The leading publication on personal privacy in the world.

PRIVACY JOURNAL offers a special rate for individual subscribers (a 50 percent discount). Write us.

Order online now using Paypal:

INDEX covering 1994 through October 2013 - $14.50 for a copy by email from us.

Back issues in electronic formats are available through National Archive Publishing Company, formerly ProQuest (1978 to the present).

Hard-copy back issues, since 1974, are available directly from Privacy Journal, 401/​274-7861.

Back issues since 1994 are available electronically by e-mail or discs so that you can store them in your computer and search by key words or dates. Indexes to all our volumes are available electronically or in hard copy.

Celebrating Our 43rd Anniversary


Our Privacy Policy

In more than 40 years of business, we have never disclosed our subscriber list and do not intend to do so.

We maintain separate lists of persons we know to be interested in privacy issues. These are the lists to which we send advertisements about our newsletter and books. These are business addresses, not residences. On occasion we permit selected organizations that are marketing conferences or publications to mail to these addresses. We remove from the lists anybody who makes a request.

We do not place "cookies" on your computer when you visit this site. The personal information you provide when you order books is stored off-line in a secure computer. We store customers' credit card account numbers so that we may retrieve them when repeat customers place orders. Sometimes we use the phone numbers of customers to notify them of the latest editions of our publications, but we never disclose telephone numbers or e-mail addresses to outsiders.


The leading privacy newsletter in the world
PO BOX 28577
Providence RI 02908 USA
401/​274-7861 fax 401/​274-4747

Highlights From Our Latest Issues

California Law with Nationwide Impact
-- From the July 2018 issue

California abruptly enacted the California Consumer Privacy Act of 2018 last month, thus moving the whole nation into a new era of privacy protection. The act will allow California residents to find out specific personal information gathered about them online, why the information is being collected, and with where companies are sharing the information. In addition, consumers will be able to prevent online companies from selling their personal data.

The effective date is January 2020, leaving ample time for amendments,

Major Court Recognition of Sensitive of Cell Tower Info
-- From the July 2018 issue

The U.S. Supreme Court, in an historic ruling, has drawn the line on how far the government may search cell-phone data, recognizing that the amount of data involved in mobile communications and the pervasive usage of hand-held devices is radically different from POTS, “plain old telephone service.”

We have come a long way since the Fourth Amendment’s protections against unreasonable searches involved the appropriateness of physical intrusions into premises in order to install listening devices, said Chief Justice John Roberts in a 5-4 opinion joined by the court’s moderate members.

Credit Freezes Now Without Charge

-- from the June 2018 issue

Reacting to the massive data breach at Equifax, Congress this spring enacted a law providing consumers a right to post an unlimited number of credit freezes (and “unfreezes”) on credit records held by them by major credit bureaus.

A credit or security freeze disallows a credit bureau from making a credit report on an individual until it is lifted by the consumer. The idea is that fraud artists would not be able to co-opt a victim’s good credit standing if access to the credit report is barred. On the other hand, a freeze may result in delays in getting credit extended for a transaction like a loan or new credit card. More than 30 states have such laws, sometimes free, sometimes not, if you are a senior or an ID-theft victim.

The new law, part of the regulatory relief granted to small banks, the Economic Growth, Regulatory Relief and Consumer Protection Act (S. 2155), allows for one free year of credit-fraud alerts for victims of breaches, allows parents to turn on and off credit reporting for children under 18 years of age and prevents credit bureaus from placing negative information on veterans’ credit scores for one year, due to mix-ups in a federal program locating medical specialists for veterans.

Equifax Breach Victims Need Not Show Harm in Mass. Litigation

-- From the June 2018 issue

The debate among appeals courts continues whether a person whose data is leaked in a security breach must should demonstrable harm to prevail in a lawsuit [see PJ May 18].

But a state judge in Massachusetts has ruled that a governmental regulator does not have to make such a showing, in a lawsuit to hold a business accountable for a security breach.

Maura Healey in Massachusetts has been the first and only state attorney general to sue Equifax for its huge loss of consumer data one year ago. She sued (within two weeks of news of the breach) under the state’s fair-credit reporting law and the state's unique data-security law, which requires that entities, even those out of state, collecting data on Massachusetts individuals to have a data-security plan in place.

Copyright © 2018 Robert Ellis Smith

Lots of New State Laws on the Books

-- From the May 2018 issue

A total of 26 states now have laws limiting employers’ access to the social-media content or passwords of their employees or applicants, according to the annual survey of state privacy laws by PRIVACY JOURNAL. [Click "Books" for ordering information.]

And 15 states have new laws limiting educational institutions from accessing social-media content of students or demanding their passwords.

Wisconsin is the only state banning landlords from such access.

“There has been a surge of concern in state legislatures about privacy in the past two years, all of it before full disclosures to the public that Facebook had abused its privacy policies and revealed personal information to third parties,” said Robert Ellis Smith, publisher of PRIVACY JOURNAL, who compiles the Compilation of State and Federal Privacy Laws and yearly supplements. “Congress has not been as busy in the past five years.”

The 2018 Supplement has an additional section this year, on “Internet Services,” to reflect two new trends. About 22 states now have laws punishing “phishing,” which is the use of email to trick users into revealing personal information. The laws presumably ban “whaling,” the wholesale targeting of executives in a company by trickery, although the laws do not mention the term.

The second trend shows states regulating private-sector web sites, regardless of where they are based. California requires web sites that collect data on its residents to disclose whether third parties collect such information in their web sites or apps.

Minnesota, Nebraska, Nevada, and Pennsylvania now have similar state laws. Delaware has provisions like California's and also requires web sites that gather personal info on residents to post privacy policies. The state also limits online advertising directed at children.

Should I Use LifeLock?
- From the March 2018 issue

We are often asked whether a person should sign up for an “ID theft protection” service like LifeLock. Since it was founded in 2005, we have advised against doing business with the company. It is deceptive in its practices.

First, the company can’t do what it implies it can do, “protect” against identity theft. Neither can its competitors. In fact, what LifeLock does for a fee is monitor a person’s credit report to detect possibly illicit inquiries by retailers into the report of a person held by a national credit bureau. By the time it detects suspicious activity, theft of identity has occurred.

Our analysis goes on to describe seven infractions by the company, including law-breaking. Ask us for a copy of the article.

And we go on to report:

Identity-theft protection services can be vulnerable to attack, thus making their customers’ personal information vulnerable to theft.

Equifax Breach Case

From the March 2018 issue

The chief federal judge in Atlanta has named three lawyers to lead the pack of two dozen lawyers pursuing multi-district claims against Equifax for its massive loss of personal data. All three have experience with consumer class-action lawsuits against Home Depot, Anthem, Target, and Yahoo [see page one and see PJ Feb 18].

Equifax, which has never been good at numbers, originally announced last summer that the records of 143 consumers were affected, then a month later, 145.5 million. That figure was revised upward by two million to about 147.9 million.

'Web Scrapping' From the January 2018 issue

LinkedIn, the site for professionals to attract attention to their qualifications, allows for some profiles to be available to non-members. But the Microsoft-owned service’s user agreement prohibits others from copying the information.

That did not deter a company named hiQ Labs from harvesting this information with its own software (called “scraping”) and then selling it to businesses, in the form of “Keeper,” which tells employers which of their employees are at the greatest risk of being recruited away; and “Skill Mapper,” which provides a summary of the skills possessed by individual workers.

Read about the lawsuit that resulted, and how hiQ seems to have the legal advantage now.

Predicting Anti-Social Behavior From the January 2018 issue

Tax-supported police department have relied on private databases for arrest information and intelligence. Now the semi-secret interstate database of choice is Palantir, a privately owned “threat intelligence firm” based in Palo Alto, Calif.

It is funded privately more so than its predecessors; its primary backer is Peter Thiel, the German innovator, Facebook board member, founder of Paypal, and (mostly) ultra-right Trump sup-porter.

The year 2016 marked the time when Palantir came to the attention of industrious journalists. It is a “threat-intelligence company,” which along the way uses demographic and criminal-justice data to predict anti-social behavior before it occurs. . . . . Read more in the January 2018 issue.

Matching All the Devices You Use
-- From the December 2017 issue
Clearly most of us are using multiple devices in our digital worlds – smartphones, tablets, lap-tops, TVs, utility meters, and now, in-car systems[see a full article on this in our December issue page one]. Businesses are increasingly interested in the trend and want to determine the identification and addresses of the devices used by the same person. Tying in social media used by an individual adds to the precision. This will allow marketers to reach their target audiences easier. It’s called cross-device tracking.

This new capability to match a person’s devices will involve collection of centralized information about the individual and provide the means for fine-tuning control over the person’s life choices.

Discovering the email address used to log onto various devices is one way to make a probable identification of a multiple user. Wi-Fi connection, installed fonts, online retail accounts, social-media choices, and physical location are other ways. Incorporating all of these clues into an algorithm enhances the ID process.

Read all about this - and what you can do to reduce the threat - in our December 2017 issue. Ask us for a sample copy.

Beware of Voice-Activated Alexa-Like Devices

Voice-activated devices like Google Home and Amazon Alexa are recording everyone in their vicinity and sending those digital voice recordings to the cloud. The resulting data is then used in any number of undisclosed ways.

According to computer security specialist Rebecca Herold, "You may be one of millions, but your data helps build a profile of you, and of people like you. These profiles are used by marketers, insurers, law enforcement and plenty of others to make assumptions and predictions about behaviors, as well as things that can trigger those behaviors.”

Second, a recently discovered vulnerability means your voice recordings could be exploited in a much more targeted way. Security researchers found it is possible to install malware on these devices that is capable of using embedded microphones to spy on the devices’ owners.

“Listening (and recording) can be unintentionally triggered – by a child, a visitor, or even a TV news report. The devices have to be listening at all times – how else would they hear the trigger word?”

In addition, researchers have devised a method to give potentially harmful instructions to most popular voice assistants using voice commands that can’t be heard by humans. An attacker could exploit inaudible voice commands, including silently instructing Siri to make a Face Time call on an iPhone, telling Google to switch the phone into airplane mode, and even manipulating the navigation system in an Audi.

. . . . Get the full story. Ask us for a sample copy of the November 2017 issue.

Two Major Protections for Social Security Numbers

Two federal agencies have finally taken steps to limit the availability of individuals’ Social Security numbers on government documents. Privacy advocates have been campaigning for these changes for more than two decades.
But taxpayers will have to wait until 2019 to reap the benefits of the changes.

First, the Internal Revenue Service has proposed a new regulation to allow employers to truncate employees’ Social Security numbers on W-2 forms.

In a separate action, the Centers for Medicare & Medicaid Services in the U.S. Department of Health and Human Services has announced that it will issue Medicare cards that will use a new Medicare Beneficiary Identifier to replace So-cial Security numbers as the Medicare enroll-ment number that now appears on Medicare cards.

Get the details in the October 2017 issue of Privacy Journal

Four Decades of Defiance

There has not been a year since 1972 in which Equifax, the major national credit bureau with crucial records on millions of Americans, has not been subject to an enforcement action by the federal government for violation of Fair Credit Reporting Act, which was enacted in 1971.

Imagine: a major company in the U.S. consumer economy continuing to operate while being found to be out of compliance continually with the law that regulates it.

Read the whole story; Ask us for a free copy of our August 2017 issue.

Legal Remedies Against Drones?

What if a neighbor's wayward drone, or your local police department's unmanned camera aircraft stays over your property line and films yourself and family in intimate moments, or seeks to peer inside your windows? Privacy Journal reviews the legal protection for victims of drone surveillance -- but you will need a clever, innovative legal strategy. Here's how to develop one: Ask for the July 2017 issue of Privacy Journal.

Test Your Online Security Smarts

from the April 2017 issue

What does the “https:/​/​” at the beginning of a URL denote, as opposed to “http:/​/​” (without the S)?

What is an example of a “phishing” attack?

Turning off the GPS function of your smart-phone prevents any tracking of your phone’s location. True or False?

If a public Wi-Fi network (such as in an airport or café) requires a password to access, is it generally safe to use that network for sensitive activities such as online banking?

Answers in our April 2017 issue; ask us for a free copy.

Abrupt Changes in Consumer Protection
From the February 2017 issue

Just six days after a new administration came to Washington, the two privacy-protecting federal agencies clicked into deregulatory mode.

These changes in the semi-independent regulatory agencies usually take several weeks or months. But not this time. The President selects the chairs of the bodies from his or her own party.

In recent years, the Federal Communications Commission had taken an increasingly assertive role in privacy protection [see PJ Nov 16]. But Ajit Pai, a Republican member, seemed to be eager to curb the agency’s pro-consumer stances. He got his chance when he was appointed chair last month and immediately took a page out of Donald Trump’s playbook and issued his own version of executive orders to undercut affordable broadband internet service and to curtail key protections for internet users.

Over at the Federal Trade Commission, there is a four-decade history of privacy enforcement and specific privacy statutes to enforce. There, activist Democratic chair Edith Ramirez departed in mid-month. As at the FCC, there was a minority Republican member who during the Obama years urged caution in regulation. But she has not yet been named chair. Maureen K. Ohlhausen now serves as interim chair on a five-member body with only two of its seats filed. (Ask for our February issue to read the whole story.)

-- From the January 2017 issue:

Tips on making it as a privacy professional.

Tips on avoiding Facebook.

A charge by a federal agency that Equifax and TransUnion national credit bureaus are still 'deceptive.'

New laws in Illinois, West Virginia and Nebraska protecting employees who use social media.

And from Massachusetts: guidelines for protecting the privacy rights of school pupils.

- From the December 2016 issue

Chilling Letters

The Republican chairs of the Senate Committee on Commerce and the House Committee on Commerce have written short but chilling letters to the Democratic chair of the Federal Trade Commission warning her to stick to routine matters in the next months and not pursue complex, partisan or controversial items. . . .

Based on a FTC enforcement action against Wyndham Hotels, Republican Members of Congress are challenging the commission on how it interprets its broad authority under Section 5 of the FTC Act when the FTC says that failing to meet a data-security plan is an unfair business practice.

Based on a second case, this one involving a teetering medical lab for physicians, LabMD, Congressional committees are seeking to use their oversight jurisdiction to curtail FTC claims that only the possibility of harm in a leak of personal information can give rise to an FTC enforcement action like a monetary punishment or ban on future activities. In the LabMD case, the members of the commission overruled their own administrative judge on this issue.

A Major Landmark

The November 2016 issue marks the forty-third year of publication for PRIVACY JOURNAL. It is believed to be the longest continuous newsletter in North America.

The newsletter began in Washington, D.C., in the same month in which Congress passed the Privacy Act and the Family Educational Rights and Privacy Act.

The major concern among the public was the growth of large government and business computer systems storing personal data about individuals. There was then no right of an individual to see or correct his or her own credit report or medical records. Polygraphs were commonly used in employment as “lie detectors.” Early databases were filled with inaccuracies. PRIVACY JOURNAL successfully pushed for reforms in these area.

Intelligence agencies were limited by the Fourth Amendment and by limited technology. There were no sophisticated means for businesses to target consumers’ every marketplace choice. Individuals had no computer capability themselves, only large organizations had it.

From the November 2016 issue

The misguided, unauthorized, and unconstitutional proposals to allow the U.S. Centers for Disease Control and Prevention to detain individuals traveling within the U.S. should be withdrawn.

In the guise of a proposal for “medical quarantine,” the CDC has proposed regulations that would give CDC employees sweeping martial-law powers of warrantless search, interrogation, tracking of movements, arrest, and extrajudicial mass detention (at the detainees’ own expense!) of individuals or entire groups of unlimited numbers of people for unlimited periods of time. [See more in PJ Oct 16.]

The proposal revives a dormant decade-old rule-making initiated after the 2001 and 2005 anthrax scares in Washington, D.C. But rather than finalizing the rules proposed (and widely criticized) in 2005, or responding to the comments submitted back then in response to the original proposal, the CDC has published a new and different but perhaps even more objectionable replacement proposal. See the complete story by travel expert Edward Hasbrouck in the November 2016 issue.

From the October 2016 issue:

Still Getting Robocalls?

In spite of a well-regarded, long-standing federal law prohibiting sales calls to persons listed on a national do-not-call list, telephone users lately are receiving more and more automated phone calls, many of them pushing scams. Why?

Draconian Measures for Travelers
The federal Centers for Disease Control and Prevention have proposed a regulation giving federal officials power to detain for three days U.S. citizens traveling within the U.S., for purpose of examination, testing, vaccination (without consent, if necessary), and possible quarantine. Airports, train stations, bus terminals and U.S. ports would be compelled to cooperate in reporting persons. Detained individuals may be required to pay for all testing, treatment, transportation and vaccination imposed. 81 Federal Register 157, p. 54230, Aug. 15.

Leaks Themselves are Harmful
Taking the unusual step of overturning a decision by its own administrative judge, the Federal Trade Commission has unanimously ruled that the mere fact that sensitive medical records were leaked and made public, without any evidence that consumers suffered any adverse effects or were even aware of the breach, was enough to support a finding of substantial consumer injury. This can subject the business to fines and penalties. A federal appeals court will now hear the case. Watch for the December issue for an account of what the appeals court had to say about this.

From the September 2016 issue

An expert examines whether Congress should enact a uniform national law on requiring companies to notify individuals affected by wrongful disclosures (or "hacks") of their personal information.

We point out that Presidential candidates, even if they agree to disclose their full medical information, may not be able to locate their records, just like the rest of us. After more than eight years of trying, the medical community has not streamlined electronic patient records.

And experts discuss whether the traditional "protection" of giving people notice of data gathering and of getting their consent has any meaning in the current digital environment.

It's all in the September issue. Ask for a sample.

From our August 2016 issue:

Lawyers who are pressed to explain why certain government conduct is an unconstitutional invasion of privacy often resort to the response, “Well, it’s creepy and un-American.”

Did it all begin with Alex Kozinski, chief judge of the tech-savvy Ninth Circuit Court of Appeals? In a dissent from his colleagues in 2010, he wrote, “I don’t think that most people in the United States would agree with the panel that someone who leaves his car parked in his driveway outside the door of his home invites people to crawl under it and attach a device that will track the vehicle’s every movement and transmit that information to total strangers. There is something creepy and un-American about such clandestine and underhanded behavior. To those of us who have lived under a totalitarian regime, there is an eerie feeling of déjà vu.”

Judge Kozinski spent the first 12 years of his life living in Romania, which was dominated by the Soviet Union. Read the full story in the August 2016 issue of Privacy Journal. . . .

From the July issue: The FBI has claimed for the past year that encryption used by private individuals to protect their personal telephone and email correspondence is obstructing law enforcement’s ability to investigate criminal activity and get access to – and to read intelligibly – evidence of suspects’ behavior. But data released in July by the federal court system seems to refute that assertion.

The annual “wiretap report” required by law showed that encryption was a problem in 2015 less than it was in 2014. Ask us for the July issue to read more.

From the June 2016 issue:

Forty-five privacy, civil liberties, and immigrants’ rights organizations have objected to the FBI that it proposed exempting a massive data¬base of biometric information on Americans from the protections of the Privacy Act and permitted the public a short time to object. The deadline has been extended to July 6.

* * * In an opinion finding for an information broker, U.S. Supreme Court Justice Samuel Alito wrote for the majority, “We have made it clear time and time again that an injury in fact must be both concrete and particularized. An example [of the opposite] that comes readily to mind is an incorrect zip code. It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” But an expert in privacy shows how disxlosure of a postal code can in fact lead to trouble for a family.

* * * What did Steven Spielberg say this month about obsessive use of hand-held devices?

* * * A "Stingray" is a brand name for a “cell site simulator” because it mimics a cell tower and captures information from a targeted phone. The manufacturer tells police who buy it not to disclose that they are using it. What did a court in Maryland scold a prosecutor for trying to persuade a trial judge that use of the device does not require prior approval by a judge? How many states now require a court warrant for police to use it?

Why are the coming "neural" invasions of privacy threatening?

You need Privacy Journal every month to protect yourself from the coming intrusions. Ask us for a free copy of our June 2016 issue and be informed!

From the May 2016 issue:

Tips for figuring out online privacy polices - without having to read through all of them

Legislatures in states busy enacting laws on tracking technologies and statewide student databases

Okay to make certain negative statements about your boss on Facebook and not get fired, says high federal court in CT

What your neighbors think of requiring ID to vote

Ask us for a free sample copy of the May 2016 issue

Juries Affirm Time-Tested Principles
- From the April 2016 issue

In an era when gawking and gossip and Internet bullying and sexual harassment seem pervasive, two juries have reaffirmed the principles of invasion of privacy developed more than a century ago in American law.

