E P I C A l e r t
Volume 18.01 January 13, 2010
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Report All Screening Experiences at
EPIC Body Scanner Incident Report
Table of Contents
 Key Consumer Privacy Legislation Enacted in Early 2011
 EPIC to Comment on Key Privacy Reports
 EPIC Hosts Conference and Files Reply Brief in Body Scanners Case
 Key Court Decisions Examine Traditional Warrant Requirements
 Supreme Court to Hear Medical Privacy Case
 Gallup Poll Shows Public Opposed to Online Tracking
 News In Brief
 Upcoming Conferences and Events
TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends
the IMAGE http://thepublicvoice.org/nakedmachine.jpg
- SUPPORT EPIC http://www.epic.org/donate/
 Key Consumer Privacy Legislation Enacted in Early 2011
President Obama has signed into law two key pieces of legislation
will serve to strengthen privacy protections, the "Social Security
Protection Act of 2010" and the "Truth in Caller ID Act."
The first new law is aimed at reducing identity theft by limiting the
Government's use of and access to social security numbers.
prohibits government agencies from printing social security numbers on
checks and prohibits prison inmates' access to social
"Social Security numbers are among Americans' most valuable but
vulnerable assets," said Sen. Feinstein (D - CA),
a sponsor of the bill.
"Identity theft is a serious concern for all consumers, and we should
make every effort to protect personal
EPIC has testified many times before Congress on the need to safeguard
Social Security Numbers, including at four separate House hearings
between 2001 and 2007. EPIC has also participated in important cases on
Social Security Number privacy. For example, in Doe v. Chao in 2004,
EPIC, along with a coalition of civil liberties organizations and
technical and legal experts, filed a "friend of the court" brief,
arguing that the Privacy Act provides damages for those who suffer
"adverse effects," though no actual
President Obama has also signed into law the "Truth in Caller ID Act."
This new act will ban the transmission of misleading caller ID
information "with the intent to defraud, cause harm, or wrongfully
obtain anything of value." The change will affect normal telephones as
well as wireless and Internet phone services. EPIC recommended this
intent requirement in testimony before the House in 2006 and 2007, and
before the Senate in 2007, so that Privacy Enhancing Techniques (PETs)
would not be criminalized.
Social Security Protection Act of 2010
Truth in Caller ID Act
EPIC: House Testimony on Truth in Caller ID Act (May 2006)
EPIC: House Testimony on Truth in Caller ID Act (Feb. 2007)
EPIC: Senate Testimony on Truth in Caller ID Act (June 2007)
EPIC: Doe v. Chao
EPIC: Social Security Numbers
EPIC: Identity Theft
EPIC: Caller ID
 EPIC to Comment on Key Privacy Reports
Both the Federal Trade Commission (FTC) and the Department of Commerce
are requesting public comments on their respective Internet
reports by the end of January. The Commission's staff report,
"Protecting Consumer Privacy in an Era of Rapid Change," is
comments until January 31, while the Commerce Department will accept
comments on its green paper, "Commercial Data Privacy
and Innovation in
the Internet Economy: A Dynamic Policy Framework," until January 28.
The Federal Trade Commission released a preliminary staff report on
privacy, following a series of public roundtable discussions. The report
recommends the establishment of a Do-Not-Track mechanism, based in
Internet browsers, which would enable users to opt-out of third-party
web tracking, including behavioral advertising. The report also calls
for simplified consumer privacy notices and recommends that "companies
. . . adopt a 'privacy by design' approach by building privacy
protections into their everyday business practices."
EPIC's comments on this report will address the need for
independent privacy agency with enforcement powers and will propose a
comprehensive federal privacy law based on Fair Information
and modeled on the OECD Privacy Guidelines and the Privacy Act of 1974.
EPIC will also urge the Commission to pursue investigations
before it, including those that involve Google Buzz and Facebook privacy
settings. The FTC's refusal to act on these claims
self-regulation fails without meaningful enforcement of a company's
published privacy policies.
