EPIC Alert
Pursuant to a Freedom of Information Act lawsuit, EPIC has obtained a Memorandum of Understanding between the FBI and the Virginia State Police that limits the state's open government law. The Memorandum applies to the Virginia Fusion Intelligence Center, a database that collects information on ordinary citizens. The agreement requires the state agency to comply with federal regulations that restrict the disclosure of records about the Virginia Fusion Center that would otherwise be available to the public. The State Police disclosed the document in response to EPIC’s lawsuit, which follows EPIC’s February 12, 2008 open government request to the Department.
The federal regulations (28 CFR Part 16) cited in the Memorandum contain at least thirty-seven exemptions from open government and privacy laws. The Memorandum also requires the State Police to refer open government requests to federal agents if the requests relate to information shared by the FBI with the fusion center. In effect, the Memorandum imposes additional limitations on the documents that can be accessed by the public under Virginia’s open records and privacy law.
EPIC’s lawsuit against the Virginia State Police remains pending. At an April 10, 2008 hearing in Richmond, a District Court judge required the State Police to produce additional records sought by EPIC. EPIC’s requests target documents relating to communications between the State Police and federal entities regarding funding and development of the Virginia Fusion Center, as well as the impact on Virginia’s government transparency and privacy laws.
EPIC sued the State Police to compel the disclosure of public records relating to the role of federal agencies in the Virginia Fusion Center. Of particular interest to EPIC is federal involvement in recent legislative efforts to limit Virginia’s open government and privacy laws. EPIC seeks to determine whether the U.S. Dept. of Justice or the U.S. Dept. of Homeland Security participated in the development of the legislation, HB 1007. The legislation, introduced in January 2008, limits Virginia's open government and privacy statutes, as well as Virginia's common law right of privacy, for Virginia agencies connected to the Virginia Fusion Center. The fusion center is one of several similar entities established by state governments throughout the United States.
Fusion centers are intelligence databases that collect information from federal, state, municipal, and private sources. Privacy advocates have criticized the non-transparent operation of fusion centers, and their lack of meaningful civilian oversight. Federal guidelines call for fusion centers to accumulate and retain information about citizens from sources such as: financial records, credit reports, medical records, internet and email data, video surveillance from retail stores and sporting facilities, data from preschools, and welfare records.
EPIC v. Virginia Department of State Police - Fusion Center Secrecy Bill:
Memorandum of Understanding:
EPIC’s Freedom of Information Act Lawsuit:
EPIC’s Freedom of Information Act Request:
EPIC - Information Fusion Centers and Privacy:
A recent opinion from the Article 29 Data Protection Working Party has established that European privacy rules apply to various search engine services. A previous opinion had stated that Internet Protocol (IP) addresses were personal data. Search engines collect vast amounts of data in the form of search terms submitted by individuals, cookies, logs of IP addresses, data collected via associated services (like email or instant messaging), and in their cached copies of indexed websites. Search engines that have establishments or use equipment within the European Union are subject to the requirements of the Data Protection Directive, even if their corporate headquarters are outside of Europe.
The requirements limit the processing of personal data to legitimate purposes, and forbid excessive collection of data. Search engines must therefore delete or anonymize personal data once they are no longer necessary for the purpose for which they were collected. The Working Party did not see a need for the retention to last longer than 6 months. Search engines should follow "robots.txt" and other metadata used by website owners to mark which parts of their websites should not be indexed by search engines. Search engines should give data subjects clear and intelligible information about the data they collect, and the purposes for which it is used. Secondary uses, such as creating profiles of natural persons or facial recognition of images, must be based on legitimate grounds such as consent. These uses should also meet all the requirements of the Data Protection Directive.
Earlier this year, EPIC urged the European Parliament to protect the privacy of search engine information. EPIC noted that search engines keep personal data when IP addresses can be used to identify individuals. EPIC also detailed general privacy problems with the Google-Doubleclick merger, including the 2-year retention of query data and the lack of adequate explanation of why this retention is necessary. Google also fails to allow individuals to see the data that is kept on them or otherwise expunge this data.
The Working Party also stated that the requirements of the Data Retention directive did not apply to search engine services. Search engines are not "electronic communications services" subject to retention requirements, though search companies may offer other services, such as email, that would be.
Opinion on Data Protection Issues Related to Search Engines
Article 29 Data Protection Working Party
EPIC Testimony Before the European Parliament on Data Protection and Search Engines
EPIC's Search Engine Privacy page
EPIC Page on the Google-DoubleClick Merger
On April 7, 2008, EPIC asked the Senate Commerce Committee to press the Federal Trade Commission (FTC) on the Commission's failure to adequately protect consumer privacy and failure to operate transparently. EPIC highlighted the Commission's decision to not require privacy safeguards as a condition of the recent Google/Doubleclick merger. EPIC also detailed the FTC's handling of Chairman Deborah Platt Majoras’ apparent conflict of interest in the merger review, and noted that the FTC has failed to disclose records relating to Jones Day's involvement in the merger review.
