E P I C A l e r t
"Defend Privacy. Support EPIC." http://epic.org/donate
On February 18, 2009, hours before EPIC planned to file a complaint with federal regulators regarding changes to Facebook's Terms of Service, the social network service restored the original policy. Facebook also committed to a more transparent, participatory process regarding future changes to its Terms of Service, a process that "reflect[s] the principles and values of the people using the service." "Facebook users will have a lot of input in crafting these terms," the company promised.
The modified Terms of Service were announced on February 4, were widely criticized, and were to be the subject of the EPIC Federal Trade Commission complaint. EPIC observed that the modified Terms of Service included several material changes, which adversely impacted Facebook customers, eviscerated widely recognized privacy rights, and unilaterally and retroactively transferred control of user generated content to Facebook. These modifications were made without any meaningful notice to Facebook users. EPIC noted that the unilateral transfer of rights to Facebook was an unfair and deceptive business practice. Facebook users observed that, under the revised policies, Facebook asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The EPIC complaint was supported by more than a dozen consumer and privacy organizations.
Facebook's original Terms of Service stated "[w]hen you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site." The original Terms also promised "[y]ou may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted [to Facebook] will automatically expire..." These clauses allow Facebook to make use of user-generated information in a manner that is consistent with typical privacy laws, which permit the business use of customer data for purposes that are necessary or incident to the provision of the service.
Facebook's modified Terms of Service removed language regarding deletion of users' content from Facebook and the expiration of Facebook's right to use such content. The modified terms also omitted the provision limiting Facebook's use of user data to activities incident to providing the service. The modified terms permitted Facebook to utilize users' personal information for any purpose – including explicitly the commercialization and monetization of Facebook users' names and likenesses – for Facebook's benefit. Facebook's modified Terms of Service asserted greater rights to user data than policies established by similar services, including MySpace, Yahoo, and Twitter.
In response to user concerns, Facebook has established a new Group Facebook Bill of Rights and Responsibilities and is seeking comments from users. The page includes these statements from the company:
1. You own your information. Facebook does not. This includes your photos and all other content.
2. Facebook doesn't claim rights to any of your photos or other content. We need a license in order to help you share information with your friends, but we don't claim to own your information.
3. We won't use the information you share on Facebook for anything you haven't asked us to. We realize our current terms are too broad here and they make it seem like we might share information in ways you don't want, but this isn't what we're doing.
4. We will not share your information with anyone if you deactivate your account. If you've already sent a friend a message, they'll still have that message. However, when you deactivate your account, all of your photos and other content are removed.
5. We apologize for the confusion around these issues. We never intended to claim ownership over people's content even though that's what it seems like to many people. This was a mistake and we apologize for the confusion.
Previous EPIC complaints at the FTC have related to Microsoft Passport, Choicepoint, and the Google-Doubleclick merger. In 2001, EPIC's privacy complaint spurred federal regulators to investigate Microsoft's business practices, and resulted in substantial modifications to the software giant's Passport service. EPIC's 2004 complaint concerning data broker Choicepoint resulted in the biggest privacy judgment in the Commission's history. In 2007, EPIC urged the FTC to impose privacy safeguards on the Google/DoubleClick merger, supporting strong privacy protections as a condition of the deal.
EPIC's "Social Networking Privacy" page: http://epic.org/privacy/socialnet/default.html
Facebook Group – "People Against the new Terms of Service (TOS)": http://www.facebook.com/group.php?gid=77069107432
Facebook Statement Regarding Reversion to the Original Terms of Service: http://blog.facebook.com/blog.php?post=54746167130
Facebook's Terms of Service: http://www.facebook.com/terms.php
Facebook Bill of Rights and Responsibilities: http://www.facebook.com/home.php#/group.php?gid=69048030774
EPIC's Choicepoint page: http://epic.org/privacy/choicepoint/
EPIC's Microsoft Passport page: http://epic.org/privacy/consumer/microsoft/passport.html
EPIC's page concerning the Google-Doubleclick merger: http://epic.org/privacy/ftc/google/
EPIC's Group Page on Facebook: http://epic.org/facebook
On February 13, 2009, the federal court of Appeals for the District of Columbia upheld telephone privacy regulations that require phone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. At issue was an April 2, 2007 Federal Communications Commission order that protects consumers' telephone record information. The National Cable & Telecommunications Association challenged the privacy rule, claiming that companies have a free speech interest in disclosing their customers' personal information without their opt-in consent. The industry group asked the court to invalidate federal regulators' opt-in requirement, and replace it with an opt-out regime, which provides less protection for customers' privacy.
