Protecting Identity

[Sharing Lights]

Page 6
the end of April 2003. I was given no notice of the termination nor was there a severance offered. I simply had the rug pulled from underneath me. At present I find myself unemployed for the first time since I was 14 years old, being treated for what now has become depression, in the worst job market in 9 years, and stilling dealing with the same situation that got me here in the first place. Sadly, even as I look back over the last twenty months and re-trace my steps, I can’t identify a single thing I could have done differently that may have prevented the situation I’m currently in. RECOMMENDATIONS: I have two suggestions I feel would greatly impact the number of identity theft victims. First: I believe we need to focus on those sections of the consumer reports titled Personal Identification Information. Currently, if I need to order a copy of my report, I have to accurately provide my name, SSN, address, DOB and sometimes several account numbers from my credit report. If I don’t provide the correct information; I am not allowed to have my credit report. Creditors however are not held to this same standard. Merely by providing a SSN, they can access the consumer’s credit score and/or credit report. Additionally, it is the creditors that control what is reported in the personal information section; not the consumer. I found seventeen different addresses on my various credit reports that were used by my imposter. Six different phone numbers. Even my date of birth was changed on my credit reports as a result of information provided by the creditors that allowed these fraudulent accounts to be opened. I believe the consumer is the best source for personal and identifying information; not creditors. We should identify essential elements of personal information such as name, SSN, current address, phone number, sex, current employer and DOB. A creditor making an inquiry in regards to an application should have to correctly provide key and essential identifying information in order to complete the inquiry; not just a SSN. If incorrect data is provided, the creditor should be returned a message from the credit bureau that the customer can’t be identified and the inquiry can not be completed. Had this system been in place when my identity was stolen, not a single account could have been opened in my name. 6
--------------------------------------------------------------------------------
Page 7
7Secondly, I believe a system should be put in place to annually evaluate the credit bureaus. While I’m not expert enough on the credit bureaus to identify all criteria for such an evaluation, I am certain that credit report accuracy should be one of them. I don’t want to make unfounded accusations, but it is my belief through common sense that credit bureaus do not lose money as a result of identity theft, they make money. Over a hundred inquiries have been made to my credit reports as a result of fraudulent accounts. These are inquiries the repositories are paid for that would not otherwise have been made. Additionally, with the public becoming more informed about the seriousness and growth of identity theft, I’m certain that sales of credit monitoring systems are doing quite well also. Monetarily speaking, there is not much incentive for the repositories to be aggressive about preventing identity theft or correcting inaccurate reports resulting from identity theft. An evaluation system would provide that incentive. Accurate reports are as important to the creditors that use them as they are to the consumers they belong too. A repository that was not doing an adequate job would be penalized through fair competition and my feeling is those penalties would invoke positive changes in order to stay competitive. The burden of prevention and correction has been placed squarely on the consumers’ shoulders and yet we have very little control over either. We can’t prevent our identities from being bought and sold both legally and illegally by the thousands. We can’t prevent the sales manager who is excited by a high FICO score from opening an account in our name without verifying the identity. Once the mistakes have been made and the fraudulent accounts opened, the consumer victim is caught between the credit bureaus and creditors. It is a life changing experience. Again, I want to thank you for your time and this opportunity to share my story with your committee. I hope in so way by sharing my experiences here today, we can bring about the needed changes in combating the crime of identity theft.

[weishaupt1776]

Ahhh, so sharing lights has used a simple thing like me posting a link to his/her copy/pasted article as a springboard to vent on my past actions regarding meandering musings that went on for some 30 forum board pages or so.

I can see clearly now, the thread is gone

[Sharing Lights]

Quote:

Originally Posted by weishaupt1776

Ahhh, so sharing lights has used a simple thing like me posting a link to his/her copy/pasted article as a springboard to vent on my past actions regarding meandering musings that went on for some 30 forum board pages or so.

I can see clearly now, the thread is gone

Your thinking is of a typical lawyer brainwashed by a law school.

The fact remains that from post 9 to 11, I already went to a different subject and
reposted for readers an article on identity theft that reached the Authorities
on the high level.

You manipulated readers' trust and stated that "the Thread is gone" even after
I posted what did.


