
EPIC Alert


EPIC Alert 18.24 [2011] EPICAlert 24


=======================================================================
E P I C   A l e r t
=======================================================================
Volume 18.24                                          December 14, 2011
-----------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Urges Public Comment on FTC Facebook Settlement
[2] EPIC to Court: Demand DHS Release of Scanner Radiation Documents
[3] EPIC Urges Supreme Court to Enforce Federal Privacy Act
[4] EPIC to Challenge FERPA Revisions
[5] EU Justice Minister Warns US on 'Self-Regulation'
[6] News in Brief
[7] Book Review: 'The Lie Detectors'
[8] Upcoming Conferences and Events

TAKE ACTION: Fix Facebook Privacy Fail!

- SIGN the Petition:
- DEMAND Your Facebook Data:
- READ the FTC Settlement:
- SUPPORT EPIC:

=======================================================================
[1] EPIC Urges Public Comment on FTC Facebook Settlement
=======================================================================

Following the November 29 announcement of a proposed settlement between the Federal Trade Commission and Facebook, EPIC has launched the "Fix FB Privacy Fail" campaign, which encourages Facebook members to express support for privacy-enhancing improvements to the settlement. Facebook users can sign on, "Like," or tweet the petition, and those who wish to avoid using Facebook can sign the petition without entering the Facebook Web site.

"Fix FB Privacy Fail" aims to strengthen the final settlement by encouraging the FTC to take into account the views of civil society. Significant numbers of Facebook users expressing support for EPIC's recommendations increases the probability that the FTC will incorporate those changes into the final settlement.

The proposed settlement contains an eight-count complaint against Facebook, and includes allegations that the company violated the FTC Act's prohibition on "unfair and deceptive" trade practices by misleading users about the extent to which they could control access to their personal information, and the extent to which applications and advertisers had access to that same information.

Specifically, the proposed consent order prohibits Facebook from misrepresenting the privacy or security of users' personal information, and requires Facebook to (1) obtain users' affirmative, express consent before sharing their information in a way that exceeds their privacy settings; (2) establish a comprehensive privacy program; (3) ensure that cannot access personal information after a user deletes his or her account, and (4) submit to independent audits for 20 years.

Although the settlement is far-reaching and comprehensive, it can be strengthened in several ways. With input from members of the EPIC Advisory Board, the Privacy Coalition, and the Trans-Atlantic Consumer Dialogue, EPIC recommends the following improvements:

- Restore Original Settings. Facebook should default to the privacy settings available to users in 2009.
- Know What They Know. Facebook should let users have access to all data that Facebook keeps about them.
- Facial Recognition. Facebook should stop making facial recognition profiles without users' consent.
- Transparency. Facebook's privacy reports should be made publicly available.
- Secret Tracking. Facebook should stop secretly tracking users across the Web.

The "Fix FB Privacy" campaign will run until December 30, 2011, at which point the FTC stops accepting public comments. Facebook users can visit EPIC's Facebook app to sign on to the petition.

EPIC: "Fix FB Privacy" App
EPIC: "Fix FB Privacy" (Non-Facebook)
FTC: Complaint against Facebook (Nov. 29, 2011)
FTC: Proposed Settlement against Facebook (Nov.
29, 2011)
FTC: Link for Public Comment on Facebook Settlement
EPIC: 2009 Complaint against Facebook (Dec. 2009)
EPIC: 2010 Complaint against Facebook (May 2010)

=======================================================================
[2] EPIC to Court: Demand DHS Release of Scanner Radiation Documents
=======================================================================

EPIC filed a reply motion on December 3 in EPIC v. DHS, a pending Freedom of Information Act lawsuit against the Department of Homeland Security for information about the radiation risks posed by airport body scanners. EPIC's initial Freedom of Information Act request was filed in July 2010, but the agency failed to respond until EPIC filed suit in DC District Court in early 2011.

EPIC's lawsuit resulted in the disclosure of over a thousand pages of documents, including studies detailing danger zones around the scanners and proper limits of employee exposure. Although the agency initially withheld radiation emission facts, EPIC was able to force disclosure. EPIC's motion asks the court to force the agency to disclose additional documents, which include radiation testing results, agency fact sheets on body scanner radiation risks, and an image produced by the machines.

The European Union recently effectively prohibited the use of backscatter x-ray devices in EU airports by demanding that any airport that deploys the scanners must "do so under strict operational and technical conditions" set by the EU.

