EPIC Alert 19.19
E P I C A l e r t
Volume 19.19 October 12, 2012
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC: Facebook-Datalogix Partnership May Violate FTC Consent Order
 EPIC Urges Support for New European Privacy Framework
 US Senate Report: Fusion Centers 'Wasteful', Overstep Privacy Laws
 FBI Exempts Massive Database from Privacy Act
 EPIC FOIA Uncovers Google's Privacy Assessment
 News in Brief
 EPIC in the News
 Book Review: 'This Machine Kills Secrets'
 Upcoming Conferences and Events
SAVE THE DATE: The Public Voice Annual Conference in Uruguay, Oct. 22!
for the Conference: http://epic.org/redirect/101212-reg.html
READ the Program: http://epic.org/redirect/101212-program.html
SIGN the Madrid Declaration: http://epic.org/redirect/101212-mad.html
SUPPORT EPIC: http://epic.org/donate
 EPIC: Facebook-Datalogix Partnership May Violate FTC Consent Order

EPIC and other consumer protection groups have asked the Federal Trade
Commission to investigate a partnership between Facebook and
data-broker Datalogix to determine whether or not the business
arrangement violates Facebook's 2011 consent order with the FTC. At
issue is Facebook's use of Datalogix data to measure the effectiveness
of advertising on the Facebook site, specifically whether users buy
products in physical stores after seeing them advertised on Facebook.

EPIC's letter questions whether these new advertising activities
violate the consent order, which "prohibits Facebook from
'misrepresent[ing] in any manner, expressly or by implication, the
extent to which it maintains the privacy or security of covered
information", and requires Facebook "to obtain the 'affirmative express
consent' of the user . . . prior to any sharing of a user's nonpublic
user information . . . with any third party, which materially exceeds
imposed by a user's privacy setting(s)".

The EPIC letter calls on the FTC to investigate: 1) Whether Facebook
has failed to give users proper notice of the Datalogix arrangement,
and 2) Whether Facebook has misrepresented data-sharing policies.
contends that, rather than asking users to "opt-in" to the new
data-sharing arrangement, Facebook has instituted a "confusing and
ineffective" "opt-out" system that requires users to navigate a maze
of Facebook policy pages. EPIC also questioned the "expansion
advertising based on the personal information of Facebook users,
including "Facebook Exchange," which allows "companies to target
Facebook users based on browsing activity occurring off of Facebook's

In 2009 and 2010, EPIC and other public interest
a complaint with the FTC over Facebook's privacy practices. The FTC
subsequently issued a settlement against Facebook in November 2011.

EPIC has filed several complaints with the FTC about the privacy
implications of numerous Facebook policies including facial
recognition techniques and Facebook Timeline. Facebook has agreed to
stop facial recognition entirely in the EU, and has ceased facial
"tagging" of users in the US.

EPIC: Letter to FTC (Facebook-Datalogix Relationship) (Sept. 27, 2012)
FTC: Initial Facebook Settlement (Nov. 29, 2011)
FTC: Press Release re: Final Facebook Settlement (Aug. 18, 2012)
FTC: Final Facebook Settlement (Aug. 10, 2012)
EPIC: FTC-Facebook Settlement
EPIC: In re: Facebook
EPIC: In re: Facebook II
EPIC: Facebook Privacy
EPIC: Facebook and Facial Recognition
EPIC: Facebook Timeline and Privacy
EPIC: Federal Trade Commission
 EPIC Urges Support for New European Privacy Framework

EPIC Executive Director Marc Rotenberg testified before
Parliament in Brussels October 9 in support of the EU General Data
Protection Regulation. EPIC was invited to the meeting of the European
Parliament's Committee on Civil Liberties, Justice and Home Affairs in
order to comment on the new regulation, which will govern the European
Union's privacy practices.

The meeting opened with remarks by Juan Fernando Lopez Aguilar,
of the "LIBE" Committee. Other speakers included Vice
President of the European Commission, Viviane Reding; Francoise
Director General of DG Justice, European Commission;
Jan Philipp Albrecht, Member of the European Parliament, Rapporteur
on the Data Protection Regulation; Peter Hustinx, European Data
Protection Supervisor; Jacob Kohnstamm, President of the Article 29
and Alexander Alvaro, Vice President of the European
Speakers from the United States also included David Vladeck, Director
of the Bureau of Consumer Protection, Federal Trade Commission; Bruce
Schwartz, Deputy Assistant Attorney General, US Department
Justice; and Cameron F. Kerry, US Department of Justice.

In prepared remarks, Mr. Rotenberg explained that raising privacy
in the European Union will improve privacy protections for
consumers all around the globe. "This was the experience with the
in 1995 and it is the reason that the effort to update the
European privacy framework is broadly supported by consumers in Europe
and around the world," Mr. Rotenberg said.

In September 2012, EPIC and over 20 other US consumer, privacy, and
organizations sent a letter to members of the European
Parliament expressing support for the new European data protection law.
The letter stated that the proposed regulation "provides important new
protections for the privacy and security of consumers". EPIC
a signatory to the 2009 Madrid Privacy Declaration, which reaffirmed
international legal instruments that protect privacy,
new challenges, and proposed concrete actions for policymakers,
including the establishment of a new international framework
privacy protection "that is based on the rule of law, respect for
fundamental human rights, and support for democratic institutions."

EPIC: Testimony of Marc Rotenberg Before EU Parliament (Oct. 10, 2012)
EU Parliament Committee on Civil Liberties: Draft Agenda (Oct. 9, 2012)
European Commission: Protection of Personal Data (Apr. 4, 2012)
European Commission: Proposal for Regulation (Jan. 25, 2012)
EPIC: Letter re: EU General Data Protection Regulation (Sep. 5, 2012)
TACD: Letter to House Commerce Subcommittee (Sept. 14, 2011)
European Council: The Madrid Privacy Declaration (Nov. 3, 2009)
EPIC: EU Data Protection Directive
 US Senate Report: Fusion Centers 'Wasteful', Overstep Privacy Laws

The bipartisan US Senate Permanent Subcommittee on Investigations has
released a scathing new report on "fusion centers." The Subcommittee's
report found that fusion centers - massive computer centers holding and
processing data on Americans, which are overseen by the Department of
Homeland Security and operated at the federal, state, and local
levels - "often produce[d] irrelevant, useless or inappropriate
intelligence" and store records on US persons "possibly in violation of
the Privacy Act." The report also concluded that fusion centers have
made no contribution to counterterrorism efforts; that the DHS has
lacked oversight to change known problems; and that the agency did not
know how much it had spent on fusion centers since their inception

The Subcommittee's investigation found overarching issues with DHS's
management of counterterrorism intelligence reporting. According to the
Senate report, "DHS required only a week of training for
officials before sending them to state and local fusion centers to
report sensitive domestic intelligence, largely
persons", and that "[o]fficials who routinely authored useless or
potentially illegal fusion center intelligence reports faced no
sanction or reprimand."

The report of the Committee on Investigations also accuses DHS of poor
use of taxpayer money, claiming that DHS was "unable to provide an
accurate tally of how much it had granted to states and cities to
centers efforts, instead producing broad estimates of
the total amount of Federal dollars spent on fusion center activities
2003 to 2011, estimates which ranged from $289 million to $1.4
billion." Nor, according to the report, did DHS know "how much grant
money it has spent on specific fusion centers, nor could it say how
most of those grant funds were spent, nor has it examined the
effectiveness of those grant dollars." The Senate investigation "found
that top DHS officials consistently made positive public
the value and importance of fusion centers despite "internal reviews
and non-public assessments [that] highlighted problems at the centers
and dysfunction in DHS' own operations." Even though DHS produced
"thousands of pages of updates, assessments and other reports" at
Congress's request, the problems highlighted in the Senate report went
"largely undisclosed and unexamined."

Most significantly, the Senate report concluded, "[F]usion centers have
been unable to meaningfully contribute to federal counterterrorism
efforts," citing that "DHS has struggled to identify a clear example in
which a fusion center provided intelligence which helped
terrorist plot, even as local and Federal law enforcement have thwarted
dozens of terrorist attacks on U.S. soil and against U.S. interests in
the past decade . . . In some cases, fusion centers' analytical efforts
have instead caused frustration and embarrassment for themselves and

The Subcommittee's concluding recommendations to DHS include that the
"improve its training of intelligence reporters"; "track
how much money it gives to each fusion center" and "link funding of
fusion center to its value and performance"; "timely disclose to
Congress significant problems within its operations"; and "align
practices and guidelines to protect civil liberties, so they adhere to
the Constitution, federal law, and its statutory mission."

In 2007, EPIC's "Spotlight on Surveillance" warned that fusion centers
would lead to "abuse and misuse." In subsequent FOIA cases, and in
comments to the DHS, EPIC has documented the many problems with the
fusion center program, including lack of oversight and
ineffective privacy safeguards.

US Senate Subcommittee: Report on Fusion Centers (Oct. 3, 2012)
EPIC: Information Fusion Centers and Privacy
EPIC: Spotlight on Surveillance
EPIC: EPIC v. VA Dept. of State Police (Fusion Center Secrecy Bill)
 FBI Exempts Massive Database from Privacy Act Protections

Beginning October 9, the Federal Bureau of Investigation
the records contained in the FBI Data Warehouse System from the
notification, access, and amendment provisions of the Privacy Act of
1974. For the past decade, EPIC has cautioned federal agencies about
the risks of maintaining electronic information databases for the
purposes of monitoring, tracking, and profiling targets. Such databases
are normally unlawful under the Privacy Act, which governs the
collection, maintenance, use, and dissemination of personally
identifiable information about individuals maintained in systems of
records by federal agencies. However, the Privacy Act contains
exceptions and exemptions for data that is being used for law
enforcement and counterterrorism activities. In testimony before
DHS earlier this year, EPIC explained that these exemptions weaken the
impact of the Privacy Act, rendering the massive databases vulnerable
to unauthorized access and abuse.

The FBI Data Warehouse System ingests vast quantities of "Personally
Identifiable Information" from various government agencies.
database contains information on a surprisingly broad category of
individuals, including, according to the FBI's Federal Register
posting, "subjects, suspects, victims, witnesses, complainants,
informants, sources, bystanders, law enforcement personnel,
personnel, other responders, administrative personnel,
consultants, relatives, and associates who may be relevant to the
or intelligence operation; individuals who are identified
in open source information or commercial databases, or who are
related, or have a nexus to the FBI's missions; individuals
whose information is collected and maintained for information system
user auditing and security purposes." The database also stores and
catalogs such data as targets' race, birthdate, biometric information,
social security numbers, and financial data.

In July 2012, the FBI published a notice in The Federal Register about
Warehouse System, in which the agency proposed to exempt the
Data Warehouse from certain provisions of the Privacy Act "in order
avoid interference with the national security and criminal law
enforcement functions and responsibilities of the FBI." After
one public comment, the FBI posted notice of the final rule on October
2; the exemption took effect one week later.

Earlier in 2012, EPIC voiced opposition to the Automated Targeting
System, or ATS, another massive government database that DHS
from Privacy Act provisions. EPIC's comments to DHS addressed the
substantial privacy and security issues raised by the
urged DHS to cease retaining personal information on US citizens in its
database. EPIC observed that exempting the ATS from the Privacy Act's
protections only served to "increase the secrecy of the database,"
allowing the DHS to "circumvent the intent of the Privacy Act"
through a lack of accountability.

Federal Register: Final Rule on FBI Data Warehouse (Oct. 9, 2012)
Federal Register: Notice of FBI Proposed Rulemaking (Jul. 10, 2012)
EPIC: The Privacy Act of 1974
EPIC: Comments to DHS on Automated Targeting System (Jun. 21, 2012)
EPIC: Domestic Surveillance
EPIC: FBI Watchlist
EPIC: Automated Targeting System
 EPIC FOIA Uncovers Google's Privacy Assessment

EPIC has obtained Google's privacy audit from the Federal Trade
Commission through a Freedom of Information Act (FOIA) request. Google
is required to undertake such periodic reports under a 2011 FTC consent
order. The privacy assessment, conducted
covers Google's implementation of privacy controls; whether those
controls are appropriate given Google's size and the volume of data it
acquires; and whether the privacy controls satisfy the protections
mandated by the FTC consent order.

The FTC, however, redacted large portions of the privacy report prior
to disclosure, particularly in the area of "assessor qualifications."
Similarly, the agency did not release information about the audit
process, privacy control assessment procedures, techniques to
privacy risks, and the types of personal information Google collects.
EPIC intends to challenge the Commission's withholdings.

EPIC filed a complaint with the FTC in 2010 over Google's social media
platform, Google Buzz. Buzz transformed Gmail into a social
service without first obtaining user consent, creating large-scale user
privacy invasions in the process. The FTC's 2011
Google declared that Google had used "unfair and deceptive" trade
practices and violated privacy promises to Google Buzz users. The FTC's
consent order mandates that Google refrain from future privacy
misrepresentations, implement a comprehensive privacy plan, and conduct
regular, independent privacy audits for the next 20 years. The recent
audit is Google's first under the

EPIC continues to pressure the FTC to closely monitor Google's privacy
practices. In February 2012, EPIC brought a lawsuit against the FTC
seeking to compel the Commission to exercise more stringent oversight
over Google's compliance with the consent order. While EPIC's lawsuit
was unsuccessful, the judge in the case acknowledged that "serious
concerns" about Google's practices. In August 2012, the FTC fined
Google $22.5 million for violating the consent order by
surreptitiously tracking Safari users' web

EPIC: Docs re: Google's Initial Privacy Assessment (Sept. 26, 2012)
EPIC: FOIA Request for Google Privacy Assessment Docs (Apr. 18, 2012)
FTC: Decision in Google Buzz (Oct. 24, 2011)
EPIC: Google Buzz
EPIC: Initial Complaint to FTC re: Google Buzz (2010)
EPIC: Federal Trade Commission
EPIC: FOIA and Open Government Project
 News in Brief
Supreme Court to Hear Challenge to Restrictive State FOI Law
The US Supreme Court has agreed to hear a case, McBurney v. Young,
challenging a Virginia state open-government law that restricts Freedom
of Information Act access to residents and media organizations
operating within Virginia. The petitioners in the case are out-of-state
requests for state documents under the Virginia Freedom
of Information Act were denied. McBurney v. Young presents the issue of
whether states can discriminate against non-residents by denying them
to state records. EPIC, in conjunction with several open
government organizations, filed a "friend of the court" brief urging
Court to hear this case.
US Supreme Court: Decision to Hear McBurney v. Young (Oct. 5, 2012)
US 4th Circuit Court: Decision in McBurney v. Young (Feb. 1, 2012)
EPIC: FOIA and Open Government
International Consumer Group Selects EPIC's Coney to Co-Chair Committee
The Trans-Atlantic Consumer Dialogue, a coalition of more
consumer organizations in Europe and North America, has selected EPIC
Associate Director Lillie Coney as an officer for 2012. Coney will join
Thomas Nortvedt of the Norwegian Consumer Council as co-chair of the
Information Society Policy Committee. The TACD, founded in 1998,
presents joint consumer policy recommendations to the US government and
the European Union to promote the consumer interest in EU and US
Trans-Atlantic Consumer Dialogue
EPIC: Lillie Coney
EPIC: EU Data Protection Directive
 EPIC in the News
"Internet privacy group takes on former delegate's case." Richmond
Times-Dispatch, Oct. 8, 2012.
"Google Privacy Audit Leaves Lingering Questions." InformationWeek,
Oct. 8, 2012.
"Speedy Airport Security: Should You Apply?" The New York Times, Oct.
"Justice Dept. to defend warrantless cell phone tracking." CNet, Oct.
"Some parents decry new Carroll schools' palm scanner." The Baltimore
Sun, Oct. 2, 2012.
"Facebook's digital advertising potential touted on Madison Avenue."
Los Angeles Times, Oct. 2, 2012.
"Facebook Sells More Access to Members." The Wall Street Journal, Oct.
"Facebook's New Pitch to Brand Advertisers: Forget About Clicks." The
New York Times, Oct. 1, 2012.
For More EPIC in the News:
 Book Review: 'This Machine Kills Secrets'

"This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and
Hacktivists Aim to Free the World's Information," Andy Greenberg

Journalist Andy Greenberg masterfully weaves together the histories of
data-leakers, cypherpunks, and hacktivists to reveal the
the technology that led to WikiLeaks - the biggest government
secret-killer to date.

Two quintessential leakers of the past 50 years - Daniel Ellsberg and
Bradley Manning - provide the guideposts for the ever-improving
technology to slay the secrets of governments and corporations
worldwide. Greenberg's use of an alternating narrative in each chapter
adds to the book's depth and pacing, and keeps readers engaged as he
builds an ever-larger picture of the connections between the history
and leaking, and the technologies they develop and use to
disrupt the status quo of power and secrecy. This alternating style
quickly between various times in history and the present, which
can make for a little confusion about the order of events if the
isn't careful to follow along closely.

"This Machine Kills Secrets" is helped along by a large cast of
spends time providing background about a host
of eccentric and interesting individuals, and does so in a way that
reveals the various, and sometimes interestingly tangential,
connections between the people who have contributed to the movement
toward greater government and corporate transparency. The book covers
a lot of ground and introduces many characters, sometimes leaving the
to know more about the people involved. Nevertheless,
Greenberg provides enough context to create a vivid, engaging story.

line is not just about people, however, but about the
technological evolution perpetually shifting the balance of power from
and corporations to the people. Greenberg pushes the
technological narrative without getting too bogged down in the nitty-
technical details, but still provides readers with the power to
understand technology's importance and place within the larger

"This Machine Kills Secrets" is an excellent story about the people
involved directly and indirectly in the technological
eventually culminated in WikiLeaks. This history, Greenberg tells us,
is a confirmation that WikiLeaks is not the end but merely another
chapter in the struggle for greater institutional transparency because
as he puts it "[t]he state of the world's information favors the leaker
now more than ever."

-- Jeramie D. Scott

"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the

"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
34th International Conference of Data Protection and Privacy. 23-25
October 2012, Punta del Este, Uruguay. For More Information:
The Public Voice Conference. 22 October 2012, Punta del Este, Uruguay.
For More Information: http://www.thepublicvoice.org/.
PIPA Conference 2012: "Privacy on the Go." 1-2 November 2012, Calgary,
Alberta. For More Information: http://privacyconference2012.ca.
"Computers, Privacy and Data Protection: Reloading Data Protection."
23-25 January 2013, Brussels. For More information:
22nd Annual Computers, Freedom, & Privacy Conference. 5-6 March 2012,
Washington, DC. For More Information: Contact Chris Calabrese
"Entrusting the Fourth Amendment to the Dogs: Canine Evidence and the
Constitution," Sponsored by the National Association of
Criminal Defense Lawyers. 23 October 2012, Washington, DC. For More
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 19.19 ------------------------