
EPIC Alert


EPIC Alert 18.20 [2011] EPICAlert 20

EPIC Alert 18.20

=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 18.20                                          October 13, 2011
-----------------------------------------------------------------------

                           Published by the
              Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

                    "Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC-Led Coalition Calls for FTC Facebook Investigation
[2] Documents Obtained by EPIC Reveal FBI Watch List Details
[3] Hearings in Congress: COPPA, TSA, VPPA, and the Cloud
[4] EPIC Urges Supreme Court to Uphold Fourth Amendment in GPS Case
[5] EPIC to Supreme Court: Affirm Privacy Act Remedies
[6] News in Brief
[7] Book Review: 'Cybertraps for the Young'
[8] Upcoming Conferences and Events

TAKE ACTION: Sign the White House Petition to Abolish the TSA!

- SIGN the Petition:
- WATCH EPIC Discuss TSA on ABC:
- READ EPIC's TSA FOIA Notes:
- SUPPORT EPIC:

=======================================================================
[1] EPIC-Led Coalition Calls for FTC Facebook Investigation
=======================================================================

EPIC, in conjunction with other privacy, consumer, and civil liberties groups including the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy, has asked the Federal Trade Commission to investigate Facebook's new implementation of "persistent identifiers," which track Facebook users even after they have logged off the site. The September 29 letter asks the Commission to investigate whether Facebook's secretly implemented technology constitutes unfair and deceptive business practices.

The coalition's letter points out that Facebook's practices violate the terms of the site's own Privacy Policy.
Although Facebook claims to have fixed the problem, according to the letter, "the company still places persistent identifiers on users' browsers that collect post-log-out data and could be used to identify users."

The letter also requests an investigation into new Facebook applications, such as Timeline, which aggregates a Facebook user's data and entire posting history, and Open Graph, which documents a user's interaction with other web sites. Security experts have warned that Timeline's aggregation of user data provides a tempting target for computer criminals. The new applications also profoundly change the way information is shared: "Under the frictionless sharing model, content sharing is a passive experience in which a social app prompts the user once, at the outset, to decide the level of privacy for the app . . . then proceeds to share every bit of information obtained thereafter."

The coalition's letter also discusses Facebook's history of "failing to protect consumer privacy." The Federal Trade Commission is currently investigating Facebook's secret use of facial recognition technology to build a biometric database from users' photos. Facebook's use of facial recognition technology also violated the company's Privacy Policy, as well as public assurances made by Facebook to users.

EPIC: Letter to Federal Trade Commission (Sept. 29, 2011)
EPIC: Facebook Facial Recognition Complaint
EPIC: Facebook Privacy
EPIC: Federal Trade Commission

=======================================================================
[2] Documents Obtained by EPIC Reveal FBI Watch List Details
=======================================================================

EPIC has obtained documents that reveal new details about standards for adding and removing names from the Federal Bureau of Investigation's Terrorist Screening Database Watch List. The documents were acquired as the result of EPIC's June 2011 Freedom of Information Act (FOIA) request to the Bureau.
The documents describe the standards for inclusion on the list and the relative difficulty of having an individual removed from it. The FBI's standard for inclusion on the list is "particularized derogatory information," a concept that has never been recognized by a court of law. Removal from the list is difficult - individuals may remain listed even if charges are dropped or if they are acquitted.

The FBI's Watch List remains highly secretive and exists outside of the protections of both the Privacy Act and government transparency laws. The documents indicate that law enforcement officers are explicitly prohibited from indicating to a person that he or she is on the Watch List, which is considered federal property.

The New York Times broke the Page 1 story on September 28 and posted links to the documents obtained by EPIC.

EPIC: Information on Federal Bureau of Investigation Watch List FOIA
EPIC: Federal Bureau of Investigation Watch List FOIA Documents
Charlie Savage, New York Times: "Even Those Cleared of Crimes Can Stay on F.B.I.'s Watch List" (Sept. 28, 2011)
EPIC: Open Government

=======================================================================
[3] Hearings in Congress: COPPA, TSA, VPPA, and the Cloud
=======================================================================

On October 5, the House Subcommittee on Commerce, Manufacturing and Trade held a hearing on "Protecting Children's Privacy in an Electronic World." The issue of children's privacy attracted bipartisan support at the hearing, with Rep. Mary Bono Mack (R-CA) saying that the FTC's proposed rules hit the "sweet spot," and Rep. Henry Waxman (D-CA) describing the rules as "appropriate, reasonable, well thought-out and true to the intent of the law."

