EPIC Alert 18.12
E P I C A l e r t
Volume 18.12 June 21, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC's FTC Complaint Urges Probe of Facebook's Facial Recognition
 EPIC Testifies Before Congress on Data Breach Legislation
 Court Awards Funds to EPIC in Google Buzz Case
 EU Data Supervisor Suggests Repeal of Data Retention Directive
 House Passes Budget for TSA, Cuts Funding for Body Scanners
 News in Brief
 EPIC Book Review: "Virtual Freedom"
 Upcoming Conferences
TAKE ACTION: Facebook Privacy 2011!
- READ EPIC's complaint to FTC: http://epic.org/redirect/0611FBFTC.html
- WATCH EPIC on ABC Nightline: http://epic.org/redirect/0611FB.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC's FTC Complaint Urges Probe of Facebook's Facial Recognition
EPIC and several other privacy organizations,
including the Center for
Digital Democracy, Consumer Watchdog, and the Privacy Rights
Clearinghouse, have filed a complaint with
the Federal Trade Commission
over Facebook's new facial recognition system. Alleging that the
feature constituted an "unfair and
deceptive" business practice, EPIC
urged the FTC to launch an immediate investigation into Facebook's
including determining the extent of
potential harm to consumer privacy and safety, and requiring stronger
privacy protections for
Facebook's new automated tagging feature uses facial recognition
software to identify individuals in users' photographs.
In the FTC complaint, EPIC alleged that "[u]sers could not reasonably
have known that Facebook would use their photos to build a
database in order to implement a facial recognition technology under
the control of Facebook." Even if a user is able to
opt-out of being
tagged in photos, there is no way to opt-out of being added to
Facebook's facial recognition biometric database
Data-protection officials from the European Union have launched their
own investigation into Facebook's facial-recognition
system, via the
directives of the EU's Article 29 Data Protection Working Party. The
privacy regulation bodies of both the UK and
Ireland have indicated
interest in beginning similar probes.
The State of Connecticut's Attorney General, George Jepsen, has
raised concerns over the Facebook system. In a June 16
press release, he stated that he had contacted Facebook directly
EPIC: Facebook Complaint (June 10, 2011)
EPIC: Facebook Privacy
EPIC: Facial Recognition
Facebook: Making Photo Tagging Easier
European Union: Article 29 Data Protection Working Party
CT AG: Press Release on Facebook Facial Recognition (June 16, 2011)
 EPIC Testifies Before Congress on Data Breach Legislation
EPIC Executive Director Marc Rotenberg testified before
a House Energy
and Commerce subcommittee on June 15 regarding proposed legislation
that would require greater protection for sensitive
consumer data and
timely notification in case of breach. EPIC recommended modifications
to the SAFE Data Act, but supported the overall
goal of limiting harm
to consumers who are victims of data breaches.
The SAFE Data Act was introduced by Representative Mary Bono
(R-CA), Chair of the Subcommittee on Commerce, Manufacturing and Trade.
Under the proposed legislation, companies are required
to assess and
address vulnerabilities within their systems and participate in data
minimization practices such that only
"reasonably needed for legitimate business purposes" should be
retained. The bill also requires law enforcement
and the Federal Trade
Commission to be notified within 48 hours of discovery of a data breach.
If a security assessment suggests
that the data breach "presents a
reasonable risk of identity theft, fraud, or other unlawful conduct",
the company must notify all
affected US customers within 48 hours.
The legislation does not allow a private cause of action against a
company, although the FTC
and state attorneys general are empowered to
enforce the statute.
EPIC's Rotenberg urged the Subcommittee to adopt language that
create a data minimization requirement: "If you can't protect it, don't
collect it." He also agreed with the 48-hour requirement
notification. However, he stated, companies should not have the
discretion to determine whether a particular data breach presented
"reasonable risk of identity theft, fraud, or other unlawful conduct";
instead, notification should be routine. Mr. Rotenberg
changes to the definition of "Personal Information" to apply to all
unique information, regardless of other information
taken with it,
including Social Security numbers and Facebook user IDs.
