
EPIC Alert



EPIC Alert 18.19 [2011] EPICAlert 19


=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 18.19                                        September 28, 2011
-----------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Warns Congress of Cybersecurity Risks to Consumers
[2] US, Euro Consumer Groups to Congress: Learn from EU Data Directive
[3] EPIC to Fed. Appeals Court: Stop Covert Video Recording of Workers
[4] Federal Trade Commission Offers New Rules for Kids' Online Privacy
[5] EPIC Slams Homeland Security For ID Regs That Harm The Homeless
[6] News in Brief
[7] Book Review: 'The Privacy Advocates'
[8] Upcoming Conferences and Events

TAKE ACTION: Sign the White House Petition to Abolish the TSA!

- SIGN the Petition:
- WATCH EPIC Discuss TSA on ABC:
- READ EPIC's TSA FOIA Notes:
- SUPPORT EPIC:

=======================================================================
[1] EPIC Warns Congress of Cybersecurity Risks to Consumers
=======================================================================

EPIC participated in a September 14 Congressional hearing entitled "Cybersecurity: Threats to the Financial Sector." The hearing, held by the House Subcommittee on Financial Institutions and Consumer Credit, focused on security problems around financial institutions and consumer data. Several prominent government and private sector officials also testified on two witness panels.

In his prepared testimony, EPIC Executive Director Marc Rotenberg highlighted several recent high-profile data breaches, including those that involved the falsification, or "spoofing," of the SSL digital security certificates used to authenticate websites. Citing reports from the Privacy Rights Clearinghouse, Rotenberg said, "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud."

EPIC provided information to the Subcommittee on fraudulent or stolen digital security certificates as well as other new and emerging threats to consumer data. EPIC also recommended that companies use an "opt-in" approach towards personal information, which would allow consumers more flexibility and would not preempt stronger state data breach legislation.

In June, EPIC's Rotenberg testified before the Senate Banking Committee on Cybersecurity on the growing threat to financial-sector consumer data. At the June hearing, Rotenberg explained how current data protection provisions inadequately safeguard the personal information of consumers, bank customers, and depositors. EPIC recommends that financial institutions minimize data collection in order to promote consumer privacy.

EPIC: Testimony at US House Cybersecurity Hearing (Sept. 14, 2011)

US House Financial Services Committee on Cybersecurity (Sept. 14, 2011)

EPIC: Testimony on the SAFE Data Act (June 15, 2011)

Privacy Rights Clearinghouse: Chronology of Data Breaches

EPIC: Cybersecurity Privacy - Practical Implications

=======================================================================
[2] US, Euro Consumer Groups to Congress: Learn from EU Data Directive
=======================================================================

In a September 14 letter to the US House Subcommittee on Commerce, Manufacturing and Trade, EPIC and other members of the Trans-Atlantic Consumer Dialog (TACD) stressed the EU Data Directive's important role in safeguarding the interests of European consumers and businesses.
TACD, a coalition of 85 American and European consumer organizations, formally requested that the letter be entered into the record of the Subcommittee's September 15 hearing on "Internet Privacy: The Impact and Burden of EU Regulation."

TACD's letter pointed out that "US privacy laws lag woefully behind current technology and business practices", and encouraged Congress to "learn from a fair and balanced review of the EU Data Directive, just as the EU has learned much from the US experience." The letter also emphasized the "great urgency in the need for the US Congress to address meaningfully the new challenges to privacy," adding that the EU Directive provides a "good starting point" for meaningful reform in US privacy laws.

According to the TACD, the EU Data Directive is a concise, "technology-neutral" legal framework that promotes trade, protects privacy, and is less burdensome than many US privacy laws. The TACD letter also noted the spiraling increase in identity theft and security breaches in the United States.

Nicole Y. Lamb-Hale, the Trade Administration's Assistant Secretary for Manufacturing and Services, testified at the September 15 hearing in support of a new US legislative framework for consumer data privacy, stating that "an enhanced U.S. privacy framework would facilitate mutual recognition of commercial data privacy laws around the world."

