---------------------------------------------------------------
EPIC DIGEST AT PRIVACY.ORG

EPIC-DIGEST is an update of news, information, and action items posted on privacy.org.

March 27, 2002-June 6, 2002

TOC------------------------------------------------------------

NEWS

Proposed Doubleclick Settlement
New Privacy Policy Survey
EPIC Carnivore Case Moves Forward
Yahoo Changes Privacy Policy
Battling Spam
Blank Birth Certificates Stolen: Illustrates Weakness in Proposed National ID
NCSU Seeks Participants for Privacy Study
Juno Forced To Provide Clear Notice to Changes in Contract Terms
How Smart are Smart Cards?
New International Privacy Law Survey
Yahoo Gets Away With Privacy Switch
Ford Credit ID Theft
Interim Report on Face Recognition from Palm Beach
Gumming Up Fingerprint Identification
TV Studios Want Surveillance of Viewers
EC Investigates MS Passport

NEWS-----------------------------------------------------------

Proposed Doubleclick Settlement

A New York district court has announced a proposed settlement in litigation concerning Doubleclick, the company that sought to secretly profile Internet users. The settlement would affect all Internet users who "had Doubleclick cookies placed upon their computers or browsers between Jan 1, 1996 and March 28, 2002." The agreement will, among other things, require future DoubleClick cookies to expire within 5 years, two years after the typical user has changed computers. DoubleClick has also agreed to give consumers clear notice and choice of any data-collection practices within its privacy policy. Among other provisions, the settlement requires DoubleClick to obtain permission from consumers before combining any personally identifiable data with Web surfing history.

Proposed Settlement.
http://settlement.doubleclick.net/settlement/

DoubleClick nearing privacy settlements, CNET News, Mar. 29, 2002.
http://news.com.com/2102-1023-871654.html

---------------------------------------------------------------

New Privacy Policy Survey

Internet sites appear to be collecting less personal information from consumers and doing a slightly better job explaining how Web sites use such sensitive data, according to a survey by an opponent of new privacy laws. The Progress and Freedom Foundation, a Washington think tank, said Wednesday that its survey of 300 Web sites picked at random and 85 more of the Internet's most-popular sites showed about eight in 10 of the most-popular collected personal information from consumers other than e-mail addresses. A similar study in 2000 showed a higher number. The study suggests that firms are responding to consumer concerns and that they may also have overestimated the economic value of collecting personal information.

Progress & Freedom Foundation Report (pdf).
http://www.pff.org/publications/privacyonlinefinalael.pdf

Survey: Web Sites Collect Less Data, Associated Press, March 27, 2002.
http://www.washingtonpost.com/wp-dyn/articles/A25056-2002Mar27.html

Survey: Internet Users Have More Control Over How Data Is Used, Washington Post, March 27, 2002.
http://www.washingtonpost.com/wp-dyn/articles/A25920-2002Mar27.html

FTC Report from May 2000.
http://www.ftc.gov/os/2000/05/index.htm#22

---------------------------------------------------------------

EPIC Carnivore Case Moves Forward

EPIC has succeeded in its effort to compel the FBI to conduct a more complete search for documents concerning the Carnivore Internet surveillance system. U.S. District Judge James Robertson issued an order on March 25 in EPIC's FOIA lawsuit directing the Bureau to initiate a new search for responsive documents. The search must be conducted in the FBI's offices of General Counsel and Congressional & Public Affairs, and be completed no later than May 24, 2002.

Court Order.
http://www.epic.org/privacy/carnivore/court_order.html

EPIC's Carnivore FOIA page.
http://www.epic.org/privacy/carnivore/

FBI to divulge more Carnivore details, CNET News, March 27, 2002.
http://news.com.com/2100-1023-870028.html

---------------------------------------------------------------

Yahoo Changes Privacy Policy

In what has become a trend among profitable large Internet companies, Yahoo announced that it is resetting consumer privacy preferences so that it can market consumers' personal information, including selling telephone numbers and e-mail addresses to telemarketers and other marketing firms. Consumers will have 60 days to overturn Yahoo's preferences. There has been widespread protest from consumers regarding this change.