EPIC's testimony included examples of breaches at Southern
Medical-Legal Consultants, affecting 300,000 consumers; Citigroup
(200,000 customers); PlayStation Network, (100 million
Epsilon (up to 100 million customers).
Marc Rotenberg, Testimony on the SAFE Data Act, June 15, 2011
Subcommittee on Commerce, Manufacturing and Trade Hearing on (H.R. ___)
Discussion Draft of the SAFE Data Act (H.R. ____)
United States House of Representatives: Congresswoman Mary Bono Mack
EPIC: Identity Theft
 Court Awards Funds to EPIC in Google Buzz Case
A Federal district court in California overseeing the Google Buzz
class-action case has revised a proposed settlement agreement
that EPIC receives a portion of the cy pres settlement funds.
"Cy pres" ("as near as possible") is a legal doctrine
courts to allocate funds to protect the interests of individuals in a
class action settlement.
In February 2011, the
Court ordered distribution of settlement funds to
organizations "who would reasonably benefit the class through
privacy education and policy programs." EPIC's
complaint to the Federal Trade Commission about Google Buzz resulted in
privacy safeguards for Google users; however, the
original settlement proposed by class action attorneys excluded EPIC
On May 31, Northern California District Court Judge James Ware held
that "the Court does not find good cause to
exclude EPIC from the list
of recipients of the cy pres funds." The court revised the settlement
agreement to reallocate the cy pres
funds, and awarded EPIC $500,000.
Executive Director Marc Rotenberg spoke on EPIC's behalf: "We
appreciate the court's recognition
of EPIC's important work."
In re: Google Buzz: Final Approval of Settlement (May 31, 2011)
FTC: "Deceptive Privacy Practices in [Google Buzz]" (Mar. 31, 2011)
EPIC: Google Buzz Complaint (Feb. 2010)
EPIC: Google Buzz Supplemental Complaint (Mar. 2010)
EPIC: In re: Google Buzz
 EU Data Supervisor Suggests Repeal of Data Retention Directive
European Union Data Protection Supervisor Peter
Hustinx has raised the
possibility of repealing Europe's Data Retention Directive, which
requires telecommunication companies and
Internet service providers to
retain user data for law enforcement purposes. The Directive applies
to traffic and location data and
the "related data necessary to
identify" a user. Each EU member state must retain this data for a
period of six months to two years
from the date of the user's
The Directive also requires each EU member state to enact procedures
that grant law enforcement
access to the data. According to Hustinx,
the Directive does not provide clear guidance about why this data must
be retained or who
will have access to it.
Similarly, Hustinx believes that the Directive does not sufficiently
justify the necessity of the data retention,
lacks foreseeability, and
is overly intrusive. He also notes that statistics on access requests
indicate that a retention period
of up to two years "goes far beyond"
what is necessary. In light of these concerns, Hustinx has asked the
European Commission to
consider all other options, "including the
possibility of repealing the Directive."
Hustinx also states that this data retention
interferes with the right
to privacy as defined in articles of both the European Convention of
Human Rights and the European Union
Charter of Fundamental Rights.
EPIC has opposed data retention obligations and has specifically
recommended data minimization techniques
to safeguard the
privacy and security of Internet users.
European Parliament and EU Council: 2006 Data Retention Directive
EU Data Protection Supervisor: View of Data Directive (May 31, 2011)
European Court of Human Rights: European Convention on Human Rights
European Union: Charter of Fundamental Rights
EPIC: Data Retention
EPIC: EU Data Protection Directive
 House Passes Budget for TSA, Cuts Funding for Body Scanners
The House approved the 2012 budget for the Transportation
Administration, cutting $270 million from the amount originally
requested by the Agency. The cuts include $76 million that
designated for the purchase of 275 airport body scanners. Leading
lawmakers and consumer activists have called attention
to the health
risks associated with the scanners, as well as their invasiveness.
