EPIC Alert 16.11 [2009] EPICAlert 11

E P I C A l e r t

Volume 16.11 June 8, 2009
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards The Fairfax at Embassy Row, Washington, DC June 9, 2009


Table of Contents
[1] House Approves Bill Limiting Whole-Body Imaging at Airports
[2] Administration Backs State Privacy Laws Against Challenge
[3] EPIC Submits Comments on Health Breach Notification to the FTC
[4] EPIC Urges Protections for Government Use of Social Media, Endorses Better Approaches on Transparency
[5] CFP Wrap-Up in Washington
[6] News in Brief
[7] EPIC Bookstore: "Lessons From the Identity Trail"
[8] Upcoming Conferences and Events - Join EPIC on Facebook - Privacy Policy - About EPIC - Donate to EPIC - Subscription Information

[1] House Approves Bill Limiting Whole-Body Imaging at Airports
The House approved an amendment bill that will limit the use of Whole-Body Imaging machines in US airports. The Transportation Security Administration had earlier decided to replace the walkthrough metal detectors at airports with whole body imaging devices. These devices enable a virtual strip search that produces detailed naked images of individuals, including females and young children. The technology provides little additional security beyond other screening techniques, including magnetometers, physical examination, and baggage inspection.

The amendment, put forward by Congressman Jason Chaffetz (R-UT), aims to establish limitations on the use of this invasive technology for aircraft passenger screening. The bill prohibits the use of these devices as the sole or primary method of screening aircraft passengers, unless another method of screening, such as metal detection, demonstrates cause for preventing such passenger from boarding an aircraft.

The proposed law also mandates that TSA officials provide a passenger with information on the operation of such technology, on the image generated by such technology, on privacy policies relating to such technology, and on the right to request a pat-down search in lieu of such screening. The proposed law also expressly prohibits the storage, transfer, sharing and copying of the images generated by whole body imaging technology after the boarding determination with respect to such passenger is made. Misuse of the law by TSA employees will result in a penalty of a fine or imprisonment.

The House voted 310-118 in support of the Chaffetz amendment to the TSA authorization bill. The Chaffetz amendment had earlier been introduced as a separate bill before being incorporated into the Transportation Security Administration Authorization Act. EPIC had launched a campaign and a Facebook Group seeking to raise public awareness and help stop Whole Body Imaging. EPIC and thirty other organizations sent a letter to DHS Secretary Napolitano urging DHS to suspend the program and begin a formal rulemaking, and investigate less invasive means of screening.

House Vote on Chaffetz Amendment:

Chaffetz Amendment (Section 215):

Whole-Body Imaging:

Congressman Chaffetz Seeks to Ban Whole-Body Imaging at Airports:

Congressman Jason Chaffetz:

Aircraft Passenger Whole-Body Imaging Limitations Act, H.R. 2027:

EPIC's Campaign to Stop TSA's Use of Whole Body Imaging:

EPIC's letter to DHS Secretary Napolitano:

EPIC's Page on Whole body Imaging:

EPIC's Spotlight on Surveillance on Whole Body Imaging:

Facebook Group: Stop Airport Strip Searches:

[2] Administration Backs State Privacy Laws Against Challenge

In a filing this week, the Department of Justice urged the nation's highest court to leave intact California's financial privacy law, saying the law does not impose hardships on banks. The California law, the Financial Information Privacy Act of 2003 (SB-1), provides strong financial privacy safeguards, including the right to curtail the sale of personal information by financial firms to affiliated companies, and prohibits the sale of data to non-affiliates unless consumers explicitly "opt-in."

Earlier, the Ninth Circuit reversed a lower court ruling and reinstated the right of California consumers to stop all sharing of personal information within affiliated companies, as long as it did not pertain to credit worthiness. A consortium of financial services companies has challenged the law and, in December 2008, asked the Supreme Court to consider the case. The firms argued that the California statute conflicts with other federal rules. The Supreme Court requested the Administration's view on the case, and has often followed the Department's opinions.

The filing came a week after President Obama issued an executive order reversing the policy of the earlier administration of regularly using federal regulations to pre-empt state and local laws on consumer and environmental protection. The Obama Administration has adopted the policy that preemption of State law by executive departments and agencies should be undertaken only with full consideration of the legitimate prerogatives of the States, and with a sufficient legal basis for preemption. President Obama had further stated that "Executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values."

Earlier in the litigation, EPIC urged a federal appeals court to uphold the California privacy law after banks challenged the law, and argued that the federal Fair Credit Reporting Act supersedes the California protections. The EPIC brief argued that affiliate sharing causes identity theft and fraud, and is inconsistent with fair information practices.