Trans-Atlantic Consumer Dialogue

TACD: Letter to House Trade Subcommittee (Sept. 14, 2011)

House Energy & Commerce Committee: Hearing on EU (Sept. 15, 2011)

House Energy & Commerce Committee: N. Lamb-Hale (Sept. 15, 2011)

EPIC: EU Data Protection Directive

US Commercial Service: Safe Harbor Program

=======================================================================
[3] EPIC to Fed. Appeals Court: Stop Covert Video Recording of Workers
=======================================================================

EPIC Senior Counsel John Verdi argued September 13 before the Third Circuit Court of Appeals that secretive video surveillance, coupled with the storage and dissemination of sensitive personal information, violates the right to information privacy and should be prohibited.

The appeals case in question, Doe v. Luzerne County, concerns a Jane Doe police deputy who is suing her former employer for privacy violations. According to the plaintiff, in 2007 a coworker secretly captured semi-nude video footage of her during a mandatory decontamination shower. The video footage was then uploaded onto a government computer and released over the municipal network.

There is a dispute over who ordered the filming and whether an order had actually been given. Defendant Barry Stankus, the Luzerne County Sheriff at the time of the incident, stated he ordered Doe's decontamination shower filmed for "training purposes." No instructional film was ever made, but according to the plaintiff, another defendant, Deputy Chief Ryan Foy, showed the footage to other deputies and stored copies on his work computer.

EPIC's Verdi argued that the case "presents novel privacy issues involving new technology" and that "the District Court failed to appreciate the unique damage caused by unlawful disclosures of information over computer networks."

EPIC's "friend of the court" brief on the case reiterates that "such disclosures create particular privacy harms when the images reveal unique physical features, which constitute personally identifiable information." In this case, the name of Ms. Doe's girlfriend was tattooed on her back, thus revealing her sexual orientation.

EPIC has a well-established history of protecting individuals from non-consensual digital imaging and advocating the right to privacy against compelled disclosure of personally identifiable information.
Most recently, EPIC has pursued a lawsuit against the Department of Homeland Security to strike down the Transportation Security Administration's airport body scanner program.

EPIC: Recorded Audio Testimony on Doe v. Luzerne Cty. (Sept. 13, 2011)

EPIC: Doe v. Luzerne County

EPIC: EPIC Amicus Brief on Doe v. Luzerne County (April 14, 2011)

EPIC v. DHS (Suspension of Body Scanner Program)

=======================================================================
[4] Federal Trade Commission Offers New Rules for Kids' Online Privacy
=======================================================================

The Federal Trade Commission has proposed new rules for the Children's Online Privacy Protection Act, or COPPA. The new rules were created in response to changes in technology since the passage of COPPA in 1998, particularly with respect to "an explosion in children's use of mobile devices". EPIC Executive Director Marc Rotenberg stated that the new rules are "a well-reasoned and innovative approach to online privacy."

COPPA's new rules broaden the definition of Personally Identifiable Information to include geolocation information, facial recognition technology, and other identifiers such as cookies and IP addresses. Other new provisions are data minimization requirements, which require web sites that collect personal information to retain it "for only as long as is reasonably necessary," and then delete the information entirely. Finally, the Commission recommends changes to the method of parental consent, replacing email with digitally scanned forms, videoconferencing, and verifying government-issued identification.

Cookies and other persistent identifiers "expose Internet users' personal information to marketers, advertisers, and others without users' knowledge," EPIC wrote in comments submitted to the Commission in 2010. Moreover, EPIC stated, children's increasing use of mobile devices "necessitates that locational information . . . be expressly enumerated" in the definition of personal information. Children are particularly vulnerable because they "lack the maturity and sophistication to appreciate the privacy consequences of their online activities."

In 2010, EPIC testified before the Senate Committee on Commerce, Science, and Transportation and submitted comments to the FTC regarding the implementation of COPPA. At the time, EPIC recommended that "location information associated with an individual child should be included in the categories of personal information," and that the age requirement be raised from 13 to 18.

