EPIC Alert
A recent filing with the Securities and Exchange Commission indicates that the Federal Trade Commission has "issued a request for additional information and documentary materials regarding the proposed acquisition" of DoubleClick. Last week, the Federal Trade Commission opened a preliminary antitrust investigation into Google's planned $3.1 billion acquisition of the online advertising company.
It was decided last week that the FTC, and not the Department of Justice, would conduct the investigation; the two agencies share the duty of antitrust enforcement, though the FTC has extensive expertise in consumer privacy matters. The FTC's "second request" for information suggests that the proposed acquisition raises more serious antitrust issues. According to FTC Chair Majoras's statement on the merger review process, "the majority of investigations in which the FTC issued a second request resulted in a merger challenge, consent order, or modification to the transaction, suggesting that the FTC generally issues second requests only when there is a strong possibility that some aspect of the investigation would violate the antitrust laws."
Last month, EPIC, the Center for Digital Democracy and the United States Public Interest Research Group filed a request for the FTC to investigate the privacy implications of the proposed merger. In the complaint, the groups noted that Google collects the search histories of its users, while DoubleClick tracks what Web sites people visit. The groups urged the FTC to assess the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is personally identifiable as well as data that is not. The groups recommended that the merger not be approved unless adequate privacy safeguards are established.
In an antitrust investigation, regulators must define the relevant market, and weigh the likely impact on competition. Privacy issues are relevant to the Google/DoubleClick antitrust investigation because of the unique circumstance presented in the world of online advertising: the success of targeted marketing and the use of individuals' personal data are inextricably linked.
Securities and Exchange Commission filing:
FTC Merger Reform Announcement (Feb. 2006) (pdf):
EPIC's Complaint to the FTC (pdf):
EPIC's FTC Google Complaint page:
Letter from the NY State Consumer Protection Board (pdf):
The European Union's Article 29 Data Protection Working Party has launched an investigation into Google's privacy practices. In a letter to Google, chair of the Article 29 Working Party, Peter Schaar asked whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules.
Mr. Schaar explained, “As you are aware, server logs are information that can be linked to an identified or identifiable natural person and can, therefore, be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason, their collection and storage must respect data protection rules.” EU Directive 95/46/EC states that individuals' personal information can only be collected for "specified, explicit and legitimate purposes." Information that is collected can only be kept in identifiable form for as long as is "necessary for the purposes for which the data were collected or for which they are further processed."
Mr. Schaar pointed to the “Resolution on Privacy Protection and Search Engines,” which urged data minimization and addressed several issues with regard to server logs and the detailed profiling of users. “The Article 29 Working Party fully supports this Resolution and would appreciate the detailed views of Google on the steps which it has taken to fully implement its recommendations.” The Working Party will discuss the investigation into Google's privacy practices at its meeting in June and requested that the company respond before then.
In 2001, a coalition of consumer organizations in Europe and North America wrote to policymakers regarding the privacy implications of the America Online and Time Warner merger. The groups urged officials to "condition approval of the proposed merger on the adoption of enforceable Fair Information Practices that would guarantee consumer privacy safeguards at least equal to those that would be provided under the EU Data Directive." The groups also recommended that EU and US officials "consider the impact of mergers on privacy, as one factor in the review to determine if a merger is in the public interest" and establish "legal mechanisms to address privacy concerns of mergers, such as mechanisms to place conditions on mergers that would protect consumer privacy."
Article 29 Data Protection Working Party page:
Statement of TransAtlantic Consumer Dialogue Regarding Merger of America Online and Time Warner and Privacy Protection (Feb. 2000) (pdf):
On June 7, the Subcommittee on Social Security of the Committee on Ways and Means will hold a hearing on current and proposed employment eligibility verification systems and the role of the Social Security Administration in authenticating employment eligibility. Subcommittee Chairman Michael R. McNulty (D-NY) said, “If employment eligibility verification is to be a key enforcement tool for immigration policy, we must ensure the system is effective, efficient and feasible. We need a better understanding of the possible consequences and impact on the Social Security Administration if they are to undertake this expanded responsibility without compromising their core mission of administering Social Security.”
EPIC's current "Spotlight on Surveillance" scrutinizes the national employment verification system now under consideration in Congress. The national database is proposed to prevent undocumented immigrants from obtaining employment in the United States, but it could instead prevent millions of Americans from obtaining lawful employment. The federal program will also be expensive. The Government Accountability Office has estimated that a nationwide expansion of the Basic Pilot program would cost $11.7 billion.
