Home | Databases | WorldLII | Search | Feedback EPIC Alert

EPIC Alert 16.06 [2009] EPICAlert 6

E P I C A l e r t

http://www.epic.org/alert/EPIC_Alert_16.06.html

"Defend Privacy. Support EPIC." http://epic.org/donate

On March 17, 2009, EPIC filed a complaint with the Federal Trade Commission, urging the federal agency to investigate Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the [service's] privacy and security safeguards." The complaint follows recent report of a breach of Google Docs. EPIC observed that Google repeatedly assures consumers that Google Cloud Computing Services store user-generated data securely. However, the Google Docs data breach exposed user-generated documents to users of the service who lacked permission to view the files. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google.

On March 18, 2009, the FTC responded to EPIC's complaint. The Commission will review EPIC's description of Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," the agency said. On March 26, 2009, security consultants revealed additional security flaws in Google Docs. The flaws permit unauthorized individuals to access user-generated Google Docs content.

EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services. Studies estimate that 69 percent of Americans use webmail services, store data online, or otherwise use cloud computing software programs, whose functionality is located on the web. According to the Pew Internet and American Life Project, an overwhelming majority of cloud users express serious concern about the possibility that a service provider would disclose their data to others. Approximately three-quarters of senior IT executives said that security is the biggest challenge for the cloud computing model.

The Google Docs breach is only one example of known security flaws involving Google's Cloud Computing Services. In January 2005, researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of usernames and passwords for the Google Accounts centralized log-in service and enabled outsiders to access users' email. In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser that exposed Google users' personal data to malicious internet sites. In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability could enable malicious individuals to achieve remote, persistent access to sensitive data, or gain full control of the system.

Previous EPIC complaints to the FTC led the Commission to order Microsoft to revise the security standards for Passport and to require databroker Choicepoint to change its business practices and pay $15 m in fines. On July 26, 2001, EPIC and twelve organizations submitted a FTC complaint detailing the serious privacy risks of Microsoft Windows XP and Microsoft Passport. The complaint alleged that Microsoft "has engaged, and is engaging, in unfair and deceptive trade practices intended to profile, track, and monitor millions of Internet users" in violation of federal law. Approximately one year later, the FTC announced a settlement in its privacy enforcement action against Microsoft. The settlement required that Microsoft establish a comprehensive information security program for Passport, and prohibited any misrepresentation of its practices regarding information collection and usage. In December 2004, EPIC filed a complaint with the Federal Trade Commission against ChoicePoint, alleging that Choicepoint failed to safeguard sensitive consumer data. In January 2006, the FTC announced a settlement with the databroker, requiring Choicepoint to pay $10 million in civil penalties and provide $5 million for consumer redress. It is the largest civil penalty in FTC history.

EPIC Complaint to the FTC Concerning Google and Cloud Computing Services: http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf

FTC Letter Concerning Review of EPIC Complaint: http://epic.org/privacy/cloudcomputing/google/031809_ftc_ltr.pdf

EPIC's "In re Google and Cloud Computing" page: http://epic.org/privacy/cloudcomputing/google/

EPIC's Cloud Computing page: http://epic.org/privacy/cloudcomputing/default.html

The Attorney General issued new Freedom of Information guidelines pursuant to President Obama's memorandum directing all executive branch departments and agencies to maintain a presumption of openness in releasing information requested from them and take affirmative steps to make information public. In the memorandum, the Attorney General strongly encouraged agencies to make discretionary disclosures of information to the fullest extent possible taking reasonable steps to segregate and release nonexempt information.

Rescinding the FOIA Memorandum of October 12, 2001, the Attorney General stated that the Justice Department would defend a FOIA request only if the agency reasonably foresees that the disclosure would harm a statutorily protected interest or the disclosure was prohibited by law. The directive also declared that Justice Department lawyers should consult the guidance with regard to pending litigation when there is a substantial likelihood that application of the guidance would result in a material disclosure of additional information.

Instructing each agency to be fully accountable for its administration of the FOIA, the head of the Department of Justice and chief law enforcement officer of the Federal Government noted that everyone must do their part to ensure open government and must address the key roles played by a broad spectrum of agency personnel who work with agency FOIA professionals in responding to requests. The memorandum also clarified that each agency is required by law to designate a senior official who has direct responsibility for efficient operations and appropriate FOIA compliance and such official was to recommend adjustments to agency practices, personnel, and funding as necessary. Urging agencies to be mindful of their obligation to work "in a spirit of cooperation," the Attorney General echoed the Presidential proclamation of removing unnecessary bureaucratic hurdles in the "new era of open Government."

