EPIC Alert 16.23 [2009] EPICAlert 23

E P I C A l e r t
Volume 16.23 December 3, 2009
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Files Appeal for NSA Network Surveillance Policy
[2] EPIC Files Lawsuit Regarding Passport Record Breaches
[3] EPIC, Coalition, and Experts Champion Privacy for Smart Grid Data
[4] European Countries Approve Sweeping Communications, Privacy Reform
[5] EPIC Complaint Prompts Defense Department to Drop Spyware Product
[6] News in Brief
[7] EPIC Bookstore: "Googled: The End of the World As We Know It"
[8] Upcoming Conferences and Events
- Join EPIC on Facebook
- Privacy Policy
- About EPIC
- Donate to EPIC
- Subscription Information

[1] EPIC Files Appeal for NSA Network Surveillance Policy

EPIC filed an administrative appeal on November 24, 2009 with the National Security Agency (NSA) over an ongoing Freedom of Information Act (FOIA) request regarding national cybersecurity policy. EPIC has requested a copy of National Security Presidential Directive 54 (NSPD 54) from the agency. The Directive is a secret order issued by President Bush in January 2008 restructuring the federal government's approach to cybersecurity.

According to reports, the document established the Comprehensive National Cybersecurity Initiative and greatly increased the NSA's authority over security for both government and commercial networks. In March 2009, the head of the Department of Homeland Security National Cybersecurity Center resigned because he felt that he was unable to do his job with the level of authority and influence that the NSA has over his now-former office.

EPIC has requested the text of NSPD 54, the full text of any executing protocols of the Cybersecurity Initiative, and any privacy policies and contracts for information shared with third parties related to either the Directive or the Initiative. The NSA has twice failed to effectively respond to EPIC's request. Most recently, the agency notified EPIC that it had located NSPD 54 and two other documents responsive to EPIC's request, but failed to provide copies of any of them.

Instead, the agency withheld the Directive and referred the request to the National Security Council, which is not subject to the FOIA. The agency withheld the other two documents by asserting a number of vague exemptions. EPIC has appealed these withholdings as improper violations of the Act, as well as violations of President Obama's FOIA guidelines, which require federal agencies to operate under a "presumption of disclosure." Once the agency has received EPIC's appeal, it must respond within 10 working days.

NSPD 54 is of particular concern to policy makers because it creates a secret and largely unaccountable framework for cyber security. EPIC has argued that it is vitally important that the policy be made public.

EPIC: Administrative Appeal:

White House: Policy on Open Government:

Department of Justice: FOIA Guidelines Memo:

EPIC: Open Government:

[2] EPIC Files Lawsuit Regarding Passport Record Breaches

On November 24, 2009, EPIC filed a Freedom of Information Act (FOIA) lawsuit against the United States Department of State. The lawsuit arose from a 2008 FOIA request EPIC submitted to the Office of the Inspector General for its full, unredacted report regarding several high profile 2008 passport records breaches.

In the period leading up to the 2008 elections, there were numerous reports that private contractors working for the State Department snooped through the passport files of Presidential candidates, celebrities, and others. The victims included Senators Hillary Clinton, Barack Obama, and John McCain.

In July 2008, the Department of State's Office of Inspector General (OIG) released a heavily redacted report prompted by the highly publicized breaches. The internal watchdog of the State Department "found many [institutional] control weaknesses relating to the prevention and detection of unauthorized access to passport and applicant information" and the subsequent disciplinary response.

The report, however, was highly redacted. In fact, only 6 of 22 recommendations were not completely redacted. The OIG used vague language, like "consider", "determine the feasibility of", and "evaluate" to recommend that the State Department implement comprehensive strategies to address those weaknesses. The report also recommended assessments of existing security controls, the provision of in-house breach notification, and the extension of authorized access policies to other agencies. In a limited review of 150 high-profile people's passport files, the report found that 127 of 150 prominent figures' files were accessed at least once; 42 files were viewed at least 26 times.

In response to these redactions, EPIC filed a July 10, 2008 FOIA request for the complete, unredacted report. The Department of State denied EPIC's request. When EPIC filed an appeal to challenge this determination, the agency failed to respond. After exhausting all administrative remedies, EPIC filed suit in Federal District Court.

EPIC's complaint:

EPIC's Senate Testimony on Passport Breaches:

EPIC: Passport Privacy:

State Department's Office of the Inspector General Recommendations:

[3] EPIC, Coalition, and Experts Champion Privacy for Smart Grid Data

EPIC, members of the Privacy Coalition, and privacy and security experts urged a federal agency to establish Smart Grid safeguards that protect consumer electricity usage information from unauthorized collection, use, disclosure, or sale. The National Institute of Standards and Technology, which is the federal agency taking comments, requested comments on a report it produced addressing Smart Grid cyber security. The report also addressed Smart Grid and privacy and contained a privacy impact assessment.