Yahoo's Updated Policy.
http://privacy.yahoo.com/privacy/us/

Yahoo! sneaks in yet more spam, MSNBC, March 29, 2002.
http://www.msnbc.com/news/731517.asp?0dm=C11JT

Yahoo's 'Opt-Out' Angers Users, Wired News, April 2, 2002.
http://www.wired.com/news/privacy/0,1848,51461,00.html

---------------------------------------------------------------

Battling Spam

The LA Times ran an excellent story on the problem of spam and on the solutions for tackling it. The Cato Institute recently hosted a forum on the subject as well, with representatives from the FTC, EPIC, Truste, and the Direct Marketers Association. Spam is a growing problem, and combating it successfully presents a number of novel technical and policy challenges.

State Spam Laws Rarely Enforced, LA Times, April 1, 2002.
http://www.latimes.com/technology/la-000023286apr01.story

The Spam Wars: What Can Be Done about the Annoying, Unsolicited E-mail That Is Driving Us Crazy?, Cato Policy Forum, March 27, 2002.
http://www.cato.org/events/020327pf.html

Spam Laws web site run by law professor David Sorkin that tracks Spam legislation.
http://www.spamlaws.com/

---------------------------------------------------------------

Blank Birth Certificates Stolen: Illustrates Weakness in Proposed National ID

The Denver County Vital Statistics Office recently discovered that it lost a large number of blank birth certificates, death certificates, and an electric city and county seal. This equipment could be used to create false breeder documents for the purposes of obtaining a National ID card. This theft illustrates why even a total overhaul of the state driver's license system would do little to increase security.

Branch Theft section of the AAMVA Web site.
http://www.aamva.org/weekinreview/branchtheftnotices.asp

EPIC National ID Page.
http://www.epic.org/privacy/id_cards

---------------------------------------------------------------

NCSU Seeks Participants for Privacy Study

Researchers at North Carolina State University (NCSU) are conducting an online survey about privacy. The survey is supported by a National Science Foundation research grant.

The Privacy Place Survey, NCSU.
http://www.theprivacyplace.org/privacySurvey/surveyPage1.php

---------------------------------------------------------------

Juno Forced to Provide Clear Notice to Changes in Contract Terms

New York State Attorney General Eliot Spitzer today announced a settlement with Juno, an Internet Service Provider, that requires the company to provide its subscribers with clear, conspicuous, and advance notice of all material changes to its service agreement. The Attorney General's investigation found that during February and March 2001, in an effort to establish a "Virtual Supercomputer Project" that would potentially link subscribers to a vast, distributive computing system, Juno failed to provide its subscribers with sufficient notice of several controversial and unorthodox amendments to its service agreement.
Among these were terms stating that subscribers authorized Juno to download so-called "computational software" onto their computer, change the screen saver, and permit Juno to require subscribers to leave their computers on at all times to allow remote access by Juno. Likewise, according to the new contractual terms, consumers would be liable for all costs, expenses, and maintenance or technical issues resulting from continuous operation of the computer.

Attorney General Press Release, May 7, 2002.
http://www.oag.state.ny.us/press/2002/may/may07b_02.html

Juno's controversial plan to rent space on your PC, Wall Street Journal Online, February 1, 2001.
http://zdnet.com.com/2100-11-527858.html?legacy=zdnn

---------------------------------------------------------------

How smart are Smart Cards?

Two University of Cambridge computer security researchers plan to describe on Monday an ingenious and inexpensive attack that employs a $30 camera flashgun and a microscope to extract secret information contained in widely used smart cards. The newly discovered vulnerability is reason for alarm, the researchers said, because it could make it cost-effective for a criminal to steal information from the cards. Smart cards are used for dozens of different applications, including electronic identity protection, credit and debit cards and cellular phone payment and identity systems. They are being touted by Representatives Moran and Davis of Virginia for use in their national identification system.

Vulnerability Is Discovered in Security for Smart Cards, New York Times, May 13, 2002.
http://www.nytimes.com/2002/05/13/technology/13SMAR.html

Modernizing the State Identification System, Progressive Policy Institute.
http://www.ppionline.org/ppi_ci.cfm?knlgAreaID=140&subsecID=290&contentID=250175?
EPIC's Biometric page.
http://www.epic.org/privacy/biometrics

---------------------------------------------------------------

New international privacy law survey

White & Case, a global law firm, has conducted a survey of national privacy laws in 15 commercially prominent jurisdictions around the world, which documents the rapid growth and diverse range of laws and regulations aimed at protecting privacy and controlling the use of data in the information economy. The survey aims to inform business interests about “[the] rising tide of legal and regulatory measures addressing how companies may aggregate and disseminate one of their most valuable commercial assets - business data.”