The executive missive instructed agencies to readily and systematically post information online before any actual public requests were made. Pursuant to the OPEN Government Act of 2007, the agencies would be required to assign individualized tracking numbers to requests taking more than ten days to process and enable the electronic tracking of status with up-to-date information. The Chief FOIA officer of each agency is also charged with reviewing thr FOIA administration and is to report annually to the Justice Department the measures taken to improve operations and facilitate disclosure of information.

The new guidelines were issued during the Sunshine Week which is a national initiative to open a dialogue about the importance of open government and freedom of information.

Attorney General Issues New FOIA Guidelines to Favor Disclosure and Transparency: http://www.usdoj.gov/opa/pr/2009/March/09-ag-253.html

Memorandum for Heads of Executive Departments and Agencies: http://www.usdoj.gov/ag/foia-memo-march2009.pdf

Presidential Memorandum of January 21, 2009 - FOIA: http://edocket.access.gpo.gov/2009/pdf/E9-1773.pdf

USDOJ OIP Guidance: Assigning Tracking Numbers and Providing Status Information for Requests: http://www.usdoj.gov/oip/foiapost/2008foiapost30.htm

Attorney General FOIA Memorandum, October 12, 2009: http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm

Sunshine week: http://www.sunshineweek.org

EPIC's Page on Open Government: http://epic.org/open_gov/

The Organization for Economic Co-operation and Development welcomed the establishment of the Civil Society Information Society Advisory Council in the Committee for Information Computer and Communications Policy work through a multi-stakeholder cooperation approach. This follows-up on a decision by the OECD Council to add Civil Society and the Internet Technical Community to the list of key non governmental stakeholders in the ICCP's terms of reference, joining business and trade-unions.

Similar in type and function to the Business Industry Advisory Committee for industry and the Trade Union Advisory Committee for trade unions, the Civil Society Information Society Advisory Council has been established to facilitate participation of Civil Society Participants in the OECD-ICCP Committee.

This proposal followed many years of effort by civil society organizations at the OECD which was first highlighted in the OECD's Ottawa ministerial conference on electronic commerce 10 years ago, affirmed in venues like the World Summit on the Information Society, and requested by civil society participants of The Public Voice Coalition in the 1998 Civil Society Declaration in Ottawa as well as in its 2008 Seoul Declaration.

"This is an enormous achievement, the culmination of a ten-year effort to formalize civil society participation on Internet policy work at the OECD," Marc Rotenberg, EPIC Executive Director said. A framework to govern the participation of civil society in OECD-ICCP work and that of its working parties was approved in the 57th OECD-ICCP held at Paris on March 11-13, 2009.

Civil society participants of The Public Voice Coalition worked together to adopt a formal consensus charter for participation at the OECD-ICCP Committee through the recently established CSISAC. The CSISAC charter creates a Membership, a Steering Committee, and a Liaison, as well as making clear the goals of civil society participation at the OECD-ICCP. An interim Liaison is provided by EPIC's The Public Voice Project for 2009-2010 and is serving as the initial point of contact with the OECD and is also responsible for facilitating CSISAC participation.

The main CSISAC purposes are:

- Engage in constructive input and dialogue with the OECD Committee for Information, Computer and Communications Policy (ICCP) about policy issues of interest to civil society; - Pursue the agenda set out in the Civil Society Seoul Declaration of 2008; - Report to civil society organizations about the OECD publications, events, and policy recommendations of interest to civil society; - Identify and publicize opportunities for participation by civil society organizations in the work of the OECD; - Maintain appropriate communications tools (e.g. content management system, mailing list, social network platform) that highlight key OECD-ICCP developments of interest to civil society and facilitate broader civil society participation; and - Report on an annual basis the accomplishments of the past year and the goals for the next year.

