EPIC Alert 20.03
E P I C A l e r t
Volume 20.03 February 15, 2013
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Petitions FAA on Drone Privacy; Agency Responds
 White House Issues New Cybersecurity Executive Order,
 EPIC, Coalition Seek Privacy Safeguards for Car Data
 EPIC to Supreme Court: Protect Genetic Privacy
 US NGOs
Press Federal Government to Support EU Privacy Proposals
 News in Brief
 EPIC in the News
 EPIC Bookstore
 Upcoming Conferences
TAKE ACTION: Support Europe v. Facebook!
- LEARN about the Project: http://www.europe-v-facebook.org/EN/en.html
- DEMAND Your Facebook Data: http://epic.org/redirect/020113-fb.html
- JOIN Forces with Europe v. Facebook: https://www.crowd4privacy.org/
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Petitions FAA on Drone Privacy; Agency Responds
In response to an extensive petition submitted by EPIC
2012, the Federal Aviation Administration (FAA) has announced it will
begin a public rulemaking on the privacy impact
of aerial drones. The
EPIC petition, joined by over 100 organizations, experts, and members
of the public, urged the FAA to develop
privacy standards for drone
operators. In a February 14 letter to EPIC Executive Director Marc
Rotenberg, the FAA Chief Counsel
stated, "the FAA recognizes that
increasing the use of [drones] raises privacy concerns. The agency
intends to address these issues
through engagement and collaboration
with the public." The FAA's announcement comes exactly one year after
President Obama signed
the FAA Modernization and Reform Act of 2012,
which directed the FAA to loosen restrictions on government and
flights in the United States.
A recent report published by the Congressional Research Service
outlines the scope of the Federal
Aviation Administration's power to
regulate unmanned aerial vehicles in US airspace. The report further
investigates Fourth Amendment
and privacy implications of domestic
drone use, stating, "Perhaps the most contentious issue concerning the
introduction of drones
into U.S. airspace is the threat that this
technology will be used to spy on American citizens."
Drones' potential threats to
privacy rights have spurred many states to
consider legislation limiting drone surveillance. Oregon has become the
most recent state
to consider limits on the deployment of drones within
the US. A new bill sets out licensing requirements for drone use in
and fines those who use unlicensed drones to conduct
surveillance. New limitations are also being proposed for federal
collected by drone use in a state court. The Florida State
Senate is considering a bill that would flatly prohibit law enforcement
from using drones "to gather evidence or other information." North
Dakota and Missouri are among the other states considering drone
In July 2012, EPIC testified before the US House Committee on Homeland
Security on the use of domestic drones.
EPIC's testimony explained that
"there are substantial legal and constitutional issues involved in the
deployment of aerial drones
by federal agencies," some of which pose
truly unique threats to citizens' privacy. EPIC cautioned Congress that
safeguards are inadequate to protect against these
threats, and that Congress should pass drone legislation that would
retention and use limits for data gathered by drones, as well
as transparency measures to ensure that the public understands domestic
EPIC: Letter from FAA Chief Counsel to EPIC (Feb. 14, 2013)
FAA: Unmanned Aircraft Systems Test Site Selection
Congressional Research Service: Drone Report (Jan. 30, 2013)
State of Oregon: Senate Bill 71 (2013)
State of Missouri: House Bill 46 (2013)
State of North Dakota: Bill 13.0664.01000 (2013)
EPIC: Testimony before US House on Drones (July 19, 2012)
EPIC: Petition to FAA on Drones (Feb. 24, 2012)
EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones
 White House Issues New Cybersecurity Executive Order,
During his 2013 State of the Union address,
President Obama announced
an Executive Order on cybersecurity and "critical infrastructure."
Executive Order 21213 grants new powers
to federal agencies to share
cybersecurity information with private companies. Affected federal
agencies will assess the privacy
and civil liberties impact of their
actions under the Executive Order on an annual basis. The assessments
against the Fair Information Practice Principles
- a set of eight principles that safeguard privacy when implemented
President Obama further urged Congress to pass "legislation to give our
government a greater capacity to secure our networks and
The new Congress has reintroduced the Cyber Intelligence Sharing and
Protection Act (CISPA) - a bill scuttled in
2012 because of sustained
opposition from Internet activists outraged by the bill's privacy
ramifications. CISPA's provisions include
allowing the private sector
to share detailed information about Internet users with the government.
In addition to Executive Order
21213, the President also issued
Presidential Policy Directive 21, which directs the Secretary of the
Department of Homeland Security
to take specific, discrete actions
on cybersecurity practices. The Directive requires DHS to set up
national centers that can analyze
the information shared between the
government and private sector quickly enough to provide near real-time
The information analyzed by DHS will include
intelligence from the Intelligence Community (e.g. National Security
Department of Defense, and other agencies with "relevant
intelligence or information."
