EPIC Alert 18.17
E P I C A l e r t
Volume 18.17 August 31, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Files for Rehearing in Airport Body Scanner Case
 FTC Finds Mobile Phone App Violated Children's Privacy Law
 Facebook Makes Some Changes, Privacy Complaints Still Pending
 Twitter Adopts Privacy-Enhancing Default to HTTPS
 German DPA Asks for Removal of Facebook 'Like' Button on .de Sites
 News in Brief
 EPIC Bookstore
 Upcoming Conferences and Events
Facebook Privacy 2011!
- READ EPIC's complaint to FTC: http://epic.org/redirect/062011FB.html
- WATCH EPIC on ABC Nightline: http://epic.org/redirect/062011FB.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Files for Rehearing in Airport Body Scanner Case
Citing significant errors in an earlier decision, EPIC has
the District of Columbia Circuit Court of Appeals to rehear EPIC's
challenge to the Transportation Safety Administration's
body scanner program. EPIC is challenging both the factual and legal
conclusions of the court. "The court overstated the effectiveness of
the body scanner devices and understated the degree of the privacy
intrusion to the traveling public," stated EPIC Executive Director
EPIC's petition for rehearing highlights the distinction between the
images viewed by TSA officials and the raw, naked images captured by
the body scanner devices. According to documents EPIC obtained via the
Freedom of Information Act (FOIA) - including technical specifications,
vendor contracts, and hundreds of complaints from US air travelers
about the body scanners - the agency specifically designed the devices
to capture, store, and transfer naked images of screened individuals.
The TSA claims to filter the images, but in a related suit against the
United States Marshals Service, EPIC obtained 35,000 of the original,
images from a single body scanner operated in a courthouse.
EPIC's petition also challenges the finding that the scanners detect
"liquid and powders." As a factual matter, the finding was never
established, nor did the TSA itself make any such claims.
further argues that the court wrongly concluded that the TSA is
not subject to a federal privacy law that prohibits video voyeurism.
The panel of judges found that TSA body scanner employees are "engaged
in law enforcement activity," contrary to the TSA's own regulations,
which state that the Transportation Security Officials who conduct the
airport screening are not engaged in law enforcement activity.
EPIC did not challenge the court's determination that the TSA
unlawfully failed to provide an opportunity for public comment on
controversial screening program, or that travelers have a right to
opt-out of airport body scanners.
EPIC: Petition for Rehearing or Rehearing En Banc (Aug. 29, 2011)
EPIC v. DHS: Original Opinion (July 15, 2011)
EPIC: Opening Brief (Nov. 2010)
EPIC: EPIC v. DHS
EPIC: Whole Body Imaging Technology
 FTC Finds Mobile Phone App Violated Children's Privacy Law
In the first privacy settlement involving a mobile application,
Innovations, a CA-based mobile-phone game developer, has settled
charges with the Federal Trade Commission for violations of the
Children's Online Privacy Protection Act (COPPA). The Commission
imposed a fine of $50,000 against the company for "illegally collecting
and disclosing personal information from tens of thousands of children
under age 13 without their parents' prior consent."
LLC, doing business as Broken Thumbs Apps, develops and
distributes mobile apps for the iPhone and iPod touch that allow users
play games and share information online. The FTC's complaint charged
that W3 Innovations and company president and owner Justin Maples
distributed iPhone/iPod Touch apps that collected and maintained
thousands of email addresses from users. Many of these apps are
towards young children and were listed in the "Games-Kids" section of
Apple Inc.'s App Store. Titles include "Emily's Girl
Dress Up," "Emily's Dress Up & Shop" and "Emily's Runway High Fashion."
"The FTC's COPPA Rule requires parental notice and consent before
collecting children's personal information online, whether through a
website or a mobile app," said Commission Chairman Jon Leibowitz via
the FTC's web site. "Companies must give parents the opportunity to
make smart choices when it comes to their children's sharing of
information on smart phones."
EPIC previously testified before the Senate Commerce Committee and
comments to the FTC on the need to update COPPA and to
clarify the law's application to mobile and social networking services.
FTC: Press Release on COPPA Ruling (Aug. 15, 2011)
EPIC: Testimony before US Senate on COPPA (April 29, 2010)
EPIC: Comments to the FTC on COPPA (July 9, 2010)
EPIC: Children's Online Privacy Protection Act
 Facebook Makes Some Changes, Privacy Complaints Still Pending
In response to several complaints filed by EPIC with the Federal Trade
Commission, Facebook announced August 23 that it would make some
changes in its business practices, including providing more accurate
information about the disclosure of user data and new safeguards for
Privacy controls for sharing photos, posts, and other content now will
be inside user profile and status pages instead of on a separate page.
have greater flexibility in selecting who sees each
individual piece of information, and can now approve or deny "tags"
they appear public. However, Facebook now routinely posts
location and status updates; a user no longer has the ability to
EPIC, along with other privacy organizations including the Center for
Digital Democracy, Consumer Watchdog, and the
Clearinghouse, have filed several complaints with the Commission about
Facebook's automated tagging of users, changes in Privacy settings, and
transfers of personal data, stating that Facebook's practices were
"unfair and deceptive." In the June 2011 FTC complaint about Facebook's
new automated facial recognition feature, EPIC alleged that "[u]sers
could not reasonably have known that Facebook would use their photos to
build a biometric database in order to implement a facial recognition
technology under the control of Facebook."