EPIC filed a "friend of the court" brief in the case urging support for opt-in safeguards for telephone customers. The EPIC brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the EPIC brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers."
The federal appellate court ruled that the privacy regulations advance a substantial government interest, and do not violate telephone companies' free speech rights. The opinion recognizes that "the government has a substantial interest in protecting the privacy of customer information and that requiring customer approval advances that interest." "The privacy of customer information cannot be preserved unless there are restrictions on the carrier's disclosure of it," the Court wrote. "The carrier's sharing of customer information with a joint venturer or an independent contractor without the customer's consent is itself an invasion of the customer's privacy."
The Opinion recognizes EPIC's critical role in spurring adoption of the privacy rules at issue in the case. In August 2005, EPIC filed a petition urging the FCC to require security measures to protect access to consumers' personal telephone information from pretexters and other unauthorized parties. On July 9, 2007, EPIC filed detailed comments asking the FCC to implement additional safeguards for consumer telecommunications data. EPIC's proposals included encryption of sensitive data, the implementation of audit trails, and limitations on data retention.
The FCC rule prohibits companies from sharing "customer proprietary network information" with third parties without a consumer's opt-in consent. Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. EPIC has detailed the privacy violations that have resulted from unauthorized disclosure of CPNI. Such violations include pretexting, stalking, and the widespread sale of individuals' phone records on the Internet.
The Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" required that a consumer give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications industry entities supported a presumption of consent – an opt-out system. The FCC rule clarified that the law requires "opt-in consent." The National Cable and Telecommunications Association challenged the FCC rule, alleging that corporations had a First Amendment right to share CPNI with third parties for marketing purposes. Similar arguments were rejected by federal courts in Trans Union v. FTC,  USCADC 52; 245 F.3d 809 (D.C. Cir. 2001) and IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001) following an earlier decision, US West v. FCC,  USCA10 308; 182 F.3d 1224 (10th Cir. 1999) that had been widely criticized.
D.C. Circuit Court Decision Upholding Telephone Privacy Rule: http://epic.org/redirect/022309_NCTAFCC_DCCir.html
EPIC's "friend of the court" brief: http://epic.org/privacy/nctafcc/epic-ncta-050608.pdf
EPIC's NCTA v. FCC Web Page: http://epic.org/privacy/nctafcc/
EPIC's CPNI Web Page: http://epic.org/privacy/cpni/
FCC Order Regarding CPNI opt-in: http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf
EPIC's 2005 Petition to the FCC: http://www.epic.org/privacy/iei/cpnipet.html
EPIC's July 9, 2007 Comments to the FCC: http://epic.org/privacy/cpni/cpni_070607.pdf
US West v. FCC - Privacy of Phone Records: http://www.epic.org/privacy/litigation/uswest
The Federal Trade Commission released a set of voluntary guidelines in an effort to balance the "potential benefits of behavioral advertising" against privacy concerns. The new guidelines attempt to encourage privacy protections while maintaining a competitive marketplace. The report is based on the examination of tracking, targeting and advertising online.
The report stated that depending upon the circumstances, a company whose practices fell outside the Principles may still be required to implement reasonable measures to address privacy or security risks to consumer information; companies should not unilaterally alter their policies and use previously collected data in a manner materially different from the original terms; and companies should also look into the federal and state law that may apply to their business.
The staff considered the applicability of the Principles not only to the collection and use of personally identifiable information but also to non-personally identifiable information. The staff was of the opinion that in the context of online behavioral advertising, the traditional notion of what constitutes PII versus non-PII was becoming blurred and should not by itself determine the protections necessary for consumer data. The staff considered the possibility of harm through 1) linking or merging non-PII with PII; 2) technologies rendering easier identification based on information considered non-PII; 3) information becoming identifiable when combined and linked by a common identifier; 4) the delivery of advertising on a shared computer revealing private information to another user; and 5) available evidence showing consumer concern about the collection of data online regardless of PII/non-PII characterization. The staff adopted the approach to include within the Principles' scope any data collected for online behavioral advertising that could be reasonably associated with a particular person or computer.