The Department of Commerce report calls for the adoption of Fair
Information Practices, the development of privacy codes of conduct, and
the creation of a privacy office in the Department of Commerce. However,
the Commerce report stops short of a legislative proposal for an
privacy agency. EPIC's comments to the Department of
Commerce will address all of these topics, focusing on implementation
Additionally, the comments will discuss why "safe
harbor" does not work and the need to support a comprehensive
for privacy protection.
The House Energy and Commerce Committee also recently addressed the
potential for a Do-Not-Track mechanism. EPIC had submitted a statement
following a Committee hearing, which recommended that Congress review
the lessons learned from the history of the Do-Not-Call List and the
Telephone Consumer Protection Act. EPIC said that an effective
Do-Not-Track initiative must ensure that a consumer's decision to
opt-out is "enforceable, persistent, transparent, and simple."
FTC Privacy Report
Department of Commerce Privacy Report
FTC Privacy Roundtables
EPIC: Statement to FTC on Cloud Computing/Social Networking
Privacy Act of 1974
EPIC: In Re Google Buzz
EPIC: In Re Facebook
EPIC: Statement on Do Not Track (Dec. 2010)
US-EU Safe Harbor Framework
EPIC: Online Tracking and Behavioral Advertising
 EPIC Hosts Conference and Files Reply Brief in Body Scanners Case
On January 6, 2011, EPIC hosted "The Stripping of Freedom: A Careful
Scan of TSA Security Procedures" at the Carnegie Institute for Science
in Washington, DC. The conference brought together elected officials,
grassroots advocates, civil society groups, and law and technology
scholars to discuss the Department of Homeland Security's body scanner
program in a total of four hour-long panels and two keynote addresses.
Speakers included Representative Rush Holt, who delivered the opening
keynote speech, consumer advocate Ralph Nader, New York City Councilman
David Greenfield, as well as representatives of the Libertarian Party,
Flyer's Rights, and the CATO Institute. Technology expert Bruce Schneier
the afternoon keynote speech, "Restoring Sanity to Airport
Security." The conference, covered by CSPAN, was fully interactive, with
a videocast and a live Twitter feed.
On the same day, EPIC filed a reply brief in its lawsuit to disband the
program. The brief
argues that because "the TSA has acted outside of its
regulatory authority and with profound disregard for the statutory and
rights of air travelers, the agency's rule should be set
aside and further deployment of the body scanners should be suspended."
EPIC filed its opening brief on November 1, 2010, arguing that the body
scanners are "unlawful, invasive, and ineffective." Oral
scheduled for March 10, 2011.
EPIC Counsel Ginger McCall discussed the reply brief at the conference
on a panel with Nadhira Al-Khalili and Jeffrey Rosen, a professor at the
George Washington University Law School. Ms. Al-Khalili is Legal Counsel
for the Council on American Islamic Relations and a pro-se litigant in
EPIC's lawsuit, based on religious objections to the body
program. Professor Rosen has authored two compelling news articles about
the body scanners, privacy, and the Constitution for The Washington Post
and The New Republic.
The Stripping of Freedom: A Careful Scan of TSA Security Procedures
"Nude Breach" (Dec. 13, 2010)
"The TSA Is Invasive, Annoying, and Unconstitutional" (Nov. 28, 2010)
EPIC v. DHS: EPIC's Reply Brief (Jan. 6, 2011)
EPIC v. DHS: EPIC's Opening Brief (Nov. 1, 2010)
 Key Court Decisions Examine Traditional Warrant Requirements
State and federal courts have been scrutinizing traditional
requirements when applied to cell phones and cell-site data, email, and
law enforcement's use of GPS devices to track individuals.
