EPIC Alert 18.16
E P I C A l e r t
Volume 18.16 August 17, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC-Led Coalition Calls For Halt of Secret Government Watchlist
 US Senate Unanimously Passes 'Faster FOIA Act'
 DHS Terminates Secure Communities Agreements with States
 New Body Scanner Software No Panacea for TSA Privacy Violations
 California Protects the Privacy of Consumer Smart Meter Data
 News in Brief
 EPIC Book Review: 'Nothing to Hide'
 Upcoming Conferences and Events
TAKE ACTION: Facebook Privacy 2011!
- READ EPIC's complaint to FTC: http://epic.org/redirect/062011FB.html
- WATCH EPIC on ABC Nightline: http://epic.org/redirect/062011FB.html
- SUPPORT EPIC http://www.epic.org/donate/
 EPIC-Led Coalition Calls for Halt of Secret Government Watchlist
Earlier this month, EPIC led a coalition of privacy,
and civil rights organizations that submitted comments to suspend the
Department of Homeland Security's controversial Watchlist program. In
July, the agency proposed new expansions to the program while also
claiming a series of exemptions from the duties and obligations laid
out in the Privacy Act of 1974. The coalition recommended that the
agency completely suspend the program and comply with Privacy Act
The Watchlist program is a secretive government database comprised of
information, including names, birth places and
dates, biometric and photographic data, passport information, driver's
and "other available identifying particulars." The
program transmits the records from the Federal Bureau of Investigation
Department of Justice to the Department of Homeland Security
and associated sub-departments. Sub-departments can record "encounters"
with any person whose name is on the list, which is itself a secret,
and send that information back to the Department of Homeland
the FBI and the Department of Justice. Officials at Homeland Security
are planning to develop a Watchlist "mirror," a near-real-time
the original database that synchronizes itself by adding, modifying, or
deleting data in accord with updates to records in
The Watchlist program is subject to Privacy Act requirements. The
Privacy Act mandates that government agencies maintain
complete records, and only when such records are relevant and necessary
for an authorized purpose. The Act also requires agencies to give
notice to data subjects, as well as providing subjects with access and
the right to correct inaccurate information.
The Department of Homeland Security claimed these obligations were
unduly burdensome and hypothetically could interfere with investigations
and with the automation and development of the Watchlist program and its
"mirror" database. In a Notice of Public Rulemaking, the
public input regarding its request for Privacy Act exemptions.
EPIC's comments emphasized that Congress passed the Privacy Act "to
maintain transparent and secure government recordkeeping systems." The
coalition recommended a more general course correction regarding the
agency's overall approach to centralizing large stores of sensitive
data. As stated in the comments, the Watchlist program's database of
individual records "will provide an appealing mark for thieves trying
to create false identities for criminal activities." EPIC has
previously testified that privacy is much better safeguarded by keeping
information in multiple, decentralized locations, and collecting it
only when necessary.
EPIC: Comments on Watchlist Program Proposal (Aug. 5, 2011)
DHS: Notice of Proposed Rulemaking (July 6, 2011)
DHS: Systems of Record Notice (July 6, 2011)
EPIC: Testimony Before House Security Subcommittee (Sep. 9, 2008)
EPIC: "Spotlight on Surveillance" (Secure Flight) (Aug. 2007)
 US Senate Unanimously Passes 'Faster FOIA Act'
On August 2, the Senate unanimously approved bipartisan legislation,
cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn
to improve Freedom of Information Act (FOIA) processing. The Senate
previously passed the Faster FOIA Act in May 2011, but the bill failed
to pass in the House of Representatives. During the Congressional debt
ceiling debate, the bill, S.627, became part of the Budget Control Act
of 2011, where most of its provisions were stripped. According to
Senator Leahy's office, the bill was reintroduced on August 1, and now
will return to the House to await
The Faster FOIA Act will establish a panel to examine agency backlogs
in processing FOIA requests and provide recommendations to Congress to
accelerate agency response time. The panel will also identify methods
to reduce FOIA processing delays, including determining whether the
system for charging and waiving FOIA fees should be reformed.
"According to the Department of Justice's Freedom of Information Act
Annual Report for Fiscal Year 2009, the Department had a backlog of
almost 5,000 FOIA requests at the end of 2009. The Department
Homeland Security's report for the same period shows a backlog of
18,918 FOIA requests. These mounting FOIA backlogs are simply
unacceptable," said Senator Leahy at the original introduction of
EPIC has testified previously before the House Oversight
about FOIA delays and politicized processing within the Department of
US Senate: The Faster FOIA
Sen. Patrick Leahy: Press Release on Faster FOIA Act (Aug. 2, 2011)
EPIC: Testimony Before the House Oversight Committee (Mar. 31, 2011)
EPIC: FOIA Litigation
 DHS Terminates Secure Communities Agreements with States
The Department of Homeland Security informed state governors
that its Secure Communities program intends to terminate agreements
with 40 state and local governments and will continue
biometric data without the permission of local officials. Secure
Communities collects and discloses biometric information
individuals who come into contact with police. The data is used to
determine whether those individuals have prior criminal
whether they are in the US illegally. If so, Immigration and Customs
Enforcement (ICE) often seeks to deport them.
to the letter from Secure Communities director John Morton,
"Once a state or local law enforcement agency voluntarily submits
data to the federal government, no agreement with the state
is legally necessary for one part of the federal government to share
with another part." However, neither Morton nor any official within
Secure Communities, Immigration and Customs Enforcement, or
Security has identified the legal authority permitting the agency's
unilateral termination of the agreements.
letter follows lawmakers' recent criticisms of Secure
Communities. In June 2011, officials in Illinois, New York and
notified DHS that their states would no longer
participate in the program. Also in June, California legislators
urged Governor Jerry Brown to suspend that state's participation, citing
a "crisis of confidence" in Secure Communities. The lawmakers
risks raised by the program and noted, "victims of
domestic violence have been [wrongfully] placed into deportation
the result of Secure Communities when they simply called
the police for help."
In response to concerns that the Secure Communities
crime victims and witnesses and promotes racial and ethnic profiling,
Morton and Homeland Security Director Janet Napolitano have announced
new guidelines and training for ICE officers. Many human rights and
civil liberties groups, including EPIC, have opposed the Secure
Communities program, citing potential privacy and legal violations.
Homeland Security seeks to deploy Secure
ICE: Secure Communities Letter to State Officials (Aug. 2011)
CA State Reps. Roybal-Allard et al.: Letter to Gov. Brown (June 2011)
ICE: Memorandum on Prosecutorial Discretion (June 2011)
ICE: Secure Communities
EPIC: Secure Communities
 New Body Scanner Software No Panacea for TSA Privacy Violations
As part of a Freedom of Information Act (FOIA) lawsuit against the
Transportation Security Administration (TSA), EPIC has obtained an
initial set of documents that describe the new software the agency is
installing on airport millimeter-wave full-body scanners. The heavily
redacted documents include procurement contracts, training materials,
and technical specifications for the software, which shows human forms
as "stick figures" rather than naked bodies. The TSA began testing
the software in 2010, and over the next few months hopes to have it
installed on every currently deployed millimeter-wave body scanner.
The TSA maintains that this modification will mitigate privacy risks
to travelers and provide a better customer experience at
checkpoints. However, EPIC's documents indicate that the new
software still may be capable of storing and transmitting unfiltered
images of naked airline travelers. The documents also indicate that
passengers passing through the machines will be identified by gender
and assigned a unique identification number.
No plan currently exists to install similar software on the more widely
used and more controversial "backscatter" x-ray scanners, although the
TSA plans to conduct tests in Fall 2011.
Documents obtained by EPIC under a previous Freedom of Information Act
lawsuit against the Agency reveal that neither millimeter-wave nor
backscatter scanners are designed to detect powdered explosives
PETN, the explosive used in the failed 2009 Christmas Day "underwear
bomb" plot. EPIC currently is pursuing other FOIA lawsuits
radiation emitted from body scanners as well as the development and use
of mobile body scanners.
EPIC v. TSA: Complaint, Case No. 11-0290 (Feb. 2, 2011)
EPIC v. TSA: Documents Obtained Under FOIA
TSA: Press Release on Passenger Privacy (July 20, 2011)
EPIC: Whole Body Imaging Technology and Body Scanners
 California Protects the Privacy of Consumer Smart Meter Data
The California Public Utility Commission has established new rules to
protect information about consumer use of "smart meter" electrical
services. The California decision, the first in the
fair information practice requirements, including a consumer right of
access and control, data minimization obligations, use and disclosure
limitations, and data quality and integrity requirements. Electric
utilities and their contractors, as well as third parties who receive
electricity usage data from utilities, are subject to the new rules.
However, not all entities will be covered by these rules. Exemptions
include organizations that collect data directly from energy users,
such as appliance and electric vehicle manufacturers whose products
collect consumer energy consumption and product usage, then send data
back to the manufacturer.
In 2010, EPIC submitted extensive comments to the California Public
Utility Commission regarding privacy safeguards for consumer
usage data. In its comments, EPIC said that utility customers should
control the use of personal information generated by
services. Otherwise, EPIC warned, companies may use the data for
purposes not related to electricity delivery, consumption
or payment. EPIC urged the California Commission to include a
requirement limiting the use of personal data by third
offering energy management services. The Commission acknowledged EPIC's
comments in its previous proposed California Smart Grid plan.
EPIC also coordinated extensive comments from a group of 23 NGOs,
legal, and technology experts on the National Institute of Standards
and Technology's 2009 Guidelines for Smart Grid Cyber Security.
Additionally, EPIC Associate Director Lillie Coney testified on Smart
Grids before the House Committee on Science and Technology. In her
prepared statement, Coney told Congress that the "basic architecture of
the Smart Grid presents several thorny privacy issues" and explained
how smart meters and appliances transmitting user data wirelessly
introduced threats to consumers. She also described how strong
security and privacy standards can address the risks of identity
theft, unauthorized access, and individual surveillance.
California Public Utility Commission: Rulemaking (July 28, 2011)
CA Public Utility Commission: Proposed Smart Grid Plan (May 21, 2010)
EPIC: Comments on CA Smart Grid Plan (Mar. 9, 2010)
EPIC: Comments (April 7, 2010)
Comments to NIST (Dec. 1, 2009)
EPIC: Testimony (July 1, 2010)
EPIC: Smart Grid Privacy
 News in Brief
DHS Refuses to Disclose Details of Mobile Body Scanner Technology
New documents released by the Department of Homeland Security
indicate that the agency continues to hide details about body scanners.
In November 2010, EPIC filed a Freedom of Information Act request with
the agency regarding the deployment of body scanners in surface transit
and street-roving vans. In its latest document release, the agency
supplied several pages that were completely redacted. As a result
of the agency's failure to comply with the Freedom of Information
Act, EPIC has filed suit to force disclosure of the records.
EPIC: FOIA Note #20
EPIC: FOIA Request Regarding Mobile Body Scanners (Nov. 24, 2010)
EPIC v. DHS (Mobile Body Scanners)
EPIC: Whole Body Imaging Technology
GAO: Agencies Must Improve Social Networking Privacy, Security
A June 2011 report from the independent, nonpartisan Government
Accountability Office (GAO) recommends that federal agencies "improve
their development and implementation of policies and procedures
managing and protecting information associated with social media use."
Between July 2010 and January 2011, the Government Accountability
Office surveyed 23 federal agencies about their privacy and security
policies. At the time, only half of the agencies had updated
privacy policies to take account of personal information collected
through social media monitoring, while only a quarter
conducted privacy impact assessments of agency social media activities.
