WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2009 >> [2009] EPICAlert 20

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 16.20 [2009] EPICAlert 20

Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert 16.20

E P I C A l e r t

Volume 16.20 October 23, 2009
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Urges Court to Protect Speech of Privacy Advocate
[2] Agency Seeks Comments on Definition of Personal Data
[3] EPIC Recommends Safeguards for Voting Systems
[4] Privacy Groups Say Homeland Security Privacy Office Failing
[5] Privacy Groups Urge Google Books Judge to Protect User Privacy
[6] News in Brief
[7] EPIC Bookstore: "Delete"
[8] Upcoming Conferences and Events  - Join EPIC on Facebook - Privacy Policy - About EPIC - Donate to EPIC - Subscription Information

[1] EPIC Urges Court to Protect Speech of Privacy Advocate

On October 20, 2009, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate.

Ostergren runs a Website calling for improved privacy rights and the removal of private information from public records. Virginia provides "secure remote access" to certain public records, including court records that contain "several hundred million documents with SSNs." Ostergren obtained unredacted public documents through the secure remote access system and posted the documents, including Social Security Numbers, on her Website. Ostergren argued that posting the records informs the public about the online availability of personal information, and increases transparency and oversight.

Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. The Personal Information Privacy Act provides that "a person shall not . . .
[i]ntentionally communicate another individual's social security number to the general public." The previous version of the statute provided an exception for "records required by law to be open to the public." Before the revised provision went into effect, Ostergren filed a complaint in the United States District Court for the Eastern District of Virginia, alleging that the revised provision was unconstitutional under the First Amendment and applicable Supreme Court precedent.

The District Court held that the provision was unconstitutional as applied to her website. The court found that Ostergren's website addressed a matter of public concern, and that Virginia did not appear to regard the protection of SSNs as an "interest of the highest order" because it made some records available online and did not fund the redaction of the records.

The Virginia Attorney General appealed to the Court of Appeals for the Fourth Circuit. EPIC's brief urges the appeals court to uphold the lower court's ruling, arguing that her activity is pure speech intended to call attention to the precise problems of SSN availability by publishing the SSNs of the relevant Virginia state officials who make the SSNs available. The Supreme Court has consistently held that such speech may be punished only under extraordinary circumstances. Moreover, protecting Ms. Ostergren's constitutional right to free speech will not unduly interfere with the Commonwealth's ability to protect its citizens' privacy against data mining and disclosure by commercial interests because commercial speech is governed by a lower standard.

EPIC Brief:

Virginia Attorney General Brief:

Ostergren's Website:


EPIC: Social Security Numbers:

EPIC: Identity Theft:

[2] Agency Seeks Comments on Definition of Personal Data

The Department of Health and Human Services (HHS) plans to modify sections of the federal Privacy Rule that was issued under HIPAA. The Department issued an interim final rule that would ensure genetic information is not considered in determining health care eligibility, in hopes of encouraging more people to participate in genetic testing to better detect and prevent illnesses. HHS Secretary Kathleen Sebelius stated, "protect[ing] Americans undergoing genetic testing from having the results of that testing used against them by their insurance companies is one of the 'first major new civil rights' of the new century." This rule will increase "[c]onsumer confidence in genetic testing[, which] can now grow and help researchers get a better handle on the genetic basis of diseases."

The proposed changes would clarify the scope of privacy and confidentiality of genetic information. According to Labor Department Secretary Hilda L. Solis, "Today's genetic technologies yield data that are vital to helping Americans make personal, medical decisions. It is essential that we protect such information and ensure it is not misused by health plans or insurers. The rules issued today protect individuals against the unwarranted use of information related to their personal health, because no one should have to fear that disclosure of their medical data will put their job or health coverage at risk."

Specifically, HHS proposes to modify the Privacy Rule, pursuant to the Genetic Information Nondiscrimination Act Title I, to prohibit group health plans from using or disclosing personally identifiable health information. This would explicitly include genetic information, for underwriting purposes. Thus, group health plans and issuers cannot increase premiums, deny enrollment, or impose pre-existing condition exclusions based on the results of an enrollee's genetic information. These prohibitions already apply to the individual health insurance market, as regulated by the Act.

Public comments on the proposed rule are due December 7, 2009. EPIC is recommending that HHS pay particular attention to the problem of data reidentification.

Department of Health and Human Services:

Privacy Rule:

Genetic Information Nondiscrimination Act:

HHS Press Release: New Rules Protect Patients' Genetic information:

HHS Proposed Rule Modifying HIPAA:

EPIC: Reidentification:

[3] EPIC Recommends Safeguards for Voting Systems

The Election Assistance Commission (EAC) recently closed its latest request for public input into the process of developing new federal guidelines on voting system technology to be used federal elections. The standards, when final, would replace the 2005 version and be the first major rewrite of voting systems standards in more than five years.

