EPIC Alert 16.24
E P I C A l e r tVolume 16.24 December 18, 2009
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/epic_alert_1624.html
"Defend Privacy. Support EPIC." http://epic.org/donate
Table of Contents
[1] EPIC Files Facebook Privacy Complaint with Trade Commission
[2] EPIC Files Suit Against DOJ About Whole Body Imaging Documents
[3] EPIC Supports Privacy Safeguards for Genetic Information
[4] Google Expands Control of Internet Architecture
[5] Supreme Court Grants Cert in Workplace Privacy Case
[6] News in Brief
[7] EPIC Bookstore: "Change of State: Information, Policy, and Power"
[8] Upcoming Conferences and Events - Join EPIC on Facebook http://facebook.com/epicprivacy - Privacy Policy - About EPIC - Donate to EPIC http://epic.org/donate - Subscription Information
[1] EPIC Files Facebook Privacy Complaint with Trade Commission
The Electronic Privacy Information Center (EPIC), joined by nine privacy and consumer organizations, filed a complaint with the Federal Trade Commission (FTC) charging that Facebook’s recent changes to user privacy settings violate federal consumer protection law.
The EPIC complaint urges the Trade Commission to open an investigation into the recent changes made by Facebook to the privacy settings of Facebook users and to require Facebook to restore privacy safeguards.
On November 19 and December 9, Facebook changed key privacy settings and required Facebook users to go through a "transition tool" before they could obtain access to their accounts.
According to the EPIC complaint, far more user information became publicly available as result of this change. EPIC also said that more personal information will become available to third party application developers as a result of the changes to the privacy settings.
The EPIC complaint cites widespread opposition to the changes by Facebook users, news organizations, bloggers, and security experts. Ed Felten, a security expert and Princeton University professor, wrote, "As a user myself, I was pretty unhappy about the recently changed privacy control. I felt that Facebook was trying to trick me into loosening controls on my information." Danny Sullivan, the editor of Search Engine Land and an expert in search engine design, wrote on his blog, "I was disturbed to discover things I previously had as options were no longer in my control."
The EPIC complaint also cites the creation of new Facebook user groups, such as "Against The New Facebook Privacy Settings!" and "Facebook! Fix the Privacy Settings."
Among the organizations supporting the EPIC complaint are the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coalition, the Privacy Rights Clearinghouse, and the U. S. Bill of Rights Foundation.
Previous EPIC complaints to the FTC have led to the largest judgment in the Commission’s history, substantial changes to online authentication techniques, and the recent decision of the Department of Defense to stop selling a spyware program to military families.
EPIC’s Complaint: "In re Facebook," filed December 17, 2009: http://www.epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf
Background on EPIC Complaint: "In re Facebook": http://www.epic.org/privacy/inrefacebook
EPIC: Facebook and Privacy: http://epic.org/privacy/facebook/
FTC: "ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress" http://www.ftc.gov/opa/2006/01/choicepoint.shtm
FTC: "Microsoft Settles FTC Charges Alleging False Security and Privacy Promises": http://www.ftc.gov/opa/2002/08/microsoft.shtm
[2] EPIC Files Suit Against DOJ About Whole Body Imaging Documents
On December 17, 2009, EPIC filed a Freedom of Information Act (FOIA)lawsuit against the United States Department of Justice. The lawsuit arose from a July 2009 FOIA request EPIC submitted to the United States Marshals Service (USMS), a component of the DOJ, for records of Whole Body Imaging.
Whole body imaging technology was originally introduced in 2007, when the Transportation Security Administration (TSA), a component of Department of Homeland Security, began testing the imaging technology to screen travelers. These machines produced detailed, three-dimensional images of individuals' naked bodies and are being used at airport security checkpoints, court houses, and correctional facilities.
While TSA originally provided assurances that the technology would not be mandatory for passengers and would include a privacy algorithm that blurred faces, the agency later withdrew these assurances. In April 2009, the agency announced plans to expand the mandatory use of body imaging to all U.S. Airports. This means that Whole Body Imaging devices will replace metal detectors at the primary screening devices in US airports. As a consequence, the TSA could obtain naked pictures of every airline passenger, including children, who travel from a US airport.
In response to TSA's expansion of the program, the U.S. House of Representatives passed H.R. 2200, a bill that would limit the use of whole body imaging systems at airports. The measure is still pending in the Senate.
