
EPIC Alert


EPIC Alert 16.19 [2009] EPICAlert 19

Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert 16.19 (08/28/09)

E P I C A l e r t

Volume 16.19 October 8, 2009
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

Table of Contents
[1] Department of Justice Limits Use of State Secrets Privilege
[2] EPIC to FTC: "Parental Control" Software Firms Gather Data on Kids
[3] Data Breach Bill Advances in House
[4] ICANN Issues Affirmation of Commitment, Seeks Comments on WHOIS
[5] Future of Registered Traveler, Clear Data Unclear
[6] News in Brief
[7] EPIC Bookstore: "Three Felonies a Day"
[8] Upcoming Conferences and Events - Join EPIC on Facebook - Privacy Policy - About EPIC - Donate to EPIC - Subscription Information

[1] Department of Justice Limits Use of State Secrets Privilege

On September 23, the Department of Justice (DOJ) announced a new policy that limits the government's use of the state secrets privilege. The state secrets privilege, first recognized by the Supreme Court in United States v. Reynolds, is a rule of evidence intended to prevent genuine matters of national security from being disclosed in open court. The government can invoke the privilege by submitting an affidavit to the court asserting that the proceedings might reveal information that could endanger national security. Once the privilege is invoked, the protected evidence is eliminated from the litigation.

Although the privilege originally was intended to protect national security, it has recently been misused by both the Bush and Obama administrations in order to derail litigation completely. For instance, in 2007 EPIC filed a "friend-of-the-court" brief in Hepting v. AT&T, in which the plaintiffs accused AT&T of violating the law and the privacy of their customers by working with the National Security Agency in its warrantless domestic spying program. However, the government argued that the case should be dismissed because it would reveal "state secrets."

Under the new policy, the privilege will be invoked only "to the extent necessary to protect against the risk of significant harm to national security." The privilege will explicitly not be invoked in order to conceal violations of the law, embarrassment to the government, to restrain competition, or to delay release of unprotected information. The policy also implements procedural safeguards. If a government agency or department seeks to invoke the privilege, an Assistant Attorney General must approve the request, and then a State Secrets Review Committee must give a recommendation to the Attorney General, who must approve each determination. Finally, the DOJ will provide periodic reports to Congress explaining the basis for any invocations.

The State Secret Protection Act of 2009, legislation with a similar purpose, is now pending in Congress. The legislation may still be necessary despite the DOJ policy, as the policy will not necessarily be binding on future administrations. The proposed act would allow invocation of the privilege only if disclosure was "reasonably likely to cause significant harm to the national defense or the diplomatic relations of the United States." The legislation also requires a court to determine whether the government may invoke the privilege, which is not explicitly required by the DOJ policy.

DOJ Press Release:

DOJ Policy Memo:

United States v. Reynolds:

State Secret Protection Act of 2009:

EPIC: Hepting v. United States:

EPIC: Open Government:

[2] EPIC to FTC: "Parental Control" Software Firms Gather Data on Kids

EPIC filed a complaint with the Federal Trade Commission (FTC) against Echometrix, the developers of parental control software that monitors children's online activity. Echometrix also develops software called Pulse, which collects and sells information about how children use the internet and what children are saying on the internet to third parties for market-intelligence research purposes. According to Echometrix, information is collected regarding children's online activity from, among other sources, instant message conversations, social networking sites, and chat rooms.

The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the parental control software protects children online, without informing parents that it simultaneously collects and discloses information about children's online activity. EPIC argues that the privacy policy for the parental control software does not clearly disclose how children's information is being collected and used. Therefore, parents are unaware that information about their children's online activity is sold to third parties.

The EPIC complaint further alleges that Echometrix's practices violate the Children's Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The Act requires that website operators have clear privacy policies indicating how children's information is collected and disclosed. Further, website operators must obtain verifiable parental consent before collecting personal information from children. The complaint alleges that Echometrix's privacy policy does not clearly disclose how children's information is used, and that Echometrix is collecting personal information (e-mail addresses) from children in violation of the Act.

The EPIC complaint asks the FTC to investigate and stop these practices, seek compensation for victims, and ensure that Echometrix's collection and disclosure practices comply with the Children's Online Privacy Protection Act. Further, EPIC urges the Commission to require that Echometrix destroy all current records stored that involve children's personal information.

EPIC's Complaint to the Federal Trade Commission:

EPIC: Children's Online Privacy Protection Act:

Echometrix website:

Federal Trade Commission: Consumer Privacy:

[3] Data Breach Bill Advances in House

On September 30, the House Energy and Commerce Committee considered a proposed federal law that would establish national standards for data breach notifications. The Data Accountability and Trust Act also regulates information brokers and requires companies to adopt security policies. The bill was introduced in April by Representative Bobby Rush, D-IL, chair of the subcommittee on Commerce, Trade, and Consumer Protection. It passed the subcommittee in June and was referred to the full committee, which began considering it this week.