Civil Society Information Society Advisory Council (CSISAC): http://www.csisac.org

The CSISAC Charter: http://thepublicvoice.org/documents/CSISAC-Final.pdf

The OECD Civil Society Seoul Declaration: http://thepublicvoice.org/events/seoul08/seoul-declaration.pdf

Principles for the Participation of Non-governmental Stakeholders in the Work of the ICCP Committee and its Working Parties: http://www.oecd.org/dataoecd/38/34/42399492.pdf

Resolution of the OECD Council regarding ICCP's Term of Reference: http://epic.org/redirect/040109_OECD_ICCP_terms.html

OECD, "The Future of the Internet Economy OECD Ministerial Meeting," June 17-18, 2008, Seoul, South Korea: http://www.oecd.org/FutureInternet

"Closing remarks by Angel Gurrķa, OECD Ministerial Meeting on the Future of the Internet Economy," June 18, 2008: http://epic.org/redirect/112008_OECD_MM_closeremarks.html

OECD: "The Public Voice in the Development of Internet Policy" (Ottawa 1998): http://gilc.org/events/ottawa98/

The Chairman of the Federal Trade Commission issued the FTC Annual Report for the year 2009. The report describes the agency's competition and consumer protection accomplishments over the past year. The report also stated that data security and the protection of consumer privacy remained a central focus of FTC's consumer protection goals. The report further highlighted that although new technologies provided benefits to consumers, the developments posed new threats to sensitive consumer data and the security of personal computers and email.

The Federal Trade Commission brought actions challenging inadequate data security practices by companies that handle sensitive consumer data. The Commission announced a settlement with TJX after an intruder exploited security loopholes to prevent unauthorized access to obtain credit card information as well as personal information of approximately 455,000 consumers. The Commission had also made a settled with Reed Elsevier with respect to data security breaches. Due to security failures, identity thieves obtained access to sensitive information concerning at least 316,000 consumers which was subsequently used to activate credit cards and open new accounts. EPIC had filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC had also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements imposed security and audit responsibilities, but no financial penalties. The FTC also reached a settlement agreement with CVS Caremark when it left information in unsecured dumpsters in locations across the country.

The report elaborated that complaints collected by the FTC are entered into a secure, online database within the Commission's Consumer Sentinel Network. The agency shares the information with law enforcement officials to spot trends quickly, target the serious illegal practices and coordinate law enforcement efforts. The FTC, the U.S. Secret Service, and the Justice Department have provided local and state law enforcement officers with tools to assist victims of identity theft, investigate the crime and work with local prosecutors. The report identifies Identity Theft as the top most consumer complaint in 2008 with 26% reporting with 313,982 complaints.

The Trade Commission published several studies and reports which included a report on social security numbers and identity theft recommending measures to help prevent identity theft using SSNs. Another study focused on online behavioral advertising principles in which the staff recommended four self-regulatory principles for online behavioral advertising. A report was also published on the protection of customers in face of emerging technologies in the next 10 years.

Hearings and workshops held to address consumer concerns and privacy included a roundtable discussion on phishing; best practices for protecting personal information; privacy and security issues associated with RFID applications. A report on identity theft was published by the President's Identity Theft Task Force which was led by the Attorney General and the FTC Chairman and discussed expansion of the Task Force's existing data security and identity theft business and consumer education campaign; improving consumer authentication mechanisms; and launching of new initiatives to help identify theft victims. The FTC also testified before the Congress on a number of issues including behavioral advertising, and spyware and other malware.

Annual Report of the Chairman - Federal Trade Commission (2009): http://www.ftc.gov/os/2009/03/2009ftcrptpv.pdf

Chairman Issues Commission's Annual Report at ABA Spring Meeting: http://www.ftc.gov/opa/2009/03/annualrpt.shtm

The Federal Trade Commission: http://www.ftc.gov/opa/2009/03/annualrpt.shtm

EPIC's Page on Identity Theft: http://epic.org/privacy/idtheft/

The European Parliament adopted with 481 votes a report on Security and Fundamental Freedoms on the Internet on March 26, 2009. The report is the first recommendation from the Members of the European Parliament concerning the fight against cybercrime and preserving the rights of internet users. The report contained recommendations to the Council by Stavros Lambrinidis, a Greek Member of the European Parliament.

The adopted text of the report took into account various international covenants, charters, directives, framework decisions and recent judgments. The parliamentary approval also took notice of the internet being used for promoting democratic initiatives and its necessity in providing a suitable regulatory framework for citizen participation in e-government; transparency, privacy and trust being an indispensable part of the internet; enhancement and exposure of freedom of expression and privacy to intrusions and limitations by both private and public actors; the increasing problems of identity theft and fraud; recognition of imposing limitations on the exercise of freedom of expression and the respect for private life which may be imposed if in accordance with law, proportionate and appropriate; and the ongoing process of the "Internet Bill of Rights" to take into account all relevant research and undertakings in the field.

