
EPIC Alert


EPIC Alert 16.21 [2009] EPICAlert 21


E P I C   A l e r t

Volume 16.21                                          November 9, 2009

                          Published by the
                  Electronic Privacy Information Center (EPIC)
                          Washington, D.C.


 "Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Urges Court to Protect Privacy Rights in Facebook Case
[2] Study Finds Privacy of Nation's School Children At Risk
[3] Public Voice Hosts Madrid Civil Society Conference
[4] Civil Society Groups Issue Privacy Declaration in Madrid
[5] EPIC Audits First Public Election to use Scantegrity Voting System
[6] News in Brief
[7] EPIC Bookstore: "Privacy By Design . . . Take the Challenge"
[8] Upcoming Conferences and Events - Join EPIC on Facebook - Privacy Policy - About EPIC - Donate to EPIC - Subscription Information

[1] EPIC Urges Court to Protect Privacy Rights in Facebook Case
On November 3, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner.

Congress passed the Video Privacy Protection Act of 1988 to prevent the wrongful disclosure of video rental information by companies that collect detailed personal information from customers. To achieve this goal, Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected. A private right of action is a statutory clause that gives individual citizens the right to sue companies who violate the individual's rights under the law.

Accordingly, Cathryn Harris and other Facebook users filed suit under the Act after Blockbuster made public their private video rental information. Blockbuster made the information public as part of its participation in Facebook's Beacon program, which revealed the private information on the news feeds of other users. In response to the lawsuit, Blockbuster claimed that, under the "clickwrap" agreement that consumers clicked through while signing up for Blockbuster's online service, consumers could not sue the company and had to submit to mandatory arbitration.

EPIC wrote that "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated.

EPIC Amicus Brief:

EPIC: Harris v. Blockbuster:

EPIC: The Video Privacy Protection Act:

EPIC: Facebook Privacy:

[2] Study Finds Privacy of Nation's School Children At Risk
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation's school children. The study, prepared by the Center on Law and Information Policy, reports that at least 32% of states warehouse children's social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children's educational records. Almost all states with known programs collect family wealth indicators.

Moreover, most states use third party vendors for at least part of their data collecting and reporting needs. Some states outsource the data processing without any restrictions on use or confidentiality for children's information. The study therefore recommended that states which outsource data processing have comprehensive agreements explicitly addressing the privacy obligations of the third party vendors. Furthermore, access to the information and the disclosure of personal data may occur for decades and follow children well into their adult lives. More than 80% of states fail to have data-retention policies and may retain the information indefinitely. Thus, the study recommended that states should limit data collection to necessary information and should have specific data retention policies and procedures.

The Fordham report also recommended that data at the state level be made anonymous, that the collection of information by the state be minimized and specifically tied to an articulated audit or evaluation purpose, and that states should have a Chief Privacy Officer in the department of education who monitors the privacy protections of educational record databases and who publicly reports privacy impact assessments.

These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states' electronic warehouses of children's information.

Study Website:

Fordham Law School, Center on Law and Information Policy:

Student Aid and Financial Responsibility Act:

EPIC: Children's Online Privacy Protection Act:

EPIC: DOD Recruiting Database:

[3] Public Voice Hosts Madrid Civil Society Conference
Almost two hundred privacy experts, advocates, and government officials from around the world gathered in Madrid for the "Global Privacy Standards" conference, organized by the Public Voice, and held in conjunction with the International Conference for Data Protection and Privacy.

The event featured five panel discussions. The "Privacy and Human Rights: The Year in Review" panel, which released the most current edition of the Privacy and Human Rights report, focused on recent developments in privacy law. "Privacy Activism: Major Campaigns" featured a discussion on privacy and data protection campaigns around the world, concentrating on the role of public education. The third panel, "Your Data in the Cloud: What if it Rains?" discussed the privacy implications of cloud computing for internet users. "Transborder Data Flow: Bridges, Channels or Walls?," centered on a discussion of when data flows should be facilitated and when they should be blocked.  Finally, in the "Toward International Privacy Standards" discussion, Marc Rotenberg offered a presentation of the Madrid Civil Society Declaration on Global Privacy Standards, and respondents from four different countries reacted to his statements.

