EPIC Alert 18.13
E P I C A l e r t
Volume 18.13 July 5, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 US Supreme Court Strikes Down VT Prescription Privacy Law
 Judge, FCC: Google Street View Data May Violate Wiretap Act
Supreme Court Agrees to Hear Three Privacy-Related Cases
 EPIC Urges Congress to Act in Response to Data Breaches
DHS Documents Raise New Questions About Body Scanner Risks
 News in Brief
 EPIC Book Review: "The Silicon Jungle"
Conferences and Events
TAKE ACTION: Facebook Privacy 2011!
- READ EPIC's complaint to FTC: http://epic.org/redirect/062011FB.html
- WATCH EPIC on ABC Nightline: http://epic.org/redirect/062011FB.html
- SUPPORT EPIC http://www.epic.org/donate/
 US Supreme Court Strikes Down VT Prescription Privacy
In a 6-3 decision, the US Supreme Court struck down
the State of
Vermont's Prescription Confidentiality Law, which prohibits pharmacies
from selling information about prescriptions
to data mining firms for
Circuit courts had been split on this issue, with the First Circuit
similar laws in Maine and New Hampshire and the Second
Circuit Court rejecting the Vermont privacy statute. In IMS Health Inc.
v. Sorrell, the Supreme Court held that the Vermont statute is an
unconstitutional limitation on the First Amendment rights of data
Justice Anthony Kennedy, writing for the majority, underscored
Vermont's practice of allowing most types of
collection and use of
prescription information, which bars only pharmaceutical sales
representatives from targeting their marketing
doctors. According to Kennedy, Vermont "burdened a form of protected
expression that it found too persuasive.
At the same time, the State
has left unburdened those speakers whose messages are in accord with
its own views. This the State
cannot do." Justice Kennedy also
suggested that a more privacy-protective statute might have withstood
In a dissenting opinion, Justice Stephen Breyer, joined by Justices
Ginsburg and Kagan, stated that the Vermont statute was a reasonable
regulation of commercial activity that did not significantly burden the
free speech rights of data miners. Justice Breyer wrote,
prohibition is justified by the need to ensure unbiased sales
presentations, prevent unnecessarily high drug costs, and
privacy of prescribing physicians."
EPIC filed a "friend of the court" brief on behalf of 27 technical
legal scholars, as well as nine consumer and privacy
groups, arguing that the privacy interest in safeguarding medical
is substantial and that the "de-identification" techniques
adopted by data-mining firms do not protect patient privacy.
Court: Opinion: IMS Health v. Sorrell
US Supreme Court: IMS Health v. Sorrell Docket
EPIC: IMS Health v. Sorrell "Friend of the Court" Brief
EPIC: IMS Health v. Sorrell
 Judge, FCC: Google Street View Data May Violate Wiretap
As the result of a class-action lawsuit, a federal judge
has found that Google's collection of Wi-Fi data as part of its "Street
View" initiative could constitute illegal
wiretapping. The judge
determined that the facts of the case were "sufficient to state a claim
for violation of the Wiretap Act."
These facts include that Google
"intentionally ... used [its] technology to intercept Plaintiffs' data
packets, arguably electronic
communications, from Plaintiffs' personal
Wi-Fi networks . . . [that] were not readable by the general public."
The federal court
explained that the case "presents a case of first
impression as to whether the Wiretap Act imposes liability upon a
allegedly intentionally intercepts data packets from a
wireless home network."
Meanwhile, the Federal Communications Commission
is continuing its own
inquiry into Google Street View. The Commission opened an investigation
in November 2010 after EPIC filed
a complaint requesting that the
Commission examine possible violations of federal wiretap law under the
Communications Act. After
the Commission failed to take action, the
House of Representatives passed its Financial Services Appropriations
bill, which contained
an amendment requiring the Commission to report
on its Street View investigation within 180 days. The bill was voted
out of committee
and is headed for a full House vote.
EPIC has also filed a "friend of the court" brief in the case,
providing a detailed legislative
history of the Electronic
Communications Privacy Act and arguing that private Wi-Fi
communications are entitled to privacy protection
under the Act. EPIC
states that Congress established "a presumption in favor of
confidentiality except in those circumstances where
the user has
knowingly chosen to broadcast communications to the general public."
Several countries, including the U.K., Germany,
Spain, and Canada, have
conducted similar investigations and determined that Google violated
their privacy laws.
of N. CA: Google Street View Decision (June 29, 2011)
EPIC: Letter to FCC: Google Street View (Apr. 11, 2011)
EPIC: Friend of the Court Brief re: Street View (May 18, 2010)
New York Times: F.C.C. Investigates Google Street View (Nov. 10, 2011)
US House of Reps.: Financial Appropriations Amendments (June 23, 2011)
EPIC: Investigations of Google Street View
 Supreme Court Agrees to Hear Three Privacy-Related
The US Supreme Court has granted certiorari to hear
privacy cases for the upcoming October 2011 Term.
U.S. v. Jones involves warrantless GPS tracking. In 2009, the
placed a wireless GPS transmitter on the car of Antoine Jones, who was
later found guilty of drug trafficking, without a search
Police then tracked Jones for more than a month using GPS signals
continually transmitted every 10 seconds. Jones filed
that the GPS tracking was an unreasonable search prohibited by the
Fourth Amendment. In 2010, the D.C. Circuit
Court agreed with Jones,
ruling that such round-the-clock surveillance required a search warrant
based on probable cause. This
ruling is in conflict with a 9th Circuit
Court opinion, Pineda-Moreno v. US, which allowed warrantless GPS
tracking. EPIC filed
an amicus brief in a similar case in
Massachusetts, Commonwealth v. Connolly, in which the court ruled a
warrant was required.
EPIC intends to file an amicus brief in this
matter in support of Jones's claims under the Fourth Amendment.
FAA v. Cooper concerns
the 1974 Privacy Act, which limits the ability
of government agencies to share personal information. In 1985,
pursuant to an FAA
rule denying pilot licenses to HIV-positive
individuals, Stanmore Cooper, a small-plane pilot, gave up his license.
When the FAA
repealed its ban on pilots with HIV, Cooper reapplied for
a license but did not disclose his condition. After his health briefly
worsened in 1995, he applied for Social Security benefits, with the
assurance that his medical records would remain confidential.
revoked Cooper's license in 2005 after obtaining his medical records
from the Social Security Administration as part of
Pilot," which examined records of 47,000 Northern California pilots.
The Fifth and Ninth Circuit Courts ruled that
Cooper could seek damages
for emotional harm under the 1974 Privacy Act; the Sixth and Eleventh
Circuit Courts ruled against Cooper.
EPIC intends to file an amicus
brief in support of Cooper's claims under the Privacy Act.
Florence v. Bd. of Chosen Freeholders
of the County of Burlington
involves privacy as a civil right. Albert Florence was stopped by an
officer of the New Jersey State
Police and arrested for civil contempt.
At two separate facilities, Florence was forced to strip naked and
submit to a cavity
search. After charges were dismissed, Florence
brought a class action lawsuit against the jails and municipal
officials under section
1983 of the U.S. Civil Rights Act. The
District Court granted a judgment for Florence, but allowed the jail
to appeal. The Third
Circuit accepted the appeal, determining that
jails can conduct strip searches for any arrestees who will be exposed
to the general
prison population. Furthermore, the Third Circuit Court
decided, jails are not required to provide evidence of attempted
or discovered contraband as justification for policy.
EPIC regularly participates in litigation on privacy issues. In the
term of the Supreme Court, EPIC submitted amicus curiae
briefs in five cases related to privacy.
US Supreme Court: US v. Jones
DC Circuit Court: Opinion in US v. Jones (Aug. 6, 2010)
EPIC: US v. Jones
EPIC: Commonwealth v. Connolly
US Supreme Court: FAA v. Cooper
US Ninth Circuit Court: Opinion in FAA v. Cooper (Feb 22, 2010)
EPIC: FAA v. Cooper
US Supreme Court: Florence v. County of Burlington
US Third Circuit Court: Opinion: Florence v. Burlington (Sept. 2010)
 EPIC Urges Congress to Act in Response to Data Breaches
EPIC Executive Director Marc Rotenberg testified on June
21 before the
Senate Banking Committee. In his testimony, Rotenberg urged lawmakers
to adopt data breach notification regulations.
At the Senate hearing, "Cybersecurity and Data Protection in the
Financial Sector," Rotenberg exhorted the Banking Committee to
breach notification regulations to financial institutions and promote
authentication techniques that reduce risks to consumers.
that current laws do not adequately protect consumers because they have
anemic data breach protections and lack strong
Rotenberg cautioned that weaker federal legislation should not preempt
more robust state laws, and called
for the development of policies
that are open to public review and comment, respect the role of the
private sector, and safeguard
the rights of consumers and users. EPIC
also highlighted a series of recent high-profile data breaches in the
including breaches at Citigroup and Bank of America.
In response to a question on the current data-protection laws,
that "the laws currently in place do not provide
adequate protection to bank customers, particularly in light of some of
security breaches that have been so widely reported."
According to the non-profit Privacy Rights Clearinghouse, 500 million
records have been breached since 2005. The actual number is
likely much higher, as many data breaches are never reported in the
media. EPIC previously testified before the House concerning data
breach legislation and provided comments to the Federal Trade
Commission on the need for comprehensive privacy protection for
EPIC: Testimony Before the US Senate Banking
Committee (June 21, 2011)
US Senate: Committee on Banking, Housing and Urban Affairs
US Senate: Committee on Banking, Housing and Urban Affairs - Hearings
Privacy Rights Clearinghouse: Chronology of Data Breaches 2005-Present
 FOIA'd DHS Documents Raise New Questions About Body
As part of a Freedom of Information Act (FOIA) lawsuit against the
Department of Homeland Security, EPIC has obtained over 1,000 pages of
documents concerning the radiation
risks of the Transportation
Security Administration's (TSA) airport body scanner program. These
documents, which include agency
emails, radiation studies, memoranda of
agreement concerning radiation testing programs, and results of
radiation tests, call into
question the Agency's assurances about the
health risks posed by full body scanners.
One document set reveals that even after
TSA employees at Boston's
Logan International Airport identified cancer clusters possibly linked
to radiation exposure, the Agency
failed to issue employees radiation
dosimeters - safety devices that monitor an individual's radiation
exposure. Another document
indicates that Homeland Security publicly
mischaracterized the findings of the National Institute of Standards
and Technology (NIST),
stating that the Institute "affirmed the safety"
of full body scanners. The documents obtained by EPIC reveal that the
disputed that characterization and stated that it did not,
in fact, test the devices for safety; rather, a NIST study warns
screeners to avoid standing next to full body scanners.
Similarly, a Johns Hopkins University study revealed that radiation
body scanners could exceed the "General Public Dose Limit."
In 2005, the TSA began testing body scanners to screen air travelers.
Body scanners produce detailed, three-dimensional images of
individuals. The Agency operates the body scanner devices at airports
throughout the United States. While no comprehensive independent study
has been conducted on the health risks of full body scanners,
have questioned their safety and noted that radiation exposure from
devices similar to full body scanners increase subjects'
Other scientists and radiology experts, including those at the
University of California - San Francisco, Columbia
Arizona State University, have identified cancer risks to air travelers
arising from improper maintenance and flawed
operation of full body
In July 2010, EPIC filed a Freedom of Information Act request with the
Department of Homeland Security for Agency records directly relating to
the radiation risks posed by full body
scanners. The Department
acknowledged receipt of EPIC's request, but failed to disclose any
documents. In November 2010, EPIC sued
Homeland Security to force
disclosure of the body scanner radiation documents. EPIC, which has
publicized the various risks of
body scanners since 2009, released
these documents on June 24.
EPIC: FOIA'd Documents on Body Scanner Safety
EPIC: EPIC v. DHS (Full Body Scanner Radiation Risks)
EPIC: Whole Body Imaging Technology
EPIC: EPIC v. DHS (Body Scanners)
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)
 News in Brief
FCC Sets New Penalties for CallerID Spoofs, Adopts EPIC Recommendations
The Federal Communications Commission has adopted new rules
increase the penalties for Caller ID "spoofing," the practice of
organizations or individuals faking caller ID information,
harmful purposes such as stalking or identity theft. Under the new
rules, the Commission can fine violators up to $10,000
each time they
change their caller ID information with the "intent to defraud, cause
harm, or wrongfully obtain anything of value."
The "intent" requirement
is an important safeguard to protect entities with legitimate reasons to
keep their telephone information
private, such as domestic violence
shelters. Over the last decade, EPIC has recommended adoption of the
intent requirement in comments
to the Commission, as well as testified
before both the House and Senate.
FCC: Press Release on Caller ID Spoofing (June 23,
FCC: Rules and Regulations re: Truth in Caller ID Act of 2009
EPIC: Comments to the FCC re: Implementing the Truth in Caller ID Act of 2009"
EPIC: Caller ID
Federal Trade Commission Steps Up Google Antitrust Investigation
Google confirmed on June 24 that the Federal Trade Commission
has opened an investigation into its business practices for possible
antitrust violations. The investigation likely will
center on whether
Google uses its dominance in the Search market to inhibit competition
in other areas. Google, however, claimed
that it did not clearly
understand the focus of the FTC's investigation. Both the Federal Trade
Commission and U.S. Justice Department
have investigated Google's
business practices and Internet dominance in recent years. EPIC filed a
formal objection to Google's
acquisition of Doubleclick in 2007 and
subsequently testified before a Senate committee regarding the privacy
issues arising from
Google's dominance of essential Internet services.
Google: "Supporting Choice, Insuring Economic Opportunity" (June 2011)
Wall Street Journal: Feds to Launch Probe of Google (June 24, 2011)
EPIC Senate Testimony: Google-Doubleclick Merger (Sept. 27, 2007)
EPIC: Google Street View
Privacy Groups Tell Senate Stronger Laws Needed
A coalition of 15 privacy and consumer groups, representing millions of
consumers and Internet users, sent a letter to the Senate Commerce
Committee urging Congress to do more to protect consumer information.