If passed, the Data Accountability and Trust Act would require the Federal Trade Commission to promulgate regulations requiring businesses that own or possess electronic data containing personal information to establish security policies and procedures. It would also authorize the FTC to require a standard method for destroying obsolete non-electronic data. The bill would impose several new regulations on information brokers to ensure that they establish procedures to verify the accuracy of the portfolios they maintain on individuals and allow those individuals to review and correct their files.

Finally, the bill's new data breach notification procedures would expand the number of circumstances in which companies must notify customers of breaches. In particular, it would require notification for breaches by contractors who maintain or process electronic data containing personal information, breaches involving telecommunications and computer services, and breaches of health information.

In May, EPIC testified before Congress on the bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. Also in May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." The Senate is considering a similar bill, the Personal Data Privacy and Security Act, which would protect additional categories of consumer information.

Data Accountability and Trust Act (H.R. 2221):

Personal Data Privacy and Security Act of 2009 (S. 1490):

EPIC: Testimony before House Subcommittee:

EPIC: Identity Theft:

[4] ICANN Issues Affirmation of Commitment, Seeks Comments on WHOIS

The Internet Corporation for Assigned Names and Numbers (ICANN) has recently signed an affirmation of commitment with the US Department of Commerce. ICANN is the corporation that coordinates the assignment of domain names to Internet Protocol addresses through a longstanding agreement with the U.S. government.

This document affirms key commitments by the Department and ICANN, including agreements to ensure that decisions related to the global technical coordination of the Domain Name System are made in the public interest and are accountable and transparent. In addition, the document states that international participation in the Domain Name System technical coordination will be facilitated.

ICANN also commits to enforcing the existing WHOIS policy, subject to applicable laws. The WHOIS database was originally intended to maintain the stability of the internet by allowing network administrators to find and fix problems with minimal hassle. But now it exposes domain name registrants' personally identifiable information to spammers, stalkers, criminal investigators, and copyright enforcers.

Current WHOIS policies require accurate WHOIS information without having established appropriate privacy and data protection safeguards. The enforcement of the accuracy of WHOIS data has serious implications for privacy. Some domain name registrants have legitimate reasons for providing inaccurate WHOIS information, especially when there are no privacy safeguards in place. To limit the amount of personal information available to the public through WHOIS queries, domain name registrants have been using a privacy or proxy registration service when registering their domain name.

ICANN has released a preliminary report showing that about 15 to 25 percent of domain names have been registered in a manner that limits the amount of personal information available to the public through WHOIS queries. A call for public comments on the preliminary WHOIS report is open until November 6, 2009.

Affirmation Of Commitments By The United States Department Of Commerce And The Internet Corporation For Assigned Names And Numbers:

ICANN's Study on the Prevalence of Domain Names Registered using a Privacy or Proxy Service:

EPIC: Whois:

"Privacy & Human Rights: An International Survey of Privacy Laws and Developments" (EPIC 2007):

The Public Voice: WHOIS Policy Development:

[5] Future of Registered Traveler, Clear Data Unclear

A subcommittee of the House Committee on Homeland Security held a hearing on September 30 to consider the future of the Registered Traveler Program, also known as Clear. The Subcommittee on Transportation Security and Infrastructure Protection held the hearing to consider what will happen to the sensitive passenger data held by the company now that it has declared bankruptcy.

The Clear program was the brand name for the Transportation Security Administration's (TSA) Registered Traveler Program, also known as Secure Flight. The program was a passenger prescreening program in which passengers could submit to extensive background checks to go through special security lines in airports. The screening process required substantial data collection, including biometric identifiers, from passengers who participated. It was introduced in 2004, then suspended in 2006 amid considerable privacy and security concerns.

The Registered Traveler Program underwent a new two-year pilot program between 2006 and 2008 and was due for relaunch next year. But Verified Identity Pass, the company TSA contracted to provide the service, closed operations and declared bankruptcy in June, 2009. Now an investment group has signed a letter of intent to purchase the bankrupt company's assets and restart the program, raising questions about the security of the data collected from passengers. Currently, TSA is directing all questions regarding the status of the data to the companies themselves.

Subcommittee Hearing:

TSA: Registered Traveler Program:

EPIC: Secure Flight:

EPIC: Spotlight On Surveillance - Registered Traveler Card:

[6] News in Brief

EPIC Celebrates International Right to Know Day

On Monday, September 28, 2009, EPIC celebrated International Right to Know Day, which was established to raise awareness of every individual's right of access to government-held information. EPIC spoke at American University's Third Annual International Right-To-Know Day Celebration concerning opportunities to restore US leadership in government transparency. Other speakers discussed the international status of freedom of information laws, the United States' role in fostering freedom of information values, and strategies for implementation of the Obama Administration's stated goal of transparent government.