In People v. Diaz, the California Supreme Court has held that an
exception to the Fourth Amendment permits warrantless searches
person's cell phone following a lawful arrest. In a dissenting opinion,
Judge Werdegar said that the cited exception was intended
warrantless searches of clothing or small physical containers, and that
accessing electronic data storage devices is uniquely
before has it been possible to carry so much personal or business
information in one's pocket or purse."
In a recent
"friend of the court" brief to the Supreme Court, EPIC
explained that modern communications devices contain extensive personal
and should be entitled to privacy protection.
Other courts, however, have expanded protections for subjects of police
The Delaware Superior Court ruled that police must
obtain a warrant before using GPS devices to monitor vehicles, stating
Delaware Constitution protects its citizens' reasonable
expectation of privacy from "constant surveillance." The Court noted
"[e]veryone understands there
is a possibility that on any one occasion
or even multiple occasions, they may be observed by a member of the
public or possibly
law enforcement." But, the Court reasoned further,
"there is not such an expectation that an omnipresent force is watching
move." EPIC filed a "friend of the court" brief in a related
case where the Massachusetts Supreme Court held that a warrant is
for the use of a GPS tracking device.
The Third Circuit Court of Appeals has also strengthened privacy
protections, affirming a decision that the government cannot seize
historical cell-site data without first satisfying strict warrant
requirements. The data identifies the location of the towers nearest to
a mobile phone user at the beginning and end of each call, and is often
more than a year's time. After the government's second
appeal for a rehearing, the Third Circuit once again upheld the
for a higher showing.
In Warshak v. United States, the Sixth Circuit Court of Appeals ruled
that the Constitution establishes greater protections for stored email
than is set out in federal laws. The government had compelled an
provider to reveal 27,000 emails without securing a
warrant or giving notice to the customer, Steven Warshak. The Court held
the seizure violated Warshak's Fourth Amendment rights. The Court
explained that "to the extent that the [law] purports to permit
government to obtain such emails warrantlessly, [it] is
With the Warshak decision, the Sixth Circuit has joined the First
Circuit in finding that email is subject to strong protections under
electronic privacy laws. EPIC joined a group of civil liberties
organizations and Professor Orin Kerr to submit a "friend of the court"
brief in U.S. v. Councilman, a First Circuit case concerning email and
the Wiretap Act. A separate "friend of the court" brief in Councilman
from leading technology experts explained that privacy protection is
"critical for electronic mail."
EPIC: People v. Diaz
City of Ontario v. Quon: EPIC "friend of the court" brief
Delaware v. Holden: Delaware Superior Court Opinion
Commonwealth v. Connolly: EPIC "friend of the court" brief
Protection of Cell-Site Data: 3d Cir. Opinion (Denying Rehearing)
Warshak v. United States: 6th Cir. Opinion
U.S. v. Councilman: EPIC "friend of the court" brief
 Supreme Court to Hear Medical Privacy Case
The Supreme Court will review the Second Circuit Court of Appeals'
decision in Sorrell v. IMS Health Inc. The Second Circuit struck
Vermont's prescription confidentiality law regulating data mining
companies that sell or use doctors' prescribing records containing
personal information on patients.
In the request for review Vermont had argued for the importance of
consistency across state boundaries, listing twenty-six other states
considering proposed prescription confidentiality laws. The Vermont
Attorney General wrote, "As the ability to amass volumes of information
about prospective customers - including health care providers - grows,
States and other regulators need guidance as to the scope of their
ability to allow individual Americans to control access to and use of
The Court of Appeals' decision, which relied on the First Amendment,
diverged significantly from other decisions upholding similar
Maine's prescription privacy law was challenged, the First Circuit
upheld the law, finding that the statute "regulates conduct, not speech,
and even if it regulates commercial speech, that regulation satisfies
constitutional standards." The First Circuit also upheld a similar
prescription confidentiality law prohibiting the sale of prescription
information in New Hampshire. The Supreme Court refused a request to
review the challenge to New Hampshire's law.