Undiputable Proof:

Quote:

I can see clearly now, the thread is gone

What can many conclude then overburdened by such evidence?

I question your "clear" vision.

Instead of "20 - 20" it may appear to many as ( - 20.)

Evasive, manipulating, a typical lawyer, many may add after comparing your
version of events with the reality.

I am relentless when people lie and/or manipulate cheaply.

The more they do so, the more I help them to look at the mirror.



I am not of your kin and proceed straight forward.


I was neither planing nor doing anything except reflecting what your post provoked.
That is the plain Truth.


So blame yourself not me, as your deal over a link vs. only two, small posts
on the same page did not seem logical at all.


When I rebut, I proceed by evidence and arguments based on history
and common sense only.

I produced the evidence or I had to hide it?

Just does not make sense.

In contrast to you, I faced you openly and fairly.

You blocked me behind my back and not in
manly fashion.

What is so manly about what you did?

No better or more chivalry than pissing from a skyscraper
on pedestrians below.

That is a safety ratio comparison between a moderator and an average member.

Not so?



In my opinion you are fighting a losing cause but
more than welcomed to find out for a fact if still doubt.


I am direct and precise - and need no spring boards
mr. lawyer-moderator.

That stand is for all you ever blocked or banned prematurely if ever did so.

[Sharing Lights]

By the way, mr. lawyer,
(if you are not lawyer, I apologize, but you act as one when your ego is wounded.)

Otherwise, you have contributed many, many valuable Posts on the Forum
and made much positive impact.

All can see that.


I address not your character, so much, but your, wrongful and unfair acts.

All have such Right when wrong is being defended by others instead of correcting errors.

On the long run, I may do more service to you, by sharing the other side,
so that you may not repeat the same errors, as you are not immune from them.

Or are you?

Quote:

How would you feel, yourself, if some one stole your access to your, own writing
by blocking, when such had been posted or
portrayed you as an an incompetent amateur, when
you posted two small posts and the "weiss or wise" guy
schools you publicly that a link is needed there
when it, obviously, does not add to clarity but rather takes away in that context?

By the way, 4,727 Posts from May 19, 2006 till now is not less contribution to Sovereignty,
by merit and dimension combined, than by other members, some may add.

Our Debt Collection research is by far the most extensive on the Web as of today
even in "Shining Spotlight on Racket of Debt Collection" alone - not to mention others.

Show me one of more depth from all the angles?
One?

Quote:

Budd Hibbs is portrayed as the No 1 Authority on the Web on debt collections.
http://www.budhibbs.com/

However, our Forum, has by mountain and abyss more height and depth, respectively,
by substance to the point that we are not even in the same league.

Quote:

I respect Budd's work but his advice, for example, to demand "seizing all communications"

is a sign of knowing superficial laws only, while we grind the depth of the Real Laws

that equip us to defend and counter-attack -not merely show blind, amateur "gas release,"

venting "frustrations" in incompetence.


http://www.budhibbs.com/cease_comm.htm

Budd does not share with Consumers how to survive the mutant's onslaught when
they drag the Consumers to courts or how to prevent that.

Many Consumers are worse off after following his "advice" than before they read it.

Only links to some lawyers are provided.
Not much for the alleged No 1 Website on dc.

So much for self-reliance and learning or so little.


We know that "seize all communications" is an invitation for a law suit by mutants.

So, what's good about that advice by that "no 1" authority?

I state again and with respect and gratitude
that not only I did my, own research
on the, truly, largest and deepest thread on Debt Collection
but have relied on the research of numerous members
right here, at our home, including yours.

Had some members been banned even earlier or treated as infants by moderators who
block their writings, many of them would have stopped contributing and, even,
would have deleted their valuable research out of frustration
of being ridiculed without a fair opportunity to answer.

Get past your ego - look at the substance of my message and reality
would shine in the face.


You and other moderators may not see it that way but who are you to tell
any of us how we feel or vice versa?

I have seen members deleting all they could in ref to what they have contributed.

Fun to some and quite sad to many of us - the progressive members.

Of course "deleting own stuff" shows that those members are not truly sincere,
as sincerity commands allowing others to benefit
even when the personal ego is wounded justly or unjustly.

