EPIC Alert 18.24
E P I C A l e r t
Volume 18.24 December 14, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Urges Public Comment on FTC Facebook Settlement
 EPIC to Court: Demand DHS Release of Scanner Radiation Documents
 EPIC Urges Supreme Court to Enforce Federal Privacy Act
 EPIC to Challenge FERPA Revisions
 EU Justice Minister Warns US on 'Self-Regulation'
 News in Brief
 Book Review: 'The Lie Detectors'
 Upcoming Conferences and Events
TAKE ACTION: Fix Facebook Privacy Fail!
- SIGN the Petition: http://epic.org/privacy/fixprivacyfail/noauth.php
- DEMAND Your Facebook Data: http://epic.org/redirect/102511-kwtw.html
- READ the FTC Settlement: http://epic.org/redirect/121311-ftc-FB.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Urges Public Comment on FTC Facebook Settlement
Following the November 29 announcement of a proposed settlement between
the Federal Trade Commission and Facebook, EPIC has launched the "Fix
FB Privacy Fail" campaign, which encourages Facebook members to express
support for privacy-enhancing improvements to the settlement. Facebook
users can sign on, "Like," or tweet the petition, and those who wish to
avoid using Facebook can sign the petition without entering the
Facebook Web site.
"Fix FB Privacy Fail" aims to strengthen the final settlement by
encouraging the FTC to take into account the views of civil society.
numbers of Facebook users expressing support for EPIC's
recommendations increases the probability that the FTC will incorporate
changes into the final settlement.
The proposed settlement contains an eight-count complaint against
Facebook, and includes allegations that the company violated the FTC
Act's prohibition on "unfair and deceptive" trade practices by
misleading users about the extent to which they could control access to
their personal information, and to which applications and advertisers
had access to that same information. Specifically, the proposed consent
order prohibits Facebook from misrepresenting the privacy or security of
information, and requires Facebook to (1) obtain users'
affirmative, express consent before sharing their information in a way
that exceeds their privacy settings; (2) establish a comprehensive
privacy program; (3) ensure that facebook.com cannot access personal
information after a user deletes his or her account, and (4) submit to
independent audits for 20 years.
Although the settlement is far-reaching and comprehensive, it can be
strengthened in several ways. With input from members of the EPIC Advisory
Privacy Coalition, and the Trans-Atlantic Consumer Dialogue,
EPIC recommends the following improvements:
- Restore Original Settings. Facebook should default to the privacy
settings available to users in 2009.
- Know What They Know. Facebook should let users have access to all
data that Facebook keeps about them.
- Facial Recognition. Facebook should stop making facial recognition
without users' consent.
- Transparency. Facebook's privacy reports should be made publicly
- Secret Tracking. Facebook should stop secretly tracking users across
The "Fix FB Privacy" campaign will run until December 30, 2011, at
stops accepting public comments. Facebook users can visit
EPIC's Facebook app to sign on to the petition.
EPIC: "Fix FB Privacy"
EPIC: "Fix FB Privacy" (Non-Facebook)
FTC: Complaint against Facebook (Nov. 29, 2011)
FTC: Proposed Settlement against Facebook (Nov. 29, 2011)
FTC: Link for Public Comment on Facebook Settlement
EPIC: 2009 Complaint against Facebook (Dec. 2009)
EPIC: 2010 Complaint against Facebook (May 2010)
 EPIC to Court: Demand DHS Release of Scanner Radiation Documents
EPIC filed a reply motion on December 3 in EPIC v. DHS, a pending
Freedom of Information Act lawsuit against the Department of
Homeland Security for information about the radiation risks posed by
airport body scanners. EPIC's initial Freedom of Information Act
request was filed in July 2010, but the agency failed to respond until
EPIC filed suit in DC District Court in early 2011.
lawsuit resulted in the disclosure of over a thousand pages of
documents, including studies detailing danger zones around the scanners
and proper limits of employee exposure. Although the agency initially
withheld radiation emission facts, EPIC was able to force disclosure.
EPIC's motion asks the court to force the agency to disclose additional
documents, which include radiation testing results, agency
on body scanner radiation risks, and an image produced by the machines.
The European Union recently effectively prohibited the use of
backscatter x-ray devices in EU airports by demanding that any airport
that deploys the scanners must "do so under strict
technical conditions" set by the EU.
