E P I C A l e r t
In a motion filed this week with the Secretary of the Federal Trade Commission, EPIC and the Center for Digital Democracy have sought the disqualification of FTC Chairman Deborah Platt Majoras from the pending review of the proposed Google-DoubleClick merger. The organizations recently learned that the law firm Jones Day, at which the FTC Chairman's husband is a partner, has taken on DoubleClick as a client.
John M. Majoras is a partner who specializes in antitrust at the Jones Day law firm. Jones Day's Web site said that it is representing DoubleClick "on the international and U.S. antitrust and competition law aspects" of the deal. The Web site listed five attorneys involved in the deal, but doesn't include Majoras. However, Majoras has recused herself in other antitrust reviews when Jones Day has been involved, and the relationship between the Chairman and her husband's firm "calls into question the ability of the commission to render decisions that are fair and just." Representatives of Jones Day denied that the firm is acting for DoubleClick in the merger review.
In a subsequent filing the next day, EPIC and the Center for Digital Democracy provided new information to the Federal Trade Commission concerning Jones Day's representation of DoubleClick in the pending merger review. The new filing makes clear that statements denying Jones Day participation in the matter are flatly contradicted by an earlier posting on the firm's web site. The EPIC/CDD filing also notes that the firm has subsequently removed the relevant web pages from its web site. The groups are filing a Freedom of Information Act request for all documents at the Commission regarding the matter and notifying Congressional oversight committees.
Also this week, Rep. Joe Barton, Ranking Member of the House Energy and Commerce Committee, sent a letter to Google raising 24 questions about the company's proposed $3.1 billion merger with DoubleClick. Rep. Barton, co-founder of the House Privacy Caucus, asked Google to detail definitions of “anonymization” of consumer data, and “behavioral targeting,” among other things. He also asked Google to explain “the need to retain collected information for the length of time [Google retains consumer data]” and “how and why information is combined or shared across platforms.” A number of Senators and Representatives have called for more in-depth review of the privacy questions raised by the proposed merger. The deal is under investigation at both the U.S. Federal Trade Commission and European Commission Directorate on Competition.
EPIC and CDD Motion for Recusal (pdf):
Center for Digital Democracy:
Second recusal filing (pdf):
Jones Day's Earlier Posting (since removed):
Social networking service Facebook recently introduced new privacy components to its Beacon advertising system. The Beacon service collects information from user interactions with third party sites such as Ebay and Overstock.com. Beacon then broadcasts this information to a Facebook user's friends, identifying the interaction such as items purchased or services signed up for. A user on a third party site would have a brief opportunity to opt-out via a pop-up. Security researchers reported that information for all Internet users, not just Facebook users, was being transmitted to Facebook's servers.
EPIC, the Center for Digital Democracy and advocacy group MoveOn.org raised complaints. Thousands of Facebook users joined in protest of the new features and the limited user control. Some advertisers were reported as pulling back on using Beacon. Also reported were some prototypes of Beacon which appeared to show that Facebook considered and rejected a global opt-out of the feature. Legal issues were raised as to whether Beacon and its companion Social Ads violated the privacy tort of the right to publicity and the Video Privacy Protection Act.
Facebook CEO Mark Zuckerberg announced the new privacy features, and apologized for how Beacon was developed and how the company reacted to the aftermath. The privacy measures combine a limited opt-in and global opt-out. Before a particular third party site will transmit information, users must opt-in from their Facebook accounts. Facebook will continue to ask for opt-ins until it is granted by the user. Once the opt-in is granted, no more inquiries are made of the user. Facebook also added an ability to globally opt out of the service. Users are able to change their privacy settings and check a box entitled "Don't allow any websites to send stories to my profile." Previously this feature was only available on a site-by-site basis and only after that particular site had broadcast Beacon data to users.
None of these privacy features stops the information from being transmitted to Facebook. Rather, Facebook says that it does not retain information transmitted to it that concerns non-Facebook members or those that have opted out.
