EPIC Alert 21.15
E P I C A l e r t
Volume 21.15 August 19, 2014
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 EPIC FOIA: FISA Criticized, Congress Ignored, NSA Pen Trap Program
 EPIC Demands Report Detailing CIA's Surveillance of
 EPIC Sues FBI for Missing Privacy Reports
 EPIC Seeks Information About Secret Surveillance Authority
Privacy Groups Urge Court to Reject Google Settlement
 News in Brief
 EPIC in the News
 EPIC Bookstore
 Upcoming Conferences
TAKE ACTION: Vote for EPIC's 2015 SXSW Panels!
VOTE for Privacy/Innovation Panel: http://panelpicker.sxsw.com/vote/39903
VOTE for Brand Creepiness Panel: http://panelpicker.sxsw.com/vote/39657
SUPPORT EPIC: https://epic.org/support/
 EPIC FOIA: FISA Criticized, Congress Ignored, NSA
Pen Trap Program
In a Freedom of Information Act lawsuit against the US Department of
Justice, EPIC has obtained hundreds of pages of documents about the
NSA's Pen Register "trap
and trace" program, operational from 2005 to
The documents EPIC received in response to the lawsuit include the US
original FISA application seeking authorization to collect
metadata from millions of emails, as well as declarations from NSA
describing the program. The documents also show that FISA
Court Judge John Bates chastised the agency for "long-standing and
violations of the prior [court] orders in this matter."
The documents prove that although the FISA Court first authorized the
in 2004, the legal justification was not provided to Congress
until 2009. According to the documents, the then-US Attorney General
Alberto Gonzalez withheld information about the program in testimony
before the Senate Intelligence Committee prior the reauthorization
the legal authority. The pen register program was shut down in 2011
after a detailed review showed numerous problems.
the Wiretap Act, government agencies must report to Congress
annually about the use of pen registers and other communications
devices. EPIC's initial October 2013 FOIA request asked
for more information from the agency about how many surveillance
were being filed by the federal government, what information
the agencies were reporting to Congress, and what Congressional
mechanisms were in place.
EPIC plans to challenge several withholdings in these documents.
EPIC: FOIA Documents on FISA Pen
Register Program (Aug. 8, 2014)
EPIC: Memorandum Opinion on FISA Judge John Bates [Date Redacted]
EPIC: DOJ Application for Use of Pen Registers (2005)
EPIC: AG Gonzales Congressional Testimony (Apr. 27, 2005)
EPIC: NSA Pen Register/Trap and Trace NSA Review [Date Redacted]
EPIC: Complaint Against DOJ re: FOIA Request (Dec. 9, 2013)
EPIC: Original FOIA Request to DOJ re: Pen Register (Oct. 3, 2013)
EPIC: EPIC v. DOJ (Pen Register Reports)
EPIC: Foreign Intelligence Surveillance Court
 EPIC Demands Report Detailing CIA's Surveillance of
EPIC has filed a Freedom of Information Act request for the CIA
Inspector General's report detailing the agency's surveillance of the
US Senate Intelligence Committee. EPIC
is seeking "all final reports
of the CIA Inspector General regarding the CIA's involvement in the
penetration of the Senate Intelligence
Committee's computer network."
In March 2014, Senator Dianne Feinstein (D-CA), head of the Senate
Intelligence Committee, publicly
accused the CIA of secretly removing
documents accessible to the Committee, searching computers used by the
Committee, and attempting
to intimidate congressional investigators by
requesting an FBI inquiry of their conduct. The Committee had been
CIA's torture program of the early and mid-2000s.
After Senator Feinstein's accusations, the CIA's Inspector General
an investigation and concluded that the agency's actions had
been improper. On July 31, the IG published a redacted summary of the
official findings in The Washington Post. Among other findings, the IG
revealed that five CIA employees, consisting of "two attorneys
three information technology (IT) staff members, improperly accessed or
caused access to" the intelligence committee's networks.
