E P I C A l e r t
Volume 20.20 October 16, 2013
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Appeals Secrecy of Body Scanner Radiation Documents
 Gov. Brown Signs New California Privacy Laws
 EPIC FOIA Docs
Shed Light on Secret FBI Mobile Phone Tracking Team
 Court Rules that Gmail Case Can Go Forward
 EPIC Urges Congress on Student
Privacy after Court Decision
 News in Brief
 EPIC in the News
 EPIC Bookstore
 Upcoming Conferences and Events
ACTION: Tell Facebook: "Stop Changing Our Privacy Settings!"
- READ about the Changes: http://epic.org/redirect/090313-facebook.html
- LEARN More about Facebook Privacy: http://epic.org/privacy/facebook/
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Appeals Secrecy of Body Scanner Radiation Documents
EPIC has challenged two decisions by a federal district
allow the Department of Homeland Security and the Transportation
Security Administration to withhold factual information
body scanners, including test results, fact sheets, and estimates of
radiation risks. In the opening brief to the
court, EPIC argued that
federal agencies may not withhold factual information under the
"deliberative process privilege" in the
Freedom of Information Act.
EPIC maintained that "under the standard adopted by the lower court,
not only would the judgment of agency officials be exempt,
but so too
would reports or studies of any significance."
The challenge combines two separate cases EPIC appealed to the DC
EPIC filed a motion to consolidate both appeals because they
raise substantially similar legal issues. EPIC then presented the
of whether the lower court erred in failing to apply the "inextricably
intertwined" test before determining that records
could be withheld in
full despite containing non-deliberative and factual materials normally
released under the Freedom of Information Act.
The two cases combined in EPIC's appeal also include a case against the
Department of Homeland Security. That FOIA lawsuit sought
the radiation risks posed by body scanners. The other FOIA lawsuit,
against the Transportation Security Administration,
sought to obtain
agency records that detailed the operation and capabilities of the
"Automated Targeting Recognition" software
used on body scanners.
According to the government Automated Targeting Recognition software
allows TSA agents to see only a generic
human image rather than the
traveler's naked body. After several EPIC lawsuits and an act of
Congress, TSA was required to adjust
the devices to produce only
generic images. However, earlier in 2013 the TSA was finally forced
to unplug and box up the backscatter
x-ray body scanners after the
agency could not meet the Congressional mandate. The TSA was also
required to take public comments
on the use of body scanners after
EPIC sued the agency for the unilateral decision to make body
scanners the primary screening
technique in US airports -
a rule change that violated the Administrative Procedures Act.
EPIC: EPIC v. DHS - Body Scanner FOIA
EPIC: Opening Brief in EPIC v. DHS (Oct. 1, 2013)
EPIC: EPIC v. DHS - Full Body Scanner Radiation Risks
EPIC: EPIC v. TSA - Body Scanner Modifications (ATR)
EPIC: Comments to TSA re: Passenger Screening Using AIT (June 24, 2013)
DC District Ct.: Decision in EPIC v. DHS (Scanners) (Mar. 7, 2013)
DC District Ct.: Decision in EPIC v. DHS (PowerPoint) (Mar. 7, 2013)
EPIC: Initial Documents from DHS re: Body Scanners (Feb. 11, 2013)
EPIC: EPIC v. DHS: Suspension of Body Scanner Program
Whole Body Imaging Technology and Body Scanners
 Gov. Brown Signs New California Privacy Laws
California Governor Jerry Brown (D) has signed three state privacy
bills into law. Assembly Bill 370 amends the California Online
Privacy Protection Act by requiring that businesses disclose how they
respond to Do Not Track signals or other mechanisms used
to prevent the surreptitious collection of their browsing history.
Senate Bill 568 provides for an "eraser button"
that would require
websites to allow minors to remove their own information. Finally,
Senate Bill 255 prohibits "revenge porn,"
or the posting of explicit
images or videos without the victim's consent.
California law already requires website operators to
post links to
their privacy policies. AB 370 expands the disclosure requirement to
include the website's response to Do Not Track
signals. Although a Do
Not Track standard has yet to be implemented, the law's disclosure
requirements apply broadly to any "mechanisms
that provide consumers
the ability to exercise choice regarding the collection of personally
identifiable information about an
individual consumer's online
activities . . . ."
SB 568 contains an "eraser button" provision that requires a website or
app to allow registered minors to remove their content or
information. The law has been compared to the federal Children's Online
Privacy Protection Act and the "right to be forgotten" in the EU's
proposed data protection regulation. However, SB 568 differs
in that it applies to users under age 18, whereas COPPA only applies to
users under age 13. Additionally, minors may
only delete information
they post themselves, not information posted by a third party.
SB 255 criminalizes the publication of
intimate photos or videos that
were originally produced "under circumstances where the parties agree
or understand that the image
shall remain private" if the publication
was intended to, and in fact causes, "serious emotional distress." The
law is intended
to prevent "revenge porn" and is the first of its kind
in the nation.
In 2008, EPIC and a coalition of consumer privacy organizations
successfully forced Google to place a prominent link on its homepage
violation of the California Online Privacy Protection Act. As the
groups explained, "California law requires the operator
Google initially said that it would upset
the web page aesthetic
to include the word "privacy," but later made the modification.
State of CA: AB 370 (Sept. 27, 2013)
State of CA: SB 568 (Sept. 27, 2013)
State of CA: SB 255 (Oct. 1, 2013)
State of CA: CalOPPA
EPIC: Online Tracking and Behavioral Advertising
EPIC: Children's Online Privacy
Privacy Rights: Letter to Google CEO Eric Schmidt (Jun. 2008)
 EPIC FOIA Docs Shed Light on Secret FBI Mobile Phone
In response to EPIC's Freedom of Information Act Lawsuit, the Federal
Bureau of Investigation has released more than 400 pages of documents
related to the cell site simulator technology
commonly referred to as
"StingRay." A StingRay is a device that can triangulate the source of a
cellular signal by acting "like
a fake cell phone tower" and measuring
the signal strength of an identified device from several locations.
With StingRays and other
similar "cell site simulator" technologies,
government investigators and private individuals can locate, interfere
with, and even
intercept communications from mobile phones and other
The FBI's most recent release to EPIC is the latest in
a series that
began in 2012, and comprises over 4,000 pages of responsive documents.
The most recent release includes training
and promotional materials
from the "Wireless Intercept & Tracking Team," a specialized unit
within the FBI previously undisclosed
to the public.
According to the documents obtained by EPIC, the FBI's Tracking Team
provides technical and financial support to
a rapidly expanding group
of federal and local law enforcement agents trained to use the
controversial surveillance tools. The
documents also reveal information
about two other cellular surveillance technologies known as
"Loggerhead" and "Triggerfish." While
"Loggerhead" is largely obsolete,
since it was used primarily to eavesdrop on older analog cell phones,
"Triggerfish" is still
apparently in use.
The documents reveal that the FBI believes it can use cell site
simulators without a warrant, but thus far only
one federal court has
considered the Fourth Amendment implications of these devices,
including their interception of innocent users'
data. Earlier in 2013,
a federal court in Arizona permitted police to use evidence gathered by
"StingRay" surveillance technology.
The court held in United States v.
Rigmaiden that investigators did not violate the Fourth Amendment.
EPIC: Stingray/Cell Site
EPIC: FBI's October 2013 Document Production
EPIC: Complaint in EPIC v. FBI (Apr. 26, 2012)
EPIC: EPIC v. FBI - Next Generation ID
 Court Rules that Gmail Case Can Go Forward
A federal district court has ruled that Google may have violated the
federal Wiretap Act when it routinely intercepted, read, and
the contents of user email for advertising purposes. Judge Lucy Koh of
the Northern District Court of California wrote,
"The court finds that
it cannot conclude that any party - Gmail users or non-Gmail users -
has consented to Google's reading of
e-mail for the purposes of
creating user profiles or providing targeted advertising," The court
rejected Google's arguments that
the activity occurred in the "ordinary
course of business."
The court held that the interception must be "instrumental" to the
provision of an email service and that Google's business interest was
not sufficient to meet that test. The court also found that
not obtained consent from users for the company's ad profiling
practices. According to the opinion, "Google has cited
no case that
stands for the proposition that users who send emails impliedly consent
to interceptions and use of their communications
by other . . . than
the indented recipient of the email."
The recent ruling applies also applies to Google Apps for Education,
through which Google obtains emails from educational organizations of
students, faculty, staff, and alumni.
EPIC Appellate Advocacy
Counsel Alan Butler was quoted in The New York
Times, saying, "What's at stake is a core digital privacy issue for
now, which is the extent to which their digital
communications are protected from use by third parties."
District Court of N.
CA: Ruling in Google Wiretap Case (Sep. 26, 2013)
EPIC: Gmail Privacy FAQ
EPIC: Ben Joffe v. Google
EPIC: Investigations of Google Street View
 EPIC Urges Congress on Student Privacy after Court
In a letter to the US Senate and House Committees
on Education, EPIC
has asked Congress to restore privacy protections for student data.
EPIC's letter follows a court opinion on
recent changes to the Family
Educational Rights and Privacy Act (FERPA), which held that neither EPIC
nor any of EPIC's Board of
Director co-plaintiffs "have standing to
bring the claims asserted in the complaint." The judge did not address
claims asserted in the complaint.
EPIC's letter warned that the changes in the student privacy law allow
the release of student
records for non-academic purposes and undercut
parental and student consent provisions, and urged Congress to
investigate the impact
of the revised regulations. "Students and
families are losing control over sensitive information," EPIC wrote,
"and private companies
are becoming the repositories of student data
and even the data maintained by the schools is far more extensive than
EPIC's original lawsuit argued that the Education Department's changes
to FERPA exceeded the agency's authority and that the revised
regulations violate FERPA itself. Before initiating the lawsuit, EPIC
submitted extensive comments to the Education Department,
regulations. In comments, EPIC stated that the Education Department's
recommendations "would undermine privacy safeguards
set out in the
[FERPA] statute and would unnecessarily expose students to new privacy
After the Education Department
failed to modify the proposed
regulations, EPIC filed suit in early 2012. "Through the FERPA's text,
purpose, and legislative history,
Congress unambiguously guaranteed
students the right to prevent disclosure of directory information,"
EPIC stated. EPIC was joined
in the lawsuit by EPIC Board of Directors
members Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Dr.
EPIC has been a longtime advocate for student privacy rights. In 2011,
EPIC filed a "friend of the court" brief in Chicago Tribune
University of Illinois, a case involving student privacy rights
protected by FERPA. Additionally, EPIC and more than 100 local,
and national organizations previously urged then-Secretary of Defense
Donald Rumsfeld to end the "Joint Advertising and
Studies" Recruiting Database, which discloses personal information
about 16-25-year-old Americans without obtaining
EPIC: Letter to Congress re: FERPA Decision (Oct. 9, 2013)
EPIC: Court Order in EPIC v. Ed. Dept. (Sept. 26, 2013)
EPIC: Memorandum Opinion in EPIC v. Ed. Dept. (Sept. 26, 2013)
EPIC: Complaint in EPIC v. Ed. Dept. (Feb. 29, 2012)
EPIC: Comments to Ed. Dept. on FERPA (May 23, 2011)
EPIC: Brief in Chi.
Tribune v. U. of Illinois (Jul. 20, 2011)
Privacy Coalition: DoD Database Campaign Coalition Letter (2003)
EPIC: EPIC v. The US Department of Education
EPIC: Student Privacy
 News in Brief
NSA Attacked Tor, a Privacy Enhancing Network
The NSA and Britain's GCHQ have attempted to break the privacy
protections of the
Tor anonymity network, according to a series of
documents recently published in The Guardian. The documents describe
efforts to de-anonymize Tor users by using viruses to
compromise their computers and the Tor software, and by following
advertising cookies. The documents also reveal that despite
the NSA's efforts the Intelligence Community has had limited success
compromising the Tor network. One presentation, called "Tor Stinks,"
concludes that the IC will "never be able to de-anonymize
all Tor users
all the time." In May 2013, EPIC filed a FOIA request with the
Broadcasting Board of Governors, seeking evidence
interference with the Tor network. In 2000, EPIC filed a complaint with
the FTC over DoubleClick's efforts to merge
users' browsing activity
with personally identifying information; in 2007, EPIC objected to
Google's acquisition of DoubleClick,
warning that it would place
Internet users' privacy at risk.
The Guardian: 'NSA and GCHQ target Tor network' (Oct. 4, 2013)
The Guardian: '"Tor Stinks" Project' (Oct. 4, 2013)
The Tor Project
EPIC: FOIA Request to BBG re: Tor (May 31, 2013)
EPIC: Complaint to FTC re: DoubleClick (Feb. 2000)
EPIC: EPIC v. BBG - Tor
EPIC: Privacy? Proposed Google/DoubleClick Merger
EPIC FOIA: FBI Says 20% Error Rate Okay for Facial Recognition
EPIC's Freedom of Information Act lawsuit against the FBI has
produced new documents about "Next Generation Identification" and the
FBI's plans for facial recognition
systems. According to one of the
documents obtained by EPIC, "NGI shall return an incorrect candidate a
maximum of 20% of the time",
a percentage much greater than expected.
Earlier in 2013, EPIC received other documents from the FBI on the use
of facial recognition
and state DMV photos. The FBI still has not
updated a 2008 Privacy Impact Assessment on facial recognition
technology despite 2012
Congressional testimony that a new assessment
EPIC: FOIA Complaint Against FBI re: Facial Recognition (Apr. 8,
EPIC: EPIC v. FBI - Next Generation Identification
EPIC: FOIA Docs from FBI on Facial Recognition (Oct. 2010)
EPIC: FOIA Docs on Agreement Between FBI and State of IL (2012-2013)
EPIC: FOIA Request to FBI on Facial Recognition Systems (Mar. 29, 2013)
FBI: Testimony Before US Senate on Facial Recognition (Jul. 18, 2012)
EPIC: Facial Recognition
EPIC FOIA - New Information on Drone Flight Applicants
The Federal Aviation Administration has responded to an EPIC FOIA
request seeking documents related to applications to fly drones in US
airspace by providing a list of nearly 200 entities within
Department of Defense, the Department of Homeland Security, the
Department of Justice, and state and federal law enforcement
The FAA further responded to EPIC's request for information by making
the drone licenses, or "certificates," available
on a public portal.
EPIC has called on the FAA to maintain a searchable database of all
drone operators as the agency seeks to
expand domestic drone use.
FAA: Response to EPIC FOIA Request on Drones (Sep. 24, 2013)
EPIC: FOIA Request to FAA re: Drone Applications (Aug. 5, 2011)
EPIC: List from FAA of Domestic Drone Applicants (Aug. 27, 2013)
FAA: Drone Programs and Initiatives
EPIC: Comments to FAA on Domestic Drone Use (Apr. 23, 2013)
EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones
EPIC Updates and Relaunches 'Practical Privacy Tools'
EPIC has updated and expanded one of its most popular web pages of all
time - "Practical Privacy Tools." EPIC's "Practical Privacy Tools" page
includes a detailed listing of Internet Anonymizers, Proxy
email encryption, secure Internet messaging, password vaults, antivirus
programs, cookie cleaners, and more. Although
EPIC does not endorse any
particular product or service, EPIC strongly supports the widespread
availability of privacy enhancing
techniques. As EPIC explained to
Congress in 1998, "techniques to protect privacy and anonymity should
be encouraged and restrictions
on encryption should be lifted."
EPIC: Online Guide to Practical Privacy Tools
EPIC: Testimony to Congress on Privacy Tools (Mar. 1998)
Privacy Groups Ask Congress to End Secret Hearings on Data Industry
EPIC, joined by a coalition of consumer privacy
groups, has asked the
US House of Representatives Privacy Task Force to open to the public
meetings now taking place in secret
on Capitol Hill. "We recognize that
there is value in private meetings among Members and staff and with
constituents," the group
wrote, but added, "with public matters of
common concern" meetings should be held "in the open, a public record
should be created,
and various viewpoints should be heard." The groups
thanked Representatives Marsha Blackburn (R-TN) and Peter Welch (D-VT)
examining "the enormously important issue of consumer privacy" but
said, "there is simply no reason for your task force to hold
door sessions." In 2012, both the White House and the Federal Trade
Commission recommended enactment of consumer privacy
EPIC et al.: Letter to Congressional Privacy Task Force (Oct. 1, 2013)
FTC: 'Protecting Consumer Privacy in an Era of Rapid Change' (Mar. 2012)
The White House: 'Consumer Data Privacy in a Networked World' (Feb. 2012)
 EPIC in the News
"Snapchat hack secretly saves images using app." BBC, Oct. 15, 2013.
"Feds Demand Supreme Court Thwart Challenge to NSA Phone Spying."
Wired, Oct. 15, 2013.
"Facial Recognition Software That Returns Incorrect Results 20% Of The
Time Is Good Enough For The FBI." Tech Dirt, Oct. 15, 2013.
"FBI's Facial Recognition Software Could Fail 20 Percent of the Time."
National Journal, Oct. 14, 2013.
"Yahoo to make SSL encryption the default for Webmail users. Finally."
The Washington Post, Oct. 14, 2013.
"Administration looks to dodge Supreme Court challenge to NSA program."
The Hill, Oct. 14, 2013.
"Amid NSA Outrage, Big Tech Companies Plan to Track You Even More
Aggressively." Wired, Oct. 11, 2013.
"FBI Files Reveal New Info on Clandestine Phone Surveillance Unit."
Slate, Oct. 8, 2013.
"Why journalists can still trust Tor." Columbia Journalism Review,
Oct. 8, 2013.
"White House pursues online privacy bill amid NSA efforts." Politico,
Oct. 7, 2013.
"Church and state, executive power on Supreme Court docket." CNN, Oct.
"Deciding Who Sees Students' Data." The New York Times, Oct. 5, 2013.
"Report: NSA tried, largely failed to crack Tor network." The Hill,
Oct. 4, 2013.
For More EPIC in the News: http://epic.org/news/epic_in_news.html
 EPIC Bookstore
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the
Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC Bookstore: http://www.epic.org/bookstore
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
Surveillance Conference, Sponsored by the Chicago Committee to Defend
the Bill of Rights. Speaker: EPIC Domestic Surveillance
Stepanovich. Northwestern University School of Law, Evanston, IL,
19 October 2013. For More Information:
American Civil Liberties Union of Rhode Island 2013 Annual Dinner
Celebration. Keynote Speaker: EPIC Domestic Surveillance Counsel
Stepanovich. Providence, RI, 8 November 8, 2013. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent
or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We
do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe
your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave. NW, Suite
200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at: http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 20.20------------------------