In response to a July 2011 letter from Connecticut Attorney General
George Jepsen, Facebook agreed to run ads that link users to their
privacy settings and show them how to opt-out of Facebook's facial
recognition program. The ads are new, but Facebook has failed to
implement an opt-in model for its facial recognition technology. Even
if a user is able to opt-out of being tagged in photos, there is no way
to opt-out of being added to Facebook's facial recognition biometric
EPIC's complaints at the FTC are still pending.
Facebook: Announcement on Privacy Controls (Aug. 23, 2011)
Facebook: Description of New Privacy Controls (Aug. 2011)
Connecticut AG: Press Release (July 26, 2011)
EPIC: Facebook Complaint to FTC (June 10, 2011)
EPIC: Facebook Privacy
EPIC: Facial Recognition
Facebook: Making Photo Tagging Easier
 Twitter Adopts Privacy-Enhancing Default to HTTPS
Twitter announced August 23 that it will implement HTTPS functionality
by default in order to encrypt data and protect privacy for
Twitter users. HTTPS is an Internet protocol allowing web servers to
use encryption to securely transfer and display content.
policy promotes enhanced privacy for Twitter users, particularly when
the service is accessed through public Internet access points. However,
because default HTTPS will be phased in gradually, users should still
specify "Always use HTTPS" in their
Twitter's policy change stems from several security incidents in early
2011, including two in which hackers gained administrative control of
the popular web site. After these attacks, the Federal Trade Commission
investigated Twitter's business practices, resulting in a settlement
agreement that requires Twitter to stop "misleading consumers about the
extent to which it protects the security, privacy, and confidentiality
of nonpublic consumer information."
As a further condition of the settlement, Twitter is required to
maintain a "comprehensive information security program" for a period of
10 years. Every violation of the settlement could cost Twitter up to
In 2009, EPIC pointed out the importance of default HTTPS in a
complaint to the Commission about Google's Cloud Computing Services.
EPIC cited the growing dependence of American consumers, businesses,
and federal agencies on cloud computing, and urged the Commission to
take "such measures as are necessary" to ensure the safety and security
of information for Cloud Computing services.
Twitter: Notice on Using HTTPS for Improved Security (Aug. 23, 2011)
FTC: Press Release on Twitter Settlement (Mar. 11, 2011)
EPIC: Complaint to FTC on Cloud Computing (Mar. 17, 2009)
EPIC: Social Networking Privacy
EPIC: In Re Google and Cloud Computing
 German DPA Asks for Removal of Facebook 'Like' Button on .de Sites
Thilo Weichert, Data Protection Authority commissioner for the German
state of Schleswig-Holstein, has called on web site owners in his state
to remove Facebook "Like" buttons. Sites that do not comply by the end
of September 2011 could face a formal complaint, a prohibition order,
and/or a penalty fine that may reach
After conducting a thorough legal and technical analysis in conjunction
with the Independent Centre for Privacy Protection
concluded that when users click the "Like" button on web pages, traffic
and content data are transferred to Facebook's
"Whoever visits facebook.com or uses a plug-in must expect that he or
she will be tracked by the company for two years. Facebook builds a
broad individual - and for members even a personalized - profile,"
said Weichert. ULD considers such profiling an infringement of German
and European data protection law.
In recent weeks, Germany has issued several statements against
German data protection authorities have said that Facebook's
new facial recognition feature is illegal and have asked the site to
remove it and delete all related information: "[E]ven if Facebook was
offering a user-friendly method to opt-out, it would not meet
or European data protection requirements. For storage of biometrics a
pre-issued, unambiguous consent by the affected is
Authorities also have demanded that network users have more control
over their e-mail address books in Facebook's "Friend
EPIC has written several complaints to the Federal Trade Commission
regarding Facebook's privacy infringements and is awaiting determination
by the agency.
German Data Protection Commissioner: Press Release (Aug. 8, 2011)
Hamburg, Germany DPC: Press Release (Aug. 2, 2011)
EPIC: Facebook Facial Recognition
EPIC: In Re Facebook (I) (Dec. 17, 2009)
EPIC: In Re Facebook (II) (May 5, 2010)
 News in Brief
EPIC's Verdi to Argue Privacy Case in Federal Court of Appeals
The Third Circuit Court of Appeals has granted EPIC's request to
in support of a Jane Doe police deputy in Luzerne County, PA, who is
suing to recover monetary damages for privacy violations.
argument, EPIC Senior Counsel John Verdi will urge the court to hold
that the Luzerne County Sheriff's Department violated
Constitutional right to informational privacy when a coworker captured
semi-nude video footage without her consent during
decontamination shower. The 2007 footage was uploaded onto a government
computer. EPIC has filed an amicus brief in the Third Circuit Court of
Appeals arguing that the case implicates "freedom, intimacy, autonomy,
and human dignity." EPIC has filed similar briefs in other cases,
including NASA v. Nelson, decided by the Supreme Court earlier this
year. Oral argument is scheduled for September 13 in Philadelphia.
EPIC: Doe v. Luzerne
EPIC's amicus brief in Doe v. Luzerne
EPIC Settles Street View Case with Federal Trade Commission
EPIC and the Federal Trade Commission have agreed to settle an open
government lawsuit regarding the Commission's decision to close the
investigation of Google Street View. EPIC sought documents from
after members of Congress urged the Commission to pursue an aggressive
investigation and privacy agencies worldwide determined
violated national privacy laws. In 2010 and 2011 the Federal Trade
Commission provided EPIC with documents suggesting that the agency
believed it lacked enforcement authority over Google. However, the 2010
closing letter in the case also indicated that the Commission never
undertook an independent investigation to determine whether other
violations of law may have occurred.
The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011).
Reps. Barton and Markey's Letter to FTC Chairman Leibowitz (May
FTC Consumer Protection Office: Street View Closing Letter (Oct. 2010)
EPIC: Google Street View
Federal Judge: Locational Data Protected Under Fourth Amendment
A federal district judge ruled August 22 that law enforcement
must have a warrant to access cell phone locational data. Judge
Nicholas Garaufis of the Eastern District of New York found
"The fiction that the vast majority of the American population consents
to warrantless government access to the records ... of their movements
by 'choosing' to carry a cell phone must be rejected .... In light of
drastic developments in technology, the Fourth Amendment doctrine must
evolve to preserve cell-phone user's reasonable expectation of privacy
in cumulative cell-site-location records." Courts are divided regarding
whether historical mobile phone data, including location, should be
protected by a warrant requirement. EPIC has filed amicus briefs in
several related cases.
US Dist. Court, Eastern NY: Ruling on Cell Phone Data (Aug.
Judge Nicholas G. Garaufis
EPIC: Commonwealth v. Connolly
EPIC: US v. Jones
EPIC: Locational Privacy
Israel Grants Google Street View Conditional Approval
The Israeli Justice Ministry has granted Google conditional approval to
use its Street View mapping service in Israel. In return, Google has
accepted several limitations, including allowing Israeli citizens
request further blurring of buildings and license plates, accepting
Israeli legal rulings in any lawsuit, providing information
public about the service, and applying "privacy by design." Other
countries, including the UK, France, and Spain, have determined
Google broke privacy laws when Street View cars collected wi-fi data
from private wireless networks. In the US, the Federal
Commission launched an investigation after EPIC filed a complaint
asking the Commission to investigate violations of federal wiretap law
and the US Communications Act.
Israeli Justice Ministry: Google Street View Information (Aug. 2011)
EPIC: Google Street View Complaint (May 18, 2010)
FCC Chairman: Response to Reps. Rogers, Barrow et al. (June 22, 2011)
EPIC: Google Street View
EPIC Moderates #PrivChat on Twitter
EPIC has taken over as the new moderator and co-host, with Privacy
Camp, of #PrivChat, a weekly Twitter chat that explores developments
in the privacy world. #PrivChat takes place every Tuesday at 12:00 PM
EST and typically lasts for 45 minutes. Participants include lawyers,
advocates, industry representatives, technical and security experts,
individuals and organizations interested in privacy.
Discussion topics may be submitted on Twitter using the #PrivChat
hash tag in advance of the meeting. Weekly topics will be posted one
hour prior to the beginning of each #PrivChat, at 11:00 AM EST.
will be retained and posted afterward.
EPIC: PrivChat Archives
 EPIC Bookstore
"Litigation Under the Federal Open Government Laws 2010," edited by
Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Privacy Platform Meeting on The Transatlantic Dimension of Data
Protection. Brussels, Belgium, 7 September 2011. For More Information:
5th Annual International Right-to-Know Day Celebration. American
University Law School, Washington, DC, 28 September 2011. For
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
33rd International Conference of Data Protection and Privacy
Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011.
For more information: http://www.privacyconference2011.org/.
8th Conference on Privacy and Public Access to Court Records.
Sponsored by the College of William and Mary School of Law.
VA, 3-4 November 2011. For More Information:
Workshop on Cryptography for Emerging Technologies and Applications.
NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 12:00pm ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.17 ------------------------