choof.org

Choof.org is Chris Hoofnagle's personal site. You'll find postings from the Federal Register here, interesting Washington regulation tidbits, and my newest feature, the Daily Data Marketing Wake Up Call. Enjoy.

December 27, 2005

Industry Lobbyists' Deck of Cards

Ever wanted to be an industry-side lobbyist? You can learn the basics right here on choof.org!

I've made the entry to your new career simple with this privacy industry deck of cards. These cards articulate all the arguments you need to make your case, without actually knowing anything. Master these arguments, and you too could be a high-paid lobbyist for almost any tech industry. Update: Ed Mierzwinski of US PIRG has suggested some additional cards based on his years of experience of listening to inane arguments.

Before you play, it helps to know some strategy. Keep these rules in mind:

  • Delay almost always works to your advantage.
  • Muddy the waters where possible.
  • Exploit staffers' ignorance, where possible.
  • "Poison the well." If there is any flaw in the opponent's argument, suggest the entire campaign is unwarranted.
  • When hearing a consumer advocate's argument, deliberately misunderstand it and interpret it in the most absurd way possible.
  • Employ the vagueness fallacy; speak glowingly of the importance of "trust."
  • Denigrate Washington broadly, speak of "bureaucrats," etc.
  • If someone calls your bluff, use your joker or other face card.
  • If a lower-value card doesn't work at first, just keep on playing it over and over.

Now that you have some strategery, here are the cards:

Play this one initially: Claim that no problem even exists.

No Problem

If the problem is apparent, deny that it causes harm:

No Harm

If there is harm, dismiss it:

It's Just a Mere Inconvenience

You can always claim that the barrel isn't rotten, so there's no reason to take action. Blame it on "bad apples." For some reason, people find this argument compelling.

Bad Apples

If there is serious harm, play this card:

Wait and See

Go on the offensive and accuse the consumer groups of being do-gooders:

You're a Ninny

If the industry is new, say that the proposal is unnecessary because of the industry's competitiveness. It doesn't matter whether the field really is competitive. People just like to hear that word.

Competition is magic

If the industry isn't regulated:

Self Regulation

If that doesn't work, create a bogus self-regulatory body to whitewash the problem:

Bogus Trade Group

If the industry is heavily regulated:

Already Highly Regulated

If the proposal touches on business practices or technology, say it will stifle innovation.

Stifles Innovation

Even better--if your opponent is a nitwit, argue that technology can't be regulated. A related argument is: "Punish the bad actors, not the technology."

Can't Regulate Technology

Argue that the proposal limits consumer choice. Mention that, after all, you are a consumer too.

Consumer Freedom in Jeopardy

It's time to invest a little bit of money in your campaign. Hire a professor to write something supporting your position that has enough of a patina of legitimacy to fool reporters. George Mason University, which is well positioned near Washington, is a great place to find crackpots who will support your case.

George Mason School of Law

Argue that the proposal shows a lack of understanding of the industry:

You Don't Understand Us

(If you employ this card, don't volunteer any information about the industry.)

Threaten that the proposal will cause the industry to leave the United States:

Screw You Guys!  I'm Going Home!

No one with a brain believes that argument, so you'll probably have to move on to a market posture argument. So, if there's a bear market, argue that the proposal is untimely because the economy is a "finely-tuned engine," and that Congress is at best an "inexperienced mechanic."

Bear Market

You know what to say if we're not in a bear market:

Bull Market

If you still haven't killed whatever proposal is vexing you, it's time to break out the high value cards. Almost any proposal can be read to be some sort of due process violation. So make an appeal to business civil liberties and inflate your unlikely likelihood of litigation success:

Our Rights!

Another popular one is to argue that the proposal will result in the government competing against the private sector. No one likes that, except for people who like things like public schools. So argue:

Big Government

If you're working on the state level, tell the staffers that the issue is being addressed at the federal level:

Federal Issue

If you're working on the federal level, you know what to say.


State Issue

By now, it's time for the really big guns. Time to play the Joker: Give money to the leadership. That way, the proposal might not even get a vote.

Give Money to the Leadership

As an industry lobbyist, you must stop the establishment of "private rights of action." This isn't hard, because everyone likes to deride plaintiff's attorneys. Be sure to mention that if there is a right to sue, it will result in meritless litigation.

Lawsuits!

Proposal will create a "patchwork" of compliance requirements.

Patchwork!

Alternatively:

We Can't Handle Comprehensive Regulation

If you're feeling bold:

We Need Regulatory Relief

By now, things are getting desperate. It's time to retreat to the last (or first) refuge for cowards: patriotism. Be sure to deride Europe and talk about how it's impossible to do business there, whether or not you've even been there.

Un-American!

And the related card:

Proposal is Communist

Proposal will cost jobs. Foretell gruesome effects.

Jobs in Jeopardy

If you know the law is about to pass, make sure that it has no substantive protections, and that all it gives is notice to individuals of business practices. You can go back and replay the 8 of Clubs (George Mason) and find an academic who will argue that all consumers need is notice of a particular practice, and then replay the 6 of Spades (market will remedy all problems). Amen.

[Image: kc.gif]

On one hand, you want to preach the benefits of the free flow of information to consumers and the economy. On the other, you don't want information to be too free. For instance, what if a pesky legislator wants you to disclose information about security breaches? There is an important balance here that you need to explain: information that benefits your company is good. Information that embarrasses your company is bad. And because there is so much bad information about your company, publication of it would overwhelm consumers and cause confusion.

Consumer Confusion

Argue that the proposal will limit anti-fraud, law enforcement, or anti-terrorism efforts.

Danger!

Finally, when nothing is left, you can always argue that the proposal will cause the industry to lose money:

We'll Lose Money
Posted by chris at 01:02 PM | Comments (0)

November 09, 2005

Girls Gone Wild Creator's Privacy, Anus Invaded

Via Drew Curtis' Fark.

Radaronline reports:

The camera pans to reveal his pants dragged down around his knees and a pink vibrator resting on the crest of his buttocks, lazily gyrating with an irritating whine. The mood is hardly erotic. The man on the screen looks like a hostage in one of those videos streaming out of war-ravaged Iraq: disheveled, sleep-deprived, disoriented, and, just maybe, fearing something on the order of an on-camera beheading. “My name is Joe Francis,” he says repeatedly in a damaged monotone, slurring his words in a continuous stream. “I’m from Boys Gone Wild, and I like it up the ass.”

The copy of this tape currently in the possession of the LAPD is the unlikely centerpiece of a trial that is set to begin next year - one that pits Francis, the 32-year-old multi-millionaire kingpin of the Girls Gone Wild video empire, against a small-time hustler who allegedly video-taped Francis in humiliating positions while holding him at gunpoint and later tried to blackmail his victim by threatening to release the tape.

Posted by chris at 11:16 PM | Comments (0)

August 24, 2005

My Junk Mail Experiment

Just for kicks, I decided that in moving to San Francisco, I would tell no business my home address. I started phone and electric service in false names, and forwarded my mail from DC to my new office in downtown San Francisco. I also decided to never open my mailbox, and since March, I've just let the junk mail pile up in it.

This evening I came home and decided to open the mailbox. It was chock full of crap, and only a single piece of mail was for me (addressed to an alias!). There were 12 offers for pre-approved credit for other people who no longer live here. There were 4 identical coupons for Bed, Bath, and Beyond. And there were 3 identical offers for RCN Internet service.

The fun continues. I am going to file prohibitory orders on all of the saturation mail (mail addressed to "current resident") with my trusty Postal Form 1500, which you can obtain from the USPS here. When you file such an order, the sender is barred by federal law from mailing you again. All first class mail will be marked "Refused" and will go back into the mailbox.

Posted by chris at 12:17 AM | Comments (0)

August 04, 2005

New Blog: EPIC West

Hello loyal readers! I have started a new blog devoted only to privacy at EPIC. Visit it sometime: http://epic.org/west/.

Posted by chris at 08:42 PM | Comments (0)

July 27, 2005

CNN Headline News Sells List of Product Purchasers

CNN Headline News is selling a database of people who purchased products advertised on the channel. 150,000 individuals are in the database, at a cost of $60 per thousand names.

CNN Headline News Cable TV Product Buyers
This file contains 156,719 last-12-month phone-based buyers of products advertised on this cable network.
Selections: COD, credit cards, gender, state/SCF/ZIP Price: $60/M
Contact: RMI, 203-825-4638
Posted by chris at 03:09 PM | Comments (0)

Stay at Home Fathers Sold

Today's Direct list of databases includes an advertisement for stay at home fathers--"Mr. Moms."

Mr. Mom
This file offers 68,000 stay-at-home dads taken from magazine subscribers, parent teacher association, seminar and self-reported sources.
Selections: Age, ethnicity, homeowner, hotline, income, mail order buyers, marital status, phone number, state/SCF/ZIP Price: $90/M Contact: List Connection Inc., 800-499-1552
Posted by chris at 03:00 PM | Comments (0)

July 26, 2005

Debt Consolidators for Sale

Ever use freedebtconsolidation.com? If so, your personal information is for sale online at Direct.

Freedebtconsolidation.com
Intermark Media Inc. has appointed Acton Direct as manager of the Debt Consolidation Applicants from Freedebtconsolidation.com file. This is a list of 587,140 credit counseling agency applicants who completed an online form.
Selections: Gender, recency, state/SCF/ZIP Price: $90/M Contact: Acton Direct, 402-470-5808
Posted by chris at 10:33 AM | Comments (0)

July 22, 2005

A New Way to Get Off Telemarketing, Mailing Lists

Tell the DMA that you're dead. $1 fee applies. And the process involves giving your credit card number to the direct marketers!

Posted by chris at 11:03 AM | Comments (0)

July 21, 2005

Flash Cookies: Get Rid of Them

There's a lively discussion over at Slashdot on "Flash cookies," text files that can be set by sites using Macromedia's Flash player. The problem with these cookies is that web advertisers have figured out that they can use them to track people. The idea is that many users now know to toss their cookies. So, if you want to track someone, set both a standard web cookie and a Flash cookie on their computer. Chances are, they won't know about the Flash cookie.

We at EPIC have posted a page on Flash cookies (officially known as "local shared objects"). You can stop people from tracking you by:

The official way to address Flash cookies is to change your settings by visiting this Macromedia web page. One trick is that you can lower the allowed storage area to just 0kb. This will cause a box to appear whenever a website tries to set a Flash cookie.

Users can get rid of the current Flash cookies and their tracking information simply by going to the correct folder (see below) and deleting them. The Flash cookies are organized in folders according to the site that placed them, so users can choose which objects to keep.

Flash cookies are stored in a special directory depending on the operating system on the client machine. They are arranged in directories according to the site that placed them on the computer (look for a file with a .SOL extension):

* Windows C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
* Macintosh OSX /Users/[username]/Library/Preferences/Macromedia/Flash Player
* GNU-Linux ~/.macromedia

Firefox users can use Objection, a recently developed extension that adds an LSO deletion tool to Firefox preferences.

The good news about this problem is that Macromedia doesn't like the fact that advertisers are trying to use Flash in this fashion. And, the advertisers claiming that Flash can be used for tracking appear to be inflating the capabilities of the Flash cookie.
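The manual cleanup described above, as an added example (not from the original post or from EPIC's page): a Python script that inventories `.sol` files under the Flash Player directory by site and deletes everything except the sites you choose to keep. The sample directory tree, the `.example` host names, and the rule for guessing the site from the path are assumptions made for the demonstration.

```python
import sys
import tempfile
from collections import defaultdict
from pathlib import Path


def default_root(home=None, platform=sys.platform):
    """Flash Player storage directory for this OS, as listed in the post."""
    home = Path(home) if home else Path.home()
    if platform.startswith("win"):
        return home / "Application Data" / "Macromedia" / "Flash Player"
    if platform == "darwin":
        return home / "Library" / "Preferences" / "Macromedia" / "Flash Player"
    return home / ".macromedia"


def site_of(sol_path, root):
    """Guess which site set an LSO from its location under the root.

    Assumption (not from the post): the site is the first directory below
    the root whose name contains a dot, e.g. 'tracker.example'.
    """
    for part in sol_path.relative_to(root).parts[:-1]:
        if "." in part and not part.startswith("#"):
            return part.lower()
    return "(unknown)"


def inventory(root):
    """Map each site to the sorted list of .sol files stored for it."""
    root = Path(root)
    if not root.is_dir():
        return {}
    found = defaultdict(list)
    for path in root.rglob("*"):
        # The extension check is case-insensitive: .sol and .SOL both count.
        if path.is_file() and path.suffix.lower() == ".sol":
            found[site_of(path, root)].append(path)
    return {site: sorted(paths) for site, paths in sorted(found.items())}


def purge(root, keep=(), dry_run=True):
    """Delete LSOs for every site not in `keep`; return the affected paths.

    With dry_run=True (the default) nothing is deleted, so the result can be
    reviewed before anything is removed.
    """
    keep = {site.lower() for site in keep}
    affected = []
    for site, paths in inventory(root).items():
        if site in keep:
            continue
        for path in paths:
            if not dry_run:
                path.unlink()
            affected.append(path)
    return affected


def build_sample_tree(base):
    """Create a constructed Flash Player tree for the demo (not real data)."""
    root = Path(base) / "Flash Player"
    samples = [
        "#SharedObjects/AB12CD34/tracker.example/ads/banner.swf/uid.sol",
        "#SharedObjects/AB12CD34/tracker.example/ads/banner.swf/visits.sol",
        "#SharedObjects/AB12CD34/games.example/puzzle.swf/highscore.SOL",
        "#SharedObjects/AB12CD34/games.example/puzzle.swf/readme.txt",
    ]
    for rel in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample, not a real LSO")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for site, paths in inventory(root).items():
            print(f"{site}: {len(paths)} object(s)")
        gone = purge(root, keep={"games.example"}, dry_run=False)
        print(f"removed {len(gone)} object(s); remaining: {list(inventory(root))}")
    print("location on this machine:", default_root())
```

To run it against a real profile, pass `default_root()` to `inventory()` first and review the dry-run output of `purge()` before calling it with `dry_run=False`.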

Posted by chris at 11:11 PM | Comments (0)

July 20, 2005

No One Complains About the Sports Authority's Telemarketing?

MSNBC is running a story on my telemarketing work. Bob Sullivan writes:

...Telemarketing groups are quietly mounting a campaign that would open the door to a floodgate of new calls, EPIC says, pointing to a series of requests filed with the FCC, essentially asking the agency to invalidate state laws regulating the practice.

Now my favorite part of the article is where Sullivan quotes the Sports Authority's lawyer, Bill Raney:

Bill Raney, a telecommunications lawyer who defends companies against Do Not Call lawsuits, said...consumers are not complaining about them [telemarketing calls]...

Consumers aren't complaining? How does he explain this (PDF)? Raney's own petition was sparked by a complaint filed by the State of Florida!

[Image: tsacomplaint.gif]

Looks like a complaint to me!

Posted by chris at 05:12 PM | Comments (0)

Hoofnagle on Consumer Protection Preemption

I'm working on comments to the Federal Communications Commission on preemption of state telemarketing laws. As I explain on EPIC's Telemarketing Preemption page, big banks, retailers (the Sports Authority), and telemarketers are trying to invalidate strong anti-telemarketing laws:

  • Telemarketers are trying to force New Jersey, Indiana, and Wisconsin to recognize the "established business relationship" exception. This loophole to the Do-Not-Call Registry allows companies to contact their current customers. While that may sound reasonable, the devil is in the details: If you make any purchase, no matter how small, or request any information from a business, you have created an "established business relationship." In the case of purchases, the business may call you over the next 18 months; if you merely requested information, they may call for 3 months. This means that merely buying a cup of coffee creates a "relationship" that would allow the coffee shop to call you, even if you are on the Do-Not-Call Registry.
  • Telemarketers are also trying to force North Dakota and Florida to recognize the ability of a telemarketer to send "pre-recorded voice" messages. In this marketing technique, a computer is programmed to call thousands of people and play a recorded message. Telemarketers add "ums" and background noises to the recorded message to fool the listener into thinking that the call is from a live person. Unlike live telemarketing, pre-recorded voice requires the Sports Authority and the banks to use fewer resources, allowing them to initiate millions of calls a day.

Part of the telemarketers' argument is that state law is too complex--that the states have created a "patchwork" of obligations that make compliance impossible. This is the section of my comments where I argue that new technologies make compliance easier now than ever. Enjoy.

Modern profiling technology demonstrates that compliance with the laws of multiple jurisdictions is possible

1. Petitioners have not demonstrated that the dual federal-state regulatory system, which has worked successfully for almost fifteen years, is in need of change

Petitioners have not successfully made the case that preemption is now needed. Though Petitioners argue that compliance with differing state laws is too burdensome, they have lived under this dual federal-state regulatory system for almost fifteen years. If this system were really so burdensome, the telemarketing industry would have, and should have, objected to the system long ago.

Telemarketing rose in prominence and was curtailed by regulation not because of complexity in compliance, but rather because of overzealous practices that made necessary the Telemarketing Do-Not-Call Registry and restrictions on autodialers. The Petitioners' arguments, viewed in context of almost fifteen years of compliance with varying state laws, appear to be motivated more by political opportunity than technical or legal impossibility.

2. New technologies make compliance with state laws easier now than in any time in history

New technologies make it easier for telemarketers today to comply with differing state laws. Interstate commerce did not begin with the Internet. Businesses have long had to comply with varying state laws as a condition of doing business within a state. And today, with sophisticated location technology and consumer profiling, the direct marketing industry is better equipped than ever to comply with varying state laws. The need for ceiling uniformity is an overvalued idea that does not account for the industry's ability to treat different people differently – at least when there is a profit motive involved.

The same technologies that have enabled customer profiling and segmentation could enable compliance with different state laws. Direct marketers speak breathlessly about their ability to "segment" the public, that is, to treat different people differently. These companies will go to great lengths to divide people into different groups and pitch varying advertising messages to them. For instance, commercial data broker Acxiom released a new customer profiling system in June 2005. As it was described: "Personicx ANSWERS gives users more immediate access to data for marketing planning and analysis. Personicx places each U.S. household in one of 70 segments, or clusters, and 21 life-stage groups based on behavior and demographic characteristics." In addition, Claritas' PRIZM system has been used to profile American consumers for decades, and currently consists of a "62-cluster version of PRIZM and the 95-atom MicroVision system at the ZIP+4 level." These two companies categorize individuals on issues much more nuanced than the state in which they live – these categories concern lifestyle, income, and personal attitudes.

Direct marketers' own advertising literature shows that the industry can even categorize people at the zip code level. In a brochure discussing the segmentation ability of data broker Claritas, the company demonstrates how it can easily identify "young urban professionals" across three jurisdictions. The brochure shows an analysis performed at the zip code level of "Young Influentials," a group that reflects "the fading glow of acquisitive yuppiedom."

[Image: claritas_yuppies.gif]

Claritas' systems can locate yuppie "concentration[s] in the inner-ring suburbs of Prince Georges County, MD, and Northern Virginia." If Claritas can discriminate on this level based on so many factors, direct marketers should be called upon to explain why this same technology cannot enable compliance with state law.

In addition, a simple search on Petitioner American Teleservices Association's (ATA) supplier page returns a variety of companies that specialize in compliance with the very laws that ATA claims are so burdensome. For instance, Call Compliance, Inc. advertises that its "multi-award-winning TeleBlock® Do-Not-Call Blocking System is the first and only blocking product that automatically screens and blocks outbound calls in real-time against federal, state, wireless, third party and in-house Do-Not-Call lists."

In fact, next to the ATA's talking points that urge telemarketers to contact the Commission in support of preemption, the organization advertises a regulatory guide to comply with state laws. The advertisement, an "animated gif," reads:

"ATA American Teleservices Association REGULATORY GUIDE
"DO-NOT-CALL made simple
"All State & Federal Rules Online
"Includes Email Alerts
"Click here for more information"



[Image: regguideblack.gif]

This regulatory guide proclaims that it makes compliance with state laws simple.

[Image: do_not_callmadesimple.gif]

It is a:

[O]ne-stop, online source…[has an]…easy-to-follow menu-driven format allows you to click on a pertinent issue, pertinent text from the statute or regulation itself...essential when assessing the finer points of a problem…. Most guides are industry or state specific, with none providing a complete picture of the constantly changing regulations governing the entire telemarketing industry. With many companies operating regionally, across several states or nationally, the guide is an invaluable work-saver. You'll no longer have to waste valuable calling time jumping to, or searching for, different sites or publications to ensure that all rules are being adhered to when calling into a new area.

Similarly, on Petitioner Direct Marketing Association's supplier page, one can find dozens of companies specializing in telemarketing services. One, Creative Compliance, Inc., even includes case studies in which the company brought a 2,000-location telemarketing enterprise into compliance with federal and state laws.

From a technical perspective, coding in different time of call, established business relationship, or permission to continue laws is trivial. Markers can be placed in the database to highlight individuals who reside in states with stricter telemarketing laws, and telemarketers could be instructed not to call, or to call these individuals at specific times or in compliance with specific rules.

In the past, telemarketing groups bemoaned many aspects of the Telemarketing Sales Rule (TSR) changes, complaining that compliance with mandates, such as the 3% abandoned call rate, was impossible. However, while they complained, other companies were advertising compliance systems in direct marketing trade publications. Today, companies are complying with the TSR mandates, despite the professions of impossibility so strenuously made two years ago.

The Commission should view claims for a need for uniformity with much greater skepticism. New tools make it easier now than ever to treat people differently. The industry should have to bear the burden of explaining how on one hand it can give different people who live on the same block different credit card offers, but it cannot treat people who live in different states differently when it comes to telemarketing regulations.

Posted by chris at 02:52 PM | Comments (0)

July 18, 2005

Credit Card Marketers Increase Offers by 11% in First Quarter

Financial services apologists said time and time again that consolidation of banks and the availability of personal information would result in individuals being subject to fewer solicitations that were more relevant. As we predicted at EPIC, more personal information would simply result in more unwanted credit solicitations. DirectMagazine reports that credit solicitations are up big time, and that response rates are the lowest they've ever been:

Credit card marketers sent out a record 1.4 billion direct mail offers during the first quarter, up 11% over last year, according to Synovate.

[...]

With the record high mail volumes, the response rates to credit card offers reached a record low of 0.4 percent.

Posted by chris at 01:19 PM | Comments (0)

Hoofnagle on Google

The Associated Press is running a feature on Google privacy risks. They actually came by and took a picture of me using Google.

[Image: hoofnagle.jpg]

John M. Harris / Associated Press

Chris Jay Hoofnagle, director of the West Coast office of Electronic Privacy Information Center, says "Google is becoming one of the largest privacy risks on the Internet."

Posted by chris at 11:12 AM | Comments (2)

July 14, 2005

Mossberg: 3rd Party Advertising Cookies are Spyware

Imagine a world where the Wall Street Journal's Walt Mossberg were a Commissioner on the Federal Trade Commission. In such a world, consumers would have a much better shot in getting more consumer friendly products.

While the FTC is cowed by breathless and improbable claims of direct marketers who suggest that third-party advertising cookies help consumers avoid irrelevant ads, Mossberg cuts through the crap. For instance, in today's Journal, Mossberg argues that third party cookies, small text files often used to identify a computer, are spyware:

Some tracking-cookie purveyors say their cookies aren't really spyware because they aren't full-fledged programs and they aren't as outrageous as spyware programs like "key loggers," which record and report every keystroke you enter. Others argue that the companies don't collect personally identifiable data, only aggregate data from many users. To me, tracking cookies clearly meet the obvious definition of spyware.

Rather than trying to legitimize tracking cookies with pressure and marketing campaigns, I suggest that, if they really believe tracking cookies are legitimate, the companies that use them simply go straight. They should ask a user's permission to install the cookies, pointing out whatever user benefits they believe the cookies provide. They might even offer users compensation for allowing tracking cookies on their machines.

Until that happens, here is my advice: If you don't like the idea of tracking cookies, run an antispyware program that detects and removes them, along with all the other indefensible computer code some companies think they have the right to install. After all, it is your computer.

Posted by chris at 10:19 AM | Comments (0)

July 06, 2005

DoD Creates Lactation Database, Okays Data for Law Enforcement, Counterintel Use

The Department of Defense must be kidding us. In today's Federal Register, the agency published a Privacy Act notice to create a database of people in the "Workplace Lactation Program." Specifically, the database will be used "to schedule and track room use." Maybe that's reasonable, but do they really need to create a system of records for this?

One major problem in the Privacy Act area is that agencies use the "routine use" exception to allow information sharing. The idea is that the Privacy Act shouldn't prohibit ordinary use of data in government databases, which on its face is reasonable. But the agencies have abused the exception, and now assert a series of "routine uses" over every database.

In this case, DOD has applied its "Blanket Routine Uses" to the lactation database. This means that information from the lactation database can be transferred to others for the following reasons:

  • Law enforcement.
  • To other agencies when DOD is requesting information in order to engage in hiring and firing decisions.
  • To other agencies when requested for a variety of government decision making.
  • To Congress in response to Member inquiries.
  • To foreign law enforcement.
  • To state and local taxing authorities.
  • To the Office of Personnel Management for pay, leave, and benefits administration.
  • To the Department of Justice for litigation.
  • To military banking facilities.
  • To the General Services Administration for records management inspections.
  • To the National Archives and Records Administration.
  • To the Merit Systems Protection Board.
  • To almost any entity for national security purposes.

Don't you feel safer?


[Federal Register: July 6, 2005 (Volume 70, Number 128)]
[Notices]
[Page 38893-38894]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr06jy05-66]



-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Logistics Agency


Privacy Act of 1974; Systems of Records

AGENCY: Defense Logistics Agency, DoD.

ACTION: Notice to add a system of records; S600.50 DLA Workplace
Lactation Program Records.

-----------------------------------------------------------------------

SUMMARY: The Defense Logistics Agency proposes to add a system of
records notice to its inventory of record systems subject to the
Privacy Act of 1974 (5 U.S.C. 552a), as amended.

DATES: This action will be effective without further notice on August
5, 2005 unless comments are received that would result in a contrary
determination.

ADDRESSES: Send comments to the Privacy Act Officer, Headquarters,
Defense Logistics Agency, ATTN: DP, 8725 John J. Kingman Road, Stop
2533, Fort Belvoir, VA 22060-6221.

FOR FURTHER INFORMATION CONTACT: Ms. Susan Salus at (703) 767-6183.

SUPPLEMENTARY INFORMATION: The Defense Logistics Agency notices for
systems of records subject to the Privacy Act of 1974 (5 U.S.C. 552a),
as amended, have been published in the Federal Register and are
available from the address above.
The proposed system report, as required by 5 U.S.C. 552a(r) of the
Privacy Act of 1974, as amended, was submitted on June 27, 2005 to the
House Committee on Government Reform, the Senate Committee on Homeland
Security and Governmental Affairs, and the Office of Management and
Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular No.
A-130, `Federal Agency Responsibilities for Maintaining Records About
Individuals,' dated February 8, 1996 (February 20, 1996, 61 FR 6427).

Dated: June 29, 2005.
Jeannette Owings-Ballard,
OSD Federal Register Liaison Officer, Department of Defense.
S600.50

System name:
DLA Workplace Lactation Program Records.

System location:
Staff Director, Environment, Safety and Occupational Health,
Headquarters Defense Logistics Agency, ATTN: DES-E, 8725 John J.
Kingman Road, Stop 6220, Fort Belvoir, VA 22060-6221, and the Defense
Logistics Agency Field Activities. Official mailing addresses are
published as an appendix to DLA's compilation of systems of records
notices.

Categories of individuals covered by the system:
Civilian, military, and contractor personnel assigned to Defense
Logistics Agency (DLA) facilities who have asked to participate in the
DLA Workplace Lactation Program. The system may also cover individuals
of other agencies who receive services from DLA under an administrative
support agreement.

Categories of records in the system:
Participant's name, employing office and office symbol, work and
home telephone numbers, signed agreement forms, dates and times of
lactation room use, and physician's approval slips and forms (if
applicable).

Authority for maintenance of the system:
5 U.S.C. 301, Departmental Regulations; 10 U.S.C. 136, Under
Secretary of Defense for Personnel and Readiness; and Section 631 of
Pub. L. 107-67, Treasury and General Government Appropriations Act,
2002.

Purpose(s):
The records are maintained and used by program coordinators to
administer the DLA Workplace Lactation Program and to schedule and
track room use. Records may also be used to ensure compliance with
program rules and restrictions on room use. Statistical data with all
personal identifiers removed may be used by management for program
audit or effectiveness reviews, adequacy of facility size and
amenities, or other administrative purposes.

Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act, these records or information contained
therein may specifically be disclosed outside the DoD as a routine use
pursuant to 5 U.S.C. 552a(b)(3) as follows:
The DoD "Blanket Routine Uses" set forth at the beginning of
DLA's compilation of systems of records notices apply to this system.

Policies and practices for storing, retrieving, accessing, retaining
and disposing of records in the system:
Storage:
Records are stored in paper and electronic form.

Retrievability:
Records are retrieved by participant's name.

Safeguards:
Access is limited to those individuals who require the records in
the performance of their official duties. Access is further restricted
by the use of passwords which are changed periodically. Physical entry
is restricted by the use of locks, guards, and administrative
procedures. Employees are periodically briefed on the consequences of
improperly accessing restricted data.

Retention and disposal:
Disposition pending. Until the National Archives and Records
Administration has approved the retention and disposal of these
records, treat as permanent.

System manager and address:
Staff Director, Environment, Safety and Occupational Health,
Headquarters Defense Logistics Agency, ATTN: DES-E, 8725 John J.
Kingman Road, Stop 6220, Fort Belvoir, VA 22060-6221; and the Heads of
the Environment, Safety, and Occupational Health offices of the Defense
Logistics Agency Field Activities. Official mailing addresses are
published as an appendix to DLA's compilation of systems of records
notices.

Notification procedures:
Individuals seeking to determine whether information about
themselves is contained in this system should address written inquiries
to the Privacy Act Officer, Defense Logistics Agency, ATTN: DP, 8725
John J. Kingman Road, Stop 2533, Fort Belvoir, VA 22060-6221, or the
Privacy Act Officer of the DLA Field Activity where employed or
assigned. Official mailing addresses are published as an appendix to
DLA's compilation of systems of records notices.

Record access procedures:
Individuals seeking access to information about themselves
contained in this system should address written inquiries to the
Privacy Act Officer, Defense Logistics Agency, ATTN: DP, 8725 John J.
Kingman Road, Stop 2533, Fort Belvoir, VA 22060-6221, or the Privacy
Act Officer of the DLA Field Activity where employed or assigned.
Official mailing addresses are published as an appendix to DLA's
compilation of systems of records notices.

Contesting record procedures:
The DLA rules for accessing records, for contesting contents, and
appealing initial agency determinations are contained in 32 CFR part
323, or may be obtained from the Privacy Act Officer, Headquarters,
Defense Logistics Agency, ATTN: DP, 8725 John J. Kingman Road, Stop
2533, Fort Belvoir, VA 22060-6221.

Record source categories:
Data is provided by the record subject, by the subject's personal
physician, and by the lactation room coordinator.

Exemptions claimed for the system:
None.

[FR Doc. 05-13205 Filed 7-5-05; 8:45 am]

BILLING CODE 5001-06-P

Posted by chris at 12:23 PM | Comments (0)

June 10, 2005

Deep Fried Country Folks

In today's DMNews:

Deep Fried Country Folks: Independent, Patriotic & Responsible
The Direct Marketing Shop
New List
Description: This list contains blue-collar workers who purchase products that enhance their ability to perform their favorite activities well. Favorite activities include cooking, gardening, sewing, fishing, hunting, watching auto racing and other seasonal sports.
Selects: 24 million universe, age, gender, income, ethnicity, homeowner, mail order buyer, hotline names; lifestyle categories including auto racing, campers, cooks/bakers, country music fans, fishermen, hunters, needleworkers, RV owners, smokers, vegetable gardeners, veterans.
Contact: Your list broker or The Direct Marketing Shop, 18 Highland Pointe Drive, Weaverville, NC 28787 Phone: 828/645-8411; Fax: 828/645-8601

Posted by chris at 11:00 AM | Comments (0)

May 05, 2005

Gov. Publishes Medical Info

Isn't this nice. The government publishes the names of people with diabetes applying for an exemption to regulations concerning operators of commercial vehicles. Is there any reason why the names of the people applying for the exemption must be published? Can't they use pseudonyms or just number the applicants?

Posted by chris at 11:34 AM | Comments (0)

January 17, 2005

Banks Negotiating Auto Loan Discrimination Cases

The Wall Street Journal reports that the big banks are in talks with attorneys in auto-lending discrimination cases. These are cases where auto dealers "pack" financial products with extra charges. For instance, if you go buy a car from a dealership and the manufacturer offers you financing, the dealer will quietly add a couple of percentage points of interest to the loan. Over the terms of the loan, this adds up big time, resulting in thousands of dollars in interest and fees. Banks allow the additional interest charges, thus enabling dealers to rip people off: "Both Bank One and Bank of America allow dealers to tack on as much as three percentage points to the annual percentage rate the banks would offer the consumer based on creditworthiness."

The suits allege that blacks were disproportionately targeted for this practice: "A study used by plaintiffs in another suit found that African-American car buyers paid loan markups averaging $1,229 each. The average for white car buyers with similar credit histories was $867 a loan." Generally, you're targeted if you are not an informed buyer. Simply put, when buying a car, you should go get a loan directly from a credit union or bank. If you get it from the dealer, they will find a way to screw you.

Note this aspect of the case--Bank of America claims that they don't discriminate; that they only have access to credit scores rather than race: "Bank of America spokeswoman Shirley Norton also acknowledged the bank is "in talks" regarding their case, but declined to characterize the talks as settlement talks or indicate how far along the discussions are. 'We don't discriminate. Our policies are racially neutral, based on credit scores,' she said. 'We don't have access to the customers, and we don't deal directly with the customer.'" But this begs the question--are the credit scores themselves discriminatory?

Posted by chris at 02:41 PM | Comments (0)

January 03, 2005

Pipeline Workers Test Positive for Drugs .83%

While marine crewmembers are testing positive for drugs 2% of the time, pipeline workers are at less than 1%.

Posted by chris at 08:38 AM | Comments (0)

2% of Crewmen Test Positive for Drugs

A notice in the Federal Register explains: "...the Coast Guard requires marine employers to establish random drug testing programs for covered crewmembers on inspected and uninspected vessels. All marine employers are required to collect and maintain a record of drug testing program data for each calendar year..."

In 2003, 2.07% of covered crewmembers tested positive for drugs in random screens. What is a "covered crewmember"? I'm not sure. They seem to be defined by function.

Posted by chris at 12:12 AM | Comments (0)

December 23, 2004

2005 Privacy Resolutions

Marc and I came up with this top ten for privacy in 2005. If you do just two or three of the "resolutions," it will slow down all of the various companies trying to bogart your bits.

1. Engage in "privacy self defense." Don't share any personal information with businesses unless it is absolutely necessary (for delivery of an item, etc.). Don't give your phone number, address, or name to retail stores. If you do, they can sell that information or use it for telemarketing and junk mail. If they ask for your information, say "it's none of your business," or give "John Doe, 555-1212, 123 Main St." Don't return product warranty cards. Don't complete consumer surveys even if they appear to be anonymous. Profilers can build in barely-perceptible codes that link you to the survey, and this data goes straight to direct marketers.

2. Pay with cash where possible. Electronic transactions leave a detailed dossier of your activities that can be accessed by the government or sold to telemarketers. Paying with cash is one of the best ways to protect privacy and stay out of debt.

3. Install anti-spyware, anti-virus, and firewall software on your computer. If your computer is connected to the Internet, it is a target of malicious viruses and spyware. There are free spyware-scanning utilities available online, and anti-virus software is probably a necessary investment if you own a Windows-based PC. Firewalls keep unwanted people out of your computer and detect when malicious software on your own machine tries to communicate with others.

4. Use a temporary rather than a permanent change of address. If you move in 2005, be sure to forward your mail by using a temporary change of address order rather than a permanent one. The junk mailers have access to the permanent change of address database; they use it to update their lists. By using the temporary change of address, you'll avoid unwanted junk mail.

5. Opt out of prescreened offers of credit. By calling 1-888-567-8688 or by visiting https://www.optoutprescreen.com/, you can stop receiving those annoying letters for credit and insurance offers. This is an important step for protecting your privacy, because those offers can be intercepted by identity thieves.

6. Choose supermarkets that don't use loyalty cards. Be loyal to supermarkets that offer discounts without requiring enrollment in a loyalty club. If you have to use a supermarket shopping card, be sure to exchange it with your friends or with strangers.

7. Opt out of financial, insurance, and brokerage information sharing. Be sure to call all of your banks, insurance companies, and brokerage companies and ask to opt out of having your financial information shared. This will cut down on the telemarketing and junk mail that you receive.

8. Request a free copy of your credit report by visiting http://www.annualcreditreport.com. All Americans are now entitled to a free credit report from each of the three nationwide credit reporting agencies, Experian, Equifax, and Trans Union. You can engage in a free form of credit monitoring by requesting one of your three reports every four months. By staggering your request, you can check for errors regularly and identify potential problems in your credit report before you lose out on a loan or home purchase. Currently, these reports are available to residents of most western states. By September 2005, all Americans will have free access to their credit report.

9. Enroll all of your phone numbers in the Federal Trade Commission's Do-Not-Call Registry. The Do-Not-Call Registry (http://www.donotcall.gov or 1-888-382-1222) offers a quick and effective shield against unwanted telemarketing. Be sure to enroll the numbers for your wireless phones, too.

10. File a complaint. If you believe a company has violated your privacy, contact the Federal Trade Commission, your state Attorney General, and the Better Business Bureau. Successful investigations improve privacy protections for all consumers.

Posted by chris at 04:59 PM | Comments (0)

Magazines Creating Special Editions for Alcohol Advertising

The Wall Street Journal reports that magazine publishers are creating special editions of their publications for over-21 subscribers in response to demand from the alcohol industry. Now if they would only start making better content for their readers.

...The magazines -- typically sports, music and entertainment publications -- say the extra cost and effort of screening their subscribers are worth it as a way to help insulate liquor advertisers from accusations that they are targeting minors.

Otherwise, they fear a rerun of the precipitous drop in tobacco advertising they endured a few years ago when cigarette makers, once a mainstay for magazines, scaled back advertising after coming under fire for targeting young consumers...

The magazines' approach for the liquor companies borrows a practice from general-interest magazines like Time Warner Inc.'s Time and Sports Illustrated, which sell advertisers various editions of the same issue with ads targeting readers according to income, job title, age, sex, and geographic area. They use U.S. census data and credit-rating agencies to cull information about their readers.

For the 21-plus editions, publishers start with the names and addresses of their subscribers and run them against up to three outside databases, including that of the credit-rating agency Equifax, to find readers who are 21 and over. For instance, Spin has identified a group of 256,000 subscribers, out of a total subscriber base of 478,000, who turn up in a database showing that they are at least 21. Vibe developed its program from a similar offer it had created for Kool cigarettes several years ago, according to Publisher Carol Watson. Magazines charge a premium of 10% to 20% of an ad's price to cover the extra production costs and database search.

Posted by chris at 11:17 AM | Comments (0)

December 16, 2004

Update on Wireless Phones on Airplanes

If you feel strongly about wireless phones on airplanes, be sure to comment to the FCC! Commenting only takes 30 seconds. Just click here and enter proceeding number 04-435. If you look at the bottom of the page, you'll see that there is a box for typing--just say what you want to say there. Be aware that whatever you type becomes part of the public record.

Posted by chris at 01:55 PM | Comments (0)

December 15, 2004

Mass. Charity Telemarketers Pocket 71% on Average

A new report by Massachusetts Attorney General Tom Reilly shows that telemarketers who call on behalf of charities pocket 71% of what they net, on average.

You should know that when attorneys general sue these telemarketers for ripping off the public, the telemarketers hide under the skirt of the First Amendment. The good news is that the Supreme Court in 2003 rejected a First Amendment defense by a telemarketer who misled call recipients about the amount of money that goes to the charity. That case is Illinois ex rel. Madigan v. Telemarketing Associates, Inc.

Posted by chris at 07:11 PM | Comments (0)

December 02, 2004

Off to CA, Covering ABA v. Lockyer

I'm off to San Francisco where I'll be attending the 9th Circuit argument in ABA v. Lockyer, a very important preemption case involving California's financial privacy laws. Here's the EPIC summary on the case. I'll blog about the hearing on Monday afternoon. The 9th Circuit panel is comprised of Judges Kozinski, Bybee, and Fletcher. Should be interesting.

In ABA v. Lockyer, financial services companies are suing to invalidate a California law that provides individuals with strong privacy rights. In 2003, California enacted the California Financial Information Privacy Act, commonly known as "SB1." SB1 provides the strongest financial privacy protection in the nation. It allows customers to "opt-out" of information-sharing practices between affiliated institutions, companies that have common ownership. SB 1 also bars financial institutions from sharing information about consumers with nonaffiliated third parties unless an individual gives his or her express "opt in" consent. However, the legal issue in ABA is limited to the constitutionality of the "opt out" provision for affiliate sharing, and a series of other rights created by SB1 are not being challenged in this case.

In April 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit arguing that SB 1 is preempted or superseded by the federal Fair Credit Reporting Act (FCRA). As interpreted by the banking industry, the FCRA imposes a preemptive ceiling on state privacy statutes, thereby preventing any state or local regulation concerning affiliate sharing of consumer information.

However, District Court Judge Morrison C. England, Jr. ruled otherwise, holding that the federal Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) allows states to erect stronger financial privacy protections. Judge England’s Amended Order, issued on July 9, 2004, concludes that (i) the FCRA was not intended to regulate the simple sharing of information between affiliates, (ii) the only reasonable reading of the FCRA preemption provision is that it prevents states from enacting laws that prohibit or restrict the sharing of consumer reports among affiliates, and (iii) the FCRA preemption provision does not broadly preempt all state laws regulating information sharing by affiliates.

On July 28, 2004, the Ninth Circuit Court of Appeals granted Plaintiff ABA's request for an expedited appeal of Judge England's decision. EPIC is preparing an amicus brief against preemption of SB1 to support California's and other states' efforts to regulate affiliate sharing.

Posted by chris at 02:59 PM | Comments (0)

November 22, 2004

Swipe Updated

Check out Swipe's new website. Swipe now has a loyalty card to serve you better! New Swipe drinks include the PATRIOT, Cat Eyes, the MATRIX, and CALEA.

Posted by chris at 10:46 AM | Comments (0)

We Use Your Information To Serve You Better

The Wall Street Journal reports:

Harrah's [casinos] patrons can apply for a Total Rewards loyalty card and receive points toward anything from a hotel stay to catalog gifts; the more they gamble, the better the perks become. Each cardholder is assigned a "customer value" based on the theoretical revenue they will generate. Customers with higher values get quicker responses from Harrah's phone systems. When a gambler dials Harrah's toll-free reservation line, the computer bounces the number off its database and places the caller in the appropriate service queue.

The operator who picks up the phone is trained not to let on that the caller has been recognized. "That would be too creepy," says Rich Mirman, Harrah's senior vice president in charge of development, and a trained mathematician and economist...

Unlike rivals such as MGM Mirage, Harrah's tries hard to keep less profitable nongambling customers out of its hotels by calculating their customer value and making them pay through the nose. In October, a room at the aging Harrah's Las Vegas was quoted to a caller at a nightly rate of $199, only $14 cheaper than a super-luxury room at Bellagio.

A frequent gambler could be charged anything from nothing to $199 at the Harrah's casino, the company says. The price is based on a complex mathematical formula that takes into account how long the customer typically stays and what games he or she plays, among other details.

Posted by chris at 10:25 AM | Comments (0)

November 12, 2004

DOD Invokes Geneva Conventions to Defend Bad SSN Practices

Hey, you remember that "quaint" document, the Geneva Conventions?

Well, in a letter (PDF) to the General Accounting Office, the Department of Defense has invoked one of the Conventions to defend its use of Social Security Numbers to enumerate members of the military!

So, I guess our administration has some use for the Conventions after all.

This really isn't funny. Military members are at particular risk of identity theft because they are frequently overseas, and not at home to receive the bills that arrive as a result of impostors using their credit. The ubiquity of the Social Security Number contributes to the incidence of the crime.

Posted by chris at 11:45 AM | Comments (0)

October 09, 2003

Captive Audiences and Advertising

A friend pointed me to PUC DC v. Pollak, a 1952 Supreme Court decision where the court rejected the First and Fifth Amendment claims of bus passengers who objected to the bus company playing music and advertisements on the intercom of the busses.

There are three rather interesting opinions--Justice Black concurred with the majority, and found that the bus passengers were not deprived of their First and Fifth Amendment rights by the music and ads. However, Justice Black argued that if the broadcasts contained news or other propaganda, forcing passengers to listen would violate the First Amendment.

Justice Frankfurter recused himself, apparently because he himself rode the bus, and was "a victim of the practice in controversy."

Justice Douglas wrote a very strong pro-privacy opinion, arguing that "If liberty is to flourish, government should never be allowed to force people to listen to any radio program..." The full text is in the extended entry below.

An excellent essay by Charles L. Black about this case was republished in Stay Free! Magazine a few years back.

Separate opinion of MR. JUSTICE BLACK.

I concur in the Court's holding that this record shows no violation of the Due Process Clause of the Fifth Amendment. I also agree that Capital Transit's musical programs have not violated the First Amendment. I am of the opinion, however, that subjecting Capital Transit's passengers to the broadcasting of news, public speeches, views, or propaganda of any kind and by any means would violate the First Amendment. To the extent, if any, that the Court holds the contrary, I dissent.

MR. JUSTICE FRANKFURTER.

The judicial process demands that a judge move within the framework of relevant legal rules and the covenanted modes of thought for ascertaining them. He must think dispassionately and submerge private feeling on every aspect of a case. There is a good deal of shallow talk that the judicial robe does not change the man within it. It does. The fact is that on the whole judges do lay aside private views in discharging their judicial functions. This is achieved through training, professional habits, self-discipline and that fortunate alchemy by which men are loyal to the obligation with which they are entrusted. But it is also true that reason cannot control the subconscious influence of feelings of which it is unaware. When there is ground for believing that such unconscious feelings may operate in the ultimate judgment, or may not unfairly lead others to believe they are operating, judges recuse themselves. They do not sit in judgment. They do this for a variety of reasons. The guiding consideration is that the administration of justice should reasonably appear to be disinterested as well as be so in fact.

This case for me presents such a situation. My feelings are so strongly engaged as a victim of the practice in controversy that I had better not participate in judicial judgment upon it. I am explicit as to the reason for my non-participation in this case because I have for some time been of the view that it is desirable to state why one takes himself out of a case.

MR. JUSTICE DOUGLAS, dissenting.

This is a case of first impression. There are no precedents to construe; no principles previously expounded to apply. We write on a clean slate.

The case comes down to the meaning of "liberty" as used in the Fifth Amendment. Liberty in the constitutional sense must mean more than freedom from unlawful governmental restraint; it must include privacy as well, if it is to be a repository of freedom. The right to be let alone is indeed the beginning of all freedom. Part of our claim to privacy is in the prohibition of the Fourth Amendment against unreasonable searches and seizures. It gives the guarantee that a man's home is his castle beyond invasion either by inquisitive or by officious people. A man loses that privacy of course when he goes upon the streets or enters public places. But even in his activities outside the home he has immunities from controls bearing on privacy. He may not be compelled against his will to attend a religious service; he may not be forced to make an affirmation or observe a ritual that violates his scruples; he may not be made to accept one religious, political, or philosophical creed as against another. Freedom of religion and freedom of speech guaranteed by the First Amendment give more than the privilege to worship, to write, to speak as one chooses; they give freedom not to do nor to act as the government chooses. The First Amendment in its respect for the conscience of the individual honors the sanctity of thought and belief. To think as one chooses, to believe what one wishes are important aspects of the constitutional right to be let alone.

If we remembered this lesson taught by the First Amendment, I do not believe we would construe "liberty" within the meaning of the Fifth Amendment as narrowly as the Court does. The present case involves a form of coercion to make people listen. The listeners are of course in a public place; they are on streetcars traveling to and from home. In one sense it can be said that those who ride the streetcars do so voluntarily. Yet in a practical sense they are forced to ride, since this mode of transportation is today essential for many thousands. Compulsion which comes from circumstances can be as real as compulsion which comes from a command.

The streetcar audience is a captive audience. It is there as a matter of necessity, not of choice. One who is in a public vehicle may not of course complain of the noise of the crowd and the babble of tongues. One who enters any public place sacrifices some of his privacy. My protest is against the invasion of his privacy over and beyond the risks of travel.

The government may use the radio (or television) on public vehicles for many purposes. Today it may use it for a cultural end. Tomorrow it may use it for political purposes. So far as the right of privacy is concerned the purpose makes no difference. The music selected by one bureaucrat may be as offensive to some as it is soothing to others. The news commentator chosen to report on the events of the day may give overtones to the news that please the bureau head but which rile the streetcar captive audience. The political philosophy which one radio speaker exudes may be thought by the official who makes up the streetcar programs to be best for the welfare of the people. But the man who listens to it on his way to work in the morning and on his way home at night may think it marks the destruction of the Republic.

One who tunes in on an offensive program at home can turn it off or tune in another station, as he wishes. One who hears disquieting or unpleasant programs in public places, such as restaurants, can get up and leave. But the man on the streetcar has no choice but to sit and listen, or perhaps to sit and to try not to listen.

When we force people to listen to another's ideas, we give the propagandist a powerful weapon. Today it is a business enterprise working out a radio program under the auspices of government. Tomorrow it may be a dominant political or religious group. Today the purpose is benign; there is no invidious cast to the programs. But the vice is inherent in the system. Once privacy is invaded, privacy is gone. Once a man is forced to submit to one type of radio program, he can be forced to submit to another. It may be but a short step from a cultural program to a political program.

If liberty is to flourish, government should never be allowed to force people to listen to any radio program. The right of privacy should include the right to pick and choose from competing entertainments, competing propaganda, competing political philosophies. If people are let alone in those choices, the right of privacy will pay dividends in character and integrity. The strength of our system is in the dignity, the resourcefulness, and the independence of our people. Our confidence is in their ability as individuals to make the wisest choice. That system cannot flourish if regimentation takes hold. The right of privacy, today violated, is a powerful deterrent to any one who would control men's minds.

Posted by chris at 02:24 PM | Comments (0)

October 08, 2003

Billboards An Invasion of Privacy

Some time ago, Stay Free! Magazine published an essay by 1960s ad-man Howard Gossage. In it, Gossage rejects aesthetic arguments against billboards, and instead argues that billboards are a coercive form of advertising that violates individuals' privacy. Check it:

"...there is a very real question whether it has title to its domain. Outdoor advertising is peddling a commodity it does not own and without the owner’s permission: your field of vision. Possibly you have never thought to consider your rights in the matter. Nations put the utmost importance on unintentional violations of their air space. The individual’s air space is intentionally violated by billboards every day of the year.

"But doesn’t everything visible violate one’s air space? Not at all. Visibility is not the only consideration. The Taj Mahal, street signs, the Golden Gate Bridge, a maze of telephone wires, even a garbage dump–however they may intrude on the eye–are not where they are merely to waylay your gaze; they have other functions as well. A billboard has no other function, it is there for the sole and express purpose of trespassing on your field of vision. Nor is it possible for you to escape; the billboard inflicts itself unbidden upon all but the blind or recluse. Is this not an invasion of privacy? I think it is, and I don’t see that the fact that a billboard is out-of-doors makes the slightest difference. Even if it were possible for you to not look at billboards if you didn’t so choose, why in the world should you have to make the negative effort? Moreover, this invasion of your privacy is compounded in its resale to a third party. It is as though a Peeping Tom, on finding a nice window, were to sell peeps at two bits a head.

"Thus we see that what the industry has to sell doesn’t really belong to it. It belongs to you...

Posted by chris at 11:25 AM | Comments (0)

October 06, 2003

Golden Key Sells Your Bits to Credit Card Companies

Why can't I stop these damn incessant unsolicited credit card offers from MBNA? It's because Golden Key National Honor Society has sold them my address, and uses address update tools to track me down every time I move!

Golden Key claims to be "a nonprofit academic honors organization"…organized "to recognize and encourage scholastic achievement and excellence in all undergraduate fields of study…" The group's main contribution to my life has been unsolicited offers of credit, which can bestow the miracle of instant credit, and her ugly sisters, who are hidden in the closet by the financial services industry: the miracle of instant bankruptcy, and the miracle of instant identity theft.

Golden Key's IRS Form 990 (which every 501(c)(3) organization is required to file) shows that the company is spending a whole hell of a lot of money in order to recognize scholastic achievement. 990s are sometimes tricky to read, but it looks as though they are spending a mere 700k on scholarships, while the top ranking employee pays himself 200k a year. $1.2 million is spent on ceremonies, and it is unclear whether any of that money becomes scholarships. The group spends almost $4 million a year promoting itself. If you ask me, a group should be able to give away more than $2 million in benefits annually if it has a budget that exceeds $10 million.

You can get Form 990s on almost any non-profit by visiting Guidestar.org.

Posted by chris at 10:20 PM | Comments (1)

September 28, 2003

TIA Killed, NIMD Lives On?

Secrecy News reports that although Congress has killed TIA and closed the Information Awareness Office, "Novel Intelligence from Massive Data" lives on:

[...]

"Indeed, one TIA-like program conducted under the auspices of U.S. intelligence is the "Novel Intelligence from Massive Data" (NIMD) initiative of the little-known Intelligence Community Advanced Research and Development Activity (ARDA).

"Pursued with a minimal public profile and lacking a polarizing figure like Adm. Poindexter to galvanize opposition, NIMD has proceeded quietly even as TIA imploded.

"The existence of NIMD was first noted last year by Jim McGee of CQ Homeland Security. More recently, on July 24, 2003 he wrote in CQ Homeland Security that NIMD was "roaring down a parallel research track to TIA." NIMD was also cited in a May 21, 2003 article in the New York Times.

"A summary description of the NIMD program is available on the ARDA web site here:

http://ic-arda.org/Novel_Intelligence/index.html

Posted by chris at 07:50 PM | Comments (0)

September 22, 2003

Search for Bank Affiliates

The National Information Center of the Federal Reserve has this neat search engine that allows you to search the organizational hierarchies of federal banks.

For an idea of how your personal information can be shared when you hold a Citibank credit card, check out the relationships that Citigroup Holdings has...

Posted by chris at 04:02 PM | Comments (0)

September 20, 2003

NY to Account for "Stop and Frisks"

A settlement in a New York class action lawsuit will formally require police to report on "stop and frisks." The stop and frisk is a limited search, first approved by the Supreme Court in Terry v. Ohio. That case involved a police officer who, for very good reasons, thought that suspects he observed were carrying weapons, so he searched the subjects before actually arresting them. Thus, the so-called "Terry" stop was born to protect police from suspects who could be armed. It was supposed to be limited to a search of the outside of clothing for concealed weapons when the police officer possessed a "particularized suspicion" that the suspect was armed or dangerous. Since then, the Terry stop and frisk is used by many police to simply harass the public—especially the minority public. As plaintiff Khalil Shkymba explains in a Washington Post article, "No officer would think of pulling a gun and telling an innocent man to pull down his pants on 60th and Lexington."

The civil liberties implications of the justifiable Terry decision come into full focus when one considers how it has been combined with other exceptions to the Fourth Amendment. For instance, under the "plain feel" doctrine, a police officer can reach into the pockets or clothes of a suspect during a Terry stop if the officer can feel the outline of a weapon or contraband concealed in clothes. In practice, this doctrine can give police justification to make a more invasive search if anything at all is within the suspect's pockets. Batteries and camera film feel like containers for crack, pens and markers feel like crack pipes, anything soft feels like marijuana, etc.

Posted by chris at 11:25 AM | Comments (0)

September 18, 2003

Clark's Ties to Military Contractors

General Clark's ties to Acxiom are again covered in today's Wall Street Journal:

"After the Sept. 11, 2001, terrorist attacks, Gen. Clark counseled clients on how to pitch commercial technologies to the government for homeland-security applications. One is Acxiom Corp., based in Gen. Clark's hometown of Little Rock, Ark., where he formally launched his campaign Wednesday. He joined the board of the Nasdaq-traded company in December 2001, as the company started to market its customer-database software to federal agencies eager to hunt for terrorists by scanning and coordinating the vast cyberspace trove of citizen information.

"He has made efforts at putting us in contact with the right people in Washington ... setting up meetings and participating in some himself," says Acxiom Chief Executive Charles Morgan. "Like all of us around 9/11, he had a lot of patriotic fervor about how we can save our country."

Posted by chris at 07:32 AM | Comments (0)

September 10, 2003

CCIA: DHS Shouldn't Rely Upon M$

The Computer & Communications Industry Association has told Secretary Ridge not to use M$ exclusively.

from: http://www.ccianet.org/letters/dhs_030827.pdf

August 27, 2003
The Honorable Tom Ridge
Secretary
U.S. Department of Homeland Security
Washington, D.C. 20528

Dear Secretary Ridge:

In light of last week’s events revealing additional serious flaws in
the Windows software bundle, I am writing concerning the Department
of Homeland Security’s choice of Microsoft as the preferred supplier
of desktop and server software for its computing needs. I strongly
urge you to reconsider this decision.

The Computer & Communications Industry Association (CCIA) is an
association of computer, communications, Internet and technology
companies that range from small entrepreneurial firms to some of the
largest members of the industry. CCIA was founded over 30 years ago
and our members include equipment manufacturers, software
developers, providers of electronic commerce, networking,
telecommunications and online services, resellers, systems
integrators, and third-party vendors. Our member companies employ
nearly one million people and generate annual revenues exceeding
$200 billion. Although we have always supported open, industry-wide
fair and efficient procurement policies, we do not represent
companies in the bidding and procurement process.

CCIA also has a long history of advocacy and expertise in the area
of cybersecurity. We recently pointed out in submissions sent to the
Administration and the Congress the importance of security testing,
the dangers of relying on single suppliers for information
technology, the inherent risks associated with homogenous systems,
and the need for “biodiversity” among software components and
applications.

We believe that for software to be truly secure it must be well
written from the outset with security considerations given a high
priority. Unfortunately, there is ample evidence that for many years
economic, marketing, and even anticompetitive goals were far more
important considerations than security for Microsoft’s software
developers, and these broader objectives were often achieved at the
cost of adequate security. Also, from a security standpoint, the
lack of diversity within a networked system amplifies the risk
emanating from any vulnerabilities that do exist. But diversity is
difficult without interoperability, and the benefits of
interoperating with more robust systems can be blocked if any
dominant player does not cooperate in fostering interoperability.
Unfortunately, numerous courts and government enforcement bodies,
including the United States Department of Justice, have formally
found that Microsoft has used technical barriers to inhibit
interoperability with, and competition from, other software
platforms and applications.

We are currently engaged in extensive security research in this area
and our preliminary findings indicate the severity of the security
problems relating to some Microsoft software is substantial. The
news from the last few weeks demonstrates that this problem is not
just theoretical, but real and immediate and one that imperils
homeland security.

In just the last two weeks, Microsoft products have been attacked by
a virus and worm -- Sobig.F and Blaster -- but these are only the
most recent examples of major security failure created by
vulnerabilities in Microsoft’s dominant software portfolio. The
damage caused by these attacks is significant and has caused
millions of dollars of harm to our economy, but security experts
agree the damage could easily have been much worse. According to the
Washington Post, Blaster and its associated counter-measures were
responsible for the temporary closure of Maryland’s Department of
Motor Vehicles offices, failure of the passenger check-in system at
Air Canada, an intrusion on the Navy-Marine intranet, and
cancellations and suspensions of service on the CSX railroad. Of
even greater concern are recent reports of an April e-mail to the
Nuclear Regulatory Commission from FirstEnergy detailing how a
previous worm directed at Microsoft servers, Slammer, disabled a
safety monitoring system at an offline nuclear power plant for close
to five hours. Fortunately, the plant was not operational during the
failure, there was no safety hazard, but this incident could have
just as easily occurred with an online plant. All of these failures
are unfortunately predictable and we can expect to continue to see
similar problems in the future.

In short, we have seen these most recent worms and viruses directed
at Microsoft slow down, delay, and disable systems handling critical
transportation, military and energy functions. Though certainly the
creator of these malicious attacks must bear the brunt of blame,
Microsoft is also largely responsible for continuing to create
software riddled with obvious and easily exploited vulnerabilities.
This problem is compounded when new or separate products and
functionalities are intricately bundled, sometimes illegally, into
Windows. As the Washington Post editorialized:

[T]he main cause of virus prevalence, say computer experts, is
poorly designed software. The Blaster worm was created to take
advantage of a vulnerability in Microsoft’s operating system,
particularly targeting Windows XP, Windows 2000, Windows NT, and
Windows Server 2003. Such vulnerabilities exist because software is
distributed without appropriate amounts of testing and because
software vendors increasingly create new functionalities that invite
infection[.]

Because of these recent developments, historical experience, and the
inherent risks associated with lack of diversity, we ask that you
reconsider your heavy reliance upon a single, flawed software
platform to protect our national security. The latest round of worms
has shown in dramatic fashion the economic damage and danger to our
safety that can occur because of reliance on a single vendor who has
failed to demonstrate a core commitment to security. Our hope is
that you fully consider these critical concerns when implementing
security and information technology in the Department.

Sincerely,
Ed Black
President & CEO

Posted by chris at 07:10 PM

September 08, 2003

Clark for Acxiom Pt. II

Saw Wesley Clark on Real Time, where he seemed to make sense.

I've said it before, but will say it again here: Clark was a registered lobbyist for Acxiom corporation in 2002 and 2003. Here are the forms, via the Senate Public Records Web Site.

Acxiom is a company that focuses on data integration, and one of the chief special interests behind CAPPS II. They also specialize in helping direct marketers annoy you more effectively.

A good question for Clark is whether he'd wear the Suspected Terrorist Pin.

Posted by chris at 09:58 PM

September 05, 2003

IE, AOL Track Misspelled Site Traffic

Another reason not to use M$' IE or AOL.

An excellent alternative browser is Mozilla.

Posted by chris at 09:32 AM

September 02, 2003

Ashcroft Terror Tour

I formally apologize for not creating the Ashcroft Terror Tour T-shirt in time. Mark Fiore beat me to it. Here was my draft design for the back of the shirt.

Posted by chris at 08:17 PM

August 31, 2003

Clark for Acxiom

Before you get all excited over Clark for President, remember that he lobbied for Acxiom, a company that is bringing big brother to transportation.

Posted by chris at 01:17 AM

August 30, 2003

Junkbuster Proxy

Privoxy is an excellent tool to protect your computer from obnoxious Internet advertising, popups, animated gifs, and other annoyances. It's very flexible and free.

Posted by chris at 11:35 PM

August 19, 2003

M$ Forced Updates?

This is a real risk to the freedom and security and general functioning of your computer.

Posted by chris at 11:25 AM

August 17, 2003

Privacy One-Pager

I finally got around to writing a short intro to information privacy. I formally apologize that it is in pdf. Comments are welcome.

A One-Page Introduction to Information Privacy
Chris Jay Hoofnagle August 2003

What is Privacy?

Privacy is difficult to define, even for strong advocates of the right. I like Robert Ellis Smith's definition from his book, Ben Franklin's Web Site: Privacy is "the desire by each of us for physical space where we can be free of interruption, intrusion, embarrassment, or accountability and the attempt to control the time and manner of disclosures of personal information about ourselves." Privacy can encompass the desire for physical autonomy from interference; control over personal information; and mental autonomy, including the freedom to consider and take decisions, and the freedom from information.

Privacy is not merely "secrecy" or something that is "non-public." In fact, individuals have expectations of privacy in information that has been disclosed or learned by others. For instance, one may tell their doctor and financial institution about medical and monetary conditions, but doing so does not make the information public, or less private.

Fair Information Practices

Privacy advocates attempt to address privacy problems through Fair Information Practices (FIPs), rules that assign rights and responsibilities to data subjects and collectors. There are eight FIPs under 1980 guidelines developed by the Organization for Economic Cooperation and Development (OECD):

· Collection Limitation Principle: Entities should minimize the collection of data to what is necessary to administer a transaction; they should obtain data lawfully, with consent of the data subject.
· Data Quality Principle: Personal data should be accurate and complete.
· Purpose Specification Principle: Individuals should be informed of the purposes for which personal data are collected.
· Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle.
· Security Safeguards Principle: Personal data should be protected by reasonable security safeguards.
· Openness Principle: Individuals should have notice of developments, practices and policies with respect to personal data. There should be no secret databases.
· Individual Participation Principle: Individuals should have access to their personal information, and the ability to have data erased, rectified, completed or amended.
· Accountability Principle: Data collectors should be accountable for complying with the above practices.

Looking Forward

Because of regulatory developments, I think the big privacy battle of the next ten years will focus on affiliate sharing. Under current law, companies can exploit personal information amongst affiliates with no limitations. Since we now have huge financial service companies, their ability to affiliate share presents new risk of fraud, information security, and invasions of privacy.

In the law enforcement context, government access to personal information in the hands of commercial entities will continue to be a challenge. Commercial entities warded off privacy regulation in the 1990s by claiming that they were not interested in providing information to the government. Now that they have reneged on this representation, the battle in the next decade will focus on whether private entities should have extra responsibilities on their data collection practices to protect individuals against law enforcement.

For More Information See

· Electronic Privacy Information Center: http://www.epic.org/
· Robert Ellis Smith: http://www.privacyjournal.net/
· Daniel Solove: http://law.shu.edu/faculty/fulltime_faculty/soloveda/solove.html
· Roger Clarke: http://www.anu.edu.au/people/Roger.Clarke/DV/

Posted by chris at 05:00 PM | Comments (0)

Academic PR: Hoofnagle Responds to AEI-Brookings

I've decided to start posting the correspondence I have with various people who produce either bad intentioned or aimless research on privacy. I've been writing to professors (mainly economists) for some time to debunk some of the claims in their research. Generally, I have a low opinion of economics. It is, after all, a social science. It relies upon assumptions that are often falsifiable. But, it's been elevated to the status of a religion in the US. In the extension below, I have the first salvo on a recent AEI-Brookings study performed by Professors Jamal, Maier, and Sunder. It concludes that the US system of privacy protection is superior to the UK's because US companies have privacy notices. In detail below, I explain why this is crap.

Reply-To: hoofnagle@epic.org
From: "hoofnagle@epic.org"
To: karim.jamal@ualberta.ca, michael-maier@uiowa.edu, shyam.sunder@yale.edu
Subject: Privacy Study / Comment
Date: Sun, 17 Aug 2003 13:06:04 -0400

Greetings Professors Jamal, Maier, and Sunder,

I recently had the opportunity to read your paper (Enforced Standards
Versus Evolution by General Acceptance), and wanted to provide some
constructive criticism. I am Chris Hoofnagle of the Electronic Privacy
Information Center.

I think that your paper relies upon some false assumptions. In
reconsidering these assumptions, you may decide to change some of the
conclusions of the paper, or adjust research methods.

First, the US does not have privacy norms that have "evolved by general
acceptance." In fact, we have a common law of privacy that is constantly
expanding as a result of a series of Federal Trade Commission complaints.
As a result of cases dating back to In Re Geocities, the US has enforced
norms that include a prohibition on materially false or deceptive claims in
privacy policies, a prohibition on omitting material uses of personal
information on the privacy policy, making false security claims, etc.
There are also some specific privacy bans that have developed as a result
of AG enforcement, such as the problem of "pre-acquired account"
telemarketing. That practice is now highly regulated as a result of fraud.
We also have the COPPA.

Second, more fundamentally, there are serious problems in the assumption
that notice is a fair information practice that promotes privacy. Notice,
specifically, is not a fair information practice. If you visit the 1980 EU
Guidelines (which you incorrectly claim has only 5, rather than 8 fair
information practices--you have cited "FIPs Lite," the FTC guidelines),
you'll see that notice derives from the "openness" principle. That
principle stands for the premise that there should be no secret databases.
It is in fact derived from American studies (the 1973 HEW report and the
Privacy Act of 1974, which requires all agencies to disclose the presence
of all databases, even if classified).

In the US, and especially in the context of 4th Amendment rights, notice is
used to *eliminate privacy.* So, when you visit an airport, the sign says
"we may search your personal belongings." This is an attempt to relieve
individuals of expectations of privacy so that they do not have a 4th
Amendment claim against those who search them.

In the context of commercial privacy policies, you'll see that one may have
more privacy without them. Your study assumes that presence of a notice is
a good thing, where in reality the notice just serves as a disclaimer.
Take for instance, the privacy policy of ticketmaster.com, which does not
allow individuals to opt-out of anything. Saying that a privacy policy
protects privacy is just like saying that a food with a nutrition
disclosure is nutritious.

As far as fair information practices go, the OECD's first, collection
limitation, is far more important than any other practice. Many of the
privacy problems we experience would be eliminated if collection were
limited to what is necessary to administer a transaction, with the consent
and knowledge of the data subject.

So, your study highlights the least important aspect of privacy, while more
or less glossing over a much more important issue—use of 3rd party cookies.
The study could have just as easily concluded that websites in the UK are
better because they are less likely to use 3rd party cookies, and when they
do employ them, they are more likely to give notice of the fact.

Third, it is a generally accepted fact that so called "web seals" are
pointless. Truste is a joke. It's been known for some time that the group
has been captured, and even if it were not, business will always private
enforcement actions (ADR) rather than a public one that is more
accountable. Robert Gellman's work in this field is necessary for an
understanding of web seal weaknesses.

Much valuable research could be done in this field. I would suggest, if
you are interested in doing more privacy work, to address the issue of
*actual* privacy practices, especially in the arena of cross-selling and
CRM within the big banks. The banks are very secretive about these
practices. I suspect that they are objectionable practices. Additionally,
the problem of customer exclusion has not received enough attention. But,
it is clearly a new trend in this field—that is, excluding customers
because they are too troublesome, or because they aren't profitable to the
company.

I hope this is helpful, and please contact me with any concerns or
questions.

Regards,
Chris Hoofnagle

Posted by chris at 01:12 PM

April 15, 2003

The Keynote of the Hour is Vigilance

Appearing in the Tally Ho: Security of the Community. I'll be seeing you.

Appearing in the Tally Ho...

Security of the Community

The new No. 2 has issued a call for increased vigilance at all times. The
security of the community must be protected.
"We must constantly be on guard against enemies in our mind," he declared,
giving a stern warning against political subversion.
"The keynote of the hour is vigilance" said No. 2. "We do not necessarily
know where our enemies are, or who they might be. Therefore it is the duty
of all of us to be on constant look out against traitors who, behind our
back, seek to undermine and destroy us."
No. 2 warned that no mercy would be shown to those who, against the
interests of the community, sabotage "our great achievements."
"Let those who think they can strike when our guard is down take heed," said
No. 2. "We are never asleep. We will never relax our guard. We know there
are those who believe they can get away with their plots and conspiracies.
They will learn a sharp lesson."
"Not only the conspirators, but those who look the other way and do not
report their suspicions will be treated as traitors," said No. 2.
"It is the duty of each one of us to fight this menace and those who know
more than they tell are high on the list of guilty ones. No mercy will be
shown to anyone who shirks his duty to report his neighbor's secrets.
Vigilance is not only requested, it is ordered. Be vigilant day and night.
Let us root out the conspirators. Security is the keyword of the moment.
Security is the responsibility of all of us. Security is our duty. Be
vigilant or the consequences will be severe. No other warning will be given."

Posted by chris at 03:41 PM

January 14, 2002

Telemarketers Beware

Telemarketers! Do you dare call my phone? This is what will happen to you.

Posted by chris at 10:48 AM

December 03, 2001

Hoofnagle Contra M$

Hoofnagle Contra M$.

Posted by chris at 10:37 AM

This weblog is licensed under a Creative Commons License.