The staff was also of the opinion that "first party" behavioral advertising was more likely to be consistent with consumer expectations and less likely to lead to consumer harm, and as such it was not necessary to include "first party" behavioral advertising practices within the scope of the Principles. The staff also agreed that stronger privacy protections were necessary in the sharing of data with third parties. Finally, the report also stated that it was not necessary for the Principles to cover contextual online advertising.
The guidelines set out four Principles: "1) transparency and consumer control; 2) reasonable security and limited data retention for consumer data; 3) affirmative express consent for material retroactive changes to privacy promises; and 4) affirmative express consent to (or prohibition against) use of sensitive data." In arriving at the Principles, the staff of the Trade Commission considered consumer expectations regarding the practices; the extent to which the practices were transparent; the potential for consumer harm; and the need to maintain vigorous competition in the online marketplace and avoid stifling innovation. The Staff also noted that some of the Principles were similar to the Commission law and policy.
With respect to transparency and consumer control, the report advocated a clear, concise, consumer-friendly, and prominent statement about collection and use of the information and a clear method of exercising the option. The staff stated that any data collected should be retained only as long as necessary to fulfill a legitimate business or law enforcement need. The report also called for an affirmative express consent for material changes to existing privacy promises. Finally, companies were cautioned to collect sensitive data for behavioral advertising only after obtaining affirmative consent from the consumer.
Although Commissioner Pamela Jones Harbour voted to release the report, she wrote a concurring statement saying that the report focused too narrowly and that she preferred that the Commission take a more comprehensive approach to privacy, and evaluate behavioral advertising within a broader context. Commissioner Jon Leibowitz added that industry needed to do a better job of meaningful, rigorous self-regulation, failing which it could invite legislation by Congress and a more regulatory approach by the Commission. The guidelines are partially in response to EPIC's 2007 complaint regarding the Google-Doubleclick merger, which raised concerns about the profiling of Internet users and the need to establish clear privacy safeguards as a condition of the merger.
FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising: http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf
FTC Staff Revises Online Behavioral Advertising Principles: http://www.ftc.gov/opa/2009/02/behavad.shtm
The Federal Trade Commission: http://www.ftc.gov/
Concurring Statement of Commissioner Pamela Jones Harbour: http://www.ftc.gov/os/2009/02/P085400behavadharbour.pdf
Concurring Statement of Commissioner Jon Leibowitz: http://www.ftc.gov/os/2009/02/P085400behavadleibowitz.pdf
EPIC's complaint regarding Google-DoubleClick merger: http://epic.org/privacy/ftc/google/epic_complaint.pdf
EPIC's page on Privacy? Proposed Google/DoubleClick Deal: http://epic.org/privacy/ftc/google/
The U.S. Department of Homeland Security Secretary announced the appointment of the department's new Chief Privacy Officer, Mary Ellen Callahan. She has been a partner in Hogan & Hartson LLP and her areas of practice have included antitrust law, consumer protection law and internet law. The Chief Privacy Officer is in charge of the DHS Privacy Office which is the first statutorily required Privacy Office at any federal agency whose goal is to maintain individual privacy while achieving objectives of the DHS.
The DHS Privacy Office operates as the overseer of Section 222 of the Homeland Security Act, the Privacy Act, the Freedom of Information Act, Executive Orders, court decisions and Department policies that protect the collection, use, and disclosure of personal and Departmental information. The Privacy Office, as part of its outreach program, holds public workshops to explore policy, law, and technology issues of privacy and homeland security. The Privacy Office also has oversight of the implementation of the Freedom of Information Act. Further, under the E-Government Act of 2002, an assessment of the privacy impact of any substantially revised or new Information Technology System is mandated. These assessments are published as Privacy Impact Assessments. The PIAs of programs such as REAL ID, Fusion Centers, Secure Flight, US VISIT and SEVIS have brought to the fore privacy issues entrenched within those programs.
The primary responsibilities of the Chief Privacy Officer include assuring that the use of technologies sustains privacy protections relating to the use, collection, and disclosure of personal information; assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices; evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; conducting a Privacy Impact Assessment of proposed rules of the DHS or that of the Department on the privacy of personal information; coordinating with the Officer for Civil Rights and Civil Liberties to ensure that (a) programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner; and (b) Congress receives appropriate reports on such programs, policies, and procedures; and preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters.