But why provoke that?
Why?

Why ban prematurely when the baned ones come back with spite and cause much more destructing via courtesy of modern softwares allowing to randomly change PC's IP. (address of a computer on-line, which allows to trace the location.)


You can't trace them unless purchase expensive and very sophisticated programs.

Take my word for it.

I guarantee you that most of the banned users, particularly, those of the law background are, still, here.

I can pinpoint some by their style regardless of their name as they can't fool me.

But, I would rather battle them openly and show all their wrong than have them banned.


Banning should be used, yes, but with caution and as the last resort,
as most unethically acting members would understand a fair, equal combat
regardless how they b.... out-loud.


Those few who are close to evil - that is a different story.

I believe many banned users are not that evil but more selfish and rude.

Expose them or let them expose themselves as I "help" them for example.

We should be fair to all and allow them to defend themselves.

No one forces any one to read any post.
That solves about 80% of all problems.


In ref to deleting posts:

Do whatever want to me, I would not destroy my research,
as still want others to benefit.

But I am equipped with the Esoteric teachings and never forget that.

Do you have confidence that others had the same opportunity?

Usurped, unilateral, locking of any Thread is not worthy of Sui Juris spirit.

I am a patriot of Sui Juris - not of the Patriot Act!

So are many of us here.

I am not any better than them.

I only have the ability to stand up to injustice and be able to expose it
for all to see but by fair engagement only.
No dirty tricks!


That is why others read me - not because they are forced.



As for seeing your errors or living in denial is your, free choice,
not any less than mine to expose it when circumstances and
defense of Truth command such acts.


Judge yourself objectively.

"Ahhh, so sharing lights has used a simple thing like me posting a link to his/her copy/pasted article.."

Quote:

Part I:

Pathetic reference and typical lawyer like move.
Sorry but that is true.

I can even prove your pattern, as wrong always hunts the one who committed it.

Doubts?

Quote:

Error or pattern?


Didn't I answer then?

Quote:

Part II:

"copy/paste."

Silly argument.

Did you expect me to claim that I wrote that article when didn't?

Of course, I copied and pasted it here and openly shared so with all.

The indisputable proof is below once again.
You are making a fool of yourself more and more by such arguments.


The indisputable evidence:

Quote:

Quote:

Part III:

I am a man and act as one and do not block as coward behind people's back
because my ego can't take some one else's ability to defend better and outperform
in a battle of debate.


I am happy when others do better and wish them
to succeed even more.


When you write "her" - pull out two mirrors from your closet - just in case...

...........

[Sharing Lights]

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00495:


http://thomas.loc.gov/cgi-bin/bdquer...:@@@L&summ2=m&

Quote:

The Library of Congress > THOMAS Home > Bills, Resolutions >

S.495



Title: A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
Sponsor: Sen Leahy, Patrick J. [VT] (introduced 2/6/2007) Cosponsors (6)
Latest Major Action: 5/23/2007 Placed on Senate Legislative Calendar under General Orders. Calendar No. 168.
Senate Reports: 110-70
--------------------------------------------------------------------------------

Jump to: Summary, Major Actions, All Actions, Titles, Cosponsors, Committees, Related Bill Details, Amendments

--------------------------------------------------------------------------------
SUMMARY AS OF:
5/23/2007--Reported to Senate amended. (There is 1 other summary)

Personal Data Privacy and Security Act of 2007 - Title I: Enhancing Punishment For Identity Theft And Other Violations Of Data Privacy and Security - (Sec. 101) Amends the federal criminal code to add intentionally accessing a computer without authorization to the definition of racketeering activity.

(Sec. 102) Imposes a fine and/or prison term of up to five years for intentionally and willfully concealing a security breach involving sensitive personally identifiable information that causes economic damage to one or more persons. Defines "sensitive personally identifiable information" to include an individual's name in combination with his or her social security number, home address, date of birth, biometrics data, or financial account information.

(Sec. 103) Directs the U.S. Sentencing Commission to review and amend, if appropriate, federal sentencing guidelines for persons convicted of using fraud to access, or to misuse, digitized or electronic personally identifiable information, including sentencing guidelines for identity theft.