EPIC v. DHS: Full Body Scanner Radiation Risks
EPIC: Reply Motion in EPIC v. DHS (Dec. 3, 2011)
EPIC: Motion for Summary Judgment in EPIC v. DHS (Oct. 31, 2011)
European Commission: Press Release on EU Scanners (Nov. 14, 2011)

=======================================================================
[3] EPIC Urges Supreme Court to Enforce Federal Privacy Act
=======================================================================

The Supreme Court heard oral arguments November 30 in FAA v.
Cooper, a case that tests the scope of damages available for "willful and intentional" violations of the Privacy Act. Pilot Stanmore Cooper brought a claim under the Privacy Act after his Federal Aviation Administration and Social Security Administration medical records were exchanged by the agencies in violation of the Privacy Act. The SSA records included Cooper's HIV status, which prevented him from renewing his pilot's license, and Cooper claimed damages for severe mental and emotional distress. The federal circuit courts are divided over whether mental and emotional damages are recoverable under the Privacy Act.

EPIC filed a "Friend of the Court" brief in FAA v. Cooper, arguing that Congress intended the Privacy Act to provide robust and comprehensive protections for individual privacy, and that such protections are only effective when the Privacy Act is enforced. EPIC maintains that "mental and emotional damages are just the sort of harms for which privacy laws routinely provide compensation. And the Privacy Act's legislative history makes clear that Congress intended to include mental and emotional distress as one component of 'actual damages.'"

In October, EPIC submitted a similar brief to the Supreme Court in First American Financial Services v. Edwards, which involves a Constitutional challenge to a statutory injury claim under the Real Estate Settlement Procedures Act, or RESPA. EPIC's brief argues that Congress should be allowed to create statutory rights under these circumstances, the violation of which constitutes a Constitutionally sufficient injury.

EPIC's 2003 brief in the Supreme Court case Doe v. Chao argued in favor of Privacy Act statutory damages, but the Court held that a plaintiff must show "actual damage" before recovering the statutory minimum of $1,000.

US Supreme Court: Transcript: FAA v. Cooper Arguments (Nov. 30, 2011)
EPIC: "Friend of the Court" Brief in FAA v. Cooper (Oct. 4, 2011)
EPIC: FAA v. Cooper
EPIC: Brief in First American v.
Edwards (October 18, 2011)
EPIC: First American v. Edwards
EPIC: Friend of the Court Brief in Doe v. Chao (Aug. 2003)
EPIC: Doe v. Chao

=======================================================================
[4] EPIC to Challenge FERPA Revisions
=======================================================================

The Department of Education has released final regulations of the Family Educational Rights and Privacy Act, or FERPA. EPIC had submitted extensive comments to the agency in May 2011 in response to an initial request for public comments. EPIC's comments addressed both the student privacy risks and the Department of Education's lack of legal authority to make changes to FERPA without explicit Congressional intent.

The final FERPA regulations both exceed the Department of Education's legal authority and expose students to new privacy risks. Specifically, the new rules permit educational institutions to release student records to non-governmental agencies without obtaining written parental consent. The regulations also broaden the permissible purposes for which third parties can access student records without parental notification. Similarly, without mandatory guidelines in place to prevent unlawful third-party access to education records, the ED has failed to create sufficient safeguards against the risk of student re-identification. EPIC plans to challenge the agency's new regulations.

FERPA was signed into law by President Gerald Ford in August 1974 in response to "the growing evidence of the abuse of student records across the nation." A number of amendments were added later that year, including limiting the right of post-secondary students to inspect and review financial records, thereby denying access to parental financial records or confidential letters of recommendation placed in their files. FERPA has been amended a total of nine times since its enactment.
Through these amendments, Congress has acknowledged new circumstances under which personally identifiable information contained in education records can be disclosed without the consent of parents or students.

EPIC has been a longtime advocate for student privacy rights. In addition to filing public comments on FERPA, earlier in 2011 EPIC filed a "friend of the court" brief in Chicago Tribune v. University of Illinois, a case involving student privacy rights protected by FERPA. In 2005, EPIC and more than 100 local, state, and national organizations urged former Secretary of Defense Donald Rumsfeld to end the "Joint Advertising and Market Research Studies" Recruiting Database, which would have disclosed personal information of Americans ages 16-25 without obtaining individual consent.

Department of Education: FERPA Final Regulations (Dec. 2, 2011)
EPIC: Comments to the Department of Education on FERPA (May 23, 2011)
EPIC: Friend of the Court Brief in Tribune v. U. of I. (July 20, 2011)
Privacy Coalition: DOD Database Campaign Coalition Letter (Oct. 2005)
EPIC: Student Privacy

=======================================================================
[5] EU Justice Minister Warns US on 'Self-Regulation'
=======================================================================

EU Justice Minister Viviane Reding warned at a December 6 speech in Brussels that a US plan for privacy self-regulation will "not be sufficient" to protect the flow of personal data between Europe and the United States. Reding also said that European companies were likely to rely on European rather than US cloud service providers as long as the US Patriot Act remained law.