The Chief Privacy Officer also has the authority to investigate and have access to all records available to the Department that relate to programs and operations under his responsibilities; make such investigations and reports relating to the administration of the programs and operations as deemed necessary; require by subpoena the production, by any person, of all information, and documentary evidence necessary to the performance of the responsibilities; and administer to or take from any person an oath, affirmation, or affidavit, whenever necessary to the performance of the responsibilities.
The Chief Privacy Officer reports to the Secretary of the DHS and coordinates activities with the Inspector General for the DHS. The Chief Privacy Officer also submits reports directly to the Congress regarding the performance of the responsibilities and informs the Committee on Homeland Security and Government Affairs of the Senate and the Committee on Homeland Security when the Secretary disapproves, modifies or does not act on a request for subpoena.
The DHS Data Privacy and Integrity Advisory Committee has recently submitted a series of recommendations for the new DHS Privacy Office. EPIC has also made several recommendations, including the immediate termination of the DHS-funded "Fusion Centers."
Secretary Napolitano Appoints Mary Ellen Callahan as DHS Chief Privacy Officer: http://www.dhs.gov/ynews/releases/pr_1235067917533.shtm
The Department of Homeland Security: http://www.dhs.gov
DHS Privacy Office - About the Privacy Office: http://www.dhs.gov/xabout/structure/editorial_0510.shtm
The Privacy Office of the U.S. Department of Homeland Security: http://www.dhs.gov/xabout/structure/editorial_0338.shtm
Letter to DHS Secretary Janet Napolitano from Chair, DHS Privacy and Integrity Advisory Committee, Feb. 4, 2009: http://epic.org/redirect/020909_DHS_DPIAC_letter.html
EPIC's page on Fusion Centers: http://epic.org/privacy/fusion/
Rotenberg, The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=933690
On February 17, 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009. The Act contained various measures that promote strong medical privacy safeguards. The new law amends the Public Health Service Act and the Social Security Act by adding and clarifying key definitions; sets up new offices and committees for the promotion of health information technology; and assigns their powers, duties and responsibilities.
Subtitle A of the Act establishes the Office of the National Coordinator for Health Information Technology under the Department of Health and Human Services. The ONCHIT is charged with the responsibility of developing a nationwide health information technology infrastructure that allows for the electronic use and exchange of information while ensuring multiple medical privacy protections. The ONCHIT must also review and determine standards, specifications and certification criteria. Other authorities created by the Act are the HIT Policy Committee and the HIT Standards Committee. The ONCHIT is to serve as the liaison among the two Committees and the Federal Government.
A Chief Privacy Officer of the ONCHIT is also to be appointed within 12 months to advise the ONCHIT on privacy, security and data stewardship of electronic health information and coordinate with other agencies and their personnel.
The HIT Policy Committee is assigned the duty of making policy recommendations to the National Coordinator relating to the implementation of a nationwide health information technology. The HIT Standards Committee has the responsibility of recommending standards, implementation specifications and certification criteria to the National Coordinator. The Act however makes it clear that the statute does not apply to private entities or give authority to a Federal agency to require a private entity to comply unless it enters into a contract with the Federal Government to apply or use the standards and implementation specifications. The National Institute for Standards and Technology has been entrusted with the pilot testing of standards and implementation specifications to assure efficient implementation.
Sections of the bill also mandate that agencies promoting quality and efficient health care in Federal government or sponsored health care programs agree that all health care providers and similar entities utilize health information technology systems and meet the standards and specifications adopted under the bill.
Subtitle D of the statute deals with Privacy. A section defines breach and sets forth exceptions. "Business Associate" and "Covered Entity" are also defined. In case of data breaches, the covered entity is to notify every individual reasonably believed to be affected by the breach; and if a business associate of a covered entity suffers a data breach, it must inform the covered entity about every individual whose information may have been affected. The statute also assigns the Office of Civil Rights within the Department of Health and Human Services to offer guidance and education to covered entities, business associates and individuals on their rights and responsibilities to Federal privacy and security requirements.
The new law prohibits the sale of protected health information in the absence of a valid authorization. However, the law also contains exceptions for public health activities, research, treatment and sale to a business associate at the request of a covered entity under a business associate agreement. Business associates of covered entities can only obtain protected health information when under written obligation and violations are met with civil and criminal penalties. Further, marketing based on communication by a covered entity to a business associate is not deemed to be a healthcare operation.