Trends since the turn of the Twentieth Century seemed to favor the press and the collectors of information about individuals. Further, with the coming of the Internet, courts seemed hesitant at first to provide recourse to victims of the seemingly Constitutionally protected free expression on this digital frontier.

Early in March a jury in Nashville awarded $55 million in damages to Erin Andrews, an attractive and effective on-air sports reporter for ESPN. A stalker had videotaped her through a peephole in a Marriott Hotel in 2008 and posted nude images of Andrews on the Internet.

Then, 17 days after the Campbell verdict in Nashville, a jury in rural Florida, awarded $100 million to Terry Bollea, better known as wrestling entertainer Hulk Hogan, against Nick Denton, publisher of the gossip Web site Gawker, who posted purchased videotapes of Hulk having sex with a friend’s wife. The same well-established tort principles would have been presented to the jury in this case, including instructing them, “The line is to be drawn when the publicity ceases to be the giving of information to which the public is entitled, and becomes a morbid and sensational prying into private lives for its own sake.”

For the full analysis, see the April 2016 issue. Request it my email today.

Court Nominee Judge Garland's Views on Data Collection
He seems cautious but humane in privacy and open access cases, according to our analyst, California attorney Steven C. Posner.

From the March 2016 issue:

My dispute with Antonin Scalia over the dimensions of personal privacy and organizational secrecy, by Publisher Robert Ellis Smith
20 Tips for Managers to Combat Theft of Identity
The Legality of the FBI's demand for access to Apple's phone
How you can halt wanted postal mail
What is Stingray technology and will [police need court approval to use it?

Europeans' Privacy Complaints Get Priority over Americans'
From the February 2016 issue
European and U.S. negotiators have reached agreement on a plan for transfer of personal information across the Atlantic that continues to provide more protection by U.S. agencies to Europeans than to Americans.

First, the U.S. will establish an ombudsman in the Department of State to address complaints related to U.S. intelligence authorities’ access to data about Europeans. American citizens and residents have no such redress.

Next, the U.S. Office of National Intelligence has made binding commitments that U.S. access to Europeans’ data for national security purposes will have “clear limitations, safeguards and oversight mechanisms” limiting the access to what is “necessary and proportionate.” The U.S. has also agreed to an annual review of these commitments. American citizens have no such assurances.

Thirdly, U.S. Department of Commerce will monitor companies to ensure that they publish their privacy commitments, which then become enforceable by the Federal Trade Commission, similar to the previous Safe Harbor framework. But the privacy policies need not provide any protections for Americans.

Fourth, European Union individuals will have access to free alternative dispute resolution mechanisms. Americans will not benefit from this.

Fifth, European regulators will have a formal channel to refer complaints to the U.S. Department of Commerce and the FTC. And complaints from Europe will need to be resolved by stated deadlines, meaning that they will have priority over complaints by Americans, where there are no required deadlines.

For the full story get a free copy of the February 2016 issue. Ask for it by phone or email.

Find a typographical error on this web site and receive a free book from us.

From the January 2016 issue:

Beware Square

In a restaurant or other retail establishment, you are now often asked to use a swivel tablet, sometimes add a tip, and sign the screen with a fingertip.
A company called Square, founded by the co-founder of Twitter, Jack Dorsey, is marketing the devices throughout the U.S., Canada, and Japan. What it doesn’t tell you, nor does the retailer, is that the system apparently matches your credit-card number with an email address found in a database and then generates an automated, non-requested receipt of the transaction. Credit-card companies generally do not disclose this information about their card-holders.

For the full story, ask for a copy of the January 2016 issue. [Square Inc. added to this information, in the February 2016 issue.]

From the December 2015 newsletter
Now that the Federal Trade Commission and Federal Communications Commission have begun working in tandem to invigorate privacy-protection enforcement, the two agencies have acted simultaneously to hire recognized, pro-privacy technologists to advise their staffs.

This continues a pattern of recruiting at the FTC, which investigates deceptive and unfair marketing practices and, thanks to a recent court decision, lack of security in companies entrusted with personal data.

The latest FTC pick is Lorrie Faith Cranor, the prime mover in creating strong privacy research centers at Carnegie Mellon University. [For more, ask for our December 2015 issue.]

It does not take much imagination to foresee the potential misuse of drone technology by criminals, stalkers, voyeurs, private investigators, and terrorists. One question that is never asked in the current discussion: Is the use and deployment of civilian drones a good idea? [For more, ask for our December 2015 issue.]

Millions of teenagers in high schools nationwide are using a smartphone app to share anonymously their deepest anxieties, secret crushes, vulgar assessments of their classmates and even violent threats, all without adults being able to look in. The After School app has exploded in popularity this school year and is now on more than 22,300 high school campuses. Many parents and administrators know nothing about it, [For more, ask for a copy of our December 2015 issue. No charge.]

From the October 2015 issue:

Which states prohibt employers from snooping into employees' Facebook accounts and passwords?

Which prohibit colleges and universities from doing so? (A different list.)

What does an invasion of privacy (through electronic surveillance) feel like, in the words of a victim?

What is a 'marshmallow' and how does it affect your online life?

What are the best tips for protecting yourself?

All of this in the October 2015 issue.

Google and Your Privacy
- from the September 2015 issue

The company that has gathered the most online users in the world based on its public representations of being pro-privacy shows a pattern of abusing privacy, according to the lead article in the September 2015 issue. Ask us for a sample copy.

Beware Butt Calls
- From the August 2015 issue

A federal appeals court in the Midwest has ruled that a person who inadvertently places what the court politely calls a “pocket dial” from a cell phone runs the risk that the person on the other end may linger on the phone and listen to conversations in the dialer’s surroundings.

Most people call these accidents “butt calls,” or “butt dials.” They usually occur when a phone user places the phone in a pocket or purse and inadvertently presses a key or two. When the mistaken calls are discovered, they prompt acquaintances who have been out of touch to have unexpected chats. No harm done.

But not for a business executive in Ohio who inadvertently placed such a call to his assistant while he was on a business trip in Italy in October 2013.

Birth of a Constitutional Right 50 Years Ago

- From June 2015 issue

The constitutional right to privacy is generally regarded as stemming from a Supreme Court decision announced 50 years ago this month invalidating Connecticut’s laws that had made it a crime to use birth control devices or to give information or instructions on their use.

The decision, about which there was hardly a majority on the court, came on June 7, 1965, five years after the federal government approved “the pill” as a contraceptive for women.

In the court’s majority opinion, Associate Justice William O. Douglas reviewed the previous Supreme Court decisions that had found “peripheral rights” emanating from specific rights in the Constitution, even if they were not specifically mentioned in the Constitution itself. Justice Douglas, then the longest serving member of the court, had replaced Justice Louis D. Brandeis in 1939. He was as contemptuous of government intrusions into individual rights as Brandeis, "the father of privacy in U.S. law," had been.

In the case of Griswold v. Connecticut, Douglas wrote: “The foregoing cases suggest that specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and sub-stance. Various guarantees create zones of privacy."
Subsequent court decisions confined this right to privacy to matters relating to marriage, procreation, contraception, family relationships, sexuality, some matters in the home, child rearing and education.

For the full story ask us for a sample copy of the June 2015 issue.

An Artist's Eye View:

“No Privacy in the Bathroom” by Shar Young, acrylic on canvas, one of several works of art on a theme of personal privacy, in an exhibit sponsored by Vincents Art Workshop in Wellington and the Privacy Commissioner of New Zealand. Privacy Journal reprinted five of them. Call or write for a sample copy of the May 2015 issue.

Drug Tests OK Where Marijuana Legal?
-- From the May 2015 issue

“A question I get asked all the time is ‘Can I still be fired for smoking marijuana, even if I live in a state that legalized marijuana?’ observes Johnny Green, a marijuana activist from Oregon, which has legalized the possession and use of the drug effective July 15.

“The quick answer is yes, employers can still fire you for marijuana, even if your state has legalized marijuana,” Green answers. “Does that mean that each and every employer will fire every marijuana consumer for a failed drug test? Of course not. Not all employers drug test, and some will no doubt update their drug testing policy to exclude marijuana. However, be aware that due to the fact that employers can hide behind federal law, they can still fire you even though marijuana is legal to consume within some states.

Marijuana use is still illegal under federal laws. Therefore, any workplace that receives federal funding like contracts or is subject to federal regulations requiring the testing of safety-sensitive workers must consider marijuana a prohibited substance, according to the Drug-Free Workplace Act of 1988.

The issue of drug testing in states where pot is legal may become focused with an expected decision by the Colorado Supreme Court (Coats v Dish Network, 2013SC000394).

Brandon Coats was fired in 2010 by Dish Network after he tested positive for an element in marijuana. He had been paralyzed in an auto accident and had a license from the state to use marijuana for medical purposes. He says that pot relives his pain, insomnia, and spasms. He sued the company for discriminatory firing. The “Lawful Activities” state statute prohibits an employer from discharging an employee for engaging in lawful activity off the premises of the business during nonworking hours.

A trial court and the Colorado Court of Appeals ruled against Coats. In the meantime, pot has become legal in the state, making it a regulated substance like alcohol. Thus, a decision in his favor by the highest court in the state may mean that employers may not fire or discipline employees using marijuana legally. Would such a decision also mean that companies may not require drug testing for marijuana in states where pot has been legalized?

How Do the States Rank in ID Theft?

-- From April 2015 issue

The following list shows ID-theft cases per 100,000 population and the absolute number of cases reported in 2014, according to the Federal Trade Commission. For more, including how one small state managed to virtually wipe out identity theft, see the April 2015 issue of Privacy Journal.

1 Florida 186.3, 37,059
2 Washington 154.8, 10,930
3 Oregon 124.6 4,946
4 Missouri 118.7, 7,195
5 Georgia 112.7, 11,384
6 Michigan 104.3, 10,338
7 California 100.5, 38,982
8 Nevada 100.2, 2846
9 Arizona 96.0, 6460
10 Maryland 95.9, 5734
10 Texas 95.9, 25,843

12 Illinois 95.6, 12,317
13 Colorado 85.5, 4579
14 Connecticut 85.4, 3071
15 Arkansas 83.6, 2481
16 Pennsylvania 81.7, 10,446
17 New York 80.8, 15,959
18 Mississippi 80.5, 2409
19 New Jersey 79.9, 7144
20 Ohio 79.0, 9161

21 Delaware 78.1, 731
22 Alabama 77.7 3,770
23 New Mexico 77.2, 1611
24 Tennessee 76.2, 4993
25 Massachusetts 75.8, 5116
26 Wisconsin 74.4, 4283
27 Louisiana 73.8, 3430
27 North Carolina 73.8, 7334
29 Alaska 73.6, 542
30 South Carolina 73.3, 3540

31 Virginia 71.1, 5921
32 Oklahoma 68.5, 2656
33 Indiana 68.2, 4498
34 Rhode Island 66.2, 699
35 Kansas 65.2, 1892
36 Vermont 64.2, 402
37 West Virginia 61.4, 1,136
38 Minnesota 59.2, 3229
39 Idaho 58.9, 962
40 Montana 57.2, 585

41 New Hampshire 54.7, 726
42 Utah 53.9, 1586
43 Kentucky 53.4, 2358
44 Maine 52.1, 693
45 Wyoming 49.1 287
46 Nebraska 48.6, 914
47 Iowa 48.5, 1506
48 North Dakota 43.1, 319
49 Hawaii 40.9, 580
50 South Dakota 36.3, 310

Metro areas
Number of complaints and complaints per 100,000 population

1 Miami-Fort Lauderdale-West Palm Beach, FL Metro 18,428, 316.2
2 Seattle-Tacoma-Bellevue, WA Metro 7473, 207.0
3 St. Louis 5724, 204.4
4 Tallahassee 706, 189.1
5 Naples-Immokalee, Fla. 586, 172.5

6 Olympia, Wash. 418 159.3
7 Portland, Ore. 3685, 159.2
8 Pueblo, Col. 252, 156.1
9 Jacksonville 2156, 154.6
10 Detroit 6522, 151.9

-- From February 2015 issue


It varies. Get the full story from the February 2015 issue of PRIVACY JOURNAL.


Some citizens have been cowed into thinking that beginning in 2016 they will be barred from federal buildings or from boarding an aircraft if their states of residence are not in compliance with REAL ID or if they do not have REAL ID- compliant drivers licenses.

If your license complies with REAL ID it will have a red star on it. (Not difficult to counterfeit, right?)

So are the fears realistic?

With regard to federal buildings, the federal government has already exempted popular tourist destinations from the requirement. And the law includes no requirement that an ID document must be displayed for this purpose, only that a document that is required must apparently comply with REAL ID standards.
In fact, a passport will do, to enter a federal building or to board an airplane. And, in fact, U. S. transportation officials have insisted for nearly two decades, that an ID document has never been required to board an airplane, it merely speeds the process. [See PJ Mar 08.]

Further, many states have not yet adopted REAL ID. “Half the state legislatures in the country passed resolutions objecting to the REAL ID Act or bills outright barring their states from complying,” according to a report last May by Jim Harper, director of information policy studies at the Cato Institute.

Read the whole story; ask for a free copy of our February 2015 issue

I Am Overwhelmed. Does it Matter?
By Murray Long

Personal technologies and social media have become way too complex for the average person to even attempt to comprehend. And too complex for using the proffered settings effectively; the choices and their impacts are equally complex and weighted towards the interests of the provider. Everyone knows this of course.

But as a supposed “privacy expert” or at least a person who has attempted to undertake real research and then write credibly about numerous privacy issues in the past, I feel overwhelmed at the amount of time and research that would have to be undertaken to attempt truly to understand the choices and the tensions involved.

I can extemporize that location-tracking phones become key tools in our increasing surveillance state and therefore I possibly should personally avoid the location capabilities – but then you have the whole other question of whether you let concerns or even paranoia about the state (or hackers) interfere with personal choices you feel you should have a right to make – and that dilemma of trying to figure out just how incursive those police/​state powers might be in your own personal life.
And how deep do you go into that quagmire?

We would avoid all telecommunications technologies and revert to blinking flashlights at each other from bedroom windows at night if we took this issue too far.

Read the complete essay by Canadian privacy specialist Murray Long on the difficulty of taking advantage of privacy settings in your computer life, by asking us for a free copy of the January 2015 issue of the monthly newsletter.

Index on 'Concern' Rises in Polls

Perhaps most striking about public-opinion polling taken in 2014 by the Pew organization is Americans’ lack of confidence that they have control over their personal information. Ninety-one percent in the survey agree or strongly agree that consumers have lost control over how personal information is collected and used by businesses.

Comparing to Louis Harris Data

These results can be compared roughly to public-opinion results collected by Louis Harris & Associates in the 1970s through 2000. Using a comparable question, Harris found in 1970 that 34 percent of Americans were “concerned.” Then in 1977, 47 percent were “concerned” (including 25 percent “very concerned”); 79 percent in 1990, 83 percent in 1993, and 92 percent in 1997. The significant jumps after 1990 reflect one thing: Americans had discovered the Internet.

In the 2014 Pew survey, 88 percent agree or strongly agree that it would be very difficult to remove inaccurate information about oneself online.

- - - Full results in the December 2014 issue. Ask for it now.

News About Travel in the October 2014 Issue

'The more that I learned about the technical capabilities of the e-passport system, the more I came to see it as a threat to personal safety, security, and privacy. E-passports are intended to be used by governments; they can also be used by businesses or criminals, for surveillance, tracking, and the construction of ID-linked movement and event logs. E-passports make it possible to build bombs triggered by the proximity of passports of a specified nationality or nationalities – or of a specific target person or persons.

"Further, skimming” or interception of communications with'“legitimate' e-passport readers – by the person behind you in line at the airport kiosk or check-in counter, for example – allows identity thieves to clone touchless digit-ally-perfect remote passports." See the October 2014 issue for the full appraisal by the man most qualified to write about this: Edward Hasbrouck, The Practical Nomad, a trip adviser and writer on privacy and the rights of travelers..

* * *
"Since January 2009, the Secure Flight program has changed from one that identifies high-risk passengers by matching them against the No Fly and Selectee Lists to one that assigns passengers a risk category: high risk, low risk, or unknown risk," according to a Congressional report on airport screening.

* * *
Tens of thousands of people try to fly without ID each year and do so successfully, according to suggestions in an internal document of the U.S. Transportation Security Administration.
A total of 119 persons declined or could not present ID when boarding a plane in the overnight hours (described as a quiet night) of a sample period in 2008, according to an email uncovered in documents released in a Freedom of Information Request by the Electronic Privacy Information Center in Washington. No data was included for the daylight hours, which are presumably much busier. It appears that most of the 119 were allowed to fly; only eight were reported as “denials.”

* * *
The U.S. Transportation Security Administration has issued a final order saying that an air passenger who stripped off all his clothes and stood naked at the security checkpoint in the Portland International Airport in Oregon to protest security demands violated a federal regulation.

TSA personnel called the airport police and the man, John Brennan was charged with indecent exposure. In criminal court he was found not guilty. [See PJ May 13.] He lost his job. But TSA persisted and hit him with a $500 civil penalty. The final internal order upheld the penalty, for “interfering with” screening personnel. Brennan is now free to challenge the ruling in federal court, if he can find the resources to do so. In Matter of John Brennan, 12-TSA-0092 (Sept. 19).

* * *
A gadfly named simply Sai is challenging the Transportation Security Administration’s harassment of him at airport security points because he insists on carrying certain liquids. He has an uncommon but recognized medical condition requiring ready access to liquids, and TSA regulations say it allows passengers to carry medically necessary liquids. Sai says that government agents seized his medical liquids, denied him access to them, detained him, and refused to let him travel by air. He is seeking to discover more about this by a Freedom of Information Act request.

Credit Bureaus Still Evading Law
- From the August 2014 issue

Ever since the Fair Credit Reporting Act was enacted in 1971, the national credit bureau then known as TRW and now known as Experian has operated either under an investigation by federal agents or a court-approved order to comply with the act.
Now the state of Mississippi, source of a major lawsuit that tamed the tobacco industry, has joined the act.

State Attorney General Jim Hood in June sued the national credit bureau for persistently failing to correct errors in consumers’ credit reports, errors it has been notified of.

Inaccuracy has plagued the industry since passage of the FCRA, which requires “maximum possible accuracy.” The law also requires a credit bureau to investigate and correct inaccuracies promptly.

“Experian has, over more than two decades, engaged in an unyielding pattern and practice of violating state and federal law,” the complaint says. The suit alleges that the firm provides no easy way for consumers to correct inaccuracies. Further, the firm seems routinely to rule against the consumer and favor a lender or debt collector that reports the information in the first place.

In other words, Experian’s business model has not changed since 1971. . . .
Ask for a free copy of the August issue and get the full story.

Free Credit Scores Coming?
From the July 2014 issue. Ask for a free copy

The U.S. Consumer Financial Protection Bureau is in the midst of an effort to get credit bureaus and/​or the makers of credit scores to provide the scores free to consumers. So far the effort has been limited to asking companies to make free disclosures voluntarily; the agency has not yet endorsed a federal requirement to disclose credit scores.

FICO, created by Fair Isaac Corporation, is the most frequently used credit score. It can determine whether an individual qualifies for mortgages and auto loans, the amount of interest charged by lenders, and in some cases, approval for a rental apartment.

Federal law allows an individual to request a free credit report annually from each of the reporting agencies by going to the Web site But this does not include a free credit score . . . .

States Busy With New Laws
- From the June 2014 issue

State legislators have been extraordinarily busy in the past 14 months enacting privacy protective legislation. During the same period, Congress did not pass any notable pro-privacy reforms.

PRIVACY JOURNAL has counted more than 60 important laws on privacy enacted by state legislators in the 12 months since publication of its 2013 Compilation of State and Federal Prvacy Laws. The new laws are described with legal citations in the 2014 Supplement, available in hard copy or pdf email attachment for $16.

The 2013 book with the supplement included is $40 (postage included) and the digital version is $28.50.

The book and supplement describe each law, grouped by states and by categories, and include the legal citation of each state law.

Facebook Passwords

A total of 17 states, 12 of them in the past year, have passed laws restricting employers from demanding social-media passwords or access to personal sites belonging to applicants or employees. In recent months ten states have extended these protections to students in higher education. Louisiana, Michigan, New Mexico, Oregon, Utah, and Washington State have extended this protection to students in high schools and secondary schools as well. Wisconsin includes landlords in the prohibition.

Surveillance by Drones

Lawmakers in blue and red states alike have turned their attention to regulating law enforcement’s use of unmanned aircraft for surveillance (drones). New laws in nine states require the government to have court approval before using drones for surveillance or for capturing images. North Carolina and Virginia have enacted moratoria on drone use by the government, both expiring in mid-2015. Oregon requires state registration of all drones and bans their uses as weapons.

