
EPIC Alert


EPIC Alert 19.19 [2012] EPICAlert 19

EPIC Alert 19.19

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 19.19                                          October 12, 2012
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC: Facebook-Datalogix Partnership May Violate FTC Consent Order
[2] EPIC Urges Support for New European Privacy Framework
[3] US Senate Report: Fusion Centers 'Wasteful', Overstep Privacy Laws
[4] FBI Exempts Massive Database from Privacy Act Protections
[5] EPIC FOIA Uncovers Google's Privacy Assessment
[6] News in Brief
[7] EPIC in the News
[8] Book Review: 'This Machine Kills Secrets'
[9] Upcoming Conferences and Events

SAVE THE DATE: The Public Voice Annual Conference in Uruguay, Oct. 22!
REGISTER for the Conference:
READ the Program:
SIGN the Madrid Declaration:
SUPPORT EPIC:

=======================================================================
[1] EPIC: Facebook-Datalogix Partnership May Violate FTC Consent Order
=======================================================================

EPIC and other consumer protection groups have asked the Federal Trade Commission to investigate a partnership between Facebook and data-broker Datalogix to determine whether or not the business arrangement violates Facebook's 2011 consent order with the FTC. At issue is Facebook's use of Datalogix data to measure the effectiveness of advertising on the Facebook site, specifically whether users buy products in physical stores after seeing them advertised on Facebook.

EPIC's letter questions whether these new advertising activities violate the consent order, which "prohibits Facebook from 'misrepresent[ing] in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information'", and requires Facebook "to obtain the 'affirmative express consent' of the user . . . prior to any sharing of a user's nonpublic user information . . . with any third party, which materially exceeds the restrictions imposed by a user's privacy setting(s)".

The EPIC letter calls on the FTC to investigate: 1) Whether Facebook has failed to give users proper notice of the Datalogix arrangement, and 2) Whether Facebook has misrepresented data-sharing policies. The letter contends that, rather than asking users to "opt-in" to the new data-sharing arrangement, Facebook has instituted a "confusing and ineffective" "opt-out" system that requires users to navigate a maze of Facebook policy pages. EPIC also questioned the "expansion of advertising based on the personal information of Facebook users, including "Facebook Exchange," which allows "companies to target Facebook users based on browsing activity occurring off of Facebook's website."

In 2009 and 2010, EPIC and other public interest organizations filed a complaint with the FTC over Facebook's privacy practices. The FTC subsequently issued a settlement against Facebook in November 2011. EPIC has filed several complaints with the FTC about the privacy implications of numerous Facebook policies and applications, including facial recognition techniques and Facebook Timeline. Facebook has agreed to stop facial recognition entirely in the EU, and has ceased facial "tagging" of users in the US.

EPIC: Letter to FTC (Facebook-Datalogix Relationship) (Sept. 27, 2012)
FTC: Initial Facebook Settlement (Nov. 29, 2011)
FTC: Press Release re: Final Facebook Settlement (Aug. 18, 2012)
FTC: Final Facebook Settlement (Aug.
10, 2012)
EPIC: FTC-Facebook Settlement
EPIC: In re: Facebook
EPIC: In re: Facebook II
EPIC: Facebook Privacy
EPIC: Facebook and Facial Recognition
EPIC: Facebook Timeline and Privacy
EPIC: Federal Trade Commission

=======================================================================
[2] EPIC Urges Support for New European Privacy Framework
=======================================================================

EPIC Executive Director Marc Rotenberg testified before the European Parliament in Brussels October 9 in support of the EU General Data Protection Regulation. EPIC was invited to the meeting of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs in order to comment on the new regulation, which will govern the European Union's privacy practices.

The meeting opened with remarks by Juan Fernando Lopez Aguilar, Chairman of the "LIBE" Committee. Other speakers included Vice President of the European Commission, Viviane Reding; Francoise Le Bail, Director General of DG Justice, European Commission; Jan Philipp Albrecht, Member of the European Parliament, Rapporteur on the Data Protection Regulation; Peter Hustinx, European Data Protection Supervisor; Jacob Kohnstamm, President of the Article 29 Working Party; and Alexander Alvaro, Vice President of the European Parliament. Speakers from the United States also included David Vladeck, Director of the Bureau of Consumer Protection, Federal Trade Commission; Bruce Schwartz, Deputy Assistant Attorney General, US Department of Justice; and Cameron F. Kerry, US Department of Justice.

In prepared remarks, Mr. Rotenberg explained that raising privacy standards in the European Union will improve privacy protections for consumers all around the globe. "This was the experience with the Directive in 1995 and it is the reason that the effort to update the European privacy framework is broadly supported by consumers in Europe and around the world," Mr. Rotenberg said.

