EPIC Alert 18.19
E P I C A l e r t
Volume 18.19 September 28, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Warns Congress of Cybersecurity Risks to Consumers
 US, Euro Consumer Groups to Congress: Learn from EU Data Directive
 EPIC to Fed. Appeals Court: Stop Covert Video Recording of Workers
 Federal Trade Commission Offers New Rules for Kids' Online
 EPIC Slams Homeland Security For ID Regs That Harm The Homeless
 News in Brief
 Book Review: 'The Privacy Advocates'
 Upcoming Conferences and Events
TAKE ACTION: Sign the White House Petition to Abolish the TSA!
- SIGN the Petition: http://epic.org/redirect/092711-sign-tsa.html
- WATCH EPIC Discuss TSA on ABC: http://epic.org/redirect/092711ts.html
- READ EPIC's TSA FOIA Notes: http://epic.org/redirect/092711-foia.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Warns Congress of Cybersecurity Risks to Consumers
EPIC participated in a September 14 Congressional hearing
"Cybersecurity: Threats to the Financial Sector." The hearing, held by
the House Subcommittee on Financial Institutions and Consumer Credit,
focused on security problems around financial institutions and
consumer data. Several prominent government and private sector
officials also testified on two witness panels.
In his prepared testimony, EPIC Executive Director Marc Rotenberg
highlighted several recent high-profile data breaches, including those
that involved the falsification, or "spoofing," of the SSL
security certificates used to authenticate websites. Citing reports
from the Privacy Rights Clearinghouse, Rotenberg said,
on financial institutions produce both direct and indirect costs for
consumers who must contend with the risk of identity theft and
EPIC provided information to the Subcommittee on fraudulent or stolen
digital security certificates as well as other new and emerging threats
to consumer data. EPIC also recommended that companies use an "opt-in"
personal information, which would allow consumers more
flexibility and would not preempt stronger state data breach
In June, EPIC's Rotenberg testified before the Senate Banking Committee
on Cybersecurity on the growing threat to financial-sector
data. At the June hearing, Rotenberg explained how current data
protection provisions inadequately safeguard the personal
of consumers, bank customers, and depositors. EPIC recommends that
financial institutions minimize data collection in order to promote
EPIC: Testimony at US House Cybersecurity Hearing (Sept. 14, 2011)
US House Financial Services Committee on Cybersecurity (Sept. 14, 2011)
EPIC: Testimony on the SAFE Data Act (June 15, 2011)
Privacy Rights Clearinghouse: Chronology of Data Breaches
EPIC: Cybersecurity Privacy - Practical Implications
 US, Euro Consumer Groups to Congress: Learn from EU
In a September 14 letter to the US House Subcommittee on Commerce,
Manufacturing and Trade, EPIC and other members of the Trans-Atlantic
Consumer Dialogue (TACD) stressed the EU Data Directive's important role
in safeguarding the interests of European consumers and businesses.
TACD, a coalition of 85 American and European consumer organizations,
formally requested that the letter be entered into the record of the
September 15 hearing on "Internet Privacy: The Impact and Burden of EU
Regulation."
TACD's letter pointed out that "US privacy laws lag woefully behind
current technology and business practices", and encouraged Congress to
"learn from a fair and balanced review of the EU Data Directive, just
as the EU has learned much from the US experience." The letter also
emphasized the "great urgency in the need for the US Congress to
address meaningfully the new challenges to privacy," adding that the
EU Directive provides a "good starting point" for meaningful reform in
US privacy laws.
According to the TACD, the EU Data Directive is a concise, "technology-
neutral" legal framework that promotes trade, protects privacy, and is
less burdensome than many US privacy laws. The TACD letter
the spiraling increase in identity theft and security breaches in the
Nicole Y. Lamb-Hale, the Trade Administration's Assistant Secretary for
Manufacturing and Services, testified at the September 15 hearing in
support of a new US legislative framework for consumer data privacy,
stating that "an enhanced U.S. privacy framework would facilitate
mutual recognition of commercial data privacy laws around the world."