Leading privacy officials from Spain, the European Union, the European Parliament, the OECD, and Canada all participated. Each panel featured representatives from at least three different countries. Opening remarks were made by Marc Rotenberg, President, EPIC; Mr. Alejandro Perales, President, Asociación de Usuarios de la Comunicación; and Mr. Artemi Rallo Lombarte, Director, Agencia Española de Protección de Datos. Conference attendees heard closing remarks from Mr. Stavros Lambrinidis, Vice President, European Parliament; and Mr. Peter Hustinx, Supervisor, European Data Protection Supervisor (Netherlands). The privacy commissioner's conference drew more than 1,000 participants from over fifty countries.

Global Privacy Standards Conference:

International Conference of Data Protection and Privacy:

Public Voice:

Conference Cybercast:

[4] Civil Society Groups Issue Privacy Declaration in Madrid
In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Privacy Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards.

The Madrid Declaration affirms that privacy is a fundamental human right. The declaration reminds the European Union member countries and Organization for Economic Co-operation and Development member countries of their obligations to protect the civil rights of their citizens under national constitutions and laws.  Noting the increase in secret surveillance and lack of independent oversight in corporations' data collection practices, the Madrid Declaration sets forth warnings and urges action on the part of the European Union countries.

The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." Such failures to protect the privacy interests of citizens "jeopardize[] associated freedoms . . . and ultimately the stability of constitutional democracies."

The Madrid Privacy Declaration urges countries who have not done so to ratify the Council of Europe Convention 108, establish a comprehensive framework for privacy protection, develop means of properly implementing and enforcing such legal frameworks, and ensure that individuals are notified after a data breach has occurred. Furthermore, the Declaration encourages research into the effectiveness of data anonymization techniques, in an effort to determine whether such practices properly safeguard personal information.

The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions."

Madrid Declaration:

Global Privacy Standards Conference:

Translations of Madrid Declaration:

Council of Europe Convention 108:

EPIC Reidentification:

[5] EPIC Audits First Public Election to use Scantegrity Voting System
The Clerk of Elections of the city of Takoma Park, Maryland, sought EPIC's assistance in conducting a manual audit of the city's November 3, 2009 election. The city chose the Scantegrity voting system for its biannual election for mayor and city council. Scantegrity is an original concept developed by David Chaum and has been refined for use in elections through the collaboration of Ron Rivest of MIT and Poorvi Vora of the Computing Science Department at George Washington University.

Scantegrity’s implementation for the Takoma Park election gave voters the option of verifying, after voting, that their ballots had been captured for the tabulation phase of the election. Takoma Park voters also had the option of second chance voting, which allowed the selection of primary and secondary choices for the public offices on Tuesday’s ballot.

This marked the first time in the U.S. that voters had the option to check that their private votes were correctly recorded and included in the election results. Each ballot carried a unique code for each possible selection on the ballot. The codes correspond to the ballot number. It is important to note, however, that ballots are not associated with a specific voter. Poll book registration logging of voters participating in the election was separate from the issuance of ballots to voters.

Voters were given ballots in a privacy sleeve. They then voted using optical scan ballots behind privacy screens, where they had the option of noting the codes and ballot numbers on a form they could take with them. Voters then deposited completed ballots into one of two scanners. Later, voters could verify that their ballot was included in the final results by going to the City Election Office’s web site and entering the ballot number. The process was not as accessible for unassisted voting by persons with vision-related disabilities as touch screen voting systems are. However, voters with a wide range of disability challenges were able to vote independently, or with a little assistance in inserting their privacy-sleeve-enclosed ballot into the scanner.