Supreme Court Docket:

EPIC's brief in ABA v. Brown:

Petition for Review (ABA v. Brown):

Brief for Respondents in Opposition to Petition (ABA v. Brown):

Reply to Respondents' Brief (ABA v. Brown):

White House Press Release on Preemption:

EPIC's Page on ABA v. Brown:

EPIC's Page on Privacy and Preemption:

EPIC's Page on the FCRA:

[3] EPIC Submits Comments on Health Breach Notification to the FTC

The Federal Trade Commission proposed a rule requiring vendors of medical records and related entities to notify individuals when the security of such medical information is compromised. The creation of such a rule was mandated under the American Recovery and Reinvestment Act. The FTC sought comments on the proposed rule.

EPIC submitted comments recommending that the scope of the Commission's authority be construed as broadly as possible, and that all entities that handle medical information be subject to the rule. EPIC advised that the rule "provides the FTC with a unique opportunity to strengthen privacy regulations covering [personal health records] breaches, assess the strengths and weaknesses of such a regime, and file a report with Congress." With regard to the difference between information that had been "accessed" or "acquired," as per the proposed rule, EPIC supported the presumption that any information that could be accessed by an unauthorized person was acquired, which would trigger notice obligations.

The FTC rule also provided a Safe Harbor for de-identified information. EPIC stated that such a provision created significant risks to personal privacy and would undermine the purpose of the Act. EPIC raised objections stating that de-identified information was not necessarily anonymous, since research has shown that a particular set of data could be traced back to an individual. With respect to provisions for media notices, EPIC advised providing notice through the home page of the entity's website, or in major print or broadcast media. EPIC also encouraged the FTC to look into opportunities that would improve the adequacy of notice when the breach occurred by adopting new media technologies.

EPIC also recommended that the federal agency create comprehensive privacy and security standards, and impose penalties on entities storing health records whose security protocols do not meet minimum security requirements, resulting in data breaches. EPIC supported the creation of a private right of action, including statutory damages and/or civil penalties, in addition to injunctive relief. EPIC also suggested preserving a private cause of action, which would allow the burden of enforcement to rest on the private party and not leave it exclusively upon the Commission. Among other suggestions, EPIC advised the federal agency to require verification that consumers receive data breach notifications and establish a central location to track and announce breaches.

EPIC's Comments to the FTC:

FTC Proposed Rule:

Federal Register:

FTC Public Comment Submission (Deadline June 1, 2009):

The American Recovery and Reinvestment Act of 2009:

[4] EPIC Urges Protections for Government Use of Social Media, Endorses Better Approaches on Transparency

The Department of Homeland Security is seeking public comments on "any issue of fact, law, or policy related to privacy issues posed by Government use of social media" and developing best practices. The agency plans to "develop a comprehensive record regarding Government use of social media." Pursuant to such notice, EPIC submitted comments on the benefits, issues and privacy best practices.

EPIC recommended that government websites not track users; that Privacy Act protections apply to all data collected by the government and government contractors; that commercialization of information on users visiting government-sponsored social media resources be prohibited; that meaningful rules apply for public participation in government decisions; and that agencies promote open government and protect privacy. EPIC also advised the agency that use of social media be limited to providing information and directing users to official sites for providing benefits or services; that social media sites not be made forums for issue discussion outside the purview of relevant regulations; and that laws that help public participation in decisions by government apply to all new technology platforms. Other suggestions were to restrict official comments for agency rulemaking to official agency sites, and the use of a model certification system.

President Obama, in an effort to develop a new open government policy, had directed his Administration to develop recommendations on Transparency and Open Government. The first phase involved an online brainstorming session and submission of ideas. EPIC submitted proposals suggesting that users are not tracked on government sites; promoting open government; allowing meaningful public participation in government decisions; stopping commercialization of personal data; and the application of Privacy Act to all data collected by the Government.

The next phase, Discussion, invites public comments focusing on several transparency themes: principles, governance, access, data, and operations, to be followed by a series of posts on participation and collaboration. The Office of Science and Technology Policy, which oversees the initiative, wanted to include a set of transparency principles. Seeking help articulating those principles, definitions and the rationale behind them, the Chief Technology Officer also expressed the necessity of explaining what the principles meant in practice and the need to prioritize them.

