EPIC Alert
The Finnish government will be required to pay a fine because it failed to protect patient data against the risk of unauthorized access, according to a ruling from the European Court of Human Rights. The ruling establishes a nexus between the right to privacy under human rights law and the protection of personal information. The European Court of Human Rights held that Article 8 of the European Convention on Human Rights, which guarantees respect for every citizen's private life against needless interference by the government, includes an affirmative obligation to ensure the security of personal data. According to the court, a government hospital's failure to guarantee the security of the petitioner's data against the risk of unauthorized access constituted a "breach of the state's positive obligation to secure respect for her private life by means of a system of data protection rules and safeguards."
The hospital ran afoul of the Convention's guarantee of personal privacy because its records system violated Finland's own law requiring hospitals to secure personal data against unauthorized access. The petitioner, who worked as a nurse at the same hospital where she was being treated for HIV, began to suspect that her co-workers had learned about her disease by reading her confidential medical records. Although hospital rules stated that records could only be accessed for treatment purposes, as a practical matter patient records could be viewed by any hospital staff. Despite the plain privacy violation, the petitioner was unable to meet her burden under the Finnish privacy law. The hospital's failure to sufficiently document access to medical records made it difficult to prove that loose policies caused the rumors.
Nevertheless, the court held that the simple fact that the hospital had an insecure medical records system was enough to make the health care facility responsible for the otherwise unexplained spread of the employee's private medical information. "The mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation for damages caused by an alleged unlawful disclosure of personal data was not sufficient to protect her private life," said the court. "What is required in this connection is practical and effective protection to exclude any possibility of unauthorized access occurring in the first place. Such protection was not given here."
The European Court of Human Rights was established in 1950 by the European Convention on Human Rights. It has issued many important privacy decisions based on Article 8 of the European Convention.
European Court of Human Rights: http://www.echr.coe.int/echr/
I v. Finland, Eur. Ct. H.R., No. 20511/03 (17 July 2008): http://www.epic.org/privacy/intl/echr-finland.pdf
EPIC's Privacy And Human Rights Report: http://epic.org/phr06/
EPIC's Medical Privacy Page: http://epic.org/privacy/medical
The Third Circuit Court of Appeals struck down the Child Online Protection Act, a federal law that sought to prohibit the publication of information on the Internet that could be considered "harmful to minors." The Court held that the law violated the First and Fifth Amendments because it is "impermissibly overbroad and vague."
The censorship law also failed a strict scrutiny analysis because it did not employ less restrictive alternatives, like internet content filters that can be programmed or configured according to the values of individual families. The Court affirmed a District Court's permanent injunction that prevents the Government from enforcing this law.
The Court also criticized the law's encroachment on the right of Internet users to receive information anonymously, a claim that EPIC raised early in the litigation. Without anonymity, many users are deterred from accessing online content. Forcing people to provide personally identifiable information to content providers for age verification purposes exposes them to fraud and identity theft, a rapidly growing problem in the United States. The internet censorship law would also "chill protected free speech" by requiring Web publishers to either self-censor or bear the cost of implementing age verification technologies.
The lawsuit challenging the Child Online Protection Act began nearly ten years ago, following the Supreme Court's invalidation of Congress' first attempt to censor the Internet with the Communications Decency Act. Immediately after the Child Online Protection Act's enactment in 1998, the plaintiffs, consisting of speakers, content providers, and users of the Web, sought an injunction to bar the law's enforcement. In 2002, the Supreme Court upheld the district court's preliminary injunction with grave doubts about the law's ultimate constitutionality. The case was remanded to the district court for a ruling on the merits.
EPIC was plaintiff and co-counsel in the case and specifically urged the court to consider the impact on privacy of the age verification procedures.
ACLU, EPIC, et al v. Mukasey, No. 07-2359 (3rd Cir., July 22, 2008): http://www.ca3.uscourts.gov/opinarch/072539p.pdf
Child Online Protection Act: http://epic.org/free_speech/censorship/copa.html
EPIC Alert on the Original Grant of the Preliminary Injunction: http://epic.org/alert/EPIC_Alert_6.02.html
EPIC page on the Child Online Protection Act: http://epic.org/free_speech/copa/
EPIC page on the Communications Decency Act: http://epic.org/free_speech/cda/
Google's posting conforms with the widespread practice of commercial web sites. Google has also instituted a privacy transparency program, accessible through this link, which includes YouTube videos, blog posts, and other resources explaining the various privacy issues likely to be encountered by Google consumers.
Google has been no stranger to consumer privacy issues. After a blogger discovered a weakness in Gmail's security last week, Google promised to take steps to repair the problem. Aviram Jenik, of SecuriTeam blog, published a blog post about a feature of Google calendar which allows any Gmail user to see the registered full name of any other Gmail user by merely sharing a Google Calendar with them. Although the problem has since been repaired, Google claimed that it was "not a security issue" and was an intentionally included feature of the calendar system.
EPIC's page on Google privacy issues: http://epic.org/privacy/ftc/google/
The letter from EPIC and other advocacy organizations: http://epic.org/privacy/ftc/google/Google_Letter060308.pdf
Google's announcement of privacy link on homepage: http://epic.org/redirect/google072408.html
Blog post about the Gmail security hole: http://blogs.securiteam.com/index.php/archives/1113
On July 14, 2008, search engine Ixquick was presented with the first European Union (EU) Privacy Seal by EuroPriSe. The European Privacy Seal certifies that information technology (IT) products and services comply with EU laws and regulations on privacy and data security. "The awarding of the first European Privacy Seal to the meta-search engine Ixquick marks an important milestone to implement privacy on the World Wide Web and highlights this privacy-friendly service," said EU Data Protection Supervisor Peter Hustinx.
Ixquick offers solutions to many of the privacy concerns created by the internet. Search engines and other websites have been criticized because searches and visits are routinely recorded and combined into personal and behavioral profiles. In 2006, Ixquick became the first search engine to delete information such as IP addresses and to eliminate the use of ID cookies. Unlike Facebook and Google, Ixquick does not reveal personal data of its users to third parties.
The European Privacy Seal is a simple uniform method to identify whether an IT product meets the high privacy standards of the EU. The seal is given to an IT product only after it has been audited to determine if it meets compliance with European regulations on privacy and data security. First, legal and IT experts evaluate the product or service. Second, an accredited certification body cross-checks the evaluation report. Over 120 experts from various EU countries have been trained to provide evaluations.
The award "underlines that a balance between the open nature of the internet, providers' interests, and the protection of personal data of internet users is possible" said EU Commissioner Vivian Reding.
EU Data Protection Supervisor: http://www.edps.europa.eu/EDPSWEB/
European Privacy Seal Press Release: http://epic.org/redirect/eucourt072408.html
Ixquick's Press Release: http://eu2.ixquick.com/eng/press/europrise.html
Ixquick's Homepage: http://www.ixquick.com
EPIC's Page on Search Engine and Privacy: http://epic.org/privacy/search_engine
EPIC's Privacy and Human Rights Report: http://epic.org/phr06
The Internet Corporation for Assigned Names and Numbers (ICANN) recently announced that the Domain Name System Security Extensions (DNSSEC) will be implemented on the domain name system for .ORG domain names. The added security layer will primarily protect users from attempts by hackers to spoof, masquerade as, and hijack websites, attacks to which users of wireless networks are particularly vulnerable. The .org domain is now the first generic Top Level Domain authorized to implement the security extensions on its domains.
Domain names stand in for Internet Protocol (IP) addresses. Instead of a series of numbers, a readable address such as "www.website.org", the domain name, identifies a website. However, the resolution of domain names into addresses is not protected against hackers. An unauthorized network operator can redirect an unsuspecting user's DNS requests from the desired website to a totally different one. Because the user would have no way of knowing that the substituted website is not the one the requested domain name should have led to, the user's personal information could be exposed to a malicious website. With the security extensions, however, users are protected from hackers pretending to be a legitimate source of domain name answers.
EPIC submitted comments to ICANN in support of the DNSSEC standard. The implementation protects against such attacks by adding cryptographic information to the domain name system, which makes redirection to malicious websites especially difficult. Also, when a client asks the DNS for the IP address of a domain name, the DNS will provide origin authentication of data, data integrity, and authenticated denial of existence. The DNS security extensions have already been implemented in Sweden, Bulgaria, Brazil, and Puerto Rico.
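As an added illustration (not code from ICANN, .ORG or EPIC) of what the cryptographic information described above buys a validating resolver, here is a toy Go model of DNSSEC record signing and validation using ECDSA P-256 with SHA-256 (DNSSEC algorithm 13). It signs a canonical text form rather than real DNS wire format, and the example.org record set and zone key are constructed for the demonstration: the genuine answer validates in any record order, while a redirected answer and an answer with its signature stripped are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set: one owner name, one record
// type, and the rdata values that share them. Real DNSSEC signs the wire
// format; this teaching model signs a canonical text form instead.
type RRset struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// canonical builds the bytes that are signed and later verified: owner name
// lowercased and rdata sorted, so signer and validator hash identical input.
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	s := fmt.Sprintf("%s %s %d %s", strings.ToLower(r.Name), r.Type, r.TTL, strings.Join(rd, ","))
	return []byte(s)
}

// Sign plays the zone operator: it produces the signature an RRSIG record
// would carry for the set (ECDSA P-256 / SHA-256, DNSSEC algorithm 13).
func Sign(priv *ecdsa.PrivateKey, r RRset) ([]byte, error) {
	digest := sha256.Sum256(r.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Validate plays the resolver: it recomputes the digest over the answer it
// actually received and checks the RRSIG against the zone's public DNSKEY.
// An answer without a signature offers no origin authentication: rejected.
func Validate(pub *ecdsa.PublicKey, r RRset, sig []byte) bool {
	if len(sig) == 0 {
		return false
	}
	digest := sha256.Sum256(r.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome collects the validation results for the scenarios run by Demo.
type Outcome struct {
	Genuine   bool // signed answer exactly as published by the zone
	Reordered bool // same records, listed in a different order on the wire
	Spoofed   bool // rdata replaced by a redirecting party, signature reused
	Unsigned  bool // answer with the RRSIG stripped entirely
}

// Demo generates a throwaway zone key, signs a constructed example.org A
// record set (sample data, not a real zone), and runs the four scenarios.
func Demo() (Outcome, error) {
	zoneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := RRset{Name: "www.example.org.", Type: "A", TTL: 3600,
		Rdata: []string{"192.0.2.10", "192.0.2.11"}}
	sig, err := Sign(zoneKey, genuine)
	if err != nil {
		return Outcome{}, err
	}
	reordered := genuine
	reordered.Rdata = []string{"192.0.2.11", "192.0.2.10"}
	spoofed := genuine
	spoofed.Rdata = []string{"198.51.100.66"} // different host, same name
	return Outcome{
		Genuine:   Validate(&zoneKey.PublicKey, genuine, sig),
		Reordered: Validate(&zoneKey.PublicKey, reordered, sig),
		Spoofed:   Validate(&zoneKey.PublicKey, spoofed, sig),
		Unsigned:  Validate(&zoneKey.PublicKey, spoofed, nil),
	}, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v err=%v\n", out, err)
}
```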
.ORG Announces DNSSEC Implementation: http://pir.org/index.php?db=content/News&tbl=Press&id=9
EPIC's Page on DNSSEC: http://epic.org/privacy/dnssec/default.html
.ORG to consider secure DNS: http://epic.org/alert/EPIC_Alert_15.10.html
Under Pressure, Embarq Scraps Internet Snooping Plan
A week after senior members of Congress criticized Embarq's test of Internet snooping technology, the ISP announced that it will shut down its controversial behavioral advertising partnership with NebuAd. Embarq was intercepting customers' browsing activity "to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits," the Congressmen said in a letter to Embarq. They also observed that Embarq's secret Internet surveillance raised substantial questions of compliance with federal law. "Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags," said Congressman Edward Markey. Congressmen Markey (D-MA) and Joe Barton (R-TX) previously urged Charter Communications, the nation's fourth-largest cable company, to back off on a similar venture with NebuAd. The cable giant scrapped the controversial plan in June.
Letter To Embarq Sent By Senior Members Of Congress: http://epic.org/redirect/markey072408.html
July 21, 2008 Letter From Embarq Detailing Internet Surveillance Test: http://epic.org/privacy/dpi/embarq_072108.pdf
July 23, 2008 Letter From Embarq Detailing Internet Surveillance Test: http://epic.org/privacy/dpi/embarq_072308.pdf
EPIC's Page On Deep Packet Inspection And Privacy: http://epic.org/privacy/dpi/
Facebook's new design does not address privacy problems
On July 20, 2008, Facebook released a new webpage design, but it still fails to address the privacy problems that have plagued the company. According to Facebook CEO Mark Zuckerberg, the changes were designed "to highlight the most recent and relevant information that users value, give users even more control and ownership over their profiles and simplify the user experience." The new design allows Facebook users to adjust the size and prominence of stories published on their profiles. Users can also use the "Publisher" feature to upload photos and videos, or write notes. None of these changes, however, addresses the privacy issues that continue to plague Facebook. Developers of Facebook applications still enjoy access to users' detailed personal information and the detailed personal information of the users' friends, even if those friends choose not to install the application.
Facebook Press Release: http://www.facebook.com/press/releases.php?p=47448
EPIC Facebook Page: http://epic.org/privacy/facebook/default.html
Lawsuit uncovers Maryland police spying on peace groups
Undercover Maryland state troopers have been conducting surveillance of three groups advocating peace and protesting the death penalty. The police infiltrated the groups by attending meetings and sending reports on the groups' activities to U.S. intelligence and military agencies, according to documents released as part of a Freedom of Information Act lawsuit filed by the Maryland chapter of the American Civil Liberties Union. The documents show at least 288 hours of surveillance over a 14-month period. Information sharing databases similar to HIDTA exist elsewhere in the country and have frequently been criticized for privacy problems. EPIC recently won a Freedom of Information lawsuit against the Virginia State Police regarding the role of the federal government in the operation of the Virginia Fusion Center, and EPIC is currently pursuing similar FOIA requests in all 50 states.
ACLU Press Release: http://www.aclu-md.org/aPress/Press%202006/082906_FOIA.html
EPIC page on fusion centers: http://epic.org/privacy/fusion/
Social Security Unveils New Earnings Calculator
On July 21, 2008, the U.S. Social Security Commissioner introduced a new online calculator to help people plan their retirement. The Social Security Commissioner stated that the new calculator is "easy-to-use and will provide highly accurate benefit estimates for those nearing retirement age." The calculator allows the user to compare and contrast several different retirement options. For instance, it allows the user to change expected future earnings and modify retirement dates. The new calculator addresses privacy problems that were raised by previous versions. The previous calculator was problematic because it temporarily stored earnings records on local computers while the user was on the page. The new calculator displays only estimates of retirement benefits and not other personal information, such as previous earnings.
New Social Security Calculator: http://www.socialsecurity.gov/estimator/
Social Security New Calculator Press Release: http://www.ssa.gov/pressoffice/pr/ret-est-pr.htm
EPIC's Social Security Section: http://epic.org/privacy/ssn/
TSA Expands Testing of Full-Body Backscatter Scanners
The Transportation Security Administration will expand usage of new backscatter scanning systems to screen airline passengers. The new SmartCheck Z Backscatter Personnel Screening System will be installed at John F. Kennedy International Airport in New York. Similar systems are already in place at airports in Phoenix and Los Angeles. EPIC and others have raised privacy concerns about the scanners, which can create photo-quality images of travelers as if they were undressed. The scanner's manufacturer claims that the new system creates a less detailed image than previous backscatter scanners, does not show detailed images of genitalia, and does not store and transmit saved images. Like previous scanners, the new devices are a voluntary alternative to pat-downs. Approximately 90% of passengers so far have chosen to be screened by the SmartCheck rather than a pat-down.
American Science & Engineering's Page on the Privacy Enhanced System: http://www.as-e.com/products_solutions/tsa_z_backscatter_pilot.asp
EPIC's page on Backscatter Screening Technology: http://epic.org/privacy/airtravel/backscatter/
EPIC's Spotlight on TSA Backscatter Use: http://epic.org/privacy/surveillance/spotlight/0605/
Library Association Launches "Privacy Revolution"
The American Library Association, in partnership with EPIC and other groups, has called for a national privacy revolution. The initiative aims to inspire Americans to join librarians in a call for new privacy standards for the digital age. The campaign responds to the organization's 2006 resolution calling for a "national discussion on privacy." As part of the plan, local libraries will solicit public support for legislative and agency-level reforms that protect and preserve personal privacy. Internet users can take a survey on the Library Association's website and watch video of the launch at the 2008 conference. Previous ALA initiatives, including a campaign for reader privacy, led to amendments protecting library privacy in the Patriot Act.
American Library Association Privacy Revolution: http://privacyrevolution.org/ala/oif/ifissues/privacyrevolution.cfm
EPIC's Privacy 08 Campaign: http://www.privacy08.com
Health IT Bill Moves Forward in House with Some Privacy Safeguards
The House Commerce Committee approved H.R. 6357, the Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008. The PRO(TECH)T Act will promote the adoption of health information technology that is intended to improve the delivery of healthcare services. The bill includes some security and privacy safeguards, such as data breach notification, though Patient Privacy Rights believes that stronger protections are necessary. EPIC made several suggestions to strengthen the privacy provisions. For more information see EPIC Medical Privacy.
PRO(TECH)T Act Passes House Committee: http://energycommerce.house.gov/Press_110/110nr324.shtml
EPIC Comments on PRO(TECH)T Act: http://epic.org/privacy/medical/EPIC_HIT_060908.pdf
EPIC Medical Privacy Page: http://epic.org/privacy/medical/EPIC_HIT_060908.pdf
"Distracted: The Erosion of Attention and the Coming Dark Age" by Maggie Jackson (Prometheus Books 2008)
Increasingly, our thought is shaped by distraction, argues Maggie Jackson in her riveting and convincing diagnosis of our cultural malaise. In every area of life, from consumer gadgetry to our patterns of work and play, the relentless change that we associate with progress is eroding our capacity for deep, sustained, perceptive attention. And she warns that all our material riches, abundant information, and creative leaps will not save us from a coming cultural "dark age" unless we learn to value and nurture undivided attention as the bedrock of healthy mental and social life.
A recurrent theme in her account is the connection between the fragmentation of attention and the fragmentation of trusting relationships. To show the cumulative impact of technology on our attention spans and communal bonds, Jackson points out trends among disparate corners of social life, ranging from the nineteenth century's reactions to the telegraph, the transformation of family relationships viewed through meals and funerals, and new documentation of the damage to child development of using television as a babysitter. Reflecting on the evidence of Bentham's Panopticon in today's technologies for conducting social relationships, she writes, "Surveillance can't cohabitate with trust, that slow-to-bud, immeasurable essence of close relations that thrives only outside the panoptic gaze. By choosing surveillance-based attention, we are ushering in an age of mistrust."
It takes a nuanced cultural critic to weave together the disparate symptoms of this disease, but Jackson does so without a trace of shrillness. She deftly threads together her own observations as a journalist with her survey of the insights of a century of like-minded historians, psychologists, sociologists, and novelists. Her account is a pleasure to read because it is a powerful articulation of both sides of our ambivalence towards the rapid encroachment of communications technology into our lives. To the reader who feels fragmented by the staccato of bullet points, text messages, and microwave dinners that increasingly characterizes every facet of modern life, Distracted feels like a long, honest look in the mirror.
-- Andrew Gradman
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50.
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
The 8th Privacy Enhancing Technologies Symposium (PETS 2008), July 23-25, 2008. Leuven, Belgium. For more information:
The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, Harvard University, Cambridge, MA. For more information:
Privacy Awareness Week. August 24, 2008. Australia, New Zealand, Hong Kong, Korea and Canada. For more information:
Youth Privacy Online: Take Control, Make It Your Choice! September 4, 2008, Eaton Centre Marriott, Toronto. For more information:
Access to Information: Twenty-five Years on. September 8, Minto Suites Hotel, Ottawa. For more information: http://www.rileyis.com/seminars/
Workshop on Applications of Private and Anonymous Communications. September 22, 2008. Istanbul, Turkey. For more information:
Europe-wide action day "Freedom not fear." October 11, 2008. Multiple sites. For more information:
International Symposium on Data Protection in Social Networks. October 13, 2008, Strasbourg. For more information:
Protecting Privacy in a Borderless World. October 15-17, 2008, Strasbourg. For more information: http://www.privacyconference2008.org
Privacy in Social Network Sites Conference October 23-24, 2008. Delft University of Technology, Faculty of TPM, The Netherlands. For more information: http://www.ethicsandtechnology.eu
Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information: http://www.intgovforum.org
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
If you would like more information on Privacy '08, go online and search for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.
Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.