WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2014 >> [2014] EPICAlert 15

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 21.15 [2014] EPICAlert 15

EPIC Alert 21.15

======================================================================= E P I C A l e r t ======================================================================= Volume 21.15 August 19, 2014 ----------------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. "Defend Privacy. Support EPIC." ========================================================================= Table of Contents ========================================================================= [1] EPIC FOIA: FISA Criticized, Congress Ignored, NSA Pen Trap Program [2] EPIC Demands Report Detailing CIA's Surveillance of Congress [3] EPIC Sues FBI for Missing Privacy Reports [4] EPIC Seeks Information About Secret Surveillance Authority [5] Consumer Privacy Groups Urge Court to Reject Google Settlement [6] News in Brief [7] EPIC in the News [8] EPIC Bookstore [9] Upcoming Conferences and Events TAKE ACTION: Vote for EPIC's 2015 SXSW Panels! VOTE for Privacy/Innovation Panel: VOTE for Brand Creepiness Panel: SUPPORT EPIC: ========================================================================= [1] EPIC FOIA: FISA Criticized, Congress Ignored, NSA Pen Trap Program ========================================================================= In a Freedom of Information Act lawsuit against the US Department of Justice, EPIC has obtained hundreds of pages of documents about the NSA's Pen Register "trap and trace" program, operational from 2005 to 2011. The documents EPIC received in response to the lawsuit include the US government's original FISA application seeking authorization to collect metadata from millions of emails, as well as declarations from NSA officials describing the program. The documents also show that FISA Court Judge John Bates chastised the agency for "long-standing and pervasive violations of the prior [court] orders in this matter." The documents prove that although the FISA Court first authorized the program in 2004, the legal justification was not provided to Congress until 2009. According to the documents, the then-US Attorney General Alberto Gonzalez withheld information about the program in testimony before the Senate Intelligence Committee prior the reauthorization of the legal authority. The pen register program was shut down in 2011 after a detailed review showed numerous problems. Under the Wiretap Act, government agencies must report to Congress annually about the use of pen registers and other communications surveillance devices. EPIC's initial October 2013 FOIA request asked for more information from the agency about how many surveillance requests were being filed by the federal government, what information the agencies were reporting to Congress, and what Congressional oversight mechanisms were in place. EPIC plans to challenge several withholdings in these documents. EPIC: FOIA Documents on FISA Pen Register Program (Aug. 8, 2014) EPIC: Memorandum Opinion on FISA Judge John Bates [Date Redacted] EPIC: DOJ Application for Use of Pen Registers (2005) EPIC: AG Gonzales Congressional Testimony (Apr. 27, 2005) EPIC: NSA Pen Register/Trap and Trace NSA Review [Date Redacted] EPIC: Complaint Against DOJ re: FOIA Request (Dec. 9, 2013) EPIC: Original FOIA Request to DOJ re: Pen Register (Oct. 3, 2013) EPIC: EPIC v. DOJ (Pen Register Reports) EPIC: Foreign Intelligence Surveillance Court ======================================================================== [2] EPIC Demands Report Detailing CIA's Surveillance of Congress ======================================================================== EPIC has filed a Freedom of Information Act request for the CIA Inspector General's report detailing the agency's surveillance of the US Senate Intelligence Committee. EPIC is seeking "all final reports of the CIA Inspector General regarding the CIA's involvement in the penetration of the Senate Intelligence Committee's computer network." In March 2014, Senator Dianne Feinstein (D-CA), head of the Senate Intelligence Committee, publicly accused the CIA of secretly removing documents accessible to the Committee, searching computers used by the Committee, and attempting to intimidate congressional investigators by requesting an FBI inquiry of their conduct. The Committee had been investigating the CIA's torture program of the early and mid-2000s. After Senator Feinstein's accusations, the CIA's Inspector General conducted an investigation and concluded that the agency's actions had been improper. On July 31, the IG published a redacted summary of the official findings in The Washington Post. Among other findings, the IG revealed that five CIA employees, consisting of "two attorneys and three information technology (IT) staff members, improperly accessed or caused access to" the intelligence committee's networks. The IG also stated