EPIC was asked to randomly select ballots from among the ballots provided to voters in each of the 6 wards. Over 1600 Takoma Park voters participated in the election. The audit ballots were selected at varying times throughout Election Day, under the supervision of election officials. Takoma Park election officials voided each audit ballot and marked the ballot stubs to indicate that they were part of the manual audit. EPIC then processed each manual audit ballot by revealing all possible selections on it, and a copy of the original manual audit ballot was made. The original ballots were placed in a spoiled manual audit ballot envelope held by another election official stationed in the polling location. Each ballot copy was then endorsed by the Chief Election Judge, which will aid in authentication of the copies when they are submitted to the City Clerk’s office. The manual audit ballots and their selections will be verified and the results reported to the Takoma Park Clerk’s office.


Links: Takoma Park Election’s Office:

Takoma Ballot verification Web page:

EPIC’s Voting Privacy Page:

[6] News in Brief
European Commission Takes Action Against United Kingdom

The European Commission announced that the United Kingdom government has failed to comply with Europe's ePrivacy Directive and Data Protection Directive. European laws state that European Union countries must ensure the confidentiality of electronic communications by prohibiting unlawful interception and surveillance. The Commission's statement specifically cited unlawful interception under the United Kingdom Regulation of Information Powers Act. This marks the second phase of an infringement proceeding that was filed earlier this year against the United Kingdom. The case follows complaints about the use of Phorm's Deep Packet Inspection technology.

European Commission Statement:

Press Release on the Infringement Proceeding:

ePrivacy Directive:

Europe's Data Protection Directive:

EPIC: Deep Packet Inspection:

EPIC: Privacy and Human Rights Report:

Privacy Groups Urge Government to Ensure Open Internet

EPIC has signed on to a letter from Public Knowledge to the Federal Communications Commission supporting the Commission's decision to begin public proceedings on preserving an open internet. EPIC joins many other public interest groups who have also expressed support for the FCC's initiative. The Commission's proceedings will focus on proposed rulemaking policies that would preserve an open internet. EPIC favors the general principles of "network neutrality" and has called on the Commission to preserve privacy safeguards against measures that Internet Service Providers may use to limit access to the internet. For more information, see also EPIC Deep Packet Inspection.

FCC Letter:

Public Knowledge:

FCC Proceedings:

EPIC Deep Packet Inspection:

HHS Changes Breach Notification Rules

The Department of Health and Human Services issued new breach notification regulations that require health care providers, health plans, and business associates of covered entities to notify individuals when their health information is breached. In an effort to strengthen the Health Insurance Portability and Accountability Act, the new rules subject business associates of covered entities to federal law in this area for the first time. The Department also included a provision stating that a breach occurs only when access, use, or disclosure of the data poses a significant risk of financial or other harm to an individual, as determined by covered entities. These rules implement provisions of the Health Information Technology for Economic and Clinical Health Act, which was passed as part of the American Recovery and Reinvestment Act.

Department of Health and Human Services:

HITECH Breach Notification Interim Final Rule:

HHS Breach Notification Rule Page:



EPIC Medical Record Privacy:

EPIC Submits Letter Requesting Participation in Privacy Roundtable

The Federal Trade Commission announced a series of roundtables on consumer privacy, beginning December 7, 2009. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. EPIC submitted a letter to the Commission requesting to participate in the first privacy roundtable discussion. In its letter, EPIC made several recommendations to the Commission as it explores new internet consumer protection strategies. The recommendations include treating fair information practices as a fundamental requirement for companies collecting personal data, focusing more attention on the major Internet firms that are shaping business practices in the online environment, and investigating the extent to which security breaches contribute to identity theft.

EPIC: Letter to the FTC:

Federal Trade Commission:

FTC Press Release:

FTC Privacy Roundtable:


FB Updates Privacy Policy in Response to Canadian Investigation

In response to a September ruling by the Canadian Privacy Commissioner that Facebook's business practices violated Canadian law, Facebook announced a new privacy policy this week. In order to comply with Canada's Personal Information Protection and Electronic Documents Act, the new Facebook policy provides a more concise description of the privacy practices of the developers of third-party applications. It also explains more clearly what data Facebook retains and what abilities users do and do not have to control their data stored on Facebook. The new policy was open to comments for one week and will presumably be implemented sitewide soon.