Access to Metadata

Montana is apparently the first state to limit government agencies from getting access to location information from telephone providers (metadata) unless there is consent, an emergency, a search warrant, or a report of a stolen device. Texas seems to be the first state to require by statute a court warrant for law enforcement to procure email content. The law is written in such a way as to authorize access to email as much as to restrict it. The statute claims that Texas authorities may seize email content outside of Texas.


There has been a significant campaign throughout the U.S. to “ban-the-box.” That is the box found on many job applications asking whether Applicants have ever been arrested or convicted. Many applicants have said that checking the box virtually assures that an application will be ditched.

Therefore, reformers have asked state legislators to enact “ban-the-box” laws. The laws require elimination of the inquiry, whether it is in writing or verbally, until an applicant has been determined to meet the minimum requirements for a position and moves to the second stage of consideration for a job, usually an interview.

Hawaii passed the first “ban-the-box” law in the nation, in 1998. In the past 18 months, ten states have followed suit. Some laws cover government employment; others cover public and private employment. In addition, Georgia and Illinois have banned the box administratively.

Employers’ Electronic Monitoring

Connecticut and Delaware now prohibit electronic monitoring of employees without advance notice.

In California

California legislators continue to occupy themselves with advancing the pro-privacy laws in their state. In the past 12 months, they required Web sites to notify the public that they are forbidden from using personal data about minors in marketing. Kids now have rights to remove some data about themselves from Web sites.

‘Smart Grid’ Restrictions

Utilities in California are restricted in secondary uses of customer data in so-called “smart grid” technology, which allows precise pricing based on usage. This is the first such law in the nation.

The 2014 supplement shows the varied dimensions of PRIVACY in this decade.

Schools May Not Require SSNs
- From the May 2014 issue

The federal government has again instructed school districts that they may not require Social Security numbers of students or parents. The guidance came in a memo from the Department of Justice and Department of Education in May emphasizing previously issued prohibitions against rejecting immigrant children, whether or not they came to this country illegally.

Canadian Internet Traffic Monitored in U.S.?
- From the May 2014 issue

The revelation in June 2013 about widespread surveillance by the National Security Agency has led to an effort in Canada to stop Internet service providers there from routing Canadians’ communications through the U.S.

"Twenty-five percent of Internet traffic that originates and terminates in Canada travels via the U.S., where unprotected by either Canadian or U.S. legal systems, it is subject to NSA surveillance. We call this ‘boomerang’ traffic," says a research team at the University of Toronto. In the process the group determined that no ISP in Canada fully complies with the nation's privacy law, PIPEDA. In response, they created, a mapping tool that displays the routing of personal data of Canadians through the U.S.

Get the full story by asking for a sample of our May 2014 issue.

A Guide for the Frugal Privacy Seeker
By Publisher Robert Ellis Smith
From the March 2014 edition

A Washington author used up space in The New York Times early this month telling readers that protecting your privacy is expensive. “Last year, I spent more than $2200 and countless hours to protect my privacy,” she wrote.

I didn’t. In my 40 years in this business, it has cost me less than $50 a year and only a few hours a year to provide myself a strong sense of privacy.
Some strategies are essential:

1. Protect your Social Security number at all times. Don’t give it out even though it seems that you may be penalized for it.

2. Avoid “credit monitoring services,” paper shredders, apps, “identity-theft protection,” anti-eavesdropping experts, Internet filters, unless you want to spend a lot of money.

3. Think of Noah’s Ark. To protect your privacy, think in twos. Rip in half any documents with vital personal information on them, including Social Security numbers, bank-account figures, or credit-card numbers. Deposit them in separate side-by-side trash containers. Empty each trash can at alternating times. Or use a paper shredder if you still want to spend money.

Use two personal phone numbers, one for your friends and another for commercial transactions and public circulation. Use a personal mailing address and a “public” mailing address, which can be a post office box, a commercial mail-receiving firm, an office address, or a landlord’s address. This second address will not disclose your physical whereabouts, or that of your children.

Have two Internet service providers and electronic-mail providers, one for sensitive uses and the other for “public” uses. Have two credit cards, one for point-of-sale use and one for online use. If something goes wrong online, you can promptly cancel that credit card with no inconvenience at all.

Use a second, out-of-town doctor to disguise certain sensitive treatments, if necessary.

There are many more tips in this article in the March 2014 issue. Ask for a free copy at orders@​

And many more tips on this Web site, at Privacy Tips.

PRIVACY JOURNAL publisher Robert Ellis Smith has expanded his interest in personal privacy and solitude to explore the lure that islands hold for all of us, as places to live or places to escape. He has published "The Magnetism of Islands," an eBook that takes you to real and literary islands to discover how much alike they are, whether urban or rural, New England or South Pacific. "The Magnetism of Islands" is available from to download to your electronic reading device or directly from PRIVACY JOURNAL, orders@​ The price is $9.50.

- From the January 2014 issue

Drones and the Current Law
By Brian Stern and Matthias Rubekeil

Many UAVs [drones] can carry sensors and cameras that produce quality real-time imagery, making them ideal vehicles for surveillance tasks. Combining sensor capabilities with facial or biometric recognition software would make UAVs even more appealing for such purposes and allow potentially significant intrusions and threats to the constitutional right to privacy. . . . .

While the U. S. Supreme Court has not yet addressed the use of drones in conducting domestic surveillance, there are cases that could be instructive.
First, there are cases pertaining to surveillance by manned aircraft, where police have attempted to investigate marijuana-growing operations based on information obtained from tipsters. . . . .

Under current regulations, it is easier for private citizens to fly a drone than to obtain a license to operate a car. . . . Get the full story by asking for a sample copy of our December 2013 issue.

Hackers Get into Consumer Data
- From the November 2013 issue

A shady service that sells Social Security numbers and drivers license numbers – as well as bank-account and credit-card data on millions of Americans – purchased much of its data from a company owned by Experian, one of the three major credit bureaus, according to a story in the November 2013 issue.

An information broker that sells Social Security numbers, dates of birth, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to an accompanying article in the same issue..

The Web site (sometimes referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, dates of birth, and other personal data on nearly all U.S. residents.

Portable Police Device to ID Suspects Instantly
-- From the October 2013 issue - Ask for a free copy

Within seconds of the fatal shooting of the gunman in the Washington Navy Yard massacre Sept. 16, law enforcement personnel on the scene were able to apply a hand-held device to his hand and determine his identity and possible encounters with police.

The prints gathered by the device are run through an electronic database, usually operated by individual states, creating a rapid search for identities and outstanding warrants.

In this case, the instant identification of Aaron Alexis, the presumed gunman, was probably not crucial. He was carrying an identity document permitting access to the naval complex and employees within the complex were browsing the Internet on their office computers to determine his identity within moments of when the shooting began.

The New York City Police Department has had this high-tech capability for more than five years.

The NYPD has about 20 of the MorphoTrak readers, at a cost of about $5,000 each. . . .

'Something Else to Worry About'
-- -- -- From the September 2013 issue

It is the curse – or the responsibility – of this publication to greet readers each month with Something Else to Worry About.
This month it is “The Internet of Things.” The Oxford English Dictionary, often the arbiter of acceptable current language, added the phrase to its definitions last month, at the same time that The National Geographic magazine took notice.
This month, as a prelude to a workshop in Washington on the concept, the Federal Trade Commission presented what is perhaps a garden-variety deceptive-advertising case involving providers of home-security services as its first “Internet of Things” enforcement action. Ask for a sample copy of our September 2013 issue for the full story.

Just Published

“The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals,” writes Mozilla Chief Privacy Officer Alex Fowler in an open letter to his colleagues, corporate privacy officers. Keep up with this important stuff. Subscribe to the newsletter and stay current each month.

Shouldn't Equifax Be Ineligible for Federal Money?
-- From the August 2013 issue [Ask for a free copy.]

The U.S. Department of Health and Human Services has extended a lucrative contract to the discredited national credit-reporting company Equifax to check whether low-income applicants qualify for government subsidies for health-insurance coverage in the new Obamacare program.

Since the Fair Credit Reporting Act was enacted in 1971, the Atlanta-based company has been under Federal Trade Commission orders to comply with the act. The FTC has forced Equifax to submit to regular compliance audits. Normally businesses subject to such federal sanctions are placed on a list of non-responsible bidders and therefore ineligible for federal contracts.

Letter to the Editor
- From the July 2013 issue

From Florida: How do you respond to people who say that nabbing the Boston Marathon bombers and the potential for catching other criminals justifies the blizzard of camera installations around the country?

What methods have you found to be effective in persuading people to care about privacy and its preservation?

Response: We urge our readers and Web-site visitors to submit responses to these queries.

Our response is that we should not include the NSA surveillance, the anti-terrorist law enforcement activity in the U.S. including camera surveillance, and commercial snooping in the same all-inclusive eulogy for the death of privacy. They have different roots and different motivations.

We should remember that it was an eyewitness identification of one suspect that led to the solution of the Boston Marathon case. Camera suveillance tapes were then used to notify the wider community of the suspects’ identities.

Law enforcement will tell you that TV cameras all over town rarely deter crime; they lead to the capture of suspects. But even that use will have diminishing effectiveness, as the equipment rusts, gets blown off target by weather, gets vandalized and broken. And perhaps as Americans get annoyed with it.

Further, most Americans give up more of their own privacy than is taken away from them by government or business. And they give it up for mere convenience, without regard to the sacrifices made by our American forebears to assure a right to privacy.

What’s important is that we not resign ourselves to a life without privacy and individualism, that we do not take a bemused attitude towards what is essentially a betrayal of American values.

Even if you yourself are not interested in privacy, there are many persons for whom privacy is essential and worth fighting for. A sense of privacy and autonomy is essential for sound mental health. Without it, there is no originality of thought, no intellectual risk taking, no willingness to challenge conventional wisdom.

The great danger is that we become a nation of sheep, mindlessly exchanging trivial comments over communications systems that we subconsciously no longer trust. Individuals in this decade have under their control an unprecedented array of communications technology; yet we use it for silly purposes.

A Student Actor Describes His Nudity on Stage

By David Lee Dallas
--- From the April 2013 edition

What my experience with nudity in a student theater production taught me was the significance of earning the nudity within the context of the story being told. If the nudity exists fully and fluidly within the narrative and thematic realm of the piece, it becomes inseparable from the piece, and not an entity itself. Audiences understood why the character is naked, and thus they had no concern for, or even cognizance of, the actor’s nudity. Ultimately, what matters, what is permanent for the audience, is the why of the nudity, not the body or the memory of the body.

. . . The fact of my naked body standing on that stage remains in the privacy of the play's theatrical space, a space cleaved open when the house lights dimmed and closed shut when they came back on.

A Chance to Comment on Airport Screening

-- From the April 2013 edition

Compelled by a court order sought by the Electronic Privacy Information Center 18 months ago, the Transportation Security Administration has launched an opportunity for citizens to comment on airport screening procedures. TSA has a policy of declining to admit that the procedures capture images of the nude human body; they use the euphemism “advanced image technology.” Travelers have a right to opt out of these scanners, but this is not always clearly announced and the alternative may be less palatable for many – a shockingly intrusive pat-down. It’s not clear that the scanners detect explosives. The public comment process will end June 24. To submit comments, go to http:/​/​​. To find recommendations on commenting by EPIC, go to http:/​/​​.

Protections From Domestic Drones Overhead?
-- From the March 2013 issue; ask for a free copy

After a full year of acting as if no privacy safeguards protect against spying by drones flying overhead in the U.S. or are necessary, the federal government now says that it will develop privacy protections in a rule-making process.
The Federal Aviation Administration Modernization and Reform Act passed in February 2012 gave the go-ahead to drone use within the U.S., and several privacy groups, including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and Electronic Privacy Information Center wrote to the FAA urging privacy protections. Last month, the FAA wrote back, saying that it would develop them.

Letter to the Editor From a Security Specialist

I recommend that Facebook users perform a self-audit of their profiles at least annually. Chances are this audit will reveal that you are sharing way more information about yourself than you understood. And with the new Facebook Graph Search [see PJ Feb 13], more people than you ever intended will be able to find this information. To conduct a self-audit, download your expanded Facebook archive (important to chose this option) by following the directions at http:/​/​​ 2013/​02/​01/​how-to-backup-your-facebook-data-in-5-easy-steps. As well, you may find this article from TIME Tech helpful in reviewing your privacy settings on Facebook: http:/​/​techland.​2013/​02/​15/​how-to-check-your-face book-privacy-settings/​.

Evidence of Intrusive Spying on Muslims in U.S.
-- From the February 2013 issue

Shocking assertions of police surveillance in the anti-terrorism age against law-abiding citizens, most of them Muslims, came from two different sources this month.

Both sources said that the spying was expensive, excessive, invasive, unconstitutional, and ultimately ineffective in identifying terrorism suspects.
Lawyers representing the New York Civil Liberties Union filed papers in federal court in Manhattan Feb. 4 seeking to stop the N.Y. Police Department from creating dossiers on innocent Muslim New Yorkers and to end the police department’s ability to initiate investigations into Muslims when there is no belief that they have engaged or are about to engage in unlawful activity or an act of terrorism.

Secondly, a book published this month asserts, “Since 9/​11 the FBI has built the largest net-work of spies ever to exist in the United States – with ten times as many informants on the streets today as there were during the infamous Cointelpro operations under FBI Director J. Edgar Hoover – with the majority of these spies focused on ferreting out terrorism in Muslim communities. Agents
provocateurs were behind most of the scary terrorist plots you’ve heard about since 9/​11.”

The author of the expose, The Terror Factory, is Trevor Aaronson, a highly recognized investigative journalist who has amassed information about the FBI’s activities and expenditures over the past ten years (http:/​/​ He writes that he discovered “how the government has exaggerated the threat of Islamic terrorism in the U.S.”

Get the full story in the February 2013 issue, available without charge if you request by email or telephone.

Privacy Advocates Counteract Corporate Lobbying in Europe

Public-interest advocates in Washington have taken the unusual step of packing their bags and traveling to Europe to counteract corporate lobbying to diminish data-protection legislation in the European Parliament. One organization has taken the unprecedented step of hiring a new staff person specifically to lobby for privacy protections in Europe.

The group met with Members of the European Parliament in Brussels last month.

In California, App Must Have Policy and Live By It
- From the January 2013 issue of Privacy Journal

In the first enforcement action concerning mobile applications under California’s online privacy law, California Attorney General Kamala D. Harris filed a state court complaint against Delta Air Lines for failing to post a privacy policy that covers its mobile app. The California Online Privacy Protection Act and the state’s Unfair Competition Law require a business like Delta to “conspicuously post a privacy policy in its Fly Delta app” and to comply with its own Web site privacy policy, the AG says. New rules affecting all businesses in the state came in January.

FTC's Privacy Compliance Powers Challenged

When the Wyndham hotel chain was sued by the Federal Trade Commission last summer after experiencing three serious hacking incidents involving theft of customer billing data, the corporation struck back, filing a motion to dismiss, saying that the FTC had no authority to do what it was doing. Most businesses have accepted the commission's authority in this area. The U.S. Chamber of Commerce and other business interests immediately jumped to the defense of the company.

Get the full stories and more, by getting a sample copy of the January 2013 issue of PRIVACY JOURNAL.

Federal Trade Commission Steps Up Enforcement

In its December 2012 issue, Privacy Journal described sanctions and penalties issued in the past 12 months by the federal government's prime agency for enforcing requirements that companies abide by their promises to keep information secure, accurate, and timely.

Among the companies that faced monetary penalties and requirements that they open their books to regular audits by the FTC are:

MySpace; Facebook, Equifax Information Services, Inc., one of the three major consumer reporting agencies; Direct Lending Source, Inc., one of Equifax' partners in a list-rental scheme; Google, for bamboozling customers of the Google Buzz social-media product in 2010.

Spokeo of Pasadena, Calif., which aggregates postal and email addresses and telephone numbers from public records and social-media sites and sells them to employment recruiters; HireRight Solutions, an Irvine, Calif. firm that does background checks for employers. of Boston; DesignerWare, a software supplier; RockYou, developer of social games; EPN, Inc., a Utah debt collector; Franklin Toyota in Statesboro, Ga.; Upromise, an online rebate service; ScanScout, a broker on online video ads.

The FTC had to order Google to appoint a privacy officer. In January, the same agency ordered Google to change some practices that the agency said were monopolistic.

Only Privacy Journal compiled this detailed listing and published it.

Kids Creating Own Online Schoolhouses
By Michael Levin
-- from the November 2012 issue

The Internet affords children endless oppor¬tun¬i-ties to get into serious trouble, downloading what they shouldn’t download, looking at what they shouldn’t be looking at, and getting ideas about what they shouldn’t be getting ideas about.

But the good news is that if your kids are like mine, they may be doing some or all of those things, but there’s another use for the Internet that’s attracting their time and attention.

It’s called teaching. . . .

May Companies Control Facebook Use at Work?

The staff of the National Labor Relations Board, which investigates unfair labor practices, has considered several cases involving possible or actual discipline of employees using social media like YouTube, blogs, and Facebook. In at least six cases, Acting General Counsel Lafe E. Solomon found the company policies on use of social media by employees “overbroad and thus unlawful under the National Labor Relations Act.”

[In the November issue: the text of what the NLRB considers a lawful company policy on Facebook use. Ask us for a free copy.]

Important Items From our October issue:

“A bipartisan Senate investigation shows that fusion spying centers do not keep us safe but, instead, waste billions of tax dollars, violate civil liberties of ordinary Americans, and utterly fail to stop terrorists,” according to Carol Rose, executive director of the American Civil Liberties Union of Massachusetts.

Rose has been alerting the public to the dangers of these federally funded centers of federal, state, and local law-enforcement intelligence officers since they were created after the 2001 terrorist attacks. They were a reaction to the revelations that intelligence officers at different levels were not “connecting the dots” by sharing terrorism clues they had in their possession.

* * *

The health-care compliance office in the U.S. Department of Health and Human Services has finally approached collecting a $4.3 million fine it assessed in February 2011 against Cignet Health, a clinic in suburban Washington, for major violations of the HIPAA rule.

* * *

Despite deep ideological divisions, Democrats and Republicans in Congress still can find common ground on one thing: their frustration with Medicare. Five years after being told to look at taking Social Security numbers off Medicare cards, Medicare officials told lawmakers at a tense House hearing this summer that they still need six more months to figure out how much it will cost.

* * *
New high-definition cameras are being rolled out across United Kingdom cities without public consultation into the intrusion they pose, the United Kingdom’s first “surveillance commissioner” has told "The Independent."

Andrew Rennison said that the increasing sophistication of surveillance technology is becoming so serious that Britain may be in breach of its own human rights laws. There are an estimated 1.85 million CCTV (closed-circuit) cameras in the U.K., but no one really knows.

* * *

California Gov. Jerry Brown has signed two bills prohibiting employers and educational institutions from requiring or coercing disclosure of passwords or other means to access personal information on social-media sites. Gov. Brown vetoed a bill that would have required law enforcement officers to get a search warrant in order to obtain location information generated by a cell phone, tablet computer or automobile navigation system (GPS).

* * *

Do You Have Klout, or Merely Clout?
By Lini S. Kadaba - From the July 2012 issue

What’s Your Klout Score?

Increasingly, that’s the question asked during job interviews, before first dates and for the chance to win cool trips.

For the clueless, Klout is the four-year-old, controversial grandaddy of social scoring, in which a top-secret algorithm distills the ability to influence online action into a single number between 0 and 100. Think of it as a credit score for the social Net.

Get the full story; ask for a free copy of our July 2012 issue.

The Eavesdropping Fanatic
- From the July 2012 issue

Nanette and Norman had an intimate relationship from 2001 to 2007. Then things went sour. Very sour.

In February 2007 they quit seeing each other. In July 2007, a plumber informed Nanette (not her real name) that he found suspicious equipment between the floor jousts in the small crawl space beneath her house in central Connecticut. The woman, a medical assistant, promptly called the local police and asked Norman whether he had installed the listening equipment. Norman admitted that he had, according to Nanette. He further admitted that he had been viewing video from her bedroom and, in his car, listening to audio coming through devices he had installed in her home.

What happened next? Call or write for a sample copy of the July 2012 issue.

Taming ID Theft Through Credit Bureau Restrictions
- From the July 2012 issue

Rhode Island has enacted a new law that, for the first time in any state, strikes at the heart of the epidemic of theft of identity. Effective immediately, it requires any credit bureau to rely on more identifiers than solely a Social Security number when it furnishes a credit report to a credit grantor on a particular consumer.