(Sec. 104) Amends the federal bankruptcy code to prohibit the dismissal or conversion of a bankruptcy case based upon a debtor's failure to meet means testing eligibility requirements if such debtor is a victim of identity theft.

Title II: Data Brokers - (Sec. 201) Requires interstate data brokers (defined as business entities which, for monetary fees or dues, regularly engage in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals to nonaffiliated third parties on an interstate basis) to: (1) disclose to a requesting individual all personal electronic records pertaining to such individual in their databases or systems at the time of such request; (2) provide guidance to such individuals for correcting inaccuracies in their records; (3) provide written or electronic notice of any adverse action taken against an individual by a third party based upon information in their databases; and (4) correct any inaccurate information in their databases.

(Sec. 202) Imposes civil penalties on data brokers who violate the requirements of this title. Grants the Federal Trade Commission (FTC) enforcement authority over data brokers. Allows state attorneys general to pursue civil remedies against data brokers who are deemed to pose a threat to state residents.

(Sec. 203) Preempts state regulation of data brokers.

(Sec. 204) Makes the provisions of this title effective 180 days after enactment of this Act.

Title III: Privacy And Security Of Personally Identifiable Information - Subtitle A: A Data Privacy and Security Program - (Sec. 301) Imposes requirements for a personal data privacy and security program on business entities that maintain sensitive personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Exempts certain financial institutions, covered entities under the Health Insurance Portability and Accountability Act (HIPAA), and public records from such requirements.

(Sec. 302) Requires a business entity that is subject to data privacy and security requirements to: (1) implement a comprehensive personal data privacy and security program to ensure the privacy, security, and confidentiality of sensitive personally identifying information and to protect against breaches of and unauthorized access to such information; (2) conduct risk assessments of potential security breaches; (3) adopt risk management and control policies and procedures; (4) ensure employee training and supervision for implementation of data security programs; and (5) undertake vulnerability testing and monitoring of personal data privacy and security programs.

(Sec. 303) Imposes civil penalties on business entities that violate the data privacy and security requirements of this subtitle. Grants enforcement authority for such requirements to the FTC.

(Sec. 304) Preempts state laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.

Subtitle B: Security Breach Notification - (Sec. 311) Requires any agency or business entity with sensitive personally identifiable information to notify without unreasonable delay any U.S. resident of a security breach in which such resident's information has been, or is reasonably believed to have been, accessed or acquired.

(Sec. 312) Exempts agencies or business entities from security breach notification requirements if they provide written certification to the Secret Service that providing such notification would impede a criminal investigation or damage national security. Requires the Secret Service to evaluate the merits of such certifications.

(Sec. 313) Requires an agency or business entity to give notice of a security breach to any affected individuals: (1) by written notice to their last known home mailing address, by telephone, or by email (if email notification was consented to); and (2) to major media outlets if the number of residents in a state affected by a security breach exceeds 5,000.

[Sharing Lights]

Quote:

(Sec. 314) Requires the notification to individuals whose sensitive personally identifiable information has been accessed to include: (1) a description of the categories of information an unauthorized individual has acquired; and (2) toll-free numbers for contacting the agency or business entity whose databases have been breached and major credit reporting agencies.

(Sec. 315) Requires any business entity or agency that is required to provide notification to more than 5,000 individuals of a security breach to notify all consumer reporting agencies.

(Sec. 316) Requires any business entity or agency to notify the Secret Service of security breaches of sensitive personally identifying information within 14 days of any data security breach that involves: (1) more than 10,000 individuals; (2) a database that contains information about more than one million individuals nationwide; (3) a federal government database; or (4) individuals known to be government employees or contractors involved in national security or law enforcement. Requires the Secret Service to notify the Federal Bureau of Investigation (FBI), the U.S. Postal Service, and the attorney general of each affected state of a security breach within 14 days of receiving notice of any breach.

(Sec. 317) Authorizes the Attorney General to bring a civil action, including an injunction, in a U.S. district court for violations of security breach notification requirements.

(Sec. 318) Allows state attorneys general to bring a civil action in a U.S. district court to enforce security breach notification requirements. Authorizes the Attorney General to stay, or intervene in, any state action.