The most recent comment period marked the second 120-day comment period for the Commission's work to redraft standards for federal voting system testing and certification. The "Draft Standards" document released for the most recent comment period had significant, unexplained changes from the document released for the first 120-day comment period held in 2008. The document released by the EAC in 2008 for that comment period included provisions for "software independence" and an "innovation class" for voting systems. Both of these proposals are missing from the 2009 opportunity to comment on the Election Assistance Commission's efforts to update standards for voting systems.

EPIC's comments to the agency raised questions about transparency in the drafting process for the next iteration of the Voluntary Voting System Guidelines. EPIC questioned why the Technical Guidelines Development Committee currently lacks a role in the drafting. The Technical Guidelines Development Committee was established to inform the agency on the drafting of voting system standards, but has not met since August 2007 and was officially disbanded in 2009. Additionally, EPIC's comment noted that past public comments submitted on earlier iterations of the Voluntary Voting System Guidelines are not available on the agency's Web site and that differences between versions of the document are not explained. In its comments, EPIC stressed the importance of protection of the secret ballot cast in public elections.

EPIC urged the Commission to include in its guidelines strong support of open government procedures that allow public access to the election administration process. EPIC also urged the Commission to include guidance that addresses the need to minimize and, when possible, eliminate the threat to voters' privacy. Finally, EPIC reiterated its support for "software independence" and the "innovation class as recommended by the Technical Guidelines Development Committee.

EPIC 2009 Comments to the EAC:

Voluntary Voting System Guidelines 2009 120-Day Comment Period Document:

Voluntary Voting System Guidelines 2008 120-Day Comment Period Document:

EPIC 2008 Comments to the EAC:

EPIC Voting Privacy Page:

[4] Privacy Groups Say Homeland Security Privacy Office Failing

EPIC and a number of other privacy and civil liberties groups have sent a letter to the House Committee on Homeland Security, in response to the Annual Report recently issued by the Chief Privacy Officer of the Department of Homeland Security. The annual report discusses all of the activities of the Privacy Office from July 2008 to June 2009. Notably absent from the report were ways in which the Office had performed its statutory obligation to assure "that the use of technologies sustain, and do not erode, privacy protections."

To help the Officer achieve these goals, Congress granted considerable investigative authority, including access to nearly all documentation relating to Department programs, the power to conduct investigations into any program or operation, the power to take sworn affidavits, and the power to issue subpoenas with the approval of the Secretary. Yet the section of the annual report entitled "Compliance" only briefly discusses ways in which the Office has affected Department policy. Instead, it focuses almost entirely on the conducting of assessments.

The letter from EPIC and the other organizations focused on four major programs within the Department and highlighted the Privacy Office's lack of action on each one:

-Fusion Centers and the Information Sharing Environment -Whole Body Imaging -Closed-Circuit Television Surveillance -Suspicionless Electronic Border Searches

As the letter states, in each of the above cases, the Privacy Office "has written Privacy Impact Assessments, but these Assessments have no force, no meaningful effect on the Department’s activities." Also, in each case, the Office has focused on justifying the legality of Department behavior, made recommendations with no force, or used the Assessment process as an outreach tool in an attempt to explain away violations of privacy. The letter states that the job of the Chief Privacy Officer, "as defined in the statute is to protect the privacy of American citizens, through investigation and oversight.  If this cannot be achieved by an internal office, then the situation calls for an independent office that can truly evaluate these programs and make recommendations in the best interests of the American public."

The letter ends by urging the Committee to open an investigation into the Privacy Office and to consider replacing it with an independent office.

EPIC and Other Groups' Letter:

DHS Privacy Office 2009 Annual Report:

DHS Privacy Office:

Statutory Obligations of CHS Chief Privacy Officer:

[5] Privacy Groups Urge Google Books Judge to Protect User Privacy

In hopes of influencing the revision of the Google Books Settlement several organizations and experts issued an October 9, 2009 letter to Google regarding the Settlement. The writers included EPIC, library associations, nonprofit organization, and privacy authors and publishers (represented by the Electronic Frontier Foundation, the American Civil Liberties Union Foundation, and the Samuelson Law, Technology & Public Policy Clinic). The letter was written to urge Google to include enforceable privacy protections along with the amended settlement agreement that the company is currently negotiating.

The letter cited the failure of the settlement to ensure that readers using the Google Book Search services will have their privacy protected as much as readers using physical books. This failure, the letter said, is not only the basis for some objections to the settlement, but has also been raised as a concern by those who support the settlement. "Providing real, enforceable privacy protections may help reduce the number of objections that the court must consider as the case moves forward," the letter writers argued.