TSA's website also states that the machines are being used in U.S. Federal Courts, including at least one court in Virginia. The USMS, which is responsible for coordinating "the installation of complex electronic security systems to protect federal judges, courthouse staff members and the physical court facilities," would be in control of these Whole Body Imaging machines. In light of this, EPIC submitted a FOIA request to the USMS for documents related to the Whole Body Imaging machines, including the images that the machines capture, the contracts with the manufacturer of the machines, and information about technical specifications and training materials.
The USMS replied to EPIC's request, stating that it had searched USMS headquarters - but not the Virginia court(s) where the machines are housed. In response, EPIC filed suit, arguing that the USMS had not performed a sufficient search and should find, and disclose, the documents.
EPIC's Complaint: http://epic.org/foia/DOJ_USMS_Complaint.pdf
EPIC: Whole Body Imaging: http://epic.org/privacy/airtravel/backscatter/
TSA: Whole Body Imaging: http://www.tsa.gov/approach/tech/imaging_technology.shtm
H.R. 2200: http://www.epic.org/redirect/112209hr2200.html
Privacy Coalition Letter Regarding Whole Body Imaging: http://www.epic.org/redirect/112209dhswbiletter.html
DHS Response to Privacy Coalition Letter: http://privacycoalition.org/dhs-reply-wbi_ltr.pdf
[3] EPIC Supports Privacy Safeguards for Genetic Information
EPIC filed comments with the Department of Health and Human Services (HHS), advising the federal agency to strengthen the requirements for classifying data as "de-identified" under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. EPIC's comment focuses on the risks of re-identification of information when de-identification techniques are not adequate.
HHS proposed a rule that would clarify HIPAA and the Genetic Information Nondiscrimination Act, by providing that genetic information is "health information" and prohibiting the use of such information for underwriting purposes or other discriminatory purposes. Group health plans and issuers would no longer be allowed to increase premiums, deny enrollment, or impose pre-existing condition exclusions based on the results of an enrollee's genetic information. The rule, according to HHS Secretary, will increase "[c]onsumer confidence in genetic testing[, which] can now grow and help researchers get a better handle on the genetic basis of diseases."
EPIC supports this proposed regulation but warned that HIPAA's safe harbor provision for de-identified data could undercut privacy safeguards unless the techniques were shown to be "robust, scalable, transparent, and provable." The Privacy Rule currently exempts de-identified health information from the rules governing the uses and disclosure of protected health information, or individually identifiable health information.
HIPAA's standard for de-identification affords HIPAA-covered entities wide discretion in determining whether health information is identifiable and therefore subject to HIPAA privacy obligations. According to EPIC's comment, granting such authority poses many concerns, namely because de-identified data is only anonymous to the extent that outside information is not obtained which would allow individuals to be linked to that record.
EPIC's Comment: http://www.epic.org/redirect/121709epicscomment.html
HHS News Release: http://www.hhs.gov/news/press/2009pres/10/20091001b.html
HIPAA Privacy Rule: http://www.epic.org/redirect/121609hippaprivrule.html
HHS Interim Final Rule: http://www.epic.org/redirect/121609/interimrule.html
Genetic Information Nondiscrimination Act: http://www.epic.org/redirect/121609GINA.html
[4] Google Expands Control of Internet Architecture
Google announced Google Public DNS on December 8, a new service which would allow users to use Google's servers as a sort of "phonebook" for internet addresses, instead of the servers provided by their internet service provider. The internet phonebook is a system called the Domain Name System, or DNS. When users access the internet, all requests for website addresses pass through this system.
For example, when a user types "www.epic.org" in the address bar of their browser, the computer must send that request to a DNS server, which will return the IP address that identifies the server hosting the requested address (e.g. http://66.39.35.141/). By default, most user's computers are configured to use the DNS servers provided by their Internet Service Provider. These requests would normally pass through these servers. Instead, those who have configured their computer to use Google's new DNS service will send their request to Google's servers.
Google joins at least two other companies offering free DNS alternatives, although Google is the first of these companies to also have so many other services in various layers of the internet architecture. By tradition, DNS is a distributed function, subject to an open standard-setting process and part of the generally distributed nature of the internet. A new authentication standard is in the works, called the Domain Name System Security Extensions (DNSSEC). Google's DNS service does not use the new authentication standard, but instead uses a proprietary security method.
Google Public DNS: http://code.google.com/speed/public-dns/
Google Public DNS Announcement: http://www.epic.org/redirect/121609googlednsannounce.html
DNSSEC Official Site: http://www.dnssec.net/
EPIC: DNSSEC: http://epic.org/privacy/dnssec/
[5] Supreme Court Grants Cert in Workplace Privacy Case
The Supreme Court agreed to decide whether government employees have a constitutional right to keep text messages private. The case, City of Ontario v. Quon, is the most important privacy case that the Court has agreed to hear this term.
