EPIC Alert 18.25
E P I C A l e r t
Volume 18.25 December 23, 2011
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC to Court: Force DHS Compliance with Public Comment Mandate
 EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter
 EPIC 'Fix FB Privacy Fail' Drive Underway; FB 'Timeline' Released
 US to Retain Biometric Database on Iraqis
 Franken Questions CarrierIQ, Service Providers on Mobile Tracking
 News in Brief
 EPIC's Holiday Wish List: Gift Ideas for the Privacy Enthusiast
 Upcoming Conferences and Events
TAKE ACTION: Fix Facebook Privacy Fail!
- SIGN the Petition: http://epic.org/privacy/fixprivacyfail/noauth.php
- DEMAND Your Facebook Data: http://epic.org/redirect/102511-kwtw.html
- READ the FTC Settlement: http://epic.org/redirect/121311-ftc-FB.html
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC to Court: Force DHS Compliance with Public Comment Mandate
EPIC has filed papers in federal court, seeking, for the second time
this year, to enforce an order that requires the Department of Homeland
Security to begin a rulemaking on the controversial airport body
scanner program. As a result of EPIC's ongoing lawsuit against DHS, the
DC Circuit Court of Appeals ruled that the agency violated federal law
by installing body scanners as primary screening devices without first
soliciting public comment. The Court also held that travelers had a
right to opt out of the airport body scanners.
More than two years ago EPIC and a coalition of civil liberties and
civil rights organizations petitioned Secretary of Homeland Security
Janet Napolitano to provide the public the opportunity to comment on
Through Freedom of Information Act litigation, EPIC had already obtained
hundreds of traveler complaints, including instances when travelers
said that TSA officials retaliated against them for choosing not to go
through the body scanners. Privacy and traveler advocates, health
and security experts, as well as airline pilots have also raised
questions about the screening procedures.
In July 2011, the Court ordered Homeland Security to "promptly" seek
public comment, but the agency has failed to respond. The Court's
decision held that "the TSA has not justified its failure to initiate
notice-and-comment rulemaking before announcing it would use AIT
scanners for primary screening."
court's decision states that "None of the exceptions urged
by the TSA justifies its failure to give notice of and receive comment
upon such a rule, which is legislative and not merely interpretive,
procedural, or a general statement of policy", adding that "Few,
regulatory procedures impose directly and significantly upon so many
members of the public."
In the motion to enforce, EPIC highlighted a recent report by
ProPublica, which described the DHS's failure to take account of
radiation risks posed by body scanners. EPIC also noted the European
Commission's recent decision to limit body scanner use within the EU.
The European Commission specifically banned the use of backscatter
x-ray devices in the European airports because of public health
concerns. Meanwhile, DHS is lobbying Congress to increase the use of
these devices in the United States.
EPIC: Motion to Enforce Order on DHS (Dec. 23, 2011)
EPIC v. DHS: Full Body Scanner Radiation Risks
DC Circuit Court: Opinion on EPIC v. DHS (July 15, 2011)
ProPublica: Series on Body Scanner Radiation
European Commission: Press Release on EU Scanners (Nov. 14, 2011)
EPIC: EPIC v. DHS (Suspension of Body Scanners)
 EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter
EPIC has filed a Freedom of Information Act lawsuit against the
Department of Homeland Security (DHS) to force disclosure of the
details of the agency's proposed social network
In news reports and a Federal Register notice, DHS has stated that it
will routinely monitor the public postings of users on Twitter,
Facebook, and other social networks. The planned social media
monitoring initiative is designed to gather Personally
Information, including account usernames, full names, affiliations, and
positions or titles.
According to the Federal Register and Privacy Impact Assessments, DHS's
social media monitoring initiative would allow the agency to "establish
usernames and passwords" in order to create covert social
media profiles to spy on other users, deploy search tools, and record
online activity of particular users based on the presence of such
search terms as "illegal immigrants," "drill," "infection," "strain,"
"outbreak," "virus," "recovery," "deaths," "collapse," "human to
animal," and "Trojan."
User data will be stored for five years and shared with other
government agencies. Legal authority for the Homeland Security program
remains unclear. EPIC filed the lawsuit after the DHS failed to reply
to an April 2011 FOIA request.
EPIC: Complaint in EPIC v. DHS (Dec. 20, 2011)
EPIC: FOIA Request Against DHS (Apr. 12, 2011)
Federal Register: Notice of Proposed DHS Initiative (Feb. 1, 2011)
EPIC: Social Networking Privacy
 EPIC 'Fix FB Privacy Fail' Drive Underway; FB 'Timeline' Released
Without user consent, Facebook is choosing to disclose far more user
information than was previously available. With the announcement of the
new "Timeline" feature, the social networking company will make old
posts available under Facebook's current downgraded privacy settings.
Users have just a week to clean up their history before Timeline goes
The surprising announcement follows a recent decision by the Federal
Trade Commission, which found that Facebook had engaged in "unfair and
deceptive" trade practices by repeatedly changing user privacy
settings. EPIC, which initiated the complaint that led to the proposed
settlement, is now urging Facebook users to submit comments to the FTC
to strengthen the settlement before finalization.
EPIC recently sent a letter to the FTC about Timeline, arguing that
"level of exposure is vastly different from that of the old
Facebook Profile." EPIC's letter also noted that security experts have
said that Timeline makes it "a heck of a lot easier" for computer
criminals to unearth personal details that can be used to craft
EPIC's campaign recommends the following improvements to the settlement:
(1) Restore Original Settings; (2) Know What They Know; (3) Facial
Recognition; (4) Transparency; and (5) Secret Tracking. Facebook users
can visit EPIC's Facebook app to sign on to the petition through
December 30, 2011.
The Irish Data Protection Agency has recently finished an audit of
which has been tasked with responsibility for all
Facebook user data outside the US and Canada. As a result, the audit
Ireland's compliance not only with Irish but also
with EU privacy laws. According to the Irish Data Protection Authority,
as a result of the audit Facebook Ireland and the agency have agreed to
"significant [privacy] recommendations and commitments" to be
by Facebook Ireland over the next six months.
EPIC: Fix FB Privacy App
EPIC: Fix FB Privacy Non-Facebook Comment Form
EPIC: Letter to FTC re: Timeline (Sept. 29, 2011)
EPIC: Facebook Privacy
EPIC: Facebook FTC Settlement (Nov. 29, 2011)
Irish DPA: Press Release on Facebook Audit (Dec. 21, 2011)
 US to Retain Biometric Database on Iraqis
According to Wired Magazine, US Central Command will retain a massive
database on millions of Iraqi citizens, including personal
as retinal scans, thumbprints, and religious affiliation. Although the
war in Iraq officially concluded on December 20, the US has opted to
hold onto the information for future use.
In 2007 EPIC, joined by Human Rights Watch and Privacy International,
sent a letter to then-Secretary of Defense Robert Gates, objecting to
the collection of Iraqis' personally identifiable information.
letter warned that US collection of biometric data overseas posed a
direct risk to human rights and could result in genocidal
Defense Science Board also warned that the database could "become a hit
list if it gets in the wrong hands."
letter to Secretary Gates stated that collection of Iraqis'
biometric information could "strip away a substantial privacy measure
for Iraqi citizens in the midst of a conflict that flows from deep
religious and ethnic division" and even "contravene international
treaties." The letter urged the Department of Defense to "develop and
adopt clear guidelines that incorporate strong privacy safeguards
ensure that Iraqis are afforded basic human rights in their personal
The National Academy of Sciences recently released a report entitled
"Biometric Recognition: Challenges and Opportunities." The report
concluded that biometric recognition technologies are an "inherently
probabilistic endeavor" with an "inevitable uncertainty and risk of
error." Precipitated by a complaint from EPIC, the Federal Trade
Commission is currently investigating Facebook's use of facial
recognition technology to build a biometric database from Facebook
Wired: Article on US Iraqi Biometric Database (Dec. 21, 2011)
EPIC: Iraqi Biometric Identification System
EPIC: Letter to Former Defense Secretary Robert Gates (July 27, 2007)
EPIC: Transcript of Roundtable on Iraqi Biometrics (Aug. 2007)
National Academy of Sciences: Biometric Recognition
EPIC: Facebook Facial Recognition Complaint
 Franken Questions CarrierIQ, Service Providers on Mobile Tracking
Senator Al Franken (D-MN) has sent open letters to mobile device
diagnostic analysis company CarrierIQ, major cellular service
providers, and cell phone manufacturers, requesting
about CarrierIQ's potential collection and distribution of sensitive
customer data. Franken's letters were written in response to recently
posted online videos revealing the capabilities of CarrierIQ software,
which comes pre-installed on millions
CarrierIQ's response to Franken maintained that the company's software
only collects data for diagnostic purposes, and does not "record or
transmit" the contents of messages or communications. AT&T and Sprint
also responded to Franken's questions by describing the extent,
duration, and purpose of their use of the CarrierIQ software. All
parties involved asserted that any data collected and transmitted was
secure, and that they were in compliance with Federal Wiretap and
Computer Fraud and Abuse Laws.
online videos demonstrate how CarrierIQ software collects
sensitive user data, including keystrokes, text message content,
visited, user locations, and detailed call records. Cellular
carriers, including AT&T and Sprint, require smartphone manufacturers
to install CarrierIQ software on millions of smartphones, a practice
heretofore unknown to most consumers. Franken's letter indicated
collection of such data might constitute an "unlawful intercept" under
the Electronic Communications Privacy Act of 1986 (ECPA).