The hearing comes in the wake of the Federal Trade Commission's proposed new rules for the Children's Online Privacy Protection Act, or COPPA.
The new rules include expanding the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information; requirements for data minimization and deletion; and simplified methods of obtaining parental consent for data collection. EPIC has testified previously before the Senate and submitted comments to the Federal Trade Commission on children's online privacy.

Also on October 5, the House Committee on Homeland Security's Subcommittee on Counterterrorism and Intelligence held a hearing on "Intelligence Sharing and Terrorist Travel: How DHS Addresses the Mission of Providing Security, Facilitating Commerce and Protecting Privacy for Passengers Engaged in International Travel." Lawmakers heard from agency officials from the Department of Homeland Security and Customs and Border Protection. The Committee members grilled agency officials on effectiveness and privacy problems with the use of Passenger Name Recognition data.

On October 6, the House Judiciary Committee conducted a hearing and markup in order to amend the Video Privacy Protection Act of 1988. The proposed amendment would allow video tape service providers to obtain consumer consent before disclosing Personally Identifiable Information at either "the time the disclosure is sought, in advance for a set period of time, or until consent is withdrawn" by consumers. At the hearing, Representative Mel Watt (D-NC) voiced concern that the amendment "restricts privacy" and does not have safeguards to account for the privacy rights of children who have access to their parents' accounts. Watt recommended the bill go to a subcommittee, stating that consumers should give consent on a case-by-case basis, rather than consenting "carte blanche".

Also on October 6, the House Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held a hearing entitled "Cloud Computing: What are the Security Implications?" Panel members included representatives from agencies and industry. Subcommittee members and panelists discussed security implications for federal government use of cloud computing.

House Subcommittee Hearing on Children's Privacy (Oct. 5, 2011)
Federal Trade Commission: Proposed COPPA Rules
EPIC: Children's Online Privacy
Facebook: Data Use Policy: US Subcommittee Hearing on TSA Intelligence Sharing (Oct. 5, 2011)
House Judiciary Committee: H.R. 2471 (July 8, 2011)
EPIC: Video Privacy Protection Act
House Subcommittee Hearing on Cloud Computing (Oct. 6, 2011)

=======================================================================
[4] EPIC Urges Supreme Court to Uphold Fourth Amendment in GPS Case
=======================================================================

In a "friend of the court" brief submitted to the US Supreme Court on October 3, EPIC urged the Court to limit the scope of pervasive GPS surveillance by upholding robust Fourth Amendment protections against it. Supported by 30 legal scholars and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a "search" under the Fourth Amendment. Geolocation tracking has become commonplace, inexpensive, and widely used by private companies and government contractors. Thus, without the protections of the Fourth Amendment, EPIC maintained, law enforcement could access and utilize vast stores of geolocation data without limit or supervision.

The Supreme Court case, US v. Jones, involves the installation and use of a GPS tracking device by a government investigatory team. Evidence against the defendant was gathered from a tracking device placed on the underside of the defendant's car.
The collected GPS locational data was central to the government's case, and the defendant challenged his conviction based on the lack of a valid warrant. A three-judge appeals panel for the DC Circuit held that "the use of the GPS device violated [Jones'] 'reasonable expectation of privacy,' and was therefore a search subject to the reasonableness requirement of the Fourth Amendment." The government's petition for a rehearing was denied, but the Supreme Court is set to hear the case in November.

EPIC's brief urges the Court to consider the ubiquity of GPS technology and the privacy implications of its unchecked use by law enforcement. "If the Court overturns the decision below," the brief states, "it would severely restrict the privacy interests of drivers by allowing unchecked, continuous, surreptitious tracking and monitoring of individuals operating privately-owned vehicles."

EPIC: "Friend of the Court" Brief in US v. Jones (Oct. 3, 2011)
DC District Appeals Court: Ruling on US v. Jones (Aug. 2010)
EPIC: US v. Jones
EPIC: Locational Privacy

=======================================================================
[5] EPIC to Supreme Court: Affirm Privacy Act Remedies
=======================================================================

EPIC has filed a "friend of the court" brief in the US Supreme Court, urging the Court to enforce the rights granted under the Privacy Act of 1974, which regulates federal agencies' use of personal information. EPIC's brief for Federal Aviation Administration v. Cooper argues that the government must not avoid liability by asserting that it need not compensate victims of Privacy Act violations when the only harm caused is "mental and emotional." Rather, the brief contends that "Privacy laws routinely provide compensation for mental and emotional distress as a component of actual damages."

