress, Courts Battle Over Do Not Call List

In a series of twists and turns, the Federal Trade Commission's Do Not Call list went from off to on to off again in a span of 24 hours. Late yesterday, Congress quickly passed a resolution overturning an Oklahoma federal court decision that had invalidated the registry earlier in the day. However, just minutes later a U.S. District Court in Colorado found that the Do Not Call list violated the First Amendment, throwing the status of the registry into disarray once again. Judge Edward W. Nottingham, ruling in favor of the American Teleservices Association, found the registry unconstitutional because it discriminated based on type of speech, allowing charitable organizations to call while banning telemarketers. It is unclear what the registry's fate will now be.

Call List Is Again Blocked In Court
The Washington Post, September 26, 2003

Court Invalidates Do-Not-Call List

A U.S. District Court in Oklahoma struck down the Federal Trade Commission's provisions for a national Do-Not-Call registry, stating that the federal commission lacked the authority to develop the list. Telemarketing experts said that the Do-Not-Call list, which was supposed to prevent telemarketers from calling individual numbers starting October 1, may not be able to take effect unless the agency wins an appeal or Congress gives the agency the power to implement the list. Rep. W.J. "Billy" Tauzin (R-La.), chairman of the House Energy and Commerce Committee, and Rep. John D. Dingell (D-Mich.), the committee's ranking minority member, issued a joint statement this morning saying they "will take whatever legislative action is necessary to ensure consumers can stop intrusive calls from unwanted telemarketers."

Court Knocks Down 'Do Not Call' List
The Washington Post, September 24, 2003

EPIC Telemarketing Page

Banks Need to Improve Consumer Privacy

Comptroller of the Currency John Hawke declared Monday that banks have not done enough to protect personal information since the Gramm-Leach-Bliley Act of 1999. In a speech to the American Bankers Association at its annual meeting, Hawke stated that, "Progress toward self-regulation and standard-setting in the privacy area since GLBA has not been what one would have hoped for."

OCC's Hawke: Bks Haven't Done Enough On Consumer Privacy
The Wall Street Journal, September 23, 2003

Consumers Question ID Theft Accountability

Despite the multitude of cautionary tales, identity theft remains a real problem for millions of Americans, and government has been slow to react. Although consumers can take steps to protect themselves, victims argue that banks and businesses that extend credit should be more accountable. As the Kansas City Star reports, "experts say a major reason for the surge in identity theft is that more businesses have made credit easier to get. The Internet makes purchases possible without a photo or even a signature. Many stores now offer instant credit." As a result, consumers are easy targets for identity theft, and they are left cleaning up the mess.

Costs of ID theft persist; Victims struggle to repair credit
The Kansas City Star, September 14, 2003

EPIC Files Complaints Regarding JetBlue

The Electronic Privacy Information Center filed a complaint with the Federal Trade Commission about JetBlue and Acxiom in response to the airline's recent admission of divulging passenger information to the government contractor, in clear violation of its own privacy policy. EPIC alleged that JetBlue and Acxiom violated federal consumer law when they transferred information on passengers. EPIC also filed expedited Freedom of Information Act requests with several federal agencies to discover more about the uses of the JetBlue data.

In a separate action, a group of JetBlue passengers, incensed that the low-fare airline gave away their personal information, filed a class action lawsuit in Utah on behalf of 5 million passengers. The lawsuit, filed in 3rd District Court by five passengers, alleges the airline violated its own confidentiality policies in turning the information over, and also claims breach of contract, invasion of privacy and violations of Utah consumer laws against deceptive business practices.

JetBlue Target of Inquiries by 2 Agencies
The New York Times, September 23, 2003

JetBlue draws fire for sharing data
The Salt Lake Tribune, September 23, 2003

EPIC homepage (includes information on FTC complaint and FOIA suits)

CA Enacts Further Privacy Protections

California has firmly established itself as a trailblazing state when it comes to privacy protections. Just this week, Governor Gray Davis signed into law two bills addressing consumer privacy concerns. The first law, A.B. 213, takes effect July 1 and regulates the use of data recorders known as "black boxes" that come equipped in some cars. The law requires carmakers to disclose the existence of such devices and forbids access to the data without either a court order or the owner's permission, unless it is for a safety study in which the information cannot be traced back to the car.