In September 2012, EPIC and over 20 other US consumer, privacy, and civil liberties organizations sent a letter to members of the European Parliament expressing support for the new European data protection law. The letter stated that the proposed regulation "provides important new protections for the privacy and security of consumers".

EPIC was also a signatory to the 2009 Madrid Privacy Declaration, which reaffirmed international legal instruments that protect privacy, identified new challenges, and proposed concrete actions for policymakers, including the establishment of a new international framework for privacy protection "that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions."

EPIC: Testimony of Marc Rotenberg Before EU Parliament (Oct. 10, 2012)
EU Parliament Committee on Civil Liberties: Draft Agenda (Oct. 9, 2012)
European Commission: Protection of Personal Data (Apr. 4, 2012)
European Commission: Proposal for Regulation (Jan. 25, 2012)
EPIC: Letter re: EU General Data Protection Regulation (Sep. 5, 2012)
TACD: Letter to House Commerce Subcommittee (Sept. 14, 2011)
European Council: The Madrid Privacy Declaration (Nov. 3, 2009)
EPIC: EU Data Protection Directive

=======================================================================
[3] US Senate Report: Fusion Centers 'Wasteful', Overstep Privacy Laws
=======================================================================

The bipartisan US Senate Permanent Subcommittee on Investigations has released a scathing new report on "fusion centers." The Subcommittee's report found that fusion centers - massive computer centers holding and processing data on Americans, which are overseen by the Department of Homeland Security and operated at the federal, state, and local levels - "often produce[d] irrelevant, useless or inappropriate intelligence" and store records on US persons "possibly in violation of the Privacy Act."

The report also concluded that fusion centers have made no contribution to counterterrorism efforts; that the DHS has lacked oversight to change known problems; and that the agency did not know how much it had spent on fusion centers since their inception in 2003.

The Subcommittee's investigation found overarching issues with DHS's management of counterterrorism intelligence reporting. According to the Senate report, "DHS required only a week of training for intelligence officials before sending them to state and local fusion centers to report sensitive domestic intelligence, largely concerning U.S. persons", and that "[o]fficials who routinely authored useless or potentially illegal fusion center intelligence reports faced no sanction or reprimand."

The report of the Committee on Investigations also accuses DHS of poor use of taxpayer money, claiming that DHS was "unable to provide an accurate tally of how much it had granted to states and cities to support fusion centers efforts, instead producing broad estimates of the total amount of Federal dollars spent on fusion center activities from 2003 to 2011, estimates which ranged from $289 million to $1.4 billion." Nor, according to the report, did DHS know "how much grant money it has spent on specific fusion centers, nor could it say how most of those grant funds were spent, nor has it examined the effectiveness of those grant dollars."

The Senate investigation "found that top DHS officials consistently made positive public comments about the value and importance of fusion centers despite "internal reviews and non-public assessments [that] highlighted problems at the centers and dysfunction in DHS' own operations." Even though DHS produced "thousands of pages of updates, assessments and other reports" at Congress's request, the problems highlighted in the Senate report went "largely undisclosed and unexamined."

Most significantly, the Senate report concluded, "[F]usion centers have been unable to meaningfully contribute to federal counterterrorism efforts," citing that "DHS has struggled to identify a clear example in which a fusion center provided intelligence which helped disrupt a terrorist plot, even as local and Federal law enforcement have thwarted dozens of terrorist attacks on U.S. soil and against U.S. interests in the past decade . . . In some cases, fusion centers' analytical efforts have instead caused frustration and embarrassment for themselves and DHS."

The Subcommittee's concluding recommendations to DHS include that the agency should "improve its training of intelligence reporters"; "track how much money it gives to each fusion center" and "link funding of each fusion center to its value and performance"; "timely disclose to Congress significant problems within its operations"; and "align its practices and guidelines to protect civil liberties, so they adhere to the Constitution, federal law, and its statutory mission."

In 2007, EPIC's "Spotlight on Surveillance" warned that fusion centers would lead to "abuse and misuse." In subsequent FOIA cases, and in comments to the DHS, EPIC has documented the many problems with the federal fusion center program, including lack of oversight and ineffective privacy safeguards.

US Senate Subcommittee: Report on Fusion Centers (Oct. 3, 2012)
EPIC: Information Fusion Centers and Privacy
EPIC: Spotlight on Surveillance
EPIC: EPIC v. VA Dept. of State Police (Fusion Center Secrecy Bill)

=======================================================================
[4] FBI Exempts Massive Database from Privacy Act Protections
=======================================================================

Beginning October 9, the Federal Bureau of Investigation has exempted the records contained in the FBI Data Warehouse System from the notification, access, and amendment provisions of the Privacy Act of 1974.