Basic Pilot, a joint project of Customs and Immigration Services and the Social Security Administration, is a voluntary employment eligibility verification system created in 1997. In the Basic Pilot program, an employer voluntarily fills out an online form with the new employee's name, date of birth and Social Security Number within three days of the employee's hire date. This information is checked against Social Security Administration databases to verify identity and, if the employee is a non-citizen, her data is then checked against the Department of Homeland Security databases to verify employment eligibility.
Congress is considering two bills that would create a nationwide, mandatory employment eligibility verification system. An examination of the two bills finds that the proposed changes would make the already-flawed identification systems worse for both U.S. citizens and documented immigrants. As of December, Basic Pilot consisted of 12,000 employers, about 0.2 percent of the seven million employers nationwide. In Fiscal Year 2005, less than one million verifications were run through Basic Pilot. Under H.R. 1645 and S.AMDT. 1150, all of the nation's seven million employers would be mandated to use another version of the Basic Pilot system, creating a national employment eligibility verification system ("EEVS") of 143.6 million authorized workers.
Several government analyses of Basic Pilot have detailed significant flaws in the system and have recommended against expanding the employment verification system nationwide. EEVS would use the same databases to check the employment eligibility of workers, though the Government Accountability Office and the Social Security Administration's Inspector General have found the databases used in Basic Pilot are filled with inaccurate data, which can lead to authorized workers being deemed ineligible for employment. The Inspector General estimated that the Social Security Administration's Numerical Identification File ("NUMIDENT") had about 17.8 million records with discrepancies with name, date of birth or death, or citizenship status; about 13 million of these inaccurate records belong to U.S. citizens. Sometimes the errors are corrected and the employee is not adversely affected, but government analyses of Basic Pilot have shown that employees can be negatively affected. If an initial check under Basic Pilot returns a "further action" notice, then employers have reduced the pay or responsibilities of workers or even terminated employment, even though such action is illegal. Employers may only terminate employment if there is a final determination of a worker's employment ineligibility. Government analyses have found that workers are sometimes not told of the "further action" notice, so they do not know why they have been adversely affected and the employees cannot take steps to correct the records.
Both H.R. 1645 and S.AMDT. 1150 expand data sharing and collection, consolidating the power to access and control this information in the Department of Homeland Security. New exemptions are created, requiring the Social Security Administration, Internal Revenue Service, and Department of State to disclose confidential and sensitive personal data to the Department of Homeland Security. This data includes employee data, birth and death records, driver's license and state identification files, visa and passport records and taxpayer information. EEVS also presumes that workers will use biometric Social Security cards and REAL ID cards - neither of which exists.
EPIC Executive Director Marc Rotenberg is expected to testify at the hearing next week.
EPIC Spotlight on Surveillance on EEVS:
Committee Press Release on June 7 Hearing:
Submit Public Comment for the June 7 Hearing:
Office of Inspector General, Social Security Administration: Congressional Response Report: Accuracy of the Social Security Administration's Numident File, A-08-06-26100 (Dec. 18, 2006) (pdf):
H.R. 1645 (pdf):
S.AMDT. 1150 (pdf):
Previous EPIC Congressional Testimony About Social Security:
EPIC, the American Civil Liberties Union, and the National Security Archive filed a supplemental memorandum that urged a federal district court to require the Justice Department to disclose documents about the NSA Domestic Surveillance program. The motion follows the testimony of former Deputy Attorney General James Comey before the Senate Judiciary Committee that indicated that top officials at the Department of Justice believed that the program was illegal. EPIC first sought documents regarding the legal basis for the program just hours after the warrantless surveillance program was first reported in the New York Times in December 2005.
The New York Times reported that President George W. Bush had issued an order in 2002 allowing the National Security Agency unprecedented authority to conduct domestic surveillance. The government's authority to conduct surveillance is found in two statutes: Title III, also called the "Wiretap Statute," outlines the strict guidelines regulating ordinary domestic law enforcement surveillance, and the Foreign Intelligence Surveillance Act (FISA) establishes a separate legal regime for foreign intelligence surveillance information in furtherance of U.S. counterintelligence. Congress specifically stated that FISA and Title III "shall be the exclusive means by which electronic surveillance ... and the interception of domestic wire, oral, and electronic communications may be conducted."
In a letter sent to Attorney General Alberto Gonzales, Senators Patrick Leahy and Arlen Specter are seeking the legal justifications for the President's warrantless domestic spying program. Senate Judiciary Committee Chairman Leahy and Ranking Member Specter wrote that the Attorney General has "rebuffed all requests for documents and your answers to our questions have been wholly inadequate and, at times, misleading." The senators said that the testimony of former Deputy Attorney General James Comey, which indicated that the White House went forward with the warrantless spying even though top officials at the Department of Justice believed the program was illegal, "raises very serious questions about your personal behavior and commitment to the rule of law."
