EPIC Alert 18.20
E P I C A l e r t
Volume 18.20 October 13, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC-Led Coalition Calls for FTC Facebook Investigation
 Documents Obtained by EPIC Reveal FBI Watch List Details
in Congress: COPPA, TSA, VPPA, and the Cloud
 EPIC Urges Supreme Court to Uphold Fourth Amendment in GPS Case
 EPIC to Supreme
Court: Affirm Privacy Act Remedies
 News in Brief
 Book Review: 'Cybertraps for the Young'
 Upcoming Conferences and Events
TAKE ACTION: Sign the White House Petition to Abolish the TSA!
- SIGN the Petition: http://epic.org/redirect/092711-sign-tsa.html
- WATCH EPIC Discuss TSA on ABC: http://epic.org/redirect/092711ts.html
- READ EPIC's TSA FOIA Notes: http://epic.org/redirect/092711-foia.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC-Led Coalition Calls for FTC Facebook Investigation
EPIC, in conjunction with other privacy, consumer, and civil
groups including the American Civil Liberties Union, Consumer Action,
American Library Association, and the Center for
have asked the Federal Trade Commission to investigate Facebook's new
implementation of "persistent identifiers,"
which track Facebook users
even after they have logged off the site. The September 29 letter asks
the Commission to investigate whether
Facebook's secretly implemented
technology constitutes unfair and deceptive business practices.
The coalition's letter points out
that Facebook's practices violate
to have fixed the problem,
according to the letter, "the company still
places persistent identifiers on users' browsers that collect post-
log-out data and
could be used to identify users."
The letter also requests an investigation into new Facebook
applications, such as Timeline, which
aggregates a Facebook user's data
and entire posting history, and Open Graph, which documents a user's
interaction with other web
sites. Security experts have warned that
Timeline's aggregation of user data provides a tempting target for
computer criminals. The
new applications also profoundly change the way
information is shared: "Under the frictionless sharing model, content
a passive experience in which a social app prompts the user
once, at the outset, to decide the level of privacy for the app . . .
then proceeds to share every bit of information obtained thereafter."
The coalition's letter also discusses Facebook's history of
protect consumer privacy." The Federal Trade Commission is currently
investigating Facebook's secret use of facial recognition
build a biometric database from users' photos. Facebook's use of facial
recognition technology also violated the company's
well as public assurances made by Facebook to users.
EPIC: Letter to Federal Trade Commission (Sept. 29, 2011)
EPIC: Facebook Facial Recognition Complaint
EPIC: Facebook Privacy
EPIC: Federal Trade Commission
 Documents Obtained by EPIC Reveal FBI Watch List Details
EPIC has obtained documents that reveal new details about
adding and removing names from the Federal Bureau of Investigation's
Terrorist Screening Database Watch List. The documents
were acquired as
the result of EPIC's June 2011 Freedom of Information Act (FOIA)
request to the Bureau.
The documents describe the standards for inclusion on the list and the
relative difficulty of having
an individual removed from it. The FBI's
standard for inclusion on the list is "particularized derogatory
information," a concept
that has never been recognized by a court of
law. Removal from the list is difficult - individuals may remain listed
even if charges
are dropped or if they are acquitted.
The FBI's Watch List remains highly secretive and exists outside of the
protections of both
the Privacy Act and government transparency laws.
The documents indicate that law enforcement officers are explicitly
from indicating to a person that he or she is on the Watch
List, which is considered federal property.
The New York Times broke
the Page 1 story on September 28 and posted
links to the documents obtained by EPIC.
EPIC: Information on Federal Bureau of Investigation
Watch List FOIA
EPIC: Federal Bureau of Investigation Watch List FOIA Documents
Charlie Savage, New York Times: "Even Those Cleared of Crimes Can
Stay on F.B.I.'s Watch List" (Sept. 28, 2011)
EPIC: Open Government
 Hearings in Congress: COPPA, TSA, VPPA, and the Cloud
On October 5, the House Subcommittee on Commerce, Manufacturing
Trade held a hearing on "Protecting Children's Privacy in an Electronic
World." The issue of children's privacy attracted bipartisan
the hearing, with Rep. Mary Bono Mack (R-CA) saying that the FTC's
proposed rules hit the "sweet spot," and Rep. Henry
describing the rules as "appropriate, reasonable, well thought-out and
true to the intent of the law." The hearing
comes in the wake of the
Federal Trade Commission's proposed new rules for the Children's Online
Privacy Protection Act, or COPPA.