The basic issue, whether government employees have a constitutional right to keep text messages private, will hinge on whether employees have a "reasonable expectation of privacy" when they text while at work. The Court will also examine whether government workers' rights are less extensive if they use government-owned pagers. There are special constitutional rules for public employees. The Supreme Court has previously recognized some workplace privacy for public employees, but warned that government workers' privacy rights aren't absolute.
The case involves Ontario city officials who reviewed text messages sent by a SWAT team member to his mistress, and also messages he sent to his wife. Official police policy states that officers have no privacy in text messages. However, there was an informal policy of not examining officers' messages as long as they didn't abuse the privilege.
The Ninth Circuit held that users of text messaging services ordinarily have a constitutional expectation of privacy in the contents of their text messages. It held that the police department's informal policy of not examining officer's text messages made the officer's expectation of privacy in those messages reasonable. But, the court did not make clear whether the department's policies are relevant only because of the special constitutional rules for public employees.
The lower court's decision provides strong protections for workplace privacy. EPIC believes it is important for people to be able to keep their personal lives private, even while at work. Quon also raises interesting issues for people who send texts to government employees - it's critical that their privacy be respected too.
Supreme Court order agreeing to hear the case: http://www.supremecourtus.gov/orders/courtorders/121409zor.pdf
Ninth Circuit opinion: http://www.epic.org/redirect/121609ninthciropinion.html
EPIC: Workplace Privacy: http://epic.org/privacy/workplace/default.html
[6] News in Brief
EPIC's Lillie Coney Appointed to Election Advisory Committee
House Speaker Nancy Pelosi appointed EPIC Associate Director and leading election reform advocate, Lillie Coney to the Election Assistance Commission (EAC) Board of Advisors. EAC is an independent, bipartisan commission charged with developing guidance to meet Help America Vote Act requirements, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information about election administration. The EAC also accredits testing laboratories and certifies voting systems, as well as audits the use of HAVA funds. Ms. Coney leads EPIC’s voting project and has worked on developing voting technology standards, statewide-centralized voter registration systems with privacy safeguards, and voter identification policy.
EPIC: Lillie Coney:
http://epic.org/epic/lillie_coney.html/
EPIC Voting Privacy Page:
http://epic.org/privacy/voting/
White House Releases Open Government Directive
The White House announced a new Directive to promote transparency, collaboration, and accountability across the federal government. The Directive builds on President Obama's Open Government Memo, issued in January 2009. The Directive will establish benchmarks, and require agencies to create new websites and plans to promote transparency. Competitions are also planned. EPIC submitted comments on the Directive, calling for both stronger privacy safeguards and greater transparency.
EPIC: Open Government: http://epic.org/privacy/litigation/
White House: http://www.whitehouse.gov/
White House Blog Announcement: http://www.epic.org/redirect/121609whitehouseblog.html
Text of Open Government Directive: http://www.epic.org/redirect/121609opengovtdirective.html
President Obama's Open Government Memo: http://www.epic.org/redirect/121609opengovtmemo.html
EPIC: Comment: http://opengov.ideascale.com/akira/pmd/6537-4049
Media Shield Law Moves Forward in Senate The Free Flow of Information
Act of 2009 was passed by the Senate Judiciary Committee with a vote of 14-5 and has been sent to the full Senate for a vote. The bill will make it more difficult to compel journalists to disclose information, including the identities of their sources, by requiring the government or other party requesting disclosure to demonstrate that the information sought is "essential" to a case and that all reasonable alternatives have been exhausted before a judge will consider ordering disclosure. A version of the bill was passed by the House earlier this year.
Free Flow of Information Act of 2009: http://thomas.loc.gov/cgi-bin/query/z?c111:S.+448:
Senate Judiciary Committee Press Release: http://leahy.senate.gov/press/200912/121009a.html
House Version of the Bill: http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.+985:
EPIC: Privileges: http://epic.org/privacy/privileges/
House Passes Data Breach Bill
On December 11, legislators in the House of Representatives passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain.