In a letter to the Committee, EPIC stated that, by approving the Google/Doubleclick merger on December 20, 2007, the Commission failed to fulfill its obligations to the public. As a result, it placed the privacy interests of American consumers at grave risk.
On April 20, 2007, EPIC filed a detailed complaint asking the Commission to establish substantial privacy safeguards as a condition of approving the then-proposed merger of Google, Inc. and Doubleclick, Inc. EPIC informed the Commission that the Google/Doubleclick merger posed a unique and substantial threat to the privacy interests of Internet users around the world. EPIC’s Complaint urged the Commission to either block the deal or impose substantial privacy safeguards as conditions of merger approval. Others, including Senators Patrick Leahy and Herbert Kohl, shared EPIC’s concerns regarding the merger’s privacy implications. Despite the serious consumer privacy threats raised by the merger, the Commission approved it, and did not impose any conditions to protect consumers’ privacy.
EPIC’s letter to the Committee also observed that the Commission’s handling of Chairman Majoras’ apparent conflict of interest in the Google/Doubleclick merger review reflects poorly on the Commission’s impartiality and commitment to transparency. The role of the Jones Day law firm in the Google/Doubleclick merger review raised questions regarding an apparent conflict of interest. During the Commission’s review of the merger, Jones Day publicly stated that it represented Doubleclick regarding the merger. EPIC learned that Chairman Majoras’ spouse, John M. Majoras, is a Jones Day partner, and sought the Chairman’s recusal from the merger review. Chairman Majoras declined to recuse herself, and voted to approve the merger without conditions. In December 2007, EPIC filed two brief open government requests for Commission records relating to the apparent conflict. The Commission did not respond timely to EPIC’s requests, and has not disclosed a single document. On March 14, 2008, EPIC filed a lawsuit to compel the FTC to disclose the documents.
The Senate Commerce Committee held hearings regarding the Commission's reauthorization on April 8, 2008. EPIC urged the Committee to cut the Commission's budget by 5% based on the Commission's lack of commitment to consumer privacy and open government.
EPIC’s Letter to the Senate Commerce Committee:
Summary of FTC Reauthorization Legislation:
EPIC’s Open Government Lawsuit Against the FTC:
EPIC's page on Privacy? Proposed Google/Doubleclick Deal:
In response to a request from a New Hampshire state senator, EPIC this week analyzed HB 686, concerning radio frequency identification (RFID) technology. EPIC supports the legislation, as it includes strong consumer protections, and recommends two additions.
RFID systems generally include a tag or chip (on which data is stored) and an antenna (to transmit the data to a reader). “Active” RFID tags or chips have an internal power source, transmit continuously, and can initiate communication with readers. “Passive” RFID tags or chips do not have an internal power source but rather derive power from the reader’s signal; nor can they initiate communication with readers.
RFID tags are small enough to be invisibly embedded in products, product packaging and even printing inks. They can be read from a distance and through a variety of substances such as snow, fog, ice or paint. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, or date of purchase.
HB 686 is important, EPIC said, because "RFID technology is rapidly increasing. Major uses of RFID include electronic roadway toll collection (E-Z pass systems), passports, various ID cards (such as university ID cards), credit and debit cards, supply chain management and animal tracking." EPIC explained there are privacy and security risks associated with RFID-enabled identification cards, including “skimming” and “eavesdropping.” Skimming occurs when an individual with an unauthorized RFID reader gathers information from an RFID chip without the cardholder’s knowledge. Eavesdropping occurs when an unauthorized individual intercepts data as it is read by an authorized RFID reader or interrogator.
The legislation would establish important safeguards for New Hampshire residents, EPIC said "including: (1) penalties for illegal use of RFID technology; (2) a private right of action for individuals; (3) restrictions on the use of RFID technology by the State of New Hampshire with few exceptions; (4) prohibitions on electronic tracking of individuals without a valid court order or consent; and (5) prohibitions against forced implantation of RFID devices in humans."
Though HB 686 includes numerous consumer protections, EPIC recommended that the NH Senate "also: (1) address unique identifiers linked to databases containing personally identifiable information, and (2) label RFID readers and interrogators, as well as RFID tags and products containing tags." Such unique identifiers can be used to create detailed personal profiles on individuals. "Though companies have urged against the regulation of these unique identifiers, they should be covered under HB 686 because the misuse or abuse of such unique identifiers could be as risky as misuse or abuse of Social Security Numbers," EPIC said.