Trans-Atlantic Consumer Dialogue
TACD: Letter to House Trade Subcommittee (Sept. 14, 2011)
House Energy & Commerce Committee: Hearing on EU (Sept. 15, 2011)
House Energy & Commerce Committee: N. Lamb-Hale (Sept. 15, 2011)
EPIC: EU Data Protection Directive
US Commercial Service: Safe Harbor Program
 EPIC to Fed. Appeals Court: Stop Covert Video Recording
EPIC Senior Counsel John Verdi argued September 13 before the Third
Circuit Court of Appeals that secretive video surveillance, coupled
with the storage and dissemination of sensitive
violates the right to information privacy and should be prohibited.
The appeals case in question, Doe v. Luzerne County, concerns a Jane
Doe police deputy who is suing her former employer for privacy
According to the plaintiff, in 2007 a coworker secretly captured
semi-nude video footage of her during a mandatory decontamination shower.
footage was then uploaded onto a government computer and
released over the municipal network. There is a dispute over who
the filming and whether an order had actually been given.
Defendant Barry Stankus, the Luzerne County Sheriff at the time of the
incident, stated he ordered Doe's decontamination shower filmed for
"training purposes." No instructional film was ever made, but
to the plaintiff, another defendant, Deputy Chief Ryan Foy, showed the
footage to other deputies and stored copies on his work computer.
EPIC's Verdi argued that the case "presents novel privacy issues
involving new technology" and that "the District Court failed to
appreciate the unique damage caused by unlawful disclosures of
information over computer networks." EPIC's "friend of the court" brief
on the case reiterates that "such disclosures create particular privacy
harms when the images reveal unique physical features, which constitute
personally identifiable information." In this case, the name of Ms.
Doe's girlfriend was tattooed on her back, thus revealing her sexual
EPIC has a well-established history of protecting individuals from
digital imaging and advocating the right to privacy
against compelled disclosure of personally identifiable information.
EPIC has pursued a lawsuit against the Department of
Homeland Security to strike down the Transportation Security
airport body scanner program.
EPIC: Recorded Audio Testimony on Doe v. Luzerne Cty. (Sept. 13, 2011)
EPIC: Doe v. Luzerne County
EPIC: EPIC Amicus Brief on Doe v. Luzerne County (April 14, 2011)
EPIC v. DHS (Suspension of Body Scanner Program)
 Federal Trade Commission Offers New Rules for Kids'
The Federal Trade Commission has proposed new rules for the Children's
Online Privacy Protection Act, or COPPA. The new rules were created in
response to changes in technology since the passage of COPPA in 1998,
particularly with respect to "an explosion in children's use of mobile
devices". EPIC Executive Director Marc Rotenberg stated that the new
rules are "a well-reasoned and innovative approach to online privacy."
rules broaden the definition of Personally Identifiable
Information to include geolocation information, facial recognition
and other identifiers such as cookies and IP addresses.
Other new provisions are data minimization requirements, which require
web sites that collect personal information to retain it "for only as
long as is reasonably necessary," and then delete the information
entirely. Finally, the Commission recommends changes to the method
of parental consent, replacing email with digitally scanned
videoconferencing, and verifying government-issued identification.
Cookies and other persistent identifiers "expose Internet
personal information to marketers, advertisers, and others without
users' knowledge," EPIC wrote in comments submitted to
in 2010. Moreover, EPIC stated, children's increasing use of mobile
devices "necessitates that locational information . . . be expressly
enumerated" in the definition of personal information. Children are
particularly vulnerable because they "lack the maturity and
sophistication to appreciate the privacy consequences of their online
In 2010, EPIC testified before the Senate Committee on Commerce,
Science, and Transportation and submitted comments to the FTC
regarding the implementation of COPPA. At the time, EPIC
recommended that "location information associated with an individual
child should be included in the categories of personal information,"
and that the age requirement be raised from 13 to 18.
FTC: News Release on Changes to COPPA (Sept.
FTC: Text of New COPPA Rules (Sept. 2011)
EPIC: Comments to the FTC on COPPA Rule Review (July 2010)
EPIC: Testimony Before US Senate on COPPA (April 2010)
 EPIC Slams Homeland Security For ID Regs That Harm
EPIC filed comments September 16 against the Department of Homeland
Security's REAL ID compliance requirements, noting the recent death of
former college basketball legend Lewis Brown. Brown, who was suffering
from cancer and homeless, could not afford the government-issued
identification card required to fly from Los Angeles to New York to see
his family. He subsequently died on a Los Angeles sidewalk.
In the comments, EPIC cited Homeland Security's overruling of the State
of California's written objections to the REAL ID laws, which would
have enabled Brown to travel. EPIC stated that "the Department of
Homeland Security should collect information regarding the burden
imposed on the public resulting from the agency's identity
requirements. Documented burdens include the inability to travel,
which may adversely impact health or lead to loss of life."
REAL ID prohibits individuals without compliant identification cards
from flying on commercial airlines. A number of states have objected
to REAL ID as an unfunded mandate that unnecessarily increases both
the cost of state-issued identification cards and their attendant
privacy and security risks. Despite such objections, Homeland Security
has set January 15, 2013, as the nationwide deadline for national REAL
EPIC's comments demand "a rigorous, transparent review of
costs of REAL ID, including the possible loss of life that results from
a mandatory document requirement that prevents routine travel", and
recommend that DHS should report annually on the number of citizens
prevented from seeing family members because of REAL ID regulations.
Homeland Security was required to solicit public comments in compliance
with the legal obligations laid out in the Privacy Act of 1974.
EPIC: Comments to DHS on REAL ID (Sept. 15, 2011)
Department of Homeland Security: REAL ID Regulations
NY Times: Faded Basketball Prodigy Dies Homeless (Sept. 16, 2011)
EPIC: Real ID
 News in Brief
EPIC Asks Court for DHS Disclosure of Mobile Body Scanner Documents
EPIC has filed a motion for summary judgment in EPIC v. DHS,
of Information Act case against the Department of Homeland Security
involving the agency's planned expansion of the body scanner program
devices. EPIC has asked the US District Court for the
District of Columbia to force Homeland Security to disclose documents
include all communications with body scanner manufacturer Rapiscan
and other scanner vendors. EPIC has previously obtained hundreds
pages of documents describing how the agency is exploring the use of
body scanners on individuals who travel by train, attend
events, enter federal buildings, or travel along public highways.
EPIC: Motion for Summary Judgment in EPIC v. DHS (Sept. 22, 2011)
EPIC: FOIA Information on Mobile Body Scanners
EPIC: Full FOIA Note #20 on Body Scanners
EPIC: FOIA Note #20 (Aug. 15, 2011)
EPIC: Body Scanner Technology
Sen. Schumer Calls for Probe into "Brazen" OnStar Privacy Violations
Senator Charles Schumer (D-NY) has written a letter to the
Trade Commission, requesting an investigation into OnStar's
announcement that it would track the location of customer vehicles
even after customers cancel their service. OnStar has also reserved the
right to sell such locational information to advertisers.
In a same-day interview with Dallas, TX, FOX News affiliate KDFW, EPIC
Executive Director Marc Rotenberg warned that OnStar would make data on
former customers available to third parties. "They are gathering lots
and lots of data about their subscribers, making that data available to
third parties for research, for commercial sales," Rotenberg said.
Sen. Charles Schumer: OnStar Press Release and Letter (Sept. 22, 2011)
KDFW: "OnStar to Collect Data on All Its Vehicles" (Sept. 22, 2011)
EPIC: Locational Privacy
Netflix Attacks Consumer Privacy Law
In a September 22 blog entry, Netflix announced that it has launched a
against the federal Video Privacy Protection Act of
1988, which safeguards consumer video rental information. Netflix,
under fire for hikes in rental prices and the subsequent
division of its DVD rentals and streaming services into two separate
claims that the privacy law prevents Facebook users from
posting information about Netflix on their Facebook pages. According to
OpenSecrets, operated by the Center for Responsive Politics, Netflix
has spent almost $200,000 in lobbying in 2011, up from $20,000
of 2009. EPIC has described the Video Privacy Protection Act as "one of
the strongest protections of consumer privacy against a specific form
of data collection." The Act includes exceptions for user consent,
which means that Facebook users are free to disclose information about
the videos they rent. However, Netflix is asking for "blanket consent"
so that all Netflix use will be posted routinely to Facebook.
