EPIC Alert 18.23 [2011] EPICAlert 23

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 18.23                                           December 1, 2011
-----------------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================

[1] FTC - Facebook Settlement in EPIC Privacy Complaint
[2] European Union Limits Use of Airport Body Scanners
[3] Congress, Public Call for TSA Reform
[4] Federal Judge Orders Twitter to Turn Over WikiLeaks Supporter Data
[5] Minnesota Supreme Court Limits Use of Baby DNA
[6] News in Brief
[7] Book Review: 'Guide to Internet Privacy, Anonymity & Security'
[8] Upcoming Conferences and Events

TAKE ACTION: KWTK! - Know What Facebook Knows! Demand Your Data!
- WATCH the Video:
- DEMAND Your Facebook Data:
- READ the Facebook Complaint:
- SUPPORT EPIC:

=======================================================================
[1] FTC - Facebook Settlement in EPIC Privacy Complaint
=======================================================================

The Federal Trade Commission announced an agreement with Facebook November 29 that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The FTC settlement contains an eight-count complaint against Facebook, and includes allegations that the company violated the FTC Act's prohibition on "unfair and deceptive" trade practices, by misleading users about the extent to which they could control access to their personal information and to which Facebook applications and advertisers had access to their personal information. Many of the findings in the FTC settlement follow from points contained in EPIC's original complaint.
The proposed consent order prohibits Facebook from misrepresenting the privacy or security of users' personal information, and requires the company to (1) obtain users' affirmative, express consent before sharing their information in a way that exceeds their privacy settings; (2) establish a comprehensive privacy program; (3) ensure that personal information cannot be accessed by Facebook after a user deletes his or her account; (4) submit to independent privacy audits for 20 years.

EPIC Executive Director Marc Rotenberg called the proposed agreement "sweeping and comprehensive." Facebook CEO Mark Zuckerberg also reacted to the agreement, saying that he was the "first to admit that we've made a bunch of mistakes," and said that the company would be creating two new corporate privacy officer roles in order to better address privacy concerns in the future.

EPIC's Marc Rotenberg stated the settlement could be improved in several ways. First, Facebook should be required to restore the original privacy settings the company altered in 2009. Second, Facebook users in the US should have the same right as Facebook users elsewhere to obtain the complete profile that Facebook maintains on them. Third, the FTC should put limits on Facebook's use of biometric identification techniques. Rotenberg also told the New York Times that there is still a need for comprehensive privacy legislation in the United States. "There is always a risk other companies will come along and create new problems," Rotenberg said.

The public has the opportunity to comment on the proposed Facebook settlement. EPIC has recently launched the "Know What They Know" campaign to encourage companies such as Facebook to become more transparent. EPIC will also be submitting comments on the proposed settlement.

FTC: Press Release on Facebook Settlement (Nov. 29, 2011)
FTC: Complaint against Facebook (Nov. 29, 2011)
FTC: Proposed Settlement against Facebook (Nov. 29, 2011)
FTC: Link for Public Comment on Settlement
EPIC: In re Facebook
EPIC: In re Facebook: Supplemental Materials
EPIC: Facebook and Facial Recognition
EPIC: Federal Trade Commission
EPIC: "Know What They Know"

=======================================================================
[2] European Union Limits Use of Airport Body Scanners
=======================================================================

The European Union has adopted strict new guidelines limiting the use of body scanners at EU airports. Under the new guidelines, European Union Member States may deploy airport body scanners only if the scanners comply with new regulations that "protect health and fundamental rights," including privacy. The European Commission has also prohibited any devices that store, record, or transfer images of travelers as well as devices that display an image of the naked human body. As a result, backscatter x-ray devices are now effectively prohibited in airports across the European Union.

European Union Member States began testing security scanners in response to the failed December 25, 2009 terrorist attack to blow up a plane en route from Amsterdam to Detroit, in which explosives were hidden inside the attacker's underwear. Initially, Member States instituted varying national operational procedures and standards for the scanners. The new Commission rules provide for uniform application of security rules at all European Union airports, as well as mandatory guidelines to protect air traveler health, privacy, and basic rights. Member States that deploy airport scanners will have to comply with the Commission's operational and performance standards, which include eliminating X-ray technology from the list of authorized screening methods, and giving passengers the right to opt out from a security scanner screening and select an alternative screening method.
Vice-President Siim Kallas, the European Commissioner responsible for transport, said in a statement: "It is still for each Member State or airport to decide whether or not to deploy security scanners, but these new rules ensure that where this new technology is used it will be covered by EU wide standards on detection capability as well as strict safeguards to protect health and fundamental rights."