American University's Washington College of Law, International Right to Know Day:

EPIC: Open Government:

EPIC: FOIA Litigation Manual:

White House Announcement Regarding Transparency:

Americans Object to Online Tracking

According to a study conducted by researchers from the University of Pennsylvania and University of California - Berkeley, 66% of Americans object to online tracking. The study, which surveyed 1,000 adult Internet users, is one of the first independent studies to address the issue of online targeting. The aversion to targeted advertising did not vary among age groups, even the young adult demographic, which Facebook and other companies have argued does not have a problem with disclosing information for targeted advertising purposes. The study also revealed that 92% of respondents supported the idea of strengthening privacy laws, more specifically, passing legislation requiring websites to delete information upon request of a user. As Jeff Chester of the Center for Digital Democracy noted, "this research gives the Federal Trade Commission and Congress a political green light to go ahead and enact effective, but reasonable, rules and policies."

Study: Americans Reject Tailored Advertisements:

N.Y. Times: Two-Thirds of Americans Object to Online Tracking:

EPIC: Deep Packet Inspections and Privacy:

FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising:

Google Urged to Fix Book Privacy Policy

With the settlement in the Google Books project still pending, Google recently released a Google Books privacy policy. In response, EPIC conducted an in-depth analysis of the privacy policy and found it to be lacking in satisfactory privacy safeguards. EPIC cited several provisions in the policy that allow for the collection, storage, and sharing of massive amounts of personally identifiable user information. EPIC advocated for the inclusion of privacy provisions in the Google Books Settlement and urged Google to fix the privacy policy and improve privacy protection.

Google Books Privacy Policy:

EPIC: Google Books: Policy Without Privacy:

EPIC: Google Books Settlement:

Patriot Act Reform Moves Forward in Senate

The process of renewing and reforming certain provisions of the USA PATRIOT Act and the Foreign Intelligence Surveillance Act has been moving very quickly in the Senate. Three provisions are due to expire on December 31, 2009. The first provision is the Business Records provision, which grants the Federal Bureau of Investigation the authority to request an order "requiring the production of any tangible things (including books, records, papers, documents, and other items)" relevant to an investigation of international terrorism or clandestine intelligence activities. The second is the Roving Wiretap provision, which allows the interception of any communications made to or by an intelligence target without specifying the particular telephone line, computer or other facility to be monitored. And the third is the "Lone Wolf" provision, which allows investigation into terrorists not directly connected to a foreign nation or organization. The Department of Justice has asked that the provisions be renewed unchanged, but has expressed willingness to consider additional privacy protections as long as they do not reduce the provisions' efficacy.

Three bills were proposed to address these expiring provisions, each with various other reforms. Last week, the Senate Judiciary Committee began the markup process on S.1692, the USA PATRIOT Act Sunset Extension Act of 2009, and finished the process on Thursday, October 8th. The Committee made a number of amendments to the bill, eliminating many proposed reforms but preserving required minimization procedures for National Security Letters and reducing the delay on notification for Sneak & Peek searches from thirty days to seven days. The bill passed committee by a vote of 11-8 and will next be considered for further amendment by the full Senate.

Senate Judiciary Committee, Markup - Oct. 1:

Senate Judiciary Committee, Markup - Oct. 8:

EPIC: PATRIOT Act Extension?


EPIC Participates in Internet Governance Panel

On Friday, October 2, 2009, EPIC participated in a panel at the Internet Governance Forum USA Conference. The panel, which featured experts from industry, advocacy organizations, and the United States government, focused on security and privacy issues related to Web 2.0. Panel experts debated whether self regulation or federal regulation would be more effective in protecting customers and fostering innovation on the internet. EPIC explained the privacy and security problems with self regulation, citing numerous examples of unfair and ineffective privacy policies, data breaches, and unauthorized sharing of personal user information. In light of these problems, EPIC advocated for stronger, clearer federal regulatory standards regarding online behavioral targeting and cloud computing.

Internet Governance Forum:

EPIC: Cloud Computing:

EPIC: Search Engine Privacy:

EPIC: Google/DoubleClick Merger and Behavioral Targeting:

[7] EPIC Bookstore: "Three Felonies a Day"

"Three Felonies a Day: How the Feds Target the Innocent"
By Harvey A. Silverglate

To purchase:

"The average professional in this country wakes up in the morning, goes to work, comes home, eats dinner, and then goes to sleep, unaware that he or she has likely committed several federal crimes that day. Why? The answer lies in the very nature of modern federal criminal laws, which have exploded in number but also become impossibly broad and vague."

