Loaded Question
- From March 2008 newsletter
The death of conservative commentator William F. Buckley, Jr., in February recalls this story he told about himself in 1978, when the moderator of a panel asked him and others whether they had ever been victims of an invasion of privacy.
On a recent trip, Buckley said, a hefty woman at airport security was rummaging through his carry-on baggage. She pulled out a package of Preparation H, a tonic for hemorrhoids, and held it up. Within hearing range of several fellow passengers, she bellowed to the urbane Buckley, “Do these work?”
TV Monitoring in Public Places:
Effectiveness Not Determined
- From the March 2008 issue
Does installation of video surveillance in public places work? There has been a dearth of studies in the U.S. addressing that crucial question. The federal government and hundreds of local governments simply assume that the answer is yes, aided by hundreds of vendors who insist that high-tech equipment will indeed reduce or deter crime.
A report entitled "Video Surveillance of Public Places" issued in 2006 by the Office of Community Oriented Policing of the U.S. Department of Justice “notes that while there is a general perception among system managers and the public that video surveillance cameras are effective in preventing crime, actual evidence of crime reduction is more difficult to find,” according to a review of the literature by the Office of the Information and Privacy Commissioner in Ontario, Canada.
The Ontario report, "Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation," “found numerous studies on the effectiveness of video surveillance on crime, in a broad range of settings. These studies varied substantially, however, in terms of their methodological rigor.”
The report cited only two from the U.S.: The Department of Justice study, conducted by criminologist Jerry Ratcliffe at Temple University, and one conducted by Marcus Nieto of the California Research Bureau in 1997. . .
For the full story, ask for a sample copy of our Msrch 2008 issue.
Order back issues. Ask for our discounted rates.
Need a speaker or an expert witness on privacy, surveillance, ID theft, medical confidentiality, credit reporting? Call us, 401/274-7861.
"What about Life Lock? Is it worth it?" asks a reader.
- From the February issue
LifeLock is the “identity-theft protection service” whose chief executive, Todd Davis, announces his own Social Security number just to show how confident he is that his company will protect him and others from identity theft.
For a monthly fee, these companies merely monitor your credit record to look for abnormal activity and place a “security freeze” (or “fraud alert”) on your credit record. That means that the credit bureau must check with you before issuing a credit report.
Abnormal activity on your credit file is often a sign of identity theft, but some forms of ID theft do not alter your credit record. In some forms of identity theft, an undocumented immigrant uses the victim’s SSN to get a drivers license or birth certificate. In other forms, a stranger uses the victim’s ID when committing a crime. Checking credit reports will not detect these forms. And, the companies like LifeLock that monitor credit activity are known to miss signs of ID theft in credit reports.
By federal law, you are entitled to one look at your credit report per year without charge; after that the fee is nominal. And in most instances you can get a fraud alert without charge.
No company can guarantee against ID theft, as LifeLock claims it can.
LifeLock admitted that a crook has used Davis’ Social Security number to obtain a $500 check-cashing loan from a business in Ft. Worth, Tex. Davis said that the check-cashing company didn’t pull a credit check and therefore LifeLock’s methodology didn’t prevent this theft of identity.
Similarly, the host of “Top Gear” on British Broadcasting System TV, Jeremy Clarkson, wrote a newspaper column dismissing the threat of identity theft after the British government admitted losing two compact discs with personal data on more than 25 million persons. He published his bank account information and hinted at his home address, defying anyone to abuse it. The most anyone can do, he wrote, is put funds into my account. A week later, a hacker set up a $1000 monthly debit from his account to a diabetes charity, and Barclay’s Bank isn’t sure that it can stop it. “I was wrong and I was punished,” Clarkson said afterwards
Dems Favor Clinton on Anti-Terror vs. Rights;
GOP Prefers Giuliani, in Harris Survey
- From January 2008 issue
When asked which Presidential candidates “you trust the most” to strike the right balance between protecting civil liberties and combating potential terrorism, 39 percent of Democrats said Hillary Clinton and 24 percent said Barack Obama, according to a Harris Poll conducted last month.
Among Republicans, 27 percent selected Rudy Giuliani, 17 percent chose John McCain, and 12 percent said Mike Huckabee. Nineteen percent of Republicans is not sure which of their candidates is stronger on this issue, and an identical percentage of Democrats is not sure about their candidates.
Only four percent said Mitt Romney was equipped to get the balance right between civil liberties and terrorism). Thus, voters’ rankings in this one-issue poll roughly tracked voters’ preferences in national polls for each candidate.
For the full story write to us and ask for the January 2008 issue free.
LOOK: From a Surveillance Camera Viewpoint
- From the December 2007 issue
Citizens have been accepting of surveillance cameras everywhere, but there are signs of intolerance. Attitudes may be shaped in the most significant ways by an innovative Hollywood film set for release in December.
Writer and director Adam Rifkin shot the entire new film Look from the perspective of security cameras. “That’s what makes Rifkin’s acclaimed new film so shocking,” said Newsweek. The scenes in the film seem at first to be intrusive, but random shots – now commonplace in our surveillance society. But in the end they form a chilling tale about real peoples’ lives.
“We’re not taking sides,” the co-producer of the film Barry Schuler told PRIVACY JOURNAL. “Privacy and security are far too complex. But the cameras are everywhere, and it’s not just government surveillance; there is ‘citizen video’ everywhere.” Schuler, a former chief executive of America Online and framer of many of its early traits, added, “This is just not on people’s radar screen yet. And the default position is it keeps growing.”
Call or send an email for a free copy of the full story in our December 2007 issue.
Passport Office Gets FBI Access
- From the November 2007 issue
Since the inception of the National Crime Information Center in 1967, the FBI’s automated database of wanted persons and multiple offenders, the bureau has insisted that the data would be available only to law-enforcement agencies. Gradually that assurance has been chipped away.
The latest non-law enforcement agency to have access is the Passport Services Office in the U.S. Department of State.
Still, the FBI in its required notice about the NCIC system states, “Data stored in the NCIC is documented criminal justice agency information and access to that data is restricted to duly authorized criminal justice agencies.” With access only to the wanted persons sector of NCIC, the passport office will be required to confirm any “hit” with the originating police department, which must send a substantive response promptly or send back a “negative confirmation” The system is plagued with a rate of errors or incomplete records far in excess of 33 percent.
(For more, ask us for a copy of our November 2007 issue.)
ID Theft Precaution: Free 'Shredathon'
- From November 2007 issue
As part of his campaign against identity theft, Rob McKenna, the attorney general of the State of Washington, has organized a series of "shredathons" around the state. A private company in the shredding business provides the community shredder and a local organization provides the publicity. Citizens are invited to bring boxes of their sensitive documents to the site for secure shredding.
Lost or stolen mail and other documents with Social Security numbers and credit-card data on them are one source for identity thieves to get the information they need to co-opt someone’s credit accounts, but they are probably not the predominant source.
The first shredathon was held last April 18 at 29 locations around Washington State.
(For more, ask us for a copy of our November 2007 issue.)
Scary Stuff - Excerpts
-- From the October 2007 issue
As the government officials responsible for enforcing privacy laws worldwide met in September in Montreal, there was little of the traditional talk about the nuts and bolts of data protection like opt-in, transparency, or transborder data flows.
Instead, there were urgent and distressed discussions about uberveillance, ambient technology, ubiquitous computing, ingestible bugs, and nanotechnology.
The terms may be overlapping and may in fact be somewhat synonymous. They all refer to an environment in which electronic media are everywhere, gathering and processing information in a seamless way, beyond the control of each human being.
The discussions began a few years ago with recognition of a coming Internet of things, much as public awareness of the Internet began in the 1980s with talk of an information super highway. . . .
One prime speaker, Ian Kerr, Canada Research Chair in Ethics, Law and Technology at the University of Ottawa, noted that the Canadian Supreme Court had established a hierarchy of privacy values: bodily or personal privacy (highest level of protection), territorial privacy, and informational privacy (less protection).
The technology, as well as the law, has “smudged” the traditional hierarchy, said Kerr. He cited as evidence new human-area networking technology that permits the human body to be the conduit for electronic transmissions – of information, instructions, behavior and a lot more. See www.redtacton.com.
A co-panelist with Kerr cited Eastman-Kodak’s announcement this year that it has developed an RFID identifying chip that may be swallowed by humans – an ingestible bug. The patent filing suggested potential uses, including monitoring “bodily events,” tracking how a person’s digestive track is absorbing medicine, or verifying how a specific medicine is interacting with other drugs in one’s body. The RFID tag would disintegrate eventually, the company said.
Other futurists used the terms ubiquitous computing and pervasive or invasive computing. Some European privacy officers believe that that ambient intelligence is an even greater challenge to European privacy enforcers than terrorism. Ambient intelligence refers to an environment in which electronic devices support human beings in their daily activities.
Michael G. Michael, a theologian and technology historian at the University of Wollongong, in New South Wales, Australia, warned that uberveillance, a term he is said to have created, will lead to increased cases of insanity and mental distress. “Mental illness will become an increasingly confronting factor as these issues develop,” he frowned.
Another threatening term often used in these contexts is nanotechnogy, which refers to a miniaturization of technology allowing applications originally deemed impossible. Still another term is biobanking, which, in the words of an IBM developer, aims to empower researchers to have access within the human body to a chip that has data on a person's clinical records combined with his or her molecular make-up.
For more on this, including current practices of manipulating children on commercial Web sites primarily of interest to kids, ask us for a sample copy of our October 2007 issue. 401/274-7861.
20 Minutes
- From August 2007
This regular feature provides ways to use 20 minutes of your life each month to protect your privacy or the privacy of others.
The Federal Trade Commission is seeking comments on uses of Social Security numbers in the private sector that may contribute to the epidemic of identity theft. The FTC also plans to host one or more public forums on the issue in the coming months. It is following up on a report by the President’s Identity Theft Task Force, led by Attorney General Alberto Gonzales and FTC Chair Deborah Platt Majoras.