that the CIA had surveilled Congressional emails, including "a keyword search of all and a review of some of the emails." However, the CIA's Inspector General has failed to make the actual report public. As EPIC's FOIA request noted, "[T]his summary does not provide sufficient detail for the public to evaluate the agency's actions. It does not include essential details, for instance: the level of seniority of the agency officials who accessed the Committee computers, the number of times the computers were accessed, specifically what files or documents were accessed, what was done with the improperly accessed data from the computers, and what remedies the Inspector General recommends." EPIC: FOIA Request to CIA IG re: Senate Surveillance (Jul. 31, 2014) The Washington Post: Redacted CIA IG Report (Jul. 31, 2014) National-Security/Graphics/Cleaned2014-07-30%20Unclass%20Summary%20 of%20RDI%20ROI%2031%20Jul%2014.pdf US Senate: Sen. Feinstein Speech on CIA Surveillance (Mar. 11, 2014) EPIC: EPIC v. CIA (Domestic Surveillance) EPIC: FOIA Cases ========================================================================= [3] EPIC Sues FBI for Missing Privacy Reports ========================================================================= EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Federal Bureau of Investigation's surveillance programs. The FBI is required to conduct Privacy Impact Assessments whenever it collects and uses personal data. However, the agency has failed to publicly release these assessments for many programs, including facial recognition, drones, and license plate readers. According to E-Government Act and Justice Department guidelines, all privacy assessments should be made public if practicable. EPIC, joined by a coalition of organizations, recently urged the US Attorney General to immediately conduct a privacy assessment of the FBI's Next Generation Identification (NGI) program, which collects massive amounts of biometric data on US citizens. According to the Department of Justice, government privacy assessments are tools "used to facilitate the identification of potential privacy issues; assess whether additional privacy documentation is required; and ultimately, to ensure the Department's compliance with applicable privacy laws and policies," as well as to "help promote trust between the public and the Department by increasing transparency of the Department's systems and missions." The FBI has stated to Congress that it has drafted several privacy assessments, but EPIC's complaint notes that the Bureau has not publicly released the reports. According to EPIC, "[Privacy Impact Assessments] provide an important means for the public to assess the government's efforts to protect its privacy and serve as a check against the encroachment on privacy by the government." EPIC has long worked to bring transparency and accountability to law enforcement efforts to use new surveillance and information technology to collect and store personal information on US citizens. EPIC's lawsuit follows a letter earlier in 2014 that urged the Attorney General to review the goals of the FBI's NGI program to ensure that the biometric information collection "does not become a tool for surveillance of innocent Americans." EPIC previously requested FOIA documents regarding the FBI's Facial Analysis Comparison and Evaluation (FACE) Services unit. In June 2013 comments to the Department of Homeland Security, EPIC urged DHS to conduct a comprehensive privacy impact assessment on the Office of Biometric Identity Management's collection of biometrics at ports of entry to the United States. EPIC: EPIC v. FBI FOIA Complaint (Aug. 1, 2014) GPO: E-Government Act of 2002 DOJ Privacy Office: PIA Official Guidance (March 2012) EPIC: FBI Next Gen. ID System (NGI) Letter (June 24, 2014) DOJ Privacy Office: Initial PIA Instructions & Template (Mar. 2010) US Senate: Hearing on Facial Recognition Technology (Jul. 2012) US Senate: Oversight of FBI (June 2013) EPIC: EPIC v. FBI -- Privacy Assessments EPIC: FOIA Request for FBI FACE Services Unit (March 2013) EPIC: Comments on DHS Biometric Data Collection (June 2013) ========================================================================= [4] EPIC Seeks Information About Secret Surveillance Authority ========================================================================= EPIC has filed a series of Freedom of Information Act requests for documents related to the US government's collection of private communications data under Executive Order 12333. Established in 1981 by President Reagan, Executive Order 12333 created broad surveillance authorities for the Intelligence Community, largely outside the scope of public law. EO 12333 often serves an alternate basis of authority for surveillance activities, above and beyond the provisions of the Foreign Intelligence Surveillance Act. EPIC has sent FOIA requests to Intelligence Community agencies including the US