Mark Zuckerberg, Thoughts on Beacon:
EPIC's page on Social Networking Privacy:
EPIC's page on Facebook:
Congress continues to debate changes to the Foreign Intelligence Surveillance Act as the February deadline for expiration of the Protect America Act (PAA) looms. The PAA significantly expanded the surveillance authority of the president by removing certain surveillance from review by the FISA court. The PAA was requested by the administration following certain FISA court rulings on its surveillance powers. In a December 7, 2007 speech, Senator Whitehouse addressed the importance of oversight over the president's surveillance powers. The FISA court recently rejected a request to release redacted versions of the rulings outlining the legal reasoning for the surveillance.
Sen. Whitehouse criticized three legal propositions from Office of Legal Council opinions as examples of what the executive does "behind our backs when they think no one is looking." The propositions state that: the President may violate executive orders without issuing new ones; the President may determine whether he is properly exercising his Article II authority; and the Department of Justice is bound by the President's legal determinations. Since the Protect America Act removed certain surveillance from the FISA court review, Sen. Whitehouse points to these propositions as removing all limits from the President's ability to wiretap Americans traveling abroad.
Sen. Whitehouse concludes by arguing for FISA reform which maintains oversight over the president's surveillance authority. "We simply cannot put the authority to wiretap Americans, whenever they step outside America's boundaries, under the exclusive control and supervision of the executive branch. We do not allow it when Americans are here at home; we should not allow it when they travel abroad. The principles of congressional legislation and oversight, and of judicial approval and review, are simple and longstanding. Americans deserve this protection wherever on God's green earth they may travel."
Meanwhile, the FISA court refused to release redacted records of legal reasoning concerning the extent of the President's surveillance powers. The ACLU had sought the release of court orders and government pleadings regarding warrantless wiretapping by the President. The court responded by ruling that, though it had jurisdiction to consider the release of records, there was no common law or First Amendment right to the opinions. The ACLU had requested that the Court order a review of the individual records and release the portions which are improperly classified. The Court refused, stating that there would still be deleterious effects from the disclosure. Among the deleterious effect would be a chill on government disclosures to the court and the potential that sensitive information would be released. This case was the first time that anyone except the U.S. Department of Justice has argued, even in writing, before the court. It is only the third time in the history of the court that an opinion has been publicly released.
Transcript of Whitehouse Speech (Dec. 2007)(pdf):
Foreign Intelligence Surveillance Court Ruling (pdf):
EPIC's page on FISA:
This week the Internet search company Ask announced the release of Ask Eraser, a privacy "feature." An initial flurry of press reports indicated that the program would help safeguard online privacy. A more careful examination by EPIC has now raised questions about AskEraser.
According to the AskEraser FAQ, Internet users must turn on cookies and keep the AskEraser cookie on the users computer so that Ask search histories are not tracked. This procedure conflicts with the privacy protecting practice of routinely deleting cookies and would require users to disable other privacy software.
The opt-out cookie is also a "persistent identifier" that will allow companies such as Ask to track Internet users whether or not the companies retain search histories. Opt-out cookies were popularized by the Internet Advertising company DoubleClick, a firm that Google is now seeking to acquire.
Google has recently signed a multi-year deal with Ask that both extends and broadens the working relationship of the two companies. According to a mid-November press release "Google will provide Ask.com and IAC's other Internet brands with sponsored listings. Additional terms of the five-year agreement were not disclosed." However, Google is the company that processes the Ask.com search requests, even with Ask Eraser enabled, which means that Google could retain search histories.
Jeff Chester, Executive Director of the Center for Digital Democracy said, "The representations about Ask Eraser are not fair or accurate. In the absence of user action, Ask will continue to track the search histories of Internet users. Those users who enable Ask Erase must disable cookie deletion features. Also, the search deletion policy will expire. Finally, all of the Ask searches, for users who have selected Ask Eraser, will be processed by Google which purposefully chooses to retain search histories."
Marc Rotenberg, EPIC Executive Director said, "If the FTC sanctions opt-out cookies, Internet users will be required to keep persistent identifiers on their computers from all the companies they do not want tracking them. It is a nonsensical approach to privacy protection."
"Ask.com Puts You in Control of Your Search Privacy With the Launch of 'AskEraser'" (Dec. 11, 2007):
Ask Press Release, "IAC and Google Sign Multi-year Deal" (Nov. 12, 2007):
Doubleclick, "DART Ad-Serving and Search Cookie Opt-Out":
Under border control system US-VISIT, the Department of Homeland Security will begin collecting a full set of fingerprints from foreign visitors to the U.S. Until now, US-VISIT has only required two-print collection. The database now includes 90 million sets of prints.