EPIC's comment argued that Smart Grid networks, which uniquely identify individual devices and appliances, create new privacy risks and could reveal intimate details of home life. For instance, misuse of Smart Grid data could lead to new forms of identity theft. The proposed ability of the Smart Grid to coordinate power supply in real time could reveal intimate, personal details about consumers' lives, such as their medical needs, interactions with others, and personal habits.

Smart Grid data also presents the possibility of physical danger to consumers, as criminals, domestic abusers, or stalkers could use the data to monitor and spy on consumers. Finally, Smart Grid data can be misused by both authorized and unauthorized parties. For instance, authorized parties may misuse the data by mining it for sensitive information.

EPIC recommended that policies be established to safeguard consumer privacy, including limitations on data collection, enforceable privacy practices, new security standards, and independent oversight. EPIC urged NIST to closely mirror fair information practices that have long been established both in the United States and internationally, and to abandon the "notice and consent" model of privacy protection. EPIC also argued for an independent privacy oversight office. Finally, EPIC urged NIST to verify techniques for the anonymization of data and to establish robust cryptographic standards.

EPIC Comments:

EPIC: Smart Grid and Privacy:

Privacy Coalition:

National Institute of Standards and Technology:

[4] European Countries Approve Sweeping Communications, Privacy Reform

On November 24, the European Parliament established new Internet policies, including a right to Internet access, net neutrality obligations, and stronger consumer protections. EU citizens will benefit from these reforms, which will enhance competition in Europe's telecoms markets, improve internet coverage throughout Europe, and strengthen the right to privacy with respect to telecoms operators. EU's Telecoms Commissioner Viviane Reding remarked, "a true single market for Europe's telecoms operators and consumers is now within reach."

In a press release, Reding identified the twelve most prominent reforms in the EU Telecoms Reform package. Most of the twelve listed reforms focus on transparency and consumer protections. These reforms include provisions that require better consumer information in consumer contracts and protecting consumers against personal data breaches.

Under the ePrivacy directive, communications service providers will also be required to notify consumers of security breaches, persistent identifiers ("cookies") will become opt-in, there will be enhanced penalties for spammers, and national data protection agencies will receive new enforcement powers.

The amended directive takes effect with publication on December 18 in the EU Official Journal. Member states then have 18 months to transpose the Directive into national law. The new reforms also require that a European Body of Telecoms Regulators be established by spring of 2010.

EPIC Privacy Law Sourcebook:

Europe's Information Society: Reforming the Current Telecom Rules:

Press Release: 12 Most Prominent EU Telecoms Reforms:

Amended ePrivacy Directive:

[5] EPIC Complaint Prompts Defense Department to Drop Spyware Product

Documents obtained by EPIC, pursuant to a Freedom of Information Act (FOIA) request, revealed the Defense Department canceled a contract with a parental control software company due to privacy concerns. In October 2009, the Army and Air Force Exchange Service (AAFES) agreed to provide for sale to military families "My Military Sentry," a software product sold by Echometrix. My Military Sentry is parental control software that monitors the activity of military children online. Echometrix also analyzes the information collected from children and sells the data to third parties for market-intelligence research.

Following a complaint to the Federal Trade Commission earlier this year about privacy concerns with Echometrix products, EPIC filed a FOIA request with the Department of Defense for contracts and correspondence between the AAFES and Echometrix relating to My Military Sentry. The agency provided to EPIC a six-page contract and sixty-five pages of e-mail correspondence.

According to the documents obtained by EPIC, the AAFES expressed concern about Echometrix's information collection practices. In one email, the AAFES stated, "I was forwarded the attached complaint submitted to the [Federal Trade Commission] by EPIC. It is very unfortunate that you did not inform me of this issue. Our customer's privacy and security is very important to us, and we trust our Mall Partners to maintain the security of our customers." Echometrix responded that "there is no matter with the [Federal Trade Commission] to resolve."

The AAFES had established a strong privacy policy for military families that purchase products through the Online Mall, managed by the Defense Department office. The privacy policy states that use of customer information is prohibited "except to provide quality service." Documents obtained by EPIC revealed that after a phone call with the Echometrix Chief Executive Officer to discuss the company's information collection practices, the AAFES decided to remove the Echometrix product from its website.