The letter writers also stated that current Google Books Privacy Policy does not go far enough, saying "We believe that it is vital that Google commit to additional privacy protections and that such commitments be enforceable by the court presiding over the settlement."

EPIC has been consistently involved in the Google Books settlement. On September 4, 2009, EPIC filed papers in federal district court on the proposed settlement between Google, authors, and publishers. The Google Books Settlement would create a single digital library, operated by Google, but currently fails to limit Google's use of the personal information collected. EPIC stated that the settlement "mandates the collection of the most intimate personal information, threatens well-established standards that safeguard intellectual freedom, and imperils longstanding Constitutional rights, including the right to read anonymously." EPIC further warned that the Google Books deal "threatens to eviscerate state library privacy laws that safeguard library patrons in the United States."

EPIC has also conducted an in-depth analysis of the Google Books privacy policy and found it to be lacking in satisfactory privacy safeguards. EPIC cited several provisions in the policy that allow for the collection, storage, and sharing of massive amounts of personally identifiable user information. EPIC advocated for the inclusion of privacy provisions in the Google Books Settlement and urged Google to fix the privacy policy and improve privacy protection.

October 9, 2009 Letter Issued to Google Regarding Settlement:

EPIC: Google Books Settlement and Privacy:

EPIC: Google Books Litigation:

EPIC: Google Books: Policy Without Privacy:

Google Books Privacy Policy:

[6] News in Brief

TSA Expands Passenger Electronic Strip Search Program

The Transportation Security Administration has plans to greatly expand its use of whole body imaging machines at airports around the country. The x-ray machines, which each cost over $100,000, capture detailed, graphic images of passengers' naked bodies. In June, the House of Representatives overwhelmingly passed a measure that would restrict Administrations's use of these machines. The measure is pending in the Senate. The Privacy Coalition has urged the Department of Homeland Security to suspend the program until privacy and security risks can be fully evaluated. EPIC has also filed Freedom of Information Act requests for the contracts with the vendor Rapiscan.

EPIC: Whole Body Imaging:

EPIC: Spotlight on Surveillance:

House Bill HR 2027:

TSA's Website on Whole Body Imaging:

California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy

Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But just days later, the Governor signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.

Data Breach Bill: S.B. 20:

Anti-Paparazzi Amendment: A.B. 524:

California's Current Anti-paparazzi Law:

California Office of Information Security and Privacy Protection:

EPIC Meets with Spanish Delegation on Freedom of Information Laws

Last week, EPIC met with a delegation from Spain, which included professors, journalists, and lawyers, to offer advice on drafting a Spanish freedom of information law. Currently, Spain is the only major country in the European Union that does not have such a law Delegates from Spain traveled to the U.S. to meet with several FOIA experts and discuss the details of FOIA law, in hopes that this would inform the creation of their own open government law. EPIC assisted the delegation by discussing important advantages and disadvantages of United States open government laws.

EPIC: Open Government:

US Freedom of Information Act:

EPIC FOIA Litigation Manual 2008:

European Commissioner Calls for Privacy Safeguards for Internet

Commissioner Viviane Reding, Member of the European Commission in charge of Information Society and Media, reaffirmed support for an open Internet and called for new initiatives for "the protection of privacy and personal data in the online environment." Reding cited three commercial developments that require close attention: social networking, behavioral advertising and RFID "smart chips." EPIC will be hosting an international conference on privacy protection in Madrid (in conjunction with the annual meeting of the Data Protection Commissioners) that will explore these topics and other related issues.

Commissioner Reding's Biography:

Commissioner's Press Release:

EPIC: International Privacy Protection Conference:

Annual Meeting of Data Protection Commissioners:

EPIC Speaks on Google Books, Privacy at "D is for Digitize" Conference

On October 9, 2009, EPIC spoke at New York Law School's "D is for Digitize" conference, highlighting the privacy threats posed by the Google Books settlement. EPIC discussed its September motion to intervene in the lawsuit, and explained why it has asked a New York federal court to reject the proposed deal unless the parties add meaningful privacy safeguards. The settlement would resolve a complaint filed by rightsholders against Google, and arose from Google's large-scale digitization of books. On September 23, 2009, the parties withdrew the proposed settlement and announced plans to renegotiate terms. The new settlement must be submitted for court review by November 9, 2009. In July, the Department of Justice announced an investigation of the proposed agreement. EPIC and other experts have criticized the settlement on privacy and antitrust grounds.

EPIC Google Books Settlement and Privacy:

EPIC Google Books Litigation Page:

EPIC Google Books: Policy Without Privacy:

"D is for Digitize" Conference:

[7] EPIC Bookstore: "Delete"
"Delete: the virtue of forgetting in the digital age" By Viktor Mayer-Schönberger

To purchase:

"For millennia, the relationship between remembering and forgetting remained clear.  Remembering was hard and costly, and humans had to choose deliberately what to remember.  The default was to forget.  In the digital age, in what is perhaps the most fundamental change for humans since our humble beginnings, that balance of remembering and forgetting has become inverted."