EPIC v. DHS: Full Body Scanner Radiation Risks
EPIC: Reply Motion in EPIC v. DHS (Dec. 3, 2011)
EPIC: Motion for Summary Judgment in EPIC v. DHS (Oct. 31, 2011)
European Commission: Press Release on EU Scanners (Nov. 14, 2011)
 EPIC Urges Supreme Court to Enforce Federal Privacy Act
The Supreme Court heard oral arguments November 30 in FAA v. Cooper, a
case that tests the scope of damages available for "willful and
intentional" violations of the Privacy Act. Pilot
brought a claim under the Privacy Act after his Federal Aviation
Administration and Social Security Administration
records were exchanged by the agencies in violation of the Privacy Act.
The SSA records included Cooper's HIV status, which prevented him from
renewing his pilot's license, and Cooper claimed damages for severe
mental and emotional distress.
circuit courts are divided over whether mental and
emotional damages are recoverable under the Privacy Act. EPIC filed a
of the Court" brief in FAA v. Cooper, arguing that Congress
intended the Privacy Act to provide robust and comprehensive
for individual privacy, and that such protections are only
effective when the Privacy Act is enforced. EPIC maintains that "mental
and emotional damages are just the sort of harms for which privacy laws
routinely provide compensation. And the Privacy Act's legislative
history makes clear that Congress intended to include mental and
emotional distress as one component of 'actual damages.'"
EPIC submitted a similar brief to the Supreme Court in
First American Financial Services v. Edwards, which involves a
challenge to a statutory injury claim under the Real
Estate Settlement Procedures Act, or RESPA. EPIC's brief argues that
should be allowed to create statutory rights under these
circumstances, the violation of which constitutes a Constitutionally
injury. EPIC's 2003 brief in the Supreme Court case Doe v.
Chao argued in favor of Privacy Act statutory damages, but the Court
that a plaintiff must show "actual damage" before recovering the
statutory minimum of $1,000.
US Supreme Court: Transcript: FAA v. Cooper Arguments (Nov. 30, 2011)
EPIC: "Friend of the Court" Brief in FAA v. Cooper (Oct. 4, 2011)
EPIC: FAA v. Cooper
EPIC: Brief in First American v. Edwards (October 18, 2011)
EPIC: First American v. Edwards
EPIC: Friend of the Court Brief in Doe v. Chao (Aug. 2003)
EPIC: Doe v. Chao
 EPIC to Challenge FERPA Revisions
The Department of Education has released final regulations of the
Family Educational Rights and Privacy Act, or FERPA. EPIC had
submitted extensive comments to the agency in May 2011 in response to
an initial request for public comments. EPIC's comments addressed
the student privacy risks and the Department of Education's lack of
legal authority to make changes to FERPA without explicit
The final FERPA regulations both exceed the Department of Education's
legal authority and expose students to new privacy risks. Specifically,
the new rules permit educational institutions to release student
records to non-governmental agencies without obtaining written parental
consent. The regulations also broaden the permissible purposes for
which third parties can access student records without parental
notification. Similarly, without mandatory guidelines in place to
prevent unlawful third-party access to education records, the ED has
failed to create sufficient safeguards against the risk of student
plans to challenge the agency's new regulations.
FERPA was signed into law by President Gerald Ford in August 1974 in
"the growing evidence of the abuse of student records
across the nation." A number of amendments were added later that
limiting the right of post-secondary students to
inspect and review financial records, thereby denying access to
records or confidential letters of recommendation
placed in their files. FERPA has been amended a total of nine times
since its enactment. Through these amendments, Congress has acknowledged
new circumstances under which personally identifiable information
contained in education records can be disclosed without the consent of
parents or students.
EPIC has been a longtime advocate for student privacy
addition to filing public comments in FERPA, earlier in 2011 EPIC
filed a "friend of the court" brief in Chicago Tribune
of Illinois, a case involving student privacy rights protected by
FERPA. In 2005, EPIC and more than 100 local, state,
organizations urged former Secretary of Defense Donald Rumsfeld to
end the "Joint Advertising and Market Research Studies"
Database, which would have disclosed personal information of Americans
ages 16-25 without obtaining individual consent.
Department of Education: FERPA Final Regulations (Dec. 2, 2011)
EPIC: Comments to the Department of Education on FERPA (May 23, 2011)
EPIC: Friend of the Court Brief in Tribune v. U. of I. (July 20, 2011)
Privacy Coalition: DOD Database Campaign Coalition Letter (Oct. 2005)
EPIC: Student Privacy
 EU Justice Minister Warns US on 'Self-Regulation'
EU Justice Minister Viviane Reding warned at a December 6 speech in
Brussels that a US plan for privacy self-regulation will "not be
sufficient" to protect the flow of personal data between Europe and the
United States. Reding also said that European companies were likely to
rely on European rather than US cloud service providers as long as the
US Patriot Act remained law.
A draft of the European Union's new General Data Protection Regulation
was made available via the Internet in late November. The Regulation is
a sweeping and comprehensive update of the 1995 EU Data Protection
Directive, setting out new enforcement powers for privacy agencies.
document is the product of over two years of meetings, focus groups,
and discussions with various stakeholder groups. In 2010,
Director Marc Rotenberg appeared before the European Parliament,
encouraging the adoption of a framework to protect the flow of personal
data between the EU and the US.
The draft regulations also build upon 2000's Charter of Fundamental
of the European Union, which established a right of "Information
Privacy." The draft charter grants both explicit legal rights to
residents and obligations to companies doing business in the EU,
whereas the current regime only requires member countries to
compatible laws. Among the individual rights to be established are
transparency, access to data, rectification, erasure, and the right to
object to profiling.
A spokesperson for the White House again pledged that a long-delayed
paper on US privacy would soon be available. The paper, which has been
promised for over a year, is to be released by the Office of Science and
Policy, and contain suggestions on privacy standards and
protections to be taken up later in Congress.
Europa: Speech of Viviane Reding, VP of EU Commission (Dec. 6, 2011)
EU: Draft of General Data Protection Regulation (Nov. 29, 2011)
EU: 1995 Data Protection Directive
EPIC: EU Data Protection Directive
EU: Charter of Fundamental Rights (Dec. 2000)
 News in Brief
EPIC to Congress: Video Act Amendments Would Weaken Online Privacy
In response to a request from Congressman Melvin Watt (D-NC),
provided a letter to Rep. Watt's office explaining that HR 2471, a bill
to amend the Video Privacy Protection Act, would reduce privacy for
Internet users by weakening the consent provision in current law.
The bill, backed by Netflix, would make Facebook
information and online habits more widely available. EPIC's letter
points out that the bill does not "modernize" the video privacy law;
rather, it makes it more difficult for users to protect their data.
The bill passed through the House December 7 without a public hearing
EPIC: Letter Supporting Video Privacy (Dec. 6, 2011)
US House of Representatives: Text of HR 2471 (Dec. 7, 2011)
EPIC: Video Privacy Protection Act
EPIC Joins Coalition Seeking Audit of TSA Racial Profiling
A coalition of 30 activist organizations, including EPIC, has asked
Department of Homeland Security Secretary Janet Napolitano to undertake
an independent audit of the Transportation Security Agency
whether TSA airport screeners engage in racial profiling. According to
news reports, TSA agents have subjected Mexican, Dominican, and Sikh
travelers to additional screening based solely on race. As a result of
EPIC v. DHS, a federal appeals court ordered the TSA in July 2011 to
undertake a formal rulemaking, but the agency has yet to solicit public
comments on its airport screening
Coalition Letter to DHS Secretary Napolitano (Dec. 5, 2011)
EPIC: Air Travel Privacy
EPIC: Passenger Profiling
EPIC: EPIC v. DHS (July 2, 2010)
EU, US Groups Object to EU-US Passenger Data Agreement
Over 20 organizations in the EU and the US have sent an open letter to
the European Parliament, opposing a new agreement that would allow
European companies to transfer the personal data of European travelers
to the United States government in apparent violation of the EU Data
Protection Directive. The European Court of Justice struck down
original Passenger Name Record agreement in 2006 after members of
the European Parliament charged that there was no legal basis
disclose the data to the US. The revised agreement is still subject to
approval by the Parliament, which has also gained new legal
since the earlier dispute.