Include this information: “SSNs in The Private Sector – Comment, Project No. P075414.” Need more information? Call the FTC at 877/382-4357. Need suggestions, ask us.
Is Googling Fair?
-- From June 2007 issue (excerpt)
A well-known psychotherapist in western Canada has been permanently denied entry to the U.S., where his two grown children live. Why? Because of Google.
The man was detained at a border crossing in the State of Washington when the guard took his passport, turned to his computer, and Googled the traveler's name, “Andrew Feldmar.”
Google produced a link to an article that Feldmar wrote in a journal called Janus Head in 2001, which mentioned his use of LSD almost 40 years ago.
Feldmar had crossed the U.S.-Canadian border many times, but this crossing turned quickly into a nightmare. And he is no stranger to harsh treatment by security guards. . . .
Is Googling fair? The main unfairness is that Google does not vouch for the accuracy of the information it uncovers, nor does the Web site that displays the material. A new generation has come of age thinking that if it’s on a computer, it’s true. They rely on what they read on untested Web sites. Employers – and law enforcement – increasingly use search engines and social-networking sites to check out persons of interest.
On the other hand, getting information by a search engine is little different than stumbling upon it in a daily newspaper – just a lot easier and a lot more inclusive.
A year ago an informal hearing officer in the U.S. Department of Commerce Googled an employee facing termination for repeated and admitted misuse of government vehicles and expense accounts. On appeal, David Mullins complained, “She Google-searched my name. . . and came across my alleged prior removal from the Air Force.” He appealed again, saying among other things that his firing was based on information from an ex parte Google search. The Court of Appeals for the Federal Circuit in the District of Columbia ruled May 4, 2007, that there was plenty of other evidence – admitted by Mullins – to support the firing and that the information from Googling did not influence the firing decision because it had been revealed earlier.
For the full story, ask for a sample copy of our June 2007 issue.
'Fusion Centers' Now Consolidate
Data - With No Accountability
- From July 2007 issue
"In developing our country's response to the threat of terrorism, public safety leaders from all disciplines have recognized the need to improve the sharing of information and intelligence across agency borders. Every law enforcement, public safety, and private sector official involved in information and intelligence sharing has a stake in this initiative. Leaders must move forward with a new paradigm on the exchange of information and intelligence."
From this statement in a report by the grantsmaking office of the U.S. Department of Justice came the impetus for creation of “fusion centers” in urban regions.
"What Is a Fusion Center?" asks the same document. “A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources."
Fusion centers are also a consolidation of personal information in the hands of federal, state, and local law enforcement agencies and even private-sector security with often no oversight, no accountability, and no guidelines concerning the accuracy of and the use of personal information in its possession.
When the governor established such a fusion center in Massachusetts in 2005, Carol Rose, executive director of the American Civil Liberties Union there, wrote, "[The problem with the idea] could be that it provides one-stop shopping for identity theft. Or that it diverts millions from community policing, while Boston struggles with a rising homicide rate and 239 fewer cops on the beat than six years ago. Or maybe that history and the 9/11 Commission showed that gathering piles of data doesn’t equal sound law enforcement.
“
"No, the biggest problem with the Commonwealth Fusion Center is that Governor Romney's system has no accountability, at a time the feds are abusing their power by spying on progressive U.S. activists." There have been similar complaints in Texas, where the fusion center will amass lots of personal information under the control of the governor. "In the fusion center, the governor will have at his disposal both public and private databases on Texans. This could potentially include everything from what magazines you read to traffic tickets and arrests," wrote Jake Bernstein, executive editor of the progressive watchdog publication The Texas Observer.
There are fusion centers in an estimated 38 states plus a half-dozen at the regional level like the widely heralded Joint Regional Intelligence Center (or "Jay-Rick") in Los Angeles. Fusion centers were designed as a mechanism to share information, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources, including anonymous tips.
Thomas E. McNamara, of the National Intelligence Office, appears to be spearheading the effort, although the Department of Justice funds the centers.
Justice has made noises about requiring privacy-protection standards but without specifics, according to Carol Rose.
"We just met with Governor Deval Patrick with an eye towards developing privacy protections," she told PRIVACY JOURNAL. "Perhaps what Massachusetts develops can be a model for the other fusion centers around the country."
For more on "fusion center," ask for a sample copy of our June 2007 issue.
It's Gonna Costa Ya'
- Excerpt from a longer story chronicling Federal Trade Commission fines for privacy violations
From the April 2007 issue
Microsoft helped the FTC nail a tech-savvy Hawaii couple sending hard-to-trace pornography over the Internet; the FTC secured an order freezing the assets of their operation, called Net Everyone. Another company, ICE.com, had to give up $6,500, roughly $1 per email sent to persons who had requested to receive no more. In January the FTC staff announced that it would collect a total of $1.624 million from five small online porn operations for not labeling their electronic mail as “sexually explicit.”
After complaining to a court that an online marketer named Jumpstart offered free movie tickets to consumers in exchange for the names and email addresses of five or more of their friends, the FTC secured a penalty of $900,000 a year ago. The problem with the marketing plan, the FTC alleged, was that Jumpstart disguised its commercial email messages as personal messages, and that is a deceptive trade practice.
Kodak Imaging Network, formerly Ofoto, Inc., paid a modest $32,000 penalty to the FTC, for the modest transgression of not providing an opt-out mechanism in its commercial emails. The amount represented the estimated proceeds from the mailings. In November a small outfit called Yesmail, Inc., operating as @Once Corp. forfeited $50,717.
A credible commercial book club called Bookspan, a Doubleday affiliate, forfeited $680,000 last year after the trade commission staff caught it dialing sales calls to persons who had already said, “No thanks” on the national do-not-call list.
Credit Foundation of America Inc., a debt-management firm marketing to consumers, paid up even more last year, nearly $1 million, for making deceptive pre-recorded calls to residents. And last June a seller of discount health and prescription drug cards and its telemarketer agreed to pay civil penalties of $300,000 and $50,000 to settle Federal Trade Commission charges that they have been violating the do-not-call law. A Southern California-based mort-gage broker forked over $50,000, and a similar operation was originally assessed nearly $500,000.
For the full story, ask for a free sample copy of our April 2007 issue. Specify hard copy or email edition. orders@privacyjournal.net. 401/274-7861
The Case of the Telltale Foreheads
- From February 2007 issue
All is fair in politics – at least to the staff of a TV program in Italy called Le Iene (The Hyenas).
The program, which satirizes personalities of the establishment, found a way to poke fun at Members of Parliament who had sponsored Europe’s most restrictive national anti-drug law last February. Here is what they did:
A “reporter” from the program invited 50 members of the Lower House to discuss the budget on camera. At a break in the taping, an assistant would pat the forehead of each interviewee, presumably to replenish make-up.
In fact, the staff was gathering perspiration samples. They tested the sweat samples for drug use in the past 32 hours.
Le Iene announced that its upcoming program would show that a third of the members tested positive; 12 out of the 50 would show marijuana use and four cocaine. “One MP in three enjoys a spliff or a snort,” chortled one staff member.
There was outrage immediately. One Member of Parliament sued and demanded the immediate seizure of his sample (yet insisting he “had nothing to hide”). The staff vouched for the reliability of the sweat test. FOR THE REST OF THE STORY, ASK FOR A FREE COPY OF OUR FEBRUARY 2007 ISSUE.
New Federal Law Bans Pretexting
To Get Phone-Call Information
- From the January 2007 issue
Congress at the end of its 2006 session approved a bill to punish anyone who through fraud buys or acquires or receives or sells or attempts to sell “confidential telephone information” about customers.
The new law defines protected "confidential telephone information" as data concerning the type or destination of calls or data “contained in any bill, itemization, or account statement provided to a customer.” It protects calling information in Internet Protocol-enabled voice services.
The law will not preempt 15 state laws that already punish acquiring telephone-calling records by pretext (pretending to be someone else). [See PJ Dec 06.]
Find this law, Public Law 109-476, already listed in the 2006 Supplement to our Compilation of State and Federal Privacy Laws. Essential for anyone who follows privacy happenings.
Do You Believe in Redemption?
In the Privacy Field, You Must.
-- Take, for example, these examples from our December 2006 issue:
* In 2004, ChoicePoint, which sells personal data on consumers, discovered that thieves posing as legitimate businesses were able to access ChoicePoint profiles that include Social Security numbers, credit histories, criminal records and other sensitive personal information. It paid $15 million in penalties.
In 2006, ChoicePoint appointed a chief privacy officer and a consumer advocate office under its vice president and chief public and consumer affairs officer as “another great enhancement to our privacy and information security portfolio.” This month, it sent its president, Doug Curling, out to sit down with privacy advocates. * * *
* Throughout most of the Twentieth Century Russia trampled on the privacy and autonomy of its citizens. In July 2006, Russia joined the European data protection club of nations by enacting a European-style data-privacy protection law and another law permitting access to government documents.
* The Electronic Privacy Information Center filed a privacy complaint in 2001 with the Federal Trade Commission about Microsoft’s Passport scheme, which permits users to enter personal information into a packet on their PCs and thereby allow them to complete application forms later easily (and mindlessly). In 2006, Microsoft Chief Privacy Strategist Peter Cullen unveiled a “global online identity system” [see PJ Nov 06] that generally won praise from privacy activists, including EPIC.
* In May 2006, the Department of Veterans Affairs experienced a huge scare when a laptop with sensitive data on 26.5 million veterans and active military personnel was stolen from a staff member at home. As penance, the department has embarked on a bold campaign pushed by its secretary to create what it calls “the Gold Standard for data protection.”
For the full stories, ask for a sample copy of our December 2006 issue.
States Prohibit Pretext to Get Phone Records
- From the October 2006 issue
California is the latest of 15 states to prohibit using pretext or deceit to get a list of the telephone numbers you have dialed or a list of the telephone numbers dialing into your telephone.