In "Delete," Viktor Mayer-Schönberger examines the role of remembering and forgetting throughout human history. From early cave paintings to the evolution of the written word, the act of remembering was a laborious task, so by default most information was forgotten. However, the advent of digital technology has stripped our natural ability to forget, depriving us of important societal benefits. Mayer-Schönberger, who is the director of the Information and Innovation Policy Research Centre at the National University of Singapore's Lee Kuan Yew School of Public Policy, deconstructs the technological factors that facilitate our inability to forget, from digitization to cheap storage. Although several other scholars and experts have proposed solutions that would restore our ability to forget, Mayer-Schönberger explains why those fixes are insufficient and proposes an alternative - imposing expiration dates on information.

"Delete" begins by retracing the role of remembering and forgetting in human history. For thousands of years, humans have tried to invent ways to remember more and forget less. Beginning with language and simple oral communication, humans soon developed the ability to store external memory and pass memories on to others through paintings. By the fourth millennium BCE, humans had developed script, and more economical means of printing words would eventually follow. However, until recently, forgetting has always been at least a little bit easier and cheaper than remembering.  Therefore, humans always had to decide what was important enough to remember.

In the digital age, however, remembering has become the norm: "Modern technology has fundamentally altered what information can be remembered, how it is remembered, and at what cost." Mayer-Schönberger identifies four "main technological drivers" that have catalyzed the change: digitization, cheap storage, easy retrieval, and global reach. Digitization has allowed the "lossless, cheap, and easy copying of digital information," which enables "a new generation of information processing, storage, retrieval, and sharing that is vastly superior to its analog counterparts."  Cheap storage allows for vast amounts of information to be stored indefinitely, and it is likely that "storage capacity will continue to double and storage costs to halve about every eighteen to twenty-four months, leaving us with an abundance of cheap digital storage."  Digital tools streamlining the easy retrieval of information "strip[s] away original context," and even with re-contextualization efforts, much of the original context of the information is lost. Finally, as a result of global reach and sharing over the Internet, "our capacity as individuals to control information is vastly reduced."

Mayer-Schönberger then argues that the immortality of digital memory adversely affects the "power" and "time" of our information. Information is power, but the accessibility, durability, and comprehensiveness of the available digital information alter the balance of power in a way that harms individuals and influences how humans behave.  Moreover, he argues, "digital remembering negates time, and thereby threatens our ability to decide rationally." After explaining why forgetting is important in the digital age, Mayer-Schönberger examines "six possible responses aimed at preventing or mitigating the challenges of power and time posed by digital memory." He considers three responses - digital abstinence, privacy rights, and privacy digital rights management -  which "[focus] on the ability of individuals to control the sharing of information with others."  He also considers three others - cognitive adjustment, information ecology, and full contextualization - which focus on "the human process of using information for decision-making."  However, none, he argues, "offered a silver bullet" because none addressed both components. Mayer-Schönberger then suggests another solution: "associating information we store in digital memory with expiration dates that user set."  By setting expiration dates, people will be able to both control the sharing of information with others, as well as be more aware of the "finiteness of information."  He considers the numerous methods and variations of expiration that would be possible, and explains why the concept improves upon the six alternative solutions. Mayer-Schönberger's book raises serious questions about the role of forgetting in our society, and his solution is an elegant one that addresses many of the problems associated with digital remembering.

--Matthew Phillips

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

[8] Upcoming Conferences and Events

eChallenges 2009, Istanbul, Turkey, October 21-23, 2009. For more information:

Big Brother Awards Switzerland, Zurich, Switzerland, October 24, 2009. For more information:

3rd European Privacy Open Space, Vienna, Austria, October 24-25, 2009. For more information:

Austrian Big Brother Awards Vienna, Austria, October 25, 2009. For more information:

Free Culture Forum: Organization and Action, Barcelona, Spain, October 29 - November 1, 2009. For more information:

Employee surveillance in Europe: Balancing privacy rights and management control, Madrid, Spain, 3 November, 2009. For more information:

Global Privacy Standards in a Global World, The Public Voice, Madrid, Spain, November 3, 2009. For more information:

31st International Conference of Data Protection and Privacy Commissioners, Madrid, Spain, November 4-6, 2009. For more information:

Free Society Conference and Nordic Summit, Gothenburg, Sweden, November 13-15, 2009. For more information:

UN Internet Governance Forum, Sharm El Sheikh, Egypt, November 15-18, 2009. For more information:

Privacy 2010, Stanford, March 23 - 25, 2010. For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

END EPIC Alert 16.20


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback