EPIC Alert 18.11 [2011] EPICAlert 11

======================================================================= E P I C A l e r t ======================================================================= Volume 18.11 June 7, 2011 ----------------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. "Defend Privacy. Support EPIC." ======================================================================= Table of Contents ======================================================================= [1] EPIC Files Suit for Details on Mobile Body Scanners [2] EPIC Calls Proposed Student Privacy Exemptions "Unlawful" [3] PATRIOT Act Extension Passes [4] DHS Plans to Store EU Passenger Data for 15 Years [5] EPIC Tells FTC To Step Up Enforcement Against Debt Collectors [6] News in Brief [7] EPIC Book Review: "Alone Together" [8] Upcoming Conferences and Events TAKE ACTION: Computers, Freedom, & Privacy 2011! - REGISTER to attend: - LIKE the page on, FOLLOW it on Twitter @cfp11! - SUPPORT EPIC EPIC 2011 Champion of Freedom Awards Dinner with danah boyd, Jeffrey Rosen, Rep. Jason Chaffetz, and Rep. Rush Holt Washington D.C. June 13, 2011 Register: ======================================================================= [1] EPIC Files Suit for Details on Mobile Body Scanners ======================================================================= EPIC has filed a Freedom of Information Act (FOIA) lawsuit against the Department of Homeland Security for unlawfully withholding documents concerning mobile body scanners. These mobile scanners can be used to monitor crowds, peering under clothes and inside bags. The Department has detailed plans for these scanners to be used in mass transit systems such as subways, as well as on highways, pipelines, and freight rails. EPIC has previously obtained FOIA documents in this matter indicating that the Department has already spent millions to procure mobile scanning devices. 
The records also detail use of body scanners on New York and New Jersey subway trains in 2006. During this period, the Department saved the images of individuals and transmitted copies to body scanner vendors. Subway riders had no opportunity to avoid the scans or control distribution of the so-called digital strip search images. These documents also describe plans to expand the use of full body scanner systems at public gatherings and sporting events. EPIC's suit asks a Federal court to order disclosure of nearly 1,000 pages of additional records detailing the controversial program - records the Department has thus far refused to make public. EPIC also has an ongoing lawsuit to suspend the contentious airport body scanner program. EPIC has also pursued a FOIA lawsuit against the Department of Homeland Security for access to images produced by the machines. EPIC obtained DHS documents that revealed that the Department expressly required that the full body scanners be able to store and transmit images. The Department has admitted to possessing around 2,000 stored images produced by the machines, but refuses to turn them over. In 2010, EPIC challenged the use of airport body scanners in Federal court. EPIC asked the court to suspend the program, calling the devices "invasive, ineffective, and unconstitutional." The lawsuit is pending. EPIC: EPIC v. DHS (Civil Action No. 10-1157) (May 20, 2011) House of Representatives: Testimony of Dr. D. Brenner (Mar. 16, 2011) EPIC: EPIC v. DHS (Body Scanners) EPIC: EPIC v. DHS (Suspension of Body Scanner Program) EPIC: Whole Body Imaging Technology EPIC: Mobile Body Scanner Documents Obtained from DHS EPIC: FOIA Request (Mobile Body Scanners) (Nov. 
24, 2010) ======================================================================= [2] EPIC Calls Proposed Student Privacy Exemptions "Unlawful" ======================================================================= EPIC submitted a statement to the Department of Education in response to a request for public comment on the agency's proposal to expand exemptions in the Family Educational Rights and Privacy Act of 1974. EPIC opposes the proposed changes, stating that the federal agency lacks the legal authority to remove privacy protections for student data. Under the proposal, student records would include information about prescribed medicine, psychological and developmental tests, and "problems in a child's and family's living situation." The agency claimed that the American Recovery and Reinvestment Act of 2009, which allocated funds for tracking educational information, demonstrated "Congress's intent in the ARRA to have States link data across sectors." EPIC cited the plain language of the Family Educational Rights and Privacy Act, as well as statements from the legislative record in the Senate, to demonstrate that Congress actually anticipated and prohibited the proposed expansions. Rather than expanding exemptions, EPIC urged the agency to "develop clear, enforceable, and objective standards that reflect Congress's intent to protect student data from non-academic programs." EPIC also objected to a proposal that educational facilities be allowed to disclose student ID numbers. EPIC filed a friend of the court brief in a pending Supreme Court case detailing the myriad consequences of disclosing unique identifiers to the general public. "Re-identification" has been shown to aid investigative reporters, and can also expose individuals to unwanted disclosures material to criminal or divorce proceedings. EPIC urged the Department to precede any expansion of third-party access to student information with a comprehensive security assessment. 