The Parliament urged Member States to update the law to protect children using the internet and criminalize grooming. The report also called on Member States to protect fundamental rights affected by the internet such as privacy, data protection, freedom of speech and association, freedom of press, political expression and participation, non-discrimination and education through the use of existing national, regional and international law, and to exchange best practices. The text also took notice of the nature of the internet being open to abuse with a proliferation for violent messages, hate-based criminal acts, cybercrime and identity theft. The Parliament called on the Council and the Commission to develop a comprehensive strategy to combat cybercrime, identity theft and fraud.

The report also raised the question of consent of internet users when giving personal information to governments or private entities and the imbalance of negotiating power between the users and the entities. The Parliament additionally stressed the importance of internet users being able to retain the right of permanently deleting their personal information on any internet site or third party storage medium. A draft of the report was released in January.

The European Parliament: http://www.europarl.europa.eu/parliament.do

Adopted Text: http://epic.org/linkedfiles/EuroParl032609.pdf

Press Release: http://epic.org/redirect/040109_EU_Parl_InternetFreedom.html

EPIC's report on Privacy & Human Rights 2006: http://www.epic.org/phr06/

Cybersecurity Chief Steps Down Warning of Growing NSA Influence

Rod Beckstrom resigned as the Director of the National Cybersecurity Center, a component of the Department of Homeland Security. In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom warned of the increasing role of the National Security Agency in domestic security. The "intelligence culture is very different than a network operation or security culture... the threats to our democratic processes are significant if all top government network and monitoring are handled by any one organization... we have been unwilling to subjugate the NSCS under the NSA," wrote the former NCSC Director. The announcement follows Congressional testimony from the new Director of National Intelligence that the NSA should be responsible for network security. Susan Collins, Ranking Member of the Senate Committee on Homeland Security and Government Affairs asked DHS to send a number of documents to show how the department spent its $6 million NCSC budget and provided other means of support for the NCSC. DHS Secretary Napolitano appointed Philip Reitinger, a Chief Trustworthy Infrastructure Strategist at Microsoft, to be deputy undersecretary for the department's National Protection and Programs Directorate, where he will be responsible for protecting federal computing systems from domestic and foreign threats. EPIC has long maintained that the NSA, though it plays a vital role in gathering foreign intelligence, should not be the lead agency for domestic network security because it also engages in extensive and unregulated spying.

Rod Beckstrom: http://en.wikipedia.org/wiki/Rod_Beckstrom

National Cyber Security Center: http://en.wikipedia.org/wiki/National_Cyber_Security_Center

Resignation Letter: http://epic.org/linkedfiles/ncsc_directors_resignation1.pdf

DNI Director Congressional Testimony: http://www.dni.gov/testimonies/20090225_transcript.pdf

National Protection and Programs Directorate: http://www.dhs.gov/xabout/structure/editorial_0794.shtm

Secretary Napolitano Names Philip Reitinger as Deputy Undersecretary of National Protection & Programs Directorate: http://www.dhs.gov/ynews/releases/pr_1236796289008.shtm

Senate Committee on Homeland Security and Government Affairs Press Release (Ranking Member): http://epic.org/redirect/040109_Senate_Homeland_Press.html

World Privacy Forum Publishes Patient's Guide to HIPAA

The World Privacy Forum has prepared a "Patient's Guide" to Health Insurance Portability and Accountability Act. The purpose of the guide is to help health privacy laws work in protecting a patient's privacy. The guide teaches patients about HIPAA and the "seven basic rights" - right to inspect and copy of one's record; right to request confidential communications; right to request amendment; right to receive an accounting of disclosures; right to complain to the secretary of HHS; and the right to request restrictions on uses and disclosures. The third part of the guide aims to educate patients about what should be known regarding uses and disclosures. The guide also comes with a "sidebar" to offer an illustration, explanation, or comment.

Patient's Guide to HIPAA: How to Use the Law to Guard your Health Privacy: http://www.worldprivacyforum.org/hipaa/index.html

HIPAA Privacy Rule: http://epic.org/redirect/040109_HIPAA_Privacy_Rule.html

World Privacy Forum: http://www.worldprivacyforum.org/

Office of Civil Rights, Department of Health and Human Services (HHS): http://www.hhs.gov/ocr/hipaa

EPIC's Page on Medical Privacy: http://epic.org/privacy/medical

Article 29 Group to Verify Compliance of Data Retention Laws

The Article 29 Working Party will look into telecommunication providers and Internet Service Providers and ensure compliance with data retention laws. The legal basis for the investigation is the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC. The Working Party expressed the aim of contributing to a more proactive stance towards EU wide synchronized enforcement as a means of increasing compliance. The primary aim of the verification is to analyze whether and how data protection requirements concerning the type of retained data, security measures and prevention of abuse and storage limit requirements are adhered within the telecom sector within each member state.

