
EPIC Alert


EPIC Alert 18.25 [2011] EPICAlert 25


=======================================================================
E P I C   A l e r t
=======================================================================
Volume 18.25                                          December 23, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC to Court: Force DHS Compliance with Public Comment Mandate
[2] EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter
[3] EPIC 'Fix FB Privacy Fail' Drive Underway; FB 'Timeline' Released
[4] US to Retain Biometric Database on Iraqis
[5] Franken Questions CarrierIQ, Service Providers on Mobile Tracking
[6] News in Brief
[7] EPIC's Holiday Wish List: Gift Ideas for the Privacy Enthusiast
[8] Upcoming Conferences and Events

TAKE ACTION: Fix Facebook Privacy Fail!
  - SIGN the Petition:
  - DEMAND Your Facebook Data:
  - READ the FTC Settlement:
  - SUPPORT EPIC:

=======================================================================
[1] EPIC to Court: Force DHS Compliance with Public Comment Mandate
=======================================================================

EPIC has filed papers in federal court, seeking, for the second time this year, to enforce an order that requires the Department of Homeland Security to begin a rulemaking on the controversial airport body scanner program. As a result of EPIC's ongoing lawsuit against DHS, the DC Circuit Court of Appeals ruled that the agency violated federal law by installing body scanners as primary screening devices without first soliciting public comment. The Court also held that travelers had a right to opt-out of the airport body scanners.

More than two years ago EPIC and a coalition of civil liberties and civil rights organizations petitioned Secretary of Homeland Security Janet Napolitano to provide the public the opportunity to comment on the program. Through Freedom of Information Act litigation, EPIC had already obtained hundreds of traveler complaints, including instances when travelers said that TSA officials retaliated against them for choosing not to go through the body scanners. Privacy and traveler advocates, health and security experts, as well as airline pilots have also raised questions about the screening procedures.

In July 2011, the Court ordered Homeland Security to "promptly" seek public comment, but the agency has failed to respond. The Court's decision held that "the TSA has not justified its failure to initiate notice-and-comment rulemaking before announcing it would use AIT scanners for primary screening." The appeals court's decision states that "None of the exceptions urged by the TSA justifies its failure to give notice of and receive comment upon such a rule, which is legislative and not merely interpretive, procedural, or a general statement of policy", adding that "Few, if any regulatory procedures impose directly and significantly upon so many members of the public."

In the motion to enforce, EPIC highlighted a recent report by ProPublica, which described the DHS's failure to take account of radiation risks posed by body scanners. EPIC also noted the European Commission's recent decision to limit body scanner use within the EU. The European Commission specifically banned the use of backscatter x-ray devices in the European airports because of public health concerns. Meanwhile, DHS is lobbying Congress to increase the use of these devices in the United States.

EPIC: Motion to Enforce Order on DHS (Dec. 23, 2011)
EPIC v. DHS: Full Body Scanner Radiation Risks
DC Circuit Court: Opinion on EPIC v. DHS (July 15, 2011)
ProPublica: Series on Body Scanner Radiation
European Commission: Press Release on EU Scanners (Nov. 14, 2011)
EPIC: EPIC v. DHS (Suspension of Body Scanners)

=======================================================================
[2] EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter
=======================================================================

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security (DHS) to force disclosure of the details of the agency's proposed social network monitoring program. In news reports and a Federal Register notice, DHS has stated that it will routinely monitor the public postings of users on Twitter, Facebook, and other social networks. The planned social media monitoring initiative is designed to gather Personally Identifiable Information, including account usernames, full names, affiliations, and positions or titles.

According to the Federal Register and Privacy Impact Assessments, DHS's social media monitoring initiative would allow the agency to "establish [fictitious] usernames and passwords" in order to create covert social media profiles to spy on other users, deploy search tools, and record the online activity of particular users based on the presence of such search terms as "illegal immigrants," "drill," "infection," "strain," "outbreak," "virus," "recovery," "deaths," "collapse," "human to animal," and "Trojan." User data will be stored for five years and shared with other government agencies.

Legal authority for the Homeland Security program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request.

EPIC: Complaint in EPIC v. DHS (Dec. 20, 2011)
EPIC: FOIA Request Against DHS (Apr. 12, 2011)
Federal Register: Notice of Proposed DHS Initiative (Feb. 1, 2011)
EPIC: Social Networking Privacy

=======================================================================
[3] EPIC 'Fix FB Privacy Fail' Drive Underway; FB 'Timeline' Released
=======================================================================

Without user consent, Facebook is choosing to disclose far more user information than was previously available. With the announcement of the new "Timeline" feature, the social networking company will make old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live.