Since the mid-1990s, credit bureaus have furnished a credit report on a consumer when merely the Social Security in the credit report matches the Social Security number listed on a credit application. The Federal Trade Commission staff at the time actually encouraged credit bureaus to do this.

Sixty percent or more of theft of identity arises when an imposter takes another person’s Social Security number and applies for credit, using a different address from the victim’s and possibly a different name. Still, credit bureaus furnish the victim’s credit report to the credit grantor, whether retailers, employers, landlords, or insurance companies. The imposter relies on the victim’s good credit and the consumer is left to clear up the confusion caused by what is called “a mixed file.”

Now, in Rhode Island at least, credit bureaus must also make sure that the name and at least one other identifier in addition to an SSN match, like address, date of birth, place of employment, or lines of credit. Presumably an imposter would have to possess name, SSN, and one other identifier in order effectively to misappropriate a consumer’s credit record.

What Do We Think of Others' Conduct?
- From the June 2012 issue. Ask for a free copy, by email or postal mail

Americans have changed hardly at all in the past 11 years in most of their ideas about what is morally acceptable. . . . according our front-page story. In that period have come terrorism threats, increased availability of pornography online, breakthroughs in cloning human beings, campaigns to fund research into stem-cell usage, popularity of gaming casinos, politicians’’ disapproval of the use of birth control and abortion, and continuing incidence of divorce and “living together.”
Yet in each of these areas, about the same number of Americans views the activities as morally acceptable as they did in 2001.

By exception respondents to a Gallup poll in May showed more acceptance of homosexuality and less acceptance of the death penalty.

College Admissions Offices Too Busy to Snoop FB

As students – and their parents – fret over social networks and what all they convey, college admissions officers allow that they are not spending hours hunting for blush-worthy tweets or photos of drunken high school students. It is partly an issue of invading what some consider a private space. But it is also very much a matter of hours in a day, writes Lini S. Kadaba in the June issue.

“We don’t go fishing,” said Jim Bock, vice president and dean of admissions at Swarthmore College in Pennsylvania. “It’s a time issue. We have a lot of information to review, and it’s a privacy issue as well. . . . What we ask for is enough.”

Compelling perspectives from the May 2012 issue:

"The goal of the World Conference on International Telecommunications this December is to re-negotiate and re-draft the 1988 global treaty in order to give the ITU jurisdiction over the Internet. While the draft proposals will seem 'innocuous and small at first, there’s going to be a big line crossed, and that will be from the U.N. not regulating the Internet to it having jurisdiction over the Internet. That would be just the first stage of an incremental [U.N. takeover of the Internet].'”
* * *

"Though the U.S. Supreme Court decision says only that the practice of strip-searching is permitted, not required, a vast discretion is now placed in the hands of any and 'every petty official' who for no reason other than a desire to humiliate and intimidate can order a strip search of political protesters, minority persons, women, gays, etc. There is a solution at hand, however. States are free to enact legislation mirroring that of the ten states that already ban strip searches of arrestees for misdemeanors unless an officer has reason to believe the person is concealing weapons or contraband. "
* * *

"With a surge in the final days of the 2011 session, the California legislature enacted several new privacy protections that clearly keep the state at the top of our list of the privacy-protecting states in the U.S. California has ranked first and Minnesota a close second since this newsletter began ranking the states in 1999. "
* * *

"Terrorists can do only so much. They cannot take away our freedoms. They cannot reduce our liberties. They cannot, by themselves, cause that much terror. It’s our reaction to terrorism that determines whether or not their actions are ultimately successful. That we allow governments to do these things to us – to effectively do the terrorists’ job for them – is the greatest harm of all."

It's a Lousy Word

- From April 2012 issue

"We often say that the word privacy is inadequate. It is vague, subject to outrageous degrees of modification, is mauled by arbitrary interpretation and its meaning and context constantly shift. However we may not have considered how the word itself – in its nature and form – is wholly inadequate and even detrimental."

Why is this man so upset? Find out by reading Simon Davies' complete rant against the word privacy in our April 2012 issue. Free sample available upon your request.

In the March issue: Why corporate legal strategies are undermining the right to a jury trial?

Highlights From the February 2012 issue

Electronic Frontier Foundation's Rainey Reitman tells you how to handle Google's consolidated privacy policy.

Publisher Robert Ellis Smith projects a course of action after the Jones decision on GPS tracking

Ontario's Privacy Commissioner gives her constituents urgent homework.

An author sees a difference between men's and women's reactions to eavesdropping.

A tech-savvy reader provides a great bar-code oriented solution to unwanted mail.

Another reader sees nothing wrong with demanding ID documents at the polling place.

And a third reader tells you how to keep track of the online marketers tracking you.

Ask for a sample copy of the February 2011 issue to get all this and more.

The Decade of Facial Recognition
- From the January 2012 issue

Will the years between 2011 and 2020 be the decade of facial recognition?

New software can measure spatial relationships among facial features in a photo or drawing of a person, convert the data into an algorithm (or mathematical ‘map’ of the face) and then compare it with the same elements in a person captured by a Web camera in a crowd.

Investigators need not develop a database or even facial-re¬cognition applications on their own. A fledgling business is doing it for them.

It is called Facebook. The social-media giant, founded by college kids just eight and a half years ago, has made facial recognition a top priority. And Apple and Google are not far behind.

Researchers at Carnegie Mellon University in Pittsburgh have identified anonymous persons merely by searching Facebook’s photo collection.

“The face is the conduit between you (your life) and the online world, between offline data and the online world,” says one. Next: Facial recognition capability in eye glasses; police in Brazil will use them to patrol the World Cup soccer crowds this summer. Next, after that: Face recognition capability in contact lens. No kidding.

Get a copy of our January 2011 newsletter for the whole story. orders@​

Federal Agency Timid About Collecting Fine
- from December 2011 issue

When the Department of Health and Human Services assessed a fine of $4.3 million on a suburban Washington health provider for its refusal to give patients copies of their medical records, it ordered the company, Cignet Health, to pay up immediately.

After all, Congress in 2009 had amended the HIPAA health confidentiality law to force HHS to enforce the law, at least more than it had in the recent past.

“We’re serious about this,” said HHS Secretary Kathleen Sibelius.

That was Feb. 4. The fine has yet to been paid. The department has no plan to collect it. Its Office for Civil Rights has rebuffed PRIVACY JOURNAL’s regular requests for information about the hold-up and the government’s apparent timidity to collect the fine. Collecting unpaid fines is not exactly a novel governmental func¬tion but, OCR tells PRIVACY JOURNAL, it doesn’t want to talk about the Cignet indebtedness. The health-care provider refused to give patients copies of their medical records, as required by federal law, and then much later gave them to the wrong people.

Voter ID Requirements Will Slow the Process
-From November 2011 issue

. . . Voter-identification requirements will surely alter the balance in voting in the 2012 election because they will certainly slow down the process in neighborhoods that traditionally have had significant waiting lines to vote. They will allow poll workers to send some voters away without voting and allow some poll workers to pick and choose voters for strict application of the law. Some minority-group community workers feel that the ID requirements will deter many voters from even showing up at the polls, especially Hispanic residents worried about their status.

For all citizens, the push for identification will diminish their freedom by inducing them to believe that they must carry ID at other times and must disclose personal information in order to secure an acceptable piece of plastic.

For more on this and a list of states with new ID requirements for voting, ask for a free copy of our November issue, in hard copy or the pdf email version.

Wear the Web on Your Sleeve
- From October 2011 issue

New fangled bar codes now allow strangers with a scanning device to access your personal profiles on social-media sites and other kinds of Web-related information you have posted online.

Wearing the so-called QR (quick response) code allows you to “wear the Web,” according to one distributor of the scanners, Skanz. You become a walking Web site. QR codes can store far more data than traditional bar codes with vertical black lines. Because they are easily readable and have huge storage capacity, the two-dimensional codes have become the latest thing in the fashion industry, retailing, periodicals, and automotive manufacturing. Models often have the codes as part of the clothing they display so that interested persons may simply access a Web site with online product information.

Scan a QR code in an advertisement or news article and go immediately to a relevant Web page. Pass by a military recruiting office and scan the QR code in the window. Scan the code (in 2013 anyway) on the window sticker of a new automobile and learn lots more about the fuel usage and environmental impact of the vehicle.

Learn more by asking for a copy of the October 2011 newsletter (no charge).

- from the September 2011 issue

. . . Examining the actions of those behind the social networking boom, as opposed to their rhetoric, reveals that they, much more so than their customers, scrupulously protect personal information about themselves.

It’s no secret that Mark Zuckerberg, founder of Facebook, is in the business of encouraging people to share more of their personal information online. The company’s business model relies on revenues from targeted advertisements, which means it requires not only a constant increase in users, but also a constant increase in the amount of personal information users share. Therefore, it should be no surprise that Zuckerberg’s public statements tend to downplay privacy concerns and encourage users to feel comfortable posting their personal information online for the world, including Facebook’s advertising partners, to see.

. . . . If, as he claims, the current social norm is to post all our personal information publicly for anyone to see, then Zuckerberg’s own social networking pages show that he must be behind the times. While any Facebook member can view the 27-year-old entrepreneur’s basic Facebook page, he rarely posts anything that is publicly viewable [He's not the only social-networking exec to prize his own privacy and belittle others. Ask for a free copy of the September 2011 PJ for the full story by Andrew P. Smith.]


Since 2001, we have allowed angry surveillance and intrusive questioning to be turned against our own people, spending billions of dollars in bogus technology and identity schemes, most of it to create what policy makers will admit is “security theater.” They will say that that is what the American public wants, not carefully targeted security precautions directed towards the likely perpetrators of the September 11 terrorist attacks and their progeny.

Americans, the victims of the attacks, are subjected to delays at airports and outrageous pokes at their private parts, viewed by networked cameras everywhere, required to carry photo IDs in order to travel or to vote or attend school; their personal data is collected and manipulated and stored in gigantic database that seem to show no relevance to the current threat.

Read the whole editorial retrospective in the September 2011 issue, available for free -

Our email address: orders@​
Telephone: 401/​274-7861

No Big Secret

- From the August 2011 issue of Privacy Journal, available now

It’s not hard at all to figure out who is male and who is female by looking at the language used on Twitter, according to an analysis by four researchers at the Mitre Corp. "Discriminating Gender on Twitter,"​work/​tech_papers/​2011/​11_0170/​11_0170.pdf. A similar analysis at Johns Hopkins University in 2010 claimed to identify political parties, place of residence and age from the words used on Twitter,​~delip/​smuc.pdf.

The Chief Judge of Silicon Valley

From the July 2011 issue

The center of gravity in the Internet legal world is the courtroom of the chief judge of the federal court for the Northern District of California, located in San Jose, the heart of Silicon Valley.

Because the Silicon Valley area south of San Francisco is home to Google, Facebook, PayPal and other Internet giants, class actions and other lawsuits over privacy, intellectual property, and other hi-tech issues end up in the federal court there, and usually on the calendar of the chief judge, James Ware. His decisions will re-define several aspects of law in the Internet age.

The 65-year-old judge has little in the way of high-tech training or experience to make him particularly well suited to preside over these influential cases, but he is no stranger to high-profile cases or the media spotlight that comes with them.

Read the full story by requesting a sample copy of the July 2011 issue.

Police Now Have Device for Sweeping All Cell Data

From the July 2011 issue

With all their new functionality, smartphones can make almost everybody’s job easier – including law enforcement. A new industry has emerged making and marketing both devices and software that can extract sensitive data from cell phones and other mobile technology. With all the information that can potentially pass through a cell phone, these devices could lead to a paradigm shift in evidence gathering for law enforcement.

One such device, the Cellebrite UFED, has been produced since 2007 and marketed to “military, law enforcement and government agencies around the world,” according to PJ correspondent Andrew P. Smith.

The UFED has the ability to extract virtually every bit of data (past and present) from cell phones and other mobile devices.

For the full story ask for a free copy of our July 2011 issue.


All I wanted to do was have Google's Street View remove the image of my personal residence from its Web site, as it promises to do. In the June 2011 issue of PRIVACY JOURNAL, read the logs of my email messages back and forth to Google; 17 months later I still do not have a resolution, in violation of federal privacy standards and Google's own promises. Publisher Robert Ellis Smith

Student Records and Student Rights

The U.S. Department of Education proposes making pupil records more widely available to states for tracking progress. A parent balks at "biometric finger scanning identification" of elementary students in New Jersey. Kids use a new app called Foursquare to keep in touch - and expose themselves to stalking. "Youths are facing a fishbowl existence and have to chose between "excessive caution or foolhardy fearlessness," says a new collection of essays. All of this in the May 2011 issue of Privacy Journal.

Last Four Digits? Careful!
Providing only the last four digits of your Social Security number – once a fall-back position – does not provide adequate protection against theft of identity. In our April issue, we explain why.

And we report that Google, Inc., may have succeeded in locking out the most activist of privacy groups from receiving grants under an $8.5 million fund created in a settlement of a class-action lawsuit over the company’s violation of the privacy of customers of its Google Buzz product. The grants were intended for Internet privacy education efforts.

Does Eric Schmidt Mean It All?

By Chisheng Li
In September, Eric Schmidt, the chief executive officer of the search giant Google, was satirized as a “privacy pervert” by Consumer Watchdog, an investigative Web site attacking “injustice.” As part of its “Do Not Track Me” advertising campaign, the group paid for a billboard in Times Square depicting Schmidt as a data-thirsty person who stealthily spies on others.

This unflattering portrayal came following a year full of public objections, lawsuits and bad publicity concerning Google‟s massive collection of personal data from users‟ search choices and their unsecured residential WiFi networks and its disclosure of private Gmail contact information on Google Buzz, a social media site. . . .

If there is one consistent factor in Google‟s rough year of privacy miscues, it is its chief executive's ability to make seemingly rash comments that tend to underline the company‟s insensitivity towards users' individual rights.

At the Washington Ideas Forum in October, Schmidt labeled Google an omniscient Web product, saying, “We don‟t need you to type at all. We know where you are. We know where you've been. We can more or less know what you‟re thinking about.” Ironically, this comment came after he reassured his audience at the same forum that Google is against consumer intrusions. “The Google policy on a lot of things is to get right up to the creepy line and not cross it.” Unfortunately, his demonstration of Google‟s sophisticated tracking technology crossed over the “creepy line,” in the eyes of many. His undiplomatic PR effort was unpersuasive that the company truly cares for its users.

For the full story of privacy gems from Google's CEO, ask us for a sample copy of the January 2011 PRIVACY JOURNAL.

Who Has to Make Notifications of Company Losses
of Personal Data? When? How? And to Whom?

Each state law is different. Get the complete story in the February 2011 issue of PRIVACY JOURNAL. Ask for a sample copy now.

A Concept for Persons, Not Corporations

Virtually everybody agrees that privacy, by definition, is uniquely a personal right. Artificial persons, as opposed to natural persons, do not enjoy a right to privacy. [See "The Law of Privacy" by David Elder, 1991.] The law of privacy was “designed primarily to protect the feelings and sensibilities of human beings, rather than to safeguard property, business or other pecuniary interests,” according to the Kentucky Supreme Court in 1943. The reason for this is that a corporation of “a fictitious person and has no ‘feelings’ which may be injured,” according to a California state appeals court in 1980.

This is not to say that laws, regulations, and social policy do not recognize that corporations and other organizations have interests in confidentiality. This is distinct from a right to privacy. The law of trade secrets and the law of copyright are examples of interests in confidentiality by organizations; so are laws permitting certain government agencies to keep secret certain businesses information in their possession.

From "The Law of Privacy Explained" by Robert Ellis Smith

In view of this history, it is strange that the U.S. Supreme Court has agreed to hear a case in the new year that recognizes a right to privacy for corporations. [Get the full story by getting a copy of our December 2010 issue free by emailing or calling us, 401/​274-7861.] Subsequently, on Mar. 1, 2011, the Supreme Court ruled unanimously that a corporation may not make use of the "personal privacy" exemption in the Freedom of Information Act.

Our email address: orders@​
Telephone: 401/​274-7861

What Is Happening with Street View?

For a scorecard on the investigations around the world of the collection of WiFi information from residences by Google's Street View camera cars, see the November 2010 issue of PRIVACY JOURNAL. Ask for a copy.

The Most Brutal Intrusion
From the October 2010 issue

It was the most humiliating and brutal invasion of privacy to afflict someone.

It was, in fact, the type of invasion of privacy that most persons conjure when imagining the most obviously outrageous example of a privacy intrusion. But it is usually invoked as a hypothetical example.
An 18-year-old male freshman at Rutgers University in New Jersey covertly took camera images of his 18-year-old roommate in a male-to-male encounter in their dormitory room and aired them live throughout the global Internet.

The victim, Tyler Clementi, after discovering the exposure, tried desperately to get advice from friends on the Internet as to how to stop the camera stalking, whether to report it, or how to ignore it. The perpetrator, Dharun Ravi, then invited online friends a second time to view Tyler in a gay encounter the privacy of his dorm room.

What are the criminal and civil-lawsuit consequences of the apparent act? Only Publisher Robert Ellis Smith can answer this intelligently, and he does do in the October 2010 issue of PRIVACY JOURNAL. Send us an email for a free sample copy and a discount off your ultimate subscription.

Efforts to Curb Blackberry Use Overseas
-- From the August 2010 issue

UAE is the second country after Saudi Arabia to issue a ban on BlackBerry service. China, India and Kuwait are contemplating similar acts for the same reason. Amid concerns about RIM’s encryption protocol, the European Commission earlier this month said it would replace the BlackBerry with the iPhone and HTC as the organization’s smartphone choices.

RIM, maker of Blackberry devices, currently operates in at least 175 countries world-wide. Although RIM remained vague on the company’s next step, it is possible that the firm would accommodate the requests from the UAE to some extent. Technology companies have increasingly found it challenging to maintain a high standard of consumer data protection.

Read the full account by Chisheng Li of PRIVACY JOURNAL by asking for a free sample copy of our August 2010 issue.

Social Security to Employ Experian
- From the July 2010 issue

The Social Security Administration has contracted with the Experian nationwide credit bureau to verify or authenticate the identity of persons applying for benefits. Experian has been cited by another arm of the federal government, the Federal Trade Commission, and courts for inaccuracy in its data systems since passage of the Fair Credit Reporting Act in 1970.

The Social Security Administration believes that its own records are not accurate enough to do this.

The new procedure is part of a capability to apply for benefits online, said to be about one year away. verify or authenticate individuals. SSA would provide name, address, date of birth, and a phone number supplied with the online application and Experian will generate a few questions that the applicant to answer, to verify identity. Non- online applicants and current recipients will not be affected by the change, the agency said.

In 2000, a federal appeals court cited Experian for shoddy handling of matches based on Social Security numbers, and anecdotal evidence since then shows persistent failures by the company.

Our June issue is devoted to bringing you totally up to date on the privacy miscues by Google and by Facebook, calling each of them taken alone the greatest threat to privacy since we began publishing 36 years ago. Call or write us for a free copy of our June issue, hard copy or electronic. 401 274-7861, orders@​

States Regulate Auto 'Black Boxes'
- From May 2010 issue

Thirteen states have now enacted similar laws placing restrictions on the use of data in event data recorders, the “black boxes” that record a motor vehicle’s speed, steering, use of brakes and seat belts, and other characteristics for analysis after a collision.

The first generation of laws, like those in Arkansas and Texas, say that the owner of the vehicle owns the data and that it may not be retrieved or used without consent. Connecticut’s law, like others, permits access by a police officer or pursuant to a search warrant or if “The data is used for the purpose of improving motor vehicle safety.” In California, manufacturers must notify owners of the presence of the devices; Nevada requires the consent of owners.

The trend has been pushed by IEEE, the world’s leading professional association for the advancement of technology, through its so-called P1616a Working Group.

- For the rest of this story and an account of security-breach notification laws now in 44 states, write for a sample copy of the May 2010 issue.

One Man's Success Resisting a Universal Identifier
- From the April 2010 issue of PJ

Richard Lindsey, a plumbing contractor in Stuart, Fla., has lived much of his life without a Social Security number. That's 75 years.

Or so he thought until he challenged a requirement that he provide
an SSN to the county real-estate appraiser. The county wanted the number, it said, to match local taxpayers with identities of property owners in other states to see whether a local resident is claiming a homestead exemption in more than one jurisdiction. The exemption saves lots of tax money for those who reside full time in their own properties.

Only Florida seems to have this requirement; property-tax records generally do not have Social Security numbers appended to them, and so a true interstate matching system seems unattainable right now.