Representative Jason Chaffetz (R-UT) criticized
the machines as "slow"
In 2005, the TSA began testing body scanners to screen air travelers.
Body scanners produce
detailed three-dimensional images of individuals.
Security experts have described whole body scanners as the equivalent
of "a physically
invasive strip-search." The agency operates the body
scanner devices at airports throughout the United States; as of early
nearly 80 US airports had installed the scanners, with many
more deployments planned.
In 2010, EPIC filed a lawsuit to suspend the
deployment of body
scanners at US airports. EPIC subsequently obtained documents
establishing that the TSA required the machines
to be capable of
storing, recording, and transferring detailed images of naked air
travelers, contrary to the Agency's public claims.
EPIC asserts that
the Agency's controversial program violates the Administrative
Procedures Act, the Privacy Act, the Religious Freedom
the Video Voyeurism Prevention Act, and the Fourth Amendment.
On June 10, the Campaign for Liberty hosted the "Ban the Scan" rally
New York, featuring anti-scanner activist and former Miss USA, Susie
Castillo. The Campaign is working to eliminate body scanners
York City. Rep. Chaffetz and Ms. Castillo were among the recipients of
EPIC's 2011 Champion of Freedom Awards.
Representatives: DHS Appropriations Act, 2012 (June 6, 2011)
Reuters: Number of Body Scanners in US Airports
EPIC: Whole Body Imaging Technology
EPIC: EPIC v. DHS (Body Scanners)
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)
EPIC: Annual Champion of Freedom Awards
 News in Brief
21st Annual Computers, Freedom & Privacy: "The Future is Now"
EPIC hosted this year's Computers, Freedom & Privacy conference,
in Washington DC, from June 14-16. More than 300 attendees
participated in over 100 panels and events at the Georgetown University
Law Center. Senator Patrick Leahy (D-VT) gave the keynote speech, which
centered around the importance of continuing the privacy
debate and his
efforts to update the Electronic Communications Privacy Act. CFP
features panels with top government decision makers,
researchers and leading experts in cybersecurity and privacy worldwide.
Computers Freedom & Privacy: Main Page
EPIC: Senator Leahy Introduces Bill to Update Digital Privacy Law
Twitter: Computers, Freedom & Privacy 2011
Privacy Advocates Receive 2011 EPIC Champion of Freedom Awards
At the 2011 EPIC awards dinner, Congressman Jason Chaffetz (R-UT),
Congressman Rush Holt (D-NJ), The Wall Street Journal, and TV actress
and former Miss USA, Susie Castillo received the EPIC awards
defense of civil liberties and human rights, and for raising public
awareness of new challenges to privacy. Representative
meaningful oversight of the Transportation Security Administration and
helped strengthen the Freedom of Information Act. Representative Holt
is a leading champion for Patriot Act reform. The Wall Street Journal's
investigative series "What They Know"
exposed how the world's most
popular web sites secretly track and monitor consumers' online
behavior. Jeffrey Rosen and danah boyd
cohosted the event in
Washington, D.C. Ralph Nader presented the EPIC Citizen Activist award
to Susie Castillo, a leading advocate
for the dignity of air travelers.