Such an assessment would have to demonstrate that expansion would not alter any baseline risk of identity theft, student re-identification, or unlawful disclosure of sensitive student data. EPIC concluded that the Department of Education's proposed regulatory changes were unlawful. EPIC urged the agency to withdraw its proposal as contrary to law and exceeding the scope of the Department's rulemaking authority. EPIC anticipates the agency's specific and substantive responses to its comments, which are required under law. EPIC: FERPA Comments (May 23, 2011) Federal Register: FERPA Notice of Proposed Rulemaking (April 8, 2011) EPIC: Student Privacy ======================================================================= [3] PATRIOT Act Extension Passes ======================================================================= On May 26, the PATRIOT Act received another extension. The controversial law, passed shortly after September 11, 2001, expanded the authority of law enforcement and intelligence agencies to monitor private communications and access personal information. Among other provisions, the PATRIOT Act amended the Foreign Intelligence Surveillance Act (FISA) to allow the FBI to use National Security Letters in place of court-approved warrants. Several senators attempted to add amendments to the bill that would have improved oversight and privacy protections. Senator Patrick Leahy (D-VT) proposed adoption of an amendment that would establish new privacy and civil liberties safeguards. The amendment, co-sponsored with Senator Rand Paul (R-KY), would sunset National Security Letter (NSL) authority, mandate public reporting requirements, and create other protections. A similar amendment was endorsed by a majority of the Senate Judiciary Committee earlier this year. The amendment, however, did not pass. 
Senators Ron Wyden (D-OR) and Mark Udall (D-CO), who serve on the Senate Intelligence Committee, warned that the government conducts surveillance based on a "secret interpretation" of the PATRIOT Act, apparently involving Section 215, which cannot be discussed publicly because it is classified. The senators proposed an amendment to create more oversight and address this problem, but this amendment, too, failed to pass. EPIC has obtained over 1,500 pages of government documents concerning PATRIOT Act abuses via a related Freedom of Information Act lawsuit against the Department of Justice. Recent reports show that in 2010, 24,287 NSLs were issued, up 64% from the previous year. EPIC: USA PATRIOT Act EPIC v. DOJ: Freedom of Information Documents on the USA PATRIOT Act USA PATRIOT Act (H.R. 3162) S. 1038 (Amendment Proposed by Senators Leahy and Paul) S. 1038 (Amendment Proposed by Senators Wyden and Udall) ======================================================================= [4] DHS Plans to Store EU Passenger Data for 15 Years ======================================================================= A draft agreement between the United States and the European Union would allow the U.S. Department of Homeland Security to store passenger data for up to fifteen years. The draft allows the US to use its automated data-mining programs to analyze passenger data collected by airlines. This data would include names, addresses, phone numbers, and credit card information, as well as ethnic origin, political opinions, and details of a passenger's health or sex life. The fifteen-year time period in the proposed agreement is three times the length allowed under Europe's existing Passenger Name Record (PNR) regime. Members of the European Parliament have said that the draft agreement violates both fundamental rights and data protection laws. 
The US Senate passed a resolution last week describing the sharing of passenger data with the EU as an "important part of our layered defenses against terrorism," and saying it would not accept any weakening of the agreement. A provisional agreement on sharing airline passenger data was implemented in 2007 and was heavily debated in Europe. That agreement reduced the 34 pieces of data on passengers now collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. The agreement also provided EU citizens with access to PNR information, consistent with the provisions in the US Privacy and the Freedom of Information Acts. The European Data Protection Supervisor, in response to that agreement, outlined four areas of grave concern: the lengthened retention period for PNRs, the US's use of letters to avoid a binding agreement, the lack of a robust system of redress, and the possibility of US data sharing between an undisclosed number of agencies. An earlier EU-US agreement on Passenger Name Records was struck down by the European Court of Justice in 2004. The Court found that there was no authority to enter into this Agreement. The Guardian: US-EU Passenger Data Sharing Agreement (May 26, 2011) EPIC: PNR Agreement (June 28, 2007) European Union: Passenger Name Records European Court of Justice: Press Release (May 30, 2006) Senate Committee: Homeland Security Resolution (May 19, 2011) EPIC: EU-US Airline Passenger Data Disclosure ======================================================================= [5] EPIC Tells FTC to Step Up Enforcement Against Debt Collectors ======================================================================= On May 27, EPIC submitted a detailed statement to the Federal Trade Commission urging the agency to enforce existing regulations on the debt collections industry. 
EPIC argued that the Commission should better police the debt industry, as well as the data brokers who collect the information used to track down consumers. EPIC emphasized that Congress authorized the agency to protect consumer privacy and to prevent abuse through rigorous enforcement. EPIC's statement focused on three separate sets of regulations the agency should enforce. The Fair Debt Collection Practices Act gives the FTC enforcement power to stop debt collectors from revealing information about a consumer's debt to other parties, including family members and friends. The Gramm-Leach-Bliley Act provides an affirmative duty for debt collectors to protect any consumer information they obtain. The Federal Trade Commission Act gives the FTC authority to bring sanctions against companies engaged in unfair or deceptive trade practices. EPIC detailed the debt collection industry's recent history of systematically violating each of these laws in the face of lax enforcement. In 2004, EPIC filed a complaint with the agency after data broker ChoicePoint's security deficiencies compromised the sensitive personal data of more than 163,000 consumers. In 2008, data brokers Reed Elsevier and Seisint provided unauthorized access to criminal actors who retrieved sensitive information from 316,000 individuals, used that information to activate credit cards, and then made fraudulent purchases. In 2009, consumers launched three separate lawsuits against debt collectors for violating their online privacy on social networking sites; one debt collector working for Auto Financing Network even created a website about a consumer's debt, entitled "Jennifer Dicks isn't paying for her Cavalier!" In 2010, the Department of Justice brought down the directors of a large debt collection firm who transferred sensitive information, including Social Security numbers, to a fraudulent scheme. 
EPIC's statement follows a groundswell of serious consumer complaints, including tens of thousands of reports informing the FTC that debt collectors are violating the law by disclosing sensitive information to third parties and harassing them. EPIC laid out a detailed plan of action for the Agency moving forward, stating that "[t]he FTC must develop proactive regulations and take meaningful enforcement actions with effective sanctions." EPIC recommended binding legal rules that require companies to implement commonsense security measures; regulations against harassing consumers via email, text messaging, or social networking sites; and a prohibition against using Social Security numbers as primary identifiers. The Commission will review EPIC's statement and other responses to its public request for comments, and plans to produce a substantive response in the upcoming months. EPIC: Debt Collection Comments (May 27, 2011) Federal Trade Commission: Debt Collection 2.0 Workshop (Apr. 28, 2011) Federal Register: Debt Collection NPRM (Mar. 15, 2011) EPIC: ChoicePoint EPIC: Identity Theft ======================================================================= [6] News in Brief ======================================================================= House Examines White House Cybersecurity Proposal The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Melvin Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. 
In the past, EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. White House: Cybersecurity Legislation Proposal White House: 2009 Cyberspace Policy Review House Oversight Committee: Cybersecurity Hearing (May 25, 2011) House Judiciary Committee: Cybersecurity Hearing (May 25, 2011) EPIC: Testimony on Cybersecurity (July 15, 2010) EPIC: Patriot Act EPIC: Cybersecurity and Privacy EPIC: National Strategy for Trusted Identities in Cyberspace FCC and FTC Announce Public Meeting on Locational Privacy The Federal Communications Commission and the Federal Trade Commission will co-host a Location Based Services Forum on June 28, 2011. The event will include representatives from industry, consumer advocacy groups, and academia discussing the benefits and risks of location based services and industry best practices. The agencies are calling for public comment on location based services. EPIC previously submitted comments to the FCC on locational privacy in 2001 and 2006, requesting that the Commission establish guidelines for the protection of users' locational privacy. In 2010, EPIC specifically warned two Congressional committees about the privacy risks of location services in mobile phones. FCC: Location-Based Services Forum FCC: Public Notice Regarding Location Based Services Forum EPIC: Comments to the FCC (Apr. 6, 2001) EPIC: Comments to the FCC (Apr. 14, 2006) EPIC: Statement on ECPA EPIC: Locational Privacy Senate Holds Hearing on Privacy and Mobile Services On May 19, the Senate Commerce Committee held a public hearing entitled "Consumer Privacy and Protection in the Mobile Marketplace." Chairman Jay D. Rockefeller IV (D-WV) said that users of mobile services have "an expectation of privacy ... 