EPIC filed a "friend of the court" brief in support of the
at the circuit court level, arguing that the state has a substantial
interest in protecting the privacy of medical records and that the data
miners' de-identification practices do not, in fact, protect patient
privacy. Now that the Supreme Court has granted review of the Second
Circuit's opinion, EPIC plans to submit a second "friend of the court"
brief in further support of Vermont's
IMS Health Inc. v. Sorrell: Petition for Certiorari
IMS Health Inc. v. Sorrell: 2d Cir. Opinion
IMS Health Inc. v. Sorrell: EPIC "friend of the court" brief (2d Cir.)
EPIC: IMS Health v. Sorrell
EPIC: IMS Health v. Ayotte
EPIC: Medical Privacy
 Gallup Poll Shows Public Opposed to Online Tracking
A new Gallup poll released at the end of 2010 has revealed that 67% of
U.S. Internet users do not believe that advertisers should "be allowed
to match ads to your specific interests based on websites you have
visited." Even when confronted with the idea that these targeted ads
could keep costs down for users, 61% of those polled said these tracking
techniques are "not worth the invasion of privacy involved." The poll
surveyed over 1,000 adults living across the United States.
These results indicate that the public may support a Do Not Track
mechanism, similar to that recommended by the Federal Trade Commission
in its 2010 privacy report. Following a series of roundtable
discussions, the Commission endorsed a Do Not Track mechanism that would
be based in Internet browsers and would enable users to opt-out of
third-party web tracking, including behavioral advertising. The report
also called for simplified consumer privacy notices and recommended
a 'privacy by design' approach by building privacy
protections into their everyday business practices."
EPIC participated in the roundtable discussions that preceded the
Commission's report and submitted a statement on the privacy
implications of cloud computing and social networking. EPIC also
submitted a statement to Congress saying that an effective Do Not Track
initiative must ensure that a consumer's decision to opt-out is
"enforceable, persistent, transparent, and simple."
Congress had considered various proposals for a Do Not Track mechanism
in a hearing entitled "Do Not Track Legislation: Is Now the Right Time?"
The House Energy and Commerce Committee Subcommittee on Commerce, Trade,
and Consumer Protection conducted the hearing, which included witnesses
from the Department of Commerce, Federal Trade Commission, Consumer
Federation of America, TimeWarner, and Symantec.
The Gallup poll concluded that "if the FTC moves forward with a 'Do Not
Track' measure that is voluntary for advertisers, Internet users' clear
desire is for advertisers to sign up - and leave decisions about who can
track them squarely in the users' hands."
Gallup Poll: U.S. Internet Users Ready to Limit Online Tracking for Ads
Federal Trade Commission: Privacy Report
FTC Privacy Roundtables
House Energy and Commerce Committee: Do Not Track Hearing (Dec. 2010)
EPIC: Do Not Track Statement (Dec. 2010)
EPIC: Online Tracking and Behavioral Profiling
 News In Brief
EPIC Publishes Year In Review: Reflects on 2010, Predicts New Issues
EPIC has released the 2010 Privacy Year In Review. The EPIC
Review examines the top privacy issues from 2010 and predicts the
privacy headlines of 2011. Top stories for 2010 included
screening, Google Streetview, and Facebook Privacy Settings, and Do Not
Track proposals. For 2011, EPIC predicts that
the privacy hot topics
will be "Smart Grid," Privacy Legislation, Biometric identifiers, and
the push for a comprehensive international
EPIC: 2010 Privacy Year In Review
Electronic Privacy Information Center
EPIC: Top News Archive
Court Grants Government Motion in EPIC Body Scanner FOIA Lawsuit
A federal district court has granted the Department of Homeland
Security's motion to conclude one of EPIC's Freedom of Information Act
lawsuits. EPIC was seeking more than 2,000 images generated by airport
body scanners held by the TSA. The DHS objected to the disclosure
the court sided with the government. The court relied on a legal theory,
"Exemption High (b)(2)" that is currently under review by the Supreme
Court in Milner v. Dept. of Navy. As a result of this lawsuit, EPIC
obtained many documents concerning the airport
including Procurement Specifications, Operational Requirements, traveler
complaints, and vendor contracts with L3 and Rapiscan, that were
subsequently made available to the public. EPIC may appeal the district
court's decision as to the release of the body scanner images.