Each of these laws has come in 2006, prior to the revelations about Hewlett-Packard's corporate snooping. Ask us for a copy of our October issue for the full story and to see whether your state is included. Call 401/274-7861. Fax 401/274-4747.
Rules for Uniform Drivers License Coming
- From the September 2006 issue
State officials – not to mention privacy lobbyists – are dreading the imminent publication of draft regulations to implement the REAL ID Act.
The law, part of the intelligence reform law in December 2004, requires precise identity documents and personal information to be presented to state motor vehicle departments in order to get a driver’s license that will be accepted for federal purposes. It requires date of birth, physical address, and signature on all such licenses, but leaves other required items to a negotiated rulemaking.
The law creates a de facto national identity card. Strictly speaking it would be required only to enter federal buildings, hold a federal job, or get federal benefits; but law enforcement, state and local governments and businesses are likely to insist on the card.
The Department of Homeland Security was designated to draw up regulations, which reportedly have been approved by the department’s privacy officer and legal counsel. The Office of Management and Budget and the Homeland Security policy office must also sign off on them before they are published for comments by the public.
Those who have seen the draft say that Homeland Security officials did not welcome the task. They are three months past their deadline. They are proposing “a federated system” in which a task force will be appointed to arbitrate the hard questions, like exceptions to the general requirements, the precision of ID documents needed, the data required on the license itself, and costs of implementation. At present the DHS drafters are promising to have civil liberties and business representatives on the arbitration body.
Some states, like Arizona, embraced the idea of a uniform driver’s license and moved to implement the law, which goes into effect in 2008. Others find it outrageously expensive and have resisted it. Elected officials in New Hampshire went so far as to vote nearly to ignore the federal mandate totally, and risk having its citizens object when their state drivers license is not accepted for federal purposes.
The National Governors Association, National Conference of State Legislators, and American Association of Motor Vehicle Administrators have completed a study of the costs and will release it Sept 21. Bonnie Rutledge, DMV commissioner in Vermont, heads the motor vehicle administrator’s REAL ID steering group. FOR MORE, ask for a free copy of our September issue, by email or phone.
Do You Still Have an Expectation of Privacy?
By Robert Ellis Smith
From Privacy Journal June 2006
Do you have a reasonable expectation of privacy? In the identity of the phone calls you make and receive? In your bank records? In your travels from place to place? In your medial records? Your phone conversations? Your Social Security number? Your Internet browsing? (Careful, it’s a trap question.)
What if the government or a private agency begins getting access to personal information that you previously assumed was reasonably confidential? Does that obliterate your “reasonable expectation of privacy”?
It took a Canadian to raise the question. At a conference on privacy at Carleton University in Ottawa last fall, Stephanie Perrin, now with the federal Privacy Commissioner’s office, rose to say that talking about an expectation of privacy in these times is a trap. “We should be talking about a reasonable need for privacy.” She went on to point out that we have a need for privacy in many areas even though that privacy has been eroded. In other words, governmental and business practices ought not eliminate a “reasonable expectation of privacy” on the part of the individual.
Other Needs, Not Expectations
Can’t the same be true about environmental protection? We may not expect clean air and clean water, but we do need them and are entitled to them. Or consider personal safety. We may not expect safe neighborhoods and cities, but we need them.
In 1967, when the U.S. Supreme Court ruled that the Constitution protects “people, not places” a lot of people and a lot of judges came to believe that the court had set a standard that the Constitution protects “a reasonable expectation of privacy” – and apparently only a reasonable expectation of privacy. But there is no basis for this in case law over the years.
The term never appeared in the court’s opinion in Katz v. U.S. (The court spoke of “the privacy upon which he justifiably relied.”) The idea of “reasonableness” comes from the concurring opinion by Justice John Marshall Harlan. He was characterizing the majority opinion saying that for a Constitutional violation “first, that a person must have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”
The Reality
What the majority opinion actually said was that notions of private property and trespass were not really relevant in protecting the Constitutional right to privacy. What matters is what a person “seeks to preserve as private, even in an area accessible to the public.”
It is important in these times to recall that the Supreme Court in its 1967 decision invalidated the kind of government wiretapping that had been unchecked virtually since the invention of the telephone system. In the Katz decision, the court found a privacy interest against a practice that had been commonplace until then.
Yet, privacy advocates are constantly confronted with proclamations from government and corporate lawyers that there can be no reasonable expectation of privacy against practices that we have known about for years. Sometime this is morphed into a “legitimate expectation.”
Under that reasoning, we had a reasonable expectation of privacy in our bank transactions only until the Bank Secrecy Act was enacted in 1970, or only since passage of the Gramm Leach Bliley Act in 1999.
We had a reasonable expectation that credit bureaus wouldn’t sell information in our credit reports without protections of the Fair Credit Reporting Act until they began to do so in the early 1990s.
We had an expectation that credit bureaus would not use Social Security numbers to confirm the identity of credit applicants until they began to do so in the early 1990s (and gave rise to an epidemic of identity theft).
We had a reasonable expectation of privacy in the contents of our medical files until a regulation under a 1996 law, HIPAA, removed much of that.
We had a reasonable expectation in the confidentiality of our records held by libraries, travel agents, real-estate agents, brokerages, retail stores, and private clubs. Did that disappear with Section 215 of the PATRIOT ACT, enacted in 2001 and renewed in 2006? (Much of that act requires that a terrorism investigation be a predicate for governmental demands into these files, but not all of it.)
We had a reasonable expectation of privacy in overseas phone conversations – at least if there was no probable cause of criminal activity or a need to gather foreign intelligence – until that was taken away by the Bush Administration.
We had a reasonable expectation of privacy in the numbers we dialed and the numbers of persons who phoned us – at least if we didn’t create any suspicion in our activities – until that was taken away by the Bush Administration.
We had an expectation that our Internet browsings would be confidential until the Department of Justice decided in 2006 that it would be a fine idea for Internet service providers to preserve that information for later government access.
A Loser for Citizens
What’s left? Under the “reasonableness” formulation (a loser every time for individual rights), we still have an expectation of privacy that our transactions at automatic bank teller machines in our neighborhoods and around the world will not be used to track our movements and prevent our making withdrawals. But do we forfeit that as soon as the government decides that it needs to use the ATM network for that purpose? Will it be said, “Americans cannot really expect that their ATM transactions won’t become known to investigators when this capability has existed for years and when the transactions take place in public”? (The Right to Financial Privacy Act of 1978 seems to require that customers get advance notice when federal agents get such access, but the PATRIOT Act may override that.)
Under the “reasonableness” formulation, we still have an expectation of privacy in a secret ballot. But where does that come from?
No law requires a secret ballot, no Constitutional provision, no court decision. And the secrecy of the ballot has been compromised from time to time when courts are investigating allegations of fraud. Yet we rely on it. Will the Bush Administration discover that this element of democracy is protected only by tradition, thereby allowing it to probe into the way each of us votes? The wedge has already been provided in the Help America Vote Act, which requires a driver’s license or portion of a Social Security number in order to vote. It creates state databases to keep track of voters and their identifying numbers. Experts testified just last month that the creation of these databases significantly increases the possibilities that hackers will be able to penetrate voting records.
Governmental Justification
If the government regarded a resolution to “fight terrorism in Iraq” as authority to monitor overseas telephone calls without regard to the federal law already on the books (as it did), will it regard the PATRIOT Act as authority to track citizens through their ATM usage? Will it regard the Help America Vote Act as authority to probe into the way we are voting? Will we then say collectively, “Gee, we thought that information was private. We had a reasonable expectation of privacy in that information.” And the government will say, paraphrasing Justice Harlan, “That was not an expectation that society is prepared to recognize as ‘reasonable’ under this administration. Just last month experts testified that hackers can get into voting information.”
Copyright © 2006 Robert Ellis Smith
Medical Theft of Identity
- From July 2006 issue
The World Privacy Forum warns about the emergence of theft of medical identity. Fraud artists are getting medical treatment in the name of a victim. The victim has no knowledge of the transaction until he or she discovers in the patient record mysterious entries for medical procedures he or she did not have.
Sometimes only insurance or payments information is used, not names or Social Security numbers.
One victim was told that he couldn’t have access to the information in his own medical file because it doesn’t pertain to him, it pertains to an impostor.
It is said that the former wife of Rep. Joe Barton, R-Tex., has had a stranger get medical treatment under her name in their hometown of Ennis, Tex. Barton is chair of the House Energy and Commerce Committee, which held hearings on theft of identity (the original version) in March.
The University of Connecticut Health Center reports a dozen attempts each week of persons trying to impersonate beneficiaries, sometimes to secure prescription drugs. Across the nation, this has resulted in additional requirements for patients to show identification documents before getting treatment. Blue Cross has begun warning its subscribers about medical ID theft.
For the full story, ask for a sample of our July 2006 issue.
Or ask for our June 2006 issue for a blockbuster article pointing out how some ill-informed lawyers' notions about "an expectation of privacy" actually diminishes your privacy. We will send you a free copy of the issue, if you send an email or U.S. mail request. Or call us, 401/274-7861.
Don’t Believe the Number
Of Laptop Losses of Personal Data?
See page three of our July 2006 issue for a complete listing of the losses of laptops with personal data in them.
Ask for a sample copy.
Another Credit Score to Decipher
- From May 2006
Just when you got used to figuring out your “FICO score” and its importance to determining your credit-worthiness, the Big Three credit bureaus want to change all that.
For years the benchmark for rating consumer-credit applicants has been the FICO score developed by Fair Isaac from data supplied by each of the Big Three. Each of the credit bureaus used its own data and formulas to score consumers and each credit grantor had different criteria for assessing a FICO score.
After a long battle [by PRIVACY JOURNAL and others], consumers finally got access to their own scores, which range from 300 to 850, with 720 generally regarded as the cut-off for acceptable risk. About 80 percent of the major lenders use the FICO score.
