EPIC Alert 18.09 [2011] EPICAlert 9

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 18.09                                              May 09, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Urges FTC to Require Fair Information Practices for Google
[2] In Data Mining Case, Supreme Court Explores Privacy
[3] Federal Appeals Court Affirms Civil Penalties in Privacy Act Case
[4] EPIC Requests Clarifications on New Passport Application
[5] Mobile Developers Face Pressure on Location Tracking
[6] News In Brief
[7] EPIC Book Review: "Access Controlled"
[8] Upcoming Conferences and Events

TAKE ACTION: Computers, Freedom, & Privacy 2011!
- REGISTER to attend
- LIKE the page on, FOLLOW it on Twitter @cfp11!
- SUPPORT EPIC

=======================================================================
[1] EPIC Urges FTC to Require Fair Information Practices for Google
=======================================================================

EPIC has submitted detailed comments on the Federal Trade Commission's landmark agreement with Google regarding Buzz, Gmail, and all Google products and services. As part of the privacy agreement, Google must adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users.

In comments to the Federal Trade Commission, EPIC recommended that the Commission require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies.

EPIC also led a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. The campaign included an online petition and a "Fix Google Privacy" webpage to promote public participation in the FTC's deliberations. Submissions to EPIC were forwarded to the Federal Trade Commission and will be considered by the agency as part of the final Privacy Plan.

The FTC charged that Google violated its own privacy policies by using information provided in connection to Gmail for another purpose - social networking - without obtaining consumers' permission in advance. The FTC also alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework.

The FTC's action against Google follows a Complaint and an Amended Complaint filed by EPIC on behalf of Gmail subscribers and other users. EPIC's complaint alleged that Google had "violated user expectations, diminished user privacy, and contradicted Google's privacy policy."

EPIC: Comments to FTC
FTC: Public Comments on In re Google
FTC: Settlement Announcement
FTC: Consent Order
EPIC: Fix Google Privacy
EPIC: Fix Google Privacy Petition
EPIC: Google Buzz Complaint (February 2010)
EPIC: Google Buzz Supplemental Complaint (March 2010)
EPIC: Google Buzz

=======================================================================
[2] In Data Mining Case, Supreme Court Explores Privacy
=======================================================================

A spirited dialogue about the right of privacy dominated oral argument in a Supreme Court case on medical record data mining.
The case concerns a state privacy law that seeks to regulate data-mining of prescription records for commercial purposes. Data mining companies have challenged the Vermont law, arguing that it violates the First Amendment and that there is no privacy interest in the transfer of "de-identified" prescriber records. The Court of Appeals' decision, which relied on this First Amendment argument, diverged significantly from other decisions upholding similar laws.

At oral argument, Justice Breyer implied that the Federal Trade Commission could prevent questionable existing commercial uses of private medical data by deeming the practices to be unfair and deceptive. Justices Sotomayor and Kennedy both pressured the data mining companies to focus on the constitutionality of preventing the spread of sensitive medical information.

The Court had recently affirmed, by a seven-Justice majority, multiple Supreme Court precedents that recognize a privacy interest in "avoiding disclosure" that "arguably ha[s] its roots in the Constitution." In that same case, Justice Scalia urged the Court to roll back these precedents, which all parties had conceded were "seminal." In this case, Scalia took a much different tack, challenging the Vermont Medical Privacy Statute under review as insufficiently dedicated to protecting prescriber privacy.