Franken's letter to cellular providers also asked whether the companies
have disclosed any CarrierIQ data to "federal or state law
enforcement." The operators responded that they have not, but AT&T was
quick to point out that it "does comply with court orders,
and other legal requirements.
In 2011, EPIC was in the forefront of a number of mobile and locational
including the iPhone geotracking scandal, the Google Buzz
settlement, the Supreme Court GPS tracking case US v. Jones, Google
existing contract holders.
Senator Al Franken (D-MN): Open Letter to CarrierIQ (Dec. 1, 2011)
Sen. Franken: Statement on Mobile Carrier Responses (Dec. 15, 2011)
Trevor Eckhart: Video on CarrierIQ 'Rootkit' (Nov. 28, 2011)
EPIC: Complaint to FTC re: Verizon Privacy Changes (Oct. 28, 2011)
EPIC: US v. Jones
EPIC: Locational Privacy
 News in Brief
EPIC Urges Court to Order Disclosure of Cybersecurity Authority
EPIC filed papers December 23 urging a federal court to order the
National Security Agency to disclose National Security Presidential
Directive 54. The Directive is a key document governing national
cybersecurity policy, and grants the NSA broad authority over the
security of American computer networks; however, to date the agency
has refused to make the document public in response to EPIC’s 2009
Freedom of Information Act request. EPIC's motion notes that "The
NSA’s position amounts to a claim that the President may enact secret
laws, direct federal agencies to implement those laws, and shield the
content of those laws from public scrutiny", and argues that the law
"does not support such a sweeping result."
EPIC: Motion for Summary Judgment Against NSA (Dec. 23, 2011)
EPIC: Freedom of Information Act Request to NSA (Nov. 2009)
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC to DHS: Disclosing Personal Information of US Public Is Unlawful
EPIC has submitted comments to the Department of Homeland
objecting to the agency's plan to disclose personal information about
the general public to former DHS employees, third party employers, and
foreign and international agencies. The agency seeks to disclose
personal information, including criminal conviction
records, and foreclosures, about a broad category of individuals,
including members of the public, individuals who file administrative
complaints with DHS, and even individuals who are named parties in
cases "in which DHS believes it will or may become involved." DHS
intends to disclose this information pursuant to the Privacy Act
"routine use" exemption, which allows federal agencies to disclose,
in certain, narrow circumstances, personal information in an agency's
possession without individual consent. EPIC objects to the agency's
lack of opportunity to review public comment on the proposed
disclosures, and maintains that the agency's proposals would "undermine
privacy safeguards set out in the Privacy Act and would unnecessarily
increase privacy risks for individuals whose records are maintained by
the federal government."
EPIC: Comments to DHS (Dec. 22, 2011)
Federal Register: DHS Notice of Privacy Act SORN (Nov. 23, 2011)
EPIC: Privacy Act of 1974 and Amendments
EPIC: Privacy Act of 1974
EPIC Submits Comments on Children's Online Privacy Rule
EPIC has submitted comments to the Federal Trade Commission on a
rule to the Children's Online Privacy Protection Act, or
COPPA. The proposed rule would revise the definition of Personally
Information to include cookies, IP addresses, and
geolocation information. The new rules also contain data minimization
requirements and simplified methods of obtaining parental
consent for data collection. "The proposed revisions update the COPPA
by taking better account of the increased use of mobile devices
by users and of new data collection practices by businesses," EPIC
said. However, EPIC urged the FTC to further improve the rule by
applying it to SMS and MMS messaging services, extending the
of "personal information" to cover the combination of
birth date, gender, and ZIP code, and adding a data-breach
In 2010, EPIC testified before the Senate on
COPPA and filed comments with the agency.
EPIC: Comments on FTC COPPA Revisions (Dec.
FTC: Press Release on Proposed COPPA Revisions (Sept. 15, 2011)
EPIC: Testimony Before US Senate on COPPA (April 29, 2010)
EPIC: Comments to FTC on COPPA (July 9, 2010)
EPIC: Federal Trade Commission
Senate Opens Investigation into Google Search
Senators Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking
Member of the Judiciary Antitrust Subcommittee, sent a December 19
letter to Federal Trade Commissioner Jon Leibowitz, expressing concern
Google's business practices and the company's competitive impact
on Internet search and commerce. In September, EPIC wrote to the
and urged the agency to investigate the extent to which Google has used
its search market dominance to influence the online video
EPIC's letter precipitated a Senate hearing on "The Power of Google:
Serving Consumers or Threatening Competition?" In 2007, EPIC testified
before the Senate Antitrust Subcommittee on Google's growing dominance
of essential Internet services, including the company's proposed merger
with ad management service DoubleClick.
Sens. Kohl and Lee: Letter to FTC Chair re: Google (Dec.
EPIC: Letter to FTC on Google Search Bias (Sept. 8, 2011)
US Senate: Hearing on Google Antitrust Issues (Sept. 21, 2011)
EPIC: Senate Testimony on Google/DoubleClick Acquisition (Sept. 2007)
US Lobbying Against New European Privacy Law
A document obtained by the European Digital Rights Initiative (EDRi), a
civil liberties organization, indicates that the US Department
of Commerce is actively opposing European Union efforts to update
strengthen the EU data privacy framework. The "Informal Note on Draft
EU General Data Protection Regulation" argues that the
to the EU Data Protection Directive could adversely impact the "global
interoperability of national and international privacy regimes." The
US assessment follows a multi-year effort by the EU to establish a
comprehensive framework for privacy protection, which the US has
opposed, opting instead for "self-regulation." EDRi subsequently has
prepared a brief analysis of the "most prominent
misunderstandings in the US paper."
EDRi: Obtained Document on US Efforts re: EU Privacy Law (Dec. 2011)
EPIC: EU Data Protection Directive
EDRi: Press Release on US Efforts (Dec. 22, 2011)
TACD: Letter to House Trade Subcommittee (Sept. 14, 2011)
Congressional Research Service Issues Report on US Cybersecurity Laws
The Congressional Research Service has issued a report
Congress's proposed revisions to various federal statutes related to
cybersecurity. The report discusses the "framework and proposals to
amend more than 30 acts of Congress" affecting cybersecurity. Among
the report's recommendations are updating the
Privacy Act of 1986 to reflect user privacy and law enforcement rights
in cloud computing; establishing a "Privacy and Civil Liberties Board
within the Executive Office of the President," and revising the
E-Government Act of 2002 to improve "privacy provisions to account for
the increased commercial availability of personally identifiable
information." The document also includes a comprehensive table of
"Laws Identified as Having Relevant Cybersecurity Provisions."
Federation of American Scientists: Congressional Report (Dec. 7, 2011)
EPIC: Cybersecurity Privacy
EPIC: Electronic Privacy Communications Act
EPIC: Open Government
 EPIC's Holiday Wish List: Gift Ideas for the Privacy Enthusiast
Why present a discreet opt-out card to the airport TSA officer when you
can shout out the same statement to everyone in the security
Available in four styles and 11 colors for conference circuits and
'Faux Ivy' Privacy Screen
It's only as high as the average home fence, so all your privacy needs
should be kept as low to the ground as possible.
Privacy: What Must We Hide?' Anita L. Allen
Anita Allen's book explores a difficult premise: Should privacy laws be
enacted even when their beneficiaries don't want them? A
provoking look at the tensions between strong privacy protections and
the core values of a liberal democracy.
Because your cat deserves to be protected against unreasonable search
and seizure too. Never mind that the pre- French Revolution
the wrong message about open government.
Barbie 'Mystery Squad Surveillance Specialist Kenzie'
Unfortunately there's no "Privacy Activist Penelope" for counterbalance.
Advanced Security Tunable Receiver Monitor
"Quickly and easily finds wireless cameras and lets you see exactly
what they see." $450 may be a reasonable expenditure for the
'Privacy Blocker' App for Android
Despite the counterintuitive name, Privacy Blocker gets high marks for
sanitizing and hiding what the app's creator calls your "dirty
secrets." It also claims to be the only Android product that "can
actually scan through other apps' code to find privacy issues."
Florene Contemporary 'Privacy' Greeting Cards
Keep your sentiments under wraps with these symbolic and clever cards.
Blank inside. Invisible ink not included.
IEEE Security and
Stay in the forefront of privacy and security technology and policy.
Objective, accessible and written for an audience drawn from
industry, and government.
An oldie and a goodie - and based on past experience, almost universally
effective. Few things destroy the privacy of a good conversation,
or creative moment like a blaring TV screen.
-- EC Rosenberg
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
More Surveillance, More Security? The Landscape of Surveillance in
Europe and Challenges to Data Protection and Privacy. Brussels,
January 2012. For More Information:
Platts Smart Grid Data Privacy Symposium. Las Vegas, NV, 16-17 February
2012. For More Information: http://www.platts.com/ConferenceDetail/
Computers, Privacy, & Data Protection 2012: European Data Protection:
Coming of Age. Brussels, Belgium, 25-27 January 2012, Call
Abstracts Deadline 1 June 2011. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 18.25 ------------------------