The survey found that all 15 jurisdictions have some form of privacy law in place, and eight of them have active proposals for significant changes to their current laws. In only one jurisdiction - Hong Kong - have the privacy laws remained largely unchanged since 1996. “These survey results reflect the general feeling among consumers that they want more privacy and stronger legal protection of it, coupled with the perception among consumer-oriented companies that their businesses will thrive only if their customers feel secure,” says the lead author of the survey.

Full Report (pdf).
http://www.whitecase.com/report_global_privacy.pdf

White & Case press release.
http://www.whitecase.com/pr_wc_privacy_law_survey.html

Multinationals Face Rise in Complex Privacy Laws, Financial Times, May 3, 2002.
http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3SEMSYQ0D&live=true&tagid=IXLMS1QTICC&subheading=global%20economy

EPIC’s Privacy & Human Rights Survey 2001.
http://www.epic.org/bookstore/phr2001/

---------------------------------------------------------------

Yahoo Gets Away With Privacy Switch

The New York Times reports on data released by comScore on Yahoo’s privacy switcheroo. The data shows that Yahoo's changes got users' attention.
In the four weeks from March 25 to April 21, nearly a million Internet users in the United States looked at Yahoo's new privacy policy. That figure represents 1 percent of Internet users in the United States and was up sharply from the preceding four weeks, when only 0.3 percent of Yahoo users read its privacy policy. Slightly more people, 1.1 million, visited the page Yahoo had set up where users could "opt out" by telling the site not to send e-mail or other messages (subscribe.yahoo.com/showaccount). That page did not exist before the portal's policy change. But only 73,000 users, comScore projects, considered ending their relationship with Yahoo by visiting the page that actually cancels their Yahoo accounts, which can include e-mail and other services. That was fewer, even, than the month before, when 114,000 users went to the page. (ComScore is unable to tell if the visitors to the page actually do push the button to close out their Yahoo accounts.)

The Yahoo Privacy Storm That Wasn't, New York Times, May 13, 2002.
http://www.nytimes.com/2002/05/13/technology/ebusiness/13YAHO.html

comScore.
http://www.comscore.com

---------------------------------------------------------------

Ford Credit ID Theft

Ford Motor Credit Co. is warning 13,000 people that they may be vulnerable to identity theft because their credit reports were illegally accessed. The FBI's Detroit office is investigating how computer-savvy thieves posed as Ford Credit personnel -- possibly using company pass codes -- to gain access to a database used by Experian, a credit reporting agency, and download the personal information of 13,000 consumers. Only about 400 of the 13,000 individuals were customers of Ford Credit, and about 610 of the victims lived in Michigan, the company said. The 13,000 customers were apparently targeted because they live in affluent areas and were likely to have good credit ratings.
In some cases, the credit reports of every homeowner on a given street were downloaded, indicating the thieves were fairly sophisticated. The credit files included social security numbers, addresses, account numbers, creditor names and payment history -- everything needed to commit credit fraud.

Ford Credit discovers ID theft: 13,000 left exposed in computer fraud, The Detroit News, May 16, 2002.
http://detnews.com/2002/autosconsumer/0205/16/a01-491275.htm

Ford Credit Warns of Identity Theft, Associated Press, May 16, 2002.
http://www.nytimes.com/aponline/business/AP-Ford-Credit.html

Privacy Rights Clearinghouse ID Theft Resources.
http://www.privacyrights.org/identity.htm

---------------------------------------------------------------

Interim Report on Face Recognition from Palm Beach

Interim results of a test of face-recognition surveillance technology obtained by the American Civil Liberties Union from Palm Beach International Airport confirm previous results showing that the technology is ineffective. According to documents released to the ACLU pursuant to a request under Florida's open-records law (the "Sunshine" law), the system failed to match volunteer employees who had been entered into the database 503 out of 958 times, or 53 percent of the time. Even with recent, high quality photographs and subjects who were not trying to fool the system, the face-recognition technology was less accurate than a coin toss.
Airport Face Scanner Failed, Wired News, May 16, 2002.
http://www.wired.com/news/privacy/0,1848,52563,00.html

Palm Beach Report (pdf).
http://www.aclu.org/issues/privacy/FaceRec_data.pdf

ACLU Face Recognition Page.
http://www.aclu.org/issues/privacy/FaceRec_Feature.html

Richard Smith’s Expert Report on Face Recognition, Fall 2001.
http://www.computerbytesman.com/facescan/presentation/index.htm

---------------------------------------------------------------

Gumming up fingerprint identification

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.