EPIC v. DHS: D.C. District Court Opinion
EPIC v. DHS: DHS Motion for Summary Judgment
EPIC: EPIC v. DHS (Body Scanners)
EPIC: Milner v. Department of Navy
EPIC: TSA Procurement Specifications Document (September 23, 2008)
EPIC: TSA Operational Requirements Document (July 2006)
EPIC: TSA Traveler Complaints
EPIC: TSA Contract with L3
EPIC: TSA Contract with Rapiscan (1)
EPIC: TSA Contract with Rapiscan (2)
EPIC: Body Scanners
Organizations Join to Fight for International DNA Database Legislation
The Council for Responsible Genetics, GeneWatch UK,
International have announced human rights standards for DNA database
legislation. A GeneWatch UK report identifies potential
areas of DNA
abuse, including unlawful tracking of individuals, genetic
discrimination, and unauthorized access to private information.
organizations have proposed limits on when genetic information can be
obtained and stored. According to the Council for Responsible
at least 56 countries operate national DNA databases. In the United
States, databases are maintained by all 50 states as well as the Federal
Bureau of Investigation.
Council for Responsible Genetics
Council for Responsible Genetics: National DNA Databases
GeneWatch UK: Forensic DNA Databases and Human Rights
"Litigation Under the Federal Open Government Laws 2010," edited by
Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full texts of major privacy laws and directives such as
the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy
Guidelines, as well as an up-to-date section on recent developments. New
materials include the APEC Privacy Framework, the Video Voyeurism
Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Digital Privacy Forum. Mediabistro, New York, NY, 20 January 2011. For
More Information: http://www.mediabistro.com/digitalprivacyforum/.
"Privacy in the Age of Mobile Broadband: Government, Industry, and
Consumer Perspectives on Creating a New Privacy Paradigm." Federal
Communications Bar Association, Washington, D.C., 25 January 2011. For
More Information: http://www.fcba.org/.
"Computers, Privacy, and Data Protection Conference European Data
Protection: In Good Health?" Brussels, Belgium, 25-28 January
More Information: http://www.cpdpconferences.org/.
"Data Protection Day: Don't Let Them Know All About You," Screening,
Exhibition, and Discussion. Toldi Cinema, Budapest, Hungary,
2011. For More Information: http://www.pet-portal.eu/gallery.
Privacy Party. Brussels, Belgium, 28-29 January 2011. For More
"Data Protection Day: Joint High Level Meeting." Brussels, Belgium, 28
January 2011. For More Information:
"The Technology of Privacy: When Geeks Meet Wonks." Google, Washington,
D.C., 28 January 2011. For More Information:
"All Access Shred Day." Locations Across the United States, 28 January
2011. For More Information:
Federal Bar Association: Transportation Security Law Section and
Transportation Security Administration. Transportation Security
Administration Headquarters - Town Hall, Washington, D.C., 1 February
2011. For More Information: Adrienne Woolley, FBA, email@example.com.
Smart Grid Summit: "Personal Privacy - Who Left the Fridge Door Open?"
Miami Beach Convention Center, Miami, FL, 2-3 February 2011.
"The Tenth Workshop on Economics of Information Security." The George
Mason University, 14-15 June 2011. For More Information:
"Computers, Freedom, and Privacy 2011." Georgetown Law Center,
Washington D.C., 14-16 June 2011. For More Information:
Join EPIC on Facebook
Join the Electronic Privacy Information Center on Facebook
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.01 ------------------------