Stanmore Cooper obtained a private pilot's certificate in 1964.
In order to lawfully operate an aircraft, pilots must be issued both pilot and valid medical certificates, both of which must be renewed. Cooper was diagnosed with HIV in 1985 and chose to not renew his medical certificate because his HIV status disqualified him. In 1994, Cooper, without disclosing his HIV status, applied for and received a medical certificate from the Federal Aviation Administration (FAA). Cooper subsequently renewed his medical certificate in 1998, 2000, 2002, and 2004, each time withholding his medical condition. In 1995, Cooper's condition worsened, and he applied to the Social Security Administration (SSA) for long-term benefits, thereby disclosing his medical condition to another federal agency.

In 2002, the Department of Transportation (DoT) and the SSA co-launched "Operation Safe Pilot," a criminal investigation into "medically unfit" individuals fraudulently obtaining pilot certifications. The investigation revealed that the FAA had granted Cooper a pilot's license while he continued to receive disability benefits from the SSA.

Cooper claims to have suffered "humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress" from the government's exchange of his personal information. He sued the FAA, DoT, and SSA under the Privacy Act for their "willful or intentional" sharing of his records. The Ninth Circuit held that "the term 'actual damages'" in the Privacy Act "encompasses nonpecuniary damages."

EPIC's brief asks the Supreme Court to affirm the lower court's decision, stating, "Effective enforcement of privacy laws, such as the Privacy Act of 1974, requires full compensation for the broad range of harms associated with privacy violations." Further, EPIC argues, the Privacy Act aims to "ensure compliances with statutory obligations."

EPIC has been a longtime advocate of the effective enforcement of US privacy laws. In 2004, EPIC filed a friend of the court brief with the Supreme Court in Doe v.
Chao, a case that also concerns damages for Privacy Act violations.

EPIC: FAA v. Cooper Friend of the Court Brief (Oct. 4, 2011)
EPIC: FAA v. Cooper
Ninth Circuit Appeals Court: Opinion, FAA v. Cooper (Feb. 2010)
EPIC: Doe v. Chao Friend of the Court Brief
EPIC: Privacy Act of 1974

=======================================================================
[6] News in Brief
=======================================================================

EPIC, Coalition Seek Probe of FBI ID Program and 'Secure Communities'

EPIC and a coalition of civil liberties and civil rights organizations have asked the Inspector General at the Department of Justice to investigate the FBI's Next Generation Identification program, a "billion-dollar initiative to create the world's largest biometric database." The 70 organizations, including EPIC, have also urged an assessment of "Secure Communities," the federal deportation effort that relies on informational cooperation between a number of government agencies. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program, although it remains unclear whether Homeland Security permits individual states to terminate their Memoranda of Agreement with the federal government. Homeland Security intends to give Secure Communities a nationwide rollout in 2013.

EPIC: Secure Communities Coalition Letter (Sept. 11, 2011)
EPIC: Secure Communities
Department of Justice FBI: Next Generation Identification
EPIC: Biometric Identifiers

Seventh Circuit Court Hears Oral Arguments in Student Privacy Case

The US Court of Appeals for the Seventh Circuit heard oral arguments September 29 in Chicago Tribune v. University of Illinois. EPIC recently filed a "friend of the court" brief in support of the university, in a case that concerns student privacy rights protected by the Family Educational Rights and Privacy Act of 1974, or FERPA.
EPIC's brief argued that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. In 2009, the university denied the Tribune's requests for documents under Illinois' open government law because those documents contained students' personally identifiable information. The lower court held that the University was required to release the documents, which the university then appealed. EPIC states that, while it generally supports "public disclosure of government records through the Freedom of Information Act (FOIA) in order to improve government accountability," it also has "filed amicus briefs in numerous cases that balance protecting individual privacy with compelled government disclosure."

Seventh Circuit Appeals Court: Audio of Oral Argument (Sept. 29, 2011)
Chicago Tribune: Appellate Brief (Aug. 11, 2011)
University of Illinois: Appellate Brief (July 13, 2011)
EPIC: Friend of the Court Brief in Tribune v. U. of I. (July 20, 2011)
EPIC: Chicago Tribune v. University of Illinois
EPIC: Student Privacy

Lawmakers Say Undeletable Supercookies Raise 'Serious Privacy Concerns'

Representatives Joe Barton (R-TX) and Ed Markey (D-MA) have written a letter to Federal Trade Commission head Jon Leibowitz, requesting that the Commission investigate whether the use of Internet "supercookies" - undeletable cookies placed on users' computers by websites including and Hulu - constitutes unfair or deceptive business practices. Markey and Barton call "supercookie" tracking "unacceptable" and say that the cookies "take away consumer control over their own personal information." EPIC has submitted a similar letter to the FTC regarding Facebook's use of "persistent identifiers" and other forms of what Facebook calls "frictionless sharing."
Earlier in 2011, EPIC opposed the White House's use of persistent Google Analytics cookies, which track users for up to two years, instead supporting opt-in requirements for more transparent and easily disabled Internet tracking techniques.

Reps. Barton & Markey: Letter to FTC (Sept. 26, 2011)
EPIC: Letter to FTC (Sept. 29, 2011)
The White House: Position on Use of Persistent Cookies
EPIC: White House User Tracking
EPIC: Internet Cookies
EPIC: Federal Trade Commission

=======================================================================
[7] EPIC Book Review: 'Cybertraps for the Young'
=======================================================================

"Cybertraps for the Young," Frederick S. Lane

"Cybertraps for the Young" is a straightforward book. Author Frederick S. Lane, a writer and attorney who focuses on the social implications of emerging technologies, bluntly explains the legal problems - both criminal and civil - that children and teens can find themselves in as the result of abuse or misuse of digital content. Lane first defines the issues, and then follows with examples of children who have gotten into trouble and descriptions of how "your" child could follow suit. He concludes with a section on "Investigation and Prevention."

The book has three sections: "The Technology", "A Parent's Guide to the Communication Revolution", and "The Solutions". Sections One and Three are good guides for preparing to engage your child on the topic of technology. The younger the child, the more useful these sections will be to appreciate, particularly as they stress the process of "teaching by doing", or modeling appropriate online behavior.

However, Lane advocates one controversial deterrent that many parents have followed out of fear, frustration, or not having adequate time with their children to address potential issues. Lane calls it "Investigation": using technology to secretly monitor your child's mobile phone or online behavior.
Many privacy advocates - and in fact many parents - would label this behavior as "spying."

This book will scare you if you are not already frightened about what your children may be up to while using their digital devices. Lane provides plenty of horror stories of underage technology usage gone horribly wrong. However, Lane's three most important pieces of advice are amply documented and easily actionable: First, parents should begin early to teach their children how to respect themselves and others. Second, parents should better understand technology so they can learn what is and is not possible for their children to do. Third - and perhaps most important - is to remember that your children see your actions as the cues to guide their own behavior, regardless of what you tell them to their faces. If you illegally download digital copyrighted material, engage in surreptitious online transactions, or practice other negative online behaviors, your children will follow suit.

"Cybertraps for the Young" consistently makes one serious error in promoting surveillance as a positive parenting skill. While my perspective on surveillance comes from my work at EPIC and I am not a parent, I strongly disagree that surveillance is a reasonable step in most cases. Nor are companies who sell or promote parental surveillance technologies innocent themselves: In 2009, Echometrix, a company specializing in developing parental control products, created a product called PULSE that read "digital content from multiple sources across the web, including: instant messages ('IM'), blogs, social environment communities, forums, and chat rooms." What parents did not know was that this feature allowed the company to turn their children's online lives into market research intelligence, which they then made available to other companies. Lane does not mention this issue at all.

Another danger of surveillance, especially regarding older or technology-savvy children, is that they are highly likely to suspect or figure out if they're being secretly monitored, and will employ methods for evading unwanted parental interest.

Children have been teaching each other how to use digital technology. Parents should be doing the same thing amongst themselves. Read this worthwhile book, then make your own decisions. And remember that the presence of digital technology in our lives ultimately does little to complicate or simplify the universal issues of parenting.

-- Lillie Coney

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies.
The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world.
It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For More Information:

33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011. For more information:

8th Conference on Privacy and Public Access to Court Records. Sponsored by the College of William and Mary School of Law. Williamsburg, VA, 3-4 November 2011. For More Information:

2nd Annual GridWise(R) Global Forum, Co-Hosted by the GridWise(R) Alliance and the US Dept. of Energy. Washington, DC, 8-10 November 2011. For More Information:

Workshop on Cryptography for Emerging Technologies and Applications. NIST Campus, Gaithersburg, MD, 7-8 November 2011.
For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.20 ------------------------
