EPIC Alert

EPIC Alert 18.13 [2011] EPICAlert 13

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 18.13                                               July 5, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] US Supreme Court Strikes Down VT Prescription Privacy Law
[2] Judge, FCC: Google Street View Data May Violate Wiretap Act
[3] Supreme Court Agrees to Hear Three Privacy-Related Cases
[4] EPIC Urges Congress to Act in Response to Data Breaches
[5] FOIA'd DHS Documents Raise New Questions About Body Scanner Risks
[6] News in Brief
[7] EPIC Book Review: "The Silicon Jungle"
[8] Upcoming Conferences and Events

TAKE ACTION: Facebook Privacy 2011!
- READ EPIC's complaint to FTC:
- WATCH EPIC on ABC Nightline:
- SUPPORT EPIC

=======================================================================
[1] US Supreme Court Strikes Down VT Prescription Privacy Law
=======================================================================

In a 6-3 decision, the US Supreme Court struck down the State of Vermont's Prescription Confidentiality Law, which prohibits pharmacies from selling information about prescriptions to data mining firms for marketing purposes. Circuit courts had been split on this issue, with the First Circuit Court upholding similar laws in Maine and New Hampshire and the Second Circuit Court rejecting the Vermont privacy statute. In IMS Health Inc. v. Sorrell, the Supreme Court held that the Vermont statute is an unconstitutional limitation on the First Amendment rights of data mining companies.
Justice Anthony Kennedy, writing for the majority, underscored Vermont's practice of allowing most types of collection and use of prescription information, which bars only pharmaceutical sales representatives from targeting their marketing towards particular doctors. According to Kennedy, Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do." Justice Kennedy also suggested that a more privacy-protective statute might have withstood Constitutional scrutiny.

In a dissenting opinion, Justice Stephen Breyer, joined by Justices Ginsburg and Kagan, stated that the Vermont statute was a reasonable regulation of commercial activity that did not significantly burden the free speech rights of data miners. Justice Breyer wrote, "[T]he prohibition is justified by the need to ensure unbiased sales presentations, prevent unnecessarily high drug costs, and protect the privacy of prescribing physicians."

EPIC filed a "friend of the court" brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy.

US Supreme Court: Opinion: IMS Health v. Sorrell
US Supreme Court: IMS Health v. Sorrell Docket
EPIC: IMS Health v. Sorrell "Friend of the Court" Brief
EPIC: IMS Health v. Sorrell

=======================================================================
[2] Judge, FCC: Google Street View Data May Violate Wiretap Act
=======================================================================

As the result of a class-action lawsuit, a federal judge in California has found that Google's collection of Wi-Fi data as part of its "Street View" initiative could constitute illegal wiretapping.
The judge determined that the facts of the case were "sufficient to state a claim for violation of the Wiretap Act." These facts include that Google "intentionally ... used [its] technology to intercept Plaintiffs' data packets, arguably electronic communications, from Plaintiffs' personal Wi-Fi networks . . . [that] were not readable by the general public." The federal court explained that the case "presents a case of first impression as to whether the Wiretap Act imposes liability upon a defendant who allegedly intentionally intercepts data packets from a wireless home network."

Meanwhile, the Federal Communications Commission is continuing its own inquiry into Google Street View. The Commission opened an investigation in November 2010 after EPIC filed a complaint requesting that the Commission examine possible violations of federal wiretap law under the Communications Act. After the Commission failed to take action, the House of Representatives passed its Financial Services Appropriations bill, which contained an amendment requiring the Commission to report on its Street View investigation within 180 days. The bill was voted out of committee and is headed for a full House vote.

EPIC has also filed a "friend of the court" brief in the case, providing a detailed legislative history of the Electronic Communications Privacy Act and arguing that private Wi-Fi communications are entitled to privacy protection under the Act. EPIC states that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public."

Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws.

District Court of N. CA: Google Street View Decision (June 29, 2011)
EPIC: Letter to FCC: Google Street View (Apr. 11, 2011)
EPIC: Friend of the Court Brief re: Street View (May 18, 2010)
New York Times: F.C.C. Investigates Google Street View (Nov. 10, 2011)
US House of Reps.: Financial Appropriations Amendments (June 23, 2011)
EPIC: Investigations of Google Street View

=======================================================================
[3] Supreme Court Agrees to Hear Three Privacy-Related Cases
=======================================================================

The US Supreme Court has granted certiorari to hear three important privacy cases for the upcoming October 2011 Term.

