EPIC Alert 18.08 [2011] EPICAlert 8

=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 18.08                                             April 22, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

Submit comments to FTC On Google Buzz and Privacy

=======================================================================
Table of Contents
=======================================================================
[1] White House Releases Plans for Internet Identities
[2] Senators Kerry and McCain Introduce Privacy Legislation
[3] Department of Education Plans to Disclose Confidential Student Data
[4] EPIC Argues Residential Routers are Not Exempted Under Wiretap Laws
[5] EPIC Champions Right to Informational Privacy Before Third Circuit
[6] News In Brief
[7] EPIC Book Review: "Security or Surveillance?"
[8] Upcoming Conferences and Events

TAKE ACTION: Tell the FTC to Fix Google Privacy!
- SUBMIT comments here
- POST the link on your Facebook Page and Twitter Account!
- SUPPORT EPIC

=======================================================================
[1] White House Releases Plans for Internet Identities
=======================================================================

The White House has published the National Strategy for Trusted Identities in Cyberspace (NSTIC), which provides guidance for an Internet identity system. The plan comes nearly two years after the White House first released its Cyberspace Policy Review, which set forth a national plan for Internet identities. In 2010, the White House released the draft NSTIC, and accepted public comments via an online forum. The Draft was developed with significant contributions from the Department of Homeland Security. EPIC responded with comments that emphasized the need for strong privacy safeguards for Internet users.

"The President endorsed 'Privacy Enhancing Technologies' for online credentials. That is historic," said EPIC Executive Director Marc Rotenberg today, "but online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The U.S. will need to do more to protect online privacy."

The Strategy is being deployed as a public-private partnership, with the Federal Government leaving the majority of research and development to the private sector. The NSTIC document set out four goals that are necessary to meet in the implementation of the program: development of a comprehensive Identity Ecosystem Framework; construction of interoperable identity solutions; enhancement of confidence and willingness to participate in the identity ecosystem; and assurance of the long-term success and viability of the program.

The first phase of the Strategy is meant to be completed in the next three to five years, and will entail the development of a growing marketplace of identity providers with a number of attribute providers and enrolled identities taking advantage of the Strategy's benefits. By 2021, the Strategy is supposed to be self-sustaining.

Several elements of the NSTIC proposal reflect work undertaken by EPIC over the past decade. For example, in 2001 EPIC, members of the EPIC Advisory Board, and a coalition of consumer and privacy organizations filed a complaint with the Federal Trade Commission that urged an investigation of the Microsoft plan for a single Internet identity system called "Passport." EPIC and the groups recommended the development of "techniques for anonymity and pseudo-anonymity" so that users could access the Internet "without disclosing their actual identity."

In 2002, the Microsoft Corporation agreed to settle Federal Trade Commission charges regarding the privacy and security of personal information collected from consumers through the "Passport" web services.
As part of the settlement, Microsoft agreed to a comprehensive information security program for Passport and similar services. Microsoft subsequently developed a less centralized approach to online credentials that allowed for a variety of options for user authentication.

The FTC has recently concluded an investigation in another matter sparked by an EPIC complaint concerning Google and Privacy. Google has agreed to establish a Comprehensive Privacy Program for all of its products and services.

White House: National Strategy for Trusted Identities in Cyberspace
Department of Homeland Security: Draft NSTIC
EPIC: Creating Options for Enhanced Online Security & Privacy
White House: Cyberspace Policy Review
EPIC: National Strategy for Trusted Identities in Cyberspace
EPIC: Microsoft Passport Investigation Docket
FTC: Microsoft Settles FTC Charges Alleging False Security and Privacy Promises
EPIC: In re Google Buzz
FTC: Press Release (Google Buzz)
EPIC: Fix Google Privacy

=======================================================================
[2] Senators Kerry and McCain Introduce Privacy Legislation
=======================================================================

On April 12, Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the "Commercial Privacy Bill of Rights Act of 2011" (S-799) with the purpose of protecting consumer privacy online and offline. The Bill endorses several "Fair Information Practices," such as security, accountability, and data minimization. Sponsored by two former Presidential candidates of opposing parties, the Bill suggests strong bipartisan support for privacy legislation in the current Congress.

Further, the Bill restricts collection and sharing of sensitive information with third-party entities. This expands current law to include protection for religious information as well as medical and financial data, which is already protected in separate statutes.