Fun with Fingerprint Readers, Counterpane’s Crypto-Gram.
http://www.counterpane.com/crypto-gram-0205.html#5

Gummi bears defeat fingerprint sensors, The Register, May 16, 2002.
http://www.theregister.co.uk/content/55/25300.html

Impact of Artificial "Gummy" Fingers on Fingerprint Systems (report).
http://cryptome.org/gummy.htm

---------------------------------------------------------------

TV Studios Want Surveillance of Viewers

Two weeks ago, numerous television studios persuaded a judge to issue an order requiring SONICblue to electronically monitor and record the TV uses of its customers. The ReplayTV 4000 is a personal video recorder (PVR) that allows users to digitally store television programming to hard disks for later viewing. SONICblue had never before collected viewing data from ReplayTV 4000 users because of privacy concerns.
In an amicus brief, civil liberties and consumer groups argue that the court order infringes on individuals' privacy rights and intellectual freedom. A federal court has put on hold the previously ordered product re-engineering of the ReplayTV pending a hearing on June 3rd, 2002.

EPIC’s amicus brief.
http://www.epic.org/privacy/replaytv/amici_brief_eick_order.pdf

Judge Freezes Order To Snoop On SonicBlue Customers, Newsbytes, May 15, 2002.
http://www.newsbytes.com/news/02/176603.html

Sonicblue granted stay in "spying" order, CNET News, May 15, 2002.
http://news.com.com/2100-1040-914370.html?tag=fd_top

EPIC Press Release, May 13, 2002.
http://www.epic.org/privacy/replaytv/press_release_051302.html

"Fair Use" Is Getting Unfair Treatment, Business Week, May 14, 2002.
http://www.businessweek.com/technology/content/may2002/tc20020514_1528.htm

---------------------------------------------------------------

EC Investigates MS Passport

The European Commission is investigating the Microsoft Passport online identification and authentication system. EPIC filed complaints with the Federal Trade Commission in July and August 2001 alleging that the system is designed to profile users and that the company engaged in unfair and deceptive trade practices. Testimony in the Microsoft antitrust trial demonstrated that the company intended to build the largest databases of profiles on the planet for ad targeting.

Microsoft in EU Commission Privacy Probe, New York Times (Reuters), May 25, 2002.
http://www.nytimes.com/reuters/business/business-tech-microsoft-eu.html

Complaint and Request for Injunction, Request For Investigation and for Other Relief (PDF), In Re Microsoft.
http://www.epic.org/privacy/consumer/MS_complaint.pdf

Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief (PDF), In Re Microsoft.
http://www.epic.org/privacy/consumer/MS_complaint2.pdf

EPIC Sign Out of Passport Page.
http://www.epic.org/privacy/consumer/microsoft/

---------------------------------------------------------------

How to unsubscribe from EPIC-DIGEST:

You can leave the EPIC-DIGEST by entering the subscription e-mail address at http://www.privacy.org/digest.php and selecting "unsubscribe."

There is also an administrative page for changes to your subscription at https://mailman.epic.org/cgi-bin/control/epic_digest

Or, you can send a blank e-mail message to epic_digest-request@mailman.epic.org from the subscribed address with the following text in the subject line: unsubscribe

If you experience difficulty with subscription issues, send a message to digest-editor@privacy.org.

---------------------------------------------------------------

Privacy.org is a joint project of the Electronic Privacy Information Center (http://www.epic.org) and Privacy International (http://www.privacyinternational.org). For more information, e-mail Chris Hoofnagle at digest-editor@privacy.org.

---------------------------------------------------------------

EPIC-DIGEST Privacy Policy: http://www.privacy.org/privacy.php

---------------------------------------------------------------
END EPIC-DIGEST