(Sec. 319) Declares that the provisions of this subtitle shall supersede any other provision of federal or state law relating to notification by an interstate business entity or agency of a security breach.

(Sec. 320) Authorizes appropriations to the Secret Service to carry out investigations and risk assessments of security breaches.

(Sec. 321) Requires the Secret Service to report to Congress on security breaches resulting from risk assessment exemptions.

(Sec. 322) Makes the provisions of this subtitle effective 90 days after enactment of this Act.

Subtitle C: Office of Federal Identity Protection - Establishes in the FTC an Office of Federal Identity Protection to assist victims of identity theft. Authorizes appropriations for such Office for FY2008-FY2012.

Title IV: Government Access To And Use Of Commercial Data - (Sec. 401) Requires the Administrator of the General Services Administration (GSA), in awarding contracts totaling more than $500,000 to data brokers, to evaluate their data privacy and security programs, their compliance, the extent to which their databases and systems have been compromised by security breaches, and their responses to such breaches. Provides a compliance safe harbor for data brokers and penalties against data brokers for noncompliance with security breach notification requirements.

(Sec. 402) Requires federal agencies to audit and evaluate the information security practices of government contractors and third parties that support the information technology systems of such agencies.

(Sec. 403) Amends the E-Government Act of 2002 to require federal agencies that purchase or subscribe to personally identifiable information from a commercial entity to conduct privacy impact assessments on the use of those services.

Requires the Comptroller General to conduct a study and audit and prepare a report for submission to Congress on federal agency adherence to privacy principles in using data brokers or commercial databases containing personally identifiable information.

(Sec. 404) Requires the Department of Justice to designate a department-wide Chief Privacy Officer. Sets forth the duties and responsibilities of such Officer.


--------------------------------------------------------------------------------
MAJOR ACTIONS:
2/6/2007 Introduced in Senate
5/23/2007 Committee on the Judiciary. Reported by Senator Leahy with amendments. With written report No. 110-70. Additional views filed.
5/23/2007 Placed on Senate Legislative Calendar under General Orders. Calendar No. 168.



--------------------------------------------------------------------------------
ALL ACTIONS:
2/6/2007:
Sponsor introductory remarks on measure. (CR S1628-1629)
2/6/2007:
Read twice and referred to the Committee on the Judiciary. (text of measure as introduced: CR S1629-1635)
5/3/2007:
Committee on the Judiciary. Ordered to be reported with amendments favorably.
5/23/2007:
Committee on the Judiciary. Reported by Senator Leahy with amendments. With written report No. 110-70. Additional views filed.
5/23/2007:
Placed on Senate Legislative Calendar under General Orders. Calendar No. 168.

--------------------------------------------------------------------------------
TITLE(S): (italics indicate a title for a portion of a bill)

POPULAR TITLE(S):
Identity Theft bill (identified by CRS)

SHORT TITLE(S) AS INTRODUCED:
Personal Data Privacy and Security Act of 2007

SHORT TITLE(S) AS REPORTED TO SENATE:
Personal Data Privacy and Security Act of 2007

OFFICIAL TITLE AS INTRODUCED:
A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

--------------------------------------------------------------------------------
COSPONSORS(6), ALPHABETICAL [followed by Cosponsors withdrawn]: (Sort: by date)
Sen Brown, Sherrod [OH] - 2/26/2007 Sen Cardin, Benjamin L. [MD] - 5/3/2007
Sen Feingold, Russell D. [WI] - 2/6/2007 Sen Sanders, Bernard [VT] - 2/6/2007
Sen Schumer, Charles E. [NY] - 2/6/2007 Sen Specter, Arlen [PA] - 2/6/2007

--------------------------------------------------------------------------------
COMMITTEE(S):
Committee/Subcommittee: Activity:
Senate Judiciary Referral, Markup, Reporting

[Sharing Lights]

http://www.epic.org/alert/EPIC_Alert_14.07.html

Quote:

================================================== ======================
E P I C A l e r t
================================================== ======================
Volume 14.07 April 5, 2007
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_14.07.html