The new rules include expanding the
definition of Personally Identifiable Information to include
identifiers such as cookies, IP
addresses, and geolocation information;
requirements for data minimization and deletion; and simplified methods
of obtaining parental
consent for data collection. EPIC has testified
previously before the Senate and submitted comments to the Federal
on children's online privacy.
Also on October 5, the House Committee on Homeland Security's
Subcommittee on Counterterrorism and
Intelligence held a hearing
on "Intelligence Sharing and Terrorist Travel: How DHS Addresses
the Mission of Providing Security, Facilitating
Commerce and Protecting
Privacy for Passengers Engaged in International Travel." Lawmakers
heard from agency officials from the Department
of Homeland Security
and Customs and Border Protection. The Committee members grilled agency
officials on effectiveness and privacy
problems with the use of
Passenger Name Recognition data.
On October 6, the House Judiciary Committee conducted a hearing and
in order to amend the Video Privacy Protection Act of 1988. The
proposed amendment would allow video tape service providers to obtain
consumer consent before disclosing Personally Identifiable Information
at either "the time the disclosure is sought, in advance for
period of time, or until consent is withdrawn" by consumers. At the
hearing, Representative Mel Watt (D-NC) voiced concern
amendment "restricts privacy" and does not have safeguards to account
for the privacy rights of children who have access
to their parents'
accounts. Watt recommended the bill go to a subcommittee, stating that
consumers should give consent on a case-by-case
basis, rather than
consenting "carte blanche".
Also on October 6, the House Committee on Homeland Security's
Subcommittee on Cybersecurity,
Infrastructure Protection and Security
Technologies held a hearing entitled "Cloud Computing: What are the
Panel members included representatives from
agencies and industry. Subcommittee members and panelists discussed
for federal government use of cloud computing.
House Subcommittee Hearing on Children's Privacy (Oct. 5, 2011)
Federal Trade Commission: Proposed COPPA Rules
EPIC: Children's Online Privacy
Facebook: Data Use Policy:
US Subcommittee Hearing on TSA Intelligence Sharing (Oct. 5, 2011)
House Judiciary Committee: H.R. 2471 (July 8, 2011)
EPIC: Video Privacy Protection Act
House Subcommittee Hearing on Cloud Computing (Oct. 6, 2011)
 EPIC Urges Supreme Court to Uphold Fourth Amendment
in GPS Case
In a "friend of the court" brief submitted to
the US Supreme Court on
October 3, EPIC urged the Court to limit the scope of pervasive GPS
surveillance by upholding robust Fourth
Amendment protections against
Supported by 30 legal scholars and technical experts, EPIC argued that
24-hour GPS surveillance
by law enforcement constitutes a "search"
under the Fourth Amendment. Geolocation tracking has become
commonplace, inexpensive, and
widely used by private companies and
government contractors. Thus, without the protections of the Fourth
Amendment, EPIC maintained,
law enforcement could access and utilize
vast stores of geolocation data without limit or supervision.
The Supreme Court case, US
v. Jones, involves the installation and use
of a GPS tracking device by a government investigatory team. Evidence
against the defendant
was gathered from a tracking device placed on the
underside of the defendant's car. The collected GPS locational data was
to the government's case, and the defendant challenged his
conviction based on the lack of a valid warrant. A three-judge appeals
panel for the DC Circuit held that "the use of the GPS device violated
[Jones'] 'reasonable expectation of privacy,' and was therefore
search subject to the reasonableness requirement of the Fourth
The government's petition for a rehearing was denied,
but the Supreme
Court is set to hear the case in November.
EPIC's brief urges the Court to consider the ubiquity of GPS technology
and the privacy implications of its unchecked use by law enforcement.
"If the Court overturns the decision below," the brief states,
would severely restrict the privacy interests of drivers by allowing
unchecked, continuous, surreptitious tracking and monitoring
individuals operating privately-owned vehicles."
EPIC: "Friend of the Court" Brief in US v. Jones (Oct. 3, 2011)
DC District Appeals Court: Ruling on US v. Jones (Aug. 2010)
EPIC: US v. Jones
EPIC: Locational Privacy
 EPIC to Supreme Court: Affirm Privacy Act Remedies
EPIC has filed a "friend of the court" brief in the US Supreme
urging the Court to enforce the rights granted under the Privacy Act of
1974, which regulates federal agencies' use of personal
EPIC's brief for Federal Aviation Administration v. Cooper argues that
the government must not avoid liability by asserting
that it need not
compensate victims of Privacy Act violations when the only harm caused
is "mental and emotional." Rather, the brief
contends that "Privacy
laws routinely provide compensation for mental and emotional distress as
a component of actual damages."