The IG also
stated that the CIA had surveilled Congressional emails, including "a
keyword search of all and a review of some of
However, the CIA's Inspector General has failed to make the actual
report public. As EPIC's FOIA request noted, "[T]his
summary does not
provide sufficient detail for the public to evaluate the agency's
actions. It does not include essential details,
for instance: the
level of seniority of the agency officials who accessed the Committee
computers, the number of times the computers
specifically what files or documents were accessed, what was done with
the improperly accessed data from the computers,
and what remedies the
Inspector General recommends."
EPIC: FOIA Request to CIA IG re: Senate Surveillance (Jul. 31, 2014)
The Washington Post: Redacted CIA IG Report (Jul. 31, 2014)
US Senate: Sen. Feinstein Speech on CIA Surveillance (Mar. 11, 2014)
EPIC: EPIC v. CIA (Domestic Surveillance)
EPIC: FOIA Cases
 EPIC Sues FBI for Missing Privacy Reports
EPIC has filed a Freedom of Information Act lawsuit to obtain details
about the Federal Bureau of Investigation's surveillance programs.
The FBI is required to conduct Privacy
Impact Assessments whenever it
collects and uses personal data. However, the agency has failed to
publicly release these assessments
for many programs, including facial
recognition, drones, and license plate readers. According to
E-Government Act and Justice Department
guidelines, all privacy
assessments should be made public if practicable. EPIC, joined by a
coalition of organizations, recently
urged the US Attorney General to
immediately conduct a privacy assessment of the FBI's Next Generation
Identification (NGI) program,
which collects massive amounts of
biometric data on US citizens.
According to the Department of Justice, government privacy assessments
are tools "used to facilitate the identification of potential privacy
issues; assess whether additional privacy documentation is
and ultimately, to ensure the Department's compliance with applicable
privacy laws and policies," as well as to "help
promote trust between
the public and the Department by increasing transparency of the
Department's systems and missions." The FBI
has stated to Congress that
it has drafted several privacy assessments, but EPIC's complaint notes
that the Bureau has not publicly
released the reports. According to
EPIC, "[Privacy Impact Assessments] provide an important means for the
public to assess the
government's efforts to protect its privacy and
serve as a check against the encroachment on privacy by the government."
long worked to bring transparency and accountability to law
enforcement efforts to use new surveillance and information technology
to collect and store personal information on US citizens. EPIC's
lawsuit follows a letter earlier in 2014 that urged the Attorney
General to review the goals of the FBI's NGI program to ensure that
the biometric information collection "does not become a tool
surveillance of innocent Americans." EPIC previously requested FOIA
documents regarding the FBI's Facial Analysis Comparison
(FACE) Services unit. In June 2013 comments to the Department of
Homeland Security, EPIC urged DHS to conduct a
impact assessment on the Office of Biometric Identity Management's
collection of biometrics at ports of entry
to the United States.
EPIC: EPIC v. FBI FOIA Complaint (Aug. 1, 2014)
GPO: E-Government Act of 2002
DOJ Privacy Office: PIA Official Guidance (March 2012)
EPIC: FBI Next Gen. ID System (NGI) Letter (June 24, 2014)
DOJ Privacy Office: Initial PIA Instructions & Template (Mar. 2010)
US Senate: Hearing on Facial Recognition Technology (Jul. 2012)
US Senate: Oversight of FBI (June 2013)
EPIC: EPIC v. FBI -- Privacy Assessments
EPIC: FOIA Request for FBI FACE Services Unit (March 2013)
EPIC: Comments on DHS Biometric Data Collection (June 2013)
 EPIC Seeks Information About Secret Surveillance
EPIC has filed a series of Freedom of Information Act requests for
documents related to the US government's collection of private
communications data under Executive Order 12333. Established
in 1981 by
President Reagan, Executive Order 12333 created broad surveillance
authorities for the Intelligence Community, largely
outside the scope
of public law. EO 12333 often serves an alternate basis of authority
for surveillance activities, above and beyond
the provisions of the
Foreign Intelligence Surveillance Act.