EPIC is currently pursuing a Freedom of
Information Act request with
the National Security Agency for Presidential Policy Directive 20, a
secret directive that grants cybersecurity authority
to the National
The White House: State of the Union Address (Feb. 12, 2013)
The White House: Executive Order 21213 (Feb. 12, 2013)
The White House: Presidential Policy Directive 21 (Feb. 12, 2013)
EPIC: "Flawed Cybersecurity Bill Passes House" (Apr. 27, 2012)
US House: Text of CISPA
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC: Cybersecurity Privacy Practical Implications
 EPIC, Coalition Seek Privacy Safeguards for Car Data
EPIC, joined by a coalition of privacy, consumer rights,
rights organizations, as well as members of the public, have urged the
National Highway Traffic Safety Administration
to protect driver
privacy and establish privacy safeguards for "event data recorders"
(EDRs). Event data recorders are often referred
to as "black boxes"
because they record a number of data points that can be examined in the
event of an automobile crash. These
data points include speed of the
automobile, the status of the brake and accelerator pedals, and the use
or non-use of seatbelts.
Data stored in EDRs may be accessed by third
parties such as vehicle manufacturers, law enforcement for post-crash
or repair shops for diagnostic purposes.
The agency's proposed rule would mandate the installation of EDRs in
all cars and small
trucks sold in the US by 2014; currently most
vehicles already come equipped with EDRs, but they are not mandated.
In the proposal,
the NHTSA conceded that data collected by EDRs
raise significant privacy issues, Nevertheless, the proposal has no new
safeguards, although the agency maintains that it treats the
vehicle owner as the owner of the EDR data, adheres to applicable
Privacy Act and FOIA provisions, and that EDR data does not contain
Personally Identifiable Information.
In recent comments to
the NHTSA, EPIC recommended that the agency:
(1) restrict the amount of data collected by EDRs; (2) conduct a
impact assessment; (3) uphold Privacy Act
protections; (4) require security standards for EDR data; and
(5) establish best practices
to fully protect the privacy rights of
vehicle owners and operators. EPIC argued that "[i]t is contrary to
for the agency to mandate massive data
collection and not fully amend its current regulations to protect
individual privacy. "
EPIC has previously commented on proposed rules put forth by the
National Highway Traffic Safety Administration. When the agency
proposed a rule in 2002 expanding its role in the development of
event data recorders and another in 2004 standardizing EDR data
formats, EPIC urged it to adhere to the Fair Information Practices
and the Privacy Act of 1974 in order to protect driver privacy.
also has supported the privacy of information collected by the
Department of Motor Vehicles.
Federal Register: Request
for Comments on EDRs (Dec. 13, 2012)
EPIC: Comments on EDR Privacy (Feb. 11, 2013)
EPIC: Comments to NHTSA on Event Data Recorder Privacy (Feb. 2003)
EPIC: Comments to NHTSA on Event Data Recorder Privacy (Aug. 2004)
EPIC: Automobile Event Data Recorders and Privacy
EPIC: The Drivers Privacy Protection Act
 EPIC to Supreme Court: Protect Genetic Privacy
EPIC has filed a "friend of the court" brief in the US Supreme Court
case Maryland v. King, arguing that law enforcement's warrantless
collection of DNA is unconstitutional because such collection
"constitutes an unreasonable search and seizure under the Fourth
Amendment [and] poses unnecessary and ongoing risks to privacy without
serving any legitimate government interest."
v. King centers on whether the Fourth Amendment permits law
enforcement to systematically collect DNA samples from every arrestee.
This DNA is searched, without any probable cause or reasonable
suspicion, against a central database to investigate unrelated cases
In King, the defendant was arrested for assault and his DNA was used to
convict him in an unrelated cold case.
EPIC's brief describes
the government's "dramatic and unpredictable"
expansion of DNA collection over the past decade. The FBI's national
CODIS, accessible by every law enforcement agency in the
country, was created in 1994 for the limited purpose of linking sex
with crime scene evidence. However, in the past 20 years,
"the government has continuously and incrementally broadened CODIS'
allowing law enforcement to collect and retain DNA samples from
many new categories of individuals. When a program like CODIS develops
in this statutory step-by-step fashion, it is difficult to divine a
EPIC's brief also states that the Fourth
Amendment limits "the
otherwise unbounded collection and use of the individual's DNA
sample by the government." An individual's
DNA contains sensitive
data about physical traits, predisposition to diseases, and familial
relations. An entire genome does not
have to be sampled or retained to
identify a criminal; however, the government permanently retains
complete DNA samples and uses
those DNA databases to search not only
those arrested, but their family members as well. The brief maintains
that the most privacy-protecting
means of handling criminal DNA samples
is to destroy them immediately after analysis, as was recommended by
the National Academy
of Sciences nearly 20 years ago. "As our knowledge
of genetics and its capabilities continues to expand," EPIC's brief
"it brings with it new challenges to privacy. Once an
individual's DNA sample is in a government database, protecting
from future exploitation becomes more difficult."
Twenty-six technical experts and legal scholars also signed onto
the EPIC brief.
The US Supreme Court will hear the case sometime
EPIC: "Friend of the Court" Brief in Maryland v. King (Feb. 1,
US Supreme Court: Maryland v. King Docket
Maryland Court of Appeals: Opinion in King v. State (2011)
EPIC: Maryland v. King
EPIC: Genetic Privacy
 US NGOs Press Federal Government to Support EU Privacy
EPIC has joined a coalition of leading US consumer
and civil liberties
organizations expressing concern about the role of US officials in the
development of European privacy law.
In a letter to the US Secretaries
of State, Justice, and Commerce, the coalition sought a meeting to
ensure that US lobbying efforts
in Europe "are not averse to the views
expressed by the President." The letter states that, "without
exception," members of the
European Parliament reported that US
governmental agencies and businesses were "mounting an unprecedented
lobbying campaign to
limit the protections that European law would
As the President explained last year, "Never has privacy been more
than today, in the age of the Internet, the World Wide
Web and smart phones. In just the last decade, the Internet has
a renewal of direct political engagement by citizens around
the globe and an explosion of commerce and innovation creating jobs
of the future." The Consumer Bill of Rights sets out the principles
of individual control over personal data; transparency of privacy
practices and data use policies; data use consistent with the context
in which consumers supply their data; information security;
that users can access their data and have a means to correct
inaccuracies; the right to reasonable limits on companies'
and retention of the personal data; and corporate accountability for
The President also said that the
Consumer Privacy Bill of Rights
is "a blueprint for privacy in the information age. . . . My
Administration will work to advance
these principles and work with
Congress to put them into law."
EPIC has been a consistent advocate of EU data privacy reform. In
October 2012, EPIC Executive Director Marc Rotenberg testified before
the European Parliament's Committee on Civil Liberties, Justice,
Home Affairs. Mr. Rotenberg's testimony expressed support of a proposed
EU privacy reform, which would accomplish five important
"First," Mr. Rotenberg explained, "it simplifies the existing framework
of European privacy laws. Second, it strengthens
rights for consumers.
Third, it clarifies legal authority for data privacy agencies. Fourth,
it updates privacy protections in
light of new data collection
practices. Fifth, it reaffirms a fundamental right of great importance."
Also in 2012, EPIC co-authored
a letter, along with a group of trans-
atlantic consumer organizations, expressing support for the EU's effort
to update and modernize
privacy law. The letter explains that promotion
of stronger privacy standards in Europe will benefit consumers
worldwide, as businesses
improve their privacy practices and security
standards. "We believe that this approach, which sets out rights and
for the collection and use of personal data, is the
cornerstone of data protection in the modern era," the letter states.
et al.: Letter to US Government on EU Data Privacy (Feb.4, 2013)
EPIC: Testimony Before EU Parliament on Data Privacy (Oct.10, 2012)
EPIC: Letter re: EU General Data Protection Regulation (Sept. 5, 2012)
The White House: Consumer Privacy Bill of Rights (Feb. 2012)
EPIC: EU Data Protection Directive
 News in Brief
EPIC Obtains New Documents on FBI Cellphone Tracking Technology
In the fifth interim release of documents in the Freedom of Information
Act lawsuit EPIC v. FBI, the agency has turned over nearly 300 pages on
a surveillance technique directed toward users of mobile phones.
documents obtained by EPIC reveal that FBI agents have been using "cell
site simulator" technologies, also known as "StingRay,"
or "Digital Analyzers," to monitor cell phones since 1995. Internal FBI
emails also obtained by EPIC reveal that
agents went through extensive
training on these devices in 2007. In addition, a presentation from the
agency's Wireless Intercept
and Tracking Team argues that cell site
simulators qualify for a low legal standard as a "pen register device,"
that was recently rejected by a Texas federal court.
EPIC: FBI Documents on Mobile Surveillance Technologies (Feb. 7, 2013)
EPIC: EPIC v. FBI - Stingray / Cell Site Simulator
US District Court/TX: Decision on Cell Site Simulators (Jun. 2, 2012)
EPIC: Locational Privacy
Congress Challenges Justice Department Commitment to Open Government
In a recent letter to the director of the US Office of Information
Policy, a Congressional oversight committee has asked a series of
questions challenging the federal government's compliance with
FOIA. The Office of Information Policy is tasked with "encouraging
agency compliance with the Freedom of Information Act (FOIA) and
for ensuring that the President's FOIA Memorandum and the Attorney
General's FOIA Guidelines are fully implemented across
government." The letter from Committee Chair Rep. Darrell Issa
(R-CA) and Ranking Member Rep. Elijah Cummings (D-MD) called
the Justice Department to address concerns about "outdated FOIA
regulations, exorbitant and possibly illegal fee assessments,
backlogs, the excessive use and abuse of exemptions, and dispute
resolution services." EPIC makes frequent use of the FOIA
information from the government about surveillance and privacy
policy. EPIC has also raised concerns in comments to federal
agencies and to the Office of Government Information Services about
systemic problems with FOIA compliance.
US House: Letter
to OIP re: FOIA Compliance (Feb. 4, 2013)
US Office of Information Policy
Federal Register: President's 2009 FOIA Memorandum (Jan. 26, 2009)
US AG Office: Attorney General's 2009 FOIA Memorandum (Mar. 19, 2009)
EPIC: Open Government
EPIC: FOIA Litigation Docket
FTC Reaches Settlement with Mobile App Path over Privacy Violations
The Federal Trade Commission has announced a settlement and
order with the social networking app Path over charges that Path
secretly collected information from mobile users' address
their consent. The FTC also fined the company $800,000 for violating
the Children's Online Privacy Protection Act,
which prohibits the
collection of personal information from children without obtaining
parental consent. The consent order requires
Path to implement a
comprehensive privacy program and to submit to independent privacy
assessments for the next 20 years. Over
the last year, the FTC has
released a series of reports documenting privacy problems with mobile
apps that collect the personal
information of children. In September
2012 EPIC submitted comments supporting the FTC's proposed improvements
to the COPPA rule,
which the agency ultimately adopted.
FTC: Press Release on Path Settlement (Feb. 1, 2013)
FTC: Text of Path Settlement (Feb. 8, 2013)
FTC: Press Release on Kids' Mobile Apps Report (Feb. 16, 2012)
FTC: Text of Mobile Kids' Apps Report (Dec. 2012)
EPIC: Comments on FTC Improvements to COPPA (Sept. 24, 2012)
EPIC: Children's Online Privacy
 EPIC in the News
"Genetic Privacy for Suspects?" The Scientist, Feb. 12, 2013.
"Push to Gauge Bang for Buck from College Gains Steam." The Wall
Street Journal, Feb. 11, 2013.
"States and Cities Step Up and Resist Drone Surveillance." The New
American, Feb. 11, 2013.
"Lots of buzz about domestic drones; concerns rise with possibilities."
The Washington Times, Feb. 11, 2013.
"Is Christopher Dorner 'The First Human Target' of Drones on U.S. Soil?"
In These Times, Feb. 11, 2013.
"Software that tracks people on social media created by defence firm."
The Guardian UK, Feb. 10, 2013.
"Tracking Privacy and Ownership In An On-Line World." NPR's "Talk of
the Nation," Feb. 8, 2013.
"Privacy issues may dominate in 2013." Consumer Affairs, Feb. 7, 2013.
"Genetic Privacy Front and Center at Supreme Court." Wired, Feb. 6,
"Basic Privacy Themes Reviewed in Dialogue on Diversity Colloquium."
CapitalWire PR, Feb. 5, 2013.
"Privacy groups call on U.S. government to stop lobbying against EU
data law changes." ZDNet, Feb. 4, 2013.
"Privacy battle against U.S. drone surveillance ramps up." CSO, Feb.
"Data Protection Laws, an Ocean Apart." The New York Times, Feb. 2,
For More EPIC in the News:
 EPIC Bookstore
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the
Video Voyeurism Prevention Act,
and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
"The New Frontier: Policy & Politics in the Age of the Internet." 22
February, Washington, DC. For More Information:
"IDP13 in OKC." 23 February 2013, Oklahoma City, OK. For More
"Drones.edu: Hands on the Future in the Classroom." SXSW, 6 March
2013, Austin, TX. For More Information: http://sxswedu.com/.
"Online Privacy: Consenting to your Future." 21-22 March 2013,
Portomaso, Malta. For More Information:
EPIC Champion of Freedom Awards Dinner. 3 June 2013, Washington, DC.
For More Information: http://epic.org/june3.
22nd Annual Computers, Freedom, & Privacy Conference. 25-26 June 2013,
Washington, DC. For More Information: Contact Chris Calabrese
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent
or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We
do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe
your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave. NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 20.03------------------------