But Experian, Equifax, and Trans Union, which are supposed to be competing with each other, got together and did an end-run around Fair Isaac. They created their own credit score, based on a lettering system, A through F. The new product is to be called VantageScore. (The letter grades are backed by a numbering system roughly equivalent to academic grades; 901 or higher equals an A, 801 to 900 equals a B, etc. This means that a 720 as a VantageScore is so-so, but from Fair Isaac is a respectable credit score.)
“This will only cause confusion in the marketplace,” said Travis Plunkett, legislative director for the Consumer Federation of America. The three separate national credit bureaus will use the same methodology but will issue different scores for the same person. They will charge perhaps $5 for a consumer to see his or her own score, beginning next month. By federal law, consumers are entitled to see their own credit scores.
One analyst of the industry, Bill Hardekopf of LowCards.com, said that this scheme is a way for the major credit bureaus to recoup revenue
that they lost when Congress in 2003 required free credit reports for any consumers who ask.
“This isn’t about making credit easier for the little guy,” writes Liz Pulliam Weston, personal finance columnist for MSN Money. “This is business.”
For more about credit reports, ask us for a sample copy of PRIVACY JOURNAL with information about credit bureaus. orders@privacyjournal.net
Most Trusted Federal Agencies
- From March 2006
Ponemon Institute asked respondents in a survey which federal agencies they trust the most in handling personal information. Some of the results, showing the percentage of persons with confidence in the agency:
U.S. Postal Service 78 percent
Department of Veteran Affairs 76
Internal Revenue Service 75
Social Security Administration 70
Federal Trade Commission (FTC) 70
Bureau of Consumer Protection 68
National Institutes of Health 68
Federal Court System 67
Census Bureau 66
Military (Army, Navy, Air Force, Marines) 62
Bureau of Labor Statistics 62
Federal Emergency Management Agency 58
AMTRAK 58
Department of Commerce 57
Department of Health & Human Services 56
Small Business Administration 55
Department of Education 55 * * *
GOVERNMENT AVERAGE 52 * * *
LEAST TRUSTED:
Federal Bureau of Investigation (FBI) 42
Immigration and Customs Enforcement 40
Bureau of Citizenship & Immigration 39
Drug Enforcement Agency (DEA) 38
Transportation Security Administration 30
National Security Administration (NSA) 29
Department of Homeland Security 27
Central Intelligence Agency (CIA) 27
Department of Justice 24
Office of the Attorney General 22
ASK FOR A FREE SAMPLE OF OUR MARCH 2006 ISSUE FOR THE REST OF THE STORY
Personal Phone Number for ID
- From February 2006
Presenting a Social Security number is offensive to many people and it’s a publicly known number. It was never intended as an all-purpose ID. Microchip implants and tattooed bar codes may finally stretch the acceptability of the American public to the breaking point. (But who’s to say?)
Industry apologists herald “biometrics” as the best method for establishing identity. They regard matching of fingerprints, voices, eye characteristics, or facial geometry as impeccable methods for confirming a person’s identity. But every biometric identifier has false positives, sometimes 10 percent or more.
Latanya Sweeney has a better idea. Why not issue an individualized “identity telephone” to everyone?
She stresses that the idea is no more than an “academic exercise,” not a pragmatic proposal.
She and her computer science students at Carnegie Mellon University in Pittsburgh have been studying the possibility of issuing a tiny cell phone at birth that would combine elements of a camera, a fingerprint reader, geographical positioning (GPS), perhaps recognition software, and wireless technology.
To charge a purchase or enter a secure facility, a person would provide his or her “ID number/phone number.” The person seeking verification would call the number and the holder of the phone would acknowledge the call by pressing a key. That return signal would also verify the location where the person is at the present time.
Credit-card companies would bill directly to the phone number, perhaps with the use of an additional PIN. “There’s no extra information floating around,” says Sweeney; “the phone really just packages the needed information for a particular transaction. It separates people from the information about them. There’s no need for a central database.”
If the phone is lost, it is simply deactivated. Sweeney’s scheme would allow a government office to disable phones and reissue new phones.
For more on this story, ask us for a free copy of the February 2006 issue.
Cell Phone Numbers Called - Get 'Em Online
- From December 2005 issue
A mother of two children living in central Massachusetts was shocked to discover that her estranged husband could easily get a list of the telephone numbers she had dialed form her cell phone. “I’m sure he wanted to make sure I wasn’t seeing anyone,” says the woman. “He found a cell phone number that he didn’t recognize, called it and left threatening messages.”
For about $100 at several Internet sites, the husband and many others like him can purchase lists of numbers dialed from a targeted person’s cell phone. The same is true of land-line phone calls.
Is it legal? No state or federal laws restrict telephone companies from disclosing such information about customers, although most have policies against disclosure. How do the Internet brokers get the information? It’s possible that they pay a person within the phone company to provide the data – a disgruntled employee, a former detective now in the company security department, or a clerk who applied for a job precisely to feed the data brokers and make some extra money. Or perhaps it’s simpler than that: A security consultant in Quebec City reported that he was able to get call records faxed to him from major phone companies merely by knowing the targeted person’s postal code. Another method: Hackers can use special software to make their own number appear on call displays regardless of where they are calling from. Phone companies rely on the call display as confirmation of the caller’s identity and then provide the information to the imposter, according to the Quebec consultant. . . . ASK US FOR A FREE SAMPLE OF THE DECEMBER 2005 ISSUE, FOR THE FULL STORY.
Rosa Parks of Privacy Protection?
A 50-year-old mother of four children living in Denver faces minor federal charges this month for declining to provide personal identification while on a city bus on her way to work. One of her kids is soldiering in Iraq.
The RTD (Regional Transportation District) bus that Deborah Davis took to work in September happens to pass through the Denver Federal Center in Lakewood, Col. As she was sitting reading a book, a federal guard climbed aboard and demanded to see her identification. . . . what happened to her? ASK FOR THE JANUARY 2006 ISSUE FREE.
Quotable
- From November 2005 issue
“Fifty million consumers have had their data compromised this year, though I don’t think the sky
is falling.”
- Michael Turner, president of the Information Privacy Institute (whatever that is).
Credit References for Renters
- From November 2005 issue
The Federal Trade Commission has identified three new credit bureaus that attempt to provide credit information on tenants and low-income consumers whose present credit transactions don’t show up in the credit reports of the major bureaus, Equifax, Trans Union, and Experian.
One is PayRentBuildCredit based in Annapolis, Md., www.prbc.com. The founder concedes that getting credit data from millions of landlords is formidable, and so he has “verification partners” like mortgage brokers and insurance companies report the data.
At no cost, consumers may take receipts, cancelled checks, and utility bills to one of these “partners” to verify rent or utility payments. The
businesses then report the information to Pay-RentBuildCredit, to create a record of the person’s credit history.
Fair Isaac, which creates credit scores from traditional credit-bureau data, has another score for those with thin credit. "The FICO Expansion" score gathers information from non-traditional sources. www.ficoexpansionscore.com/Lender
Value.aspx. But among the sources are “payday loans,” intended to bridge the borrower’s cash-flow gap between paydays. Consumer advocates disapprove of using pay-day loan information because they believe this type of borrowing is not in a consumer’s best interests.)
First American Credco, which first offered consolidated credit reports (“Instant Merge”) based on reports from the Big Three, has begun selling a supplement called NTReport, which includes data from non-traditional sources like rent and utility payments. www.credco.com/emerging
markets.
For the full story, ask us for a free copy of our November 2005 issue.
Spend 20 Minutes for Your Kids
- From October 2005 issue
You may have thought that personal information possessed by your child’s school is protected, but that is not always so. The Department of Defense has a pervasive program for harvesting 4.5 million students’ addresses, dates of birth, even cell-phone numbers and e-mail addresses. The data file also includes Social Security numbers, in apparent violation of the federal Privacy Act. This is part of the Joint Advertising, Market Research and Studies program (JAMRS) in the Pentagon.
The infamous No Child Left Behind law, 20 U.S. Code 7908(a)(1), requires schools to turn over this data to military recruiters. It also provides parents with a chance to opt-out and demand that schools not disclose the information. But parents have to act to make this happen.
It is best to make a request in writing, and be sure to state whether you want your option to apply only to military recruiting or to all requests for directory information about your child (name, grade level, etc.).
Parents and students may also take advantage of the Defense Department’s own “name-suppression” database. Write JAMRS Opt-Out, 4040 N. Fairfax Dr., Suite 200, Arlington, Va. 22203. For more information, go to www.pta.org/documents/military.pdf.
The Pentagon has contracted with a marketing company named BeNow in Wakefield, Mass., to collect and massage the data. The system also collects similar data on 4.6 million college students and data on other young people from other sources. Two of the sources are American Student List, which has long compiled marketing lists on students, and Student Marketing Group. The Federal Trade Commission has cited the first company for deception in its data collection, and the New York State Attorney General has cited the second company for collecting data on students through phony survey forms.
Best advice: Insist that your child bring home any survey form before filling it out. Under the No Child Left Behind Act, ask that your school not release data on your children. Complain to 703/601-4722, Records Management Section, Pentagon 1155, Washington D.C. 20301-1155, that you think that the Defense Department’s operation of this information collection violates the federal Privacy Act.
Entire contents of this Web site:
Copyright © 2005 Robert Ellis Smith
U.S. Court Reverses Self on E-Mail Intercepts
- From September 2005 issue
In a 5-2 decision, the full Court of Appeals for the First Circuit has ruled that the interception of e-mail temporarily stored while en route to its final destination violates the federal law on electronic surveillance.
This reversed an earlier ruling by a panel of three judges on the same federal appeals court that an e-mail service provider did not violate the law by acquiring users' incoming e-mails without their knowledge or consent to gain a commercial advantage over a competitor. The original decision caused great consternation among privacy advocates, including Sen. Patrick Leahy, ranking member of the Senate Judiciary Committee, and prosecutors.