In addition to questions about the legality of the NSA program and the consequences of a possible determination that public officials violated the FISA, EPIC has also urged Congress to consider the importance of establishing reporting requirements for the NSA that are comparable to other federal agencies that conduct surveillance in the United States.
Letter from Sen. Patrick Leahy and Sen. Arlen Specter to Attorney General Alberto Gonzales:
EPIC's Spotlight on Surveillance "Legality of NSA's Secret Eavesdropping Program Is Suspect and Cost is Unknown":
EPIC's page on FISA:
http://www.epic.org/privacy/terrorism/fisa/
EPIC's page on EPIC v. DOJ:
The Technical Guidelines Development Committee, the standards development committee of the federal government's Election Assistance Commission, met last week to review and approve their revised draft of recommendations on future voluntary voting system guidelines. This was the ninth meeting of the Committee, which is working with the assistance of the National Institute of Standards and Technology to develop voting guidelines for 2007.
The Election Assistance Commission was established by the Help America Vote Act of 2002, and provides guidance to states on the conduct of federal elections and the adoption of new voting systems. The standards adopted by the Commission are mandatory for those states that take federal funding for the replacement of their voting systems. The Help America Vote Act establishes the standards development process that governs the adoption of new voting systems intended for use in federal public elections. This process begins with recommendations from the Technical Guidelines Development Committee being sent to the Election Assistance Commission. The recommendations approved last week will be submitted by early July to the Election Assistance Commission, which will then publish the document in the Federal Register and open a public comment period.
This will mark the second standards document completed in the Help America Vote Act process in two years. The first federal Voluntary Voting System Guidelines document was completed and published in the Federal Register in April 2005. Prior to the Act's process requirements, there were two voting standards documents (one in 1990 and the other in 2002) produced by the National Association of State Election Directors.
In other voting news, Senator Feinstein, the new chair of the Senate Rules Committee, has introduced a bill (S.1487) to help ensure the accuracy of vote counts in federal elections and institute reforms in the administration of elections. The legislation is intended to be the Senate companion bill to House Resolution 811. The key provision in both bills is the establishment of a voter verified paper record by 2010 for all direct recording electronic voting systems. Senator Feinstein's version of the legislation would ban the purchase of any new direct recording electronic voting systems that do not provide an accessible, durable permanent voter-verified paper ballot; and prohibit election officials from serving in an official capacity with federal political campaigns.
S.1487: A bill to amend the Help America Vote Act of 2002 to require an individual, durable, voter-verified paper record under title III of such Act, and for other purposes:
House Resolution 811 (pdf):
National Association of State Election Directors:
Help America Vote Act Law:
Technical Guidelines Development Committee page:
Election Assistance Commission page:
EPIC's page on voting:
National Committee for Voting Integrity:
Social Security Agency Revisions to Privacy and Disclosure Rules
The Social Security Administration (SSA) has revised its privacy and disclosure rules for the first time since 1980. The revisions, which came into effect on May 29, 2007, describe the existing responsibilities and functions of the Privacy Officer, establish a new senior agency official for privacy as required by the Office of Management and Budget, and explain the SSA's new Privacy Impact Assessment process in accordance with the E-Government Act of 2002. Further, the revisions state that the SSA cannot process electronic requests via the Internet if the requester's identity cannot be confirmed. Another revision gives individuals more direct access to their medical records.
Federal Register - Social Security Administration Proposed Rules (Sept. 13, 2006):
EPIC's page on Social Security Numbers:
GAO Report: FBI Needs to Address Weaknesses in Critical Network
A recent Government Accountability Office report found weaknesses in the FBI's information security controls for one of its critical networks. The FBI did not consistently prevent unauthorized insider access and ensure system integrity; identify and authenticate users to prevent unauthorized access; apply strong encryption techniques to protect sensitive data on its networks; log, audit, or monitor security-related events; protect the physical security of its network; or patch key servers and workstations in a timely manner. The GAO concluded, "these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats."
Although the FBI has an agency-wide information security program, it has not been fully implemented. Outdated risk assessment, incomplete security plans, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning all contribute to weaknesses in the critical network system. The GAO made several recommendations in a separate, classified report, to correct specific weaknesses in the security of the FBI's networks.