The second law, signed today by Davis, represents the most far-reaching of any anti-spam legislation in the U.S. The law, which is set to take effect on Jan. 1, outlaws sending most commercial e-mail to or from the state that the recipient did not explicitly request. It stipulates fines of $1,000 for each unsolicited message sent up to $1 million for each campaign.

Text of Bill AB 213

Privacy Law in California Shields Drivers
The New York Times, September 23, 2003

California Moves to Ban Unsolicited E-Mail
The New York Times, September 23, 2003

Patriot II Unnecessary

In an editorial today, the New York Times spoke out on the need for restraint regarding Patriot Act measures and called on the Bush administration to heed the concerns of the act's critics.

Patriot Act, Part II
The New York Times, September 22, 2003

EU Takes Stand on Passenger Data

The European Union commissioner in charge of data protection issues, Frits Bolkestein, is holding a meeting in Brussels with Asa Hutchinson, the under secretary for border and transportation security at the Department of Homeland Security, to discuss the sharing of international passenger data. At issue is whether European airlines should be compelled to hand over information on their passengers to the U.S. government for use in American anti-terrorism passenger profiling systems. The transfer of such information currently violates many European privacy laws.

Europe Fights U.S. Over Passenger Data
The New York Times, September 22, 2003

EPIC Passenger Profiling Page

Senators Call for Limits on Affiliate Sharing

Senators Boxer (D-CA) and Feinstein (D-CA) have called upon the Senate Banking Committee to place limits on affiliate sharing in legislation that will amend the Fair Credit Reporting Act. Specifically, the Senators requested that the bill contain "privacy language consistent with the spirit of California's new privacy law, SB 1." The Senators explain in the letter that affiliate sharing can lead to unwanted marketing, profiling, the creation of internal credit reports that are not regulated by federal law, and even homeland security risks.

EPIC FCRA Page.

Canadian Privacy Commissioner Releases Annual Report

Canada's Interim Federal Privacy Commissioner has released his office's 2002-03 annual report. The report highlights the Office's activities under both private sector and public sector privacy legislation.

Privacy -Annual Report to Parliament 2002-2003

Spam Bill Adds Self-Policing Component

One of the primary bills in Congress to crack down on spam contains a new provision that would shield bulk e-mailers from penalties if they agree to police themselves. According to the revised draft of the bill, bulk mailers could form a self-regulatory group that would voluntarily maintain anti-spam standards - and exempt members from legal penalties. The idea of a self-governing organization has been supported by several of the big Internet e-mail account providers, most particularly Microsoft. Consumer advocates decry the proposal, saying it severely weakens anti-spam efforts.

Self-Policing Added to Spam Bill
The Washington Post, September 18, 2003

UK Makes Spam a Crime

Britain has become the second country in Europe to criminalize spam. Under the new British law, spammers face an $8,057 fine if convicted in a magistrates court. The fine from a jury trial would be unlimited. Spammers would not face prison, according to the new law.

Unlimited fines threatened for spam emails
The Guardian, September 19, 2003

The Privacy and Electronic Communications Regulations 2003 (pdf)

JetBlue Confirms Sharing Passenger Data

JetBlue Airways has confirmed that in 2002 it had provided 5 million passenger itineraries to a defence contractor for proof-of-concept testing of a Pentagon project unrelated to airline security, without the passengers' consent. The contractor, Torch Concepts, then augmented that data with Social Security numbers and other sensitive personal information, including income level, to develop what looks to be a study of whether passenger-profiling systems such as CAPPS II are feasible. JetBlue clearly violated its own privacy policy by transferring its passenger data. Such a violation could be grounds for an investigation of unfair business practices by the Federal Trade Commission, which has the authority to fine companies and issue injunctions.

JetBlue Shared Passenger Data
Wired, September 18, 2003

Committee Proposes Drivers License Standards

A House GOP policy committee met last week to discuss implementing minimum uniform standards for the issuance of driver's licenses. House Select Committee on Homeland Security Chair Christopher Cox (R-CA) argued that driver's licenses can be easily falsified and proposed requiring Social Security Numbers to receive a license. The committee also discussed state-to-state sharing of license information. While Cox denied any desire to establish a national ID system, such measures might set a precedent in this direction.