Article 29 Working Party: http://epic.org/redirect/040109_A29WP.html

Press Release: http://epic.org/redirect/040109_A29_DataRetention_PR.htm

Directive 2002/58/EC on data protection and privacy: http://epic.org/redirect/091208_eu.html

Directive 2006/24/EC of the European Parliament and of the Council: http://epic.org/redirect/022309_Directive200624EC.html

EPIC, Data Retention: http://epic.org/privacy/intl/data_retention.html

EC Releases Guide on EU Transborder Data Transfer

The Data Protection Unit of the European Commission has released a Frequently Asked Questions to better clarify the EU framework on transborder data transfer to third countries. In the EU, the Data Protection Directive usually determines transfer of personal data which may take place only if the third country in question ensures an adequate level of protection. However, there are also situations where the level of protection has not been assessed and determined but where personal data may nevertheless be transferred to the third countries.

FAQS relating to Transfers of Personal Data from the EU/EEA to Third Countries: http://epic.org/redirect/040109_EU_IntDataTransfer.html

Council of Europe Privacy Convention: http://epic.org/privacy/intl/coeconvention/default.html

Study Finds Most Users Believe Sites Track Behavior

A survey conducted by an advertising provider has revealed that 80 percent of internet users are concerned about privacy. With over 4000 users surveyed, the results indicated that privacy is a significant concern amongst web users, and the survey also revealed that concern increased with the age of the respondent. The study also found that most web users believed that web sites were tracking their behavior online with three out of five respondents indicating that it was likely that a web site they visited collected information on how they navigated and interacted with it. The study also revealed that personal privacy was not something people were willing to give up for more relevant advertising.

Burst Media Study Revealed that 80% of Web Users are Concerned About Privacy Online: http://www.burstmedia.com/about/news_display.asp?id=1

Online Privacy Still A Consumer Concern: http://www.burstmedia.com/research/current.asp

Respondents Saying it is Likely Web Sites Are Collecting PII and Non-PII Information: http://epic.org/redirect/040109_BurstMedia_Survey.html

"Googling Security: How Much Does Google Know About You?" by Greg Conti

http://www.amazon.com/gp/product/0321518667?tag=e03a6-20

"Ah, the simple search box. Over the course of our lives, we pour our successes, failures, hopes, dreams, and life events, both significant and minor, into a small text field and turn our destinies over to Google in hopes of finding the answers we seek. . . . it is almost as if the users are communicating with God."

- Greg Conti

If you want to learn more about the privacy risks of Google's many "free" services, what should you do? One answer is to read the Google privacy policies. A second answer is to watch the Google videos on YouTube (a Google company). The best answer is to read Greg Conti's "Googling Security," a clever, informative, and important overview of the many ways that Google now captures your data and the increasing risks that result.

Conti makes clear at the beginning that he is impressed by the technology wizardry that serves up search results, email service, mapping and just about everything else that most people do online. Of course, privacy and security concerns have long dogged Google. But rather than careening off into the too frequent discussion about whether Google is/could become "evil," he looks closely at how these various services operate -- what data is collected, how it is used, who has access, and what the risks might be. And it is not a pretty picture.

As Conti makes clear, Google services are not really free. "You pay big time with the personal information you provide." And few consumers have any idea about the true extent of Google's data collection activities. Even the fact that searches histories are saved is surprising to most users, according to one recent poll. But the privacy risks of the web taken as a whole, are much more extensive. As Conti explains, "web browsing isn't a one-to-one conversation with a single web site. Instead embedded content such as maps, images, videos, advertisements, web analytics, code, and social networking widgets immediately disclose each user's visit to a third party when that user merely view a page in his or her browser."

Google, for more than any other company, is deeply embedded in the techniques that make it possible to collect and analyze the activities of Internet users. And Google's dominance is clearly growing with increasing market share in the search industry, the acquisition of Doubleclick. Conti says simply, "Information disclosure occurs when you use virtually any online tool but is significantly more risky when a single company offers many services." Of course, much of Google's attraction is ease of use. "Counterintuitively, the more easy-to-use these services are, the more information you are enticed to disclose, and hence the greater the information disclosure risk." Large amounts of free online storage present another risk by encouraging users to keep information online that might otherwise simple delete.