A draft of the European Union's new General Data Protection Regulation was made available via the Internet in late November. The Regulation is a sweeping and comprehensive update of the 1995 EU Data Protection Directive, setting out new enforcement powers for privacy agencies.
The document is the product of over two years of meetings, focus groups, and discussions with various stakeholder groups. In 2010, EPIC Executive Director Marc Rotenberg appeared before the European Parliament, encouraging the adoption of a framework to protect the flow of personal data between the EU and the US.

The draft regulations also build upon 2000's Charter of Fundamental Rights of the European Union, which established a right of "Information Privacy." The draft charter grants both explicit legal rights to EU residents and obligations to companies doing business in the EU, whereas the current regime only requires member countries to establish compatible laws. Among the individual rights to be established are transparency, access to data, rectification, erasure, and the right to object to profiling.

A spokesperson for the White House again pledged that a long-delayed paper on US privacy would soon be available. The paper, which has been promised for over a year, is to be released by the Office of Science and Technology Policy, and contain suggestions on privacy standards and protections to be taken up later in Congress.

Europa: Speech of Viviane Reding, VP of EU Commission (Dec. 6, 2011)
EU: Draft of General Data Protection Regulation (Nov. 29, 2011)
EU: 1995 Data Protection Directive
EPIC: EU Data Protection Directive
EU: Charter of Fundamental Rights (Dec. 2000)

=======================================================================
[6] News in Brief
=======================================================================

EPIC to Congress: Video Act Amendments Would Weaken Online Privacy

In response to a request from Congressman Melvin Watt (D-NC), EPIC has provided a letter to Rep. Watt's office explaining that HR 2471, a bill to amend the Video Privacy Protection Act, would reduce privacy for Internet users by weakening the consent provision in current law.
The bill, backed by Netflix, would make Facebook users' personal information and online habits more widely available. EPIC's letter points out that the bill does not "modernize" the video privacy law; rather, it makes it more difficult for users to protect their data. The bill passed through the House December 7 without a public hearing or debate.

EPIC: Letter Supporting Video Privacy (Dec. 6, 2011)
US House of Representatives: Text of HR 2471 (Dec. 7, 2011)
EPIC: Video Privacy Protection Act

EPIC Joins Coalition Seeking Audit of TSA Racial Profiling

A coalition of 30 activist organizations, including EPIC, has asked Department of Homeland Security Secretary Janet Napolitano to undertake an independent audit of the Transportation Security Agency to determine whether TSA airport screeners engage in racial profiling. According to news reports, TSA agents have subjected Mexican, Dominican, and Sikh travelers to additional screening based solely on race. As a result of EPIC v. DHS, a federal appeals court ordered the TSA in July 2011 to undertake a formal rulemaking, but the agency has yet to solicit public comments on its airport screening procedures.

Coalition Letter to DHS Secretary Napolitano (Dec. 5, 2011)
EPIC: Air Travel Privacy
EPIC: Passenger Profiling
EPIC: EPIC v. DHS (July 2, 2010)

EU, US Groups Object to EU-US Passenger Data Agreement

Over 20 organizations in the EU and the US have sent an open letter to the European Parliament, opposing a new agreement that would allow European companies to transfer the personal data of European travelers to the United States government in apparent violation of the EU Data Protection Directive. The European Court of Justice struck down the original Passenger Name Record agreement in 2006 after members of the European Parliament charged that there was no legal basis to disclose the data to the US.
The revised agreement is still subject to approval by the Parliament, which has also gained new legal powers since the earlier dispute.

US, EU Civil Society Groups: Letter Re: EU-US PNR Agreement
EU Court of Justice: Decision Annulling 2004 PNR Agreement (May 2006)
EU Parliament: Proposed Revised PNR Agreement
EPIC: EU-US Airline Passenger Data Disclosure
EPIC: Air Passenger Profiling

Civil Liberties Groups Lay Out Principles for Border Policy

Civil liberties organization The Identity Project reported December 7 that "in anticipation of [an] announcement [for] new, secretly-negotiated places for a 'North American Security Perimeter' agreement between the US and Canada," the ACLU, Privacy International, and a coalition of Canadian organizations have released a statement addressing core civil and human rights principles that the agreement should contain. These core principles include the substantive right to the freedom of movement protected both by the US Constitution and the International Covenant on Civil and Political Rights, as well as the procedural right to due process. EPIC has consistently supported traveler privacy for both US citizens and those traveling across US borders, particularly in the areas of airport security and national ID cards.