EPIC has advocated against airport body scanners since their introduction in US airports. As a result of a lawsuit brought by EPIC against the Department of Homeland Security, the DC Circuit Court of Appeals ruled that the Transportation Safety Administration violated federal law by installing body scanners in airports as primary screening devices without first soliciting public comment. In a separate lawsuit against the agency, EPIC has filed a motion for summary judgment requesting that DHS be forced to disclose documents detailing radiation testing results, agency fact sheets on body scanner radiation risks, and an image produced by the machines.

European Commission: Press Release on EU Scanners (Nov. 14, 2011)
DC Circuit Court of Appeals: Opinion on EPIC v. DHS (July 15, 2011)
EPIC: EPIC v. DHS Motion for Summary Judgment (Oct. 31, 2011)
EPIC: Whole Body Imaging Technology
EPIC: EPIC v. DHS (Suspension of the Body Scanner Program)

=======================================================================
[3] Congress, Public Call for TSA Reform
=======================================================================

Republican members of the House of Representatives have released a Joint Majority Staff Report entitled "A Decade Later: A Call for TSA Reform." The report evaluates the effectiveness of the Transportation Security Administration, which was formed shortly after the September 11, 2001 terrorist attacks. The report includes harsh criticism of TSA's competency and effectiveness, including numerous failures in leadership, bureaucracy, and personnel.

According to the committee, the TSA has failed to carry out effective operations and to develop useful technology, both of which have resulted in huge costs to the federal government. Most importantly, the report argues, the TSA has failed to achieve its mission: increasing airline passenger safety. The report accuses the TSA of having "grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power, and acting reactively instead of proactively." It recommends instead that the agency "focus on analyzing intelligence, setting screening and security standards based on risk, auditing passenger and baggage screening operations, and ensuring compliance with national screening standards."

The House majority committee is not alone in condemning the TSA. Nearly 31,000 individuals have signed a petition to the White House, demanding that the TSA be abolished, and that the government "use its monstrous budget to fund more sophisticated, less intrusive counter-terrorism intelligence." The Obama Administration has promised to respond formally to any petition that receives 25,000 signatures, as part of the new online "We the People" petition program to encourage individual participation and open government.

In 2010, EPIC filed a lawsuit against the TSA in federal appellate court for the deployment and use of full-body scanners at US airports. The DC Circuit Court sided with EPIC, finding that the agency had violated the law by deploying the scanners without first soliciting public comment.

House Report: "A Decade Later: A Call for TSA Reform" (Nov. 16, 2011)
White House: Petition to Abolish the TSA
EPIC: Whole Body Imaging Technology and Body Scanners

=======================================================================
[4] Federal Judge Orders Twitter to Turn Over WikiLeaks Supporter Data
=======================================================================

A federal district judge in Virginia has ordered Twitter to make available to the Justice Department the personal information of Twitter users who may have supported WikiLeaks - including their IP addresses, session times, and the relationships between themselves and other Twitter users. The targets of the Department of Justice's investigation are the Official WikiLeaks Twitter account, and the accounts of three people connected to the group: Seattle coder and activist Jacob Appelbaum; Birgitta Jonsdottir, a member of Iceland's parliament; and Dutch businessman Rop Gonggrijp.

In 1986, Congress passed the Stored Communications Act to establish legal standards for access to electronic communications in the possession of a service provider. The Act was passed alongside the Electronic Communications Privacy Act, which offered electronic communications protection from unlawful interception. However, under the court's order the Department of Justice may obtain the data with a warrant under the Stored Communications Act.

In his decision, Federal District Judge Liam O'Grady relied on a revised version of Twitter's privacy policy, which was not in place when the accused users signed up. Twitter's Privacy Policy has changed five times since the company's inception in 2007. The current policy went into effect on June 23, 2011. The policy states that Twitter "may preserve or disclose your information if [Twitter] believe[s] that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter's rights or property."
The court ruled that Twitter's decision to turn over the information did not violate the users' reasonable expectation of privacy under the Fourth Amendment.