In a final email to Echometrix, an AAFES manager explained: "The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited … Giving our customers the ability to opt out does not address this issue."

The Federal Trade Commission complaint cited in the AAFES email was filed by EPIC on September 25, 2009. The EPIC complaint alleged that Echometrix violated the Children's Online Privacy Protection Act and the Federal Trade Commission Act by collecting information from children through its Sentry Parental Controls products and selling the data to third parties for market-intelligence research purposes. The Commission has not yet responded to the complaint.

EPIC: In re Echometrix:

EPIC FTC Complaint:

EPIC FOIA Request:

Excerpts from FOIA Documents Sent by AAFES:

[6] News in Brief

DHS Announces "Global Entry" Biometric Identification

The Department of Homeland Security proposed this week to make permanent Global Entry, a program the agency says will "streamline the international arrivals and admission process at airports for trusted travelers through biometric identification." Under the proposed system, pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. The DHS announcement follows the recent news that Clear, a Registered Traveler program administered through the Transportation Security Administration, had entered bankruptcy, raising questions about the possible sale of the biometric database that was created. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for Registered Traveler programs would jeopardize air traveler privacy and security. The agency is taking comments on the proposal.

Global Entry

DHS Press Release

Federal Register: Proposed Rule

EPIC: Biometrics

EPIC: Air Travel Privacy

ENISA Report Examines Cloud Computing and Privacy

The European Network and Information Security Agency has released a new report on Cloud Computing. The ENISA report recommends that European officials determine the application of data protection laws to cloud computing services. The report also considers whether personal data may be transferred to countries lacking adequate privacy protection, whether customers should be notified of data breaches, and rules concerning law enforcement access to private data. Earlier this year, EPIC filed a complaint with the Federal Trade Commission, urging the Commission to examine the adequacy of privacy safeguards for cloud computing services. A subsequent letter by computer researchers, addressed to Google Chief Executive Officer, Eric Schmidt, raised similar concerns.

ENISA Report:

EPIC: Cloud Computing:

EPIC: Cloud Computing & Google:

Letter to Google:

European Network and Information Security Agency:

EPIC Prepares for Annual Privacy Coalition Meeting

The 15th Privacy Coalition annual meeting will be held January 21, 2010 in Washington, D.C. Speakers confirmed so far include Alex Joel (Civil Liberties Protection Officer, Office of the Director of National Intelligence), and Nancy Libin (Chief Privacy Officer, United States Department of Justice). Many more speakers and attendees are in the works and will be announced as the event draws nearer. Contact Lillie Coney at for more information.

Privacy Coalition:

Office of the Director of National Intelligence:

United States Department of Justice:

Congressional Research Service Reports on Advertising in Digital Age

The Congressional Research Service issued a report discussing the advertising industry in the digital age. The report is in response to the shifting structure of the advertising market from print, television, and radio advertising to online advertising. Lawmakers are now forced to consider how to update advertising laws in this Internet age, "without stifling growth or unduly hurting media outlets dependent on advertising revenue." The report identifies behavioral advertising as one of the main concerns of consumers with respect to digital advertising. Representative Boucher plans to address this concern by introducing legislation that would impose stricter online privacy standards on advertisers. The advertising industry, however, is opposed to such regulation, arguing that the industry should remain self-regulated. Whatever the outcome of pending regulatory and legislative initiatives, the report concludes "consumers must figure out how to determine the value and veracity of advertising and media, as regulators determine how to craft a workable oversight system [in the digital world]."

CRS Report on Advertising in the Digital Age:

EPIC: Deep Packet Inspection and Privacy:

EPIC: Google/DoubleClick Merger:

Facebook to Change Privacy Controls, Issues Still Remain

Facebook CEO Mark Zuckerberg announced a number of changes to the social networking site's privacy controls. The company will eliminate regional networks, online communities for a school, workplace, or geographical area. The company will also add settings for users to decide who can see individual content that is created or uploaded. Further, in an effort to simplify the privacy settings page, many of the settings will now be combined. Facebook will prompt users to review and update their privacy settings in the coming weeks, suggesting privacy settings based on a user's current settings. One main concern with this process is that when Facebook removes the network based privacy option, users may automatically be opted in to disclosure by having their privacy settings default to "everyone", rather than having a default with the highest privacy settings.

EPIC, Quoted in TechNewsWorld Article on Facebook Privacy Settings:

Open Letter from Mark Zuckerberg:

EPIC: Facebook Privacy:

Federal Trade Commission to Host First Privacy Roundtable

On December 7, the Federal Trade Commission will host the first of three privacy roundtables on consumer privacy. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include privacy and technology experts, including EPIC president Marc Rotenberg. The meetings are open and public comments are encouraged. EPIC has supported the FTC's privacy mission, but has also said that the agency needs to do more to safeguard consumer privacy.