EPIC: Champion of Freedom Awards Dinner
Congressman Chaffetz: Representing the 3rd District of Utah
Representative Rush Holt: Serving New Jersey's 12th District
Wall Street Journal: "What They Know Series" (2010)
Susie Castillo: Susie's TSA Petition to Congress
EPIC, Others Urge Homeland Security to Stop National ID System
EPIC and a coalition of privacy, consumer rights, and civil rights
organizations have filed a statement to the Department of Homeland
Security in opposition to the proposed expansion of the employment
verification system, "E-Verify." The agency announced plans to
incorporate state driver license records into the information
by E-Verify, which could significantly expand the use
of the Homeland Security database. The coalition claims that the DHS
is unlawful and is analogous to the REAL ID Act, which has
been rejected by 24 states as of Feb. 2011. EPIC has testified before
Congress and published a "Spotlight on Surveillance" report about
EPIC: Comments on E-Verify (June 8, 2011)
Federal Register: Notice on E-Verify (May 9, 2011)
EPIC: Testimony on E-Verify (June 7, 2007)
EPIC: Spotlight on Surveillance (July 2007)
Congressman Markey Commends EPIC for Filing Facebook Complaint
Congressman Ed Markey (D-MA) expressed support for the complaint
by EPIC and other consumer groups over Facebook's new automated photo-
tagging feature. In a published statement, Congressman
"The Federal Trade Commission should investigate this important privacy
matter, and I commend the consumer groups for
their filing. When it
comes to users' privacy, Facebook's policy should be: 'Ask for
permission, don't assume it.' Rather than facial
should be a Facebook recognition that changing privacy settings without
permission is wrong. I encourage the FTC
to probe this issue and will
continue to closely monitor this issue." EPIC and affiliated groups now
have several complaints regarding
Facebook pending at the FTC.
Rep. Ed Markey: Markey Supports Consumer Groups (June 13, 2011)
EPIC: Facebook Complaint (June 10, 2011)
EPIC: Facebook Complaint (Dec. 17, 2009)
Senator Leahy Introduces Data Privacy Bill
Senator Patrick Leahy (D-VT) has introduced the Data Privacy Bill
of 2011, which is
aimed at increasing protection for Americans'
personal information and privacy in the realm of electronic
communications. The bill
establishes a national security breach
notification standard, and requires businesses to safeguard consumer
information and allow
consumers to correct inaccurate information.
Senator Leahy previously sponsored the Personal Data Privacy and
Security Act in 2005
and has introduced similar legislation in the last
three Congresses. Senator Leahy also recently commended EPIC's work at
Freedom & Privacy" conference in Washington D.C.
Sen. Patrick Leahy: Data Privacy Bill of 2011
S. 1332: Personal Data Privacy and Security Act of 2005
EPIC: Identity Theft
Sen. Leahy: Press Release of Data Privacy Bill of 2011 (May 17, 2011)
Whitehouse.gov to Track Users for Two Years
whitehouse.gov. The new
policy, which, at nearly 3,500 words, is more
than twice as long as the former version, states the White House web
site now uses
persistent Google Analytics cookies that track users for
up to two years. Previously, whitehouse.gov employed only
cookies, which were automatically deleted when users
closed their browsers. The site does not provide a means for visitors
out of receiving cookies. This new policy reflects changes the
Obama Administration made in 2010, permitting Federal web sites to
collect user information for later use.
White House: Our
OMB: Guidance for Use of Web Measurement and Customization Tools
EPIC: Internet Cookies
EPIC: Privacy and Consumer Profiling
Privacy Study: More Americans Distrust Big Business than Big Government
In June, the Center for the Digital Future at the University
Southern California's Annenberg School released the "2011 Digital
Future Report". The annual survey of 1,926 Americans ages 12
found that 48% of Internet users are concerned about companies tracking
their online activities, while only 38% are concerned
monitoring. "Many of us are worried that the Big Brother in our lives
is actually Big Business," says Jeffrey I.
Cole, Director of the Center
for the Digital Future. However, the study found only 33% of Internet
users believe it safe to voice
their political opinions online. The
report also found limited enthusiasm for online voting. The study's
results are consistent with
EPIC's previous coverage of public opinion
research, reflecting widespread concern about both private sector and
Center for the Digital Future: 2011 Digital Future Report Press Release
Center for the Digital Future: 2011 Digital Future Report
EPIC: Public Opinion on Privacy
EPIC: Privacy and Consumer Profiling
Ontario Privacy Commission: De-Identification Still Valid Privacy Tool
Ontario, Canada's Information and Privacy Commissioner,
has released a report stressing that de-identification of consumer
information remains a powerful tool for safeguarding
privacy. In her
report, "Dispelling the Myths Surrounding De-identification:
Anonymization Remains a Strong Tool for Protecting Privacy,"
and co-author, University of Ottawa Medical School professor Khaled
El Emam, refute arguments that all data can be "re-identified"
specific individual with little effort; rather, they claim,
anonymization and de-identification of medical data can protect
sensitive patient records. Although the report focuses on medical data
collection, Cavoukian and El Emam state, "the same arguments
the broader context of personal information." EPIC has advocated
against the re-identification of data, most recently in
Supreme Court case "IMS Health v. Sorrell."