However, after many political compromises, the Bill no longer allows for a private right of action, it includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements, and it preempts state privacy laws, which are often more protective. In addition, an earlier draft of the bill extended protection to any type of data, but the current language restricts protections to "sensitive data." In addition, the Bill provides an exemption for third parties that gather data through companies that have an established business relationship with a consumer.

The Bill is currently under review in the Committee on Commerce, Science, and Transportation.

Commercial Privacy Bill of Rights Act of 2011
Senator McCain: Statement on Bi-Partisan Legislation (Apr. 12, 2011)
EPIC: Online Tracking and Behavioral Profiling
EPIC: Federal Trade Commission

=======================================================================
[3] Department of Education Plans to Disclose Confidential Student Data
=======================================================================

The U.S. Department of Education has proposed new regulations that would allow expanded transfer of previously confidential student data from schools to state agencies. The regulations will revise key provisions of the Federal Educational Rights and Privacy Act (FERPA), which was enacted to protect the privacy, security, and confidentiality of student data.

The proposal is part of a new federal program, "ARRA Support for State Longitudinal Data Systems," that requires schools to disclose their students' data, including enrollment information, degree of success transitioning from secondary to post-secondary institutions, and demographic data in order to receive federal funding. The student information will be compiled into large databases and used to track and analyze students' progress through the education system.

Among other changes, the regulations also modify what is considered disclosable "directory information" under FERPA. Students' names, photographs, and student ID numbers would now fall into this category. The Department of Education asserts it is responding to concerns that students and parents had been opting out of having directory information disclosed and were thus able to avoid wearing student ID badges required by some school systems.

The Department is accepting comments on the proposed regulations. Deadline for comment is May 23, 2011.

EPIC: Family Educational Right to Privacy Act (Buckley Amendment)
EPIC: Student Privacy
U.S. Department of Education: FERPA Proposed Regulations
ARRA Support for State Longitudinal Data Systems

=======================================================================
[4] EPIC Argues Residential Routers are Not Exempted Under Wiretap Laws
=======================================================================

EPIC has filed an amicus brief in federal court arguing that users of private residential routers are entitled to privacy protection. The EPIC brief is in response to a series of questions asked by a federal judge as to whether private Wi-Fi communications are covered under the Federal Wiretap Act.

EPIC explained that a "Wireless Local Area Network (WLAN)" provides functionality for those within the home who take advantage of shared services, such as printers and Internet access. In contrast, WiMAX, WWAN, and WiLD are wireless devices that broadcast over a long distance and are intended for public access. EPIC also pointed out that users of residential WLANs can configure their devices to operate as "Hot Spots," but few choose to do so. EPIC stated that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public."

EPIC made similar arguments in a complaint to the Federal Communications Commission about Google Street View. The complaint explained how Google Street View cars were collecting Wi-Fi data from private wireless networks, and asked the Commission to investigate Google for violations of federal wiretap law and the U.S. Communications Act. In response to this complaint, the Commission has since opened an investigation.

Many other countries have opened investigations into Google Street View. Recently, France's National Commission for Computing and Civil Liberties fined Google 100,000 Euros for violating French privacy rules when Google's Street View cars collected people's e-mails and passwords without their knowledge. The Commission cited the "established violations and their gravity, as well as the economic advantages Google gained," as reasons for the highest fine it has ever levied. Several other countries, including the U.K., Canada, Germany, and Spain have conducted similar investigations and determined that Google violated their privacy laws.

EPIC: "Friend of the Court" Brief, Google Street View
EPIC: In re Google
EPIC: Google Street View Complaint (May 21, 2010)
U.S. Communications Act
FCC Investigation
French National Commission for Computing and Civil Liberties
EPIC: Google Street View

=======================================================================
[5] EPIC Champions Right to Informational Privacy Before Third Circuit
=======================================================================

EPIC has filed an amicus brief with the Third Circuit Court of Appeals in support of a Jane Doe police deputy suing to recover monetary damages for privacy violations. The case, Doe v. Luzerne, will determine the deputy's legal rights after a coworker captured semi-nude video footage without her consent, during a mandatory decontamination shower. The footage was uploaded onto a government computer.