GOP Policy Committee Looks to SSN's for Minimum State Licensing Standards
Privacy & Security Law Report, September 15, 2003

Business Interests Promote FCRA

A coalition of banks, credit card companies and retailers has banded together to combat efforts by states and individuals to impose strict privacy standards. Using their considerable financial sway, they have thrown their support behind legislation reauthorizing the Fair Credit Reporting Act, which preempts state regulations, trying to convince legislators and the public that allowing states (such as California) to implement their own financial privacy standards would hamper consumer credit. But as consumer advocates and privacy groups argue, stricter privacy regulations will help, not hurt, consumers.

Give 'Em Credit
Capital Eye, September 17, 2003

CAPPS II to Use JetBlue Passenger Data

Privacy advocates report that the U.S. Government will test its new anti-terrorism passenger profiling system, dubbed CAPPS II, using old passenger itineraries from JetBlue Airlines. JetBlue allegedly will replace Delta Airlines as the testing company, after Delta backed out due to public pressure earlier this year. Brian Turmail, a Transportation Security Administration spokesman, denied that any such agreement had been reached and said that to date CAPPS II had not been tested on any historical travel data.

JetBlue Data to Fuel CAPPS Test
Wired, September 16, 2003

Retail Group to Promote Product Tracking Devices

A consortium of retailers and consumer goods companies that make up the Auto-ID Center at MIT will unveil new product-tracking technology at a meeting of the center's sponsors in Chicago. The center will release the Electronic Product Code Network, a replacement for the traditional bar code, that tracks product codes and serial numbers, as well as demonstrate radio frequency identification tags that can identify a product's location. Protesters from consumer groups and privacy advocates plan demonstrations in Chicago at McCormick Place, where the technology will be unveiled.

Radio Tag Debut Set for This Week
Wired, September 15, 2003

Anti-Terrorism Laws Used for Other Purposes

The Associated Press reports that the new authority given law enforcement by the Patriot Act is being used more against common crime than combatting actual terrorism. Federal prosecutors have brought more than 250 criminal charges under the law, with more than 130 convictions or guilty pleas. Stefan Cassella, deputy chief for legal policy for the Justice Department's asset forfeiture and money laundering section, said that while the Patriot Act's primary focus was on terrorism, lawmakers were aware it contained provisions that had been on prosecutors' wish lists for years and would be used in a wide variety of cases. However, civil liberties and legal defense groups are bothered by the string of cases, and say the government soon will be routinely using harsh anti-terrorism laws against run-of-the-mill lawbreakers.


New Terror Laws Used Vs. Common Criminals
The Associated Press, September 14, 2003

Bush Administration Pushes for "Patriot Act II"

President Bush announced a three-point plan to expand government's counterterrorism powers. In the plan, the administration is seeking broad new authority to allow federal agents to demand private records and compel testimony without the approval of a judge or even a federal prosecutor. Bush also wants to expand the use of the death penalty in crimes like terrorist financing, and he wants to make it tougher for defendants in such cases to be freed on bail before trial. These proposals would vest the Justice Department, already under mounting criticism for the original Patriot Act, with a wealth of new power and discretion, causing concerns among privacy and civil liberties advocates, as well as many legislators.

Bush Seeks to Expand Access to Private Data
The New York Times, September 14, 2003

Software Maker Introduces Anti-Spyware Product

Software maker interMute has introduced SpySubtract, an application to combat spyware. Spyware is software that can track which websites a computer user visits, and is implanted by marketing interests to better tailor their online advertising. interMute's software would combat spyware by scanning a user's PC for spyware, or adware, and automatically removing it. It is specially constructed to fight software from Gator, one of the major producers of spyware.