House: Text of the Data Accountability and Trust Act: http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.2221:
Senate: Text of the Personal Data Privacy and Security Act of 2009: http://thomas.loc.gov/cgi-bin/query/z?c111:S.1490:
EPIC: Marc Rotenberg's Testimony: http://epic.org/linkedfiles/rotenberg_house_ctcp2221_1319.pdf
EPIC: Identity Theft: http://epic.org/privacy/idtheft
FTC Considers Emerging Privacy Concerns at First Privacy Roundtable
The Federal Trade Commission held the first of three privacy roundtables this week in Washington, DC. The well-attended event featured privacy and security experts from around the country, with each panel consisting of at least one industry representative and one privacy advocate. The failure of the current notice and choice model, the need to regulate behavioral targeting, concerns about government access to data, and the high privacy expectations of consumers were among recurring topics throughout the day. EPIC's Marc Rotenberg said it was important for the Commission to focus on emerging business practices and the impact on consumer privacy. The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law. The FTC welcomes comments from the public in advance of the roundtable.
FTC: Privacy Roundtables: http://www.ftc.gov/bcp/workshops/privacyroundtables/
FTC: Privacy Roundtables Agenda: http://www.epic.org/redirect/121609ftcprivrdtblagenda.html
Data Privacy Day: http://dataprivacyday2010.org/
FTC: Comment Submission: http://www.ftc.gov/bcp/workshops/privacyroundtables/#comment
[7] EPIC Bookstore: "Change of State: Information, Policy, and Power"
To purchase: http://www.epic.org/redirect/121609amazonbook.html
Sandra Braman's new book posits the end of the bureaucratic welfare state in America and its replacement with what Braman terms the "informational state." In a comprehensive approach to the this new state, she explains that, because information is the key to power in modern society, information policy now governs the overall power structure. Braman carefully and deliberately lays out the analysis, and then argues that this shift negatively affects society.
Braman spends a good portion of the work describing the scope of informational policy, first detailing a history of information policy and its precursors from the time of the American Revolution to the present, then outlining the current scope from the political and social perspectives in addition to that of the individual. Once she has defined the boundaries of what she means by "information policy," Braman discusses twenty different constitutional principles and how they affect the areas within these boundaries. She identifies these principles as explicit in the text, explicit in the amendments, and implicit in the "penumbra," and includes such principles as Due Process, Privacy, Open Government, and the Right to Receive Information.
After establishing her constitutional basis, Braman moves into her argument: that the changes in the information state harm society. She makes this argument from four perspectives: Identity, Structure, Borders, and Change. As a matter of Identity, Braman highlights the ways that the government and corporate entities have become collectors of personal information, making it difficult for individuals and groups to maintain their own identities. Structurally, Braman argues that the increasing complexity of information policy makes it difficult to effectively regulate. From the Border perspective, the author discusses informational borders, rather than physical ones, blocking transfer of information through social and technological means. Finally, Braman presents her perspective on Information Policy and Change, arguing that regulations of information hinder social progress and limit constitutional freedoms.
Braman closes her work with a return to the constitutional principles outlined at the outset and answers several questions that she has posed over the course of the text. The piece provides a very intense analysis on the past several years of information policy, and is an excellent choice for those wishing to further study the concept.
--Jared Kaprove
EPIC Publications:
"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
http://epic.org/bookstore/foia2008/
Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
EPIC Bookstore
http://www.epic.org/bookstore
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at: https:/mailman.epic.org/mailman/listinfo/foia_notes
[8] Upcoming Conferences and Events
Annual Privacy Coalition meeting, EPIC, Washington, DC, January 21-23, 2010. For more information: http://www.theprivacycoalition.org
"Reader Privacy: Should Library Standards Apply Online?," University of North Carolina, Chapel Hill, January 22, 2010.
Data Privacy Day, January 28, 2010.
For more information:
http://www.thepublicvoice.org
FTC Privacy Roundtable: Exploring Privacy, A Roundtable Series,
University of California, Berkeley, School of Law, Booth Auditorium,
Boalt Hall, Berkeley, CA, January 28, 2010.
For more information:
http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml
"Computers, Privacy, and Data Protection: An Element of Choice,"
Brussels, Belgium, January 29-30, 2010.
For more information:
http://www.cpdpconferences.org/
RSA 2010, San Francisco, March 1-5, 2010.
For more information:
http://www.rsaconference.com/2010/usa/
Association for Practical and Professional Ethics, Cincinnati,
March 5, 2010.
For more information:
http://www.indiana.edu/~appe/annualmeeting.html
Privacy 2010, Stanford, March 23 - 25, 2010.
For more information:
http://codex.stanford.edu/privacy2010
Join EPIC on Facebook
Join the Electronic Privacy Information Center on Facebook
http://facebook.com/epicprivacy
Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.
Privacy Policy
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
About EPIC
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
Subscription Information
Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news
Back issues are available at:
http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
END EPIC Alert 16.24
.