EPIC Alert 20.24 [2013] EPICAlert 24

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 20.24 December 11, 2013
-----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Files Lawsuit to Determine Legal Authority for PRISM Program
[2] EPIC Asks Federal Court for Release of Govt. Surveillance Reports
[3] White House Previews New Open Government Plan
[4] Europe May Suspend Data Transfer Agreement with US
[5] Spotlight on Surveillance: FBI Pushes Forward with Massive Biometric Database Despite Privacy Risks
[6] News in Brief
[7] EPIC in the News
[8] EPIC Bookstore
[9] Upcoming Conferences and Events

=======================================================================
[1] EPIC Files Lawsuit to Determine Legal Authority for PRISM Program
=======================================================================

EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice's Office of Legal Counsel for the secret legal analysis that justifies the use of the NSA's PRISM program. The PRISM program allows the FBI and NSA to warrantlessly collect information, including the contents of Internet users' communications, directly from Internet service providers.

The PRISM program has been in operation since 2008 and allows the National Security Agency to obtain real-time electronic communications from Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.
The Foreign Intelligence Surveillance Court found in 2011 that the PRISM program accounts for 91% of the roughly 250 million Internet communications acquired each year under Section 702 of the FISA Amendments Act. The CIA also uses PRISM data and can search for communications between US persons. Through this lawsuit, EPIC seeks to clarify which, if any, legal authority would permit such extensive domestic surveillance.

The Department of Justice's Office of Legal Counsel definitively interprets law for the Executive Branch, and the Office's legal opinions are binding on all federal agencies. The OLC also interprets the legality of the Intelligence Community's access to the electronic communications, including content information, of US persons. No legal analysis of the PRISM program has been provided to the public.

EPIC's lawsuit requests that the court order OLC to 1) promptly provide EPIC with "responsive agency records"; 2) "file, within 14 days of the date of the Court's Order . . . an affidavit: 1) identifying each document withheld from disclosure; 2) stating [OLC's] claimed statutory exemption as to each withheld document (or portion of a document); and 3) explaining why each withheld document is exempt from disclosure;" and 3) award EPIC legal costs and attorneys' fees.

The secrecy of OLC opinions is of increasing concern to open-government advocates. Earlier in 2013, EPIC, joined by a coalition of FOIA organizations, filed a "friend of the court" brief in support of a New York Times lawsuit for opinions of the Office of Legal Counsel. The brief argues that "establishing secret law is antithetical to democratic governance" and that the Freedom of Information Act "does not allow for secret law."

EPIC: FOIA Lawsuit against DOJ regarding PRISM Program (Nov. 26, 2013)
EPIC: FOIA Request to DOJ Regarding PRISM Program (June 6, 2013)
EPIC: EPIC v. DOJ - PRISM
EPIC et al.: "Friend of the Court" Brief in NYT v. DOJ (Apr. 22, 2013)
EPIC: New York Times v.
DOJ

=======================================================================
[2] EPIC Asks Federal Court for Release of Govt. Surveillance Reports
=======================================================================

EPIC has filed a lawsuit to compel the Department of Justice to release reports on the NSA's use of certain legal authority to collect Internet and email metadata. The Foreign Intelligence Surveillance Act requires that these reports be sent to Congress biannually, but they have never been released to the public. In a Motion for Preliminary Injunction, EPIC had sought the immediate release of these reports, citing the importance in providing the public with the information to participate in the current debate over NSA surveillance authorities.

EPIC filed the original FOIA request with the Department of Justice in October 2013. The Department determined EPIC's FOIA request qualified for expedited processing, but failed to process the request in 20 days as required by law. DOJ has not communicated with EPIC since November 2013. EPIC's suit alleges that DOJ has failed "to comply with statutory deadlines" and has unlawfully withheld agency records.

The reports sought by EPIC pertain to the use of legal authority to collect vast amounts of metadata on individuals worldwide, including US persons. Earlier in 2013, The Washington Post and The Guardian revealed that the NSA had been collecting bulk, suspicionless Internet metadata since 2004. The Office of the Director of National Intelligence has since published an undated opinion from the Foreign Intelligence Surveillance Court authorizing such collection. The program was allegedly halted in 2011 under pressure from Senators Ron Wyden (D-OR) and Mark Udall (D-CO).

These revelations have sparked debate over similar collection of telephone metadata under separate FISA authority. Both programs were based on a similar interpretation of the "relevance" standard found in the USA PATRIOT Act.
Earlier in 2013, EPIC petitioned the Supreme Court to rule that the Foreign Intelligence Surveillance Court exceeded its authority when it compelled the Verizon corporation to turn over the telephone records of all US telephone customers. EPIC said that it was not possible that all customer records could be "relevant" to a foreign intelligence investigation.

EPIC: EPIC v. DOJ (Pen Register / Trap and Trace)
EPIC: FOIA Lawsuit Against DOJ (Dec. 9, 2013)
EPIC: Original FOIA Request to DOJ (Oct. 3, 2013)
EPIC: Motion for Preliminary Injunction in EPIC v. DOJ (Nov. 2013)
FISA Court: Approval of NSA Request to Collect Metadata (2004)

=======================================================================
[3] White House Previews New Open Government Plan
=======================================================================

The Obama Administration has released a preview of the second Open Government National Action Plan. The National Action Plan was released as part of the Administration's commitment to the Open Government Partnership, an international transparency initiative that includes the US and seven other nations in Africa, Europe, South America, and Asia.

The Open Government Partnership has the stated goal of securing "concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance." In 2011, the US composed an initial version of an Action Plan that set out those goals. The second Action Plan, to be released in December 2013, sets out more specific commitments to improve both public access to information and government information management.

The report focuses on three broad goals that the Obama White House hopes to achieve through increased government transparency: "to increase public integrity," "to manage resources more effectively," and "to improve public services."
Within these categories, the report covers a wide range of topics, including efforts to improve public participation in government, and proposals to modernize management of government records and update the Freedom of Information Act (FOIA). The report also contains plans to transform the security classification system, increase transparency of foreign intelligence surveillance activities, make privacy compliance information more accessible, and strengthen protections for whistleblowers.

Specifically, the Administration proposes to establish a five-part FOIA modernization process. The components include a unified online FOIA service, to consolidate and streamline the FOIA process for requesters; a set of standardized FOIA practices consistent across all agencies; a FOIA Modernization Committee, composed of both government and civil society advisers, to improve dialogue between the government and requesters; and improved FOIA training for government employees and improved administration within agencies. If adopted, the proposed commitments would clarify the records requesting process and make the FOIA more accessible to the public.

EPIC joined other open government organizations to advise the White House on modernizing the FOIA. EPIC also regularly comments on proposed changes to agency FOIA regulations. Earlier in 2013, EPIC submitted extensive comments to the President's Privacy and Civil Liberties Oversight Board on the Board's initial draft of a set of FOIA regulations. The Board adopted almost all of EPIC's proposed changes and issued a final set of FOIA regulations that reflected EPIC's considerable input.

The White House: Preview of National Action Plan (Dec. 6, 2013)
The White House: National Action Plan Press Release (Dec.
6, 2013)
EPIC: Administrative Procedure Act Comments
EPIC: Open Government Project

=======================================================================
[4] Europe May Suspend Data Transfer Agreement with US
=======================================================================

The European Commission has released a report questioning the effectiveness of the US-EU Safe Harbor framework. The Safe Harbor agreement allows data to be transferred from EU member states to companies in the US that have promised to adhere to a set of privacy practices. The report cited "large scale access by intelligence agencies to data transferred to the US by Safe Harbour certified companies" as a key concern.

Companies wishing to participate in the Safe Harbor framework must identify that they comply with the Safe Harbor principles and must self-certify on an annual basis to the US Department of Commerce. In the US, both the Department of Commerce and the Federal Trade Commission have authority to enforce the arrangement. In the EU, data protection authorities of the member states may suspend data transfers to Safe Harbor certified companies, and the Commission may suspend Safe Harbor altogether in light of information about its implementation.

The European Commission's report cites several flaws in the current arrangement. First, "information recently released on US surveillance programmes [] raises new questions on the level of the protection the Safe Harbour arrangement is deemed to guarantee." The report explains that German data protection authorities have expressed concerns that Safe Harbor was being violated, and the Irish data protection authority reported receiving two complaints over the practices of the US intelligence community. Second, the Commission notes, "Over the years a substantial number of self-certified companies had not made their privacy policy public and/or had not made a public statement of adherence to the Privacy Principles."
Finally, the Commission reports that a certain percentage of companies were falsely claiming to adhere to the Safe Harbor principles.

The report recommends a variety of measures designed to strengthen Safe Harbor by improving transparency, redress, enforcement, and access by US authorities. For example, the Commission recommends increasing investigations into compliance, limiting the national security exception to cases that are "strictly necessary or proportionate," and facilitating EU citizens' access to alternative dispute resolution providers.

EPIC has previously recommended that the US support the EU Data Protection Regulation and adopt an international framework for privacy protection.

European Commission: Safe Harbor Report (Dec. 2013)
U.S.-EU Safe Harbor Agreement
EPIC: Testimony before LIBE Committee on US-EU Agreement (Sep. 30, 2013)
US NGOs: 2013 Letter to EU Parliament re: Safe Harbor (Oct. 15, 2013)
US NGOs: 2012 Letter to EU Parliament re: Safe Harbor (Sep. 5, 2012)
EU: Data Protection Regulation (2012)
EU: 1995 Data Protection Directive:
EU: Inquiry on Mass Surveillance of EU Citizens (Sep. 30, 2013)
EU: NSA Inquiry (Sep. 30, 2013)
EPIC: EU Data Protection Directive

=======================================================================
[5] Spotlight on Surveillance: FBI Pushes Forward with Massive Biometric Database Despite Privacy Risks
=======================================================================

The Federal Bureau of Investigation is spending over $1 billion to develop a biometric database program called "Next Generation Identification" (NGI), also called Next-Gen ID. The project will increase the FBI's ability to collect, use, and store multiple biometric identifiers on millions of criminals and non-criminals. EPIC's "Spotlight on Surveillance" project returns to scrutinize this massive surveillance program.
The Next-Gen ID program will build on the FBI's current biometric database of fingerprints, which is accessible to over 18,000 local, state, tribal, federal, and international partners. The FBI is in the process of adding facial, iris, and voice recognition to the database, which will greatly increase the Bureau's ability to perform domestic surveillance. The FBI already has signed Memoranda of Understanding with several states for access to DMV driver license and identification databases, and the agency plans to harvest the data for facial recognition programs.

EPIC filed a Freedom of Information Act lawsuit in 2012 to obtain more information about Next-Gen ID. The documents received through the FOIA lawsuit revealed the FBI's acceptance of a 20% error rate for the facial recognition software used on the NGI database. Technical specifications for another facial recognition project reveal that the FBI is extending access to the biometric database to state and local law enforcement for the purpose of running facial recognition queries.

The NGI program will greatly increase the FBI's potential database of facial recognition photos by adding non-criminal photos. FBI Deputy Director Jerome Pender testified before Congress in July 2012 that the agency was in the process of renewing the 2008 Interstate Photo System Privacy Impact Assessment to focus on facial recognition. The FBI has not released any Privacy Impact Assessment with respect to facial recognition or the NGI program.

EPIC has recommended increased Congressional scrutiny of the Next Generation Identification program and new regulations to address privacy concerns.

FBI: Next Generation Identification
EPIC: Spotlight on Surveillance: The FBI's Next-Gen ID Program
EPIC: FOIA Docs on Next-Gen ID (Oct. 1, 2010)
EPIC: EPIC v.
FBI - Next Generation Identification
EPIC: Face Recognition

=======================================================================
[6] News in Brief
=======================================================================

Nation Mourns Death of Nelson Mandela, World Leader Who Appeared on US 'Terrorist' Watch List

Former South African President and Nobel Peace Prize laureate Nelson Mandela has died at age 95. He is revered in the US and worldwide for helping to bring about the end of apartheid, leading his country into a new era, and championing the cause of human rights. Until 2008, Mr. Mandela, a member of the African National Congress, also appeared on the US "Terrorist" Watch List. Documents obtained by EPIC under the Freedom of Information Act in 2012 revealed a broad legal standard that allows the US to place someone on the Terrorist Watch List virtually forever. Mr. Mandela's name was taken off the list in 2008 by a formal act of Congress. Approximately 700,000 people are currently tracked by the US Terrorist Screening Center.

US Congress: Amendment Removing ANC from Terrorist Watchlist (2008)
EPIC: FBI Watchlist (National Terrorist Screening Center)
EPIC: Nelson Mandela and Privacy

Willis Ware, Tech Innovator, Privacy Pioneer, Dies at 93

Willis Ware, who helped usher in the computer age and provided the foundation for modern privacy law, passed away recently at his home in Santa Monica, CA, at age 93. An electronic engineer by training, Ware had worked with John von Neumann at Princeton on the early designs for digital processing. Fascinated by the social impact of computer technology, he turned quickly to the key challenge of privacy protection. In 1973, as the chair of an influential government committee wrestling with the increased automation of recordkeeping, Ware conceived of "Fair Information Practices", or the allocation of rights and responsibilities in the collection and use of personal data.
The report, "Records, Computers and the Rights of Citizens," became the foundation of the Privacy Act of 1974, the most comprehensive privacy law ever enacted in the US. Ware also served as chairman of the Security and Privacy Board, established by Congress in 1987, which helped loosen controls on the public use of cryptography in the 1990s and made possible the adoption of critical security technologies for the Internet. Ware joined the EPIC Advisory Board not long after the organization was established in 1994, and received the EPIC Lifetime Achievement Award in 2012.

Rand Corp.: Obituary for Willis Ware (Nov. 27, 2013)
EPIC: Code of Fair Information Practices
EPIC: Records, Computers and the Rights of Citizens (Jul. 1973)
EPIC: Privacy Act of 1974
NIST: Information Security and Privacy Advisory Board
EPIC: Willis Ware

Lights Out for Flashlight App Developer in Privacy Case

The Federal Trade Commission has announced a settlement with the developer of a flashlight app for Android mobile devices that deceptively collected and then disclosed consumers' personal information to third parties. "Brightest Flashlight Free" secretly collected users' location information and unique identifiers and then provided that information to third parties, including advertising networks. The developer even included a dummy privacy setting that had no actual effect. The settlement prohibits the company, Goldenshores Technologies LLC, from misrepresentations and requires it to obtain consumers' affirmative express consent before using and disclosing personal information. Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said the flashlight app left users "in the dark about how their information was going to be used." EPIC has commented previously on mobile privacy issues before the FTC, emphasizing the importance of the Fair Information Practices.

FTC: Press Release on Flashlight App Settlement (Dec. 5, 2013)
FTC: Text of Settlement (Dec.
2013)
EPIC: Comments to FTC on Digital Advertising and Privacy (Jul. 2012)
EPIC: Federal Trade Commission

FTC Announces 2014 Privacy Workshops

The Federal Trade Commission has announced a series of workshops on emerging consumer privacy issues. The series, intended to "shine a light on new trends in Big Data and their impact on consumer privacy," includes three topics: the use of mobile devices to track users in real space; predictive scoring algorithms that determine access to products and offers; and consumer-generated health data that falls outside HIPAA. The FTC has invited public comment on the proposed topics for the Spring 2014 workshops. The FTC recently concluded a workshop on the Internet of Things, for which EPIC submitted comments. EPIC has also urged the Commission to enforce prior consent orders, incorporate the Consumer Privacy Bill of Rights in privacy settlements, and respect public comments on proposed settlements.

FTC: Press Release on Privacy Workshops (Dec. 2, 2013)
FTC: Instructions for Public Comment on Workshops (Dec. 2, 2013)
FTC: Announcement on Internet of Things Workshop (Nov. 19, 2013)
EPIC: Comments to FTC on Internet of Things (Jun. 1, 2013)
EPIC: Federal Trade Commission

=======================================================================
[7] EPIC in the News
=======================================================================

"Tech Giants Issue Call for Limits on Government Surveillance of Users." The New York Times, Dec. 9, 2013. for-limits-on-government-surveillance-of-users.html?_r=0

"Here's why the FTC couldn't fine a flashlight app for allegedly sharing user location data." The Washington Post, Dec. 9, 2013. heres-why-the-ftc-couldnt-fine-a-flashlight-app-for-allegedly- sharing-user-location-data/

"DC, Maryland and Virginia cops spying on cell phone data." [Video] WUSA-9, Dec. 9, 2013. on-cell-phone-data

"Cellphone data spying: It's not just the NSA." [Video] USA Today, Dec. 8, 2013.
data-spying-nsa-police/3902809/

"Fighting for Information from DHS." NPR's "On the Media," Dec. 6, 2013.

"Will this robot make America safer?" CIO Australia, Dec. 5, 2013.

"Square Peg, Round Hole - How the FISC has misapplied FISA to Allow for Bulk Metadata Collection," by EPIC Appellate Advocacy Counsel Alan Butler and Director of EPIC's Domestic Surveillance Project Amie Stepanovich. Just Security, Dec. 2, 2013. round-hole-fisc-fisa/

"Digital era confounds the courts." Politico, Dec. 1, 2013. supreme-court-cases-100410.html

"A Night Watchman With Wheels?" The New York Times, Nov. 29, 2013. watchman-with-wheels.html?smid=tw-share&_r=2&

"US Government Ordered to Reveal Details of 'Internet Kill Switch' to Deactivate Wi-fi Networks." The News Reports, Nov. 27, 2013. details-of-internet-kill-switch-to-deactivate-wi-fi-networks/2260/ leer

"Washington's overall take on data brokers muddled." Politico, Nov. 25, 2013. data-brokers-muddled-100316.html?hp=r4

For More EPIC in the News:

=======================================================================
[8] EPIC Bookstore
=======================================================================

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act.
The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS).
This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore:

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[9] Upcoming Conferences and Events
=======================================================================

"Who's Watching Little Brother?
Local Surveillance, National Concerns," presented by the Cato Institute. Washington, DC, December 11, 2013. For More Information: brother-local-surveillance-national-concerns?.

"Protecting Human Rights: Are Drones the New Sheriffs in Town?," presented by the American Bar Association. Speaker: EPIC Domestic Surveillance Counsel Amie Stepanovich. Washington, DC, December 12, 2013. For More Information: meetings/tnt_meetings.cfm?.

"Big Data and Security in Europe: Challenges and Opportunities." Speaker: EPIC President Marc Rotenberg. Brussels, January 21, 2014. For More Information: in-europ.html.

"Privacy in the Networked World," featuring EPIC Appellate Advocacy Counsel Alan Butler. Waikoloa, Hawaii, January 26, 2014. For More Information:

Fourth Annual International Summit on the Future of Health Privacy. Washington, DC, June 4-5, 2014. For More Information:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 20.24 ------------------------