Also, though HB 686 includes provisions requiring the labeling of products containing RFID tags, EPIC recommends "that there should be a requirement that RFID readers or interrogators also clearly and prominently display a universally recognized symbol for RFID technology, so that consumers will know where there is a danger of their data being read without their knowledge." HB 686 has passed the New Hampshire House and is before the Senate.
New Hampshire HB 686, “An act relative to the regulation of remotely readable devices and the illegal use of payment card scanning devices or reencoders”:
EPIC Analysis of HB 686 (April 14, 2008) (pdf):
EPIC page on RFID Technology:
The Trans-Atlantic Consumer Dialogue (TACD), a group of US and EU consumer organizations, has issued its Charter for Consumer Rights in the Digital World. The Charter "identifies the core rights that the members of TACD regard as indispensable to meeting the challenges presented by the digital world and the utilization of its potentials."
These rights are culled from previous TACD resolutions detailing the interests of consumers in the digital world. The rights in the Charter are: "1. Right to access neutral networks 2. Right to access digital media and information 3. Right to secure networks and services 4. Right to privacy and data protection 5. Right to software interoperability 6. Right to barrier-free access and equality 7. Right to pluralistic media."
As personal data of consumers is increasingly gathered and compiled into detailed profiles, there is a need to focus on the right to privacy and data protection. For example, online targeted advertising is becoming more invasive. TACD urges, among other things, that businesses and governments: "be subjected to enforceable Fair Information Practices that give rights to consumers and impose responsibilities on organizations that collect and use personal data"; "use effective and updated technology to protect confidential personal data against unauthorized use"; "inform consumers of the measures they can take to protect their own data." Also, governments should "ensure that programs to combat terrorism and organized crime do not undermine self-determination in terms of personal information and the protection of individuals' privacy."
As the Internet becomes a more important information source, there is the growing risk that such data will be filtered or slanted in some form. TACD notes, "Internet service providers (ISPs) may block or degrade the access of consumers to certain content and applications, or limit the types of equipment that can be attached to networks." Therefore, TACD details the right of consumers to access neutral networks. "That means that consumers have the right to attach devices of their choice, the right to access or provide content, services and applications of their choice, and the right for this access to be free from discrimination according to source, destination, content and type of application."
Finally, the TACD Charter for Consumer Rights urged "Internet users and governments to develop a better understanding of the challenge industry consolidations pose to the open Internet and specifically how dominant Internet firms are able to leverage their position in one market sector to discourage competition in other market sectors." TACD recommended that governments "Ensure that competition law is enforced paying particular attention to the increasing vertical integration in this sector" and that governments "Establish privacy and consumer safeguards as a central requirement in the context of merger review for Internet firms."
On its Web site, TACD lists more recommendations on how to protect the seven rights of the Charter for Consumer Rights in the Digital World.
Trans-Atlantic Consumer Dialogue, Charter for Consumer Rights in the Digital World (April 16, 2008):
Code of Fair Information Practices:
EPIC page on Privacy? Proposed Google-DoubleClick Merger (concerning online targeted advertising and privacy questions):
EPIC page on Personal Data and Privacy Protection:
Bill to Reimburse Jurisdictions for Cost of Paper Ballots for November Fails
The House failed to pass H.R. 5036 by a sufficient margin. The bill would have ensured that jurisdictions that decide to acquire paper ballot systems for the November 2008 election are reimbursed by the federal government. The measure would have also provided funding to states for conducting post-election audits. The vote was actually a procedural move to place the bill on the “Suspension Calendar,” which would indicate a non-controversial measure. The Democrats and Republicans had worked out an agreement to support the bill being placed on the Suspension Calendar, but the White House issued a statement late on the day prior to the vote in opposition to the effort. This resulted in a nearly perfect party-line vote, and the outcome fell short of the 2/3rds majority needed. The vote was 239 for and 178 against placing the bill on House Calendar under suspensions.
Vote on the Bill:
White House Statement
EPIC voting project:
Medical Center Staff Spied for 10 years on Celebrity Patients
UCLA Medical Center staff have, for 10 years, improperly accessed confidential medical files. A former employee recently confirmed accessing the records of celebrities such as Maria Shriver and Farrah Fawcett. Another discussed similar snooping 13 years ago. Secretary Kim Belshe of the California Health and Human Services agency has promised to take action against UCLA.
Report: UCLA File Snooping an Old Issue
EPIC Page on Medical Privacy
Legal Questions Surround Surreptitious DNA Gathering
Lawyers are raising challenges to police practices of gathering DNA from individuals without warrants or other legal process. Police tail the suspect and wait for them to discard a cigarette, saliva, or other material from which DNA can be extracted. Lawyers argue that individuals have a reasonable expectation of privacy in their genetic information discarded by routine bodily functions. The police practice leads to the unsupervised government collection of DNA information on innocent individuals. DNA can identify not only an individual, but can also reveal sensitive health and family information.