FTC: News Release on Changes to COPPA (Sept. 15, 2011)

FTC: Text of New COPPA Rules (Sept. 2011)

EPIC: Comments to the FTC on COPPA Rule Review (July 2010)

EPIC: Testimony Before US Senate on COPPA (April 2010)

=======================================================================
[5] EPIC Slams Homeland Security For ID Regs That Harm The Homeless
=======================================================================

EPIC filed comments September 16 against the Department of Homeland Security's REAL ID compliance requirements, noting the recent death of former college basketball legend Lewis Brown. Brown, who was suffering from cancer and homeless, could not afford the government-issued identification card required to fly from Los Angeles to New York to see his family. He subsequently died on a Los Angeles sidewalk.

In the comments, EPIC cited Homeland Security's overruling of the State of California's written objections to the REAL ID laws, which would have enabled Brown to travel. EPIC stated that "the Department of Homeland Security should collect information regarding the burden imposed on the public resulting from the agency's identity requirements. Documented burdens include the inability to travel, which may adversely impact health or lead to loss of life."

REAL ID prohibits individuals without compliant identification cards from flying on commercial airlines.
A number of states have objected to REAL ID as an unfunded mandate that unnecessarily increases both the cost of state-issued identification cards and their attendant privacy and security risks. Despite such objections, Homeland Security has set January 15, 2013, as the nationwide deadline for national REAL ID compliance.

EPIC's comments demand "a rigorous, transparent review of the actual costs of REAL ID, including the possible loss of life that results from a mandatory document requirement that prevents routine travel", and recommends that DHS should report annually on the number of citizens prevented from seeing family members because of REAL ID regulations.

Homeland Security was required to solicit public comments in compliance with the legal obligations laid out in the Privacy Act of 1974.

EPIC: Comments to DHS on REAL ID (Sept. 15, 2011)

Department of Homeland Security: REAL ID Regulations

NY Times: Faded Basketball Prodigy Dies Homeless (Sept. 16, 2011)

EPIC: Real ID

=======================================================================
[6] News in Brief
=======================================================================

EPIC Asks Court for DHS Disclosure of Mobile Body Scanner Documents

EPIC has filed a motion for summary judgment in EPIC v. DHS, a Freedom of Information Act case against the Department of Homeland Security involving the agency's planned expansion of the body scanner program into mobile devices. EPIC has asked the US District Court for the District of Columbia to force Homeland Security to disclose documents that include all communications with body scanner manufacturer Rapiscan and other scanner vendors. EPIC has previously obtained hundreds of pages of documents describing how the agency is exploring the use of body scanners on individuals who travel by train, attend sporting events, enter federal buildings, or travel along public highways.

EPIC: Motion for Summary Judgment in EPIC v. DHS (Sept. 22, 2011)

EPIC: FOIA Information on Mobile Body Scanners

EPIC: Full FOIA Note #20 on Body Scanners

EPIC: FOIA Note #20 (Aug. 15, 2011)

EPIC: Body Scanner Technology

Sen. Schumer Calls for Probe into "Brazen" OnStar Privacy Violations

Senator Charles Schumer (D-NY) has written a letter to the Federal Trade Commission, requesting an investigation into OnStar's announcement that it would track the location of customer vehicles even after customers cancel their service. OnStar has also reserved the right to sell such locational information to advertisers. In a same-day interview with Dallas, TX, FOX News affiliate KDFW, EPIC Executive Director Marc Rotenberg warned that OnStar would make data on former customers available to third parties. "They are gathering lots and lots of data about their subscribers, making that data available to third parties for research, for commercial sales," Rotenberg said.