GAO Report: Information Security (pdf):
GAO Report: Privacy Office - Progress Made but Challenges Remain
The US Government Accountability Office (GAO) issued a report on the Department of Homeland Security's Privacy Office this week. The GAO found that the DHS Privacy Office has made significant progress by establishing a compliance framework for conducting Privacy Impact Assessments, which are required by the E-Government Act of 2002. The GAO also commended the DHS Privacy Office for integrating privacy considerations into the DHS decision-making process, by establishing an advisory committee, holding public workshops, and participating in policy development. However, the GAO found that limited progress has been made in updating public notices required by the Privacy Act for systems of records that were in existence prior to the creation of DHS. The report recommends appointing privacy officers in key DHS components, implementing a process for reviewing Privacy Act notices, and establishing a schedule for timely issuance of Privacy Office reports.
GAO Report: DHS Privacy Office (pdf):
EPIC's Report Recommending on Sui Generis Privacy Agencies (pdf):
Facebook Allows Third Party Access to Social Networking Database
Social networking service Facebook.com introduced a new feature last week that allows third party websites to access user data. Using an Application Programming Interface, third party websites can offer services to Facebook users based on personal information in the Facebook database. Facebook users can configure their privacy settings to stop their information from leaving Facebook, but Facebook has configured the Application Programming Interface so that users are opted-in by default.
EPIC Page on Social Networking and Privacy:
"Facebook API Unilaterally Opts Users Into New Services":
CRS Reports on Intelligence, Passenger Screening
Two new Congressional Research Service reports are available. "Detection of Explosives on Airline Passengers" discusses the recommendations of the 9/11 Commission and the current state of explosive screening. Policy issues covered include cost, certification and feasibility, erroneous detection, potential for intentional disruption and research and development. Another report summarizes ongoing Congressional concerns in Intelligence, entitled "Intelligence Issues for Congress." The report lists relevant legislation in the 110th and 109th Congresses, and identifies current issues before the 110th, such as the terrorist surveillance program and allegations of prisoner abuse and the CIA.
Detection of Explosives on Airline Passengers (pdf):
Intelligence Issues for Congress (pdf):
EPIC's 9/11 Commission page:
EPIC's Air Travel Privacy page:
Understanding Surveillance Technologies: Spy Devices, Privacy, History & Applications, Second Edition by J. K. Petersen (Auerbach Publications, 2007)
Petersen provides a comprehensive overview of surveillance and information gathering devices, broken down into four major sections: acoustic, electromagnetic, chemical & biological, and miscellaneous surveillance. Each section is then further broken down into particular chapters: "acoustic," for example, includes aural listening devices as well as sonar technology. "Electromagnetic" includes not just radio, but also radar, infrared, ultra-violet, and, of course, visual. The range of devices and technologies covered is daunting -- the book runs to over 1000 pages.
The first chapter is an introduction to and an overview of surveillance technologies. From then on the chapters are modular - applying the same structure to the topic discussed. A chapter on a technology will include an introduction to science in the area; the kinds of surveillance that are done, the context it is used in, the origins and evolution, descriptions and functions; applications; problems and limitations; restrictions and regulations; privacy implications of use; and a list of resources.
The traditional fields of surveillance are thoroughly covered. The audio surveillance chapter takes up 100 pages and is also supplemented by the 50 page radio surveillance chapter of the electromagnetic section. The history of wiretap technologies and law is covered. The legal developments have a United States centric angle. The implications discuss past abuses as well as the increasing presence of wiretaps.
For a non-traditional example, the chapter on animal surveillance covers the use of animals as detectors, as research subjects, as assistants -- like seeing eye dogs, and as treatment indicators -- profiling individuals by their treatment of animals. The limitations section addresses the specific issues that animals face, such as narcotics sniffing false positives, and the difficulty of relocation and maintenance. The implications address the individual temperament of the animals and arguments concerning animal rights. Further resources are pointed to in the form of organizations working for animal rights, for law enforcement animals, and for assistance animals.
The book serves best as a professional or student reference. It should be consulted before one begins a new venture analyzing an area of surveillance. It quickly allows the reader to gain a basic knowledge in the scientific workings of a technology, its history, legal regime, main privacy implications and resources.
-- Guilherme Roschke
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004).
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
2007 ALA Annual Conference. Washington Convention Center. June 23-26, 2007. Washington, DC. For more information:
National Institute on Computing and the Law: From Steps to Strides into the New Age. June 25-26, 2007. San Francisco, CA. For more
Federal Trade Commission: Spam Summit - The Next Generation of Threats and Solutions. July 11-12, 2007. Washington DC. For more information:
Civil Society Privacy Conference: Privacy Rights in a World Under Surveillance. September 25, 2007. Montreal, Canada. For more
29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more
OECD and Industry Canada: Shaping Policies for Creativity, Confidence and Convergence in the Digital World. October 3, 2007. Ottawa,
For more information:
University of Ottawa Faculty of Law: The Revealed "I". October 25-27, 2007. Ottawa, Canada. For more information:
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18, 2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.