The program initially applied only to visitors traveling to the United States on visas. However, on September 30, 2004, US-VISIT was expanded to collect biometrics from travelers visiting the United States for ninety days or less through the Visa Waiver Program, and has been broadened more in the past three years.
Under US-VISIT, foreign visitors are subject to biometric collection, biographic data collection, and watch list checks. The information collected from individuals includes name, date of birth, country of citizenship, passport number and country of issuance, complete U.S. destination address, and digital fingerscans.
The Government Accountability Office reported in July that US-VISIT is plagued with problems. "Weaknesses existed in all control areas and computing device types reviewed," the GAO said. Security flaws in the network used at 400 entry points nationwide increase the risk of theft or manipulation of tens of millions of identity records, which include passport, visa, Social Security and biometric data.
In 2005, a computer virus crashed the US-VISIT system. According to documents released to Wired News under the Freedom of Information Act, DHS knew of the software vulnerability, but deliberately chose to leave more than 1,300 sensitive US-VISIT workstations vulnerable to attack.
Government Accountability Office, "Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program GAO-07-870" (July 2007) (pdf):
Department of Homeland Security's Press Release About 10-print Collection:
Department of Homeland Security's US-VISIT page:
EPIC's page on US-VISIT:
EPIC's page on Biometrics:
Two Informative CRS Reports on FISA are Released
As Congress continues to debate amendments to the Foreign Intelligence Surveillance Act, two new CRS reports have been released. The first presents a brief overview of selected issues in the FISA debate, including the tension between national security and civil liberties; the collection of foreign intelligence from persons based abroad; and immunity for telecommunications companies that aided the administration's warrantless surveillance program. The second report provides a detailed comparison of he three major proposals before Congress. The House passed HR 3733, which does not include immunity, is compared with the Senate Judiciary bill, which also does not contain immunity, and the Senate Intelligence Committee bill, which does contain immunity. The Senate has yet to pass a bill. The President has promised to veto bills which contain immunity.
The Foreign Intelligence Surveillance Act: A Brief Overview of Selected Issues (pdf):
The Foreign Intelligence Surveillance Act: Comparison of House-Passed H.R. 3773, S. 2248 as Reported By the Senate Select Committee on Intelligence, and S. 2248 as Reported Out of the Senate Judiciary Committee (pdf):
EPIC's page on FISA:
International Human Rights Day
December 10, International Human Rights Day, commemorated the 1948 adoption of the Universal Declaration of Human Rights. Human Rights Day 2007 marked the start of a year-long commemoration of the 60th anniversary of the Declaration. The Declaration is the foundation of international human rights law, the first universal statement on the basic principles of inalienable human rights, and a common standard of achievement for all peoples and all nations. Article 12 of the Declaration includes privacy as a fundamental human right.
UN International Human Rights Day:
Universal Declaration of Human Rights:
Privacy and Human Rights 2006:
Privacy Law Sourcebook:
Privacy Protections Lacking in US Healthcare Bill
Senators Kennedy and Enzi proposed the Wired for Healthcare Quality Act, S. 1693, in an effort to advance health information technology. However, members of the Coalition for Patient Privacy claim that the Wired Act does not contain meaningful protections to keep individuals' health information private, and have asked that the bill go no further until privacy protections are added. According to advocacy group Patient Privacy Rights, “passage of the Wired Act as written will further erode Americans' right to keep their health records private and cost the taxpayers millions.” Senator Leahy has drafted an amendment adding privacy protections, and the Coalition for Patient Privacy sent a letter to the Senate this week urging the Wired Act's sponsors to include all of the privacy protections proposed in Senator Leahy's amendment.