Ottawa Privacy Commissioner: Report on De-Identification
EPIC: Resources on Re- and De-Identification
EPIC: IMS Health v. Sorrell
UNESCO Calls for Proposals re: Global Internet Privacy Research
UNESCO has submitted a call for proposals to conduct research
Internet privacy, regulation, and legal protections worldwide. Areas
of focus include Africa, the Arab States, Asia/Pacific, Europe/North
America, and Latin America/the Caribbean. Proposed research will
explore global legal and human rights trends arising from individuals'
Internet use, particularly use of Internet-based applications such as
search engines, social networking sites, and microblogging.
results will inform UNESCO Member States about existing Internet
privacy policies and practices, so that further action
discussed and taken. Deadline for proposals is July 1, 2011. EPIC takes
a strong stance on global Internet governance and
UNESCO: Calls for Proposals on Global Internet Privacy Survey
EPIC: Global Internet Governance
 EPIC Book Review: "Virtual Freedom"
"Virtual Freedom: Net Neutrality and Free Speech in the Internet Age,"
Dawn C. Nunziato
"Virtual Freedom" is a comprehensive survey of the history of net
neutrality and its role in our modern digital world. George Washington
University law professor Dawn C. Nunziato draws from legal and
technological history to fashion a compelling argument for treating
Internet Service Providers (ISPs) and other powerful Internet entities
as "public entities" with respect to the First Amendment,
preventing them from restricting the free flow of information over the
Nunziato's argument begins with her distinction
between the "negative"
and "affirmative" conceptions of the First Amendment. In the negative
conception, emphasis is placed on individual
speech decisions, free
from state interference only; in the affirmative conception,
citizens are sheltered from the inadequate protections
marketplace. In Nunziato's view, "the affirmative conception of the
First Amendment recognizes that individuals have a right
in democratic self-government by expressing their views, and in turn by
being exposed to a variety of viewpoints."
The central theme of "Virtual Freedom" is that an affirmative
conception of the First Amendment supports government regulation of
"powerful private actors" - those entities that exert control over the
large-scale dissemination of information simply by their existence.
To make this point, Nunziato takes the reader on a detailed common-law
history of the First Amendment from the 1930's through to
day, tracing the legal justification for an application of
Constitutional standards to private ISPs and search engines.
Most convincing to Nunziato's case is her use of real examples,
both in the US and internationally, that demonstrate the disastrous
consequences when net neutrality is not enforced. Numerous anecdotes
provide details on abuses by Internet companies, from blocking
and interrupting file transmissions to content blocking and
manipulation of search results. These accounts provide lay readers
real-world stories connecting them to what might be an otherwise overly
technical and legal discussion.
-- Amie Stepanovich
"Litigation Under the Federal Open Government Laws 2010," edited by
Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the
Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
EPIC Testimony on "Cybersecurity and Data Protection in the Financial
Sector." Senate Committee on Banking, Housing, and Urban Affairs,
Washington, DC, 21 June 2011. For More Information:
"Online Tracking Protection and Browsers." Brussels, Belgium, 22-23 June
2011. For More Information: firstname.lastname@example.org.
ICANN Board Meeting. Singapore. 19-24 June 2011. For More Information:
"Aligning Privacy Accountability with your Business Strategy:" Privacy
Laws and Business 24th Annual International Conference.
College, Cambridge, United Kingdom, 11-13 July 2011. For More
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook
Join the Electronic Privacy Information Center on Facebook
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only
to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend
to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list,
please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation
of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.12 ------------------------