Stanmore Cooper obtained a private pilot's certificate in 1964. In order
to lawfully operate an aircraft, pilots must be issued both
valid medical certificates, both of which must be renewed. Cooper was
diagnosed with HIV in 1985 and chose to not renew
certificate because his HIV status disqualified him. In 1994, Cooper,
without disclosing his HIV status, applied for
and received a medical
certificate from the Federal Aviation Administration (FAA). Cooper
subsequently renewed his medical certificate
in 1998, 2000, 2002, and
2004, each time withholding his medical condition. In 1995, Cooper's
condition worsened, and he applied
to the Social Security
Administration (SSA) for long-term benefits, thereby disclosing his
medical condition to another federal agency.
In 2002, the Department of Transportation (DoT) and the SSA co-launched
"Operation Safe Pilot," a criminal investigation into "medically
individuals fraudulently obtaining pilot certifications. The
investigation revealed that the FAA had granted Cooper a pilot's
license while he continued to receive disability benefits from the SSA.
Cooper claims to have suffered "humiliation, embarrassment,
anguish, fear of social ostracism, and other severe emotional distress"
from the government's exchange of his personal information.
He sued the
FAA, DoT, and SSA under the Privacy Act for their "willful or
intentional" sharing of his records.
The Ninth Circuit
held that "the term 'actual damages'" in the Privacy
Act "encompasses nonpecuniary damages." EPIC's brief asks the Supreme
to affirm the lower court's decision, stating, "Effective
enforcement of privacy laws, such as the Privacy Act of 1974, requires
full compensation for the broad range of harms associated with privacy
violations." Further, EPIC argues, the Privacy Act aims to
compliances with statutory obligations."
EPIC has been a longtime advocate of the effective enforcement of US
In 2004, EPIC filed a friend of the court brief with the
Supreme Court in Doe v. Chao, a case that also concerns damages for
EPIC: FAA v. Cooper Friend of the Court Brief (Oct. 4, 2011)
EPIC: FAA v. Cooper
Ninth Circuit Appeals Court: Opinion, FAA v. Cooper (Feb. 2010)
EPIC: Doe v. Chao Friend of the Court Brief
EPIC: Privacy Act of 1974
 News in Brief
EPIC, Coalition Seek Probe of FBI ID Program and 'Secure Communities'
EPIC and a coalition of civil liberties and civil rights
have asked the Inspector General at the Department of Justice to
investigate the FBI's Next Generation Identification
"billion-dollar initiative to create the world's largest biometric
database." The 70 organizations, including EPIC, have
also urged an
assessment of "Secure Communities," the federal deportation effort that
relies on informational cooperation between
a number of government
agencies. Several states, including Illinois, Massachusetts, and New
York, have already withdrawn from the
DHS program, although it remains
unclear whether Homeland Security permits individual states to
terminate their Memoranda of Agreement
with the federal government.
Homeland Security intends to give Secure Communities a nationwide
rollout in 2013.
EPIC: Secure Communities
Coalition Letter (Sept. 11, 2011)
EPIC: Secure Communities
Department of Justice
FBI: Next Generation Identification
EPIC: Biometric Identifiers
Seventh Circuit Court Hears Oral Arguments in Student Privacy Case
The US Court of Appeals for the Seventh Circuit heard oral
September 29 in Chicago Tribune v. University of Illinois. EPIC
recently filed a "friend of the court" brief in support
university, in a case that concerns student privacy rights protected by
the Family Educational Rights and Privacy Act of 1974,
or FERPA. EPIC's
brief argued that Congress intended to protect student records,
including admissions files, from unauthorized release
Illinois' open government law must yield to the federal privacy law. In
2009, the university denied the Tribune's requests
for documents under
Illinois' open government law because those documents contained
students' personally identifiable information.
The lower court held
that the University was required to release the documents, which the
university then appealed. EPIC states that,
while it generally supports
"public disclosure of government records through the Freedom of
Information Act (FOIA) in order to improve government accountability,"
it also has "filed amicus briefs in numerous cases that balance
individual privacy with compelled government disclosure."
Seventh Circuit Appeals Court: Audio of Oral Argument (Sept. 29, 2011)
Chicago Tribune: Appellate Brief (Aug. 11, 2011)
University of Illinois: Appellate Brief (July 13, 2011)
EPIC: Friend of the Court Brief in Tribune v. U. of I. (July 20, 2011)
EPIC: Chicago Tribune v. University of Illinois
EPIC: Student Privacy
Lawmakers Say Undeletable Supercookies Raise 'Serious Privacy Concerns'
Representatives Joe Barton (R-TX) and Ed Markey (D-MA)
have written a
letter to Federal Trade Commission head Jon Liebowitz, requesting that
the Commission investigate whether the use
of Internet "supercookies" -
undeletable cookies placed on users' computers by websites including
MSN.com and Hulu - constitute
unfair or deceptive business practices.
Markey and Barton call "supercookie" tracking "unacceptable" and say
that the cookies "take
away consumer control over their own personal
information." EPIC has submitted a similar letter to the FTC regarding
of "persistent identifiers" and other forms of what
Facebook calls "frictionless sharing." Earlier in 2011, EPIC opposed
House's use of persistent Google Analytics cookies, which
track users for up to two years, instead supporting opt-in requirements
for more transparent and easily disabled Internet tracking techniques.
Reps. Barton & Markey: Letter to FTC (Sept. 26, 2011)
EPIC: Letter to FTC (Sept. 29, 2011)
The White House: Position on Use of Persistent Cookies
EPIC: White House User Tracking
EPIC: Internet Cookies
EPIC: Federal Trade Commission
 EPIC Book Review: 'Cybertraps for the Young'
"Cybertraps for the Young," Frederick S. Lane
"Cybertraps for the Young" is a straightforward book. Author Frederick
S. Lane, a writer and attorney who focuses on the social
of emerging technologies, bluntly explains the legal problems - both
criminal and civil - that children and teens can
find themselves in as
the result of abuse or misuse of digital content. Lane first defines
the issues, and then follows with examples
of children who have gotten
into trouble and descriptions of how "your" child could follow suit.
He concludes with a section on "Investigation
The book has three sections: "The Technology", "A Parent's Guide to the
Communication Revolution", and "The Solutions".
Sections One and Three
are good guides for preparing to engage your child on the topic of
technology. The younger the child, the
more useful these sections will
be to appreciate, particularly as they stress the process of "teaching
by doing", or modeling appropriate
online behavior. However, Lane
advocates one controversial deterrent that many parents have followed
out of fear, frustration, or
not having adequate time with their
children to address potential issues. Lane calls it "Investigation":
using technology to secretly
monitor your child's mobile phone or
online behavior. Many privacy advocates - and in fact many parents -
would label this behavior
This book will scare you if you are not already frightened about what
your children may be up to while using their
digital devices. Lane
provides plenty of horror stories of underage technology usage gone
horribly wrong. However, Lane's three most
important pieces of advice
are amply documented and easily actionable: First, parents should begin
early to teach their children
how to respect themselves and others.
Second, parents should better understand technology so they can learn
what is and is not possible
for their children to do. Third - and
perhaps most important - is to remember that your children see your
actions as the cues to
guide their own behavior, regardless of what you
tell them to their faces. If you illegally download digital copyrighted
engage in surreptitious online transactions, or practice
other negative online behaviors, your children will follow suit.
for the Young" consistently makes one serious error in
promoting surveillance as a positive parenting skill. While my
on surveillance comes from my work at EPIC and I am not a
parent, I strongly disagree that surveillance is a reasonable step in
cases. Nor are companies who sell or promote parental surveillance
technologies innocent themselves: In 2009, Echometrix, a company
specializing in developing parental control products, created a product
called PULSE that read "digital content from multiple sources
the web, including: instant messages ('IM'), blogs, social environment
communities, forums, and chat rooms." What parents
did not know was
that this feature allowed the company to turn their children's online
lives into market research intelligence, which
they then made available
to other companies. Lane does not mention this issue at all.
Another danger of surveillance, especially
regarding older or
technology-savvy children, is that they are highly likely to suspect or
figure out if they're being secretly monitored,
and will employ methods
for evading unwanted parental interest. Children have been teaching
each other how to use digital technology.
Parents should be doing the
same thing amongst themselves.
Read this worthwhile book, then make your own decisions. And remember
that the presence of digital technology in our lives ultimately does
little to complicate or simplify the universal issues of parenting.
-- Lillie Coney
"Litigation Under the Federal Open Government Laws 2010,"
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the
Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For
More Information: http://www.thepublicvoice.org/.
33rd International Conference of Data Protection and Privacy
Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011.
For more information: http://www.privacyconference2011.org/.
8th Conference on Privacy and Public Access to Court Records.
Sponsored by the College of William and Mary School of Law.
VA, 3-4 November 2011. For More Information:
2nd Annual GridWise(R) Global Forum, Co-Hosted by the GridWise(R)
Alliance and the US Dept. of Energy. Washington, DC, 8-10 November
2011. For More Information: http://www.gridwiseglobalforum.org/.
Workshop on Cryptography for Emerging Technologies and Applications.
NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date
with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent
or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We
do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe
your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation
of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.20 ------------------------