U.S. v. Jones involves warrantless GPS tracking. In 2009, the FBI placed a wireless GPS transmitter on the car of Antoine Jones, who was later found guilty of drug trafficking, without a search warrant. Police then tracked Jones for more than a month using GPS signals continually transmitted every 10 seconds. Jones filed suit, claiming that the GPS tracking was an unreasonable search prohibited by the Fourth Amendment. In 2010, the D.C. Circuit Court agreed with Jones, ruling that such round-the-clock surveillance required a search warrant based on probable cause. This ruling is in conflict with a 9th Circuit Court opinion, Pineda-Moreno v. US, which allowed warrantless GPS tracking. EPIC filed an amicus brief in a similar case in Massachusetts, Commonwealth v. Connolly, in which the court ruled a warrant was required. EPIC intends to file an amicus brief in this matter in support of Jones's claims under the Fourth Amendment.

FAA v. Cooper concerns the 1974 Privacy Act, which limits the ability of government agencies to share personal information. In 1985, pursuant to an FAA rule denying pilot licenses to HIV-positive individuals, Stanmore Cooper, a small-plane pilot, gave up his license. When the FAA repealed its ban on pilots with HIV, Cooper reapplied for a license but did not disclose his condition.
After his health briefly worsened in 1995, he applied for Social Security benefits, with the assurance that his medical records would remain confidential. The FAA revoked Cooper's license in 2005 after obtaining his medical records from the Social Security Administration as part of "Operation Safe Pilot," which examined records of 47,000 Northern California pilots. The Fifth and Ninth Circuit Courts ruled that Cooper could seek damages for emotional harm under the 1974 Privacy Act; the Sixth and Eleventh Circuit Courts ruled against Cooper. EPIC intends to file an amicus brief in support of Cooper's claims under the Privacy Act.

Florence v. Bd. of Chosen Freeholders of the County of Burlington involves privacy as a civil right. Albert Florence was stopped by an officer of the New Jersey State Police and arrested for civil contempt. At two separate facilities, Florence was forced to strip naked and submit to a cavity search. After charges were dismissed, Florence brought a class action lawsuit against the jails and municipal officials under section 1983 of the U.S. Civil Rights Act. The District Court granted a judgment for Florence, but allowed the jail to appeal. The Third Circuit accepted the appeal, determining that jails can conduct strip searches for any arrestees who will be exposed to the general prison population. Furthermore, the Third Circuit Court decided, jails are not required to provide evidence of attempted smuggling or discovered contraband as justification for policy.

EPIC regularly participates in litigation on privacy issues. In the 2010-2011 term of the Supreme Court, EPIC submitted amicus curiae briefs in five cases related to privacy.

US Supreme Court: US v. Jones
DC Circuit Court: Opinion in US v. Jones (Aug. 6, 2010)
EPIC: US v. Jones
EPIC: Commonwealth v. Connolly
US Supreme Court: FAA v. Cooper
US Ninth Circuit Court: Opinion in FAA v. Cooper (Feb 22, 2010)
EPIC: FAA v. Cooper
US Supreme Court: Florence v. County of Burlington
US Third Circuit Court: Opinion: Florence v. Burlington (Sept. 2010)

=======================================================================
[4] EPIC Urges Congress to Act in Response to Data Breaches
=======================================================================

EPIC Executive Director Marc Rotenberg testified on June 21 before the Senate Banking Committee. In his testimony, Rotenberg urged lawmakers to adopt data breach notification regulations.

At the Senate hearing, "Cybersecurity and Data Protection in the Financial Sector," Rotenberg exhorted the Banking Committee to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. He observed that current laws do not adequately protect consumers because they have anemic data breach protections and lack strong enforcement mechanisms. Rotenberg cautioned that weaker federal legislation should not preempt more robust state laws, and called for the development of policies that are open to public review and comment, respect the role of the private sector, and safeguard the rights of consumers and users.

EPIC also highlighted a series of recent high-profile data breaches in the financial sector, including breaches at Citigroup and Bank of America. In response to a question on the current data-protection laws, Rotenberg reiterated that "the laws currently in place do not provide adequate protection to bank customers, particularly in light of some of the recent security breaches that have been so widely reported."

According to the non-profit Privacy Rights Clearinghouse, 500 million sensitive records have been breached since 2005. The actual number is likely much higher, as many data breaches are never reported in the media.
EPIC previously testified before the House concerning data breach legislation and provided comments to the Federal Trade Commission on the need for comprehensive privacy protection for customer data.