The surprising announcement follows a recent decision by the Federal Trade Commission, which found that Facebook had engaged in "unfair and deceptive" trade practices by repeatedly changing user privacy settings. EPIC, which initiated the complaint that led to the proposed settlement, is now urging Facebook users to submit comments to the FTC in order to strengthen the settlement before finalization.

EPIC recently sent a letter to the FTC about Timeline, arguing that Timeline's "level of exposure is vastly different from that of the old Facebook Profile." EPIC's letter also noted that security experts have said that Timeline makes it "a heck of a lot easier" for computer criminals to unearth personal details that can be used to craft attacks.

EPIC's campaign recommends the following improvements to the settlement: (1) Restore Original Settings; (2) Know What They Know; (3) Facial Recognition; (4) Transparency; and (5) Secret Tracking. Facebook users can visit EPIC's Facebook app to sign on to the petition through December 30, 2011.

The Irish Data Protection Agency has recently finished an audit of Facebook Ireland, which has been tasked with responsibility for all Facebook user data outside the US and Canada. As a result, the audit reflects Facebook Ireland's compliance not only with Irish but also with EU privacy laws.
According to the Irish Data Protection Authority, as a result of the audit Facebook Ireland and the agency have agreed to "significant [privacy] recommendations and commitments" to be undertaken by Facebook Ireland over the next six months.

EPIC: Fix FB Privacy App
EPIC: Fix FB Privacy Non-Facebook Comment Form
EPIC: Letter to FTC re: Timeline (Sept. 29, 2011)
EPIC: Facebook Privacy
EPIC: Facebook FTC Settlement (Nov. 29, 2011)
Irish DPA: Press Release on Facebook Audit (Dec. 21, 2011)

=======================================================================
[4] US to Retain Biometric Database on Iraqis
=======================================================================

According to Wired Magazine, US Central Command will retain a massive database on millions of Iraqi citizens, including personal data such as retinal scans, thumbprints, and religious affiliation. Although the war in Iraq officially concluded on December 20, the US has opted to hold onto the information for future use.

In 2007 EPIC, joined by Human Rights Watch and Privacy International, sent a letter to then-Secretary of Defense Robert Gates, objecting to the collection of Iraqis' personally identifiable information. EPIC's letter warned that US collection of biometric data overseas posed a direct risk to human rights and could result in genocidal violence. The Defense Science Board also warned that the database could "become a hit list if it gets in the wrong hands."

EPIC's letter to Secretary Gates stated that collection of Iraqis' biometric information could "strip away a substantial privacy measure for Iraqi citizens in the midst of a conflict that flows from deep religious and ethnic division" and even "contravene international treaties." The letter urged the Department of Defense to "develop and adopt clear guidelines that incorporate strong privacy safeguards to ensure that Iraqis are afforded basic human rights in their personal information."

The National Academy of Sciences recently released a report entitled "Biometric Recognition: Challenges and Opportunities." The report concluded that biometric recognition technologies are an "inherently probabilistic endeavor" with an "inevitable uncertainty and risk of error." Precipitated by a complaint from EPIC, the Federal Trade Commission is currently investigating Facebook's use of facial recognition technology to build a biometric database from Facebook user photos.

Wired: Article on US Iraqi Biometric Database (Dec. 21, 2011)
EPIC: Iraqi Biometric Identification System
EPIC: Letter to Former Defense Secretary Robert Gates (July 27, 2007)
EPIC: Transcript of Roundtable on Iraqi Biometrics (Aug. 2007)
National Academy of Sciences: Biometric Recognition
EPIC: Facebook Facial Recognition Complaint
EPIC: Biometrics

=======================================================================
[5] Franken Questions CarrierIQ, Service Providers on Mobile Tracking
=======================================================================

Senator Al Franken (D-MN) has sent open letters to mobile device diagnostic analysis company CarrierIQ, major cellular service providers, and cell phone manufacturers, requesting more information about CarrierIQ's potential collection and distribution of sensitive customer data. Franken's letters were written in response to recently posted online videos revealing the capabilities of CarrierIQ software, which comes pre-installed on millions of smartphones.

CarrierIQ's response to Franken maintained that the company's software only collects data for diagnostic purposes, and does not "record or transmit" the contents of messages or communications. AT&T and Sprint also responded to Franken's questions by describing the extent, duration, and purpose of their use of the CarrierIQ software.
All parties involved asserted that any data collected and transmitted was secure, and that they were in compliance with Federal Wiretap and Computer Fraud and Abuse Laws.