In the course of a lawsuit by Lindsey, the county discovered that there was in fact a Social Security number issued to Richard Lindsey, apparently secured by his parents long ago without his knowledge. And so, in a settlement of the lawsuit last month, Lindsay consented to use of the long-lost SSN - even though he disavowed it - and the county agreed to grant the homestead exemption.

PRIVACY JOURNAL Publisher Robert Ellis Smith was engaged as an expert witness in the case. Lindsey v. Kelly, 06-349-CA (Fla. 19th Cir. Ct. Martin County).

Richard Lindsey explains: "What really convinced me to file suit against the tax assessor was the rapid escalation of my property value and the county's nwillingness to offer any compromise or alternate for someone with no SSN. Most of my life I have been self-employed, which had something to do with operating minus an SSN, but the real secret was that there are no laws that require an American to have an SSN, and/​or operate under the Social Security system. The IRS provides alternatives for one who is opposed to the SSN.

"Most people do not know this but there are thousands, maybe millions of Americans who have strong feelings about the effects of government and the SSN universal identifier. Yes, I do have a drivers license. Yes, I do file taxes. The instructions from the IRS are to mark your return 'religious objector.' Yes I do have a passport - same strategy - where called for SSN you mark it 'religious objector.'"

911 Porn
-- from the March 2010 Privacy Journal

“News organizations increasingly seem to be treating their access to 911 recordings as what I would call ‘911 Porn’ -- playing these materials to their audiences in most cases solely for their prurient ratings value,” says privacy/​cyber¬rights activist Lauren Weinstein of Woodland Hills, Calif.

Weinstein says that it is time to stop releasing 911 materials on demand for publication or broadcast, absent clear and demonstrated necessity for the public good in any specific case.

“In specific situations where 911 conversations have probative value in courts, for other legal proceedings, or in related investigations, the recordings (and/​or associated transcripts) should obviously be made available to the relevant parties.”

Legislators in some states agree with him. Missouri, Pennsylvania, Rhode Island and Wyoming already keep such recordings private. Proposals to do so in Alabama, Ohio, and Wisconsin have been presented in state legislatures.

For the full story, ask for a free copy of our March 2010 issue, in pdf by email or hard copy.

Advice on the Census
-- From the February 2010 issue

The census form to be circulated in April has ten questions: number of persons living in the structure; additional persons “staying there”; type of residence and type of financing; telephone number; and the gender, age, date of birth, ethnicity, race, and alternative residence of each person in the household. The Census form does not require Social Security numbers, salary, credit-card or banking information, marital information, or sexual identity.

Census workers will carry government ID badges and will not ask to enter the house. Federal law provides a fine of $100 for failure to answer and $500 for answering untruthfully. But this is rarely enforced and courts have not been clear that answering the Census is required.

Personal data held by the Bureau of Census is confidential by law, with stiff penalties for violations, and the bureau has a longtime reputation for vigorously protecting data in its possession.

Has TV Surveillance Peaked?
-- From the February 2010 issue

Great Britain is experiencing TV surveillance fatigue, says a young scholar who has studied the inner workings of cameras (CCTV) in England.

“We may be seeing a diminution,” said Gavin J.D. Smith, a lecturer in sociology at City University in London who spent long hours with the operators and observers of the cameras and wrote his PhD thesis on the effects of the operation on observers, not the observed. One
operator told him, “It's over. TV surveillance is dead.”

Smith's findings? “It's a screwed-up work culture,” bringing to mind William Faulkner's recurrent literary theme that victimizers often become victims and oppressors experience more mental anguish than the oppressed.

For a full report on the latest in camera surveillance in the U.S., Canada, and Great Britain, ask us for a sample copy of the February 2010 issue.

Ralph Nader Takes on Nude Scanners
-- From the February 2010 issue

Ralph Nader, the long-time consumer activist,has turned his sights to the “backscatter” nude screening devices and other technology at airports.
“Multi-million dollar investments in intelligence failed to do its job,” Nader told a group of privacy advocates gathered in Washington by the Electronic Privacy Information Center in January, and so the government is turning to untested technological fixes. He said the government was “sold a bill of goods” with regard to devices that puff air at a traveler to dislodge and detect explosive powders.

“There‟s a commercial motivation. Vendors persuade government security agencies to purchase this stuff. I wonder if you could get a court injunction holding up procurement?” Nader questioned whether the nude screening machines emit harmful radiation to frequent travelers.

“Dragnet surveillance is the last resort of people who haven‟t done their jobs. Our entire homeland-security operation is made up of ad hoc responses to the last failure.” For the full story, ask us for a sample copy of our February 2010 issue.

HINT: Find "Eric Blair" in the text below for a free offer you cannot refuse.

Passwords Are Like Underwear
-- From the January 2010 issue

The Office of Policy Development and Education (since discontinued) in the Information Technology Division at the University of Michigan (​education) created a password protection campaign with five posters intended to alert students to the importance of computer security.

The theme of the posters was “passwords are like your underwear”:

The longer the better.
Don’t share them with friends.
Change yours often.
Don’t leave yours lying around.
Be mysterious.

Hi-Tech Labeling of Kids OK, Governor Says
-- From the December 2009 issue

Governor Donald Carcieri of Rhode Island not only vetoed a bill that would have restricted the use of radio-frequency identity chips (RFID) on school children, he proclaimed in his veto message that tracking children is a great idea.

[The R.I. legislature overrode the veto Jan. 5 so that this bill will become law.}

“Why would the General Assembly therefore place restrictions on the use of this technology as an option for all students?” Carcieri, a Republican, wrote. “In certain circumstances, it may be helpful for schools to have the ability to quickly identify where each of their students is located. Such circumstances may include weather-related natural disasters, terrorist or criminal events or even a need for use during field trips and outside school activities.”

This is the third time that Carcieri has vetoed a version of RFID privacy legislation. In 2006, lawmakers passed a bill that would have prohibited state and local government from using RFID to track their employees and school children in addition to restricting the use of high¬way-toll transponder information using RFID technology.

“Originally developed to track cattle and commerce, RFID technology allows a person’s identity and movement to be monitored electronically,” Steven Brown of the Rhode Island branch of the American Civil Liberties Union explained. “When the Middletown school district last year began a pilot program that placed RFID chips on the backpacks of elementary school children, purportedly to make sure they got on the right school bus, the need for this legislation became more apparent than ever.”

For more on these stories, ask for a free copy of our December 2009 issue.

Devices That Pinpoint Your Location:
Do They Worry You?

-- From November 2009 issue

Massive numbers of Americans are carrying around on their persons electronic devices that permit tracking of their locations. They are concerned about the drawbacks, but apparently not concerned enough to curtail their usage, according to a study by the privacy-oriented researchers at Carnegie Mellon University in Pittsburgh.

The four scholars listed technologies that allow for pinpointing one’s location:
Global Positioning Systems when they are a part of a cell phone – not yet common – or a laptop. Currently GPS are the most accurate way of pinpointing location.
Wireless positioning when a laptop user makes use of public WiFi access points. Unlike GPS, the tracking can be indoors.
Cellular identification: “A mobile phone is [usually within signal range] of upwards of three cell phone towers, allowing a location to be triangulated if the locations of the cell towers are known.” Loopt, a location-sharing service, uses its partnership with AT&T to provide always-on location information.

The Carnegie-Mellon team reported that in their survey of nearly 600 persons, “We find that although the majority of our respondents had heard of location-sharing technologies (72.4 percent), they do not yet understand the potential value of these applications, and they have concerns about sharing their location information online. Most importantly, participants are extremely concerned about controlling who has access to their location.”

For a copy of the full story, ask for a copy of the November 2009 issue, hardcopy by mail or pdf by email. That includes a link to the original study.

FTC Reevaluates Privacy Enforcement
-- From November 2009 issue

The Federal Trade Commission is undertaking what seems the most fundamental reexamination of its compliance program since it first acquired jurisdiction over privacy practices with passage of the Fair Credit Reporting Act in 1970.

It begins with a “fundamentals’ roundtable discussion at the FTC headquarters in Washington Dec. 7. Information about participation and the content is at privacyround@​ or​bcp/​workshops/​privacyround tables/​index.shtml#participate.

An additional session is planned tentatively for Jan. 29, 2010, at University of California Berkeley Law School and a third in mid-March in Washington. The new guard at the Bureau of Consumer Protection wants to move beyond the “harms-based” enforcement effort [see PJ Aug 09].

Privacy Officer - It's a Risky Job
-- From October 2009 issue

Being a chief privacy officer can be dicey – balancing the interests of management, consumers, courts, regulators, and advocacy groups.
Peter Fleischer, Google’s American-educated, European-based privacy officer, has found an additional, serious risk to the job. He has found himself this month in a non-English speaking courtroom facing criminal charges.

Fleischer and three colleagues at Google are accused of violating the data-protection law in Italy by allowing YouTube, which is owned by Google, to display a three-minute mobile-phone video of a teenager with Down's syndrome being bullied at school.

For the complete story, ask us for a sample copy of the October 2009 issue

Cut & Paste a Privacy Policy? Why Not?

A California company saved a little money by simply cutting and pasting another company’s privacy policy on to its own Web site. The "borrowed" policy said that the company abided by the U.S. “safe harbor” international privacy principles. If that’s untrue, you can’t do that. And so the Federal Trade Commission put the company out of business. Find the full story in the October 2009 issue of Privacy Journal. Ask for it.

'Paramour Rule'

A Tennessee Court of Appeals has said that a statewide policy of courts including an “overnight paramour clause” in custody cases need not be followed in every case; it is the interests of the child that must come first. Get the full story. orders@​

Should the Identity of Your Computer
Be Protected as 'Personal Information'?
-- From September 2009 issue

* * * What about an IP address? Is that personal information that should be protected?

That's the number that identifies a computer connected to the Internet through an Internet Protocol (IP). It doesn't identify the owner of the computer necessarily, nor the current user. And Internet providers often switch the IP addresses of users. But knowing the IP address may serve to identify the user, especially in instances - very common, of course - when one person habitually uses one computer.

European authorities have said an IP address is personal information, entitled to protection under European privacy laws. The New Jersey Supreme Court in 2008 said it is protected information. But a federal court in Seattle, Microsoft's backyard, ruled in June that an IP address is not entitled to protection. * * *

To know exactly where you stand, you need to see the September 2009 issue of PRIVACY JOURNAL. Send us an email and ask for a free sample.

Tolerance for ‘Street View’ in U.S.
- From the July 2009 issue

Americans seem not to mind that photos of their residences are posted on a Web site without their consent. There has been little objection here to Google's Street View Web site.

But in Canada, public sentiment forced the company to agree permanently to blur and anonymize images of individuals captured among the myriad of views of private residences. Greece’s data protection agency has told Google to suspend its Street View product there until the company clarifies its practices on retention of the images and on individuals’ right to get them deleted. The data protection authority in Hamburg, Germany’s second largest city, threatened sanctions if Google did not comply with the city and federal privacy laws.

By contrast, a judge in Pittsburgh has dismissed the only known legal challenge to Street View, filed by a couple with a secluded residence that is pictured on Street View without their consent.

How Did the Massive Leak
At Heartland Systems Happen?

Do You Know About Two Important
Changes at Airport Security Gates?

To read each of these stories, ask us for a free copy of our May 2009 issue

PUZZLER From the April issue

Q: What does “Attack of the Killer Tomatoes” have to do with the worldwide trend to require notification to affected persons when there is a leak of personal information from a computer system?

A: Ask for a sample copy of our April 2009 issue and you will find out.

- From the March 2009 edition

You have to wade through the complex small print to discover exactly what the privacy provisions accomplish in the Health Information Technology for Economic and Clinical Health Act, part of the stimulus package, now Public Law 111-5. PRIVACY JOURNAL does this.

The new act amends the existing regulations on the confidentiality of medical records under the 1996 Health Insurance Portability and Administration Act (HIPAA).

The act establishes a federal requirement that patients must be notified if there is a breach of security of their health information, if it were not encrypted or otherwise made indecipherable to outsiders. Vendors who deal in health information must notify the Federal Trade Commission, which heretofore has had no involvement or expertise in medical information.

The act provides transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record in the prior three years, including disclosures to treat a patient. Still, tracking secondary disclosures by receivers of patient information would be difficult.

The act ensures that new entities that were not contemplated when the federal privacy rules were enacted in 2001, as well as those entities that do work on behalf of health-care providers (“business associates”) are subject to the same HIPAA privacy and security rules as providers and health insurers (“covered entities”).

The act seems to allow a patient to bar individually identifiable disclosures to a health network if paying out of pocket for medical services.

The act affects the sales and mining of patient information by limiting (but not totally eliminating) the sale of an individual’s health information without the individual’s authorization.
This provision may not cover barter and rental arrangements or use of a third party.

The act requires that health-care providers like doctors, hospitals, and nursing homes not use patient information for marketing without consent and not use it for fundraising without an opportunity for individuals to opt-out.

The act strengthens enforcement of federal privacy and security rules by increasing penalties for violations, providing greater resources for enforcement and oversight activities, creating new training, enforcement, and monitoring capability in the regional offices of HHS.
State attorneys general may pursue HIPAA violations.

The act makes clear that those who furnish records or receive them in violation of the law may face criminal prosecution.

Get the full story by asking for a free sample copy of the March 2009 issue. orders@​

Automated Health Records to Stimulate Economy?
- From February 2009 edition

One of the lynchpins of the Obama Administration plan to stimulate the national economy is creating a nationwide network to exchange patient records among health-care providers.

The stimulus program passed by Congress includes from $20 to $22 billion for the elusive goal, one that many members of the medical community have sought for more than 15 years. As part of this, the so-called American Recovery and Reinvestment Act, HR 1, includes a patient confidentiality provision that privacy and patient advocates have endorsed.

Subtitle D includes a ban on the sale of health information, audit trails to keep track of disclosures from the electronic network, encryption of certain health information, enhanced rights of patient access to one’s own data, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process that will follow passage of the bill.

Get the full story by asking for a sample copy of the February 2009 issue.

Quest to be Popular
Drives Facebook Users
to Post Personal Information

- From January 2009 issue

It’s the need for popularity that is driving young adults to disclose more personal information on Facebook than they normally would reveal, according to a new study by two psychology researchers at the University of Guelph in Ontario, Canada.

“There is something different about how people interact in online environments,” said Emily Christofides, one of the graduate-student researchers. “They share and show more about themselves than they might in other social settings. We wanted to find out if different psychological factors are involved in that behavior.”

Christofides and Amy Muise surveyed 343 Facebook users, all university students between the ages of 17 and 24. Participants were asked about personality factors such as self-esteem, need for popularity, levels of trust and overall tendency to disclose personal information.

The study found that the majority of persons (76 percent) are concerned about privacy and information control, yet they still disclose a great deal of personal information on Facebook. This includes details like birthdays, email addresses, hometowns, school and degree majors, and intimate photographs.

The pair asked how likely were the students, on a scale of one to seven, to post various types of pictures. The responses:

A profile portrait – 6.60 mean
With friends – 6.41
With boyfriend or girlfriend – 5.91
At parties or a bar – 5.85
With friends drinking – 5.62
Kissing someone – 4.37
In bikini or bathing suit – 4.23
In a bedroom – 3.60
“Making out” with someone – 2.52
Doing something illegal – 2.45
Doing drugs – 1.99
Naked or partially naked – 1.49

For the full story, ask us for a sample copy of our January 2009 issue.

Data-Mining to Look for Voters
- From the December 2008 issue

Both national political parties are purchasing individual consumer-choice data and manipulating it in their quest for funds and voters.

Immediately after the election, in a joint appearance with his Republican counterpart, Democratic National Committee Chair Howard Dean said in reference to the Republicans, “We now can do what they can do. We have your credit card data like they do. They’ve been for years doing something that we, until 2006, weren’t able to do. We can predict with 85 percent accuracy how you’re going to vote based on your credit card data without bothering to see what party you’re in – [through] the Secretary of State’s office.”

“They’ve been doing it for a long time,” Gov. Dean said of Republicans. “No wonder we’ve been throwing rocks at the bottom of the well. These guys – we can argue about how well they run the country, but they certainly know how to run elections.”

“The model for party building was the Republican National Committee,” Dean says. “We copied almost everything and improved on it. We got technology that predicted with 85 percent certainty how someone would vote." FOR THE FULL STORY, ASK FOR A FREE COPY OF OUR DECEMBER 2008 ISSUE.

Privacy Officer a Huckster Too

It’s a novel role for a chief privacy officer.

Acxiom, one of the largest collectors and sellers of consumer data in the U.S., uses its longtime privacy officer to promote publicly its sale of databases reflecting consumers’ personal preferences.

Privacy officer Jennifer Barrett, in a video on Acxiom’s Web page promoting sales of its data about consumers’ use of their credit cards, even endorses use of financial and health information about individuals in the marketing process.

Barrett, who joined the company back in 1974 before it emerged as an aggressive user of new technology and of merging of disparate individual data, was named chief privacy officer in 1991, one of the first in the nation in the corporate world. FOR THE FULL STORY, ASK FOR A FREE COPY OF OUR DECEMBER 2008 ISSUE.

NEW: Government Permission to Travel in U.S.

- From November 2008 issue

For the first time in U.S. history, Americans will have to get the permission of their government to travel from state to state.

The U.S. Transportation Security Administration has issued a final rule requiring passengers to provide name, gender, and date of birth when making a domestic airline reservation. This information will be reported to the TSA, which will report back to the airline whether the individual is cleared to board an airplane. If TSA reports back that the individual is on its Watch List or “inhibited status,” the passenger must present a government ID to the airline and then may fly if TSA reports back with permission. If no permission is granted, the airline may not board the passenger. The regulation seems to say that individuals not on the Watch List need not show an identity document to the airline.

The rule also seems to say that a photo-identity document issued by a local governmental agency is no longer acceptable, only IDs issued by federal, state, or tribal governments.

For the complete story, ask for a free copy of our November 2008 issue.

Find a typo, spelling error or other mistake on this Web site and win a free book of your choice.

That's What Friends Are For
- From October 2008 issue

Many marketers are now persuaded that online data showing whom people associate with are more predictable indicators of consumer preferences than standard demographics or even evidence of prior purchases. And that explains why they want to harvest data from “social-networking” sites like MySpace, Facebook, and Flixster.

Blogs, in which birds of a feather tend to flock together, are another source.

In order to participate in such sites, users generally identify acquaintances – “friends” – who may have access to their social-networking sites and with whom they keep in regular contact.

“People are more like their friends than they are like other people that fit their demographic or psychographic makeup. Social psychology has shown that people tend to develop relationships with those that have similar interests to them, transcending demographics and psycho-graphics,” says one of the prime practitioners of this new art, 30-something Auren Hoffman, head of Rapleaf. “And those that have a strong relationship with each other have the capacity to influence each others’ behavior.”

Hoffman cites research by Shawndra Hill, a junior faculty member at the University of Pennsylvania, showing “A firm can benefit from the use of social networks to predict the likelihood of purchasing. Taking the network data into account improves significantly and substantially [on a company’s customary marketing and on target marketing].” [For the full story, ask us for a free copy of our October 2008 issue.]

The Background on This

In 1991 or thereabouts, marketing specialists discovered “target marketing” or “database marketing” to zero in on potential customers based on aggregated computer data reflecting tastes in publications, automobiles, and consumer products, combined with demographic data available from the Census Bureau and other sources.

Five years later, they began exploiting Internet data (“cookies”) that revealed consumers’ interests in different Web sites. Then a couple of years ago came “ehavioral” marketing, using manipulative online advertising based on data from a person’s online searches and consumer choices.

Now comes the next best thing: “socialgraphic targeting” (described on this page, above), based on the friendships and relationships that one forms online.

- Chris Slane,

PJ's Current Reading List
- From the August 2008 issue:

A reader asked us to recommend the best current books on privacy. Here are our choices:

Trust and Risk in Internet Commerce, L. Jean Camp, 2000.

Privacy & Human Rights, An International Survey of Privacy Laws and Developments, Electronic Privacy Information Center, updated yearly.

Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet, Robert Ellis Smith, 2004.

“RFID and Privacy: Guidance for Health-Care
Providers,” Information and Privacy Commissioner of Ontario, Toronto, Canada, 2008.

“Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation,” Information and Privacy Commissioner of Ontario, Canada, 2008.

The Privacy Advocates by Colin Bennett, describing the efforts of the eccentric and often effective band of brothers and sisters who work for privacy protections in the U.S. and abroad, 2008.

Compilation of State and Federal Privacy Laws, Privacy Journal, updated yearly.

Privacy Torts, David A. Elder, 2002.

Privacy on the Line, Whitfield Diffie and Susan Landau, 2007.

