EPIC Alert 19.06
E P I C A l e r t
Volume 19.06 March 29, 2012
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 Supreme Court Limits Privacy Act Remedies
 EPIC Argues in Federal Court for Disclosure of Google-NSA Agreement
 EPIC Urges Court to Uphold Location Privacy in Mobile Tracking Case
 Facebook Policy Changes Raise 2011 Consent Order Compliance Issues
 US, EU Privacy Officials Hold Joint Conference on Personal Data
 News in Brief
 EPIC in the News
 Book Review: 'Net Locality'
 Upcoming Conferences and Events
SAVE THE DATE!
EPIC Annual Champion of Freedom Awards Dinner, with Host Dahlia
Lithwick. June 11, 2012, The Fairfax at Embassy Row, Washington, DC.
For More Information: http://epic.org/june11/.
 Supreme Court Limits Privacy Act Remedies
The Supreme Court held in a 5-3 opinion March 28 that the Privacy Act
does not allow recovery of mental and emotional damages suffered as a
result of the government's "willful and intentional violation" of the
Act. In FAA v. Cooper, the Court considered whether the key term
"actual damages" should be interpreted to include mental and emotional
damages. A lower court held that the term unambiguously included such
damages in the context of the Privacy Act. The majority Court opinion,
written by Justice Samuel Alito, however, overturned the lower court's
decision, finding that the term was ambiguous, and should be narrowly
limit government liability.
In a dissenting opinion, Justice Sonia Sotomayor, joined by Justices
Stephen Breyer and Ruth Bader Ginsburg, argued that the purpose of the
Privacy Act is unambiguous: to protect individuals from "substantial
inconvenience, or unfairness" that result from government privacy
violations.
In 2011, EPIC filed a "friend of the court" brief in FAA v. Cooper,
stating that privacy laws routinely provide recovery for mental and
emotional harm, that such damages are the most common result of
privacy violations, and that civil remedies are necessary to ensure
enforcement of the Privacy Act.
is currently considering amendments to the Privacy Act. EPIC
submitted a letter to Senator Daniel Akaka (D-HI) in response to a
Request for Comments on the Privacy Act Modernization bill. The
proposed legislation would strengthen civil and criminal penalties
improper disclosure of individual records. The amendments would also
strengthen Government accountability. However, the proposed
must now account for the Supreme Court's decision in FAA v. Cooper to
eliminate the primary civil remedy in a majority of Privacy Act cases.
EPIC will file revised comments on the proposed legislation in light of
the Supreme Court's decision in Cooper.
US Supreme Court: Decision in FAA v. Cooper (Mar. 28, 2012)
EPIC: Letter to Sen. Akaka re: Privacy Act Comments (Mar. 27, 2012)
EPIC: FAA v Cooper
EPIC: Privacy Act of 1974
 EPIC Argues in Federal Court for Disclosure of Google-NSA Agreement
EPIC argued before the DC Circuit Court of Appeals March 20 that the
National Security Agency must disclose documents related to a January
2010 cyber-attack on Google services. After the attack it was widely
reported that Google and the NSA entered into a cooperative
cybersecurity agreement; EPIC subsequently filed a Freedom of
Information Act request with the agency, seeking disclosure of records
and communications related to the attack and any cooperative agreement
the NSA and Google. In response, the NSA invoked the
controversial "Glomar Response," refusing to acknowledge the existence
non-existence of any documents, and similarly refusing to search for
documents responsive to EPIC's FOIA request.
Director Marc Rotenberg argued that the NSA's "Glomar
response" was improper in this case, and that the Freedom of
Information Act requires the agency to search for and release
responsive records. Rotenberg also contended that the NSA had already
its views on the security of Google services, and
thus could not deny the existence of related records. The government's
argued that the agency can neither confirm nor deny the
existence of responsive records because the NSA Act protects the
"functions and activities" from disclosure.
Judge Douglas Ginsburg asked the government attorney how an unsolicited
from Google could reveal protected NSA information. The
attorney argued that such records would tend to reveal a relationship
the NSA and Google.
In the original FOIA request, EPIC asked for:
"All records concerning an agreement or similar basis for
final or draft, between the NSA and Google regarding
"All records of communication between NSA and Google concerning
Gmail, including but not limited to Google's decision to fail to
routinely encrypt Gmail messages prior to January 13, 2010;
"All records of communications regarding NSA's role in Google's
decision regarding the failure to routinely deploy encryption
cloud-based computing service, such as Google Docs."
EPIC: EPIC v. NSA - Google/NSA Relationship
DC District Court: EPIC Lawsuit Against NSA (July 8, 2012)
NSA/CSS: About Information Assurance
 EPIC Urges Court to Uphold Location Privacy in Mobile Tracking Case
EPIC has filed a "friend of the court" brief in the Fifth Circuit,
urging the court to uphold Fourth Amendment protections for cellphone
The issue presented in "In re Application of US for Historical Cell-
Site Data" is whether a government or law enforcement application for
records under the Stored Communications Act (SCA),
without probable cause, violates the Fourth Amendment. A lower court
the application must be denied because the cellphone records
at issue would reveal 60 days' worth of private location information,
which is protected by the Fourth Amendment. The Fifth Circuit Court of
Appeals will now review the lower court opinion in light of the Supreme
Court's recent decision in US v. Jones, which held that the warrantless
attachment and use of a GPS car-tracking device for 24 days violated
the defendant's Fourth Amendment rights.
EPIC's brief argues that the lower court's opinion should be upheld in
context of the Jones decision because cellphone location records are
collected without users' knowledge or consent. The records in this
case, EPIC maintains, create a "comprehensive map of an individual's
movements, activities, and relationships . . . precisely the type of
information that individuals reasonably and justifiably believe will
remain private." The individual privacy interest in these records is
even stronger than the interest in Jones, the brief states, because the
records were collected over two months rather than 24 days, and
individuals keep cellphones with them at all times, whereas cars are
government will file a reply to EPIC's and other "friend of the
court" briefs on March 30. The court has not yet determined whether
will hold oral argument. A decision is expected later this year.
Fifth District Court: Order in Cell-Site Data Case (Nov.
EPIC: "Friend of the Court Brief" in Cell-Site Case (Mar. 16, 2012)
EPIC: In re US Application for Historic Cell-Site Data
EPIC: Locational Privacy
 Facebook Policy Changes Raise 2011 Consent Order Compliance Issues
Facebook recently announced changes to its "Statement of Rights and
Responsibilities." The most-discussed change involves Facebook app
access to user data; although Facebook's practices have not changed,
the company now states that a user's information is disclosed to apps
used by that person's Facebook friends. Facebook also allows user-
downloaded software or plugins to automatically download updates,
upgrades, and additional features, and prohibits users from tagging
others who do not wish to be tagged.
Allowing apps to access the personal information of a Facebook
friends raises questions about Facebook's compliance with a 2011
settlement with the Federal Trade Commission, in which the agency found
that Facebook "deceived consumers by telling them they could keep their
information on Facebook private, and then repeatedly allowing it to be
shared and made public." In particular, the FTC found that Facebook had
misled users about the extent to which their personal information would
be made available to their friends' Facebook apps.
The settlement, which follows from complaints filed by EPIC and other
consumer and privacy organizations in 2009 and 2010, bars Facebook from
changing privacy settings without users' affirmative consent, or
misrepresenting the privacy or security of users' personal information.
In comments filed with the FTC, EPIC said that the existing settlement
is "insufficient to address the concerns originally identified by EPIC
the consumer coalition, as well as those findings established by
The new Facebook app access provisions also raise doubts about the
effectiveness of Facebook's privacy settings. Facebook's "How People
Bring Your Info To Apps They Use" privacy setting allows users to or to
turn off Platform Apps altogether if they don't use any Apps themselves.
Facebook's terms do not include any reference to those settings, thus
leaving users without necessary information about the interaction
between the privacy settings and the Statement of Rights and
The changes were open for public comment until March 23. Facebook
received 526 comments, which it plans to review in the coming weeks.
Facebook: Statement of Rights and Responsibilities
Facebook: Statement of Rights and Responsibilities (Tracked Changes)
FTC: Facebook Settlement
EPIC: In re Facebook (Dec. 17, 2009)
EPIC: In re Facebook 2 (May 5, 2010)
EPIC: Comments to FTC on Facebook Settlement (Dec. 27, 2011)
EPIC: Facebook Privacy
EPIC: Facebook Settlement
 US, EU Privacy Officials Hold Joint Conference on Personal Data
Policymakers from the United States and the European
in a March 19 joint conference on the Privacy and Protection of
Personal Data. The conference was held simultaneously
DC, and Brussels via videoconference link, and included panels on
privacy protections, compliance, and enforcement.
featured several prominent panelists and keynote speakers, including
EPIC Executive Director Marc Rotenberg and US Representative Ed Markey
EU Vice President Viviane Reding and US Commerce Secretary John Bryson,
who also participated as keynote speakers, issued a joint statement
reaffirming a commitment to privacy protection. The statement emphasized
for a consistent regulatory structure to protect privacy: "As
the EU and the United States continue to work on significant revisions
to their respective privacy frameworks over the next several years, the
two sides will endeavor to find mechanisms that will foster
flow of data across the Atlantic," the statement reads.
US and EU consumer and privacy organizations also issued a statement
commending the new US Consumer Privacy Bill of Rights but cautioning
that the US must continue to improve safeguarding the interests
users of new Internet-based services. Both statements urged the United
States to ratify the International Privacy Convention,
the Council of Europe in 1981 and adopted by more than 40 countries.
In 2009, a broad coalition of civil society groups from around the
world, including EPIC, signed the Madrid Privacy Declaration,
affirming "that privacy is a fundamental human right." The Declaration
makes 10 key recommendations for countries to follow in order to
preserve privacy and civil rights on the
EU Conference: Privacy and Protection of Personal Data (Mar. 19, 2012)
EU-US Coalition: Joint Statement on Data Protection (Mar. 19, 2012)
US-EU Organizations: Joint Statement on Data Privacy (Mar. 19, 2012)
The Public Voice: The Madrid Privacy Declaration
The White House: New Consumer Privacy Framework (Feb. 2012)
EPIC: EU Data Protection Directive
 News in Brief
Congress Calls for Investigation of Body Scanner Radiation Risks
Both the House and Senate have introduced bills that would require
Department of Homeland Security "to contract with an independent
laboratory to study the health effects of backscatter x-ray
used at airline checkpoints operated by the Transportation Security
Administration," and to provide airline passengers with improved notice
of those health effects. The bills focus on the health effects of
certain groups of individuals screened by the backscatter x-ray
machines, including frequent air travelers, flight crews, and persons
with greater sensitivity to radiation, such as children, pregnant
women, the elderly, and cancer patients. In 2010, EPIC filed a Freedom
of Information Act lawsuit asking a court to force the Department of
Homeland Security to disclose documents about radiation testing results
as agency fact sheets on radiation risks.
House Bill on Backscatter Radiation (H.R. 4068) (Feb. 16, 2012)
Senate Bill on Backscatter Radiation (S. 2044) (Jan. 31, 2012)
EPIC: Whole Body Imaging Technology
EPIC v. DHS: Full Body Scanner Radiation Risks
House of Representatives Issues FOIA Request Management Report Card
The US House of Representatives Committee on Oversight and
Reform has issued the 2012 "Report Card on Federal Government's Efforts
to Track and Manage FOIA Requests." The Report Card assigns letter
grades to agencies based upon their "ability and willingness . . . to
submit information" to the House Committee about their FOIA tracking
systems. This information includes the FOIA requester's name, date of
the request, a description of the records requested, the date the
request was closed, and whether the agency provided responsive records
to the request. The Federal Trade Commission was one of the highest-
scoring agencies, earning an "A+" for its FOIA management. The
Department of Justice, the Department of Defense, and the Department of
Homeland Security each received a "D" letter grade for their FOIA
US House Oversight Committee: FOIA Report Card (Mar. 15, 2012)
US House: Committee on Oversight and Government Reform
EPIC: FOIA Cases
EPIC: Open Government
Open Government Groups Oppose McCain Cybersecurity FOIA Exemption
Open-government organizations have sent a letter to Sen. John
(R-AZ), opposing specific provisions in a cybersecurity bill he
introduced. FOIA exemptions limit public access to government
information; the SECURE IT Act would create new Freedom of
Information Act exemptions for "cyber threat information" as well as
for all information shared with a cybersecurity center. The letter
that "Unnecessarily wide-ranging exemptions of this type have
the potential to harm public safety and the national defense more
they enhance those interests." In a March statement for the Senate
hearing on FOIA and critical infrastructure information,
warned against new FOIA exemptions and said that the National Security
Agency has become a "black hole" for public information
Openthegovernment.org: Letter to Senator McCain (Mar. 13, 2012)
Senate Judiciary Committee: Hearing on FOIA (Mar. 13, 2012)
EPIC: Statement for the Record on FOIA Senate Hearing (Mar. 12, 2012)
SECURE IT Act of 2012
FTC Settles with RockYou Over Security Flaws, COPPA Violations
The Federal Trade Commission has announced a settlement with the
game site RockYou.com over charges that the site's poor security
allowed hackers to access the personal information of 32
many of them young people. The FTC also alleged that RockYou violated
the Children's Online Privacy Protection Act Rule by knowingly
collecting approximately 179,000 children's email addresses and
associated passwords without parental consent. The settlement prohibits
the company from making future deceptive claims about privacy and data
security, bars future violations of the COPPA Rule, and requires
RockYou to implement a data security program and to pay a $250,000
civil penalty. In 2011, EPIC submitted comments about the FTC's
proposed new COPPA rules, which the agency claimed would improve
children's online protection in light of new mobile devices and social
FTC: Press Release on RockYou Settlement (Mar. 27, 2012)
FTC: Press Release on New Proposed COPPA Rules (Sept. 15, 2012)
EPIC: Comments to FTC on New Proposed COPPA Rules (Dec. 23, 2011)
DHS Privacy Office Issues Quarterly Report to Congress
The Department of Homeland Security's Privacy Office has issued the
Quarter Fiscal Year 2012 Report to Congress. The report details
DHS programs and functions that affect privacy, such as privacy
assessments and systems of records notices. The report also summarizes
the 295 privacy compliance complaints that the agency
Sept. 1, 2011 and Nov. 30, 2011. EPIC has closely followed DHS Privacy
Office activities, and has worked to ensure timely release of DHS
DHS Privacy Office: 2012 First Quarter Report (March 2012)
EPIC: "Privacy Report Held Hostage"
EPIC: DHS Chief Privacy Office and Privacy
 EPIC in the News
"FTC online privacy proposals slammed by activists." SlashGear.com,
March 27, 2012.
"Dept. of Homeland Security Hopes to Be Anti-NYPD When It Comes to
Domestic Surveillance." New York Magazine, March 22, 2012.
"U.S. Relaxes Limits on Use of Data in Terror Analysis." New York
Times, March 22, 2012.
News, March 21, 2012.
"Searching for Google, NSA connection." The Daily Progress, March 20,
"Social media role in police cases growing." USA Today, March 18, 2012.
For More EPIC in the News:
 Book Review: 'Net Locality'
"Net Locality: Why Location Matters in a Networked World," Eric Gordon
and Adriana de Souza e Silva
If the Internet is all about the Web, and the Web is all about
location, then the Internet is all about you and the physical space
where you're sitting, reading these words. Not just your geospatial
location, mind you - rather, your real-world ability to be sold to (and
sold) in real time. The nature of self and identity in the increasingly
commonplace merging of physical and virtual worlds is what
Communications professors Eric Gordon and Adriana de Souza e Silva call
"Net Locality" - "where the experience of 'being there' is the
experience of being in a location where data is accessible." "Net
Locality," an academic book with a decidedly
tone, guides readers through the evolution of the Internet's emergence
as a player in physical space, from GeoCities to FourSquare, across
continents, through physical and virtual communities, mashups,
geolocation games, and ultimately into the thorny privacy issues
inherent in letting the world know, literally, where you stand.
Gordon and de Souza e Silva understand the privacy ramifications of Web
users' current obsession with location - at least intellectually.
They're cognizant of "top down" government surveillance of locational
data, and ad companies that use your coordinates to offer you real-time
coupons or reviews, or collect your data for some other, unexplained
purpose. They sympathize with user fears of "collateral surveillance"
exes and anonymous stalkers. They discuss the psychological
fears of having one's self either excluded from or overly exposed by
location-based community and discourse. But, honestly, their joyful
enthusiasm for location-based technology makes these self-described
"privacy pragmatists" only moderately concerned about inherent location-
based privacy risks.
The authors do fault Google for "selling the cultural shift" towards
locational disclosure, for effectively privatizing public space and for
the de facto philosophy "that it is better to apologize than ask for
permission." But they also portray, if subtly, critics of Google
StreetView as slightly paranoid whiners: "If location is public, then
how can one maintain any claims of privacy as it pertains to location?"
(It's worth noting, however, that their chapter on
globalization criticizes repressive governments for using location-
to track dissenting citizens.)
Like Wordsworth, Gordon and de Souza e Silva wonder whether the
geolocational "world is too much with us." But they don't fret over
it too much: "On the one hand," they say, "we might think that
national boundaries are eroding, and cities are losing their unique
characteristics." But, they affirm, "'nation-states, despite their
do not disappear; they transform.'" So, too, they suggest, should we.
-- EC Rosenberg
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full texts of major privacy laws and directives such as
the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy
Guidelines, as well as an up-to-date section on recent developments.
New materials include the APEC Privacy Framework, the Video Voyeurism
Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Symposium on 'Internet Privacy: A Culture of Privacy and Trust on the
Internet.' 26 March 2012, Berlin. For More Information:
NYU/Princeton Conference: 'Mobile and Location Privacy: A Technology
and Policy Dialog.' 13 April 2012, New York, NY. For More
We Robot 2012: 'Setting the Agenda.' 21-22 April 2012, Miami, FL. For
More Information: http://robots.law.miami.edu/.
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 19.06 ------------------------