Judge Kermit V. Lipez, writing for the majority of the full First Circuit, concluded that the federal wiretap act definition of an electronic communication that may be intercepted to include “transient electronic storage that is intrinsic to the communication process for such communications." However, the court stopped short of deciding whether an electronic communication can be intercepted within the meaning of the law "after a message has crossed the finish line of transmission." U.S. v. Councilman (1st Cir. Aug. 11). Send an e-mail or phone for a free sample copy of the September issue with the full article.
Find a typo, spelling error or other mistake on this Web site and win a free book of your choice.
Letter to the Editor
- From August 2005 issue
From St. Paul, Minn.: Awesome articles on the cover and on page three of the July issue [RFID tags required of elementary students in California and parallel efforts to impose a national ID card]. “Scarifying,” as usual.
Would you provide a discussion of, or references to, solid and specific information about privacy implications (if any) of switching phone service to Voice Over Internet Protocol (VOIP)? Specifically, privacy implications for employees when the employer makes the change to VOIP?
For example, I assume that a record of outgoing calls (date, time, destination, length) is captured “in-house” and thus more easily accessible to the employer than records kept by a phone service provider – especially for local calls. Is the source of an incoming calls recorded anywhere other than on the telephone set (called ID, etc.)? As computer keystrokes can be recorded, can phone set “pulses” be tracked also? And what is the system’s ability (if any) to record or monitor the content of the calls as voices are “digitized” and sent over the Internet?
Response: Employers and others indeed have the capability of monitoring, logging, and tracking conversations transmitted via VOIP, as they do over existing telecommunications technologies. Your inquiry is timely. Phil Zimmermann, the man behind the popular and accessible Pretty Good Privacy encryption program for e-mail, has just announced that he is launching a new program that aims to provide the same security for Internet phone calls.
Like PGP and PGPfone, which he created as human rights tools for people around the world to communicate without fear of eavesdropping, Zimmermann’s new program, zfone, is intended for everyday users and for businesses seeking to combat corporate espionage. Whether employees will be permitted to use the product at work is another question.
VOIP, or Internet telephony, allows people to speak to each other through Internet connections. VOIP uses broadband networks, making conversations vulnerable to eavesdropping.
Need to know the states with "security breach laws" and the specifics? In our June 2005 issue. [Updated now in the 2008 Supplement to our book Compilation of State and Federal Privavy Laws." Ask for it. $35.]
The Specter of Surveillance
in One City
- From June 2005 issue
If you look out the windows of the downtown Boston offices of the American Civil Liberties Union of Massachusetts, you see surveillance systems closing in on you.
“Even in Massachusetts – the nation’s historic ‘cradle of liberty’ – civil liberties are under threat in ways that don’t necessarily make us more secure,” says Carol Rose, executive director of the Massachusetts ACLU. The surveillance cameras and other high-tech devices installed for the Democratic National Convention in August have found a permanent home in Boston.
One of the greatest threats, in Rose’s mind, is a new automated fare collection system on the subway line that has no anonymous option if transit riders purchase their fare cards with a credit card or debit card. The purchase is linked to an individual’s identity, as is use of the Fast Lane toll option on the Massachusetts Turnpike and on most toll roads in the U.S.
In Boston senior citizens, students, or those who are disabled must now show identification documents and have personal information linked to their fare cards to get discounted rates.
The transit system (called “The T” or the MBTA) will document the identity of riders and time, date and location where they board a bus or trolley or pass through a subway turnstile. Because of the vagaries of Boston’s aging system, there are no card-reading devices or turnstiles at many disembarking points, and so the system doesn’t always record when a person leaves.
The new “smart card” is called a “Charlie Card,” named after “the man who never returned” when he got lost on the Boston subway, in the political song of the 1940s popularized by The Kingston Trio in 1959. (Charlie got lost be-cause of a complicated fare system.)
MBTA officials see the Charlie Card as allowing it to track riders and ridership, cut down on fare evasion, and create a more efficient transit operation.
"It will be a magnet for identity thieves seeking to get this information, and the worst thing is that consumers have no idea this is going to happen to them,” said State Senator Jarrett T. Barrios of Cambridge, who has been urging the transit authority to strengthen its privacy protections.
For the complete story, e-mail or call 401/274-7861 and ask for a free sample of the June 2005 issue.
Careless Record Keeping:
The Cumulative Effect
- From May 2005
To appreciate THE CUMULATIVE EFFECT, Privacy Journal newsletter compiled the following list of breaches of sensitive personal information, disclosed just since January. It's not an atypical list for a three-month period, but breaches are obviously getting more press attention.
* Tepper School of Business at Carnegie Mellon University reported that a hacker had access to Social Security numbers and other sensitive personal information relating to 5000 or more students, staff, and alumni.
* Tufts University notified 106,000 alumni, warning of "abnormal activity" on its fund-raising computer system listing names, addresses, phone
numbers, and, in some cases, Social Security numbers and credit-card account numbers.
* ChoicePoint, the "information broker" based in Georgia, sold personal data on 100,000 or more persons to fraud artists posing as legitimate businesses.
* DSW Shoe Warehouse experienced a hacking incident involving access to an estimated 1.4 million credit-card numbers and names, 10 times more than investigators estimated at first.
* HSBC North America, which issues GM's MasterCard, urged all customers to replace their cards as quickly as possible because personal data was compromised. The customer records of Polo Ralph Lauren Corp., were involved.
* Ameritrade Holding Corp., the online discount broker, informed about 200,000 current and former customers that a back-up computer tape was lost during shipping.
* Canadian Imperial Bank of Commerce, CIBC, one of Canada's leading banks, misdirected confidential faxes sent to outside parties over a three-year period. Bank of Montreal, Royal Bank of Canada, Scotiabank, TD Bank, and National Bank have also misdirected faxes with customer information.
* Motor vehicle departments in four states have lost personal data. The Texas Department of Public Safety mailed to 500 to 600 licensed drivers
renewal documents that pertained to other persons. In March, burglars rammed a vehicle through a back wall at a Nevada Department of Motor Vehicles and drove off with files on about 9000 people, including Social Security numbers. In April police arrested 52 people, including three examiners at the Florida Department of Motor Vehicles, in a scheme involving the sale of more than 2000 fake driver's licenses. Also, Maryland police arrested three people, including a DMW worker there, in a plot to sell about 150 fake licenses.
* A Boston-based storage company named Iron Mountain Inc., lost Time Warner Inc.'s computer back-up tapes with Social Security numbers and names of 600,000 employees and dependents. This is the fourth time this year that Iron Mountain has lost tapes during delivery to a storage facility, according to The Wall Street Journal.
* Someone gained access to the personal information of 59,000 students at California State University, Chico, the university revealed in March.
* A laptop that contains about 100,000 Social Security numbers of students and personnel at the University of California, Berkeley was stolen from the school's campus.
* Someone hacked into a database at the Kellogg School of Management at Northwestern University, possibly exposing data pertaining to 21,000 individuals.
* More than 1600 parents discovered in January that records in the Colorado State Health Department relating to an autism study were lost.
* * *A free copy of the current issue of Privacy Journal is available through orders@privacyjournal.net. Specify e-mail copy or hard copy (and include a mailing address).
A press interview
with Publisher Robert Ellis Smith
- From April 2005 issue
1. Issuing your special report on ChoicePoint is interesting timing. Do you really think it’s a good idea to kick a good company like ChoicePoint when it’s down? In football, piling on draws a penalty.
Robert Ellis Smith: I’m a journalist. Everybody needs to know about this company. It has been in the headlines but people do not realize that it grew out of Equifax, that it has been out of compliance with FTC orders for years, and that it is closely allied with the voter-list purge in Florida in 2000 and the development of “Matrix.” If mere words can crumble a company, it deserves not to survive. [To download the report on ChoicePoint, click below.]
2. Did you decide to issue your special report before the revelations about the loss of data made earlier this year?
Response: I issued it because of the many inquiries I have received wanting to know about the company and its nature. No one has covered Equifax more than I have.
3. What were some of its problems when it was Equifax? How did the company respond to privacy concerns before it became Equifax?
Response: When ChoicePoint was the insurance reporting division of Equifax, the FTC found it out of compliance with Fair Credit Reporting Act accuracy and correction requirements. Continually. ChoicePoint acquired an “information broker” that was known to be in-accurate, irresponsible and out of compliance with the FCRA (CDB Infotek).
Equifax was formerly known as Retail Credit
Co. It was abuses in the insurance and employment “consumer investigation” part of Retail Credit Co. that alone led to passage of the Fair Credit Reporting Act. That, in short, is why an act with “credit” in the title also regulates consumer investigations for insurance and employment purposes. See my book Ben Franklin’s Web Site for documentation of this. Within three years after the FCRA was enacted, the part of Retail Credit Co. now known as ChoicePoint was found by the FTC and a federal court to be out of compliance with the act in serious ways.
For the rest of the story, ask for a free sample of our April 2005 issue.
ID Theft Mainly in America. Why?
- From March 2005 Privacy Journal
Theft of identity is largely an American phenomenon.
There are reasons for that. Other nations don’t rely on an identifying number – like a number to keep track of pension accounts or government benefits – for other purposes, like identifying consumers in credit reports.
Since the early 1990s credit bureaus in the U.S. have been collecting Social Security numbers and relying on the numbers to confirm a match when a lender requests a credit report on an applicant. By the same token, credit bureaus usually ask a consumer who wants to see his or her own credit report, as permitted by law, to provide a Social Security number to confirm his or her identity. The Federal Trade Commission, which regulates credit bureaus, actually encouraged this in the 1990s.
Strangers can get Social Security numbers from payroll records or buy them from Internet sites.
Thus, it’s not hard to see why theft of identity is easy in the U.S. A stranger need only get a Social Security number to match a name and then ask a credit bureau to provide a copy of “his” credit report. The impostor changes addresses on the credit accounts listed on the credit report.
For the full story, ask us for a sample copy of our March 2005 issue.