Sen. Charles Schumer: OnStar Press Release and Letter (Sept. 22, 2011)

OnStar LLC: Privacy Policy

KDFW: "OnStar to Collect Data on All Its Vehicles" (Sept. 22, 2011)

EPIC: Locational Privacy

Netflix Attacks Consumer Privacy Law

In a September 22 blog entry, Netflix announced that it has launched a lobbying campaign against the federal Video Privacy Protection Act of 1988, which safeguards consumer video rental information. Netflix, already under fire for hikes in rental prices and the subsequent division of its DVD rentals and streaming services into two separate companies, claims that the privacy law prevents Facebook users from posting information about Netflix on their Facebook pages. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has spent almost $200,000 in lobbying in 2011, up from $20,000 for all of 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection."
The Act includes exceptions for user consent, which means that Facebook users are free to disclose information about the videos they rent. However, Netflix is asking for "blanket consent" so that all Netflix use will be posted routinely to Facebook.

Netflix: Blog Entry: "Watch This Now: Netflix and Facebook" (Sept. 22, 2011)

Netflix Lobbying Efforts, by Dollar Amount and Year

EPIC: Video Privacy Protection Act

Google: EU Wi-Fi Owners Can Opt Out of StreetView Registry

In response to mounting discontent from European privacy regulators, Google announced September 13 that it will allow EU owners of Wi-Fi access points to opt out of Google's location services registry. Google's locational products utilize data from nearby GPSes, cell towers, and Wi-Fi routers to provide users with targeted advertising and local content. Wi-Fi owners still must opt out deliberately to prevent Google's services from using their access points. However, Google's new agreement appears to be part of a conciliatory trend; EU regulators have claimed previously that Google's unauthorized locational data collection violates European privacy law. Google plans to roll out similar opt-out preferences worldwide.

Google: 'A New Option for Location-Based Services'

EPIC: Locational Privacy

EPIC: Google StreetView

=======================================================================
[7] EPIC Book Review: 'The Privacy Advocates'
=======================================================================

"The Privacy Advocates: Resisting the Spread of Surveillance," Colin J. Bennett

Privacy, like love, is a many-splendored thing. In "The Privacy Advocates," Colin J. Bennett, a Political Science professor at the Canadian University of Victoria, provides a wide range of complex but understandable categories in which privacy can be "framed," or corralled and examined closely. Despite a tendency to read more like a sociological survey than a call to mobilization, "The Privacy Advocates" is entertaining and even gossipy, full of name-dropping and frank adulation for privacy luminaries. More importantly, the book is able to galvanize readers into becoming active participants in one of this era's increasingly critical sociopolitical issues.

"The Privacy Advocates," first published in 2008, remains apropos and contemporary. The book is primarily a historical and conceptual work, and post-publication events like the Obama election and Facebook's ascendancy are largely irrelevant to the larger context. Most of Google's privacy-suspect platforms, including StreetView and targeted advertising, were all available in 2008; so were backscatter X-ray machines.

Despite his requisite focus on US-centric topics like Google and the anti-privacy excesses of the George W. Bush administration, Bennett doesn't limit himself to US privacy efforts. He identifies non-governmental privacy advocacy as a fundamentally American phenomenon, but devotes both space and respect to the history of international privacy activism since the 1970s, including half a chapter describing the 1980s privacy protests in Germany and Australia.

Bennett argues that successful privacy efforts must incorporate more than one category of privacy advocate (e.g., civil libertarians, journalists, technologists, consumer activists), form of persuasion (symbolic and "leverage" politics, reportage and fact-finding), and means of networking (Net activism, coalitions, campaigns). Only then will enough stakeholders be reached and persuaded.

Combating privacy erosion is not "a continual game of 'whack a mole,'" he says. Instead, the future of the privacy network lies in "the persistent, relentless, and informed articulation of the very simple proposition that individuals have a right to control the information that relates to them." And who won't sign on to that?

-- EC Rosenberg

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For More Information:

33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011. For more information:

8th Conference on Privacy and Public Access to Court Records. Sponsored by the College of William and Mary School of Law. Williamsburg, VA, 3-4 November 2011. For More Information:

2nd Annual GridWise(R) Global Forum, Co-Hosted by the GridWise(R) Alliance and the US Dept. of Energy. Washington, DC, 8-10 November 2011. For More Information:

Workshop on Cryptography for Emerging Technologies and Applications. NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.19 ------------------------