For the past decade, EPIC has cautioned federal agencies about the risks of maintaining electronic information databases for the purposes of monitoring, tracking, and profiling targets. Such databases are normally unlawful under the Privacy Act, which governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies. However, the Privacy Act contains exceptions and exemptions for data that is being used for law enforcement and counterterrorism activities. In testimony before DHS earlier this year, EPIC explained that these exemptions weaken the impact of the Privacy Act, rendering the massive databases vulnerable to unauthorized access and abuse.

The FBI Data Warehouse System ingests vast quantities of "Personally Identifiable Information" from various government agencies. The database contains information on a surprisingly broad category of individuals, including, according to the FBI's Federal Register posting, "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI's missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The database also stores and catalogs such data as targets' race, birthdate, biometric information, social security numbers, and financial data.

In July 2012, the FBI published a notice in The Federal Register about the Data Warehouse System, in which the agency proposed to exempt the Data Warehouse from certain provisions of the Privacy Act "in order to avoid interference with the national security and criminal law enforcement functions and responsibilities of the FBI." After receiving one public comment, the FBI posted notice of the final rule on October 2; the exemption took effect one week later.

Earlier in 2012, EPIC voiced opposition to the Automated Targeting System, or ATS, another massive government database that DHS exempted from Privacy Act provisions. EPIC's comments to DHS addressed the substantial privacy and security issues raised by the database, and urged DHS to cease retaining personal information on US citizens in its database. EPIC observed that exempting the ATS from the Privacy Act's protections only served to "increase the secrecy of the database," allowing the DHS to "circumvent the intent of the Privacy Act" through a lack of accountability.

Federal Register: Final Rule on FBI Data Warehouse (Oct. 9, 2012)
Federal Register: Notice of FBI Proposed Rulemaking (Jul. 10, 2012)
EPIC: The Privacy Act of 1974
EPIC: Comments to DHS on Automated Targeting System (Jun. 21, 2012)
EPIC: Domestic Surveillance
EPIC: FBI Watchlist
EPIC: Automated Targeting System

=======================================================================
[5] EPIC FOIA Uncovers Google's Privacy Assessment
=======================================================================

EPIC has obtained Google's privacy audit from the Federal Trade Commission through a Freedom of Information Act (FOIA) request. Google is required to undertake such periodic reports under a 2011 FTC consent order.

The privacy assessment, conducted by PricewaterhouseCoopers, covers Google's implementation of privacy controls; whether those controls are appropriate given Google's size and the volume of data it acquires; and whether the privacy controls satisfy the protections mandated by the FTC consent order.

The FTC, however, redacted large portions of the privacy report prior to disclosure, particularly in the area of "assessor qualifications." Similarly, the agency did not release information about the audit process, privacy control assessment procedures, techniques to identify privacy risks, and the types of personal information Google collects. EPIC intends to challenge the Commission's withholdings.

EPIC filed a complaint with the FTC in 2010 over Google's social media platform, Google Buzz. Buzz transformed Gmail into a social media service without first obtaining user consent, creating large-scale user privacy invasions in the process. The FTC's 2011 injunction against Google declared that Google had used "unfair and deceptive" trade practices and violated privacy promises to Google Buzz users. The FTC's consent order mandates that Google refrain from future privacy misrepresentations, implement a comprehensive privacy plan, and conduct regular, independent privacy audits for the next 20 years. The recent audit is Google's first under the order.

EPIC continues to pressure the FTC to closely monitor Google's privacy practices. In February 2012, EPIC brought a lawsuit against the FTC seeking to compel the Commission to exercise more stringent oversight over Google's compliance with the consent order. While EPIC's lawsuit was unsuccessful, the judge in the case acknowledged "serious concerns" about Google's practices. In August 2012, the FTC fined Google $22.5 million for violating the consent order by surreptitiously tracking Safari users' web browsing.

EPIC: Docs re: Google's Initial Privacy Assessment (Sept.
26, 2012)
EPIC: FOIA Request for Google Privacy Assessment Docs (Apr. 18, 2012)
FTC: Decision in Google Buzz (Oct. 24, 2011)
EPIC: Google Buzz
EPIC: Initial Complaint to FTC re: Google Buzz (2010)
EPIC: Federal Trade Commission
EPIC: FOIA and Open Government Project

=======================================================================
[6] News in Brief
=======================================================================

Supreme Court to Hear Challenge to Restrictive State FOI Law

The US Supreme Court has agreed to hear a case, McBurney v. Young, challenging a Virginia state open-government law that restricts Freedom of Information Act access to residents and media organizations operating within Virginia. The petitioners in the case are out-of-state residents whose requests for state documents under the Virginia Freedom of Information Act were denied. McBurney v. Young presents the issue of whether states can discriminate against non-residents by denying them access to state records. EPIC, in conjunction with several open government organizations, filed a "friend of the court" brief urging the Court to hear this case.