================================================== ======================
Table of Contents
================================================== ======================
[1] New Privacy Safeguards for Telephone Customers
[2] EPIC Speaks Before European Parliament on Transatlantic Privacy
[3] EPIC Recommends Against Use of Universal Identifiers
[4] FBI Director Testifies on National Security Letter Misuse
[5] UK Report: You Can Have Security and Privacy
[6] News in Brief
[7] EPIC Bookstore: "Cybercrime"
[8] Upcoming Conferences and Events

================================================== ======================
[1] New Privacy Safeguards for Telephone Customers
================================================== ======================

In response to a petition filed by EPIC, the Federal Communications
Commission issued rules to protect the privacy of consumers' telephone
records. The new safeguards prohibit unauthorized access to phone
records, require passwords for customer accounts, require notice of any
changes to account information, and establish opt-in consent before
disclosing customer information.

FCC Chairman Martin called the unauthorized disclosure of customer
information "a significant privacy invasion." In its petition, EPIC
proposed five security measures that would more adequately protect
access to call detail information: consumer-set passwords, security
breach notification, audit trails, encryption, and limiting data
retention. The FCC addressed the first two security measures in its
rule, and announced a new rulemaking to consider audit trails,
encryption, data retention, and safeguards for information stored in
cell phones.

The rule prohibits companies from releasing call detail information over
the phone except when the customer provides a password. The reason is to
prevent others from pretending to be the customer and fraudulently
obtaining the call record information. If a customer does not provide a
password, the information can be disclosed by mail to the customer's
address of record, or by the company calling the customer's phone number
of record. The rule also requires that customers receive notice of any
changes made to their account information. The rules also include a
requirement to notify customers of unauthorized disclosures of telephone
records; however, law enforcement agencies can delay notification, a
provision that was criticized by Commissioner Copps and Commissioner
Adelstein.

Previous regulations prohibited disclosure of call detail information to
third parties offering non-communications-related services without the
express, or opt-in, consent of customers. The FCC's new rule extends the
requirement of opt-in consent to joint venture partners and independent
contractors. The FCC stated that substantial evidence shows that
"current opt-out rules do not adequately protect customer privacy," and
that an opt-in regime "directly and materially advances privacy and
safety interests by giving customers direct control over the
distribution of their private information." The FCC also extended the
rules to providers of interconnected VoIP service.

The FCC regulation addresses some of the issues that are considered in
legislation pending in Congress. The Prevention of Fraudulent Access to
Phone Records Act, H.R. 936 has been referred to the House Energy and
Commerce Committee for consideration.

EPIC Executive Director Marc Rotenberg testified on March 9 in support
of this legislation, stressing that action in this area was overdue.
The Act calls for several of the same measures as the FCC regulations,
such as opt-in requirements for third party disclosure, periodic audits
of telecommunications carriers by the FCC, and the use of
customer-specific identifiers in order to access call detail information.

In several areas, the Act provides stronger privacy protections than the
regulations. The Act would require telecommunications carriers to keep
a record of each time that a customer's call detail information was
requested, if access was granted, and how the person's identity or
authority to access the information was verified. Such records would
provide customers with knowledge of how their information was improperly
accessed, giving them a greater ability to prevent another breach.
Furthermore, the Act requires timely notice to a customer if there is an
unauthorized disclosure of his or her information. The Act also requires
the FCC to consider making regulations to require deletion of call
detail information after "a reasonable period of time if such data is no
longer necessary for the purpose for which it was collected."

[Sharing Lights]

Quote:

FCC Report and Order and Further Notice of Proposed Rulemaking (pdf):

http://hraunfoss.fcc.gov/edocs_publi...CC-07-22A1.pdf

Prevention of Fraudulent Access to Phone Records Act, H.R. 936:

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00936:

EPIC's Petition to the FCC:

http://epic.org/privacy/iei/cpnipet.html

EPIC's Illegal Sale of Phone Records page:

http://www.epic.org/privacy/iei


================================================== ======================
[2] EPIC Speaks Before European Parliament on Transatlantic Privacy
================================================== ======================

EPIC Executive Director Marc Rotenberg appeared before the European
Parliament's Committee on Civil Liberties, Justice and Home Affairs for
a public seminar on transatlantic relations and data protection. The
European Parliament is currently reviewing the transfer of travel,
consumer, and financial information on European citizens to the United
States government. European institutions are concerned about the absence
of adequate privacy protection for personal information.