Choicepoint, A Corporate History
- From March 2005 Privacy Journal
In our March 2005 issue, we published a timeline of the ignoble history of ChoicePoint, a former division of Equifax that is now known mainly for massive sales of personal information in its files to ID thieves. Here is an excerpt:
1996 CDB Infotek advertises that it will sell information at the top of a credit report – “header information” like Social Security number, date of birth, phone number, and “a/k/a’s.” It offers access to Social Security account information, the change-of-address lists of the Postal Service, lists of registered voters (in violation of state laws in California and elsewhere), and data on personal assets. It sells criminal and civil-court records, demographics of a target’s closest neighbors, California driving records, employment reports, and much more. In 1992 CDB had been cited by the FTC for major violations of the credit-reporting law. CDB did not challenge the FTC findings.
1996 Seven months after CDB’s ad appears, Equifax purchases 70 percent of CDB Infotek and folds it into its Insurance and Special Services unit.
1997 An Equifax shareholder, in a formal demand for due diligence by the parent company, cites “law-breaking, fraud and unethical conduct” by CDB.
1997 Alarmed by its negative reputation with the acquisition of Infotek, its FTC cease-and-desist orders, and consumer lawsuits, Equifax spins off its Insurance and Special Services unit and calls it ChoicePoint. The new unit absorbs CDB’s files. It also takes in driver and motor-vehicle, divorce, marriage, corporate, property-ownership, and other data of questionable reliability owned by a company called Database Technologies, Inc., in Boca Raton, Fla. ChoicePoint’s independence is questionable. The chair of Equifax, Inc.is chair of the executive committee of ChoicePoint’s board of directors. ChoicePoint’s new president was executive vice president of Equifax.
For the full story of ChoicePoint from 1970 to the present, ask for a sample copy of our March 2005 issue.
For a report collecting all of Privacy Journal's past stories about this company (13 pages, $8.50), click above.
Uniform Drivers License = National ID Card
- From January 2005 issue
Tucked away in the intelligence reform act enacted in December is Section 7212, requiring federal standards for state drivers licenses and identification cards.
While previous Congresses and Administrations flatly rejected similar proposals because implementation amounts to a national identification system, the 108th Congress overwhelmingly passed the bill containing this provision.
After the standards are finalized through regulations, states must certify they are in compliance, and the Secretary of Transportation may conduct audits to guarantee compliance. After a specified date, no state drivers license that fails to conform to the minimum standards may be used for any federal “official purpose.” This means a nonconforming license may not be used for such things as boarding an airplane, buying a firearm, obtaining federal benefits, or entering a federal building.
Section 7212 specifies some items that must be on a drivers license (name, date of birth, gender, drivers license number, digital photograph, physical address of principal residence, signature) but leaves other items to a negotiated rulemaking. The final requirements will be set forth in a regulation that must be published within 18 months.
From a privacy perspective, placing your physical address on a license or identification card advertises that information to anyone viewing the license. FOR THE REST OF THE STORY, ask for a free copy of our January 2005 issue.
A National ID by Bureaucratic Stealth?
- From November 2004 issue
Congress is about to give Homeland Security Chief Tom Ridge the sole authority to create the equivalent of a national identity document.
Under an amendment added to a current proposal to create an intelligence czar (S 2845), Congress gives to the Secretary of Homeland Security the authority to issue a regulation for a uniform national driver’s license. But under the legislation, the document would be far more than a driver’s license. It would be required to board an airplane, a train or a bus, if Ridge so decides. It could be required to enter a federal building or to get federal benefits, and perhaps to vote. And the document will include fingerprints or eye scans, if Ridge so decides.
The provision does not require states to adopt the national uniform driver’s license, but by requiring it as ID in disparate non-driving contexts, Congress, or the Department of Homeland Security, will coerce the states into adopting it.
The House-approved version, part of HR 10, calls for creation of a national databank for storing and sharing personal information on all drivers. Congress would allocate about $100 million to assist the states in the conversion. It is the high price tag, not the civil liberties consequences, that has led many Members of Congress to offer timid opposition. Residents of blue states can’t blame this on a conservative trend among voters; the amendments creating a uniform driver’s license have bipartisan support, including from the expected Number Two Democratic leader in the Senate, Richard Durbin of Illinois.
Can Software Defeat 'Phishing'?
- From October 2004
New software tools to combat the intrusive on-line practice of “phishing” may require monitoring your Internet traffic in a way that is possibly more intrusive than the scourge of phishing itself.
Phishing accounted for an estimated $500 million in fraud in the past year, according to TRUSTe, a non-profit privacy group. TRUSTe’s new study also found that three-quarters of online users had experienced an increase in incidents in the past few months.
Phishing is the sending of an e-mail falsely claiming to be a legitimate enterprise, even using the logos of the enterprise, to tempt a user into visiting a site and surrendering personal information, which can then be used for identity theft and fraud.
Prominent victims include Bank of America, Best Buy, Citigroup, eBay, and their customers.
People are directed to Web pages that look identical to the companies' sites. Most ignore the “fishing” bait, but many bite. The practice is also called brand spoofing or carding.
The Securities and Exchange Commission warned this month about a scam in which phony e-mails purportedly sent by Smith Barney [pictured in our hard copy edition], a stock-brokerage unit of Citigroup, Inc., seek recipients’ account information.
In response, developers have created new forms of anti-phishing software; Microsoft has pro-posed new security standards directed at stop-ping the phenomenon. But are the new tools also intrusive? The first line of defense that companies such as MasterCard have used against phishing is simple, “intelligent” online monitoring. The electronic asset protection company NameProtect, for example, offers a service to MasterCard and others that scours millions of Web pages, domain names, chat rooms, and the like for indicators of online fraudulent activity.
For the REST OF THE STORY, call or write for a free sample of our October 2004 issue.
The ABCs of RFID
By Mikhail Zolikoff
- From August 2004
Beginning next year, observant consumers will notice an additional logo stamped on the products they purchase from retailers. This logo will indicate that the product carries an RFID (or “radio frequency identification”) tag.
RFID electronic chips are capable of storing unique identifying information about a product and then remotely transmitting that information to a tag reader by use of radio waves. Manufacturers will be using these miniature embedded tags to keep track of materials in production and distribution. Retailers are implementing this technology with the hope that the checkout experience will be shortened, inventory costs will reduced, and product theft and shrinkage (the loss of product between the manufacturer and the shelf) will be eliminated.
Eventually these tags, also known as “Electronic Product Codes” (EPCs), will replace the familiar but outdated UPC, the Universal Product Code, or bar code. Distinct RFID tags would be assigned to each individual item; by contrast, a bar code is assigned to all identical items. RFID tags identify a particular item purchased at a particular time; bar codes merely identify a category of individual items. RFID tags have the capacity to transmit large amounts of data about an individual item. Bar codes, by contrast, can reflect only the identity of the generic product, brand, size, and pricing.
Privacy activists have repeatedly expressed their concerns that the RFID labels in consumer goods could potentially be used for tracking the possessor of the item without consent. While the electronic chip embedded within each tag has the capability of being “killed” or deactivated and therefore no longer able to transmit its identifying information, this has not been established as a default when consumers purchase their items and leave the store. As such, anyone with a tag reader – the devices are readily available on the Internet and the price is quickly dropping – could scan you, your car, or your home without your permission to determine which products you’ve purchased and have in your possession.
Hewlett-Packard, one of the corporate sponsors of the 27-mile Boston Marathon, sponsored a project in which RFID tags were embedded in the shoelaces of each runner in the event last April. As the runner ran across special mats placed along the route to Boston the transponder reported each competitor’s place and the running time to a Web site. Family members and news reporters could then access the information in real time.
Privacy critics of the technology ask us to imagine the consequences when the highly personal items we carry around day to day are identifiable without our consent.
For the full text of this story, ask us for a sample copy of our August 2004 issue.
Why Are Fingerprints Demeaning?
- From June 2004
Letter to the Editor
From Minneapolis: How can we explain, in a language the average American can understand, why fingerprinting foreigners is a bad idea? I have lots of theoretical arguments, but nothing visceral.
Response: We are familiar with fingerprints in a criminal context. That’s why it is an indignity to be asked for a fingerprint, in order to cash a check, cross a border, get public assistance, or hold a job. Getting fingerprinted is stigmatizing. It connotes suspicion. In addition, in the electronic age, the print image goes beyond the control of the individual who provides it, and probably beyond the control of the organization gathering it.
There is a real possibility that the electronic image could be affixed to a crime scene, to a piece of evidence, or other object, either maliciously or in error. The same is true of electronically stored signatures. Wise citizens know to refrain from providing such sensitive biometric bits of themselves before the technology has been fully tested for reliability and trustworthiness.
Further, providing a fingerprint in a law-abiding context increases the chances that an individual’s prints will be stored in the databases that are checked when latent prints are found at a crime scene - like the National Crime Information Center or the FBI’s automated fingerprint database. This increases the chances that the innocent individual will be identified by an erroneous match. These false positives are not frequent, but persons whose prints are not in the database have a zero chance of being the victim of a false match.
A component of privacy is autonomy – the ability to make personal choices – and to control sensitive personal information, even if it is accurate. Within that definition, the collection of fingerprints from masses of law-abiding individuals is a loss of privacy.
Video Voyeurism Bill Advances
The House of Representatives is expected to pass a bill making it a federal crime to capture an “improper image” of an individual nude or in undergarments without consent, where there is “a reasonable expectation of privacy.” The so-called “video voyeurism” bill, S 1301, matches laws enacted in 32 states in the past five years but does not preempt or invalidate them. The federal bill, approved by unanimous consent by the Senate last September, exempts law enforcement and intelligence. Michael DeWine, R-Ohio, introduced the bill a year ago; in his home state prosecutors had difficulties trying to charge or convict a man accused of using a hid-den video camera in his home to record unsuspecting female cheerleaders changing clothes to use his swimming pool.