Wired for Health Care Quality Act, S.1693:
Senator Leahy amendment (pdf):
Coalition for Patient Privacy letter to Senators Kennedy and Enzi (Dec. 10, 2007) (pdf):
DOJ Support Voter Photo ID Requirements
The Department of Justice submitted a brief in support of the state of Indiana's voter identification law awaiting a hearing before the United States Supreme Court scheduled for January 9, 2008. The brief asserts that the Indiana Voter ID law is an administrative rule that furthers the State's interest in combating voter fraud. The Department of Justice states that the state has broad authority to establish the new photo voter ID requirement and that it is neither discriminatory nor a severe burden. EPIC filed a brief in the same case, Crawford v. Marion County, in opposition to the State's position. because of privacy and the claim by that the identification requirement protected the election process from fraud. Indiana has recent case history of absentee voter fraud that resulted in overturning a local judicial race.
The Justice Department's record of enforcing laws that protect the voting rights of minority voters has seen a shift toward voter fraud, which has little documented evidence, and away from ballot access problems that have a long history.
DOJ Brief (pdf):
EPIC's page on Crawford case:
EPIC Crawford Brief (pdf):
EPIC's page on Voting Privacy:
Samuelson Clinic Releases New Security Breach Notification Report
A new report released by the Samuelson Clinic, entitled “Security Breach Notification Laws: Views from Chief Security Officers” found that 36 states have enacted breach notification legislation, which requires notice to individuals in the event of a loss of their personal data. The report chronicled the literature on data security breaches and surveyed information security chiefs on the subject. However, the report noted that security of personal information held by companies is still not a marketable feature to consumers.
The findings of the report are that breach notification laws raise awareness of the importance of information security; facilitate better cooperation among departments within organizations; and that as a result companies are requiring better security practices of their own suppliers or contractors. The study recommends the establishment of uniform standards for: public notice of security breaches; notification to a centralized organization in addition to customers; clarification and broadening technology safe harbor provisions; create a safe harbor period for notifications; and collection of more information on the type of notification trigger language that should be used. The Federal government has failed to enact legislation related to breach notification.
Samuelson Clinic report:
One World Trust Releases 2007 Global Accountability Study
One World Trust, a leading expert in the field of global governance and accountability, has released a report at the British Parliament measuring and ranking the accountability of 30 of the world's most powerful intergovernmental, corporate, and non-governmental organizations. The Report analyses each organization's capabilities according to the four dimensions of accountability as defined by the Global Accountability Framework: transparency, participation, evaluation, and complaint and response mechanisms. This year's report shows that intergovernmental organizations showed excellent transparency and evaluation systems, while NGOs showed the best participation capabilities and corporations showed the best complaint and response mechanisms.
2007 Global Accountability Study:
The Public Voice:
Shopping for the holidays? Consider an EPIC book!
Titles from the EPIC Bookstore 2007
Litigation Under the Federal Open Government Laws (FOIA) 2006
Privacy and Human Rights 2006
Information Privacy Law 2005
The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments
The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society
Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls
Cryptography and Liberty 2000: An International Survey of Encryption Policy
The Consumer Law Sourcebook 2000: Electronic Commerce and the Global Economy
Privacy on the Line, The Politics of Wiretapping and Encryption, Updated and Expanded Edition by Whitfield Diffie and Susan Landau
"The Future of Reputation: Gossip, Rumor, and Privacy on the Internet” by Daniel J. Solove
"Privacy Law and Society" by Anita Allen
"Takeover: The Return of the Imperial Presidency and the Subversion of American Democracy" by Charlie Savage
"Digital Destiny: New Media and the Future of Democracy" by Jeff Chester
"Generation Digital: Politics, Commerce and Childhood in the Age of the Internet" by Kathryn C. Montgomery
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
US Department of Homeland Security Privacy Office Public Workshop: CCTV - Developing Privacy Best Practices. Arlington, VA. December 17-18, 2007. For more information, email firstname.lastname@example.org
ACI’s 7th National Symposium on Privacy & Security of Consumer and Employee Information. January 23-24, 2008. Philadelphia, PA. For more information: http://www.americanconference.com/privacy
Computer Professionals for Social Responsibility: Technology in Wartime Conference. January 26, 2008. Stanford University. For more information: http://cpsr.org/news/compiler/2007/Compiler200707#twc
Mobility, Data Mining And Privacy: Preserving Anonymity in Geographically Referenced Data. February 14, 2007. Rome, Italy. For more information
Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.