EPIC argued that the case implicates "freedom, intimacy, autonomy, and human dignity," and urged the Federal appeals court to hold that the Sheriff's Department violated the Constitutional right to informational privacy.

Deputy Chief Ryan Foy, the officer who conducted the video filming of the Appellant, served as the Sheriff's Department computer administrator in 2007. This position provided Foy access to all the computers used by the office. In April 2008, an employee of the Sheriff's Department found a digital copy of the video, as well as screen-shots from the footage, on Foy's old computer. The video contained images revealing Appellant's back, shoulders, and limbs. The Appellant testified that the rest of her body was covered only with "paper sheets, almost like when you're at a doctor's office."

The Third Circuit now has an opportunity to reverse the trial court's holding that the Appellant's experience "d[id] not rise to the level of a shocking degradation or egregious humiliation" to merit Constitutional protection. EPIC argued that "[t]he risk of improper disclosure of the naked images of an employee placed on a computer network goes far beyond what the Supreme Court called a 'mere possibility that security measures will fail.'" The Court's "mere possibility" standard is derived from NASA v. Nelson, 131 S.Ct. at 763 (2011), which set the baseline parties must satisfy to bring claims under the Constitutional right to informational privacy.

The Appellant also testified that the images revealed a tattoo on her back containing the name of her girlfriend, thus revealing her sexuality to any individual who viewed the video or the screen-shots. A fellow Deputy testified that she was "shocked" to see the tattoo and to learn that it bore the initials of Doe's girlfriend.
On this point, EPIC's brief argued that digital images of unique physical features constitute Personally Identifiable Information (PII), as information that is linked or can be linked to a known individual. EPIC laid out the harms that courts have acknowledged as results from divulging PII.

EPIC: "Friend of the Court" Brief, Doe v. Luzerne
EPIC: Doe v. Luzerne
Third Circuit: Appellant's Brief, Doe v. Luzerne
U.S. District Court (Mid. PA): Doe v. Luzerne

=======================================================================
[6] News In Brief
=======================================================================

Epsilon Data Breach Threatens E-mail Privacy of Millions

On April 6, Epsilon, a large marketing firm, announced data breaches that compromised user information for websites of corporations such as Walgreens, JP Morgan Chase, Capital One, and others. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Data service providers, like Epsilon, are not well known by consumers and are not typically regulated. EPIC anticipated these circumstances and provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for consumer data.

Epsilon
Epsilon: Press Release
EPIC: Identity Theft
EPIC: Federal Trade Commission

EPIC to Host Annual Awards Dinner, Co-Hosts Rosen and boyd

EPIC is hosting its Annual Champion of Freedom Awards Dinner on June 13, 2011. The event will be co-hosted by Jeffrey Rosen, a constitutional law professor and legal affairs editor at The New Republic, and Dr. danah boyd, a web anthropologist researching cutting edge issues in networked publics. Guests will be treated to a full dinner at The Fairfax at Embassy Row in Washington, D.C. Previous recipients of the award include Senator Patrick Leahy (D-NH), former FTC Commissioner Pamela Jones Harbour, and Congressman Joe Barton (R-TX).

EPIC: June 13
EPIC: Annual Champions of Freedom Awards Dinner

Faster FOIA Act Moves Forward in Senate

The Senate Judiciary Committee has approved bipartisan legislation, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), to improve the handling of Freedom of Information Act (FOIA) requests. Currently, the process is slow and political. The Faster FOIA Act will create an advisory panel to examine agency backlogs and provide recommendations to Congress. EPIC recently testified before the House Oversight Committee about FOIA delays and politicized processing within the Department of Homeland Security.

U.S. Senate: Patrick Leahy
John Cornyn
EPIC: Open Government
EPIC: Litigation Under the Federal Open Government Laws

EPIC Launches "Fix Google Privacy" Campaign

In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. The Google Agreement with the Federal Trade Commission is a historic opportunity for the public to suggest requirements for Google, which could include: Endorse Do Not Track, Protect Reader Privacy, Delete Search Histories, Encrypt the Cloud, Require Search Warrants, and Stop Spy-Fi. Comments are due May 2, 2011, and can be submitted through EPIC's website or directly to the Commission.

