EPIC Alert 15.12 [2008] EPICAlert 12

E P I C A l e r t

Volume 15.12                                             June 13, 2008
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents
[1] EPIC Urges Senate to Crack Down on Spyware
[2] Privacy Groups: "Google Should Link to a Privacy Policy"
[3] Canadian Law Students File Privacy Complaint Against Facebook
[4] Coalition of Privacy Advocates Urges Privacy in E-Prescribing
[5] EPIC Urges DC Council to Suspend Video Surveillance Program
[6] News in Brief
[7] EPIC Bookstore: Zero Day Threat
[8] Upcoming Conferences and Events - Subscription Information - Privacy Policy - About EPIC - Donate to EPIC - Support Privacy '08

[1] EPIC Urges Senate to Crack Down on Spyware

On June 11, 2008, EPIC Executive Director Marc Rotenberg testified on spyware in a hearing before the Senate Commerce Committee. EPIC said that spyware, adware, and other information collection techniques are growing threats to the privacy of Internet users. EPIC warned that spyware could cause significant degradation in system performance, result in loss of Internet access, and impose substantial costs on consumers and businesses. Furthermore, spyware creates numerous privacy threats, including theft of personal information, monitoring of communications and tracking of an individual's online activity.

The Committee is presently considering anti-spyware legislation, the Counter Spy Act. EPIC generally supported the Committee's efforts. However, EPIC cautioned that a federal spyware law should not pre-empt state laws that provide stronger consumer protections. EPIC commended existing and innovative state spyware laws, including the Washington State Computer Spyware Act. The Washington State law recently led to a $1,000,000 settlement with software company Secure Computer.

EPIC also urged the Committee to address new spyware-like surveillance techniques that do not involve the installation of software on users' computers. Non-traditional computer surveillance technologies present additional privacy threats. These technologies include deep packet inspection, data collection through social networking platforms, third-party and opt-out cookies, and mobile device surveillance. Non-traditional spyware-like technologies are not directly addressed by the present draft of the Counter Spy Act.

EPIC also briefed the Committee on privacy threats arising from “stalker spyware,” over-the-counter surveillance technologies sold for individuals to spy on other individuals. On March 6, 2008, EPIC filed a complaint with the FTC against “stalker spyware” vendors. EPIC highlighted the unfair and deceptive practices used to market this software. These practices include the promotion of illegal surveillance targets, the promotion of “Trojan Horse” email attacks, and the failure to warn purchasers of the legal consequences of unlawful use.

The proposed Counter Spy Act:

EPIC's Testimony before the Senate Commerce Committee (pdf):

EPIC's Personal Surveillance Technologies Page:

EPIC's Complaint to the FTC regarding Spyware (pdf):

[2] Privacy Groups: "Google Should Link to a Privacy Policy"

This week, California Assembly member Joel Anderson said that Google is in violation of California Law. In a letter to Eric Schmidt, CEO of Google, Mr. Anderson wrote "All Google must do to bring itself into compliance with the law is to place the word 'privacy' on its homepage to link to its privacy policy."

Last week, consumer privacy groups requested that Google follow California law and place a prominent link to its privacy policy on its home page, calling the failure to do so "alarming." The groups also argue that it is widespread industry practice to display such a link. Currently it requires clicking three hyperlinks to reach Google's privacy policy, and the link on the homepage does not mention privacy.

The California Online Privacy Protection Act requires that operators of commercial websites that collect personally identifiable information "conspicuously post" a link to their privacy policy. The link should be on the "homepage" or the "first significant page after entering the website" or in a functional hyperlink such that any reasonable person would notice it. In the letter, the groups argue that the "straightforward reading of that law is that Google must place the word 'privacy' on the web page linked to its privacy policy."

The law also requires that the policy meet certain standards. The policy must identify the categories of personal information collected and the categories of third parties that personal information is shared with. The policy must also describe any process by which users can request or review their personal information which has been collected, and describe how users will be notified of material changes to the privacy policy.

The groups further argue that while privacy policies are "no guarantee of privacy protection," the posting of one represents a commitment to inform consumers about privacy practices. The prominent posting of a privacy policy reflects the principle of openness about information collection practices.

EPIC is a signatory to the letter, joined by the California-based World Privacy Forum and the Privacy Rights Clearinghouse.

Press Release From Consumer and Privacy Groups (pdf):

Letter to Eric Schmidt, CEO of Google (pdf):

EPIC Google Privacy Page:

[3] Canadian Law Students File Privacy Complaint Against Facebook

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Canadian Privacy Commissioner regarding unnecessary and non-consensual collection and use of personal information by Facebook. CIPPIC is a legal clinic affiliated with the University of Ottawa that focuses on technology law issues. CIPPIC accuses Facebook of violating the Canadian privacy rules set by the Personal Information Protection and Electronic Documents Act (PIPEDA). The complaint outlines that Facebook places conditions on access to its services by asking users to consent to information collection unnecessary for these services, collects information by deceptive practices, gives third parties more access to its users' information than necessary, and has lax security measures.

PIPEDA states that an organization shall not condition the supply of a service by requiring an individual to consent to the collection, use and disclosure of information beyond that required to fulfill the specified purposes. CIPPIC argues that the obligatory provision of the date of birth does not comply with this statement. Furthermore, in order to add third-party applications, users have to give access to far more information than the amount required for their purposes.

The University of Virginia's Adrienne Felt and CNET's Chris Soghoian previously noted the practices with regards to third-party applications. According to them, 90% of the applications get access to more information than they need, including access to the information of the friends of the user who installed the application. The complaint specifically mentions that while Facebook is clear to developers about which information they can collect from users, there is little to no disclosure to the users themselves.

Facebook claims to offer granular control over its privacy settings. CIPPIC finds this deceptive: "Facebook purports to provide users with a high level of control over their data," said Harley Finkelstein, one of the law students who lodged the complaint. "But our investigation found that this is not entirely true." CIPPIC also finds Facebook's narrow representation of itself as a Social Networking Site misleading, because it also engages in advertising and disseminating information to third parties beyond the function of its applications.

A technical analysis of Mobile Facebook, the Facebook website for the mobile phone, showed that it deployed subpar security measures. A cookie that provides login credentials for the Facebook website has an indefinite expiration time, which would allow other parties to gain indefinite access to a user's profile. It is common practice in computer engineering to give cookies an expiration time to reduce these risks.
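The cookie-lifetime problem described above is easy to check for from the defender's side. The following audit routine is an added example written for this page; it is not code from EPIC, CIPPIC or Facebook, and the Set-Cookie headers it inspects are constructed samples, not captured traffic. It parses a Set-Cookie header value, computes the remaining lifetime (Max-Age takes precedence over Expires, as RFC 6265 specifies), and flags a login cookie whose lifetime exceeds a policy threshold (30 days here, an assumption) or that lacks the Secure or HttpOnly attributes.

```python
"""Audit Set-Cookie headers for over-long lifetimes and missing protective
attributes. Added example, not EPIC's or CIPPIC's code; all sample headers
below are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Policy threshold for a cookie that carries login credentials (assumption).
MAX_LOGIN_COOKIE_LIFETIME = timedelta(days=30)

# Fixed reference time so the audit is reproducible (the newsletter's date).
REFERENCE_NOW = datetime(2008, 6, 13, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into the cookie name and a dict of
    lower-cased attribute names -> values ('' for flags such as Secure)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def cookie_lifetime(attrs, now):
    """Return the cookie's remaining lifetime as a timedelta, or None for a
    session cookie (no Expires and no Max-Age). Per RFC 6265, Max-Age wins
    over Expires when both are present."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_set_cookie(header, now=REFERENCE_NOW,
                     max_lifetime=MAX_LOGIN_COOKIE_LIFETIME):
    """Return a sorted list of finding codes for one Set-Cookie header.
    A session cookie is not flagged for lifetime: it ends with the browser
    session, which is the behaviour the complaint says was missing."""
    _name, attrs = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append("LIFETIME_TOO_LONG")
    if "secure" not in attrs:      # cookie may be sent over plain HTTP
        findings.append("NO_SECURE")
    if "httponly" not in attrs:    # cookie readable by page scripts
        findings.append("NO_HTTPONLY")
    return sorted(findings)


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = {
    "long_lived": "login=abc123; Expires=Fri, 31 Dec 2038 23:59:59 GMT; Path=/",
    "hardened": "login=abc123; Max-Age=1800; Path=/; Secure; HttpOnly",
    "session_only": "pref=en; Path=/",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_set_cookie(header) or ["OK"])
```

Run against the three samples, the thirty-year cookie is reported for all three findings, the hardened one is clean, and the session-only preference cookie is flagged only for its missing attributes. The same routine can be pointed at the Set-Cookie headers of any response during a review of one's own site.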

CIPPIC's director, Philippa Lawson, told the BBC that they are planning to scrutinize other Social Networking Sites: "They are all suspect. Facebook is the most popular site in Canada and so that is why we looked at it in particular, but I am hoping to be able to do an analysis of MySpace later this year."

CIPPIC's PIPEDA Complaint Regarding Facebook (pdf):


EPIC Page on Facebook:

Washington Post: A Flashy Facebook Page, at a Cost to Privacy

[4] Coalition of Privacy Advocates Urges Privacy in E-Prescribing

A coalition of 25 privacy and civil liberty organizations sent a letter to the key Congressional Committees on Capitol Hill regarding the importance of patient prescription privacy. The coalition asked that patient privacy be a key consideration as Congress considers the adoption of electronic prescribing policy.

As a solution for medical errors and to make health care administration more efficient, technology to support the sharing of prescription information across databases is being advanced. However, the data transfer capability of e-prescribing services may also be used for data mining and research purposes. E-prescribing may also allow the sale and reuse of prescription information without the consent or knowledge of patients.

The letter outlined basic principles for the adoption of e-prescribing, such as a right to health information privacy; use of data only for medical purposes; prompt notification of privacy breaches; meaningful penalties; an opt-out option for physicians; annual reports on patient access to their data; no preemption of state privacy laws; and greater transparency from the Centers for Medicare and Medicaid Services.

EPIC Medical Privacy Page:

EPIC Amicus Brief, IMS v. State of New Hampshire (pdf):

Link to Privacy Letter on E-Prescribing:

[5] EPIC Urges DC Council to Suspend Video Surveillance Program

On June 2, 2008, EPIC Executive Director Marc Rotenberg appeared before the District of Columbia Council to support the suspension of the District's Video Interoperability for Public Safety ("VIPS") video surveillance system. The VIPS system, supported by DC mayor Adrian Fenty, would consolidate about 5,200 surveillance cameras into a single network. The system does not have privacy regulations. Citing privacy concerns, the DC Council Public Safety and Judiciary Committee recently cut $886,000 from Mayor Fenty's proposed homeland security budget, money that was designated for the VIPS system.

Mr. Rotenberg urged the Council to suspend the VIPS system, noting that EPIC uncovered evidence of previous DC video surveillance of political protestors. This practice implicates Constitutional rights, and raises questions about the widespread, regular use of surveillance cameras. Through Freedom of Information Act litigation, EPIC obtained individual logs of aerial video surveillance conducted by the DC Metropolitan Police Department and the FBI of protesters at the Million Family March, pro-Life demonstrations at the Supreme Court, and the various World Bank protests. These images were obtained by helicopter and downloaded to police on the ground. They were also provided to the MPD Command Center.

EPIC also urged the City Council to investigate the role of the firm L-1 Identity Solutions, the leading vendor of camera surveillance equipment. EPIC believes that L-1 would become a primary contractor for the VIPS system. L-1 has been the focus of several important studies, including “No Place to Hide” by Washington Post reporter Robert O'Harrow and “China's All-Seeing Eye” by Rolling Stone's Naomi Klein. Klein describes L-1 as a company that is helping China “build the prototype for a high-tech police state.”

EPIC has previously supported strong privacy safeguards for video surveillance. In May, EPIC urged the DC Council to carefully evaluate the cost and effectiveness of camera surveillance systems. Council members were debating a bill that would have required all gas station owners in the District to purchase and install camera systems. In 2002, EPIC testified before the City Council regarding the problems with video surveillance, and recommended strong privacy safeguards.

EPIC's Testimony Regarding VIPS (pdf):

DC VIPS System:

EPIC Video Surveillance Page:

EPIC - Observing Surveillance:

EPIC's Statement Regarding Mandatory Gas Station Camera in DC (pdf):

[6] News in Brief

Leaked Report Shows ISP Spied on Web Surfers, Crashing Their Browsers

A report leaked from British Telecom shows some of the results of its use of the Phorm monitoring service. The ISP routed users' web surfing traffic to Phorm, which then replaced parts of the websites they were viewing with targeted ads. Phorm profiled users based on the users' browsing history. The report details that users had no notice of the system, and no choice to opt out. Additionally, the technology sometimes crashed browsers or actually caused users to post on interactive online forums. In the United States, Charter Communications has announced that it plans on joining with NebuAd to perform similar monitoring and profiling.

Leaked BT-Phorm Report (pdf):

EPIC Page on Deep Packet Inspection:

Study Secretly Tracks Cell Phone Users Outside US

Nature magazine recently published a study by researchers that tracked the location of 100,000 cell phone users outside of the United States for a six-month period. Researchers report using anonymous data, but also report that individual travel patterns show temporal and spatial regularity. Individuals could be re-identified since they are likely to be at home in the evenings and at work during the day. In the United States, the Communications Act protects cell phone location information as Customer Proprietary Network Information (CPNI). Carriers have a duty to protect the privacy of CPNI.

Study 'Understanding Human Mobility Patterns':


TSA Changes ID Policy

The Transportation Security Administration announced a change in the agency's air travelers ID policy. Beginning June 21, 2008, passengers who are suspected of willfully refusing to provide identification at a security checkpoint will be denied access to the secure area of the airport. However, there is no change in the agency's policy of allowing travelers who have lost or forgotten their ID, or had it stolen, to travel. Passengers suspected of lying about the reason why they have no ID are vulnerable to this change in ID policy.

EPIC Air Travel Privacy:

TSA Press Release:

Fusion Centers Face “Insufficient” Terrorist Activity

A recent study of fusion centers determined that “[t]here is, more often than not, insufficient purely 'terrorist' activity to support a multi-jurisdictional and multi-governmental level fusion center that exclusively processes terrorist activity.” Fusion centers are intelligence databases that collect information on ordinary citizens. These state entities were established after 9-11, and were originally intended to compile information regarding terrorist activity. Privacy advocates have identified privacy threats created by fusion centers, and criticized fusion centers' involvement in domestic spying that is unrelated to terrorism. The Department of Homeland Security has awarded over $380 million in grants to fund fusion centers. Information in the recent study, authored by Milton Nenneman of the Naval Postgraduate School, suggests that fusion centers lack enough terrorism-related work to justify their present staffing levels and budgets.

“An Examination of State and Local Fusion Centers and Data Collection Methods” (pdf):

EPIC's Fusion Center page:

Privacy In the Clouds: White Paper on Privacy and Digital Identity

The Information and Privacy Commissioner (IPC) of Ontario published a white paper about identity management with Privacy Enhancing Technologies (PETs) on the Internet. The central standpoint of the white paper, 'Privacy in the Clouds', is informational self-determination, or the ability of an individual to control the collection, use and disclosure of their personal information. IPC calls for creating a user-centric identity management infrastructure, both on the Internet (Web 2.0) and in the real world (medical records). This infrastructure allows users to determine what information will be revealed to which parties and for what purposes. It gives users insight into how trustworthy those parties are, how they will handle the information and what the consequences of sharing their information will be. IPC sees a large role for open standards, such as OpenID, and community-driven operability in developing this infrastructure.

Information and Privacy Commissioner of Ontario:

EPIC Page on Internet Privacy:

EPIC Page on Medical Record Privacy:

Bush Orders Contractors to Check Legal Status of Employees

President Bush signed Executive Order 12989, which gives the Department of Homeland Security authority to review employment eligibility for all federal employees and federal contractors. The decision to expand "E-Verify" comes after Congress rejected the President's verification proposal and a federal court struck down the agency's attempt to establish similar authority by regulation. EPIC testified in Congress in 2007 against the "Employment Eligibility Verification System." The Government Accountability Office, in a June 10 report, stated that "challenges remain" in the path to implementation of full employment verification. The GAO is concerned with the ability of DHS and the Social Security Administration to handle the increased workload, the inability of E-Verify to catch certain types of fraud, and the vulnerability of E-Verify to employer fraud and misuse.

Executive Order 12989:

GAO: Employment Verification: Challenges Exist in Implementing a Mandatory Electronic Employment Verification System (pdf):

EPIC Spotlight on Surveillance - Electronic Employment Verification:

[7] EPIC Bookstore: Zero Day Threat

Zero Day Threat

The book is a walk through the world of computer crime from the perspective of security or law enforcement professionals. The view from the perspective of the authors is that these criminals are young male loners looking for attention or money to support drug habits. Or they are the tools of global organized criminal networks.

I did not like this book, but it might be just the read for a computer security professional or law enforcement person. The underlying problems attributed to computer-related crimes are software engineering, inferior data management practices by private companies, and the dysfunctional rules for granting credit. The book did not focus on these issues, but cataloged the disreputable nature of offenders.

The first decade of the digital communication age did belong to the young, and that was not a bad thing. Young men with an interest in computers are not all bad, and yes, the worms and viruses spread over the Internet under the names "I Love You," "Melissa", "Anna Kournikova", and "SoBig" were costly headaches attributed in many cases to young males. The authors of the book document the history of these incidents and connect the motivations to attention seekers, vandals, methamphetamine addicts, and finally international crime syndicates. The latter is the scariest of them all because the Internet is global and the resources are focused solely on theft in a grand way.

Stronger physical locks result from lock manufacturers reacting to threats to their customers. Unfortunately there is a disconnect between the real world problems of consumers and the poor data management practices of data holders who are often hidden from view. The quote "Right now it isn't painful enough for customers," reveals a disconnect from consumers because it is painful to deal with the problems of identity theft, but they are not getting the right information on the real source of the problem.

There is one maxim that may be helpful to summarize my view on the situation: "If you build it, thieves will come--so build it well." If the "it" happens to be an identification system such as REAL ID, or credit granting system like the one used by the financial services industry: do not use bad practices because they will be exploited.

- Lillie Coney

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

Making the Future of the Internet Economy Work for Citizens, Consumers and Workers, The Public Voice Conference. June 16, 2008. Seoul, Korea. For more information:

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information:

Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information: 

Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information:

National Conference on DNA Databanks and Race. June 19-20, 2008, New York University (NYU) Department of Sociology. For more information:

International workshop on "Global Internet Governance: An Interdisciplinary Research Field in Construction" in Paris. 23 June 2008, Paris, France. For more information:

Personal Democracy Forum 2008: Rebooting the System. June 23-24, New York City. For more information:

Homeland Security, Privacy and Civil Liberties: A Five Year Review. June 26, 2008. The Heritage Foundation's Allison Auditorium. For more

Privacy Laws & Business 21st Annual International Conference. Value Privacy, Secure Your Reputation, Reduce Risk. 7-9th July, 2008, St. John’s College, Cambridge. For more information:

The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, 2008, Harvard University, Cambridge, MA. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Support Privacy '08

If you would like more information on Privacy '08, go online and search for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at Support the campaign.

Facebook Cause:



END EPIC Alert 15.12