Lawyers Fight DNA Samples Taken on The Sly
EPIC Genetic Privacy Page
EPIC Page on Johnson v. Quander (Compelled DNA Collection)
Washington, DC, Police to Connect 5,000 Surveillance Cameras
DC officials are poised to give the Metropolitan Police Department access to 5,000 cameras throughout the city. These cameras were originally deployed to monitor traffic, schools and public housing but are now being drafted into general public surveillance. Last month, in a statement to the DC Council, EPIC urged a careful evaluation of the cost and effectiveness of camera surveillance systems. No studies have shown a significant drop in violent crime when camera systems are used. The MPD has suggested a drop in crime in some parts of the city, but Council member Mary Cheh noted that MPD did not analyze whether the crimes were merely displaced to other areas of the city. In the MPD's annual report on cameras, police showed no convictions and a handful of arrests based on evidence from the 73 cameras throughout the District.
Washington Metropolitan Police Department, Closed Circuit Television (CCTV) Annual Report 2007 (pdf):
EPIC, Statement to the DC Council Opposing Expanded Camera Surveillance Under Bill 17-438 (pdf):
EPIC's page on Video Surveillance:
Alaska Joins Other States in Rejecting REAL ID System
Just two weeks after DHS granted all 56 states and territories extensions that would allow state licenses and ID cards to remain "valid for federal purposes" past May 11, 2008, Alaska has passed legislation against the REAL ID national identification scheme. SB 202 states, "A state agency may not expend funds solely for the purpose of implementing or aiding in the implementation of, the requirements of the federal Real ID Act of 2005." DHS has said it "made extensions available for states that needed additional time to come into compliance, or to complete ongoing security measures," implying that states that received extensions had agreed to implement the national identification system. However, Alaska is one of several states that have declared unequivocally that they will not implement the REAL ID scheme.
Alaska SB 202, "An Act relating to expenditures in aid of or to implement the provisions of the federal Real ID Act" (pdf):
EPIC's page on National ID Cards and the REAL ID Act:
Federal Dataveillance: Implications for Constitutional Privacy Protections by Martin Kuhn.
Defining what is meant by privacy is the topic of this book, but more important are the challenges of keeping that definition salient to the world of information exchange. The book explores privacy as space, privacy as secrecy, and privacy as information control. The definition has changed because of new business practices, technologies and social and cultural norms. This book does a very good job of touching on the issues of information privacy by first explaining its origin and its transformation into an enforceable right protected by the First and Fourth Amendments. It is also noteworthy that, because of its extensive referencing, this book is one of the best resources on the body of work produced by privacy experts who focus on the public interest. Too often, writers who address the topic of privacy fail to cite the original source of a particular perspective or research.
The book is a surprisingly quick read on a complicated subject, and it is very successful in presenting the information in a digestible format. The writings of the best minds that have worked on and advanced the cause of privacy are cited in the book. A legal overview is presented in chapters 2 and 3, which look at important Supreme Court cases that impacted the legal framework that establishes the right to engage in anonymous political speech and association with others, as well as invasions of privacy related to searches, government wiretaps, and physical searches of items discarded by individuals.
The author makes the case that today’s discussions on privacy have pooled all of the issues that have advanced the notion of privacy rights, i.e., technology, business practices, and government authority. US Government agencies are very interested in knowledge discovery in databases (KDD) because they believe that this approach will yield information on potential terrorists and criminals. However, great stores of data now reside in the hands of private companies, not government agencies. The introduction of technology that allows for remote access and manipulation of digital records presents challenges to the wall that once separated government and private data.
Kuhn poses a question at the start of his book: does the use of KDD infringe upon constitutional privacy rights to such an extent that the courts will need to rethink key areas of privacy law? This is the challenge of the new century and the landscape of privacy protection in the United States.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006
This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 23rd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005).
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
"Can Privacy Education Help Consumers?". April 17, 2008. National Press Club. For more information:
"Next steps towards privacy enhancing security technologies", April 28-29, 2008, Vienna. For more information:
Identity, Privacy and Security Research Symposium, May 2, 2008, Toronto. For more information:
CFP 2008: Technology Policy 08. New Haven, Connecticut. May 19-23, 2008. For more information http://www.cfp2008.org
Future of the Internet Economy - OECD Ministerial Meeting. June 17-18, 2008. Seoul, Korea. For more information:
Second Annual National Institute on Cyberlaw: Expanding the Horizons. June 18-20, 2008. Washington DC. For more information:
Conference on Ethics, Technology and Identity. The Hague. June 18-20, 2008. For more information http://www.ethicsandtechnology.eu/ETI
The Privacy Symposium - Summer 2008: An Executive Education Program on Privacy and Data Security Policy and Practice, August 18-21, Harvard University, Cambridge, MA. For more information:
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.