The seminar examined the constitutional and legal context of data
processed in Europe, and in the USA, as well as the applicable
principles on the international level for transfer of personal data,
particularly as they pertain to passenger name records and financial
data. The self-regulatory Safe Harbor model of data transfer was also
discussed. Members of the European Parliament particularly wanted to
know: what kinds of data are being collected; what are the reasons for
the collection; problems that have arisen following collection; and what
kinds of joint review and redress mechanisms exist.

Mr. Rotenberg's presentation outlined "Recent Privacy Developments in
the United States." He explained that with respect to the privacy of
travelers, “much of the focus continues to be on problems with the watch
list systems as well as proposals to expand profiling and screening of
air travelers.” The data collected is being used by US authorities for a
range of purposes other than the fight against terrorism. He pointed out
"a critical shortcoming of the US Privacy Act," namely that it contains
"no protection at all for non-US citizens," results in a lack of redress
for European travelers.

Greek Member of Parliament Stavros Lambrinidis said that he was
"concerned about the amount of data transferred as well as about the
unclear purposes for which it will be used." Data protection expert and
Commission advisor Spiros Simitis said that the Commission had "clearly
breached its obligations" by negotiating agreements that were in breach
of data protection laws. The first two US-EU passenger name records
agreements have been highly criticized for their lack of transparency,
data protections, and redress provisions. Negotiations of a third
agreement are currently underway. This month, a Parliamentary delegation
will visit the US to discuss the passenger name records negotiations, as
well as other data transfer issues.

European Parliament Committee on Civil Liberties, Justice and Home
Affairs:

http://www.europarl.europa.eu/commit...be_home_en.htm

Marc Rotenberg, “Recent Privacy Developments in the United States”
(pdf):

http://www.epic.org/redirect/rotenberg0407.html

Privacy International SWIFT Campaign:

http://www.epic.org/redirect/pi0407.html

EPIC's EU-US Passenger Airline Data page:

http://www.epic.org/privacy/intl/passenger_data.html

..................................

[Sharing Lights]

Quote:

================================================== ======================
[3] EPIC Recommends Against Use of Universal Identifiers
================================================== ======================

In comments to the Federal Trade Commission, EPIC warned against using
universal identifiers in authentication systems. "Any move toward
universal identifiers, while potentially deterring amateur thieves,
increases the potential for misuse once determined criminals steal that
data," EPIC said.

EPIC also urged the restriction, rather than expansion, of the use of
Social Security numbers as identifiers. "Social Security numbers have
become a classic example of 'mission creep,' where a program designed
for a specific, limited purpose has been transformed for additional,
unintended purposes, sometimes with disastrous results," EPIC said. The
pervasiveness of the SSN and its use to both identify and authenticate
individuals threatens privacy and financial security; expanding use of
the SSN, making it a universal identifier, would harm, rather than help,
security efforts, EPIC said.

EPIC recommended against the creation of a centralized identification
system and advocated an identity metasystem in which authentication is
confined to specific contexts in order to limit the scope for potential
misuse. EPIC and others have explained that it decreases security to
have a centralized system of identification with one ID card for many
purposes, as there will be a substantial amount of harm when the card is
compromised. "Using a national ID card would be as if you used one key
to open your house, your car, your safe deposit box, your office, and
more," EPIC said. A centralized system of identification creates a
"one-stop shop" for identity thieves. "The confidence and trust of
consumers will fall when such a breach occurs; people will withdraw
because of privacy and security questions," EPIC said.

EPIC explained that "a system of distributed identification reduces the
risks associated with security breaches and the misuse of personal
information." For example, a banking PIN number, in conjunction with a
bank card, provides a better authentication system because it is not
coupled with a single, immutable consumer identity. If the combination
is compromised, a new bank card and PIN number can be issued and the old
combination cancelled, limiting the damage done by the compromised data.
"Distributing identity in this way allows for different profiles to be
used in different authenticating contexts. New profiles can be created
as required within a single identity metasystem," EPIC said. Misuse is
therefore limited to the context of the information breached, whether it
is a single bank account, online merchant, or medical records.