US Supreme Court: Decision to Hear McBurney v. Young (Oct. 5, 2012)
US 4th Circuit Court: Decision in McBurney v. Young (Feb. 1, 2012)
EPIC: FOIA and Open Government

International Consumer Group Selects EPIC's Coney to Co-Chair Committee

The Trans-Atlantic Consumer Dialogue, a coalition of more than 60 consumer organizations in Europe and North America, has selected EPIC Associate Director Lillie Coney as an officer for 2012. Coney will join Thomas Nortvedt of the Norwegian Consumer Council as co-chair of the Information Society Policy Committee. The TACD, founded in 1998, presents joint consumer policy recommendations to the US government and the European Union to promote the consumer interest in EU and US policymaking.

Trans-Atlantic Consumer Dialogue
EPIC: Lillie Coney
EPIC: EU Data Protection Directive

=======================================================================
[7] EPIC in the News
=======================================================================

"Internet privacy group takes on former delegate's case." Richmond Times-Dispatch, Oct. 8, 2012.

"Google Privacy Audit Leaves Lingering Questions." InformationWeek, Oct. 8, 2012.

"Speedy Airport Security: Should You Apply?" The New York Times, Oct. 3, 2012.

"Justice Dept. to defend warrantless cell phone tracking." CNet, Oct. 2, 2012.

"Some parents decry new Carroll schools' palm scanner." The Baltimore Sun, Oct. 2, 2012.

"Facebook's digital advertising potential touted on Madison Avenue." Los Angeles Times, Oct. 2, 2012.

"Facebook Sells More Access to Members." The Wall Street Journal, Oct. 1, 2012.

"Facebook's New Pitch to Brand Advertisers: Forget About Clicks." The New York Times, Oct. 1, 2012.

For More EPIC in the News:

=======================================================================
[8] Book Review: 'This Machine Kills Secrets'
=======================================================================

"This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World's Information," Andy Greenberg

Journalist Andy Greenberg masterfully weaves together the histories of data-leakers, cypherpunks, and hacktivists to reveal the origins of the technology that led to WikiLeaks - the biggest government secret-killer to date. Two quintessential leakers of the past 50 years - Daniel Ellsberg and Bradley Manning - provide the guideposts for the ever-improving technology to slay the secrets of governments and corporations worldwide.

Greenberg's use of an alternating narrative in each chapter adds to the book's depth and pacing, and keeps readers engaged as he builds an ever-larger picture of the connections between the history of leakers and leaking, and the technologies they develop and use to disrupt the status quo of power and secrecy. This alternating style veers quickly between various times in history and the present, which can make for a little confusion about the order of events if the reader isn't careful to follow along closely.

"This Machine Kills Secrets" is helped along by a large cast of characters. Greenberg spends time providing background about a host of eccentric and interesting individuals, and does so in a way that reveals the various, and sometimes interestingly tangential, connections between the people who have contributed to the movement toward greater government and corporate transparency. The book covers a lot of ground and introduces many characters, sometimes leaving the reader wanting to know more about the people involved. Nevertheless Greenberg provides enough context to create a vivid, engaging story.

The story line is not just about people, however, but about the technological evolution perpetually shifting the balance of power from government and corporations to the people. Greenberg pushes the technological narrative without getting too bogged down in the nitty-gritty technical details, but still provides readers with the power to understand technology's importance and place within the larger narrative.

"This Machine Kills Secrets" is an excellent story about the people involved directly and indirectly in the technological advances that eventually culminated in WikiLeaks. This history, Greenberg tells us, is a confirmation that WikiLeaks is not the end but merely another chapter in the struggle for greater institutional transparency because as he puts it "[t]he state of the world's information favors the leaker now more than ever."

-- Jeramie D.
Scott

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering.
These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[9] Upcoming Conferences and Events
=======================================================================

34th International Conference of Data Protection and Privacy. 23-25 October 2012, Punta del Este, Uruguay. For More Information: noticias/noticia-destacada.

The Public Voice Conference. 22 October 2012, Punta del Este, Uruguay. For More Information:

PIPA Conference 2012: "Privacy on the Go." 1-2 November 2012, Calgary, Alberta. For More Information:

"Computers, Privacy and Data Protection: Reloading Data Protection." 23-25 January 2013, Brussels. For More Information:

22nd Annual Computers, Freedom, & Privacy Conference. 5-6 March 2012, Washington, DC. For More Information: Contact Chris Calabrese at

"Entrusting the Fourth Amendment to the Dogs: Canine Evidence and the Constitution," Sponsored by the National Association of Criminal Defense Lawyers. 23 October 2012, Washington, DC. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009.
Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 19.19 ------------------------