EPIC: Testimony Before the US Senate Banking Committee (June 21, 2011)
US Senate: Committee on Banking, Housing and Urban Affairs
US Senate: Committee on Banking, Housing and Urban Affairs - Hearings
Privacy Rights Clearinghouse: Chronology of Data Breaches 2005-Present

=======================================================================
[5] FOIA'd DHS Documents Raise New Questions About Body Scanner Risks
=======================================================================

As part of a Freedom of Information Act (FOIA) lawsuit against the Department of Homeland Security, EPIC has obtained over 1,000 pages of documents concerning the radiation risks of the Transportation Security Administration's (TSA) airport body scanner program. These documents, which include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of radiation tests, call into question the Agency's assurances about the health risks posed by full body scanners.

One document set reveals that even after TSA employees at Boston's Logan International Airport identified cancer clusters possibly linked to radiation exposure, the Agency failed to issue employees radiation dosimeters - safety devices that monitor an individual's radiation exposure.

Another document indicates that Homeland Security publicly mischaracterized the findings of the National Institute of Standards and Technology (NIST), stating that the Institute "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that the Institute disputed that characterization and stated that it did not, in fact, test the devices for safety; rather, a NIST study warns airport screeners to avoid standing next to full body scanners.
Similarly, a Johns Hopkins University study revealed that radiation around body scanners could exceed the "General Public Dose Limit."

In 2005, the TSA began testing body scanners to screen air travelers. Body scanners produce detailed, three-dimensional images of individuals. The Agency operates the body scanner devices at airports throughout the United States. While no comprehensive independent study has been conducted on the health risks of full body scanners, experts have questioned their safety and noted that radiation exposure from devices similar to full body scanners increases subjects' cancer risk. Other scientists and radiology experts, including those at the University of California - San Francisco, Columbia University, and Arizona State University, have identified cancer risks to air travelers arising from improper maintenance and flawed operation of full body scanners.

In July 2010, EPIC filed a Freedom of Information Act request with the Department of Homeland Security for Agency records directly relating to the radiation risks posed by full body scanners. The Department acknowledged receipt of EPIC's request, but failed to disclose any documents. In November 2010, EPIC sued Homeland Security to force disclosure of the body scanner radiation documents. EPIC, which has publicized the various risks of body scanners since 2009, released these documents on June 24.

EPIC: FOIA'd Documents on Body Scanner Safety
EPIC: EPIC v. DHS (Full Body Scanner Radiation Risks)
EPIC: Whole Body Imaging Technology
EPIC: EPIC v. DHS (Body Scanners)
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)

=======================================================================
[6] News in Brief
=======================================================================

FCC Sets New Penalties for CallerID Spoofs, Adopts EPIC Recommendations

The Federal Communications Commission has adopted new rules that increase the penalties for Caller ID "spoofing," the practice of organizations or individuals faking caller ID information, often for harmful purposes such as stalking or identity theft. Under the new rules, the Commission can fine violators up to $10,000 each time they change their caller ID information with the "intent to defraud, cause harm, or wrongfully obtain anything of value." The "intent" requirement is an important safeguard to protect entities with legitimate reasons to keep their telephone information private, such as domestic violence shelters. Over the last decade, EPIC has recommended adoption of the intent requirement in comments to the Commission, and has testified before both the House and Senate.

FCC: Press Release on Caller ID Spoofing (June 23, 2011)
FCC: Rules and Regulations re: Truth in Caller ID Act of 2009
EPIC: Comments to the FCC re: Implementing the Truth in Caller ID Act of 2009
EPIC: Caller ID

Federal Trade Commission Steps Up Google Antitrust Investigation

Google confirmed on June 24 that the Federal Trade Commission (FTC) has opened an investigation into its business practices for possible antitrust violations. The investigation likely will center on whether Google uses its dominance in the Search market to inhibit competition in other areas. Google, however, claimed that it did not clearly understand the focus of the FTC's investigation. Both the Federal Trade Commission and U.S. Justice Department have investigated Google's business practices and Internet dominance in recent years.
EPIC filed a formal objection to Google's acquisition of Doubleclick in 2007 and subsequently testified before a Senate committee regarding the privacy issues arising from Google's dominance of essential Internet services.

Google: "Supporting Choice, Insuring Economic Opportunity" (June 2011)
Wall Street Journal: Feds to Launch Probe of Google (June 24, 2011)
EPIC: Google/DoubleClick
EPIC Senate Testimony: Google-Doubleclick Merger (Sept. 27, 2007)
EPIC: Google Street View

Privacy Groups Tell Senate Stronger Laws Needed

A coalition of 15 privacy and consumer groups, representing millions of consumers and Internet users, sent a letter to the Senate Commerce Committee urging Congress to do more to protect consumer information. "Consumers today face an unfair choice: either stay offline and ignore the benefits of new technology, or plug in and run extraordinary risks to privacy and security," the coalition wrote, adding, "It shouldn't be this way. Consumers are more concerned about the privacy threat from big business than from big government." The coalition, which includes the Consumer Federation of America, Consumers Union, and the National Consumers League, argues that current privacy laws are inadequate, and that industry self-regulation has failed, as evidenced by millions of records compromised in data breaches. The consumer letter follows one sent by industry groups urging lawmakers not to pass any additional legislation.