The online videos demonstrate how CarrierIQ software collects sensitive user data, including keystrokes, text message content, websites visited, user locations, and detailed call records. Cellular carriers, including AT&T and Sprint, require smartphone manufacturers to install CarrierIQ software on millions of smartphones, a practice heretofore unknown to most consumers. Franken's letter indicated that collection of such data might constitute an "unlawful intercept" under the Electronic Communications Privacy Act of 1986 (ECPA).

Franken's letter to cellular providers also asked whether the companies have disclosed any CarrierIQ data to "federal or state law enforcement." The operators responded that they have not, but AT&T was quick to point out that it "does comply with court orders, subpoenas," and other legal requirements.

In 2011, EPIC was in the forefront of a number of mobile and locational privacy cases, including the iPhone geotracking scandal, the Google Buzz settlement, the Supreme Court GPS tracking case US v. Jones, Google StreetView, and Sprint Mobile's abrupt privacy policy changes for existing contract holders.

Senator Al Franken (D-MN): Open Letter to CarrierIQ (Dec. 1, 2011)
Sen. Franken: Statement on Mobile Carrier Responses (Dec. 15, 2011)
Trevor Eckhart: Video on CarrierIQ 'Rootkit' (Nov. 28, 2011)
EPIC: Complaint to FTC re: Verizon Privacy Changes (Oct. 28, 2011)
EPIC: ECPA
EPIC: US v. Jones
EPIC: Locational Privacy

=======================================================================
[6] News in Brief
=======================================================================

EPIC Urges Court to Order Disclosure of Cybersecurity Authority

EPIC filed papers December 23 urging a federal court to order the National Security Agency to disclose National Security Presidential Directive 54. The Directive is a key document governing national cybersecurity policy, and grants the NSA broad authority over the security of American computer networks; however, to date the agency has refused to make the document public in response to EPIC’s 2009 Freedom of Information Act request. EPIC's motion notes that "The NSA’s position amounts to a claim that the President may enact secret laws, direct federal agencies to implement those laws, and shield the content of those laws from public scrutiny", and argues that the law "does not support such a sweeping result."

EPIC: Motion for Summary Judgment Against NSA (Dec. 23, 2011)
EPIC: Freedom of Information Act Request to NSA (Nov. 2009)
EPIC: EPIC v. NSA - Cybersecurity Authority

EPIC to DHS: Disclosing Personal Information of US Public Is Unlawful

EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to disclose personal information about the general public to former DHS employees, third party employers, and foreign and international agencies. The agency seeks to disclose personal information, including criminal conviction records, employee records, and foreclosures, about a broad category of individuals, including members of the public, individuals who file administrative complaints with DHS, and even individuals who are named parties in cases "in which DHS believes it will or may become involved." DHS intends to disclose this information pursuant to the Privacy Act "routine use" exemption, which allows federal agencies to disclose, in certain, narrow circumstances, personal information in an agency's possession without individual consent. EPIC objects to the agency's lack of opportunity to review public comment on the proposed disclosures, and maintains that the agency's proposals would "undermine privacy safeguards set out in the Privacy Act and would unnecessarily increase privacy risks for individuals whose records are maintained by the federal government."

EPIC: Comments to DHS (Dec. 22, 2011)
Federal Register: DHS Notice of Privacy Act SORN (Nov. 23, 2011)
EPIC: Privacy Act of 1974 and Amendments
EPIC: Privacy Act of 1974
EPIC: Profiling

EPIC Submits Comments on Children's Online Privacy Rule

EPIC has submitted comments to the Federal Trade Commission on a proposed rule to the Children's Online Privacy Protection Act, or COPPA. The proposed rule would revise the definition of Personally Identifiable Information to include cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of birth date, gender, and ZIP code, and adding a data-breach notification requirement. In 2010, EPIC testified before the Senate on COPPA and filed comments with the agency.

EPIC: Comments on FTC COPPA Revisions (Dec. 23, 2011)
FTC: Press Release on Proposed COPPA Revisions (Sept. 15, 2011)
EPIC: Testimony Before US Senate on COPPA (April 29, 2010)
EPIC: Comments to FTC on COPPA (July 9, 2010)
EPIC: COPPA
EPIC: Federal Trade Commission

Senate Opens Investigation into Google Search

Senators Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking Member of the Judiciary Antitrust Subcommittee, sent a December 19 letter to Federal Trade Commissioner Jon Leibowitz, expressing concern over Google's business practices and the company's competitive impact on Internet search and commerce. In September, EPIC wrote to the FTC and urged the agency to investigate the extent to which Google has used its search market dominance to influence the online video marketplace. EPIC's letter precipitated a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" In 2007, EPIC testified before the Senate Antitrust Subcommittee on Google's growing dominance of essential Internet services, including the company's proposed merger with ad management service DoubleClick.