Fix Google Privacy Campaign
FTC: Proposed Order
FTC: Press Release (March 31, 2011)
Federal Register: "Proposed Consent Agreement" (April 5, 2011)

Sophos Urges Facebook to Improve Privacy

Sophos, a security research firm, recommended that Facebook allow users to opt-in to new features that share their information, limit application developers on its website (there are currently over a million), and encrypt its data by default using HTTPS.
Last year, Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to Facebook about the news that Facebook's business partners transmitted personal user data to advertising and Internet tracking companies in violation of the company's policy. In addition, EPIC has two complaints pending at the Federal Trade Commission regarding Facebook's unfair and deceptive trade practices.

Sophos: Open Letter to Facebook (Apr. 18, 2011)
Congressmen Markey and Barton: Letter to Facebook (Oct. 18, 2010)
EPIC: In Re Facebook I
EPIC: In Re Facebook II

=======================================================================
[7] EPIC Book Review: "Security or Surveillance?"
=======================================================================

"Surveillance or Security? The Risks Posed by New Wiretapping Technologies," Susan Landau

Surveillance or Security? explores contemporary threats to the freedom to communicate. The book explains that the principal threat is legislation, such as the Communications Assistance for Law Enforcement Act (CALEA), which allows the federal government to wiretap digitally switched telephone networks, and was extended by a federal court of appeals to apply equally to Voice over Internet Protocol (VoIP). Landau argues that the "1990s battle over encryption has shifted the public's ability to encrypt their communications to the government's requiring that surveillance capabilities be built directly into communications infrastructures." This trend leads to greater surveillance and, to our detriment, less security.

Over the course of the book, Landau examines how telephony and Internet communications networks developed; the causes behind the Internet's present insecurity and concomitant technology risks of embedding eavesdropping capabilities into those networks; the legal and policy aspects of wiretapping, as well as the quality of, perpetrators behind, and effectiveness of monitoring communications networks; communications during disasters; and the potential for getting "communications security and surveillance 'right.'"

Landau's book is richly textured with technological, legal, and policy discussion of how the law protecting freedom to communicate must address technological developments that make it easier and easier to eavesdrop on communications. Landau identifies six characteristics of future Internet communications protocols and applications, and claims that the protections necessary to facilitate such a future Internet must recognize that, "[t]he Internet is not simply a piece of technology; it is a piece of technology embedded with human values."

Additionally, future Internet security requires a contextualized approach in which the sensitivity of the device should prescribe a limit to how broadly the public may access the device; no longer should all devices be able to connect to any other device. There are exceptions, such as Landau describes this as the technology partitioning out of "internetwork" or "partitioning the network." This may add security to communications networks but still does not fully address the issue of wiretapping and the potential threats associated with it, especially unauthorized wiretapping.

Landau emphasizes the importance of public vetting to assure the quality of security mechanisms. She proposes shifting the liability of communications interceptions to those who develop interception systems because they make decisions about security and can be most incentivized to make the best decisions about how to manage the risks.

Because there is no government agency responsible for ensuring the security of our communications infrastructure, Landau emphasizes that our laws and policy must be directed at securing communications networks, not undermining that security as they presently do. Limiting CALEA, which imposes more burdens on communications providers rather than the government, is a start. Protecting our rights to communicate securely has greater value than making our networks accessible to the government for wiretapping. Indeed, Landau explains, any interruption of the security should occur only in times of extreme emergency and for temporary periods consisting of days or weeks at the most. The law must set the standard in ensuring this even as technology makes it possible to gather more and more information about how and when people communicate.

-- Nichole Rustin-Paschal

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at: EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Hearing on Privacy Legislation. PA Senate Communications & Technology Committee, Harrisburg, PA, 11 May 2011. For More Information:

"Transforming to a Smarter Electric Power Grid." Michigan State University, Dearborn, MI, 18-19 May 2011. For More Information:

"EPIC Champion of Freedom Awards Dinner." The Fairfax at Embassy Row, Washington, D.C., 13 June 2011. For More Information:

"The Tenth Workshop on Economics of Information Security." The George Mason University, 14-15 June 2011.
For More Information:

"Computers, Freedom, and Privacy 2011." Georgetown Law Center, Washington D.C., 14-16 June 2011. For More Information:

ICANN Board Meeting. Singapore. 19-24 June 2011. For More Information:

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For More Information:

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.08 ------------------------