Conti's warning applies broadly to cloud computing, the network model strongly favored by Google. As he explains, "By placing applications and their data files on centralized servers, we lose control of our data. Critical information that was once safely stored on our personal computers now resides on the servers of online companies."

Although Google makes information widely available and is seen as promoting transparency, the information that users get from Google is not what Google can get from Google. Google has access to much more data and more powerful search techniques. "The publicly accessible face of Google provide only a small fraction of its capabilities to end users when compared to the internal capabilities of Google," Conti writes. And he warns that advances in data mining and artificial intelligence will simplify magnify the threat, under the guise of improving the user experience.

But Conti is also funny and tosses in a few clever lines. He writes that cookies are "like the tracking darts scientists shoot into wild animals on nature documentaries." The line is even better when you realize that DART also refers to the tracking technique of Doubleclick, the online advertiser that Google acquired last year. Of course, the scientist's dart is easily removed. Google's persistent identifier constantly reattaches itself to Internet users.

Conti's chapter on "Countermeasures" describe a whole bunch of techniques to limit Google's data profiling prowess. But even he concedes this is a losing campaign - "If you attempt to use all the techniques presented in this chapter, you will create a nearly intolerable web-browsing experience." There is the whack-a-mole strategy that has users turning on and off certain features based on need, but even that seems unlikely to succeed. Identifying anonymous Internet users becomes easy over time, "often a very short period of time," thanks to the steady stream of search and web site visit data. And all the cookie deletion and anonymizing techniques fail once you have a Google account.

Conti gets that, too, and proposes advocacy and legislative strategies to help get to some of the larger problem. His book stops short of a draft Internet Privacy Act, but he offers a nice segue from real problems and proposed solutions to a policy debate that could leave users with more time to use the web and less time worrying about privacy settings.

It is always tempting when discussing criticisms of Google to add a line like, "and other companies." In fact, this is what the Google PR folks routinely tell journalists when the news stories turn to privacy concerns. But Google really is different. No other company collects as much data on Internet users as Google. No other company controls more Internet-based applications than Google. No other company plays a more dominant role in Internet policy than Google. And no other company is likely to play a greater role shaping the future of the Internet than Google.

Perhaps then this is a good time to move beyond the "is Google evil?" debate and began to ask some tough questions about what Google is doing with all of this information and what the risks really are. Greg Conti's Googling Security is the right place to start.

- Marc Rotenberg

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/mailman.epic.org/mailman/listinfo/foia_notes

"Toward a Legal Framework for Identity Management" Oxford Internet Institute, Oxford, England, April 2-3, 2009. For more information, http://www.oii.ox.ac.uk/

"2nd Privacy OS Conference," MediaCentre, Berlin, Germany, April 1-3, 2009. For more information, http://www.privacyos.eu

"THE FUTURE OF PRIVACY: What's Next?" - a one day seminar. April 28, 2009, Cartier Suites Hotel, 180 Cooper Street, Ottawa, Canada. For more information,
http://www.rileyis.com/seminars/

2009 FTC Workshop: Best Practices for Business: Protecting Personal Information and Fighting Fraud with the Red Flags Rule: Pope Auditorium, Lincoln Center Campus, Fordham School of Law's Center for Law and Information Policy, 113 West 60th Street, New York, NY 10023. For more information,
http://www.ftc.gov/bcp/workshops/infosecurity/index.shtml

"2nd Annual Research Symposium for the Identity, Privacy and Security Initiative," , May 6, 2009, University of Toronto. For more information, http://www.ipsi.utoronto.ca/site4.aspx

IEEE Symposium on Security and Privacy, May 17-20, 2009, The Claremont Resort, Oakland, California. For more information,
http://oakland09.cs.virginia.edu/

Web 2.0 Security & Privacy 2009, Thursday, May 21, The Claremont Resort, Oakland, California. For more information,
http://w2spconf.com/2009/

Computers, Freedom, and Privacy, 19th Annual Conference, Washington, D.C., June 1-4, 2009. For more information,
http://www.cfp2009.org/wiki/index.php/Main_Page

"The Transformation of Privacy Policy," Institutions, Markets Technology Institute for Advanced Studies (IMT)Lucca, Italy, July 2-4, 2009.

Join the Electronic Privacy Information Center on Facebook
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

.