a right to privacy" but that the "mobile marketplace is so new and technology is moving so quickly that many consumers do not understand the privacy implications of their actions." The FTC's David Vladeck stated that consumers face new threats in the mobile marketplace and described the Agency's recent actions against Twitter and Google. Also present were representatives from Facebook, Apple, Google, and consumer groups. In 2010, EPIC recommended new privacy safeguards for location data. Senate Commerce Committee Senate Commerce Committee: Hearing (May 19, 2011) Senate Commerce Committee: Rockefeller Statement (May 19, 2011) Senate Commerce Committee: David Vladeck Statement (May 19, 2011) EPIC: Statement to House on Location Information (Feb. 24, 2010) EPIC: Locational Privacy European Privacy Officials Release New Report on Mobile Privacy A report from the Data Protection Working Party on Geolocation Services and Smart Mobile Devices recommends new privacy safeguards, including limitations on data collection and retention. Other recent reports from the Data Protection Working Party cover such topics as Data Breaches, Smart Meters, and RFID Applications. Article 29 Data Protection Working Party Data Protection Working Party: Mobile Device Geolocation (May 16, 2011) Data Protection WP: EU Personal Data Breach Framework (Apr. 5, 2011) Data Protection Working Party: Opinion: Smart Metering (Apr. 4, 2011) Data Protection WP: Opinion: RFID Applications (Feb. 11, 2011) EPIC: International Privacy Standards EPIC Briefing Explores Google Street View and Wi-Fi Privacy On May 18, EPIC hosted a Capitol Briefing on "Street View, Privacy & the Security of Wireless Networks." The luncheon symposium featured a panel with FTC Director of Consumer Protection David Vladeck, former FTC Commissioner Pamela Jones Harbour, and other Wi-Fi experts, including Skyhook, Inc. CEO Ted Morgan, who explained the fine points of wi-fi scanning. 
Many countries have launched investigations of Google Street View after it was discovered that Google had unlawfully collected wi-fi data and intercepted private communications traffic. EPIC has recommended that the US Federal Communications Commission undertake its own investigation. Numerous participants live-tweeted the event at #wifiprivacy. Street View, Privacy, & the Security of Wireless Networks (May 18, 2011) EPIC: Street View EPIC: FTC ======================================================================= [7] EPIC Book Review: "Alone Together" ======================================================================= "Alone Together: Why We Expect More from Technology and Less from Each Other," Sherry Turkle Some people like the idea of being under surveillance, because it suggests that someone cares about us. Being seen means we are not insignificant or alone. In the same way, some people are gratified by a certain amount of exposure. It feels like validation, not violation. Technology now gives us more and more of what we think we want, but, as Sherry Turkle explains, we are starting to display symptoms born of isolation and abandonment. Her book "Alone Together: Why We Expect More from Technology and Less from Each Other" is about shifting cultural expectations of technology. It's common to see people answering their cell phones in restaurants, even when they're dining with others. It is as if, when we get together, we are being treated as if we are not there. Turkle, a professor at MIT, goes a step further and observes that being alone has become a precondition for being together. Tired of having your conversation partners turn away from you and toward their gadgets? The response seems to be to seek solitude: Commune with your real friends by isolating yourself with your laptop. In addition to documenting the incalculable hidden costs of connectivity, Turkle does a fine job of elucidating the politics of privacy. 
She quotes Churchill: "We shape our buildings; thereafter, they shape us." As the panopticon serves the correctional interests of the State, digital devices are being deployed to serve the interests of a disciplinary society and a patronizing government. We have made our technology, and it is shaping us as well. -- Grayson Barber ================================ EPIC Publications: "Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75 Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years. ================================ "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. 
Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75. This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. 
================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: ======================================================================= [8] Upcoming Conferences and Events ======================================================================= "Hyper-Public: A Symposium on Designing Privacy and Public Space in the Connected World." 9-10 June 2011, Harvard University. For More Information: "Health Privacy Summit." Georgetown Law Center, Washington, D.C., 13 June 2011. For more information: "EPIC Champion of Freedom Awards Dinner." The Fairfax at Embassy Row, Washington, D.C., 13 June 2011. For More Information: "The Tenth Workshop on Economics of Information Security." The George Mason University, 14-15 June 2011. For More Information: "Computers, Freedom, and Privacy 2011." Georgetown Law Center, Washington D.C., 14-16 June 2011. For More Information: "Online Tracking Protection and Browsers." Brussels, Belgium, 22-23 June 2011. For More Information: ICANN Board Meeting. Singapore. 19-24 June 2011. For More Information: "Aligning Privacy Accountability with your Business Strategy:" Privacy Laws and Business 24th Annual International Conference. St. John's College, Cambridge, United Kingdom, 11-13 July 2011. For More Information: EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. 
For More Information: Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information: ======================================================================= Join EPIC on Facebook ======================================================================= Join the Electronic Privacy Information Center on Facebook Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC. ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). 
======================================================================= Donate to EPIC ======================================================================= If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at: Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers. Thank you for your support. ======================================================================= Subscription Information ======================================================================= Subscribe/unsubscribe via web interface: Back issues are available at: The EPIC Alert displays best in a fixed-width font, such as Courier. ------------------------- END EPIC Alert 18.11 ------------------------