Secrets & Lies: Digital Security in a Networked World, Bruce Schneir, 2000.

“A Guide to the Privacy Profession,” International Association of Privacy Professionals, 2007.

Are the Paparazzi Winning?

Hollywood finally had its revenge on the tabloid press in 1998. The Screen Actors Guild lobbied the California legislature successfully for a new law limiting the ability of paparazzi photographers to intrude into personal activities. The law allows celebrities to sue photographers or news organizations if they trespass or use telephoto lenses to capture images of persons in personal or family activities.

The law, a response to the death of Princess Diana in Paris in 1997, provides rights also to victims of crimes who feel they are put upon by intrusive photographers.

The California Press Association and the major networks opposed the bill in the legislature, saying it unconstitutionally restricts their First Amendment rights to gather the news In 2005 Gov. Arnold Schwarzenegger, himself a huge Hollywood celebrity, approved legislation allowing treble damages for paparazzi victims and limiting the profits that photographers could reap from photographs involving altercations.

And last winter, after even more chaotic scenes where photographers confronted famous film and music personalities, a member of the Los Angeles City Council, Dennis Zine, proposed tightening law enforcement at the locations. Zine, who represents the district adjoining Beverly Hills to the west, also proposed creation of a city-enforced “personal safety zone.” Some call it “Britney’s Law.” Actors showed up at a task force meeting on the subject held July 31.

The photographers themselves now feel threatened in the frenzy, and many support tougher enforcement practices.

For the rest of the story, email us and ask for a sample copy of our August 2008 issue.

What's in Public Can Be Private
- From July 2008 issue

It has been conventional wisdom that nothing can be done legally about ubiquitous camera surveillance in our communities, that it does not violate any law or constitutional principle. Part of that accepted wisdom is the mistaken idea that because an activity takes place in public view, it is not protected by any expectation of privacy.

In fact, there are many activities in public that are entitled to privacy protection, according to previous federal court holdings: going to and from a house of worship, an abortion clinic, or a medical facility; holding hands or embracing affectionately in public; participating in a political demonstration or wearing political symbols; reading a book or a magazine; meditating or praying, and perhaps even chatting on a cell phone in an audible way. The right to vote may be interpreted to prohibit videotaping citizens as they visit a polling place. “The Fourth Amendment protects people, not places,” said the U.S. Supreme Court 1967, in an opinion that restricted law enforcement’s use of audio evidence from a public phone booth. And the Fourth Amendment protects not merely homes, but also citizens’ “persons, houses, papers, and effects.”

For the rest of the story, ask us for a sample copy of our July 2008 issue.

This regular feature provides ways to use 20 minutes of your life each month to protect your privacy.

The state laws on placing a “credit freeze” or “security freeze” on your credit report vary widely. You must check the specifics of your law.

Most states require a paper request by mail. Email is okay in Delaware. But in the District of Columbia, certified mail and ID are required, although Web registration must be available by 2009. Kansas requires a police report proving victimization of identity theft, but most state laws allow anyone to get a freeze. For Connecticut residents, a credit bureau must place the freeze within five business days and notify the consumer within ten days and provide a unique ID number or password for future communications.

A freeze is a notification in a credit file that no credit report shall be provided to a retailer or, in many states, no credit report shall be provided without the consumer’s consent.

A consumer may request a temporary, specific, or permanent lift of the freeze. There is usually no fee. But North Carolina and Oregon authorize a $10 fee. In New Hampshire victims of ID theft may not be charged a fee. In New Hampshire, New Mexico, New Jersey, and New York, credit bureaus must notify residents of all of this.

The Consumer Federation of America, 202/​387-612,, can direct you to the text of your state’s law.

The 35 state laws are described and cited in PRIVACY JOURNAL’s Compilation of State and Federal Privacy Laws. Federal law requires nationwide credit bureaus to accept “fraud alerts” only for victims of ID theft.

Loaded Question
- From March 2008 newsletter

The death of conservative commentator William F. Buckley, Jr., in February recalls this story he told about himself in 1978, when the moderator of a panel asked him and others whether they had ever been victims of an invasion of privacy.

On a recent trip, Buckley said, a hefty woman at airport security was rummaging through his carry-on baggage. She pulled out a package of Preparation H, a tonic for hemorrhoids, and held it up. Within hearing range of several fellow passengers, she bellowed to the urbane Buckley, “Do these work?”

TV Monitoring in Public Places:
Effectiveness Not Determined

- From the March 2008 issue

Does installation of video surveillance in public places work? There has been a dearth of studies in the U.S. addressing that crucial question. The federal government and hundreds of local governments simply assume that the answer is yes, aided by hundreds of vendors who insist that high-tech equipment will indeed reduce or deter crime.

A report entitled "Video Surveillance of Public Places" issued in 2006 by the Office of Community Oriented Policing of the U.S. Department of Justice “notes that while there is a general perception among system managers and the public that video surveillance cameras are effective in preventing crime, actual evidence of crime reduction is more difficult to find,” according to a review of the literature by the Office of the Information and Privacy Commissioner in Ontario, Canada.

The Ontario report, "Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation," “found numerous studies on the effectiveness of video surveillance on crime, in a broad range of settings. These studies varied substantially, however, in terms of their methodological rigor.”

The report cited only two from the U.S.: The Department of Justice study, conducted by criminologist Jerry Ratcliffe at Temple University, and one conducted by Marcus Nieto of the California Research Bureau in 1997. . .

For the full story, ask for a sample copy of our March 2008 issue.

Order back issues. Ask for our discounted rates.

Need a speaker or an expert witness on privacy, surveillance, ID theft, medical confidentiality, credit reporting? Call us, 401/​274-7861.

"What about LifeLock? Is it worth it?" asks a reader.
- From the February issue

LifeLock is the “identity-theft protection service” whose chief executive, Todd Davis, announces his own Social Security number just to show how confident he is that his company will protect him and others from identity theft.

For a monthly fee, these companies merely monitor your credit record to look for abnormal activity and place a “security freeze” (or “fraud alert”) on your credit record. That means that the credit bureau must check with you before issuing a credit report.

Abnormal activity on your credit file is often a sign of identity theft, but some forms of ID theft do not alter your credit record. In some forms of identity theft, an undocumented immigrant uses the victim’s SSN to get a drivers license or birth certificate. In other forms, a stranger uses the victim’s ID when committing a crime. Checking credit reports will not detect these forms. And, the companies like LifeLock that monitor credit activity are known to miss signs of ID theft in credit reports.

By federal law, you are entitled to one look at your credit report per year without charge; after that the fee is nominal. And in most instances you can get a fraud alert without charge.

No company can guarantee against ID theft, as LifeLock claims it can.

LifeLock admitted that a crook has used Davis’ Social Security number to obtain a $500 check-cashing loan from a business in Ft. Worth, Tex. Davis said that the check-cashing company didn’t pull a credit check and therefore LifeLock’s methodology didn’t prevent this theft of identity.

Similarly, the host of “Top Gear” on British Broadcasting System TV, Jeremy Clarkson, wrote a newspaper column dismissing the threat of identity theft after the British government admitted losing two compact discs with personal data on more than 25 million persons. He published his bank account information and hinted at his home address, defying anyone to abuse it. The most anyone can do, he wrote, is put funds into my account. A week later, a hacker set up a $1000 monthly debit from his account to a diabetes charity, and Barclay’s Bank isn’t sure that it can stop it. “I was wrong and I was punished,” Clarkson said afterwards

Our email address: orders@​
Telephone: 401/​274-7861

LOOK: From a Surveillance Camera Viewpoint
- From the December 2007 issue

Citizens have been accepting of surveillance cameras everywhere, but there are signs of intolerance. Attitudes may be shaped in the most significant ways by an innovative Hollywood film set for release in December.

Writer and director Adam Rifkin shot the entire new film Look from the perspective of security cameras. “That’s what makes Rifkin’s acclaimed new film so shocking,” said Newsweek. The scenes in the film seem at first to be intrusive, but random shots – now commonplace in our surveillance society. But in the end they form a chilling tale about real peoples’ lives.

“We’re not taking sides,” the co-producer of the film Barry Schuler told PRIVACY JOURNAL. “Privacy and security are far too complex. But the cameras are everywhere, and it’s not just government surveillance; there is ‘citizen video’ everywhere.” Schuler, a former chief executive of America Online and framer of many of its early traits, added, “This is just not on people’s radar screen yet. And the default position is it keeps growing.”

Call or send an email for a free copy of the full story in our December 2007 issue.

Passport Office Gets FBI Access
- From the November 2007 issue

Since the inception of the National Crime Information Center in 1967, the FBI’s automated database of wanted persons and multiple offenders, the bureau has insisted that the data would be available only to law-enforcement agencies. Gradually that assurance has been chipped away.

The latest non-law enforcement agency to have access is the Passport Services Office in the U.S. Department of State.

Still, the FBI in its required notice about the NCIC system states, “Data stored in the NCIC is documented criminal justice agency information and access to that data is restricted to duly authorized criminal justice agencies.” With access only to the wanted persons sector of NCIC, the passport office will be required to confirm any “hit” with the originating police department, which must send a substantive response promptly or send back a “negative confirmation” The system is plagued with a rate of errors or incomplete records far in excess of 33 percent.

(For more, ask us for a copy of our November 2007 issue.)

ID Theft Precaution: Free 'Shredathon'
- From November 2007 issue

As part of his campaign against identity theft, Rob McKenna, the attorney general of the State of Washington, has organized a series of "shredathons" around the state. A private company in the shredding business provides the community shredder and a local organization provides the publicity. Citizens are invited to bring boxes of their sensitive documents to the site for secure shredding.

Lost or stolen mail and other documents with Social Security numbers and credit-card data on them are one source for identity thieves to get the information they need to co-opt someone’s credit accounts, but they are probably not the predominant source.

The first shredathon was held last April 18 at 29 locations around Washington State.

(For more, ask us for a copy of our November 2007 issue.)

Scary Stuff - Excerpts
-- From the October 2007 issue

As the government officials responsible for enforcing privacy laws worldwide met in September in Montreal, there was little of the traditional talk about the nuts and bolts of data protection like opt-in, transparency, or transborder data flows.

Instead, there were urgent and distressed discussions about uberveillance, ambient technology, ubiquitous computing, ingestible bugs, and nanotechnology.

The terms may be overlapping and may in fact be somewhat synonymous. They all refer to an environment in which electronic media are everywhere, gathering and processing information in a seamless way, beyond the control of each human being.

The discussions began a few years ago with recognition of a coming Internet of things, much as public awareness of the Internet began in the 1980s with talk of an information super highway. . . .

One prime speaker, Ian Kerr, Canada Research Chair in Ethics, Law and Technology at the University of Ottawa, noted that the Canadian Supreme Court had established a hierarchy of privacy values: bodily or personal privacy (highest level of protection), territorial privacy, and informational privacy (less protection).

The technology, as well as the law, has “smudged” the traditional hierarchy, said Kerr. He cited as evidence new human-area networking technology that permits the human body to be the conduit for electronic transmissions – of information, instructions, behavior and a lot more. See

A co-panelist with Kerr cited Eastman-Kodak’s announcement this year that it has developed an RFID identifying chip that may be swallowed by humans – an ingestible bug. The patent filing suggested potential uses, including monitoring “bodily events,” tracking how a person’s digestive track is absorbing medicine, or verifying how a specific medicine is interacting with other drugs in one’s body. The RFID tag would disintegrate eventually, the company said.

Other futurists used the terms ubiquitous computing and pervasive or invasive computing. Some European privacy officers believe that that ambient intelligence is an even greater challenge to European privacy enforcers than terrorism. Ambient intelligence refers to an environment in which electronic devices support human beings in their daily activities.

Michael G. Michael, a theologian and technology historian at the University of Wollongong, in New South Wales, Australia, warned that uberveillance, a term he is said to have created, will lead to increased cases of insanity and mental distress. “Mental illness will become an increasingly confronting factor as these issues develop,” he frowned.

Another threatening term often used in these contexts is nanotechnology, which refers to a miniaturization of technology allowing applications originally deemed impossible. Still another term is biobanking, which, in the words of an IBM developer, aims to empower researchers to have access within the human body to a chip that has data on a person's clinical records combined with his or her molecular make-up.

For more on this, including current practices of manipulating children on commercial Web sites primarily of interest to kids, ask us for a sample copy of our October 2007 issue. 401/​274-7861.

See our exclusive report on anti-terrorism 'fusion centers' below.

20 Minutes
- From August 2007

This regular feature provides ways to use 20 minutes of your life each month to protect your privacy or the privacy of others.

The Federal Trade Commission is seeking comments on uses of Social Security numbers in the private sector that may contribute to the epidemic of identity theft. The FTC also plans to host one or more public forums on the issue in the coming months. It is following up on a report by the President’s Identity Theft Task Force, led by Attorney General Alberto Gonzales and FTC Chair Deborah Platt Majoras.

Include this information: “SSNs in The Private Sector – Comment, Project No. P075414.” Need more information? Call the FTC at 877/​382-4357. Need suggestions, ask us.

Is Googling Fair?
-- From June 2007 issue (excerpt)

A well-known psychotherapist in western Canada has been permanently denied entry to the U.S., where his two grown children live. Why? Because of Google.

The man was detained at a border crossing in the State of Washington when the guard took his passport, turned to his computer, and Googled the traveler's name, “Andrew Feldmar.”

Google produced a link to an article that Feldmar wrote in a journal called Janus Head in 2001, which mentioned his use of LSD almost 40 years ago.

Feldmar had crossed the U.S.-Canadian border many times, but this crossing turned quickly into a nightmare. And he is no stranger to harsh treatment by security guards. . . .

Is Googling fair? The main unfairness is that Google does not vouch for the accuracy of the information it uncovers, nor does the Web site that displays the material. A new generation has come of age thinking that if it’s on a computer, it’s true. They rely on what they read on untested Web sites. Employers – and law enforcement – increasingly use search engines and social-networking sites to check out persons of interest.

On the other hand, getting information by a search engine is little different than stumbling upon it in a daily newspaper – just a lot easier and a lot more inclusive.

A year ago an informal hearing officer in the U.S. Department of Commerce Googled an employee facing termination for repeated and admitted misuse of government vehicles and expense accounts. On appeal, David Mullins complained, “She Google-searched my name. . . and came across my alleged prior removal from the Air Force.” He appealed again, saying among other things that his firing was based on information from an ex parte Google search. The Court of Appeals for the Federal Circuit in the District of Columbia ruled May 4, 2007, that there was plenty of other evidence – admitted by Mullins – to support the firing and that the information from Googling did not influence the firing decision because it had been revealed earlier.

For the full story, ask for a sample copy of our June 2007 issue.

'Fusion Centers' Now Consolidate
Data - With No Accountability

- From July 2007 issue

"In developing our country's response to the threat of terrorism, public safety leaders from all disciplines have recognized the need to improve the sharing of information and intelligence across agency borders. Every law enforcement, public safety, and private sector official involved in information and intelligence sharing has a stake in this initiative. Leaders must move forward with a new paradigm on the exchange of information and intelligence."

From this statement in a report by the grantsmaking office of the U.S. Department of Justice came the impetus for creation of “fusion centers” in urban regions.

"What Is a Fusion Center?" asks the same document. “A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources."

Fusion centers are also a consolidation of personal information in the hands of federal, state, and local law enforcement agencies and even private-sector security with often no oversight, no accountability, and no guidelines concerning the accuracy of and the use of personal information in its possession.

When the governor established such a fusion center in Massachusetts in 2005, Carol Rose, executive director of the American Civil Liberties Union there, wrote, "[The problem with the idea] could be that it provides one-stop shopping for identity theft. Or that it diverts millions from community policing, while Boston struggles with a rising homicide rate and 239 fewer cops on the beat than six years ago. Or maybe that history and the 9/​11 Commission showed that gathering piles of data doesn’t equal sound law enforcement.

"No, the biggest problem with the Commonwealth Fusion Center is that Governor Romney's system has no accountability, at a time the feds are abusing their power by spying on progressive U.S. activists." There have been similar complaints in Texas, where the fusion center will amass lots of personal information under the control of the governor. "In the fusion center, the governor will have at his disposal both public and private databases on Texans. This could potentially include everything from what magazines you read to traffic tickets and arrests," wrote Jake Bernstein, executive editor of the progressive watchdog publication The Texas Observer.

There are fusion centers in an estimated 38 states plus a half-dozen at the regional level like the widely heralded Joint Regional Intelligence Center (or "Jay-Rick") in Los Angeles. Fusion centers were designed as a mechanism to share information, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources, including anonymous tips.

Thomas E. McNamara, of the National Intelligence Office, appears to be spearheading the effort, although the Department of Justice funds the centers.
Justice has made noises about requiring privacy-protection standards but without specifics, according to Carol Rose.

"We just met with Governor Deval Patrick with an eye towards developing privacy protections," she told PRIVACY JOURNAL. "Perhaps what Massachusetts develops can be a model for the other fusion centers around the country."

For more on "fusion center," ask for a sample copy of our June 2007 issue.

It's Gonna Costa Ya'
- Excerpt from a longer story chronicling Federal Trade Commission fines for privacy violations
From the April 2007 issue

Microsoft helped the FTC nail a tech-savvy Hawaii couple sending hard-to-trace pornography over the Internet; the FTC secured an order freezing the assets of their operation, called Net Everyone. Another company,, had to give up $6,500, roughly $1 per email sent to persons who had requested to receive no more. In January the FTC staff announced that it would collect a total of $1.624 million from five small online porn operations for not labeling their electronic mail as “sexually explicit.”

After complaining to a court that an online marketer named Jumpstart offered free movie tickets to consumers in exchange for the names and email addresses of five or more of their friends, the FTC secured a penalty of $900,000 a year ago. The problem with the marketing plan, the FTC alleged, was that Jumpstart disguised its commercial email messages as personal messages, and that is a deceptive trade practice.

Kodak Imaging Network, formerly Ofoto, Inc., paid a modest $32,000 penalty to the FTC, for the modest transgression of not providing an opt-out mechanism in its commercial emails. The amount represented the estimated proceeds from the mailings. In November a small outfit called Yesmail, Inc., operating as @​Once Corp. forfeited $50,717.

A credible commercial book club called Bookspan, a Doubleday affiliate, forfeited $680,000 last year after the trade commission staff caught it dialing sales calls to persons who had already said, “No thanks” on the national do-not-call list.

Credit Foundation of America Inc., a debt-management firm marketing to consumers, paid up even more last year, nearly $1 million, for making deceptive pre-recorded calls to residents. And last June a seller of discount health and prescription drug cards and its telemarketer agreed to pay civil penalties of $300,000 and $50,000 to settle Federal Trade Commission charges that they have been violating the do-not-call law. A Southern California-based mort-gage broker forked over $50,000, and a similar operation was originally assessed nearly $500,000.

For the full story, ask for a free sample copy of our April 2007 issue. Specify hard copy or email edition. orders@​ 401/​274-7861

The Case of the Telltale Foreheads
- From February 2007 issue

All is fair in politics – at least to the staff of a TV program in Italy called Le Iene (The Hyenas).
The program, which satirizes personalities of the establishment, found a way to poke fun at Members of Parliament who had sponsored Europe’s most restrictive national anti-drug law last February. Here is what they did:
A “reporter” from the program invited 50 members of the Lower House to discuss the budget on camera. At a break in the taping, an assistant would pat the forehead of each interviewee, presumably to replenish make-up.
In fact, the staff was gathering perspiration samples. They tested the sweat samples for drug use in the past 32 hours.
Le Iene announced that its upcoming program would show that a third of the members tested positive; 12 out of the 50 would show marijuana use and four cocaine. “One MP in three enjoys a spliff or a snort,” chortled one staff member.
There was outrage immediately. One Member of Parliament sued and demanded the immediate seizure of his sample (yet insisting he “had nothing to hide”). The staff vouched for the reliability of the sweat test. FOR THE REST OF THE STORY, ASK FOR A FREE COPY OF OUR FEBRUARY 2007 ISSUE.

New Federal Law Bans Pretexting
To Get Phone-Call Information

- From the January 2007 issue

Congress at the end of its 2006 session approved a bill to punish anyone who through fraud buys or acquires or receives or sells or attempts to sell “confidential telephone information” about customers.

The new law defines protected "confidential telephone information" as data concerning the type or destination of calls or data “contained in any bill, itemization, or account statement provided to a customer.” It protects calling information in Internet Protocol-enabled voice services.

The law will not preempt 15 state laws that already punish acquiring telephone-calling records by pretext (pretending to be someone else). [See PJ Dec 06.]