Department of Homeland Security:

Privacy Office of DHS:

DHS Notice of Public Comments:

EPIC's comment to DHS:

EPIC's page on The Privacy Act of 1974:

EPIC's Social Networking Page:

EPIC's Page on Network Advertising Initiative:

EPIC's page on Deep Packet Inspection:

Open Government Initiative:

Office of Science and Technology Policy, Executive Office of the President, Transparency and Open Government:

Brainstorming Session:

EPIC's Comments in the Brainstorming Phase:

EPIC's Submission: Users Are Not Tracked on Government Sites:

EPIC's Submission: Promoting Open Government:

EPIC's Submission: Allowing Meaningful Public Participation:

EPIC's Submission: Stopping Commercialization of Personal Data:

EPIC's Submission: Application of Privacy Act to Data Collected:

EPIC's Page on Open Government:

EPIC's FOIA Litigation Manual 2008:

OSTP Blog:

[5] CFP Wrap-Up in Washington

The 19th Annual Computers Freedom and Privacy conference was held at the Marvin Center at George Washington University Law School in Washington, DC on June 1-4, 2009. The gathering brought 400 academics, researchers, activists, government officials, and students to workshops, plenary sessions, and presentations on cutting edge privacy and technology challenges. The program opened with a day-long tutorial on social activism.

The first full day of the conference began with a presentation by Susan Crawford, the Special Assistant to the President for Science, Technology, and Innovation Policy and Member of the National Economic Council. Over the course of the event, debates and discussions covered the future of privacy, censorship, FISA, psychology of security and privacy, as well as special topic discussions on Internet voting, Social Networking, medical privacy and many others.

EPIC staff, board, and advisory board members presented at the meeting on a number of topics including: the Future of Security vs. Privacy, Does Government Secrecy Still Make Sense in the Internet Age, Internet Activism: 20 Years After Tiananmen, Google Book Deal, Social Justice Activism in the US and Beyond.

Lillie Coney, EPIC's Associate Director, closed the meeting with a final plenary panel on the Panopticon: Internalizing the Gaze [of Government Surveillance]. Panelists included Thomas Tamm, the DOJ whistleblower who helped shed light on the illegal domestic warrantless wiretap program; Dr. Steven Hatfill, former government virologist and bio-weapons expert accused in the Anthrax attacks and later cleared; Rebecca MacKinnon, a journalist working in China who lived with government surveillance; Anne Roth, whose partner was accused of terrorism and later released by the German Supreme Court; and Patrick Elder, a Maryland Anti-War activist whom the state police had labeled as a terrorist in criminal databases.

Google Book Deal Panel

Links: Panopticon: Internalizing the Gaze [of Government Surveillance]:

CFP Cybercast Episodes:

The Future of Security vs. Privacy:

CFP 2009:

CFP 2009 Program:

[6] News in Brief

Despite Objections, Enhanced Identity Documents Required for Travel

The Western Hemisphere Travel Initiative went into effect on June 1, 2009, despite substantial privacy and security risks. The federal government now requires US citizens as well as citizens of Canada, Mexico, and Bermuda to present identity documents when entering the US. These documents incorporate RFID technology that jeopardizes the privacy and security of US travelers. EPIC has previously urged the State Department to abandon the proposal. Senator Leahy has also criticized the program and said that improper implementation could impede the flow of people and goods across US borders.

Western Hemisphere Travel Initiative:

WHTI Land and Sea Final Rule:

DHS / State Department WHTI Final Rule, November 24, 2006:

EPIC's Comments on WHTI:

CBP: Travel:


EPIC's page on RFID:

EPIC's Comments on RFID Passport:

Department of State - Western Hemisphere Travel Initiative:

Senator Leahy on Western Hemisphere Travel Initiative:

EPIC's Spotlight on Surveillance: September 2007:

President Announces Privacy Safeguards for Cybersecurity Initiative

President Obama announced a Cybersecurity Initiative by releasing a review by the National Security Council and Homeland Security Council, outlining a range of actions to be pursued in several areas. "So cyberspace is real. And so are the risks that come with it," he remarked. "It's about the privacy and the economic security of American families," he added. President Obama also stated that he was aware how it felt to have privacy violated when it happened to him during his Presidential campaign. Creating a new office at the White House to be led by the Cybersecurity Coordinator, President Obama outlined five actions: (1) developing a comprehensive strategy to secure America's information and communications networks; (2) ensuring an organized and unified response to future cyber incidents; (3) strengthening the public/private partnerships that are critical to the initiative; (4) investing in cutting-edge research and development necessary for the innovation and discovery needed; and (5) beginning a national campaign to promote cybersecurity awareness and digital literacy. President Obama emphasized that the initiative, however, did not include monitoring private sector networks or Internet traffic. "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans," President Obama concluded.

Cyberspace Policy Review:

Remarks by President Obama: Cyber Infrastructure:

EPIC's Page on Critical Infrastructure Protection:

EPIC's Page on Computer Security Act of 1987:

Report Finds Widespread Website Data Sharing

A report published by researchers at the University of California, Berkeley School of Information showed that the most popular websites in the United States share data with their corporate affiliates and allow third parties to collect information directly using "web bugs," despite stating the contrary. Calling for significant changes in privacy policies, the researchers recommended that website operators and third-party trackers inform users about all the information that has been collected about them, and with whom they have shared it. Secondly, they recommended that users be allowed to choose whether or not websites can share information about them with corporate affiliates.