Attorney General's Office, the Office of the Director of National Intelligence, and the NSA, seeking secret policies that govern US intelligence agencies' collection of Internet data outside of the United States. EPIC has asked specifically for "Any policies, regulations, white papers, final memoranda, guidelines, or training materials interpreting or addressing the collection, retention, dissemination, or sharing of electronic communications or meta data under EO J2333," as well as "[t]he most recent version of IC member agency procedures adopted under EO 12333." The Washington Post reported in 2013 that the NSA had infiltrated private communications held on servers abroad. EPIC recently won a suit against the NSA for release of documents related to the agency's pen-register "trap and trace" program. In 2013, EPIC filed a Petition for Mandamus with the US Supreme Court, seeking to end the bulk collection of American's phone records. EPIC's petition was supported by legal scholars, technical experts and former members of the Church Committee. EPIC: Executive Order 12333 The Washington Post: "Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans" (Jul. 18, 2014) the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/ 93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html The Washington Post: "NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say" (Oct. 30, 2013) infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden- documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_ story.html EPIC: FOIA Request to US AG re: EO 12333 (Jul. 31, 2014) EPIC: FOIA Request to the ODNI re: EO 12333 (Jul. 31 2014) EPIC: FOIA Request to NSA re: EO 12333 (Jul. 31, 2014) EPIC: EPIC v. DOJ - Pen Register Reports EPIC: In re EPIC - NSA Telephone Records Surveillance ========================================================================= [5] Consumer Privacy Groups Urge Court to Reject Google Settlement ========================================================================= The Federal Trade Commission has responded to a letter written by EPIC and a group of other leading privacy organizations urging the agency to oppose a collusive Google class action settlement. In the “Google Referrer Header" case, a group of Google users alleged that Google unlawfully disclosed information about "referrer headers." EPIC and the same privacy groups had written a 2013 letter to Judge Davila of the Northern District of California, urging him to reject the settlement. When users browse the Internet, information about the most recent site a user visits is coded and placed on the top, or the "header," of the user’s server's request. When the user clicks on a website link, the user's server asks the website's server for permission to connect. Many commercial websites use that information for advertising purposes. Thus, users' previous web browsing activity can be disclosed to third- party advertisers. Under the Google Referrer Header proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and the other consumer privacy groups have pointed out that this distribution agreement does nothing to remediate the underlying privacy harms to consumers, nor does it require Google to change its practices. Further, EPIC reminded the Commission that the Referrer Header settlement agreement violates a 2011 Consent Order forbidding Google from disclosing users'data without users' permission. "The proposed settlement is bad for consumers, bad for online privacy, and does nothing to change Google's business practices. It is not just a bad or imperfect settlement; it is a farce," the coalition's letter explains. Privacy groups, members of the plaintiff class, and even potential recipients of the settlement money have recognized the settlement as unfair and bad for consumers. In addition to EPIC and the other consumer groups, the Center for Class Action Fairness, an advocacy group focused on fighting class action settlements that do not fairly compensate consumers, has filed a brief on behalf of two of the Referrer Header class members. Recently, the MacArthur Foundation withdrew as a named recipient of settlement funds because of concerns about the cy pres allocation. Judge Davila will decide on August 28 whether to approve the final settlement. FTC: Letter to EPIC (Aug. 6, 2014) EPIC: Letter to FTC (Jul. 31, 2014) EPIC: Plaintiffs' Notice in Class Action Settlement (Jul. 25, 2014) 9th Circuit Court: In re Google Referrer Header (Apr. 23, 2013) EPIC: Letter to Judge in Google Referrer Header Case (Aug. 22, 2013) EPIC: "Friend of the Court" Brief in Fraley (Mar. 20, 2014) EPIC: Fraley v. Facebook EPIC: EPIC v. FTC (Enforcement of Google Consent Order) FTC: In the Matter of Google, Inc. (Oct. 24, 2011) EPIC: Federal Trade Commission EPIC: Search Engine Privacy ======================================================================== [6] News in Brief ======================================================================== Senator