EPIC: Consumer Coalition's Letter to Congress
EPIC: Industry Coalition's Letter to Congress

Supreme Court Sides with Video Game Manufacturers

In a 7-2 decision, the US Supreme Court ruled unconstitutional California's ban on the sale or rental of violent video games to minors. The Court held that the law violates the First Amendment and imposes a restriction on the content of protected speech that does not pass strict scrutiny.
The majority opinion noted that "'the basic principles of freedom of speech and the press, like the First Amendment's command, do not vary' when a new and different medium for communication appears." EPIC Board Member Paul Smith successfully argued the case in front of the Supreme Court on behalf of the Respondents, Entertainment Merchants Association.

US Supreme Court: Opinion: Brown v. Entertainment Merchants Association
Supreme Court: Oral Argument: Brown v. Entertainment Merchants Assn.
US 9th Circuit Court: Opinion: Brown v. Entertainment Merchants Assn.

International Consumer Group Approves Smart Meter Resolutions

The Trans-Atlantic Consumer Dialogue (TACD), a coalition of US and European Union consumer groups, adopted a report on privacy and consumer electrical services at the 12th Annual TACD meeting in Brussels in June. The "Resolution on Privacy and Security Related to Smart Meters" warns that the increasing amount and specificity of data available about consumer energy consumption may reveal intimate, personally identifiable details of household life, and recommends that the US and EU take legislative action to "prohibit use of utility consumer consumption data for marketing, selling, sharing or reuse without the customer's specific and unambiguous consent." The Resolution also recommends that smart meter operators integrate privacy-enhancing features by design through "default settings and usability features for smart meters".
TACD: Resolution on Smart Meter Privacy and Security (June 2011)
TACD: 12th Annual Meeting (June 2011)
EPIC: Smart Grid and Privacy
EPIC: Department of Energy Smart Grid FOIA Documents

=======================================================================
[7] EPIC Book Review: "The Silicon Jungle"
=======================================================================

"The Silicon Jungle: A Novel of Deception, Power, and Internet Intrigue", Shumeet Baluja

Shumeet Baluja's first novel is an entertaining thriller that also raises significant philosophical and ethical questions about the direction our Internet-driven society is headed. Baluja, a Google engineer, uses his extensive technical knowledge to illuminate how increased online data collection by both the private sector and governments threatens our security and privacy.

"The Silicon Jungle"'s protagonist, Stephen, has been languishing in a dead-end job ever since his Internet start-up went bust. Stephen finally lands a coveted internship with Ubatoo, a company that bears striking similarities to Google in its domination of the Internet landscape. Stephen works in the data-mining group, the division of Ubatoo dedicated to exploiting the vast troves of user data it collects in order to increase advertising revenue. Baluja's depiction of Ubatoo's culture reveals an insider's perspective most of us will never see - caffeine-fueled Ubatoo employees working late into the night, hunched over their desks, analyzing millions of data records collected from an unsuspecting public.

Stephen is eventually approached by a man who purportedly works for the American Coalition for Civil Liberties, who asks him to use Ubatoo's data to help identify people that may have ended up on an FBI watch list.
But Stephen discovers that this man is not who he claims to be, and soon Stephen finds himself drawn into a web of dark characters, including FBI agents and potential terrorists, who find Ubatoo's data so valuable they will go to great lengths to acquire it.

"The Silicon Jungle" reads as a cautionary tale for the future (or perhaps the present), as we allow more and more data to be collected by fewer and fewer entities. Some of the more disturbing scenarios in the book include a real-time map at Ubatoo headquarters showing what each individual is browsing on the Internet, the use of an Ubatoo credit card which then allows the company to track purchasing habits both online and offline, and an FBI that outsources its sensitive work to private software engineers. By wrapping these lessons in an engaging narrative, Baluja makes them more exciting than didactic for the reader. Despite the occasional oversimplification of topics such as Muslim extremism, "The Silicon Jungle" is that rare novel that is as smart as it is engaging.

-- Sharon Goott-Nissim

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

"Aligning Privacy Accountability with your Business Strategy:" Privacy Laws and Business 24th Annual International Conference. St. John's College, Cambridge, United Kingdom, 11-13 July 2011. For More Information:

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011.
For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.13 ------------------------