EPIC has sent FOIA requests to Intelligence Community agencies
the US Attorney General's Office, the Office of the Director
of National Intelligence, and the NSA, seeking secret policies that
govern US intelligence agencies' collection of Internet data outside of
the United States. EPIC has asked specifically for "Any
regulations, white papers, final memoranda, guidelines, or training
materials interpreting or addressing the collection,
dissemination, or sharing of electronic communications or meta data
under EO J2333," as well as "[t]he most recent version
of IC member
agency procedures adopted under EO 12333." The Washington Post reported
in 2013 that the NSA had infiltrated private
communications held on
EPIC recently won a suit against the NSA for release of documents
related to the agency's
pen-register "trap and trace" program. In
2013, EPIC filed a Petition for Mandamus with the US Supreme Court,
seeking to end the
bulk collection of American's phone records. EPIC's
petition was supported by legal scholars, technical experts and former
of the Church Committee.
EPIC: Executive Order 12333
The Washington Post: "Meet Executive Order 12333: The Reagan rule that
lets the NSA spy on Americans" (Jul. 18, 2014)
The Washington Post: "NSA infiltrates links to Yahoo, Google data
centers worldwide, Snowden documents say" (Oct. 30, 2013)
EPIC: FOIA Request to US AG re: EO 12333 (Jul. 31, 2014)
EPIC: FOIA Request to the ODNI re: EO 12333 (Jul. 31 2014)
EPIC: FOIA Request to NSA re: EO 12333 (Jul. 31, 2014)
EPIC: EPIC v. DOJ - Pen Register Reports
EPIC: In re EPIC - NSA Telephone Records Surveillance
 Consumer Privacy Groups Urge Court to Reject Google
The Federal Trade Commission has responded
to a letter written by EPIC
and a group of other leading privacy organizations urging the agency to
oppose a collusive Google class
action settlement. In the “Google
Referrer Header" case, a group of Google users alleged that Google
information about "referrer headers." EPIC and the
same privacy groups had written a 2013 letter to Judge Davila of the
District of California, urging him to reject the settlement.
When users browse the Internet, information about the most recent
a user visits is coded and placed on the top, or the "header," of the
user’s server's request. When the user clicks
on a website link, the
user's server asks the website's server for permission to connect. Many
commercial websites use that information
for advertising purposes.
Thus, users' previous web browsing activity can be disclosed to third-
Under the Google
Referrer Header proposed settlement agreement,
Google will distribute several million dollars to a handful of
of which already have ties to the company. EPIC and
the other consumer privacy groups have pointed out that this
does nothing to remediate the underlying privacy
harms to consumers, nor does it require Google to change its practices.
EPIC reminded the Commission that the Referrer Header
settlement agreement violates a 2011 Consent Order forbidding Google
disclosing users'data without users' permission. "The proposed
settlement is bad for consumers, bad for online privacy, and does
nothing to change Google's business practices. It is not just a bad or
imperfect settlement; it is a farce," the coalition's letter
Privacy groups, members of the plaintiff class, and even potential
recipients of the settlement money have recognized
the settlement as
unfair and bad for consumers. In addition to EPIC and the other
consumer groups, the Center for Class Action
Fairness, an advocacy
group focused on fighting class action settlements that do not fairly
compensate consumers, has filed a brief
on behalf of two of the
Referrer Header class members. Recently, the MacArthur Foundation
withdrew as a named recipient of settlement
funds because of concerns
about the cy pres allocation.
Judge Davila will decide on August 28 whether to approve the final
FTC: Letter to EPIC (Aug. 6, 2014)
EPIC: Letter to FTC (Jul. 31, 2014)
EPIC: Plaintiffs' Notice in Class Action Settlement (Jul. 25, 2014)
9th Circuit Court: In re Google Referrer Header (Apr. 23, 2013)
EPIC: Letter to Judge in Google Referrer Header Case (Aug. 22, 2013)
EPIC: "Friend of the Court" Brief in Fraley (Mar. 20, 2014)
EPIC: Fraley v. Facebook
EPIC: EPIC v. FTC (Enforcement of Google Consent Order)
FTC: In the Matter of Google, Inc. (Oct. 24, 2011)
EPIC: Search Engine Privacy
 News in Brief
Senator Schumer Calls On Regulators to Make Fitness Data Private
Senator Charles Schumer (D-NY) has denounced the data collection
practices of "activity trackers" such as FitBit. Activity trackers are
mobile devices that record highly personal information about
and constantly analyze the wearer's activities, including their diet,
exercise, sleep, and even sexual habits. However,
it is not clear
whether federal privacy law protects this personal data from disclosure
to third parties. EPIC has commented extensively
on the privacy
protections that are necessary in the "Internet of Things," and has
frequently pointed out the potential for misuse
when companies collect
data about sensitive consumer behavior. EPIC also has made several
recommendations to improve the privacy
protections on devices such as
activity trackers, including requiring companies to adopt Privacy
Enhancing Techniques, respect
a consumer's choice not to tracked,
profiled, or monitored, minimize data collection, and ensure
transparency in both design and
operation of Internet-connected devices.
Sen Charles Schumer (D-NY): Activity Tracker Privacy (Aug. 10, 2014)
EPIC: Comments to FTC on "Internet of Things" (Jun. 1, 2013)
EPIC: Practical Privacy Tools
 EPIC in the News
"Eight Ways to Protect Student Data." Harvard Education Letter, July/
"Digital Lineups." Reason, August/September 2014.
"Newly Released Documents Show NSA Abused Its Discontinued Internet
Metadata Program Just Like It Abused Everything Else." TechDirt,
"Are activity trackers a 'privacy nightmare'?" Fox News, Aug. 13, 2014.
"Naughty NSA was so drunk on data it forgot collection rules." The
Register UK, Aug. 13, 2014.
"Surveillance Court Judge Criticized NSA 'Overcollection' of Data."
The Wall Street Journal, Aug. 11, 2014.
"Baby steps toward more security online for users." USA Today, Aug. 7,
"Facebook's new friends: Researchers studying you." USA Today, Aug. 7,
"Tech Experts See Good and Bad Sides of Robots." The Wall Street
Journal, Aug. 6, 2014.
"Some districts shine, others falter in coupling of learning and
online media." Chalkbeat, Aug. 6, 2014.
"U.S. Military Plugs Into Social Media for Intelligence Gathering."
The Wall Street Journal, Aug. 6, 2014.
"EPIC sues the FBI over missing citizen-surveillance reports." V3 UK,
Aug. 4, 2014.
"Tips for protecting your online privacy." Consumer Affairs, Aug. 1,
"Watching Google's European privacy show." San Jose Mercury News,
Aug. 1, 2014.
"Leahy Bill Aims to Rein In Government Snooping." TechNews World,
July 31, 2014.
"Virginia Woolf, Meet Marc Rotenberg." Privacy Perspectives, Jul. 30,
For More EPIC in the News: http://epic.org/news/epic_in_news.html
 EPIC Bookstore
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's
March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth
analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the
25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights
2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world.
It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the
Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives
on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC Bookstore: http://www.epic.org/bookstore
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained
from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
"Developing Policies for the Internet of Things," Featuring EPIC
President Marc Rotenberg. Aspen, CO: Aspen Institute Communication
Society Program, Aug. 13-16, 2014. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.
The EPIC Alert mailing list is used only
to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend
to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list,
please follow the above instructions under "subscription
The Electronic Privacy Information Center is
a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues
such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale
of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718
Connecticut Ave. NW, Suite
200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.
Subscribe/unsubscribe via web interface:
Back issues are available at: http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 21.15------------------------