In Three Felonies a Day: How the Feds Target the Innocent, criminal defense attorney Harvey Silverglate illustrates this point as he chronicles high-profile cases, some in which he participated as a lawyer, arguing that overly ambitious prosecutors coupled with vague criminal statutes are responsible for the continuing rise of federal criminal prosecutions in America. Silverglate makes clear that any citizen, whether politician, doctor, or average taxpayer, is subject to federal prosecution: "When the feds appear on the scene, claiming to represent the public by going after some citizen who had no reasonable way of knowing that his or her conduct could be deemed a felony, do not ask for whom the bell tolls. It tolls for all."

In a chapter entitled "Giving Doctors Orders," Silverglate describes the "win at virtually any cost" mentality of the government through the case of Dr. Hurwitz. Dr. Hurwitz was charged with violating the Controlled Substances Act by allegedly overprescribing the addicting drug OxyContin. To establish that Dr. Hurwitz complied with accepted medical practices, the defense planned to use a frequently asked questions pamphlet posted on the Drug Enforcement Administration's (DEA) website, which allowed physicians broad discretion in their prescribing practices. However, the pamphlet was withdrawn by the DEA only two months after its adoption in a successful attempt to "cement[] the case against Dr. Hurwitz." Although a jury did convict Dr. Hurwitz, the Court of Appeals for the Fourth Circuit reversed this decision for the district court's failure to instruct the jury to acquit Dr. Hurwitz if they found his actions were in "good faith" and within "accepted medical practice."

In his book, Silverglate takes particular issue with anti-terrorist, or national security, statutes such as the Espionage Act and USA Patriot Act, a discussion which spans two chapters and illustrates the acts' "infinite malleability" as a catalyst for the prosecution of students, journalists, artists, and professors. Silverglate aptly notes that the increasing popularity of technology and the internet in the post-9/11 era has exacerbated this problem of wrongful prosecution of innocent actions. He describes the first indictment under the USA Patriot Act, where University of Idaho doctoral candidate Sami Omar al-Hussayen was charged with providing "material support" for terrorist activities. The material support al-Hussayen allegedly provided came from his creation of several websites for a Muslim charity, which prosecutors alleged housed links to other websites containing violent messages and soliciting donations to terrorist organizations. Because al-Hussayen was the webmaster and because users could eventually access these websites through links on his sites, al-Hussayen allegedly provided "expert advice or assistance" to terrorists. Although the jury acquitted al-Hussayen on the serious charges, al-Hussayen was eventually deported to Saudi Arabia. The case still leaves the meaning of "expert advice or assistance" in the USA Patriot Act unclear, although the term "assistance" now includes merely maintaining or linking to websites. The issue of the Act's ambiguity is an increasingly hot topic today, as the possibility of revising the Act is currently being discussed in Congress.

The remaining chapters in the book track this theme of overly zealous prosecutors exploiting unclear and overbroad statutes. In his conclusion, Silverglate calls upon citizens to lobby for legislative and regulatory change, write op-ed columns, and file amicus ("friend of the court") briefs to support the legal principles that protect our interests and to protect our constitutional right to "be free from prosecution under vague statutes." Silverglate shows us that we all have a stake in this issue, as no one is safe from prosecution of our seemingly innocuous actions. As a result, it is up to us as citizens to bring attention to the issue of wrongful prosecution in order to effect change.

--Kim Nguyen

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, and Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

[8] Upcoming Conferences and Events

Engaging Data Forum, MIT, October 12-13, 2009. For more information:

10th German Big Brother Awards, Bielefeld, Germany, October 16, 2009. For more information:

eChallenges 2009, Istanbul, Turkey, October 21-23, 2009. For more information:

Big Brother Awards Switzerland, Zurich, Switzerland, October 24, 2009. For more information:

3rd European Privacy Open Space, Vienna, Austria, October 24-25, 2009. For more information:

Austrian Big Brother Awards Vienna, Austria, October 25, 2009. For more information:

Free Culture Forum: Organization and Action, Barcelona, Spain, October 29 - November 1, 2009. For more information:

Employee surveillance in Europe: Balancing privacy rights and management control, Madrid, Spain, 3 November, 2009. For more information:

Global Privacy Standards in a Global World, The Public Voice, Madrid, Spain, November 3, 2009. For more information:

31st International Conference of Data Protection and Privacy Commissioners, Madrid, Spain, November 4-6, 2009. For more information:

Free Society Conference and Nordic Summit, Gothenburg, Sweden, November 13-15, 2009. For more information:

UN Internet Governance Forum, Sharm El Sheikh, Egypt, November 15-18, 2009. For more information:

Privacy 2010, Stanford, March 23 - 25, 2010. For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

END EPIC Alert 16.19