Schumer Calls On Regulators to Make Fitness Data Private Senator Charles Schumer (D-NY) has denounced the data collection practices of "activity trackers" such as FitBit. Activity trackers are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "Internet of Things," and has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC also has made several recommendations to improve the privacy protections on devices such as activity trackers, including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer's choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. Sen Charles Schumer (D-NY): Activity Tracker Privacy (Aug. 10, 2014) EPIC: Comments to FTC on "Internet of Things" (Jun. 1, 2013) EPIC: FTC EPIC: Practical Privacy Tools ======================================================================== [7] EPIC in the News ======================================================================== "Eight Ways to Protect Student Data." Harvard Education Letter, July/ August 2014. protect-student-data "Digital Lineups." Reason, August/September 2014. "Newly Released Documents Show NSA Abused Its Discontinued Internet Metadata Program Just Like It Abused Everything Else." TechDirt, Aug. 14, 2014. released-documents-show-nsa-abused-its-discontinued-internet- metadata-program-just-like-it-abused-everything-else.shtml "Are activity trackers a 'privacy nightmare'?" Fox News, Aug. 13, 2014. privacy-nightmare/ "Naughty NSA was so drunk on data it forgot collection rules." The Register UK, Aug. 13, 2014. collection_rules/ "Surveillance Court Judge Criticized NSA 'Overcollection' of Data." The Wall Street Journal, Aug. 11, 2014. nsa-overcollection-of-data-1407806807?tesla=y "Baby steps toward more security online for users." USA Today, Aug. 7, 2014. encryption-https/13740403/ "Facebook's new friends: Researchers studying you." USA Today, Aug. 7, 2014. "Tech Experts See Good and Bad Sides of Robots." The Wall Street Journal, Aug. 6, 2014. and-bad-sides-of-robots/tab/print/ "Some districts shine, others falter in coupling of learning and online media." Chalkbeat, Aug. 6, 2014. falter-in-coupling-of-learning-and-online-media/#.U-OyP4BdU7c "U.S. Military Plugs Into Social Media for Intelligence Gathering." The Wall Street Journal, Aug. 6, 2014. media-for-intelligence-gathering-1407346557?mod=_newsreel_5 "EPIC sues the FBI over missing citizen-surveillance reports." V3 UK, Aug. 4, 2014. missing-citizen-surveillance-reports "Tips for protecting your online privacy." Consumer Affairs, Aug. 1, 2014. online-privacy-080114.html "Watching Google's European privacy show." San Jose Mercury News, Aug. 1, 2014. watching-googles-european-privacy-show "Leahy Bill Aims to Rein In Government Snooping." TechNews World, July 31, 2014. "Virginia Woolf, Meet Marc Rotenberg." Privacy Perspectives, Jul. 30, 2014. rotenberg/ For More EPIC in the News: ======================================================================== [8] EPIC Bookstore ======================================================================== "Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75. Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years. ================================ "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. ================================ "Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75. This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20. A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at: EPIC Bookstore: ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: ======================================================================= [9] Upcoming Conferences and Events ======================================================================= "Developing Policies for the Internet of Things," Featuring EPIC President Marc Rotenberg. Aspen, CO: Aspen Institute Communication and Society Program, Aug. 13-16, 2014. For More Information: ======================================================================= Join EPIC on Facebook and Twitter ======================================================================= Join the Electronic Privacy Information Center on Facebook and Twitter: Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC. ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). ======================================================================= Support EPIC ======================================================================= If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at: Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values. ======================================================================= Subscription Information ======================================================================= Subscribe/unsubscribe via web interface: Back issues are available at: The EPIC Alert displays best in a fixed-width font, such as Courier. ------------------------- END EPIC Alert 21.15------------------------

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback