
EPIC Alert 19.06 [2012] EPICAlert 6


=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 19.06                                             March 29, 2012
-----------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] Supreme Court Limits Privacy Act Remedies
[2] EPIC Argues in Federal Court for Disclosure of Google-NSA Agreement
[3] EPIC Urges Court to Uphold Location Privacy in Mobile Tracking Case
[4] Facebook Policy Changes Raise 2011 Consent Order Compliance Issues
[5] US, EU Privacy Officials Hold Joint Conference on Personal Data
[6] News in Brief
[7] EPIC in the News
[8] Book Review: 'Net Locality'
[9] Upcoming Conferences and Events

SAVE THE DATE! EPIC Annual Champion of Freedom Awards Dinner, with Host Dahlia Lithwick. June 11, 2012, The Fairfax at Embassy Row, Washington, DC.

For More Information:

=======================================================================
[1] Supreme Court Limits Privacy Act Remedies
=======================================================================

The Supreme Court held in a 5-3 opinion March 28 that the Privacy Act does not allow recovery of mental and emotional damages suffered as a result of the government's "willful and intentional violation" of the Act. In FAA v. Cooper, the Court considered whether the key term "actual damages" should be interpreted to include mental and emotional damages. A lower court held that the term unambiguously included such damages in the context of the Privacy Act. The majority Court opinion, written by Justice Samuel Alito, however, overturned the lower court's decision, finding that the term was ambiguous, and should be narrowly construed to limit government liability.

In a dissenting opinion, Justice Sonia Sotomayor, joined by Justices Stephen Breyer and Ruth Bader Ginsburg, argued that the purpose of the Privacy Act is unambiguous: to protect individuals from "substantial harm, embarrassment, inconvenience, or unfairness" that result from government privacy violations.

In 2011, EPIC filed a "friend of the court" brief in FAA v. Cooper, stating that privacy laws routinely provide recovery for mental and emotional harm, that such damages are the most common result of privacy violations, and that civil remedies are necessary to ensure enforcement of the Privacy Act.

Congress is currently considering amendments to the Privacy Act. EPIC submitted a letter to Senator Daniel Akaka (D-HI) in response to a Request for Comments on the Privacy Act Modernization bill. The proposed legislation would strengthen civil and criminal penalties for improper disclosure of individual records. The amendments would also strengthen Government accountability. However, the proposed legislation must now account for the Supreme Court's decision in FAA v. Cooper to eliminate the primary civil remedy in a majority of Privacy Act cases. EPIC will file revised comments on the proposed legislation in light of the Supreme Court's decision in Cooper.

US Supreme Court: Decision in FAA v. Cooper (Mar. 28, 2012)

EPIC: Letter to Sen. Akaka re: Privacy Act Comments (Mar. 27, 2012)
http://epic/org/redirect/032812-epic-akaka-letter.html

EPIC: FAA v Cooper

EPIC: Privacy Act of 1974

=======================================================================
[2] EPIC Argues in Federal Court for Disclosure of Google-NSA Agreement
=======================================================================

EPIC argued before the DC Circuit Court of Appeals March 20 that the National Security Agency must disclose documents related to a January 2010 cyber-attack on Google services.

After the attack it was widely reported that Google and the NSA entered into a cooperative cybersecurity agreement; EPIC subsequently filed a Freedom of Information Act request with the agency, seeking disclosure of records and communications related to the attack and any cooperative agreement between the NSA and Google. In response, the NSA invoked the controversial "Glomar Response," refusing to acknowledge the existence or non-existence of any documents, and similarly refusing to search for documents responsive to EPIC's FOIA request.

EPIC Executive Director Marc Rotenberg argued that the NSA's "Glomar response" was improper in this case, and that the Freedom of Information Act requires the agency to search for and release responsive records. Rotenberg also contended that the NSA had already publicly disclosed its views on the security of Google services, and thus could not deny the existence of related records.

The government's attorney argued that the agency can neither confirm nor deny the existence of responsive records because the NSA Act protects the agency's "functions and activities" from disclosure. Judge Douglas Ginsburg asked the government attorney how an unsolicited communication from Google could reveal protected NSA information. The attorney argued that such records would tend to reveal a relationship between the NSA and Google.

In the original FOIA request, EPIC asked for:

"All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;

"All records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to January 13, 2010;

"All records of communications regarding NSA's role in Google's decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs."

EPIC: EPIC v. NSA - Google/NSA Relationship

DC District Court: EPIC Lawsuit Against NSA (July 8, 2012)

NSA/CSS: About Information Assurance

=======================================================================
[3] EPIC Urges Court to Uphold Location Privacy in Mobile Tracking Case
=======================================================================

EPIC has filed a "friend of the court" brief in the Fifth Circuit, urging the court to uphold Fourth Amendment protections for cellphone users. The issue presented in "In re Application of US for Historical Cell-Site Data" is whether a government or law enforcement application for cellphone location records under the Stored Communications Act (SCA), without probable cause, violates the Fourth Amendment.

A lower court held that the application must be denied because the cellphone records at issue would reveal 60 days worth of private location information, which is protected by the Fourth Amendment. The Fifth Circuit Court of Appeals will now review the lower court opinion in light of the Supreme Court's recent decision in US v. Jones, which held that the warrantless attachment and use of a GPS car-tracking device for 24 days violated the defendant's Fourth Amendment rights.

EPIC's brief argues that the lower court's opinion should be upheld in context of the Jones decision because cellphone location records are collected without users' knowledge or consent. The records in this case, EPIC maintains, create a "comprehensive map of an individual's movements, activities, and relationships . . . precisely the type of information that individuals reasonably and justifiably believe will remain private." The individual privacy interest in these records is even stronger than the interest in Jones, the brief states, because the records were collected over two months rather than 24 days, and individuals keep cellphones with them at all times, whereas cars are used variably.

The government will file a reply to EPIC's and other "friend of the court" briefs on March 30. The court has not yet determined whether it will hold oral argument. A decision is expected later this year.

Fifth District Court: Order in Cell-Site Data Case (Nov. 11, 2011)
http://epic/org/redirect/032812-5th-cellsite-order.html

EPIC: "Friend of the Court Brief" in Cell-Site Case (Mar. 16, 2012)

EPIC: In re US Application for Historic Cell-Site Data

EPIC: Locational Privacy

=======================================================================
[4] Facebook Policy Changes Raise 2011 Consent Order Compliance Issues
=======================================================================

Facebook recently announced changes to its "Statement of Rights and Responsibilities." The most-discussed change involves Facebook app access to user data; although Facebook's practices have not changed, the company now states that a user's information is disclosed to apps used by that person's Facebook friends. Facebook also allows user-downloaded software or plugins to automatically download updates, upgrades, and additional features, and prohibits users from tagging others who do not wish to be tagged.

Allowing apps to access the personal information of a Facebook user's friends raises questions about Facebook's compliance with a 2011 settlement with the Federal Trade Commission, in which the agency found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to their friends' Facebook apps.

The settlement, which follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010, bars Facebook from changing privacy settings without users' affirmative consent, or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the existing settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission."

The new Facebook app access provisions also raise doubts about the effectiveness of Facebook's privacy settings. Facebook's "How People Bring Your Info To Apps They Use" privacy setting allows users to or to turn off Platform Apps altogether if they don't use any Apps themselves. Facebook's terms do not include any reference to those settings, thus leaving users without necessary information about the interaction between the privacy settings and the Statement of Rights and Responsibilities.

The changes were open for public comment until March 23. Facebook received 526 comments, which it plans to review in the coming weeks.

Facebook: Statement of Rights and Responsibilities

Facebook: Statement of Rights and Responsibilities (Tracked Changes)

FTC: Facebook Settlement

EPIC: In re Facebook (Dec. 17, 2009)

EPIC: In re Facebook 2 (May 5, 2010)

EPIC: Comments to FTC on Facebook Settlement (Dec. 27, 2011)

EPIC: Facebook Privacy

EPIC: Facebook Settlement

=======================================================================
[5] US, EU Privacy Officials Hold Joint Conference on Personal Data
=======================================================================

Policymakers from the United States and the European Union participated in a March 19 joint conference on the Privacy and Protection of Personal Data. The conference was held simultaneously in Washington, DC, and Brussels via videoconference link, and included panels on privacy protections, compliance, and enforcement.

The conference featured several prominent panelists and keynote speakers, including EPIC Executive Director Marc Rotenberg and US Representative Ed Markey (D-MA). EU Vice President Viviane Reding and US Commerce Secretary John Bryson, who also participated as keynote speakers, issued a joint statement reaffirming a commitment to privacy protection. The statement emphasized the need for a consistent regulatory structure to protect privacy: "As the EU and the United States continue to work on significant revisions to their respective privacy frameworks over the next several years, the two sides will endeavor to find mechanisms that will foster the free flow of data across the Atlantic," the statement reads.

US and EU consumer and privacy organizations also issued a statement commending the new US Consumer Privacy Bill of Rights but cautioning that the US must continue to improve safeguarding the interests of users of new Internet-based services. Both statements urged the United States to ratify the International Privacy Convention, published by the Council of Europe in 1981 and adopted by more than 40 countries.

In 2009, a broad coalition of civil society groups from around the world, including EPIC, signed the Madrid Privacy Declaration, affirming "that privacy is a fundamental human right." The Declaration makes 10 key recommendations for countries to follow in order to preserve privacy and civil rights on the Internet.

EU Conference: Privacy and Protection of Personal Data (Mar. 19, 2012)

EU-US Coalition: Joint Statement on Data Protection (Mar. 19, 2012)

US-EU Organizations: Joint Statement on Data Privacy (Mar. 19, 2012)

The Public Voice: The Madrid Privacy Declaration

The White House: New Consumer Privacy Framework (Feb. 2012)

EPIC: EU Data Protection Directive

=======================================================================
[6] News in Brief
=======================================================================

Congress Calls for Investigation of Body Scanner Radiation Risks

Both the House and Senate have introduced bills that would require the Department of Homeland Security "to contract with an independent laboratory to study the health effects of backscatter x-ray machines used at airline checkpoints operated by the Transportation Security Administration," and to provide airline passengers with improved notice of those health effects. The bills focus on the health effects of certain groups of individuals screened by the backscatter x-ray machines, including frequent air travelers, flight crews, and persons with greater sensitivity to radiation, such as children, pregnant women, the elderly, and cancer patients. In 2010, EPIC filed a Freedom of Information Act lawsuit asking a court to force the Department of Homeland Security to disclose documents about radiation testing results as well as agency fact sheets on radiation risks.

House Bill on Backscatter Radiation (H.R. 4068) (Feb. 16, 2012)

Senate Bill on Backscatter Radiation (S. 2044) (Jan. 31, 2012)

EPIC: Whole Body Imaging Technology

EPIC v. DHS: Full Body Scanner Radiation Risks

House of Representatives Issues FOIA Request Management Report Card

The US House of Representatives Committee on Oversight and Government Reform has issued the 2012 "Report Card on Federal Government's Efforts to Track and Manage FOIA Requests." The Report Card assigns letter grades to agencies based upon their "ability and willingness . . . to submit information" to the House Committee about their FOIA tracking systems. This information includes the FOIA requester's name, date of the request, a description of the records requested, the date the request was closed, and whether the agency provided responsive records to the request.
The Federal Trade Commission was one of the highest-scoring agencies, earning an "A+" for its FOIA management. The Department of Justice, the Department of Defense, and the Department of Homeland Security each received a "D" letter grade for their FOIA tracking systems.

US House Oversight Committee: FOIA Report Card (Mar. 15, 2012)

US House: Committee on Oversight and Government Reform

EPIC: FOIA Cases

EPIC: Open Government

Open Government Groups Oppose McCain Cybersecurity FOIA Exemption

Open-government organizations have sent a letter to Sen. John McCain (R-AZ), opposing specific provisions in a cybersecurity bill he introduced. FOIA exemptions limit public access to government information; the SECURE IT Act would create new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. The letter contends that "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a March statement for the Senate hearing on FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity.

Letter to Senator McCain (Mar. 13, 2012)

Senate Judiciary Committee: Hearing on FOIA (Mar. 13, 2012)

EPIC: Statement for the Record on FOIA Senate Hearing (Mar. 12, 2012)

SECURE IT Act of 2012

EPIC: Cybersecurity

EPIC: FOIA

FTC Settles with RockYou Over Security Flaws, COPPA Violations

The Federal Trade Commission has announced a settlement with the social game site over charges that the site's poor security allowed hackers to access the personal information of 32 million users, many of them young people.
The FTC also alleged that RockYou violated the Children's Online Privacy Protection Act Rule by knowingly collecting approximately 179,000 children's email addresses and associated passwords without parental consent. The settlement prohibits the company from making future deceptive claims about privacy and data security, bars future violations of the COPPA Rule, and requires RockYou to implement a data security program and to pay a $250,000 civil penalty. In 2011, EPIC submitted comments about the FTC's proposed new COPPA rules, which the agency claimed would improve children's online protection in light of new mobile devices and social network services.

FTC: Press Release on RockYou Settlement (Mar. 27, 2012)

FTC: Press Release on New Proposed COPPA Rules (Sept. 15, 2012)

EPIC: Comments to FTC on New Proposed COPPA Rules (Dec. 23, 2011)

EPIC: COPPA

EPIC: FTC

DHS Privacy Office Issues Quarterly Report to Congress

The Department of Homeland Security's Privacy Office has issued the First Quarter Fiscal Year 2012 Report to Congress. The report details DHS programs and functions that affect privacy, such as privacy impact assessments and systems of records notices. The report also summarizes the 295 privacy compliance complaints that the agency received between Sept. 1, 2011 and Nov. 30, 2011. EPIC has closely followed DHS Privacy Office activities, and has worked to ensure timely release of DHS privacy reports.

DHS Privacy Office: 2012 First Quarter Report (March 2012)

EPIC: "Privacy Report Held Hostage"

EPIC: DHS Chief Privacy Office and Privacy

=======================================================================
[7] EPIC in the News
=======================================================================

"FTC online privacy proposals slammed by activists.", March 27, 2012.
http://epic/org/redirect/032812-nymag-epic-dhs.html

"Dept. of Homeland Security Hopes to Be Anti-NYPD When It Comes to Domestic Surveillance." New York Magazine, March 22, 2012.
http://epic/org/redirect/032812-nymag-epic-dhs.html

"U.S. Relaxes Limits on Use of Data in Terror Analysis." New York Times, March 22, 2012.
http://epic/org/redirect/032812-nytimes-epic-terror.html

"Google Customers Sue Over Changes to Privacy Policy Rules." Bloomberg News, March 21, 2012.
http://epic/org/redirect/032812-bloomberg-epic-google.html

"Searching for Google, NSA connection." The Daily Progress, March 20, 2012.
http://epic/org/redirect/032812-daily-progress-epic-nsa.html

"Social media role in police cases growing." USA Today, March 18, 2012.
http://epic/org/redirect/032812-usa-today-social-police.html

For More EPIC in the News:

=======================================================================
[8] Book Review: 'Net Locality'
=======================================================================

"Net Locality: Why Location Matters in a Networked World," Eric Gordon and Adriana de Souza e Silva

If the Internet is all about the Web, and the Web is all about location, then the Internet is all about you and the physical space where you're sitting, reading these words. Not just your geospatial location, mind you - rather, your real-world ability to be sold to (and sold) in real time. The nature of self and identity in the increasingly commonplace merging of physical and virtual worlds is what Communications professors Eric Gordon and Adriana de Souza e Silva call "Net Locality" - "where the experience of 'being there' is the experience of being in a location where data is accessible."

"Net Locality," an academic book with a decidedly engaging, un-academic tone, guides readers through the evolution of the Internet's emergence as a player in physical space, from GeoCities to FourSquare, across continents, through physical and virtual communities, mashups, geolocation games, and ultimately into the thorny privacy issues inherent in letting the world know, literally, where you stand.

Gordon and de Souza e Silva understand the privacy ramifications of Web users' current obsession with location - at least intellectually. They're cognizant of "top down" government surveillance of locational data, and ad companies that use your coordinates to offer you real-time coupons or reviews, or collect your data for some other, unexplained purpose. They sympathize with user fears of "collateral surveillance" by jealous exes and anonymous stalkers. They discuss the psychological fears of having one's self either excluded from or overly exposed by location-based community and discourse. But, honestly, their joyful enthusiasm for location-based technology makes these self-described "privacy pragmatists" only moderately concerned about inherent location-based privacy risks.

The authors do fault Google for "selling the cultural shift" towards locational disclosure, for effectively privatizing public space and for the de facto philosophy "that it is better to apologize than ask for permission." But they also portray, if subtly, critics of Google StreetView as slightly paranoid whiners: "If location is public, then how can one maintain any claims of privacy as it pertains to location?" they wonder. (It's worth noting, however, that their chapter on globalization criticizes repressive governments for using location-based services to track dissenting citizens.)

Like Wordsworth, Gordon and de Souza e Silva wonder whether the geolocational "world is too much with us." But they don't fret over it too much: "On the one hand," they say, "we might think that national boundaries are eroding, and cities are losing their unique characteristics." But, they affirm, "'nation-states, despite their multidimensional crises, do not disappear; they transform.'" So, too, they suggest, should we.

-- EC Rosenberg

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================
EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore

================================
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[9] Upcoming Conferences and Events
=======================================================================

Symposium on 'Internet Privacy: A Culture of Privacy and Trust on the Internet.' 26 March 2012, Berlin. For More Information:

NYU/Princeton Conference: 'Mobile and Location Privacy: A Technology and Policy Dialog.' 13 April 2012, New York, NY. For More Information:

We Robot 2012: 'Setting the Agenda.' 21-22 April 2012, Miami, FL. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 19.06 ------------------------