EPIC filed a “Friend of the Court” brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the de-identification techniques adopted by data mining firms do not protect patient privacy. EPIC's brief for the lower appellate court was cited in the opinion of Judge Deborah Ann Livingston. As Judge Livingston explained, "neither appellants nor the majority advances any serious argument that the state does not have a legitimate and substantial interest in medical privacy . . . "

IMS Health v. Sorrell: Supreme Court Oral Argument Transcript
IMS Health v. Sorrell: EPIC Supreme Court "Friend of the Court" Brief
IMS Health v. Sorrell: Second Circuit Opinion
IMS Health v. Sorrell: EPIC Second Circuit "Friend of the Court" Brief
FTC Google Buzz Consent Order
EPIC: Amended FTC Complaint re: Google Buzz

=======================================================================
[3] Federal Appeals Court Affirms Civil Penalties in Privacy Act Case
=======================================================================

A federal appeals court held that the Privacy Act provides monetary damages for harms stemming from inaccurate government records. The appeals court overruled a district court decision that would have permitted the Department of Homeland Security to exempt itself from Congress's framework for compensating victims of agency violations.

The case arose in 2006 when Julia Shearson and her four-year-old daughter, both U.S. citizens, re-entered the country over the Canadian border. A customs database incorrectly identified Shearson as "ARMED AND DANGEROUS," after which she was handcuffed, questioned for several hours, and then released without explanation. Customs and Border Protection took Shearson's car keys and searched her car during the interrogation. Having damaged it in the process, Customs then falsely represented to her that no search took place. CBP later informed lawmakers that its agents acted "in response to what later proved to be a false computer alert."

Shearson sued under the Privacy Act and sought damages from the Department of Homeland Security for the agency's failure to ensure the accuracy of its computer records. In response, DHS cited an ambiguous legal provision that denies agencies the right to exempt themselves from monetary damages for specific categories of Privacy Act violations.
Failure to ensure the accuracy of computer records was not listed, and the Department therefore contended that it had the legal authority to exempt itself from monetary damages for harms stemming from inaccurate computer records. The Sixth Circuit disagreed and held that Congress specifically intended the Privacy Act to provide civil remedies for government failures to comply with the Act's mandatory duties.

EPIC routinely files comments about the obligation of federal agencies to comply with the Privacy Act, including comments about the Department's Fusion Center Program and its Social Media Monitoring and Situational Awareness Initiative as well. EPIC has also filed a Supreme Court "Friend of the Court" brief in support of damage awards in Privacy Act cases.

Shearson v. DHS: Sixth Circuit Opinion
Doe v. Chao: EPIC "Friend of the Court" Brief
EPIC: Comments to DHS about Fusion Centers
EPIC: Comments to DHS about Social Media Monitoring

=======================================================================
[4] EPIC Requests Clarifications on New Passport Application
=======================================================================

EPIC has filed comments with the U.S. Department of State regarding Form DS-5513, a new passport application that requires unusually detailed information about the background of some passport applicants. For example, the new application would require applicants to provide their mother's place of employment at the time of their birth. The agency claims that such information is necessary "when the applicant submits citizenship or identity evidence that is insufficient to meet his/her burden of proving citizenship or identity."

In its comments, EPIC wrote that the State Department needs to provide more information about the purposes of the data collection in order for the public to meaningfully assess the rulemaking's impact, and should clarify and re-issue its notice. "The lack of specificity," wrote EPIC, "has led to confusion and concern, as evidenced by the several thousand public comments the Department of State received regarding this matter."

EPIC: Comments to State Dept. on Proposed Passport Application Form
Proposed Passport Application Form DS-5513
Federal Register: Notice on Proposed Passport Application Form
EPIC: National ID and REAL ID

=======================================================================
[5] Mobile Developers Face Pressure on Location Tracking
=======================================================================

Security researchers recently discovered that Apple has been recording detailed location data of iPhone and 3G iPad users in a secret file stored on the mobile device. The revelation was announced at a locational conference. The information, which includes latitude/longitude of the device and a time stamp, is captured by the devices and then transferred to a user's computer during the syncing process, where it is stored unencrypted. By doing this, Apple may have violated Section 222 of the Communications Act, which requires companies to obtain customer consent before location data is used or disclosed for commercial purposes.