Antispyware maker hunts down Gator
CNet, September 9, 2003

U.S. Postpones Deadline for New Passports

The U.S. has decided to postpone enforcement of new antiterrorism regulations that require travelers from 27 countries to have new, computer-coded passports to enter the States. They said the new passport rules, which were supposed to take effect on Oct. 1, will not be enforced until October 2004. The State Department decided to delay implementation of the rules by more than a year because of the chaos that could have resulted next month when travelers unaware of the new rules tried to enter the United States with old-style passports. Many of the countries, including France, Spain, and Switzerland, were not on track to have all their passports in compliance by the original deadline.

New Passport Rules Are Put Off by U.S.
The New York Times, September 8, 2003

UK Police Call for DNA Database

Police in Britain have called for debate on the possibility of collecting genetic codes from every U.K. resident. Kevin Morris, chairman of the Police Superintendents' Association, proposed the idea in a speech at the group's annual conference on Tuesday, arguing that it would help tackle unsolved crimes. Britain's foremost civil liberties group, Liberty, has already come out in opposition to the proposal. Barry Hugill, Liberty's spokesperson, said, "We find the idea of a DNA database covering a (British) population of 60 million a frightening scenario."

British Police Propose Universal DNA Database
CNSNews.com, September 9, 2003

Concerns Over Patriot Act Grow

As the second anniversary of the Sept. 11, 2001, attacks approaches, the Bush administration's war on terror has produced a secondary battle: fierce struggles in Congress, the courts and communities such as these over how the war on terror should be carried out. At the heart of this debate is the USA Patriot Act, the law signed by President Bush 45 days after the terror strikes that enhanced the executive branch's powers to conduct surveillance, search for money-laundering, share intelligence with criminal prosecutors and charge suspected terrorists with crimes. As Attorney General John Ashcroft and the Bush administration continue to assert the necessity of the Patriot Act, an increasing number of individuals and organizations, including EPIC, are voicing concerns over the power the act bestows upon government and the secrecy in which it operates.

Fierce Fight Over Secrecy, Scope of Law
The Washington Post, September 7, 2003

EPIC Patriot Act Page

FOIA Requests Surged In 2002

The number of Freedom of Information Act and Privacy Act requests to federal government agencies reached a record high in 2002, according to a new report from the Justice Department Office of Information and Privacy. The total number of requests increased by seven percent over the previous year to a new high of 2,402,938. Agencies invoked 142 different nondisclosure statutes to withhold information under FOIA exemption. Personal privacy was the most frequently cited single exemption.

Summary of Annual FOIA Reports for Fiscal Year 2002
U.S. Department of Justice, September 5, 2003

LA Times: Congress Should Strengthen Financial Privacy

The LA Times has urged Congress to protect financial privacy by applying a new California law to the entire nation. The law is SB 1, which passed last month and allows individuals to opt-out of some affiliation sharing, and requires opt-in for 3rd party use of personal information. The editors argue that the federal Fair Credit Reporting Act doesn't protect financial privacy, and that "Americans are fed up with and want curbs on banks, insurers and telemarketers that swap and profit from their personal financial data."

The editors argue that "Stronger, not weaker, regulation is needed because identity theft is rampant and total outstanding consumer credit has soared from $556 billion in 1970 to an estimated $7 trillion now."

EDITORIAL A Privacy Message to D.C.
LA Times, September 5, 2003

California Senate Bill 1
California Legislative Information Site.

EPIC Financial Privacy Resources.

WI Bill Seeks to Block Posting of Personal Info

A new Wisconsin state bill would prohibit state government agencies from posting personal information such as social security numbers, birth dates, and work telephone numbers on the Internet. Similar information could still be obtained by visiting a government agency's office.

Bill seeks Internet ID protection
The Wisconsin Post-Crescent, September 5, 2003

New Privacy Bill Being Considered in California

The California Assembly will consider Senate Bill 27, new legislation that would require businesses to disclose whether they sell personal information for direct marketing. The California Senate has already passed the bill, which was introduced by Senator Figueroa (D-Fremont).

If passed, Californians could write to companies to request whether their information is sold and to whom it is sold. In most circumstances under current law, businesses can sell personal information for junk mail and telemarketing with no notice or right of opt-out for the individual. The law would take effect in January 2005, and allow individuals to sue for violations.

Senate Bill 27
California Legislative Information Site

FTC Releases ID Theft Report

The Federal Trade Commission released a report on the phenomenon of identity theft in the United States. The report is based on a survey of more than 4,000 U.S. adults on the topic and the related experience of victims. According to the FTC, 300 million hours and $5 billion were wasted last year by victims trying to clear their name of fraudulent actions done by others. Despite limiting the survey to credit card identity theft only, the FTC survey shows that in all 27.3 million Americans were affected by identity theft over the past five years, including 9.9 million people in the last year alone. Identity theft also hurt the corporate world, with businesses and financial institutions tallying losses nearing $48 billion. Although constantly reminded of the threat posed by ID theft by groups such as EPIC, the FTC have "never been clear as to the scale of the problem", and were greatly surprised by the findings.

FTC, Businesses Renew Fight Against ID Theft
The Washington Post, September 3, 2003

Tracking Technology Pervading Consumer Goods

In a U.S. News and World Report cover story, the magazine details the rise of tracking devices in consumer goods. GPS chips, capable of tracking individuals' whereabouts, are being installed in cell phones and cars. And retailers are experimenting with RFID tags to monitor merchandise. While this new location technology promises an array of benefits - emergency services that respond better, real-time driving directions to avoid traffic jams, and better-stocked store shelves offering cheaper goods - left unchecked, such technologies "will allow corporations or the government to constantly monitor what individual Americans do every day," warns the American Civil Liberties Union in a recent report.

They Know Where You Are
U.S. News and World Report, September 8, 2003

Coalition To Combat ID Theft

Internet retailers and security companies have formed a group, called the Coalition on Online Identity Theft, to battle online identity theft. The coalition will focus on four main goals: expanding public education campaigns; promoting technology and tips for preventing and dealing with online theft; documenting and sharing non-personal information about emerging online fraudulent activity to prevent future scams; and working with the government to ensure effective enforcement of criminal penalties against cyber thieves.

The groups' approaches are not likely to address the problem of identity theft. Many of the groups actively lobby against privacy legislation, and have opposed security laws that would require companies to notify consumers when security breaches occur.

Online Merchants, Security Firms Target ID Theft
The Washington Post, September 2, 2003

Lawyers Challenge RIAA Subpoena

Lawyers for a New York woman accused of unlawfully sharing music over the Internet suggested yesterday that the recording industry violated state and federal laws by intercepting the woman's Internet address as its investigators scoured file-sharing networks looking for songs to download.

Lawyers Probe Music File-Sharing Hunts
The Washington Post, September 2, 2003

South African Law Commission Issues Privacy Report

The South African Law Commission has issued a series of reports including one focusing on privacy and data collection. The issue paper devoted special attention to information privacy. The commission is currently considering proposals for possible law reform regarding, among other things, whether privacy and data protection should be regulated by legislation, and how the general principles of data collection could be developed and incorporated into legislation. Comments are due by December 1st.

Law Commission Issues Papers On Stalking, Privacy
South African Press Association, August 28, 2003

Privacy Complaints On the Rise In Australia

The number of privacy complaints filed with Australia's Privacy Commissioner has skyrocketed over the past year as the Commissioner's office struggles to deal with the deluge. The Office received more than 30,000 inquiries and 1000 written complaints this year, hundreds of which required a formal investigation.

Privacy complaints soar
Australian IT, September 2, 2003

U.S. Used Illegally Obtained Personal Data

The U.S. government has been cut off from a major source of data on Latin American citizens. The U.S. had purchased access to a database containing the personal information of 65 million voting-age Mexican citizens, allowing three dozen U.S. agencies to use it to track and arrest suspects inside and outside the U.S. However, the data vendor, Atlanta-based ChoicePoint Inc., recently erased its files on citizens in Mexico, Argentina and Costa Rica after an outcry from these countries and others in Latin America regarding the company's means of obtaining this information. In particular, the Mexican government complained that its federal voter rolls were the source of ChoicePoint's data, and were likely obtained illegally by a Mexican company that sold them to the vendor. All told, ChoicePoint has collected personal information on residents of 10 Latin American countries - apparently without their consent or knowledge.

ChoicePoint Said To Stop Selling Data On Mexicans To US
The Wall Street Journal, August 31, 2003