The Identity Project: Principles for Border Policy (Dec. 7, 2011)
ACLU: Principles for US-Canada Border Policy (Dec. 5, 2011)
Intl. Covenant on Civil and Political Rights: Article 12 (1976)

Court Holds Privacy Settlements Should Go to Privacy Organizations

The US Ninth Circuit Court of Appeals has rejected the proposed $110,000 settlement in a class-action privacy lawsuit against AOL. With 66 million AOL users represented in the class, the relatively small damages award could not reasonably be distributed to class members. In such situations, a court must determine the "next best use" of the funds under the doctrine of "cy pres."
Typically such funds are distributed to charities that serve the interests of the class or otherwise provide a reasonable substitute for compensation. However, in the AOL decision Judge Christina A. Snyder agreed to distribute the $110,000 to several Los Angeles charities that had no connection to the class or subject matter. The Ninth Circuit panel unanimously held that the settlement was improper because the selected charities were unconnected to plaintiffs' e-mail privacy claims, under the rationale that the selection of cy pres beneficiaries must be tethered to the nature of the lawsuit.

Circuit Rejects AOL Privacy Settlement (Nov. 21, 2011)
Ninth Circuit Court: Opinion in AOL Lawsuit (Nov. 21, 2011)

=======================================================================
[7] EPIC Book Review: 'The Lie Detectors'
=======================================================================

"The Lie Detectors: The History of an American Obsession," Ken Alder

Few technologies of crime fighting have enjoyed a more storied history than the lie detector. Featured in movies, books, and popularized in Dick Tracy cartoons, one could easily imagine that the American system of justice was deeply indebted to a device with pens scratching lines across rolled paper. And why not? Imagine a machine that could probe inside the human soul, separate truth from falsity, and determine with scientific precision guilt or innocence. And in a country that has always welcomed scientific innovation, a truth machine would become a holy grail.

But the real history of the device, as told by Ken Alder, is very different -- fun and fascinating, and filled with colorful characters: August Vollmer, the early 20th century Berkeley police chief who brought scientific methods to policing; John Larson, the cop with the PhD, whose efforts to make scientific the use of the lie detectors remained unfulfilled.
And Leonarde Keeler, named for Leonardo da Vinci, the geek in the story, whose obsession and determination made him the father of the polygraph. And then there are the suspects -- the college coeds engaged in dormitory pranks, the hustlers and hoodlums, and the hardened criminals. Would they break when faced with the truth-extracting machine?

Alder's reporting follows the ups and downs of the "polygraph," Greek for many writings, through great success and abysmal failure. Increasingly the reader learns that the lie detector relies less on physiological indicators and more on setting, timing, context, and collaboration. Keeler, himself an amateur magician, adopted many tricks to create the illusion that his device was infallible.

Perhaps this is why the courts have never been comfortable with the device nor with the prospect that judges and juries could be replaced by automated devices designed to dispense justice. In 1922, a court announced what would come to be known as the "Frye Rule," which would require evidence of general acceptability in the relevant scientific community. For the lie detector, that would remain a goal beyond reach.

Still, large companies, government agencies, private investigators, security firms and others outside the courtroom made extensive use of polygraphs. But why rely on this technique if it is not reliable? Alder answers, "The lie detector cannot be killed by science because it is not born by science. . . . To put it in more somber economic terms: lie detection is demand driven."

That observation might also apply to many of the post-9/11 techniques, promoted by the Department of Homeland Security and others who seek to divine "mal intent" through the deployment of new methods and techniques. John Poindexter believed that if enough data could be captured -- a Total Information Awareness -- it would be possible to predict future terrorist acts before they occurred.
Others noted that when looking for needles in haystacks it probably is best not to pile on more hay.

But perhaps the better example from Alder's perspective is the DHS proposal for a "Future Attribute Screening Technology" (FAST), a device designed to identify people who might do something bad by hooking them up to a device that is designed to measure "physiological and behavioral signals" including heartbeat, respiration, electrodermal activity and more. Call it Polygraph 2.0. If Alder's book is any guide, there is much reason to believe that readings produced by the latest generation of truth-seeking machine are more likely to reflect sleight of hand than science.

-- Marc Rotenberg

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies.
The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world.
It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

More Surveillance, More Security? The Landscape of Surveillance in Europe and Challenges to Data Protection and Privacy. Brussels, 4 January 2012. For More Information:

Platts Smart Grid Data Privacy Symposium. Las Vegas, NV, 16-17 February 2012. For More Information: 2012/pc217/index.

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.24 ------------------------