Netflix: Blog Entry: "Watch This Now: Netflix and Facebook" (Sept. 22, 2011)
opensecrets.org: Netflix Lobbying Efforts, by Dollar Amount and Year
EPIC: Video Privacy Protection Act
Google: EU Wi-Fi Owners Can Opt Out of StreetView Registry
In response to mounting discontent from European privacy regulators,
Google announced September 13 that it will allow EU owners of Wi-Fi
access points to opt out of Google's location services registry.
Google's locational products utilize data from nearby GPSes, cell
towers, and Wi-Fi routers to provide users with targeted advertising
and local content. Wi-Fi owners still must opt out deliberately to
prevent Google's services from using their access points. However,
Google's new agreement appears to be part of a conciliatory trend; EU
regulators have claimed previously that Google's unauthorized
locational data collection violates European privacy law. Google plans
to roll out similar opt-out preferences worldwide.
'A New Option for Location-Based Services'
EPIC: Locational Privacy
EPIC: Google StreetView
 EPIC Book Review: 'The Privacy Advocates'
"The Privacy Advocates: Resisting the Spread of Surveillance,"
Colin J. Bennett
Privacy, like love, is a many-splendored thing. In "The Privacy
Advocates," Colin J. Bennett, a Political Science professor at
Canadian University of Victoria, provides a wide range of complex but
understandable categories in which privacy can be "framed,"
corralled and examined closely. Despite a tendency to read more like a
sociological survey than a call to mobilization, "The
Advocates" is entertaining and even gossipy, full of name-dropping and
frank adulation for privacy luminaries. More importantly, the book is
able to galvanize readers into becoming active participants in one of
this era's increasingly critical sociopolitical
"The Privacy Advocates," first published in 2008, remains apropos and
contemporary. The book is primarily a historical and conceptual work,
and post-publication events like the Obama election and Facebook's
ascendancy are largely irrelevant to the larger context. Most of
Google's privacy-suspect platforms, including StreetView and targeted
advertising, were all available in 2008; so were backscatter X-ray
Despite his requisite focus on US-centric topics like Google and the
of the George W. Bush administration, Bennett
doesn't limit himself to US privacy efforts. He identifies non-
advocacy as a fundamentally American phenomenon,
but devotes both space and respect to the history of international
since the 1970s, including half a chapter describing
the 1980s privacy protests in Germany and Australia.
Bennett argues that successful privacy efforts must incorporate more
than one category of privacy advocate (e.g., civil libertarians,
consumer activists), form of persuasion (symbolic and "leverage"
politics, reportage and fact-finding), and means of networking (Net
activism, coalitions, campaigns). Only then
will enough stakeholders be reached and persuaded. Combating privacy
not "a continual game of 'whack a mole,'" he says. Instead,
the future of the privacy network lies in "the persistent, relentless,
and informed articulation of the very simple proposition that
individuals have a right to control the information that relates
them." And who won't sign on to that?
-- EC Rosenberg
the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
(EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
33rd International Conference of Data Protection and Privacy
Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011.
For more information: http://www.privacyconference2011.org/.
8th Conference on Privacy and Public Access to Court Records.
Sponsored by the College of William and Mary School of Law.
VA, 3-4 November 2011. For More Information:
2nd Annual GridWise(R) Global Forum, Co-Hosted by the GridWise(R)
Alliance and the US Dept. of Energy. Washington, DC, 8-10 November
2011. For More Information: http://www.gridwiseglobalforum.org/.
Workshop on Cryptography for Emerging Technologies and Applications.
NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012. For
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.19 ------------------------