For the complete story, ask for a sample copy of our June 2004 issue.
Nearly Half of Us Add Content
- From March 2004
About 44 percent of Americans who access the Internet have contributed content to it, in the form of photographs on Web sites (21 percent), or text (17 percent), like blogs or personal on-line journals. Thirteen percent have their own personal Web sites and 15 percent contribute to sites operated by their businesses or volunteer organizations. Users in their twenties are the most active, according to a new survey and re-port from the Pew Internet & American Life Project called “Content Creation Online,” www.pewinternet.org/reports/toc.asp?Report=113.
Among 3300 adults surveyed this year, 91 per cent were aware of the federal Do-Not-Call list and 57 per cent had registered with it; 25 per cent of those registered said that cold calling had stopped completely, while 53 per cent said they had received fewer calls. Humphrey Taylor, the chair of Harris Interactive, which conducted the survey, said: “It is rare to find so many people benefiting from a relatively inexpensive government program. This successful initiative now raises questions about the desirability of [permissive do-not-spam legislation enacted last December] when, according to other surveys by Harris Interactive, the overwhelming majority of those online find spam very annoying.”
Privacy Journal publishes up-to-the-minute news on meetings, new publications, polling, and legislative proposals each month. Write us for a free sample.
20 Minutes
- From January 2004 issue
This monthly feature advises you how to protect your own privacy, by taking 20 minutes a month.
Dispose of any documents or correspondence that show your Social Security number, credit-card numbers, or other sensitive personal information only after shredding, either by hand or machine. If you tear off the portion with account numbers by hand, dispose of the pieces in a separate trash can and place it for collection on a separate day.
Or you can purchase a shredder, now a necessity in most homes.
The Man Who Just Said 'No'
- From December 2003 issue
He’s been called an “unemployed cowboy with no assets beyond a few head of cattle and a pickup truck.”
A newspaper article called him a grouchy farm hand. An article on the Web site of the Clark County (Las Vegas) Bar Association, which should know the libel laws, calls him “a drunk in rural Nevada.”
A national newspaper columnist said that his name should be Obstinate.
And that’s the whole point. Dudley Hiibel declined to give his name when approached by a police officer just outside the limits of his hometown of Winnemucca, Nev. (pop. 9400). A witness had reported to the deputy seeing a man strike a woman with whom he was riding in a pickup truck. The deputy found Hiibel standing by his vehicle at the side of the road. He assumed that Hiibel had been drinking. Eleven times the officer asked Hiibel to identify himself, and 11 times Hiibel declined. And so the officer arrested him on charges of violating a state law that requires a person to identify himself when police stop him or her with reasonable suspicion of criminal activity. The woman he was with was his daughter.
Hiibel engaged the public defender in Humboldt County, Robert Dolan, to defend him. Hiibel – known as Larry D. Hiibel in court documents – was convicted of obstructing and delaying a police officer, a misdemeanor worth a $250 fine.
When a higher court affirmed the conviction, Hiibel immediately turned to his lawyer and said, “I’m being treated like I’m in a communist country.”
Dolan sued the court on his client’s behalf, and the case of Hiibel v. Sixth Judicial District Court soon came before the State Supreme Court of Nevada. Hiibel, 54, was not seen at the oral arguments, but he managed to get three of the seven members of the high court to agree with him. But a four-person majority ruled against him. Now the U.S. Supreme Court has scheduled oral arguments for January in his appeal to the highest court in the land.
For the full story, and to learn what this has to do with personal privacy, send an e-mail or call us for a free sample copy of our December 2003 issue.
Privacy Tip
- From October 2003 issue
Credit-card company rules require merchants to accept a card charge without demanding additional ID or other information as long as the signature on the back of the card bears a "reasonable likeness" to the signature you provide on the credit slip. Report merchants requiring additional ID (or setting a minimum charge) to MasterCard at www.mastercard.com. (However, American Express allows some firms like WalMart and K-Mart to require you to provide your billing address Zip code in a digital key pad). In CA, DE, DC, FL, GA, KA, MD, MA, MN, NJ, NY, ND, PA, RI, and WI, it is illegal for merchants to record any extra information on credit slips like phone numbers, addresses, or ID numbers. For more on this tip for protecting your privacy, ask us for a sample copy of the October 2003 issue.
Federal Regulations for Ferry Travel
- From September 2003 issue:
All ferry companies in the U.S. must develop security plans by the end of the year that may lead some of them to demand photo IDs for passengers.
An interim Coast Guard regulation requiring new security precautions on maritime vessels does not require or even suggest demanding IDs; in fact, it says that a ticket is adequate proof that a person belongs on a vessel. But any ferry company is free to use the regulation to initiate a photo ID requirement for passengers, and the regulation recognizes the seagoing tradition that a boat captain may deny passage to anyone for any reason.
On a separate matter, the authority to search passengers, the interim regulation requires boat companies to “conspicuously post signs that describe security measures currently in effect and clearly state that . . . boarding the vessel is deemed valid consent to screening or inspection; and failure to consent or submit to screening or inspection will result in denial or revocation of authorization to board.”
However, the vessel operator must also “ensure vessel personnel are not required to engage in or be subjected to screening, of the person or of personal effects, by other vessel personnel, unless security clearly requires it. Any such screening must be conducted in a way that takes into full account individual human rights and preserves the individual’s basic human dignity.”
On IDs, the same section of the rule says that vessel operators must “check the identification of any person seeking to board the vessel, including vessel passengers and crew, facility employees, vendors, . . and visitors. This check includes confirming the reason for boarding by examining at least one of the following: (i) joining instructions; (ii) passenger tickets; (iii) boarding passes; (iv) work orders, pilot orders, or surveyor orders; (v) government identification; or (vi) visitor badges issued in accordance with an identification system required [by the regulation].” Further, the vessel operator must, “deny or revoke a person’s authorization to be on board if the person is unable or unwilling, upon the request of vessel personnel, to establish his or her identity.” * * *
For the full story, call or write for a free sample of our September issue.
Complaints Lead to New Air Travel Proposal
- From August 2003 issue
In response to complaints from privacy activists and advocacy groups for Middle Eastern ethnic minorities, the Transportation Security Administration in the U.S. Department of Homeland Security narrowed somewhat its proposal to gather and search out personal data on airline passengers.
The proposed CAPPS II program is to detect passengers who may raise suspicions that require heightened searches at airports. Originally TSA wanted to keep its data for 50 years; that has been curtailed to a day or two after a flight unless there is suspicion. Originally, TSA wanted to query credit records. That element has been left out of the latest, revised proposal. www.tsa.gov/public/display?theme=8&content=631, 68 Federal Register 45265, Aug. 1.
Still, the new proposal now calls for demanding date of birth from airline customers and for passenger records to be “run against commercial databases.” That usually means using ChoicePoint, a discredited database company that has been cited repeatedly for selling erroneous data. ChoicePoint has Social Security numbers, and home addresses, along with phone numbers of millions of individuals and some arrest data. (Attorneys in Florida have filed a class-action lawsuit against ChoicePoint and the parent company of Lexis-Nexis for allegedly obtaining drivers’ records in violation of the Driver’s Privacy Protection Act. Levine v. ChoicePoint, 03-80491 (S.D. Fla. 2003).)
If you object to providing a date of birth every time you make an airline reservation and object to a federal agency promoting use of the dubious databases of ChoicePoint, send comments to the Privacy Office, ATTN: Yvonne L. Coates, U.S. Department of Homeland Security, Washington, DC 20528. You must identify the docket number DHS/TSA-2003-1 at the beginning of your comments, and you should submit two copies. You may also submit comments via e-mail to privacy@dhs.gov.
Twenty Minutes a Month
- from the May 2003 issue
This monthly feature advises you how you can campaign for privacy protection or protect your own privacy, by taking 20 minutes a month. If you subscribe within the next month, ask us for a copy of all of these tips, and we'll send it to you free.
One simple way to dramatically reduce your risk of identity theft and secondary use of personal information is to opt-out from prescreened credit card offers. These offers are sent to individuals whose credit reports match criteria desired by credit issuers. The problem with these offers is that they can be intercepted in the mail by a fraud artist and then used to obtain credit in your name. Prescreened offers are delivered not only by mail; there is a growing movement to transmit them by e-mail, which implicates even greater security risks.
You can opt-out of prescreening from Experian, Trans Union, and Equifax by calling one phone number: 1-888-5-OPTOUT. Pay careful attention to the options on the phone menu. The first option on the menu will remove your information for only two years. The second option places you back on prescreening lists! The last option is the one that you want – it will remove your information from prescreened list permanently. In order to exercise this last option, you will have to complete a form that will be mailed to you after you complete the telephone call.
Other ways to reduce the risk of identity theft: Provide your Social Security number only when the transaction has tax consequences or involves Medicaid or Medicare. Do not provide it to apply for credit, employment, or insurance. Don’t provide it by telephone to strangers or to anyone by fax. Check your own credit report for accuracy, perhaps once a year. Before disposing of documents with credit-card numbers or Social Security numbers on them, tear them in half, splitting the identifying numbers, and then deposit the pieces in separate trash containers.
Just Published
From the April 2003 issue
In a new study, the Center for Democracy and Technology advises a couple of tricks to lessen the amount of unwanted e-mail advertising (spam). List your address on Web sites and newsgroups as username at isp.com. for example. Listing your real address, like username @isp.com makes it easy for marketers to harvest it automatically and add it to their lists. Another idea: use a second e-mail address as the “public address” that you make available on-line and in commercial transactions. Information from Ari Schwartz, 202/637-9800, www.cdt.org/speech/spam/030319spamreport.shtml.
CDT has also published a handsome collection of papers from advocates and corporate officials on issues before the current session of Congress, Considering Consumer Privacy, A Resource for Policymakers and Practitioners, edited by Paula J. Bruening (102 pages). www.cdt.org.
In each issue, Privacy Journal provides tips like this and a listing of new publications and upcoming events relevant to protection of personal privacy.