Apple did not make a statement about this development for several days after the revelation. As details continued to emerge, Senator Al Franken (D-MN), Representative Ed Markey (D-MA), and Representative Jay Inslee (D-WA) asked Apple CEO Steve Jobs to explain why the company was storing information on its users in a secret file. Meanwhile, a class action lawsuit was filed alleging violations of the Computer Fraud and Abuse Act, as well as state claims of unfair and deceptive trade practices, and Illinois Attorney General Lisa Madigan asked for a meeting with Apple.

In response to growing public concern, Apple released a software update to iOS4.
The update will (1) limit the storage of locational data to one week; (2) stop transferring locational data from the device to the user's computers; (3) allow users to delete all locational data collection on the device; and (4) encrypt the locational data stored on the device. Apple pledged that the company "has no plans to ever" track iPhone users. EPIC has commended Apple for moving quickly to address this problem.

Representatives Ed Markey (D-MA) and Joe Barton (R-TX) subsequently received responses from the four major U.S. wireless carriers about privacy and location data - AT&T; Verizon; Sprint; and T-Mobile. The wireless carriers say that third-party applications are the biggest privacy threat to users of mobile services. A recent Nielsen poll also finds that US smartphone users are concerned with privacy when it comes to location.

Alastair Alden and Pete Warden: iPhone & iPad Tracking (Apr. 20, 2011)
The Communications Act: Section 222
Sen. Franken letter to Apple (Apr. 20, 2011)
Rep. Markey Letter to Apple (Apr. 21, 2011)
Ajjampur v. Apple, Inc.: Complaint
Illinois Attorney General: Statement (Apr. 25, 2011)
Apple: Q&A on Location Data (Apr. 27, 2011)
Rep. Markey and Rep. Barton: Responses from Wireless Carriers
Nielsen Poll: Locational Tracking
EPIC: iPhone and Privacy
EPIC: Locational Privacy

=======================================================================
[6] News In Brief
=======================================================================

New Voter Photo ID Laws Under Consideration

More than 30 states are considering new laws that would require voters to obtain government-issued photo identification. Voter photo identification laws have been routinely challenged in federal court, and many have been set aside or altered. Currently eight states have photo identification requirements. Prior to the Help America Vote Act, most states allowed several forms of identification to establish residence. In 2007, EPIC filed an amicus brief in the U.S. Supreme Court, joining a challenge to an Indiana voter ID law. The Court upheld the law 6-3. Justice Souter wrote in dissent, "This statute imposes a disproportionate burden upon those without" government-issued photo IDs.

NYTimes: The Republican Threat to Voting
EPIC: Crawford v. Marion County
EPIC: Voting Privacy
Federal Election Commission: Help America Vote Act

Solicitor General to Supreme Court: Review GPS Tracking Cases.

The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate courts about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device.

U.S. v. Jones: Petition for Writ of Certiorari (Apr. 18, 2011)
U.S. v. Maynard: D.C. Circuit Opinion (Aug. 6, 2010)
Commonwealth v. Connolly: EPIC Amicus Brief (Apr. 20, 2009)
Commonwealth v. Connolly
EPIC: Commonwealth v. Connolly
EPIC: Locational Privacy

Senator Blumenthal Asks Justice Dept. to Investigate PlayStation Breach

Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whoever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach.
In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices."

Press Release: Blumenthal Calls for DOJ Investigation (Apr. 28, 2011)
Computer Fraud and Abuse Act
EPIC: Identity Theft

=======================================================================
[7] EPIC Book Review: "Access Controlled"
=======================================================================

"Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace," Hal Roberts, Nart Villeneuve, Ethan Zuckerman, Colin Maclay, Ronald Deibert, John Palfrey, Rafal Rohozinski, Jonathan L. Zittrain (editor), and Miklos Haraszti (Foreword)

The Open Net Initiative (ONI)'s Access Controlled is the activist's answer to the CIA's World Factbook. The title plays off an earlier volume, Access Denied, to signal that worldwide domestic efforts to infiltrate informal, decentralized online movements and to disrupt their internal communications have grown subtler and far more potent. Each new generation of tactical innovation, and the ONI identifies three, is increasingly complex. Access Controlled focuses on guiding readers through the technical, social, and legal measures that make such efforts possible. The book's breadth and depth is considerable: a single-stop reference for the new status quo on government censorship.