"Consumers today face an unfair choice: either stay offline and ignore
the benefits of new technology, or plug in and run extraordinary
to privacy and security," the coalition wrote, adding, "It shouldn't be
this way. Consumers are more concerned about the
privacy threat from big
business than from big government." The coalition, which includes the
Consumer Federation of America, Consumers
Union, and the National
Consumers League, argues that current privacy laws are inadequate, and
that industry self-regulation has
failed, as evidenced by millions of
records compromised in data breaches. The consumer letter follows one
sent by industry groups
urging lawmakers not to pass any additional
EPIC: Consumer Coalition's Letter to Congress
EPIC: Industry Coalition's Letter to Congress
Supreme Court Sides with Video Game Manufacturers
In a 7-2 decision, the US Supreme Court ruled unconstitutional
ban on the sale or rental of violent video games to
minors. The Court held that the law violates the First Amendment and
a restriction on the content of protected speech that does not
pass strict scrutiny. The majority opinion noted that "'the basic
principles of freedom of speech and the press, like the First
Amendment's command, do not vary' when a new and different medium
communication appears." EPIC Board Member Paul Smith successfully
argued the case in front of the Supreme Court on behalf of
Respondents, Entertainment Merchants Association.
US Supreme Court: Opinion: Brown v. Entertainment Merchants Association
Supreme Court: Oral Argument: Brown v. Entertainment Merchants Assn.
US 9th Circuit Court: Opinion: Brown v. Entertainment Merchants Assn.
International Consumer Group Approves Smart Meter Resolutions
The Trans-Atlantic Consumer Dialogue (TACD), a coalition of US
European Union consumer groups, adopted a report on privacy and
consumer electrical services at the 12th Annual TACD meeting
Brussels in June. The "Resolution on Privacy and Security Related to
Smart Meters" warns that the increasing amount and specificity
available about consumer energy consumption may reveal intimate,
personally identifiable details of household life, and
the US and EU take legislative action to "prohibit use of utility
consumer consumption data for marketing, selling,
sharing or reuse
without the customer's specific and unambiguous consent." The
Resolution also recommends that smart meter operators
privacy-enhancing features by design through "default settings and
usability features for smart meters".
on Smart Meter Privacy and Security (June 2011)
TACD: 12th Annual Meeting (June 2011)
EPIC: Smart Grid and Privacy
EPIC: Department of Energy Smart Grid FOIA Documents
 EPIC Book Review: "The Silicon Jungle"
"The Silicon Jungle: A Novel of Deception, Power, and Internet
Intrigue", Shumeet Baluja
Shumeet Baluja's first novel is an entertaining thriller that also
raises significant philosophical and ethical questions about
direction our Internet-driven society is headed. Baluja, a Google
engineer, uses his extensive technical knowledge to illuminate
increased online data collection by both the private sector and
governments threaten our security and privacy.
Jungle"'s protagonist, Stephen, has been languishing in a
dead-end job ever since his Internet start-up went bust. Stephen
lands a coveted internship with Ubatoo, a company that bears
striking similarities to Google in its domination of the Internet
landscape. Stephen works in the data-mining group, the division of
Ubatoo dedicated to exploiting the vast troves of user data it
in order to increase advertising revenue. Baluja's depiction of Ubatoo's
culture reveals an insider's perspective most
of us will never see -
caffeine-fueled Ubatoo employees working late into the night, hunched
over their desks, analyzing millions
of data records collected from an
Stephen is eventually approached by a man who purportedly works for the
American Coalition for Civil Libertes, who asks him to use Ubatoo's
data to help identify people that may have ended up on an FBI
list. But Stephen discovers that this man is not who he claims to be,
and soon Stephen finds himself drawn into a web of
including FBI agents and potential terrorists, who find Ubatoo's data
so valuable they will go to great lengths
to acquire it.
"The Silicon Jungle" reads as a cautionary tale for the future (or
perhaps the present), as we allow more and
more data to be collected by
fewer and fewer entities. Some of the more disturbing scenarios in the
book include a real-time map
at Ubatoo headquarters showing what each
individual is browsing on the Internet, the use of an Ubatoo credit
card which then allows
the company to track purchasing habits both
online and offline, and an FBI that outsources its sensitive work to
By wrapping these lessons in an engaging narrative, Baluja makes them
more exciting than didactic for the reader. Despite
oversimplification of topics such as Muslim extremism, "The Silicon
Jungle" is that rare novel that is as smart
as it is engaging.
-- Sharon Goott-Nissim
"Litigation Under the Federal
Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010).
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the
Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
"Aligning Privacy Accountability with your Business Strategy:" Privacy
Laws and Business 24th Annual International Conference. St.
College, Cambridge, United Kingdom, 11-13 July 2011. For More
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook
Join the Electronic Privacy Information Center on Facebook
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only
to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend
to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list,
please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation
of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.13 ------------------------