EPIC Alert 20.07
E P I C A l e r t
Volume 20.07 April 16, 2013
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC Sues FBI to Obtain Details on Massive Biometric ID Database
 EPIC Comments on Federal Cybersecurity Framework
Comments on FTC FOIA Procedures
 President May Veto Controversial
 News in Brief
 EPIC in the News
 EPIC Book Review: 'SuperVision'
 Upcoming Conferences and Events
TAKE ACTION: Comment on the TSA's 'Nude' Airport Body Scanners!
- COMMENT to the TSA: http://epic.org/redirect/TSAcomment
- LEARN More: http://epic.org/TSAcomment/
- SUPPORT EPIC: http://www.epic.org/donate/
 EPIC Sues FBI to Obtain Details on Massive Biometric
EPIC has filed a Freedom of Information Act lawsuit against the FBI to
obtain documents on "Next Generation Identification", a massive
database with biometric identifiers on
millions of Americans. NGI
aggregates fingerprints, DNA profiles, iris scans, palm prints, voice-
identification profiles, photographs,
and other identifying information
culled from numerous federal, state, and local law enforcement agencies.
The FBI intends to use
facial recognition to identify individuals within
In addition to data from suspects and convicts, NGI will contain
records on millions of US persons with no arrest records or reason for
suspicion. The FBI also plans to collect surveillance camera
and other publicly accessible images to add to the agency's facial
EPIC v. FBI, filed April 8 in the
District of Columbia federal court,
focuses on the FBI's failure to respond to EPIC's earlier FOIA requests
for technical specifications
and contracts. After more than six months,
the FBI has yet to provide any responsive documents.
According to EPIC's complaint, "When
completed, the NGI system will be
the largest biometric database in the world." Non-law-enforcement
civilian agencies, such as DMVs
and other licensing entities, also will
be able to submit their records to NGI, and over 18,000 law-enforcement
agencies will have
access to the database.
EPIC: Complaint filed against FBI re: FOIA Request (Apr. 8, 2103)
FBI: Next Generation Identification
EPIC: Information on EPIC v. FBI
EPIC: Biometric Identifiers
EPIC: Facial Recognition
 EPIC Comments on Federal Cybersecurity Framework
In response to the agency's request, EPIC has submitted comments on the
National Institute of Standards and Technology's review
a national cybersecurity framework.
EPIC supports civilian control of cybersecurity and privacy protections
on the Fair Information Practices. In the comments to NIST, EPIC
emphasized the need for all federal agencies to comply with the
and Freedom of Information Acts. EPIC also recommended that the
cybersecurity framework should clearly define what constitute
security threats" and emphasized the need to avoid equating all
cybersecurity issues with national security issues.
order to promote transparency and public engagement, EPIC's comments
recommended that "[w]ithin the scope of the Cybersecurity Framework,"
NIST: (1) with respect to any cybersecurity legislation, urge Congress
to include protections for civil liberties and privacy in
the Cybersecurity Framework; (2) abide by the Obama Administration's
commitment to civilian control of cybersecurity; (3)
urge the release
of documentation concerning purported cybersecurity authority for
agencies, including the National Security Agency
("NSA"), involved in
the Cybersecurity Framework; (4) distinguish between cybercrimes that
fall under law enforcement and cyberterrorism
that falls under
national security; (5) acknowledge the 1992 OECD Guidelines for the
security of information systems; and (6) fully
adhere to the Privacy
Act of 1974 and the Freedom of Information Act." EPIC's comments also
emphasized the need for the National Security Agency to release
documentation concerning its own cybersecurity
EPIC has previously submitted comments on the Federal Cybersecurity
Research and Development Strategic Plan and on the
Department's cybersecurity program. In both instances, EPIC urged
robust privacy protections and adherence to the both the
and the Freedom of Information Act.
NIST: Request for Comments on Cybersecurity Standards (Feb. 26, 2013)
EPIC: Comments to NIST on Cybersecurity (Apr. 8, 2013)
The White House: Executive Order 13636 (Feb. 19, 2013)
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC: Comments on Federal Cybersecurity Strategic Plan (Dec. 19, 2012)
EPIC: Comments on DoD Cybersecurity (July 10, 2012)
 EPIC Comments on FTC FOIA Procedures
EPIC has submitted comments to the Federal Trade Commission pursuant
to the agency's February 2013 notice to revise Freedom of Information
Act fee regulations. EPIC generally supports many of the agency's
changes, and applauded the FTC for reducing request fees, explaining,
"The proposed revisions impact various agency practices concerning FOIA
fee processing, and on the whole, the agency's proposals
requesters." For example, the Commission proposes increasing the
threshold for small charge fee waivers "from those
that do not exceed
$14 to those under $25."
However, EPIC's comments also noted that several of the Commission's
fee proposals create
barriers for FOIA requesters or otherwise
frustrate the spirit of the law. Specifically, EPIC urged the FTC to
"(1) update its definition
for news media representative; (2) clarify
which documents are public information and ensure that hyperlinks to
those records work
properly; (3) disclose private sector contract rates
for FOIA processing; (4) refrain from prematurely closing FOIA
(5) adopt alternative dispute resolution or arbitration
when resolving delinquent FOIA fees."
EPIC routinely comments on agency
proposals that impact the rights of
FOIA requesters. In 2012, EPIC submitted extensive comments to the
Department of Defense, noting
that the DoD's proposals would
substantially alter FOIA requirements and modify key terms governing
FOIA processing, general FOIA
policy, exemptions under the FOIA, and
fee waivers. EPIC's comments argued that several of the proposals are
contrary to law, exceed
the scope of the agency's authority, and should
be withdrawn. EPIC further stated that the proposals contravene "the
of the President and Attorney General concerning
government transparency, and warned the agency not to erect new
obstacles for FOIA
EPIC also filed comments with the Department of the Interior in 2012,
pursuant to the agency's notice of a change to
EPIC's comments observed that the Interior Department's proposed
revisions and adoptions would impact not only
the requirements for
making requests under the agency's FOIA rules, but also the processing
fees and agency consultations and referrals.
EPIC further objected to
several of the proposed changes, and similarly cautioned that those
changes undermined the FOIA, were contrary
to law, and exceeded the
agency's rulemaking authority.
EPIC: Comments to FTC on Fee Schedule Rulemaking (Mar. 29, 2013)
Federal Register: FTC Request for Comments on FOIA (Feb. 28, 2013)
EPIC: Comments to Interior Dept. on FOIA Regulations (Nov. 13, 2012)
EPIC: Comments to DLA on FOIA (Dec. 5, 2012)
EPIC: Open Government
Data protection agencies in six European countries
enforcement actions against Google. These agencies, representing
France, Germany, Italy, the Netherlands, Spain, and
the United Kingdom,
form part of a data protection coalition called the Article 29 Working
Party, headed by the French data protection
bureau CNIL. In March
2012 the Article 29 Working Party launched an investigation into
Google's new privacy policies in order to
ensure that the policies met
the requirements of the European Data Protection Directive. At the
October 2012 conclusion of the investigation,
Working Party agencies
"asked Google to comply with their recommendations within 4 months."
As of March 2013, the Working Party
reports, "Google ha[d] not
implemented any significant compliance measures."
According to an April 2 CNIL report, Google has ignored
to comply with European data protection law, and"[i]t is now up to each
national data protection authority to carry
out further investigations
according to the provisions of its national law transposing European
legislation. Each agency represented
in the working group will launch
individual investigations based on their independent enforcement
authority," and all member agencies
have done so.
The enforcement action follows Google's March 2012 decision to combine
user data across 60 Internet services to create
detailed profiles of
Google users - resulting in, for example, a Google user's YouTube login
information being combined into one
user profile with his or her Gmail
account, Google Docs account, and browsing history. This switch in
privacy policies prompted objections
from US state attorneys general,
members of Congress, and IT managers in both the government and private
sectors, as well as EPIC
and other consumer and privacy groups. The
National Association of Attorneys General sent a letter to Google
founder Larry Page to
express "strong concerns." NAAG noted
particularly that "Google has not only failed to provide an 'opt-in'
option, but has failed
to provide meaningful 'opt-out' options as well."
EPIC sued the Federal Trade Commission in 2012 to force the FTC to
terms of a settlement with Google that would have
prohibited Google's changes in business practices. That consent order,
October 2011, established privacy safeguards for users of all
Google products and services and subjected the company to regular
audits. The order bars Google from misrepresenting the
company's privacy practices, requires the company to obtain user
disclosing personal data, and mandates the development
of and compliance with a comprehensive privacy program.
CNIL: Press Release
on Actions Against Google (Apr. 2, 2013)
CNIL: Letter to Google (Oct. 16, 2012)
NAAG: Letter to Google (Feb. 22, 2012)
US House: Letter to the FTC re: Google (Feb. 17, 2012)
EPIC: Google Buzz
EPIC: Enforcement of Google Consent Order
 President May Veto Controversial Cybersecurity Bill
The White House has announced that the President's senior
will recommend a veto if improvements are not made to the controversial
Cyber Intelligence Sharing and Protection Act (CISPA).
follows a recent closed door hearing by a House Committee over
the objections of EPIC and other groups. An April 1 letter
signed by EPIC and a coalition of privacy and civil liberty
organizations, urged the House Intelligence Committee to make
CISPA's markup process. The Committee had considered the bill behind
closed doors, removing opportunities for accountability
despite the current prominence of cybersecurity issues both with the
public and in Congress.
CISPA suspends privacy
safeguards so that companies can disclose vast
amounts of customer and client information to the government, including
Security Agency, for "cybersecurity purposes." The
coalition's letter explained that CISPA's threats to privacy and civil
require fundamental changes: "The public has a right to
know how Congress is conducting the people's business, particularly
such important wide-ranging policies are at stake. There have been
many public calls by Members of Congress and administration officials
about the importance of adopting cybersecurity legislation. Yet, many
of our organizations have raised serious concerns about the
privacy and civil liberties and to the public's right to know posed by
CISPA, and the need for fundamental changes to
this bill to protect
those rights. Although the base bill, HR 624, has been made public, it
is also critical that the public be aware
of any amendments under
consideration, and the debate over such amendments," the letter stated.
"All congressional committee hearings
and votes should be conducted in
accordance with our country's highest principles of transparency and
openness and made accessible
to the public," the letter continued.
"Certainly, there are special exceptions when a committee can and
should move to closed session
to consider properly classified
information, but this step should be taken only in specific instances
where needed. The general rule
should be open government…. By keeping
the proceedings secret the Committee obscures any potential amendments
to the bill and
the process by which they are adopted or rejected.
This prevents constituents from holding their individual
on this issue."
EPIC is an advocate for government transparency and currently is
pursuing a lawsuit against the NSA stemming from
a FOIA request for
National Security Presidential Directive 54, which grants the NSA broad
authority over computer networks in the
EPIC: Letter from Coalition of Civil Liberties Groups (Apr. 1, 2013)
US House: Text of HR 624 (CISPA) (Feb. 12, 2013)
EPIC: FOIA request to NSA re: NSPD54 (Jun. 25, 2009)
EPIC: EPIC v. NSA - Cybersecurity Authority
 News in Brief
EPIC's Rotenberg Urges State AGs to Safeguard Consumer Privacy
Speaking at the annual conference of the National Association of
Attorneys General, EPIC President Marc Rotenberg said that state AGs
cannot sit on the sidelines as consumers face increasing risks
identity theft, security breaches, and secretive profiling. Rotenberg
stated that the onus should not be on consumers to keep
up with ever-
changing policy practices: "There is no reason that a customer should
have to go back and check their privacy settings
when a company changes
its business practice," he said. States Attorneys General recently
fined Google $7 million for violating state
consumer protection laws
when the company's "Street View" vehicles, loaded with Internet packet
sniffers, intercepted private residential
communications. EPIC has also
created a promotional video, "Good to Really Know," with consumer
information about online privacy.
NAAG: Annual Conference (Apr. 15, 2013)
NAAG: Settlement with Google re: Street View Violations (Mar. 12, 2013)
EPIC: "Good to Really Know" Video
EPIC: Google Street View
EPIC: Consumer Privacy Bill of Rights
EPIC: Consumer Privacy
Supreme Court Will Not Review Email Privacy Case
The US Supreme Court has declined to review a lower court's decision
privacy. In the case Jennings v. Broome, the South Carolina
Supreme Court held in 2012 that the federal Electronic Communications
Privacy Act (ECPA) does not protect emails stored on remote computer
servers. As a result of this case, users in South Carolina have
privacy protections than users in California, where a federal court has
reached the opposite conclusion. EPIC, joined by 18
organizations, filed an amicus brief in favor of petitioner Jennings,
urging the US Supreme Court to clarify the scope of
US Supreme Court: Decision Not to Review Jennings (Apr. 15, 2013)
Jennings et al.: Petition for Supreme Court Review (Jan. 2013)
EPIC: "Friend of the Court" Brief in Jennings v. Broome (Feb 17, 20130
EPIC: Jennings v. Broome
EPIC: Electronic Privacy Communications Act
Appeals Court: Fed Agencies Must Make "Determinations" in FOIA Requests
The DC Circuit Court has reversed a lower court's decision
with the group Citizens for Responsibility and Ethics in Washington
(CREW) in a case surrounding a federal agency's obligation
to a Freedom of Information Act request. CREW argued that the Federal
Election Commission's response to a FOIA request did not meet the
statutory obligations of
a "determination" under the Act. The federal
appeals court held that an agency must make and communicate a
or not to comply with a FOIA request, as well as
specific exemptions claimed on any withheld documents, within 20
working days of
receiving the request, or within 30 days in exceptional
circumstances. EPIC joined five other prominent open government groups
a "friend of the court" brief in support of CREW.
DC Circuit Court: Decision in CREW FOIA Case (Apr. 2, 2013)
EPIC: "Friend of the Court Brief" in CREW v. FEC (Jun. 18, 2012)
EPIC: Open Government
FTC Releases 2013 Annual Report
The Federal Trade Commission has released its annual report for the
period from April 2012-2013.
The report begins with a description of
the FTC's accomplishments on consumer privacy, and lists the data-
breach lawsuit against
Wyndham, Google's $22.5 million fine for
tracking Safari users, settlements with credit agency Equifax and
data broker Spokeo, and
a survey of the credit reporting industry.
EPIC has previously recommended that the FTC enforce existing consent
orders with Google
and Facebook, require adoption of the Consumer
Privacy Bill of Rights, and modify proposed settlements in response
to public comment.
FTC: Annual Highlights Report for 2012-2013 (Apr. 2013)
EPIC: Letter to Congress re: FTC Legal Enforcement (Dec. 4, 2012)
EPIC: EPIC v. FTC (Enforcement of Google Consent Order)
EPIC: Federal Trade Commission
 EPIC in the News
"Privacy group urges rules distinguish between Cyber crime and Cyber
terror." Government Security News, Apr. 15, 2013.
"Facebook Partners with Attorneys General in Teen Online Safety
Campaign." Pew Stateline, Apr. 15, 2013.
"Trying Passenger Patience." The New York Times, Apr. 15, 2013.
"FBI Sued for Info on Supersnooping Program." Courthouse News, Apr.
"House Intelligence panel OKs CISPA after closed door meeting."
ComputerWorld, Apr. 10, 2013.
"EPIC presses FBI for access to biometric database." The Inquirer,
Apr. 9, 2013.
"EPIC files FOIA lawsuit against FBI for details on biometric
database." BiometricUpdate.com, Apr. 9, 2013.
"EPIC presses FBI in lawsuit for details on biometric database."
NetworkWorld, Apr. 8, 2013.
"The 5 biggest online privacy threats of 2013." PC World, Apr. 8, 2013.
"Domestic drones gain ground." Politico, Apr. 4, 2013.
"Facebook's New Mobile Software Raises Privacy Questions." MediaPost,
Apr. 4, 2013.
"Border Drones Fall Short of Target." The Wall Street Journal, Apr. 2,
"More Privacy Troubles for Google in Europe." CIO Today, Apr. 2, 2013.
"How Data Brokers Profit Off You Without Your (or the Law's)
Knowledge." Digital Trends, Apr. 1, 2013.
For More EPIC in the News: http://epic.org/news/epic_in_news.html
 Book Review: 'SuperVision'
"SuperVision: An Introduction to the Surveillance Society," John
Gilliam and Torin Monahan
John Gilliam and Torin Monahan's engrossing overview of modern
surveillance society steers clear of the conventional paradigms usually
rehashed around surveillance. Instead of invoking privacy and Big
Brother, Gilliam and Monahan explore how deeply surveillance has
integrated into modern life, and the complex relationship we have with
it; the end result is an engaging, practical, and insightful
"SuperVision" begins by describing what encompasses surveillance, which,
in their words, is the "monitoring [of] people in
order to regulate or
govern behavior," then covers a number of important ideas to shape
readers' critical thinking as they read the
book: examples include how
the private sector, not the government, is the main innovator of
surveillance technology; how surveillance
inequalities; how we desire surveillance in some contexts; and how more
surveillance does not necessarily mean
more security. These concepts
lay the groundwork for the different forms of and reasons for the
surveillance described in the rest
of the book.
Professors Gilliam and Monahan are excellent guides of a very large
topic, and their examples are relevant and thought-provoking.
SuperVision describes surveillance in different settings, including
school, the workplace, and on the Web, and our everyday use of
phones, ID cards, loyalty cards, and credit cards; in fact, they call
the cell phone the "perfect symbol of the surveillance
"SuperVision"'s use of common technological items to demonstrate the
depth and pervasiveness of modern surveillance destroy
notion that only malefactors should be concerned about surveillance. As
the authors correctly points out, technologies
shape human behavior and
adaptations and thus increased use of surveillance technology should
concern us all.
an important perspective on the current state of
our surveillance society and reminds us of the importance of critically
about surveillance's ubiquity and complexity; in Gilliom's and
Monahan's words, "technologies are never neutral."
- Jeramie D. Scott
"Litigation Under the Federal Open Government Laws 2010," edited by
A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark
S. Zaid (EPIC 2010). Price: $75.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the
Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC Bookstore http://www.epic.org/bookstore
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
FCBA Young Lawyers Committee - Apps: The Legal and Business Landscape."
Speaker: Alan Butler, Appellate Advocacy Counsel, 16 April
Washington, DC. For More Information: http://www.fcba.org/wp-content/
"ASAP 6th Annual National Training Conference." Speaker: Ginger McCall,
Director, EPIC Open Government Project. 15 May 2013, Arlington,
More Information: http://www.accesspro.org/programs/trainingconf/
EPIC Champion of Freedom Awards Dinner. 3 June 2013, Washington, DC. For
More Information: http://epic.org/june3.
2013 Health Privacy Summit, 5-6 June 2013, Washington, DC. For More
22nd Annual Computers, Freedom, & Privacy Conference. 25-26 June 2013,
Washington, DC. For More Information: Contact Chris Calabrese
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Join us on Twitter for #privchat, Tuesdays, 11:00am ET.
Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent
or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We
do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe
your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
Donate to EPIC
If you'd like to support the work of the
Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and
sent to 1718 Connecticut Ave. NW, Suite
200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.
Thank you for your support.
Subscribe/unsubscribe via web interface:
Back issues are available at: http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 20.07------------------------