EPIC has several Freedom of Information Act requests pending with US federal agencies concerning investigations of WikiLeaks. One request asks the Federal Bureau of Investigation to turn over communications with social media companies regarding lists of individuals who have demonstrated support or interest in WikiLeaks.

Eastern District Court of Virginia: Opinion (Nov. 10, 2011)
Stored Communications Act
EPIC: FBI WikiLeaks FOIA Appeal (Sept. 8, 2011)
Twitter: Privacy Policy
EPIC: Social Networking Privacy

=======================================================================
[5] Minnesota Supreme Court Limits Use of Baby DNA
=======================================================================

The Minnesota Supreme Court held November 16 that the state's Genetic Privacy Act limits the use of blood samples collected under the state's Newborn Screening Program. The court found that blood samples unambiguously fit within the Genetic Privacy Act's definition of "genetic information" and that the newborn screening statutes granted the Minnesota State Health Department only limited authority to collect, use, and store the data without written informed consent.

The Minnesota Newborn Screening Program, established in 1965, authorizes the Minnesota Commissioner of Health to establish procedures for screening newborn babies for certain metabolic and other disorders. Under the system, parents must be advised that their children's blood samples and test results may be retained, and parents must be given the option to decline screening or to require destruction of the samples after screening. More than 73,000 newborns are screened each year, and if any portion of one of the blood samples remains after the screening process the sample is stored indefinitely.
The Minnesota Government Data Practices Act was amended in 2006 to include the terms of the Genetic Privacy Act. The amendment prohibits the collection, use, storage, or dissemination of a person's genetic information without written informed consent. The Minnesota Supreme Court held that the newborn screening statutes only provide an explicit exception to this rule for the Department of Health's "testing . . . recording and reporting those test results, maintaining a registry of positive cases for the purpose of follow-up services, and storing those test results as required by federal law." Any other use requires informed written consent pursuant to the Genetic Privacy Act.

EPIC recently filed a "friend of the court" brief in US v. Pool, a case centered on DNA privacy. EPIC's brief contends that DNA privacy is crucial given that "DNA samples contain genetic information that can reveal personal traits such as race, ethnicity and gender, as well as medical risk for conditions such as diabetes."

MN Supreme Court: Decision in Bearder v. State of MN (Nov. 16, 2011)
State of Minnesota: Department of Health
State of Minnesota: Newborn Screening Program
EPIC: Genetic Privacy
EPIC: US v. Pool

=======================================================================
[6] News in Brief
=======================================================================

Documents Expose World Market for Off-the-Shelf Surveillance Technology

The Wall Street Journal has collected and made available more than 200 marketing documents by surveillance software companies, all of which advertise products that enable governments to spy on their citizens. The software manufacturers claim that their products are designed to catch criminals, though they also state they are not responsible for the products' end uses. Many of the applications discussed in the documents facilitate surveillance through installation of fake software updates and other types of malware.
The Wall Street Journal divided the documents, which were gathered at a surveillance conference in Washington, DC, into five categories: Hacking, Intercept, Data Analysis, Web Scraping, and Anonymity. The United States has strict rules on the sale, export, and transfer of defense articles and defense services, though the companies claim they are compliant with all export regulations. The nonprofit group Privacy International, in conjunction with the Bureau for Investigative Journalism, has initiated a similar campaign, called "Big Brother Incorporated," with a database of companies that sell surveillance products. EPIC has filed numerous Freedom of Information Requests over issues of domestic surveillance, including with the National Security Agency and the Department of Justice.

WSJ: Document Trove Exposes Surveillance Methods (Nov. 19, 2011)
Wall Street Journal: The Surveillance Catalog
Privacy International: 'Big Brother Incorporated'
US State Department: Directorate of Defense Trade Controls
EPIC: Domestic Surveillance
EPIC: FOIA Case Against NSA's Domestic Surveillance Program
EPIC: FOIA Case Against NSA's Cybersecurity Program

FTC Issues Performance and Accountability Report for Fiscal Year 2011

The Federal Trade Commission has issued the Fiscal Year 2011 edition of the agency's Performance and Accountability Report. The report summarizes the FTC's accomplishments, demonstrates how the agency has managed its resources, and explains how the FTC plans to address future changes. According to the report, during Fiscal 2011 the Commission exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency's privacy goals for the Fiscal Year 2012 include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding Facebook's changes to user privacy settings.

FTC: Fiscal Year 2011 Performance Report (Nov. 2011)
EPIC: Facebook Complaint (Feb. 2009)
EPIC: Federal Trade Commission
EPIC: Facebook Facial Recognition

Sen. Leahy Files Cybercrime Amendments To Defense Authorization Bill

Senate Judiciary Chairman Patrick Leahy (D-VT) has filed amendments to the proposed National Defense Authorization Act (NDAA), which is enacted each year to specify the budget of the US Defense Department. The amendments increase penalties for certain computer crimes, including damaging systems critical to national infrastructure, and include procedures to streamline criminal penalties for computer fraud. However, they also clarify that such prosecutions should be limited to "serious misconduct." In September, the Senate Judiciary Committee approved Leahy's Personal Data Privacy and Security Act (PDPSA), and some aspects of the proposed NDAA amendments were originally introduced in the PDPSA earlier this year. EPIC has an ongoing interest in developments in privacy law reform.

Sen. Leahy: Press Release on Cybercrime Amendment (Nov. 17, 2011)
The Hill: Leahy adds cybercrime measure to defense bill (Nov. 17, 2011)
EPIC: Open Government

=======================================================================
[7] EPIC Book Review: 'Guide to Internet Privacy, Anonymity & Security'
=======================================================================

"Complete Guide to Internet Privacy, Anonymity & Security," Matthew Bailey

The "Complete Guide to Internet Privacy, Anonymity and Security" is a do-it-yourself privacy book that's overly Windows-centric, sometimes anachronistic, self-contradictory and obscure - and yet strangely satisfying.
Self-published by computer security consultant Matthew Bailey and sold through, the oversized paperback, referred to by the author as COGIPAS, also includes an online component (, which is largely an electronic copy of the paper book. COGIPAS certainly contains good, practical information, presented in a clear, visually pleasing, and logical way; the book's large pages and type, understandable directions, screen shots, and white space are some of its better features.

Bailey is a non-judgmental information provider, unquestioningly leading readers through security and anonymity on P2P/torrent and other ethically dubious Web sites. It's surprising, then, that COGIPAS unselfconsciously and even perhaps unselfawarely teeters from guiding its readers through privacy-protecting techniques and procedures to showing them how to spy on family members and co-workers. There's an uneasy disconnect between Bailey's discussion of how to use double and triple anonymous remailers, then warning readers to be suspicious if anyone else is using them. The same narrator who cheerfully explains how to anonymously obtain files from Usenet also spends pages detailing how to dig secretively and deeply into someone else's computer if you even "suspect" something untoward.

COGIPAS mentions Google+ and Facebook more than once, but is peculiarly retro in its emphasis on technologies like Usenet (who knew Usenet was still operational? And who knew anyone was still downloading photos from and command-line-based IRC and chat rooms. A seemingly disproportionate amount of space is spent discussing Usenet protocols. Bailey also seems to reside in a Windows-only universe. To be fair, Windows still runs on something like 90% of the world's computers, but MacOS and Unix barely rate more than a single mention. Nor is there any discussion of smart phones or other forms of mobile technology. Again, I had to check references to SSDs and thumb drives to confirm that COGIPAS is a book written in the last decade, let alone the last five years.

It's hard to determine the audience for COGIPAS. The book effectively discusses security procedures at levels from introductory to advanced, and clearly spells out the differences, for example, between viruses, worms, Trojans, and rootkits. But what about a glossary that defines both Facebook and checksums? Sections that remind readers that they shouldn't click on a link in a suspicious email message and sections that explain how to use complex forensic software? COGIPAS could have used a better editor, both for overall relevance and to check for redundant subject matter.

Overall, however, the book and attendant web site are remarkably helpful in understanding and remediating the myriad issues related to online security and privacy. Regardless of your experience level, it's a good, practical read, particularly if you don't mind being weirded out once in a while.

-- EC Rosenberg

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.
================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Securing Our Rights in the Information-Sharing Era. San Francisco, CA, 1-2 December 2011. For More Information:

Workshop on Governance of Technology, Information, and Policies (GTIP). Orlando, FL, 5-9 December 2011. For More Information:

Face Facts: A Forum on Facial Recognition Technology. Washington, DC, 8 December 2011.
For More Information:

More Surveillance, More Security? The Landscape of Surveillance in Europe and Challenges to Data Protection and Privacy. Brussels, 4 January 2012. For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.23 ------------------------