20 Minutes
From the March 2003 edition
This monthly feature in Privacy Journal advises you how you can change the world, or at least one part of it, by taking 20 minutes a month. This suggestion is submitted by Chris Hoofnagle of EPIC.
Customer proprietary network information (CPNI) is data collected by telephone companies about your phone calls. It includes the time, date, duration, and destination number of each local call on your account. Telephone companies wish to sell this information for marketing purposes and have mounted legal challenges to laws that increase privacy protections for your calling information.
Currently, the Federal Communications Commission is allowing telephone companies to use opt-out as a method for allowing consumers to end CPNI sharing. To protect the information about your calls, call your phone company and specifically request that CPNI not be shared. The telephone companies bet that you won’t call. In challenging stronger privacy protections, the Qwest Corporation described consumers as “uneducated, inattentive adults.” Let’s opt-out of CPNI sharing, and prove Qwest wrong!
The next time you receive a phone bill, be sure to call your telephone service provider, and request to opt-out of all CPNI sharing. The opt-out system varies among carriers, and in some cases, depending on the state in which you reside. Also, be warned that one company, Verizon, has established a toll-free opt-out system (866/483-9600), but the process is confusing and Verizon describes your right to opt-out as placing a “restriction” on your account.
A New Fashion Statement?
- From February 2003 edition
There a “ChipMobile” moving about the nation – or at least about communities in Florida. It’s Applied Digital Solutions’ “state-of-the-art, fully equipped mobile unit to spread awareness about the benefits of VeriChip to wide audiences.”
VeriChip, first announced in December 2001, is a miniaturized radio-frequency identification device (RFID) that can be used in “a variety of security, financial, emergency, identification and health-care applications,” according to the company. It now has seven authorized VeriChip centers in Florida, Washington, D.C., and elsewhere in the U. S.
Back in September 1994, PRIVACY JOURNAL reported, “Entrepreneurs in the microchip-implant business who are eager to sell their products to ‘the human market’ have said that implanting identity chips in Alzheimer’s patients would be the most benign and publicly acceptable use of human implants with which to begin.”
Indeed, doctors for Applied Digital Solutions
first implanted the tiny VeriChip transponder in a memory-impaired patient on May 10, 2002. Now there are 20 Americans walking around with them, including the company’s public relations consultant, who proudly wears an implant in his upper right arm. The new chips are inert demos right now because the reading devices for them are scarce and because the chips do not locate the individual or store medical information.
For the complete story, ask us for a sample copy of the February 2003 edition:
Virginia Citizen Makes Courts Think Twice
- From January 2003 issue
Court clerks throughout the nation may be moving to post court documents on their Web sites, but in Virginia that trend has skidded to a halt because of the efforts of one woman.
Betty “BJ” Ostergren of Hanover County began her campaign to warn citizens of the invasion of their privacy last August, when a local title searcher told her that the county clerk planned to place court records on-line. The records would include deeds of trust with signature facsimiles and Social Security numbers; certificates of satisfaction/assignments; homestead deeds; final divorce decrees; judgments and liens; wills; lists of heirs; fiduciary reports for estates; and Financing Statements (often called UCC’s).
BJ was infuriated by this prospect. She decided to spend money she had set aside for family Christmas gifts to launch a direct-mail campaign.
BJ Ostergen’s direct-mail approach was effective. She downloaded personal information from Web sites maintained by neighboring counties and mailed it to the individuals involved, along with a letter urging action. She started with King County. “I got the folks riled up over there and the Board of Supervisors eventually voted to kick the clerk off the Web site since he was using the county’s site,” she told FauquierNews, an electronic investigative news-letter on open records in Virginia edited by James Borland.
www.fauquiernews.com/010703issue.htm.
Ostergren claims credit for ending Internet publication of citizens’ documents in King William, Scott, and Warren counties. Her home county never went ahead with its plan. At a citizens meeting on general concerns sponsored in Richmond last month by the Virginia Institute, Ostergren energized the people there, got a State Senate candidate fired up by displaying the data on him that she had downloaded, and had a member of the state legislature promise to introduce a bill to limit the kinds of personal data that courts may display on Web sites. This month she’s building her own Web site, not to show personal information about citizens but to inform them of their vulnerability. www.opcva.com/watchdog.
For the full text of the article, send us an e-mail request for a free sample of the January 2003 issue.
_________
If you have gotten this far in our Web site, you deserve a free 6 month subscription! Call us or e-mail us and ask for the free subscription to the "Eric Blair" special. If you identify the significance of that name, we'll add a free month to your 6 free months!
Canada’s Privacy Watchdog Presses On
– From December 2002 issue
The Privacy Commissioner of Canada has had an extraordinarily busy year, and no month has been busier than November. Within just 25 days, George Radwanski took on the Parliament, the Customs Agency, the passport office, and the entire governmental establishment implementing anti-terrorism proposals.
When George Radwanski was appointed in 2000, it was predicted that he would be controversial. He has not disappointed. Back in 2000, Conservatives in the Parliament and some privacy activists sharply attacked the nomination, saying that Radwanski was “unacceptable” because he was too chummy with the Liberal government of Prime Minister Jean Chretien. [See PJ Sep 00.] Indeed, Radwanski had held several partisan offices (like his predecessors as Privacy Commissioner actually).
A year ago, Radwanski was out on a limb with several assertive rulings in favor of protecting privacy. [See PJ Nov 01.]
He fired off more salvos last month:
Nov. 1: The Commissioner criticized the government’s proposal in Parliament to provide the Royal Canadian Mounted Police and the Canadian Security and Intelligence Service with unfettered access to personal information on all Canadian passengers held by airlines. “I have raised no objection to the primary purpose of this provision, which is to enable the RCMP and CSIS to use this passenger information for anti-terrorist ‘transportation security’ and ‘national security’ screening. But my concern is that the RCMP would also be expressly empowered to use this information to seek out persons wanted for criminal offenses that have nothing to do with terrorism, transportation security or national security. In Canada, it is well established that we are not required to identify ourselves to police unless we are being arrested or we are carrying out a licensed activity such as driving. The right to anonymity with regard to the state is a crucial privacy right. Since we are required to identify ourselves to airlines as a condition of air travel and since [the proposed law] would give the RCMP unrestricted access to the passenger information obtained by airlines, this would set the extraordinarily privacy-invasive precedent of effectively requiring compulsory self-identification to the police.”
Nov. 5: He told the foreign ministry to remove “place of birth” from Canadian passports because “We do not have different classes or categories of Canadian citizens depending on their country of birth.”
Nov. 22: The Commissioner, for a second time, termed as illegal a planned expansion of a Customs Agency database to collect personal information on new arrivals in the country and keep it on file for six years. This time he produced two legal opinions provided at his request by a retired Supreme Court justice and by a former deputy attorney general who helped draft the Canadian Charter of Rights and Freedoms. “I have made clear to you and to your most senior officials on numerous occasions my concern that the amassing of dossiers of personal information on all law-abiding Canadians, as is being done by your CCRA database, has no place in a free and democratic society like Canada,” Radwanski said in a sharply worded letter to the Minister of National Revenue. “These concerns have been endorsed by seven provincial and territorial information and privacy com-missioners from across Canada. Now you have it on the authority of two of Canada’s most eminent legal and Charter experts that your ‘Big Brother’ database is in violation of the Canadian Charter of Rights and Freedoms. I cannot imagine what more a reasonable person such as yourself can require to be persuaded that this database initiative is untenable and cannot stand.”
Nov. 25: The Privacy Commissioner told the heads of three ministries that their plan for “lawful access” to citizens’ Internet, cell phone, and e-mail activities was ill-advised. “If Canadians can no longer feel secure that their Web surfing and their electronic communications are in fact private, this will mark a grave, needless and unjustifiable deterioration of privacy rights in our country,” he stated. Radwanski said in a newspaper interview that the Liberal government had lost its moral compass. The ministries replied that they heard Radwanski’s complaint but “our interest in these proposals is public safety.”
For the full story, write us for a free sample of our December 2002 issue.
Letters to the Editor
- From the November 2002 issue
From Boston: I’m gathering information about theft of identity on college campuses. Many schools have students use their Social Security numbers as their student ID#, which frequently gets placed on a student ID card (which can be lost or stolen). That number is used for everything from getting your grades to getting into the cafeteria.
Response: Laws in Arizona, New York, and Wisconsin now prohibit state universities from requiring Social Security numbers as student ID numbers.
From Cyberspace: Can any one tell me the idea and meaning of this question? “Most persons think of the publication of private facts about a person when they think of the right to privacy, yet this variety of the tort has been the least accepted by the courts. Why?” What’s that mean deeply?
Response: Lawyers traditionally have divided the “tort” of invasion of privacy into four branches: disclosure of private facts about a person, commercial appropriation of a person’s likeness or persona, portraying a person in a false light even though “truthfully,” and intruding upon a person’s solitude or personal space. The question says, “People usually think of the disclosure of private facts when they think of privacy, yet of the four branches, courts seem most reluctant to accept it, or approve lawsuits involving it. Why?”
From Van Meter, Iowa: I just recently ordered the Compilation of State and Federal Privacy Laws from Amazon, and I want you to know how helpful I’ve already found the compilation book.
From Cyberspace: Would you consider doing a piece on www.vitalsearch-ca.com? They are publishing birth records on all of the people born in California. And that includes everyone’s mother’s maiden name and DOB. We don’t like to see our children’s names on these Web sites. Maybe if everyone goes to the Web site, and finds their name, they’ll be so disgusted that they’ll get a law passed to stop this nonsense. You might also consider doing a piece on www.anybirthday.com. They get this DOB information from voter registration records. If people knew that when they registered to vote their names and dates of birth were going to be sold to companies such as this one, they’d probably not register again. When we called one of the county offices, even their own employees were unaware that the government sold this information. Luckily, you can remove your name from this Web site, but that does not really solve the problem. The government should stop selling this information.