ONI's core methodology is innovative, as its research agenda documents the wider ecosystem of factors that normalize censorship and related methods of government control on the web. The result is a comprehensive and meticulous account of the landscape of "power, rights, and rule in cyberspace."

Jutting out over that landscape are powerful democratic campaigns that engage traditional forms of power across the globe. In response, some governments have supplemented threats of physical violence with efforts to identify informational choke points, cut off access to internet content, and disseminate misinformation. Others have started to outsource the enforcement of online repressive norms by exerting both official and illicit pressure on private intermediaries, including Internet service providers and host websites. Still others are documented as having deployed "Internet Brigades:" pro-state bloggers that post "prepackaged propaganda" as part of targeted, long-term misinformation campaigns.

The ONI has categorized the recent widespread adoption of all of these measures, including the U.S.'s warrantless wiretap surveillance program, as a "third generation" of internet control. ONI considers the degree to which this latest generation directly undermines the spread of salient politically relevant information to be revealing. Secretive governments simultaneously shroud their own conduct and enhance citizen transparency. Accountable governments, on the other hand, should idealize state transparency and individual freedom.

For those of us in the United States, then, it is encouraging that the Supreme Court recently affirmed the right to informational privacy as rooted in this country's foundational document: the U.S. Constitution. On the other hand, it is also particularly troubling to see just how many state actors perceive active propaganda as the most cost-effective method to address popular demands for good government reform. Recent efforts by autocrats in the Middle East and North Africa to disrupt and destroy alternative political voices on Facebook and Twitter have laid bare the potentially dire ramifications of such misguided perceptions.

The clarion call for governments to respect the fundamental rights to expression, assembly, and personal privacy has reached a fever pitch in country after country. And as George Orwell once wrote: "[t]o see what is in front of one's nose needs a constant struggle." For its readers, Access Controlled moves the struggle away from recognizing the new status quo and toward realizing what to do about it. As citizen movements rise and coalesce around meaningful government reforms to stem third generation controls, the obvious last step is for governments to enforce the rule of law. That mandate applies across the board, from the Egyptian military to European Data Protection Authorities; from the Chinese politburo to the U.S. Department of Homeland Security.

-- Conor Kennedy

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies.
The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Hearing on Privacy Legislation. PA Senate Communications & Technology Committee, Harrisburg, PA, 11 May 2011. For More Information:

"Transforming to a Smarter Electric Power Grid." Michigan State University, Dearborn, MI, 18-19 May 2011. For More Information:

"The Digital Grapevine: Should Government Keep the Right to Monitor Us?" European Parliament, Room PHS 3 C 5, 1 June 2011. For More Information: Mr. Khalid Bouffadis at

"EPIC Champion of Freedom Awards Dinner." The Fairfax at Embassy Row, Washington, D.C., 13 June 2011. For More Information:

"The Tenth Workshop on Economics of Information Security." The George Mason University, 14-15 June 2011. For More Information:

"Computers, Freedom, and Privacy 2011." Georgetown Law Center, Washington D.C., 14-16 June 2011. For More Information:

"Online Tracking Protection and Browsers." Brussels, Belgium, 22-23 June 2011. For More Information:

ICANN Board Meeting. Singapore. 19-24 June 2011. For More Information:

"Aligning Privacy Accountability with your Business Strategy:" Privacy Laws and Business 24th Annual International Conference. St. John's College, Cambridge, United Kingdom, 11-13 July 2011. For More Information:

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For More Information:

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information:

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.09 ------------------------