Press Release:

Know Privacy:

Full Report: Joshua Gomez, Travis Pinnick, and Ashkan Soltani, "KnowPrivacy:"

EPIC's Page on Proposed Google/DoubleClick Merger:

EPIC's Page on Cloud Computing:

EPIC's Page on Network Advertising Initiative:

EPIC's Page on Tools for Protecting Online Privacy:

Sears Settles With FTC Over Tracking Software

The Federal Trade Commission had filed a complaint against Sears Holdings Management Corporation alleging violation of the Federal Trade Commission Act by failing to disclose adequately the scope of consumers' personal information it collected via a downloadable software application. According to the FTC's complaint, Sears invited certain consumers visiting the and Web sites to become members of its community by soliciting these consumers to "participate in exciting, engaging, and on-going interactions always on your terms and always by your choice." The Commission vote to approve the administrative complaint and proposed settlement agreement was 4-0. The settlement contains standard reporting and record-keeping provisions to allow the agency to monitor compliance.

Press Release:

FTC Complaint:

FTC Agreement:

EPIC's Page on Deep Packet Inspection and Privacy:

EPIC's Page on Cookies:

Privacy Policies without Privacy Protection:

Right to Access to Information in the Americas Moves Forward

The Carter Center in collaboration with the Organization of American States, the Andean Commission of Jurists and the Knight Center for Journalism in the Americas, held a meeting in Lima, Peru from April 28-30, 2009 to find potential solutions to advance the right of access to information in the Americas. More than 115 participants from 18 countries in the Americas, representing governments, civil society organizations, international and regional bodies and financial institutions, donor agencies and foundations, the private sector, media outlets and scholars released the Americas Regional Finding and Plan of Action. The publication provides a blueprint for the regional and international community, states and non-state actors to establish, develop, and nurture the right of access to information in the Americas region.

Carter Center, Americas Regional Conference on the Right of Access to Information (2009):

Americas Regional Findings and Plan of Action for the Advancement of the Right of Access to Information (2009):

Atlanta Declaration and Plan of Action (2008):

EPIC's page on Open Government:

The Public Voice:

[7] EPIC Bookstore: "Lessons From the Identity Trail"

"Lessons From the Identity Trail" edited by Kerr, Steeves, Lucock.

Description: During the past decade, rapid developments in information and communications technology have transformed key social, commercial and political realities. Within that same time period, working at something less than internet speed, much of the academic and policy debates arising from these new and emerging technologies have been fragmented. There have been few examples of interdisciplinary dialogue about the potential for anonymity and privacy in a networked society. Lessons from the Identity Trail fills that gap, and examines key questions about anonymity, privacy and identity in an environment that increasingly automates the collection of personal information and uses surveillance to reduce corporate and security risks.

This project has been informed by the results of a multi-million dollar research project that has brought together a distinguished array of philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers and privacy experts. Working collaboratively over a four-year period and participating in an iterative process designed to maximize the potential for interdisciplinary discussion and feedback through a series of workshops and peer review, the authors have integrated crucial public policy themes with the most recent research outcomes.


"This volume promises to make important contributions to policy and scholarly thinking about developments in information technologies and changes in social, cultural and personal practices and values. Ian Kerr and his talented colleagues explore the intricacies of privacy, identity and anonymity applying fresh analytical approaches, revealing the limitations of several traditional concepts, and identifying new insights on these critically important issues. The editors have effectively fused a range of multidisciplinary perspectives to enrich and sharpen the analysis and intellectual contribution. This book is likely to generate more informed and nuanced dialogue among scholars, technologists, and policymakers."

--Priscilla M. Regan, George Mason University

(- as published by The Oxford University Press)

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, and Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

[8] Upcoming Conferences and Events

EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards, The Fairfax at Embassy Row, Washington, DC, June 9, 2009. For invitation, see Register at

IAPP - Practical Privacy Series - "Data Breach," "Data Governance," "Human Resources," and "Information Security and Privacy." Network Meeting Center at Techmart, Santa Clara, CA. June 17-18, For more information,

"The Transformation of Privacy Policy," Institutions, Markets Technology Institute for Advanced Studies (IMT), Lucca, Italy, July 2-4, 2009.

Engaging Data: First International Forum on the Application and Management of Personal Electronic Information hosted by SENSEable City Lab, Massachusetts Institute of Technology. For more information,

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

END EPIC Alert 16.11