Facebook: New Privacy Policy:

Facebook: Current Privacy Policy:

Facebook: New Third-Party Developer Policies:

EPIC: Facebook Privacy:

Office of the Privacy Commissioner of Canada: Facebook Findings:

Reporter Confidentiality Law Moves Forward in Senate

A revised version of the proposed federal media shield law moved forward in the Senate this week. The Free Flow of Information Act of 2009 will make it more difficult for the government to compel journalists to disclose information, including the identities of their sources. The White House, which had previously endorsed a much weaker version, has come out in favor of stronger statutory text which requires the government or other party requesting disclosure to demonstrate that the information sought is "essential" to a case and all reasonable alternatives have been exhausted. A judge would then balance the case for disclosure against the public interest in effective journalism. A version of the bill was passed by the House earlier this year, and with the Obama administration's support, the Senate Judiciary Committee passed the revised bill this week, sending it to the full Senate for a vote.

Senate: S. 448 - Free Flow of Information Act of 2009:

H.R. 985 - Free Flow of Information Act of 2009:

Amendment 9794 to S. 448 (White House-supported revised version):

Amendment 9860 to S. 448:

[7] EPIC Bookstore: "Privacy By Design . . . Take the Challenge"
"Privacy By Design . . . Take the Challenge" by Ann Cavoukian, Ph.D.

Available at:

Ann Cavoukian is a rare breed: a government official working with privacy and technology who genuinely seems to understand both. In Privacy By Design, the current Information and Privacy Commissioner of Ontario, Canada, proves it. Dr. Cavoukian's recent work compiles a number of reports, guidelines, speeches, and essays published by her and her office in recent years. These various pieces combine to show a comprehensive approach to privacy in a modern world.

Dr. Cavoukian's work over the last twenty years has been a steady evolution of ideas.  In 1995, she promoted Privacy-Enhancing Technologies (PETs) with the Netherlands Data Protection Authority. This term has been instrumental in guaranteeing the continued presence of privacy protections by building them into technology. Later in the decade, she argued for the concept of "privacy by design," a philosophy in which privacy is embedded into the technology itself during development, such that privacy and data protection become part of designers' original goals. While this view has become more prominent, Dr. Cavoukian was instrumental in its adoption.

In her current work, Dr. Cavoukian expands her idea of PETs into a new concept, which she calls "PETs Plus." The idea is that privacy need not be part of a zero-sum model, in which increasing privacy comes at a cost to efficacy. Instead, Cavoukian argues for a positive-sum model, in which privacy can be increased alongside security, or alongside business practices, so that focusing on data protection has only net benefits for designers and implementers of technology.

Many of the essays in Privacy by Design include examples of these PETs Plus, and many of them are quite impressive. In her discussion of CCTV, Dr. Cavoukian describes a new development in which people's images in the video stream are encrypted. This allows a person to monitor the video live for suspicious behavior without ever seeing anyone's identity. If the video contains evidence of a crime, proper law enforcement officials can decrypt that section, with a suitable audit trail ensuring that only the necessary information is decrypted.

Another excellent PET Plus is a design from IBM for radio frequency identification (RFID) tags that can be disabled or even reprogrammed by the consumer, which would allow the tags to be useful in inventory and sales management, while giving individuals the ability to decide exactly how they will be used at home. Dr. Cavoukian also discusses an advanced method for securing and encrypting biometric authentication systems, and privacy-maximizing best practices for a number of security processes, including CCTV, RFID in healthcare, and airport searches. Privacy By Design is a must-read for anyone in the security or privacy fields looking for the best approach to new technology.

--Jared Kaprove

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

[8] Upcoming Conferences and Events
Biometrics and the Law, Georgetown Law Center, Washington, DC, November 10, 2009. For more information:

Louis Brandeis and the Development of the Right to Privacy, American Constitution Society, Center for American Progress, Washington, DC, November 10, 2009. For more information:

Free Society Conference and Nordic Summit, Gothenburg, Sweden, November 13-15, 2009. For more information:

UN Internet Governance Forum, Sharm El Sheikh, Egypt, November 15-18, 2009. For more information:

Privacy 2010, Stanford, March 23 - 25, 2010. For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

END EPIC Alert 16.21