Find this law, Public Law 109-476, already listed in the 2006 Supplement to our Compilation of State and Federal Privacy Laws. Essential for anyone who follows privacy happenings.

Do You Believe in Redemption?
In the Privacy Field, You Must.

-- Take, for example, these examples from our December 2006 issue:

* In 2004, ChoicePoint, which sells personal data on consumers, discovered that thieves posing as legitimate businesses were able to access ChoicePoint profiles that include Social Security numbers, credit histories, criminal records and other sensitive personal information. It paid $15 million in penalties.

In 2006, ChoicePoint appointed a chief privacy officer and a consumer advocate office under its vice president and chief public and consumer affairs officer as “another great enhancement to our privacy and information security portfolio.” This month, it sent its president, Doug Curling, out to sit down with privacy advocates. * * *

* Throughout most of the Twentieth Century Russia trampled on the privacy and autonomy of its citizens. In July 2006, Russia joined the European data protection club of nations by enacting a European-style data-privacy protection law and another law permitting access to government documents.

* The Electronic Privacy Information Center filed a privacy complaint in 2001 with the Federal Trade Commission about Microsoft’s Passport scheme, which permits users to enter personal information into a packet on their PCs and thereby allow them to complete application forms later easily (and mindlessly). In 2006, Microsoft Chief Privacy Strategist Peter Cullen unveiled a “global online identity system” [see PJ Nov 06] that generally won praise from privacy activists, including EPIC.

* In May 2006, the Department of Veterans Affairs experienced a huge scare when a laptop with sensitive data on 26.5 million veterans and active military personnel was stolen from a staff member at home. As penance, the department has embarked on a bold campaign pushed by its secretary to create what it calls “the Gold Standard for data protection.”

For the full stories, ask for a sample copy of our December 2006 issue.

States Prohibit Pretext to Get Phone Records
- From the October 2006 issue

California is the latest of 15 states to prohibit using pretext or deceit to get a list of the telephone numbers you have dialed or a list of the telephone numbers dialing into your telephone.

Each of these laws has come in 2006, prior to the revelations about Hewlett-Packard's corporate snooping. Ask us for a copy of our October issue for the full story and to see whether your state is included. Call 401/​274-7861. Fax 401/​274-4747.

Do You Still Have an Expectation of Privacy?
By Robert Ellis Smith

From Privacy Journal June 2006

Do you have a reasonable expectation of privacy? In the identity of the phone calls you make and receive? In your bank records? In your travels from place to place? In your medical records? Your phone conversations? Your Social Security number? Your Internet browsing? (Careful, it’s a trap question.)

What if the government or a private agency begins getting access to personal information that you previously assumed was reasonably confidential? Does that obliterate your “reasonable expectation of privacy”?

It took a Canadian to raise the question. At a conference on privacy at Carleton University in Ottawa last fall, Stephanie Perrin, now with the federal Privacy Commissioner’s office, rose to say that talking about an expectation of privacy in these times is a trap. “We should be talking about a reasonable need for privacy.” She went on to point out that we have a need for privacy in many areas even though that privacy has been eroded. In other words, governmental and business practices ought not eliminate a “reasonable expectation of privacy” on the part of the individual.

Other Needs, Not Expectations

Can’t the same be true about environmental protection? We may not expect clean air and clean water, but we do need them and are entitled to them. Or consider personal safety. We may not expect safe neighborhoods and cities, but we need them.

In 1967, when the U.S. Supreme Court ruled that the Constitution protects “people, not places” a lot of people and a lot of judges came to believe that the court had set a standard that the Constitution protects “a reasonable expectation of privacy” – and apparently only a reasonable expectation of privacy. But there is no basis for this in case law over the years.
The term never appeared in the court’s opinion in Katz v. U.S. (The court spoke of “the privacy upon which he justifiably relied.”) The idea of “reasonableness” comes from the concurring opinion by Justice John Marshall Harlan. He was characterizing the majority opinion saying that for a Constitutional violation “first, that a person must have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”

The Reality

What the majority opinion actually said was that notions of private property and trespass were not really relevant in protecting the Constitutional right to privacy. What matters is what a person “seeks to preserve as private, even in an area accessible to the public.”

It is important in these times to recall that the Supreme Court in its 1967 decision invalidated the kind of government wiretapping that had been unchecked virtually since the invention of the telephone system. In the Katz decision, the court found a privacy interest against a practice that had been commonplace until then.

Yet, privacy advocates are constantly confronted with proclamations from government and corporate lawyers that there can be no reasonable expectation of privacy against practices that we have known about for years. Sometime this is morphed into a “legitimate expectation.”

Under that reasoning, we had a reasonable expectation of privacy in our bank transactions only until the Bank Secrecy Act was enacted in 1970, or only since passage of the Gramm Leach Bliley Act in 1999.

We had a reasonable expectation that credit bureaus wouldn’t sell information in our credit reports without protections of the Fair Credit Reporting Act until they began to do so in the early 1990s.

We had an expectation that credit bureaus would not use Social Security numbers to confirm the identity of credit applicants until they began to do so in the early 1990s (and gave rise to an epidemic of identity theft).

We had a reasonable expectation of privacy in the contents of our medical files until a regulation under a 1996 law, HIPAA, removed much of that.

We had a reasonable expectation in the confidentiality of our records held by libraries, travel agents, real-estate agents, brokerages, retail stores, and private clubs. Did that disappear with Section 215 of the PATRIOT ACT, enacted in 2001 and renewed in 2006? (Much of that act requires that a terrorism investigation be a predicate for governmental demands into these files, but not all of it.)

We had a reasonable expectation of privacy in overseas phone conversations – at least if there was no probable cause of criminal activity or a need to gather foreign intelligence – until that was taken away by the Bush Administration.

We had a reasonable expectation of privacy in the numbers we dialed and the numbers of persons who phoned us – at least if we didn’t create any suspicion in our activities – until that was taken away by the Bush Administration.

We had an expectation that our Internet browsings would be confidential until the Department of Justice decided in 2006 that it would be a fine idea for Internet service providers to preserve that information for later government access.

A Loser for Citizens

What’s left? Under the “reasonableness” formulation (a loser every time for individual rights), we still have an expectation of privacy that our transactions at automatic bank teller machines in our neighborhoods and around the world will not be used to track our movements and prevent our making withdrawals. But do we forfeit that as soon as the government decides that it needs to use the ATM network for that purpose? Will it be said, “Americans cannot really expect that their ATM transactions won’t become known to investigators when this capability has existed for years and when the transactions take place in public”? (The Right to Financial Privacy Act of 1978 seems to require that customers get advance notice when federal agents get such access, but the PATRIOT Act may override that.)
Under the “reasonableness” formulation, we still have an expectation of privacy in a secret ballot. But where does that come from?

No law requires a secret ballot, no Constitutional provision, no court decision. And the secrecy of the ballot has been compromised from time to time when courts are investigating allegations of fraud. Yet we rely on it. Will the Bush Administration discover that this element of democracy is protected only by tradition, thereby allowing it to probe into the way each of us votes? The wedge has already been provided in the Help America Vote Act, which requires a driver’s license or portion of a Social Security number in order to vote. It creates state databases to keep track of voters and their identifying numbers. Experts testified just last month that the creation of these databases significantly increases the possibilities that hackers will be able to penetrate voting records.

Governmental Justification

If the government regarded a resolution to “fight terrorism in Iraq” as authority to monitor overseas telephone calls without regard to the federal law already on the books (as it did), will it regard the PATRIOT Act as authority to track citizens through their ATM usage? Will it regard the Help America Vote Act as authority to probe into the way we are voting? Will we then say collectively, “Gee, we thought that information was private. We had a reasonable expectation of privacy in that information.” And the government will say, paraphrasing Justice Harlan, “That was not an expectation that society is prepared to recognize as ‘reasonable’ under this administration. Just last month experts testified that hackers can get into voting information.”

Copyright © 2006 Robert Ellis Smith

Medical Theft of Identity
- From July 2006 issue

The World Privacy Forum warns about the emergence of theft of medical identity. Fraud artists are getting medical treatment in the name of a victim. The victim has no knowledge of the transaction until he or she discovers in the patient record mysterious entries for medical procedures he or she did not have.

Sometimes only insurance or payments information is used, not names or Social Security numbers.
One victim was told that he couldn’t have access to the information in his own medical file because it doesn’t pertain to him, it pertains to an impostor.

It is said that the former wife of Rep. Joe Barton, R-Tex., has had a stranger get medical treatment under her name in their hometown of Ennis, Tex. Barton is chair of the House Energy and Commerce Committee, which held hearings on theft of identity (the original version) in March.

The University of Connecticut Health Center reports a dozen attempts each week of persons trying to impersonate beneficiaries, sometimes to secure prescription drugs. Across the nation, this has resulted in additional requirements for patients to show identification documents before getting treatment. Blue Cross has begun warning its subscribers about medical ID theft.

For the full story, ask for a sample of our July 2006 issue.

Our June 2006 issue included an article (see above) pointing out how some ill-informed lawyers' notions about "an expectation of privacy" actually diminish your privacy.

Another Credit Score to Decipher
- From May 2006

Just when you got used to figuring out your “FICO score” and its importance to determining your credit-worthiness, the Big Three credit bureaus want to change all that.

For years the benchmark for rating consumer-credit applicants has been the FICO score developed by Fair Isaac from data supplied by each of the Big Three. Each of the credit bureaus used its own data and formulas to score consumers and each credit grantor had different criteria for assessing a FICO score.

After a long battle [by PRIVACY JOURNAL and others], consumers finally got access to their own scores, which range from 300 to 850, with 720 generally regarded as the cut-off for acceptable risk. About 80 percent of the major lenders use the FICO score.

But Experian, Equifax, and Trans Union, which are supposed to be competing with each other, got together and did an end-run around Fair Isaac. They created their own credit score, based on a lettering system, A through F. The new product is to be called VantageScore. (The letter grades are backed by a numbering system roughly equivalent to academic grades; 901 or higher equals an A, 801 to 900 equals a B, etc. This means that a 720 as a VantageScore is so-so, but from Fair Isaac is a respectable credit score.)

“This will only cause confusion in the marketplace,” said Travis Plunkett, legislative director for the Consumer Federation of America. The three separate national credit bureaus will use the same methodology but will issue different scores for the same person. They will charge perhaps $5 for a consumer to see his or her own score, beginning next month. By federal law, consumers are entitled to see their own credit scores.

One analyst of the industry, Bill Hardekopf of, said that this scheme is a way for the major credit bureaus to recoup revenue
that they lost when Congress in 2003 required free credit reports for any consumers who ask.

“This isn’t about making credit easier for the little guy,” writes Liz Pulliam Weston, personal finance columnist for MSN Money. “This is business.”

For more about credit reports, ask us for a sample copy of PRIVACY JOURNAL with information about credit bureaus. orders@​

Cell Phone Numbers Called - Get 'Em Online
- From December 2005 issue
A mother of two children living in central Massachusetts was shocked to discover that her estranged husband could easily get a list of the telephone numbers she had dialed form her cell phone. “I’m sure he wanted to make sure I wasn’t seeing anyone,” says the woman. “He found a cell phone number that he didn’t recognize, called it and left threatening messages.”
For about $100 at several Internet sites, the husband and many others like him can purchase lists of numbers dialed from a targeted person’s cell phone. The same is true of land-line phone calls.
Is it legal? No state or federal laws restrict telephone companies from disclosing such information about customers, although most have policies against disclosure. How do the Internet brokers get the information? It’s possible that they pay a person within the phone company to provide the data – a disgruntled employee, a former detective now in the company security department, or a clerk who applied for a job precisely to feed the data brokers and make some extra money. Or perhaps it’s simpler than that: A security consultant in Quebec City reported that he was able to get call records faxed to him from major phone companies merely by knowing the targeted person’s postal code. Another method: Hackers can use special software to make their own number appear on call displays regardless of where they are calling from. Phone companies rely on the call display as confirmation of the caller’s identity and then provide the information to the imposter, according to the Quebec consultant. . . . ASK US FOR A FREE SAMPLE OF THE DECEMBER 2005 ISSUE, FOR THE FULL STORY.

Rosa Parks of Privacy Protection?
A 50-year-old mother of four children living in Denver faces minor federal charges this month for declining to provide personal identification while on a city bus on her way to work. One of her kids is soldiering in Iraq.

The RTD (Regional Transportation District) bus that Deborah Davis took to work in September happens to pass through the Denver Federal Center in Lakewood, Col. As she was sitting reading a book, a federal guard climbed aboard and demanded to see her identification. . . . what happened to her? ASK FOR THE JANUARY 2006 ISSUE FREE.

Spend 20 Minutes for Your Kids
- From October 2005 issue

You may have thought that personal information possessed by your child’s school is protected, but that is not always so. The Department of Defense has a pervasive program for harvesting 4.5 million students’ addresses, dates of birth, even cell-phone numbers and e-mail addresses. The data file also includes Social Security numbers, in apparent violation of the federal Privacy Act. This is part of the Joint Advertising, Market Research and Studies program (JAMRS) in the Pentagon.

The infamous No Child Left Behind law, 20 U.S. Code 7908(a)(1), requires schools to turn over this data to military recruiters. It also provides parents with a chance to opt-out and demand that schools not disclose the information. But parents have to act to make this happen.

It is best to make a request in writing, and be sure to state whether you want your option to apply only to military recruiting or to all requests for directory information about your child (name, grade level, etc.).
Parents and students may also take advantage of the Defense Department’s own “name-suppression” database. Write JAMRS Opt-Out, 4040 N. Fairfax Dr., Suite 200, Arlington, Va. 22203. For more information, go to​documents/​military.pdf.
The Pentagon has contracted with a marketing company named BeNow in Wakefield, Mass., to collect and massage the data. The system also collects similar data on 4.6 million college students and data on other young people from other sources. Two of the sources are American Student List, which has long compiled marketing lists on students, and Student Marketing Group. The Federal Trade Commission has cited the first company for deception in its data collection, and the New York State Attorney General has cited the second company for collecting data on students through phony survey forms.

Best advice: Insist that your child bring home any survey form before filling it out. Under the No Child Left Behind Act, ask that your school not release data on your children. Complain to 703/​601-4722, Records Management Section, Pentagon 1155, Washington D.C. 20301-1155, that you think that the Defense Department’s operation of this information collection violates the federal Privacy Act.

Entire contents of this Web site:
Copyright © 2010 Robert Ellis Smith

Letter to the Editor
- From August 2005 issue

From St. Paul, Minn.: Awesome articles on the cover and on page three of the July issue [RFID tags required of elementary students in California and parallel efforts to impose a national ID card]. “Scarifying,” as usual.

Would you provide a discussion of, or references to, solid and specific information about privacy implications (if any) of switching phone service to Voice Over Internet Protocol (VOIP)? Specifically, privacy implications for employees when the employer makes the change to VOIP?

For example, I assume that a record of outgoing calls (date, time, destination, length) is captured “in-house” and thus more easily accessible to the employer than records kept by a phone service provider – especially for local calls. Is the source of an incoming calls recorded anywhere other than on the telephone set (called ID, etc.)? As computer keystrokes can be recorded, can phone set “pulses” be tracked also? And what is the system’s ability (if any) to record or monitor the content of the calls as voices are “digitized” and sent over the Internet?

Response: Employers and others indeed have the capability of monitoring, logging, and tracking conversations transmitted via VOIP, as they do over existing telecommunications technologies. Your inquiry is timely. Phil Zimmermann, the man behind the popular and accessible Pretty Good Privacy encryption program for e-mail, has just announced that he is launching a new program that aims to provide the same security for Internet phone calls.

Like PGP and PGPfone, which he created as human rights tools for people around the world to communicate without fear of eavesdropping, Zimmermann’s new program, zfone, is intended for everyday users and for businesses seeking to combat corporate espionage. Whether employees will be permitted to use the product at work is another question.

VOIP, or Internet telephony, allows people to speak to each other through Internet connections. VOIP uses broadband networks, making conversations vulnerable to eavesdropping.

If you look out the windows of the downtown Boston offices of the American Civil Liberties Union of Massachusetts, you see surveillance systems closing in on you.

“Even in Massachusetts – the nation’s historic ‘cradle of liberty’ – civil liberties are under threat in ways that don’t necessarily make us more secure,” says Carol Rose, executive director of the Massachusetts ACLU. The surveillance cameras and other high-tech devices installed for the Democratic National Convention in August have found a permanent home in Boston.

One of the greatest threats, in Rose’s mind, is a new automated fare collection system on the subway line that has no anonymous option if transit riders purchase their fare cards with a credit card or debit card. The purchase is linked to an individual’s identity, as is use of the Fast Lane toll option on the Massachusetts Turnpike and on most toll roads in the U.S.

In Boston senior citizens, students, or those who are disabled must now show identification documents and have personal information linked to their fare cards to get discounted rates.

The transit system (called “The T” or the MBTA) will document the identity of riders and time, date and location where they board a bus or trolley or pass through a subway turnstile. Because of the vagaries of Boston’s aging system, there are no card-reading devices or turnstiles at many disembarking points, and so the system doesn’t always record when a person leaves.

The new “smart card” is called a “Charlie Card,” named after “the man who never returned” when he got lost on the Boston subway, in the political song of the 1940s popularized by The Kingston Trio in 1959. (Charlie got lost be-cause of a complicated fare system.)

MBTA officials see the Charlie Card as allowing it to track riders and ridership, cut down on fare evasion, and create a more efficient transit operation.

"It will be a magnet for identity thieves seeking to get this information, and the worst thing is that consumers have no idea this is going to happen to them,” said State Senator Jarrett T. Barrios of Cambridge, who has been urging the transit authority to strengthen its privacy protections.

For the complete story, e-mail or call 401/​274-7861 and ask for a free sample of the June 2005 issue.

Careless Record Keeping: The Cumulative Effect
- From May 2005

To appreciate THE CUMULATIVE EFFECT, Privacy Journal newsletter compiled the following list of breaches of sensitive personal information, disclosed just since January. It's not an atypical list for a three-month period, but breaches are obviously getting more press attention.

* Tepper School of Business at Carnegie Mellon University reported that a hacker had access to Social Security numbers and other sensitive personal information relating to 5000 or more students, staff, and alumni.

* Tufts University notified 106,000 alumni, warning of "abnormal activity" on its fund-raising computer system listing names, addresses, phone
numbers, and, in some cases, Social Security numbers and credit-card account numbers.

* ChoicePoint, the "information broker" based in Georgia, sold personal data on 100,000 or more persons to fraud artists posing as legitimate businesses.

* DSW Shoe Warehouse experienced a hacking incident involving access to an estimated 1.4 million credit-card numbers and names, 10 times more than investigators estimated at first.

* HSBC North America, which issues GM's MasterCard, urged all customers to replace their cards as quickly as possible because personal data was compromised. The customer records of Polo Ralph Lauren Corp., were involved.

* Ameritrade Holding Corp., the online discount broker, informed about 200,000 current and former customers that a back-up computer tape was lost during shipping.

* Canadian Imperial Bank of Commerce, CIBC, one of Canada's leading banks, misdirected confidential faxes sent to outside parties over a three-year period. Bank of Montreal, Royal Bank of Canada, Scotiabank, TD Bank, and National Bank have also misdirected faxes with customer information.

* Motor vehicle departments in four states have lost personal data. The Texas Department of Public Safety mailed to 500 to 600 licensed drivers renewal documents that pertained to other persons. In March, burglars rammed a vehicle through a back wall at a Nevada Department of Motor Vehicles and drove off with files on about 9000 people, including Social Security numbers. In April police arrested 52 people, including three examiners at the Florida Department of Motor Vehicles, in a scheme involving the sale of more than 2000 fake driver's licenses. Also, Maryland police arrested three people, including a DMW worker there, in a plot to sell about 150 fake licenses.

* A Boston-based storage company named Iron Mountain Inc., lost Time Warner Inc.'s computer back-up tapes with Social Security numbers and names of 600,000 employees and dependents. This is the fourth time this year that Iron Mountain has lost tapes during delivery to a storage facility, according to The Wall Street Journal.

* Someone gained access to the personal information of 59,000 students at California State University, Chico, the university revealed in March.

* A laptop that contains about 100,000 Social Security numbers of students and personnel at the University of California, Berkeley was stolen from the school's campus.

* Someone hacked into a database at the Kellogg School of Management at Northwestern University, possibly exposing data pertaining to 21,000 individuals.

* More than 1600 parents discovered in January that records in the Colorado State Health Department relating to an autism study were lost.

* * *A free copy of the current issue of Privacy Journal is available through orders@​ Specify e-mail copy or hard copy (and include a mailing address).

A press interview
with Publisher Robert Ellis Smith

- From April 2005 issue

1. Issuing your special report on ChoicePoint is interesting timing. Do you really think it’s a good idea to kick a good company like ChoicePoint when it’s down? In football, piling on draws a penalty.

Robert Ellis Smith: I’m a journalist. Everybody needs to know about this company. It has been in the headlines but people do not realize that it grew out of Equifax, that it has been out of compliance with FTC orders for years, and that it is closely allied with the voter-list purge in Florida in 2000 and the development of “Matrix.” If mere words can crumble a company, it deserves not to survive. [To download the report on ChoicePoint, click below.]

2. Did you decide to issue your special report before the revelations about the loss of data made earlier this year?

Response: I issued it because of the many inquiries I have received wanting to know about the company and its nature. No one has covered Equifax more than I have.

3. What were some of its problems when it was Equifax? How did the company respond to privacy concerns before it became Equifax?

Response: When ChoicePoint was the insurance reporting division of Equifax, the FTC found it out of compliance with Fair Credit Reporting Act accuracy and correction requirements. Continually. ChoicePoint acquired an “information broker” that was known to be in-accurate, irresponsible and out of compliance with the FCRA (CDB Infotek).
Equifax was formerly known as Retail Credit
Co. It was abuses in the insurance and employment “consumer investigation” part of Retail Credit Co. that alone led to passage of the Fair Credit Reporting Act. That, in short, is why an act with “credit” in the title also regulates consumer investigations for insurance and employment purposes. See my book Ben Franklin’s Web Site for documentation of this. Within three years after the FCRA was enacted, the part of Retail Credit Co. now known as ChoicePoint was found by the FTC and a federal court to be out of compliance with the act in serious ways.

For the rest of the story, ask for a free sample of our April 2005 issue.

ID Theft Mainly in America. Why?
- From March 2005 Privacy Journal

Theft of identity is largely an American phenomenon.

There are reasons for that. Other nations don’t rely on an identifying number – like a number to keep track of pension accounts or government benefits – for other purposes, like identifying consumers in credit reports.

Since the early 1990s credit bureaus in the U.S. have been collecting Social Security numbers and relying on the numbers to confirm a match when a lender requests a credit report on an applicant. By the same token, credit bureaus usually ask a consumer who wants to see his or her own credit report, as permitted by law, to provide a Social Security number to confirm his or her identity. The Federal Trade Commission, which regulates credit bureaus, actually encouraged this in the 1990s.

Strangers can get Social Security numbers from payroll records or buy them from Internet sites.

Thus, it’s not hard to see why theft of identity is easy in the U.S. A stranger need only get a Social Security number to match a name and then ask a credit bureau to provide a copy of “his” credit report. The impostor changes addresses on the credit accounts listed on the credit report.

For the full story, ask us for a sample copy of our March 2005 issue.

Choicepoint, A Corporate History
- From March 2005 Privacy Journal

In our March 2005 issue, we published a timeline of the ignoble history of ChoicePoint, a former division of Equifax that is now known mainly for massive sales of personal information in its files to ID thieves. Here is an excerpt:

1996 CDB Infotek advertises that it will sell information at the top of a credit report – “header information” like Social Security number, date of birth, phone number, and “a/​k/​a’s.” It offers access to Social Security account information, the change-of-address lists of the Postal Service, lists of registered voters (in violation of state laws in California and elsewhere), and data on personal assets. It sells criminal and civil-court records, demographics of a target’s closest neighbors, California driving records, employment reports, and much more. In 1992 CDB had been cited by the FTC for major violations of the credit-reporting law. CDB did not challenge the FTC findings.

1996 Seven months after CDB’s ad appears, Equifax purchases 70 percent of CDB Infotek and folds it into its Insurance and Special Services unit.

1997 An Equifax shareholder, in a formal demand for due diligence by the parent company, cites “law-breaking, fraud and unethical conduct” by CDB.

1997 Alarmed by its negative reputation with the acquisition of Infotek, its FTC cease-and-desist orders, and consumer lawsuits, Equifax spins off its Insurance and Special Services unit and calls it ChoicePoint. The new unit absorbs CDB’s files. It also takes in driver and motor-vehicle, divorce, marriage, corporate, property-ownership, and other data of questionable reliability owned by a company called Database Technologies, Inc., in Boca Raton, Fla. ChoicePoint’s independence is questionable. The chair of Equifax, chair of the executive committee of ChoicePoint’s board of directors. ChoicePoint’s new president was executive vice president of Equifax.

For the full story of ChoicePoint from 1970 to the present, ask for a sample copy of our March 2005 issue.

For a report collecting all of Privacy Journal's past stories about this company (13 pages, $8.50),

Can Software Defeat 'Phishing'?
- From October 2004

New software tools to combat the intrusive on-line practice of “phishing” may require monitoring your Internet traffic in a way that is possibly more intrusive than the scourge of phishing itself.

Phishing accounted for an estimated $500 million in fraud in the past year, according to TRUSTe, a non-profit privacy group. TRUSTe’s new study also found that three-quarters of online users had experienced an increase in incidents in the past few months.
Phishing is the sending of an e-mail falsely claiming to be a legitimate enterprise, even using the logos of the enterprise, to tempt a user into visiting a site and surrendering personal information, which can then be used for identity theft and fraud.

Prominent victims include Bank of America, Best Buy, Citigroup, eBay, and their customers.

People are directed to Web pages that look identical to the companies' sites. Most ignore the “fishing” bait, but many bite. The practice is also called brand spoofing or carding.

The Securities and Exchange Commission warned this month about a scam in which phony e-mails purportedly sent by Smith Barney [pictured in our hard copy edition], a stock-brokerage unit of Citigroup, Inc., seek recipients’ account information.

In response, developers have created new forms of anti-phishing software; Microsoft has pro-posed new security standards directed at stop-ping the phenomenon. But are the new tools also intrusive? The first line of defense that companies such as MasterCard have used against phishing is simple, “intelligent” online monitoring. The electronic asset protection company NameProtect, for example, offers a service to MasterCard and others that scours millions of Web pages, domain names, chat rooms, and the like for indicators of online fraudulent activity.

For the REST OF THE STORY, call or write for a free sample of our October 2004 issue.

The ABCs of RFID
By Mikhail Zolikoff
- From August 2004
Beginning next year, observant consumers will notice an additional logo stamped on the products they purchase from retailers. This logo will indicate that the product carries an RFID (or “radio frequency identification”) tag.

RFID electronic chips are capable of storing unique identifying information about a product and then remotely transmitting that information to a tag reader by use of radio waves. Manufacturers will be using these miniature embedded tags to keep track of materials in production and distribution. Retailers are implementing this technology with the hope that the checkout experience will be shortened, inventory costs will reduced, and product theft and shrinkage (the loss of product between the manufacturer and the shelf) will be eliminated.

Eventually these tags, also known as “Electronic Product Codes” (EPCs), will replace the familiar but outdated UPC, the Universal Product Code, or bar code. Distinct RFID tags would be assigned to each individual item; by contrast, a bar code is assigned to all identical items. RFID tags identify a particular item purchased at a particular time; bar codes merely identify a category of individual items. RFID tags have the capacity to transmit large amounts of data about an individual item. Bar codes, by contrast, can reflect only the identity of the generic product, brand, size, and pricing.

Privacy activists have repeatedly expressed their concerns that the RFID labels in consumer goods could potentially be used for tracking the possessor of the item without consent. While the electronic chip embedded within each tag has the capability of being “killed” or deactivated and therefore no longer able to transmit its identifying information, this has not been established as a default when consumers purchase their items and leave the store. As such, anyone with a tag reader – the devices are readily available on the Internet and the price is quickly dropping – could scan you, your car, or your home without your permission to determine which products you’ve purchased and have in your possession.

Hewlett-Packard, one of the corporate sponsors of the 27-mile Boston Marathon, sponsored a project in which RFID tags were embedded in the shoelaces of each runner in the event last April. As the runner ran across special mats placed along the route to Boston the transponder reported each competitor’s place and the running time to a Web site. Family members and news reporters could then access the information in real time.

Privacy critics of the technology ask us to imagine the consequences when the highly personal items we carry around day to day are identifiable without our consent.

For the full text of this story, ask us for a sample copy of our August 2004 issue.

Why Are Fingerprints Demeaning?
- From June 2004

Letter to the Editor
From Minneapolis: How can we explain, in a language the average American can understand, why fingerprinting foreigners is a bad idea? I have lots of theoretical arguments, but nothing visceral.

Response: We are familiar with fingerprints in a criminal context. That’s why it is an indignity to be asked for a fingerprint, in order to cash a check, cross a border, get public assistance, or hold a job. Getting fingerprinted is stigmatizing. It connotes suspicion. In addition, in the electronic age, the print image goes beyond the control of the individual who provides it, and probably beyond the control of the organization gathering it.

There is a real possibility that the electronic image could be affixed to a crime scene, to a piece of evidence, or other object, either maliciously or in error. The same is true of electronically stored signatures. Wise citizens know to refrain from providing such sensitive biometric bits of themselves before the technology has been fully tested for reliability and trustworthiness.

Further, providing a fingerprint in a law-abiding context increases the chances that an individual’s prints will be stored in the databases that are checked when latent prints are found at a crime scene - like the National Crime Information Center or the FBI’s automated fingerprint database. This increases the chances that the innocent individual will be identified by an erroneous match. These false positives are not frequent, but persons whose prints are not in the database have a zero chance of being the victim of a false match.

A component of privacy is autonomy – the ability to make personal choices – and to control sensitive personal information, even if it is accurate. Within that definition, the collection of fingerprints from masses of law-abiding individuals is a loss of privacy.

Video Voyeurism Bill Advances

The House of Representatives is expected to pass a bill making it a federal crime to capture an “improper image” of an individual nude or in undergarments without consent, where there is “a reasonable expectation of privacy.” The so-called “video voyeurism” bill, S 1301, matches laws enacted in 32 states in the past five years but does not preempt or invalidate them. The federal bill, approved by unanimous consent by the Senate last September, exempts law enforcement and intelligence. Michael DeWine, R-Ohio, introduced the bill a year ago; in his home state prosecutors had difficulties trying to charge or convict a man accused of using a hid-den video camera in his home to record unsuspecting female cheerleaders changing clothes to use his swimming pool.

For the complete story, ask for a sample copy of our June 2004 issue.

20 Minutes
- From January 2004 issue

This monthly feature advises you how to protect your own privacy, by taking 20 minutes a month.

Dispose of any documents or correspondence that show your Social Security number, credit-card numbers, or other sensitive personal information only after shredding, either by hand or machine. If you tear off the portion with account numbers by hand, dispose of the pieces in a separate trash can and place it for collection on a separate day.

Or you can purchase a shredder, now a necessity in most homes.

The Man Who Just Said 'No'
- From December 2003 issue

He’s been called an “unemployed cowboy with no assets beyond a few head of cattle and a pickup truck.”

A newspaper article called him a grouchy farm hand. An article on the Web site of the Clark County (Las Vegas) Bar Association, which should know the libel laws, calls him “a drunk in rural Nevada.”

A national newspaper columnist said that his name should be Obstinate.

And that’s the whole point. Dudley Hiibel declined to give his name when approached by a police officer just outside the limits of his hometown of Winnemucca, Nev. (pop. 9400). A witness had reported to the deputy seeing a man strike a woman with whom he was riding in a pickup truck. The deputy found Hiibel standing by his vehicle at the side of the road. He assumed that Hiibel had been drinking. Eleven times the officer asked Hiibel to identify himself, and 11 times Hiibel declined. And so the officer arrested him on charges of violating a state law that requires a person to identify himself when police stop him or her with reasonable suspicion of criminal activity. The woman he was with was his daughter.

Hiibel engaged the public defender in Humboldt County, Robert Dolan, to defend him. Hiibel – known as Larry D. Hiibel in court documents – was convicted of obstructing and delaying a police officer, a misdemeanor worth a $250 fine.

When a higher court affirmed the conviction, Hiibel immediately turned to his lawyer and said, “I’m being treated like I’m in a communist country.”

Dolan sued the court on his client’s behalf, and the case of Hiibel v. Sixth Judicial District Court soon came before the State Supreme Court of Nevada. Hiibel, 54, was not seen at the oral arguments, but he managed to get three of the seven members of the high court to agree with him. But a four-person majority ruled against him. Now the U.S. Supreme Court has scheduled oral arguments for January in his appeal to the highest court in the land.

For the full story, and to learn what this has to do with personal privacy, send an e-mail or call us for a free sample copy of our December 2003 issue.

Privacy Tip
- From October 2003 issue

Credit-card company rules require merchants to accept a card charge without demanding additional ID or other information as long as the signature on the back of the card bears a "reasonable likeness" to the signature you provide on the credit slip. If you encounter a merchant requiring additional ID (or setting a minimum charge), report this to MasterCard at (However, American Express allows some firms like WalMart and K-Mart to require you to provide your billing address Zip code in a digital key pad). In CA, DE, DC, FL, GA, KA, MD, MA, MN, NJ, NY, ND, PA, RI, and WI, it is illegal for merchants to record any extra information on credit slips like phone numbers, addresses, or ID numbers. For more on this tip for protecting your privacy, ask us for a sample copy of the October 2003 issue.

Federal Regulations for Ferry Travel
- From September 2003 issue:

All ferry companies in the U.S. must develop security plans by the end of the year that may lead some of them to demand photo IDs for passengers.

An interim Coast Guard regulation requiring new security precautions on maritime vessels does not require or even suggest demanding IDs; in fact, it says that a ticket is adequate proof that a person belongs on a vessel. But any ferry company is free to use the regulation to initiate a photo ID requirement for passengers, and the regulation recognizes the seagoing tradition that a boat captain may deny passage to anyone for any reason.

On a separate matter, the authority to search passengers, the interim regulation requires boat companies to “conspicuously post signs that describe security measures currently in effect and clearly state that . . . boarding the vessel is deemed valid consent to screening or inspection; and failure to consent or submit to screening or inspection will result in denial or revocation of authorization to board.”

However, the vessel operator must also “ensure vessel personnel are not required to engage in or be subjected to screening, of the person or of personal effects, by other vessel personnel, unless security clearly requires it. Any such screening must be conducted in a way that takes into full account individual human rights and preserves the individual’s basic human dignity.”

On IDs, the same section of the rule says that vessel operators must “check the identification of any person seeking to board the vessel, including vessel passengers and crew, facility employees, vendors, . . and visitors. This check includes confirming the reason for boarding by examining at least one of the following: (i) joining instructions; (ii) passenger tickets; (iii) boarding passes; (iv) work orders, pilot orders, or surveyor orders; (v) government identification; or (vi) visitor badges issued in accordance with an identification system required [by the regulation].” Further, the vessel operator must, “deny or revoke a person’s authorization to be on board if the person is unable or unwilling, upon the request of vessel personnel, to establish his or her identity.” * * *

For the full story, call or write for a free sample of our September issue.

Twenty Minutes a Month
- from the May 2003 issue
This monthly feature advises you how you can campaign for privacy protection or protect your own privacy, by taking 20 minutes a month. If you subscribe within the next month, ask us for a copy of all of these tips, and we'll send it to you free.

One simple way to dramatically reduce your risk of identity theft and secondary use of personal information is to opt-out from prescreened credit card offers. These offers are sent to individuals whose credit reports match criteria desired by credit issuers. The problem with these offers is that they can be intercepted in the mail by a fraud artist and then used to obtain credit in your name. Prescreened offers are delivered not only by mail; there is a growing movement to transmit them by e-mail, which implicates even greater security risks.

You can opt-out of prescreening from Experian, Trans Union, and Equifax by calling one phone number: 1-888-5-OPTOUT. Pay careful attention to the options on the phone menu. The first option on the menu will remove your information for only two years. The second option places you back on prescreening lists! The last option is the one that you want – it will remove your information from prescreened list permanently. In order to exercise this last option, you will have to complete a form that will be mailed to you after you complete the telephone call.

Other ways to reduce the risk of identity theft: Provide your Social Security number only when the transaction has tax consequences or involves Medicaid or Medicare. Do not provide it to apply for credit, employment, or insurance. Don’t provide it by telephone to strangers or to anyone by fax. Check your own credit report for accuracy, perhaps once a year. Before disposing of documents with credit-card numbers or Social Security numbers on them, tear them in half, splitting the identifying numbers, and then deposit the pieces in separate trash containers.

Just Published
From the April 2003 issue

In a new study, the Center for Democracy and Technology advises a couple of tricks to lessen the amount of unwanted e-mail advertising (Spam). List your email address on Web sites and newsgroups as username at [with spaces before and after the "at"]. Listing your real address, like username@​ makes it easy for marketers to harvest it automatically and add it to their lists. Another idea: use a second e-mail address as the “public address” that you make available on-line and in commercial transactions.

In each issue, Privacy Journal provides tips like this and a listing of new publications and upcoming events relevant to protection of personal privacy.

A New Fashion Statement?
- From February 2003 edition

There a “ChipMobile” moving about the nation – or at least about communities in Florida. It’s Applied Digital Solutions’ “state-of-the-art, fully equipped mobile unit to spread awareness about the benefits of VeriChip to wide audiences.”

VeriChip, first announced in December 2001, is a miniaturized radio-frequency identification device (RFID) that can be used in “a variety of security, financial, emergency, identification and health-care applications,” according to the company. It now has seven authorized VeriChip centers in Florida, Washington, D.C., and elsewhere in the U. S.

Back in September 1994, PRIVACY JOURNAL reported, “Entrepreneurs in the microchip-implant business who are eager to sell their products to ‘the human market’ have said that implanting identity chips in Alzheimer’s patients would be the most benign and publicly acceptable use of human implants with which to begin.”

Indeed, doctors for Applied Digital Solutions first implanted the tiny VeriChip transponder in a memory-impaired patient on May 10, 2002. Now there are 20 Americans walking around with them, including the company’s public relations consultant, who proudly wears an implant in his upper right arm. The new chips are inert demos right now because the reading devices for them are scarce and because the chips do not locate the individual or store medical information.

For the complete story, ask us for a sample copy of the February 2003 edition:

Virginia Citizen Makes Courts Think Twice
- From January 2003 issue

Court clerks throughout the nation may be moving to post court documents on their Web sites, but in Virginia that trend has skidded to a halt because of the efforts of one woman.

Betty “BJ” Ostergren of Hanover County began her campaign to warn citizens of the invasion of their privacy last August, when a local title searcher told her that the county clerk planned to place court records on-line. The records would include deeds of trust with signature facsimiles and Social Security numbers; certificates of satisfaction/​assignments; homestead deeds; final divorce decrees; judgments and liens; wills; lists of heirs; fiduciary reports for estates; and Financing Statements (often called UCC’s).

BJ was infuriated by this prospect. She decided to spend money she had set aside for family Christmas gifts to launch a direct-mail campaign.
BJ Ostergen’s direct-mail approach was effective. She downloaded personal information from Web sites maintained by neighboring counties and mailed it to the individuals involved, along with a letter urging action. She started with King County. “I got the folks riled up over there and the Board of Supervisors eventually voted to kick the clerk off the Web site since he was using the county’s site,” she told FauquierNews, an electronic investigative newsletter on open records in Virginia edited by James Borland.

Ostergren claims credit for ending Internet publication of citizens’ documents in King William, Scott, and Warren counties. Her home county never went ahead with its plan. At a citizens meeting on general concerns sponsored in Richmond last month by the Virginia Institute, Ostergren energized the people there, got a State Senate candidate fired up by displaying the data on him that she had downloaded, and had a member of the state legislature promise to introduce a bill to limit the kinds of personal data that courts may display on Web sites. This month she’s building her own Web site, not to show personal information about citizens but to inform them of their vulnerability.​watchdog.

For the full text of the article, send us an e-mail request for a free sample of the January 2003 issue.
If you have gotten this far in our Web site, you deserve a free 6 month subscription! Call us or e-mail us and ask for the free subscription to the "Eric Blair" special. If you identify the significance of that name, we'll add a free month to your 6 free months!

Go to our Ranking
of States in Privacy Protection

Essential Books

A - Legal Reference
Consumer Protection eBook
An eBook that you can upload to your handhold device and consult whenever you are in the marketplace or at work, to see what privacy protections exist to help you.
B - History
the tug between privacy and surveillance in U.S. history
E - Directory
500 names, address, phone numbers, and Web sites of the top experts and organizations in the field of personal privacy. $18.50
Order Form
D - Current issues
Anecdotes of Persons Victimized by Invasions of Privacy
Essays on privacy issues
D - Current Issues
C - Advocacy
F - Legal Reference
G. Classic Still Available
1980 National Book Award nominee
Regional Humor
Quiz for a Rainy Day