US, EU Civil Society Groups: Letter Re: EU-US PNR Agreement
EU Court of Justice: Decision Annulling 2004 PNR Agreement (May 2006)
EU Parliament: Proposed Revised PNR Agreement
EPIC: EU-US Airline Passenger Data Disclosure
EPIC: Air Passenger Profiling
Civil Liberties Groups Lay Out Principles for Border Policy
Civil liberties organization The Identity Project reported December
that "in anticipation of [an] announcement [for] new, secretly-
negotiated places for a 'North American Security Perimeter' agreement
between the US and Canada," the ACLU, Privacy International, and a
coalition of Canadian organizations have released a statement
addressing core civil and human rights principles that the agreement
should contain. These core principles include the substantive
the freedom of movement protected both by the US Constitution and the
International Covenant on Civil and Political Rights, as well as the
procedural right to due process. EPIC has consistently
traveler privacy for both US citizens and those traveling across US
borders, particularly in the areas of airport security
The Identity Project: Principles for Border Policy (Dec. 7, 2011)
ACLU: Principles for US-Canada Border Policy (Dec. 5, 2011)
Intl. Covenant on Civil and Political Rights: Article 12 (1976)
Court Holds Privacy Settlements Should Go to Privacy Organizations
The US Ninth Circuit Court of Appeals has rejected the proposed
$110,000 settlement in a class-action privacy lawsuit against AOL. With
66 million AOL users represented in the class, the relatively
damages award could not reasonably be distributed to class members. In
such situations, a court must determine the "next best use" of the
funds under the doctrine of "cy pres." Typically such funds are
distributed to charities that serve the interests of the class or
otherwise provide a reasonable substitute for compensation. However, in
the AOL decision Judge Christina A. Snyder agreed to distribute the
$110,000 to several Los Angeles charities that had no connection to the
class or subject matter. The Ninth Circuit panel unanimously held that
the settlement was improper because the selected charities were
unconnected to plaintiffs' e-mail privacy claims, under the rationale
that the selection of cy pres beneficiaries must be tethered to the
nature of the lawsuit.
Circuit Rejects AOL Privacy Settlement (Nov. 21, 2011)
Ninth Circuit Court: Opinion in AOL Lawsuit (Nov. 21, 2011)
 EPIC Book Review: 'The Lie Detectors'
"The Lie Detectors: The History of an American Obsession,"
Few technologies of crime fighting have enjoyed a more storied
history than the lie detector. Featured in movies, books, and
in Dick Tracy cartoons, one could easily imagine that
the American system of justice was deeply indebted to a device with
lines across rolled paper.
And why not? Imagine a machine that could probe inside the human
soul, separate truth from falsity, and determine with scientific
precision guilt or innocence. And in a country that has always
welcomed scientific innovation, a truth machine would become a holy
But the real history of the device, as told by Ken Adler, is very
different -- fun and fascinating, and filled with colorful
characters: August Vollmer, the early 20th century Berkeley police
chief who brought scientific methods to policing; John Larson, the
cop with the PhD, whose efforts to make scientific the use of the
lie detectors remained unfulfilled. And Leonarde Keller, named for
Leonardo da Vinci, the geek in the story, whose obsession and
determination made him the father of the polygraph.
And then there are the suspects -- the college coeds engaged in
dormitory pranks, the hustlers and hoodlums, and
criminals. Would they break when faced with the truth-extracting
Adler's reporting follows the ups and downs of the "polygraph," Greek
for many writings, through great success and abysmal failure.
Increasingly the reader learns that the lie detector relies less on
physiological indicators and more on setting, timing, context, and
collaboration. Keller, himself an amateur magician, adopted many
tricks to create the illusion that his device was infallible.
Perhaps this is why the courts have never been comfortable with the
device nor with the prospect that judges and juries could be
replaced by automated devices designed to dispense justice. In 1922,
a court announced what would come to be known as the "Frye Rule,"
which would require evidence of general acceptability in the relevant
scientific community. For the lie detector, that would remain a goal
Still, large companies, government agencies, private investigators,
security firms and others outside the courtroom made extensive use
of polygraphs. But why rely on this technique if it is not reliable?
Adler answers "The lie detector cannot be killed by science because
it is not born by science. . . . To put it in more somber economic
terms: lie detection is demand driven."
That observation might also apply to many of the
techniques, promoted by the Department of Homeland Security and
others who seek to divine "mal intent" through the deployment
methods and techniques. John Poindexter believed that if enough
data could be captured -- a Total Information Awareness --
be possible to predict future terrorist acts before they occurred.
Others noted that when looking for needles in haystacks
is best not to pile on more hay.
But perhaps the better example from Adler's perspective is the DHS
proposal for a "Future Attribute Screening Technology" (FAST), a
device designed to identify people who might do something bad by
hooking them up to a device that is designed to measure
"physiological and behavioral signals" including heartbeat,
respiration, electrodermal activity and more.
Call it Polygraph 2.0.
If Adler's book is any guide, there is much reason to believe that
readings produced by the latest generation of truth-seeking machine
is more likely to reflect sleight of hand than science.
-- Marc Rotenberg
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
More Surveillance, More Security? The Landscape of Surveillance in
Europe and Challenges to Data Protection and Privacy. Brussels,
January 2012. For More Information:
Platts Smart Grid Data Privacy Symposium. Las Vegas, NV, 16-17 February
2012. For More Information: http://www.platts.com/ConferenceDetail/
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.24 ------------------------