Possibilities for data misuse can also be limited at the data collection
stage, EPIC explained. Amassing large databases of credit card numbers
creates an attractive target for potential identity thieves. "One simple
response to identity theft is to require a PIN to be used in conjunction
with all credit cards. An identity metasystem would further reduce the
value of such aggregated database targets, because authenticators would
be separate and distinct from all personally identifiable information,"
EPIC said.

The FTC will hold a workshop, "Proof Positive: New Directions for ID
Authentication," on April 23 at the Commission's Satellite Building
Conference Center located at 601 New Jersey Avenue, NW, Washington, D.C.
The event is open to the public and attendance is free. There will not
be pre-registration.

EPIC Comments to the FTC (March 23, 2007) (pdf):

http://www.epic.org/privacy/id_cards...ftc_032307.pdf

Federal Trade Commission Notice Announcing Workshop and Requesting
Comments:

http://www.epic.org/redirect/ftc0407.html

EPIC page on Identity Theft: Causes and Solutions:

http://www.epic.org/privacy/idtheft/

EPIC page on National ID Cards and the REAL ID Act:

http://www.epic.org/privacy/id_cards/

================================================== ======================

[Sharing Lights]

Quote:

[4] FBI Director Testifies on National Security Letter Misuse
================================================== ======================

On March 27, 2007, FBI Director Robert Mueller testified before the Senate
Judiciary Committee regarding the Bureau's National Security Letter
authority. A recent report by the Department of Justice Office of the
Inspector General found significant violations of law and regulations by
the FBI in its use of National Security Letters. In his opening
statement, Committee Chairman Patrick Leahy stated that the FBI's
"pattern of abuse of authority and mismanagement causes me and many
others on both sides of the aisle to wonder whether the FBI and
Department of Justice have been faithful trustees of the great trust
that the Congress and American people have placed in them to keep our
nation safe while respecting the privacy rights and civil liberties of
all Americans."

In his testimony, Mr. Mueller stressed the importance of the security
letters in fighting terrorism. He further stressed that the FBI was
committed to fixing the problems exposed in the report. However, many
senators expressed concern over whether such problems could be fixed,
again raising the question of whether the FBI should be stripped of its
domestic intelligence functions in favor of creating a new agency for
such duties. Senator Arlen Specter, the ranking Republican member on
the committee, stated that "the question is emerging as to whether the
FBI is up to the enormous task that we have asked it to perform,"
pointing out that "every time we turn around, there is another, very
serious, failure on the part of the bureau."

Senator Specter showed particular concern for the fact that the report
had uncovered that many of the National Security Letters issued under
exigent circumstances were not based on a factual record to support such
a letter. He stressed the vital importance of factual accuracy, stating
that if incorrect facts are included, an individual is subjected to an
invasion of privacy, and such letters should not be issued.

Representative Jane Harman (D-CA) reintroduced legislation on March 28,
2007, that would return the threshold the issuance of a National
Security Letter back to the pre-Patriot Act standard of requiring that
the FBI show a specific connection to a terrorist or foreign power. The
bill, H.R.1739, also requires the approval of a Foreign Intelligence
Surveillance Court judge or designated United States Magistrate Judge
prior to the issuance of a National Security Letter. The bill would
further increase Congressional oversight of the FBI's use of the
letters.

In a March 21, 2007, letter to the Senate Judiciary Committee, EPIC
recommended that Congress repeal the FBI's National Security Letter
authority. In 2005, EPIC uncovered documents concerning these letters
which revealed violations of law reported to the Intelligence Oversight
Board. EPIC advised the committee that these documents and the recent
Inspector General report show that the FBI both misused its authority to
issue National Security Letters and has failed to be forthcoming with
information on the use of these powers. EPIC further urged that the
result of these failures should be the repeal of Section 505 of the
Patriot Act.

Office of the Inspector General's Report (pdf):

http://www.usdoj.gov/oig/special/s0703b/final.pdf

EPIC's Patriot Act Page:

http://www.epic.org/privacy/terrorism/usapatriot/

EPIC's National Security Letters page:

http://www.epic.org/privacy/nsl/

EPIC's letter to the Senate Judiciary Committee (pdf):

http://www.epic.org/privacy/pdf/nsl_letter.pdf

================================================== ======================