The statute also contains a clause under which the standards governing the privacy and security of individually identifiable health information created under the Health Insurance Portability and Accountability Act remain in effect only to the extent they are consistent with the American Recovery and Reinvestment Act. The Secretary of the Department of Health and Human Services is also to amend the Federal regulations consistent with the subtitle on Privacy. Another provision of the Act designates the Secretary, in consultation with the Federal Trade Commission, to conduct a study and submit a report on privacy and security requirements for entities that are not covered entities or business associates.
The Act limits the appropriation of funds in making significant investments unless such investment would permit full and accurate electronic exchange and use of health information in a medical record with both security and privacy. Patient Privacy Rights led the campaign for strong medical privacy protection to be included in the Stimulus Bill. Senator Leahy also asked for the incorporation of some of the provisions.
The American Recovery and Reinvestment Act of 2009: http://epic.org/redirect/022309_Stimulus_Act.html
Subtitle D - Privacy: http://epic.org/privacy/pdf/StimulusPassedBill-SubD.pdf
Patient Privacy Rights: http://www.patientprivacyrights.org/
Senator Leahy's statement on medical privacy: http://leahy.senate.gov/press/200902/021309c.html
EPIC's page on Medical Privacy: http://epic.org/privacy/medical/default.html
Supreme Court to Hear Arguments in Identity Theft Case
The US Supreme Court will hear oral arguments in Flores-Figueroa v. US on February 25, 2009. Before the Court is this question: "In order to prove aggravated identity theft, does the government need to prove the defendant knew the identification he possessed belonged to another person?" EPIC filed a friend of the Court brief in support of the petitioner, Flores-Figueroa and explained that the crime of identity theft should require an intent to impersonate another as Congress made clear in the federal laws under review. The brief urges the Court to not "set a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful."
US Supreme Court, Docket, Flores-Figueroa: http://www.supremecourtus.gov/docket/08-108.htm
Oyez, Flores-Figueroa v. US, No. 08-108: http://www.oyez.org/cases/2000-2009/2008/2008_08_108/
EPIC, Flores-Figueroa v. US: http://epic.org/privacy/flores-figueroa/
Stimulus Bill Grants One Billion Dollars for Airport Scanners
The American Recovery & Reinvestment Act signed by President Obama contains a grant of $1 Billion for Aviation Security. The law grants the sum for the "procurement and installation of checked baggage explosives detection systems and checkpoint explosives detection equipment." This equipment includes "backscatter" X-ray machines which show detailed images of a person's naked body, and are equivalent to a "virtual strip search" for all air travelers.
EPIC - Spotlight on Surveillance: http://epic.org/privacy/surveillance/spotlight/0605/
X-Ray Backscatter Technology and Your Personal Privacy: http://www.tsa.gov/research/privacy/backscatter.shtm
TSA's page on Backscatter: http://www.tsa.gov/approach/tech/backscatter.shtm
Massachusetts Postpones Data Privacy Rules to 2010
In November last year, the Commonwealth of Massachusetts became the first state in the United States to enact data privacy and security standards and regulations. Following a public hearing in January in which businesses stated that it would be virtually impossible to implement the new standards within the designated timeframe, the OCABR decided to extend the time required to comply with the new regulations till January 1, 2010. The OCABR decided on having comprehensive methods to ensure that businesses have adequate safeguards to protect personal information about Massachusetts residents. The new regulation prescribes the minimum standards that are to be implemented.
Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00): http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf
201 CMR 17.00 Compliance Checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
FAQs regarding 201 CMR 17.00: http://epic.org/redirect/112008_FAQ_201CMR1700.html
European Court of Justice Upholds Data Retention Directive
The European Court of Justice dismissed a legal challenge by Ireland, supported by Slovakia, to the EU Data Retention Directive (2006/24/EC). The directive pertained to retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Court found that the directive was adopted on an appropriate legal basis; the provisions of the directive are essentially limited to the activities of service providers and do not govern access to or use of the data by the police or judicial authorities; and the data which falls in principle within the domain covered by police and judicial cooperation in criminal matters has been excluded from the provisions of the directive.
Ireland v. Parliament and Council of EU, E.C.J. No. 301/06: http://epic.org/redirect/022309_IrelandvEC.html
Directive 2006/24/EC of the European Parliament and of the Council: http://epic.org/redirect/022309_Directive200624EC.html
Press Release No 11/09: http://curia.europa.eu/en/actu/communiques/cp09/aff/cp090011en.pdf
EPIC, Data Retention: http://epic.org/privacy/intl/data_retention.html
Social Networking Companies Agree to European Privacy Principles
Seventeen social-networking Web sites signed a voluntary set of networking principles in order to remove online bullying of children and young people and to protect their personal information. The principles included 1) raising awareness of safety education messages and acceptable use policies to users, parents, teachers and caregivers in a prominent, clear and age-appropriate manner; 2) working towards ensuring that services are age-appropriate for the intended audience; 3) empowering users through tools and technology; 4) providing easy-to-use mechanisms to report conduct or content that violates the Terms of Service; 5) responding to notifications of illegal content or conduct; 6) enabling and encouraging users to employ a safe approach to personal information and privacy; and 7) assessing the means for reviewing illegal or prohibited content/conduct. The companies included Facebook, MySpace, Bebo, Microsoft Europe, Dailymotion, Google YouTube, and Yahoo! Europe.
Safer Social Networking Principles for the EU: http://epic.org/redirect/022309_SafeSocialNet_EU.html
European Union: Communications and Electronic Information - Signing of Agreement on Social Networking: http://www.loc.gov/lawweb/servlet/lloc_news?disp3_1014_text
EPIC, Social Networking Sites and Privacy: http://epic.org/privacy/socialnet/default.html
ENISA Issues Paper on Privacy Features of eID Cards
The European Network and Information Security Agency released a position paper on security features in European eID schemes. The eID card is an authentication token as well as a personal data source. The paper gives the first overview of the vast disparity between privacy features in eID cards across Europe. eID cards are currently used mainly for tax declarations and other e-government services, but applications are branching out into the commercial sector. There is a lack of coordinated strategy regarding protection of the private data stored on the card which hinders interoperability and also limits acceptability.
Privacy Features of European eID Card Specifications: http://epic.org/redirect/022309_ENISA-eID.html
Revised FAQ on Binding Corporate Rules to Include Third Party Rights
The Article 29 Working Party published a revised set of Frequently Asked Questions about Binding Corporate Rules. BCRs are a legal means for providing adequate protection to personal data which is covered by Directive 95/46/EC and transferred out of the European Union to countries that are not considered to provide an adequate level of protection. The new FAQ includes principles which are enforceable as third party beneficiary rights. They include purpose limitation; data quality and proportionality; criteria for making the processing legitimate; transparency and easy access to BCR; rights of access, rectification, erasure, blocking of data and objection to the processing; rights in case automated individual decisions are taken; security and confidentiality; restrictions on onward transfers outside of the group of companies; national legislation preventing respect of BCR; right to complain through the internal complaint mechanism of the companies; cooperation duties with Data Protection Authority; and liability and jurisdiction provisions.
Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules (last Revised and adopted on 21 January 2009): http://epic.org/redirect/022309_BCR_FAQ.html
Working Document Setting up a framework for the structure of Binding Corporate Rules: http://epic.org/redirect/022309_BCR_framework.html
"In Confidence" by Ronald Goldfarb
Ronald Goldfarb's book examines confidentiality by delving into "its justification, its rationales, its virtues, and its complexities" when courts weigh its importance. His book reflects on the judicially recognized rights of confidentiality extended or withheld to governments and citizens; attorneys and clients; physicians and patients; psychotherapists and patients; pastors and congregants; among family members; businesses and customers; journalists and informants. He posits that confidentiality is related to privacy, but they are not the same thing. Goldfarb's book is packed with interesting history, case studies, and legislative efforts to chart the way for confidentiality. He defines confidentiality as a component set of privacy rights. Privacy is a relatively new human right and one that evolves with times, circumstances, people, customs, and beliefs. The views of philosophers, legal historians, and privacy experts are aired in an interesting and thought-provoking manner. The book is only 244 pages, but do not be misled - you must set aside some quiet time to really get the best out of the experience of reading "In Confidence."
This book is written from the perspective of a very good legal mind. I enjoyed the byplay of tension between what we may want as individuals and what challenges society might place on confidential communications between intimates. He advances Dean Wigmore's legal thinking as a litmus test to determine when and how confidential matters should be weighed in a judicial process if: "the communications were made in confidence; the element of confidentiality is essential to maintain the parties' relationship; there is a community need to 'sedulously' foster the relationship; and the harm to the relationship caused by disclosure would exceed any benefit from the disposal of the litigation," then the matter at hand should not be disclosed. I would argue on the point Goldfarb makes regarding the confidentiality of medical information or the patient-doctor privilege. He argues that modern medicine is not performed on a person-to-person basis. The doctor and patient are by necessity not the only parties to the medical information provided; office administrators, nurses, laboratory technicians, medical service providers, insurance companies, and others must have routine access to medical information to meet the medical needs of patients. He argues that the lack of confidentiality is known by patients and that the greater good of society might be served if medical information is shared when it has broader implications for the health and safety of others. History teaches well the lessons of illness and community - the ill, whether they be lepers of the 1st Century or HIV/AIDS victims of the 1970s, are clear. There may be just as much for the ill to fear from the healthy. Effective treatment means early detection, and early detection requires the cooperation and collaboration of those who may be ill.
Confidentiality is an important aspect of the need to disclose information to medical professionals for accurate diagnosis and treatment. Legislative remedies are one source of help for those seeking a hedge against privacy-invasive technology, private or government practices, or changes in policy that erode the right to be left alone. However, the courts provide a valuable reprieve from the long path to relief that might be provided by legislative or rulemaking processes. The state and federal courts allow the affirmation or scoping out of privacy rights in circumstances that are not clear or well established. Speaking with a doctor, lawyer, priest, spouse, or mental health professional has presence and legal history to support the role of confidential communications within those relationships. He correctly argues that there are other relationships that are just as vital to society in which confidences should be maintained. He posed that members of a family, parents and children, as well as siblings are irrevocably connected in a relation that will last a lifetime. This relation is not voluntary in nature and cannot be dissolved at will. The benefit to the individual of physical, emotional, and other forms of security are real. Damage to these relationships also has consequences for the broader society, which should be recognized by courts and protected under legal mandate. Goldfarb does an excellent job at provoking and stimulating the thought processes around confidentiality, which is a slice of the privacy landscape. He lands squarely on the side of fostering societal values around the right of confidentiality and flushing out notions of privileged communications based on "clear and commanding situations." I was glad to have had the opportunity to review this book for the EPIC Alert.
-- Lillie Coney
"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at: https://mailman.epic.org/mailman/listinfo/foia_notes
Department of Homeland Security Data Privacy and Integrity Advisory Committee, Public Meeting, 9:00 a.m. - noon, and 1:30 p.m. to 4:00 p.m., February 26, 2009 at Galleries I and II of the Hilton Arlington Hotel, 950 North Stafford Street, Arlington, Virginia.
For more information,
Annual BCLT/BTLJ Symposium "Security Breach Notification 6 Years Later: Lessons Learned about Identity Theft and Directions for the Future," March 6, 2009 at UC Berkeley School of Law. For more information,
2009 Freedom Forum Freedom of Information conference: "Freedom and Information: Looking Back and Looking Forward," 11th annual National FOI Day Conference, Freedom Forum's Newseum, March 13, 2009. Contact: email@example.com or call 202/292-6288
The IAPP Privacy Summit 2009 will be held March 11-13, 2009, in Washington, D.C. For more information, http://www.privacysummit.org
"Conference on International Aspects of Securing Personal Data," The Federal Trade Commission, Washington, D.C., March 16-17, 2009. For more information, http://ftc.gov/opa/2008/12/datasec.shtm
UC Berkeley Law School, BCLT Second Annual Privacy Lecture,
"Confronting the Third Party Doctrine and the Privacy of Personal
March 18, 2009 at Bancroft Hotel, 2680 Bancroft Way,
Berkeley, CA 94704. For more information,
Notice and Request for Public Comments by the Federal Trade Commission
on Digital Rights Management Technologies.
March 25, 2009, Seattle, WA.
For more information,
"2nd Privacy OS Conference," MediaCentre, Berlin, Germany, April 1-3, 2009. For more information, http://www.privacyos.eu
"THE FUTURE OF PRIVACY: What's Next?" - a one day seminar.
April 28, 2009, Cartier Suites Hotel, 180 Cooper Street,
For more information,
"2nd Annual Research Symposium for the Identity, Privacy and Security Initiative," May 6, 2009, University of Toronto. For more information, http://www.ipsi.utoronto.ca/site4.aspx
IEEE Symposium on Security and Privacy, May 17-20, 2009,
The Claremont Resort, Oakland, California. For more information,
Web 2.0 Security & Privacy 2009, Thursday, May 21,
The Claremont Resort, Oakland, California. For more information,
Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,
Join the Electronic Privacy Information Center on Facebook
Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.
Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.