FTC: Exploring Privacy: A Roundtables Series:

FTC Invitation to Comment:

EPIC Letter to Senate Commerce Committee: FTC Reauthorization Hearing:


Senate Judiciary Committee Holds DHS Oversight Hearing

The Senate Judiciary Committee will hold a full committee hearing this week to consider the activities of the Department of Homeland Security (DHS). Committee Chairman Patrick Leahy (D-Vt.) has called for an oversight hearing, in which Department of Homeland Security Secretary Janet Napolitano will testify before the Committee. This will be Secretary Napolitano's second time appearing before the Committee since assuming the role earlier this year. In a letter to a House oversight committee, EPIC and members of the Privacy Coalition said that the DHS Privacy Office is failing to safeguard the privacy rights of Americans and cited the Fusion Center program, Whole Body Imaging, CCTV systems, and the ineffective enforcement of Privacy Act safeguards. EPIC has asked Congress to consider alternative means of oversight for the agency.

EPIC: DHS and Privacy:

EPIC's Letter to the DHS Chief Privacy Officer:

Senate Judiciary Committee: DHS Oversight Hearing and Webcast:

Leahy To Chair Department Of Homeland Security Oversight Hearing:

[7] EPIC Bookstore: "Googled: The End of the World As We Know It"
"Google takes seriously its motto, 'Don't be evil.' But because we're dealing with humans not algorithms, intent sometimes matters less than effect."

In "Googled: The End of the World As We Know It", Ken Auletta chronicles the ascension of Google as a new media company and its transformative effect on the way people live and work. Culling stories from more than two years of interviews and access to closed-door meetings, Auletta reports on the innovative philosophy and pioneering engineers that have spurred the creation of a wide variety of successful products.

However, as Auletta explains, the same strengths that have allowed Google to become a dominant new media force are also a source of weakness. Google's singular strength lies in its unrivaled mountains of data culled from web searches and other user data. Google's cofounders "often say that their ideal is to have so much information about their users that Google can devise an algorithm that provides a single perfect answer" to search queries. However, that strength leaves Google vulnerable to other challenges: "Google depends for its continued success on users and governments that trust it will not abuse this knowledge."

Auletta reports that one reason users and governments may distrust Google's use of data derives from Google's flippant attitude towards privacy. In a chapter entitled "Waking the Government Bear," Auletta explains how the Center for Digital Democracy and EPIC helped catalyze government inquiry into Google's activities, specifically its proposed merger with online advertising giant DoubleClick.

Auletta examines both sides of the Google privacy debate: from the privacy advocate's perspective, "the central question should not be, 'Is Google invading people's privacy?' Rather it should be, 'Why does Google need to collect all of this information?'" From Google's perspective, many privacy concerns are "irrational fears that all of a sudden [Google would] do evil things."

Although Auletta does not editorialize regarding Google's privacy issues, he argues that privacy is one of the many obstacles that Google will have to avoid in order to continue "surfing a huge wave that seems not to have crested." Only by protecting users' privacy and otherwise maintaining its "deposit of public trust" can Google continue to be a "company that has swept so swiftly across the media horizon."

--Matthew Phillips

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

[8] Upcoming Conferences and Events

Law in Cyberspace: Legal Blogging & the Courts, Northwestern School of Law, Chicago, IL, 4th Annual Judicial Symposium on Civil Justice Issues, December 7, 2009. For more information:

FTC Privacy Roundtable: Exploring Existing Regulatory Frameworks, FTC Conference Center, Washington, DC, December 7, 2009. For more information:

"Reconceptualizing the FTC's Understanding of Privacy", Willard Hotel Washington, DC, IAPP Conference, December 8, 2009. For more information:

Annual Privacy Coalition meeting, EPIC, Washington, DC, January 21-23, 2010. For more information:

"Reader Privacy: Should Library Standards Apply Online?," University of North Carolina, Chapel Hill, January 22, 2010.

Data Privacy Day, January 28, 2010. For more information:

"Computers, Privacy, and Data Protection: An Element of Choice," Brussels, Belgium, January 29-30, 2010. For more information:

RSA 2010, San Francisco, March 1-5, 2010. For more information:

Association for Practical and Professional Ethics, Cincinnati, March 5, 2010. For more information:

Privacy 2010, Stanford, March 23 - 25, 2010. For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

END EPIC Alert 16.23