Sens. Kohl and Lee: Letter to FTC Chair re: Google (Dec. 19, 2011)
EPIC: Letter to FTC on Google Search Bias (Sept. 8, 2011)
US Senate: Hearing on Google Antitrust Issues (Sept. 21, 2011)
EPIC: Senate Testimony on Google/DoubleClick Acquisition (Sept. 2007)

US Lobbying Against New European Privacy Law

A document obtained by the European Digital Rights Initiative (EDRi), a European civil liberties organization, indicates that the US Department of Commerce is actively opposing European Union efforts to update and strengthen the EU data privacy framework. The "Informal Note on Draft EU General Data Protection Regulation" argues that the proposed updates to the EU Data Protection Directive could adversely impact the "global interoperability of national and international privacy regimes." The US assessment follows a multi-year effort by the EU to establish a comprehensive framework for privacy protection, which the US has opposed, opting instead for "self-regulation."
EDRi subsequently has prepared a brief analysis of the "most prominent exaggerations and misunderstandings in the US paper."

EDRi: Obtained Document on US Efforts re: EU Privacy Law (Dec. 2011)
EPIC: EU Data Protection Directive
EDRi: Press Release on US Efforts (Dec. 22, 2011)
TACD: Letter to House Trade Subcommittee (Sept. 14, 2011)

Congressional Research Service Issues Report on US Cybersecurity Laws

The Congressional Research Service has issued a report detailing Congress's proposed revisions to various federal statutes related to cybersecurity. The report discusses the "framework and proposals to amend more than 30 acts of Congress" affecting cybersecurity. Among the report's recommendations are updating the Electronic Communications Privacy Act of 1986 to reflect user privacy and law enforcement rights in cloud computing; establishing a "Privacy and Civil Liberties Board within the Executive Office of the President," and revising the E-Government Act of 2002 to improve "privacy provisions to account for the increased commercial availability of personally identifiable information." The document also includes a comprehensive table of "Laws Identified as Having Relevant Cybersecurity Provisions."

Federation of American Scientists: Congressional Report (Dec. 7, 2011)
EPIC: Cybersecurity Privacy
EPIC: Electronic Privacy Communications Act
EPIC: Open Government

=======================================================================
[7] EPIC's Holiday Wish List: Gift Ideas for the Privacy Enthusiast
=======================================================================

TSA T-Shirt
Why present a discreet opt-out card to the airport TSA officer when you can shout out the same statement to everyone in the security line? Available in four styles and 11 colors for conference circuits and book tours.

'Faux Ivy' Privacy Screen
It's only as high as the average home fence, so all your privacy needs should be kept as low to the ground as possible.

'Unpopular Privacy: What Must We Hide?' Anita L. Allen
Anita Allen's book explores a difficult premise: Should privacy laws be enacted even when their beneficiaries don't want them? A thought-provoking look at the tensions between strong privacy protections and the core values of a liberal democracy.

Prive Kitty Litter Screen
Because your cat deserves to be protected against unreasonable search and seizure too. Never mind that the pre-French Revolution design sends the wrong message about open government.

Barbie 'Mystery Squad Surveillance Specialist Kenzie'
Unfortunately there's no "Privacy Activist Penelope" for counterbalance.

Advanced Security Tunable Receiver Monitor
"Quickly and easily finds wireless cameras and lets you see exactly what they see." $450 may be a reasonable expenditure for the true privacy vigilante.

'Privacy Blocker' App for Android
Despite the counterintuitive name, Privacy Blocker gets high marks for sanitizing and hiding what the app's creator calls your "dirty secrets." It also claims to be the only Android product that "can actually scan through other apps' code to find privacy issues."

Florene Contemporary 'Privacy' Greeting Cards
Keep your sentiments under wraps with these symbolic and clever cards. Blank inside. Invisible ink not included.

IEEE Security and Privacy Magazine
Stay in the forefront of privacy and security technology and policy. Objective, accessible and written for an audience drawn from academia, industry, and government.

TV-B-Gone
An oldie and a goodie - and based on past experience, almost universally effective. Few things destroy the privacy of a good conversation, read, or creative moment like a blaring TV screen.

-- EC Rosenberg

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010).
Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

More Surveillance, More Security? The Landscape of Surveillance in Europe and Challenges to Data Protection and Privacy. Brussels, 4 January 2012. For More Information:

Platts Smart Grid Data Privacy Symposium. Las Vegas, NV, 16-17 February 2012. For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.25 ------------------------