The GAO also noted that only seven of the surveyed agencies
identified and documented social-media security risks. In March 2011,
EPIC filed comments regarding DHS's Social Media Monitoring
Situational Awareness Initiative, identifying substantial privacy and
Government Accountability Office: Social Media Report (June 2011)
EPIC: Comments to DHS on Social Media Privacy (March 3, 2011)
EPIC: Social Networking Privacy
TSA Expands Behavioral Profiling at Boston's Logan Airport
The Transportation Security Administration has begun training screeners
at Logan International Airport in Boston to engage in behavioral
profiling of air travelers. The program authorizes Transportation
Security Officers to ask airline passengers personal questions
concerning their travel plans and employment. Some travelers will be
subjected to additional searches based on their responses, including
handwanding, pat-downs, and hand inspection of baggage.
TSA: Behavioral Detection and Profiling
Logan International Airport: Security Information
DHS: Privacy Impact Assessment for the SPOT Program (Aug. 5, 2008)
EPIC: Air Travel Privacy
 EPIC Book Review: 'Nothing to Hide'
"Nothing to Hide: The False Tradeoff between Privacy and Security,"
Privacy law expert Daniel Solove's latest book, "Nothing to Hide: The
False Tradeoff between Privacy and Security," guides readers
clear, thorough, and often cleverly constructed journey through the
history and legal issues surrounding today's security/privacy
dichotomy. Solove's analysis and suggestions, particularly with respect
to revamping Fourth Amendment law, alternate between conservative
radical. Throughout, Solove makes strong and coherent arguments about
how and why US privacy law must keep up with today's rapidly
"Nothing to Hide" is divided into four sections: "Values," "Times of
Crisis," "Constitutional Rights," and "New Technologies." Some
chapters within each section read as if they were originally written as
individual essays and seem only tenuously knit to the whole. Solove
nevertheless maintains logical continuity between his initial
refutation of common anti-privacy rationales (including the titular
"Nothing to Hide" argument) and his ultimate condemnation of
21st-century security policy and technology. Neither individuals nor
society really know or understand what privacy means, he argues, and
without an
of privacy itself, privacy law will always fall short or be subverted.
Solove's focus on Fourth Amendment law reveals not only the
application of the Fourth Amendment in the digital age, but also
demonstrates how technological progress perpetually outstrips
ability to deal with it. One of Solove's examples is the "Third Party
Doctrine," in which your intellectual or physical property falls outside
your Fourth Amendment rights if it is being held by someone other than
you: "The government doesn't need to enter your home to find out what
you're reading and writing - it can get your Web-surfing records from
your ISP, your credit card records, your purchase records from
merchants like Amazon.com. None of this receives Fourth Amendment
protection thanks to the Supreme Court's view that privacy is
equivalent to secrecy," he says.
While Solove lambastes the privacy policies of Google, Facebook,
data miners and the rest of the usual private-sector
suspects, more of his ire is directed at US government policies. He
courts and Congress for being overly deferential to security
experts, and the executive branch for developing, implementing, and
then lying about secretive, invasive or even illegal practices. Nor do
fellow privacy scholars receive gentle treatment: Solove seems
reference experts with whom he disagrees far more often than those with
whom he concurs.
Solove's bleak view of privacy's future at the federal level is only
tempered by his wan hope that an educated, activist citizenry can
convince state and local legislators and judges to enact more
pro-privacy laws. However, the cumulative effect of "Nothing to Hide" is
that Solove perceives himself as a lone defender of privacy and
individual freedoms, a singular thinker whose reasonable ideas are
somehow viewed as too radical to gain traction in a bureaucratic,
obsessively fearful society.
-- Beth Rosenberg
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Privacy Platform Meeting on The Transatlantic Dimension of Data
Protection. Brussels, Belgium, 7 September 2011. For More Information:
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
33rd International Conference of Data Protection and Privacy
Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011.
For more information: http://www.privacyconference2011.org/.
8th Conference on Privacy and Public Access to Court Records.
Sponsored by the College of William and Mary School of Law.
VA, 3-4 November 2011. For More Information:
Workshop on Cryptography for Emerging Technologies and Applications.
NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook
Join the Electronic Privacy Information Center on Facebook
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.16 ------------------------