EPIC Alert 21.16
E P I C A l e r t
Volume 21.16 September 3, 2014
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 Federal Judge: Proposed Google Settlement "Doesn't Pass Smell Test"
 EPIC FOIA Finds $1.6B DC Army Blimps Loaded with Spy Gear, Missiles
 Security Experts: EPIC Correct on Body Scanner Flaws, Dangers
 European Facebook User Privacy Lawsuit Moves
 Senator Rockefeller Investigates Airline Privacy Practices
 News in Brief
 EPIC in the News
 EPIC Book Review: 'What Stays in Vegas'
 Upcoming Conferences and Events
TAKE ACTION: Vote for EPIC's 2015 SXSW Panels!
VOTE for Privacy/Innovation
VOTE for Brand Creepiness Panel: http://panelpicker.sxsw.com/vote/39657
SUPPORT EPIC: https://epic.org/support/
 Federal Judge: Proposed Google Settlement "Doesn't Pass Smell Test"
A federal judge reviewing a proposed class action settlement in a case
over Google’s disclosure of user data to third parties has said that
the settlement "doesn't pass the smell test." A coalition of consumer
privacy organizations, including EPIC, had urged the judge to reject
the settlement because it required no substantial change in Google’s
business practices and provided no benefit to class members.
in the case allege that Google transferred personal
information contained in their searches to third parties including data
and marketers. Specifically, the plaintiffs challenged Google's
sharing of "referrer header" information generated during their
Under the proposed settlement, Google will be allowed to continue
to engage in this practice, which class counsel
provided the basis for the lawsuit.
EPIC and the coalition of consumer privacy organizations urged the
judge to reject the proposed settlement because it would result in no
substantial change in Google’s business practices and would
provide no benefit to class members. The consumer privacy
organizations also pointed out the cy pres funds would be directed to
the schools that the attorneys in the case attended and not to
organizations aligned with the interests of class members.
privacy organizations wrote to the judge when the
settlement was first proposed and again last week, before the
hearing. The groups cited the skepticism expressed
by Supreme Court Chief Justice John Roberts about a similar
The consumer privacy groups also alerted the FTC Class Action Fairness
Project and the California Attorney General about the pending
settlement. Both the Federal Trade Commission and the California
Attorney General recently objected to a similar proposed cy pres
Bloomberg News: "Google's Accord with Harvard Tie Fails Judge's Smell
Test" (Aug. 29, 2014)
EPIC: Letter to Judge in Google Referrer Header Case (Aug. 22, 2013)
9th Circuit: Proposed Settlement in Google Case (Mar. 26, 2014)
EPIC: Class Action Settlement in Google Case (Jul. 25, 2014)
EPIC: Letter to FTC re: Google Referrer Header (Jul. 31, 2014)
FTC: Letter to EPIC re: Google Referrer Header (Aug. 6, 2014)
Supreme Court: Statement of Chief Justice re Marek v. Lane (Nov. 2013)
EPIC: Fraley v. Facebook
EPIC: Search Engine Privacy
 EPIC FOIA Finds $1.6B DC Army Blimps Loaded with Spy Gear, Missiles
EPIC has received substantial new documentation about the surveillance
blimps now deployed over Washington, DC. The surveillance blimp
program, called JLENS, is based at the Aberdeen Proving Grounds in
Maryland and will continue to be deployed over Washington, DC over the
next three years.
JLENS is comprised of two 250-foot blimps. One blimp conducts aerial
and ground surveillance, while the other has targeting capability
missiles. The JLENS was originally deployed in Iraq.
The documents were released to EPIC in a Freedom of Information Act
lawsuit against the Department of the Army. EPIC sent the initial FOIA
request in November 2013, seeking technical specifications as well as
any policies limiting domestic surveillance. After the Army failed to
respond to the request, EPIC filed a FOIA lawsuit in DC District Court.
On August 20 EPIC received a first interim release of 139 pages of
documents from the Department of the Army. These pages contain two
documents: the majority of the Performance Specification for the JLENS,
and the Amendment/Modification of Contract between the Department of
the Army and contractor Raytheon.
The documents state that the Army paid Raytheon $1.6 billion
They also describe event data recording equipment that records for at
least 12 continuous hours, as well as surveillance
initiates target identification and automatic tracking. According to
the documents, the blimps' equipment can operate at a distance of 550
km (341.7 miles), and the surveillance equipment can differentiate
between humans and vehicles at a range of 5 km.
EPIC will continue to receive documents related to JLENS through
October 10, the Army's deadline for completing the document
EPIC's goal in this lawsuit is to determine what surveillance data the
Army plans to collect during the 3-year JLENS test, as well as how the
Army plans to process, store, redact, or delete that data.
US Army: First Interim Document Production (Aug. 19, 2014)
EPIC: EPIC v. Army Complaint (May 6, 2014)
EPIC: FOIA Request to Army (Nov. 1, 2013)
The Washington Post: "Blimplike surveillance craft set to deploy over
Maryland heighten privacy concerns" (Jan. 22, 2014)
EPIC: EPIC v. Army - Surveillance Blimps
 Security Experts: EPIC Correct on Body Scanner Flaws, Dangers
The first independent analysis of backscatter x-ray body scanners
corroborates EPIC's longstanding claims: The scanners are invasive and
ineffective. The study, conducted by researchers at institutions
including the University of Michigan, Johns Hopkins University, and UC
San Diego and first publicized at the August 2014 Usenix Security
Symposium, confirmed it was possible to conceal knives, guns, and
explosives from the x-ray body scanners. The researchers also
demonstrated how the security of the machine, and thus any privacy
protections, could be compromised by hardware- and software-based
The researchers concluded that the Rapiscan Secure 1000 scanner could
be effective against a "naïve attacker." However, they stated, the
machines' threats to privacy, potential threats to health, and the
fact that they are "ineffective as a contraband screening solution
against an adaptive adversary who has access to a device to study and
testing and refining attacks" make them far less effectual than
the products the TSA had promoted.
In a detailed report published in 2005, EPIC warned that the x-ray body
scanners amounted to a "virtual strip search." EPIC's report argued
that the scanners' utility for airport screening was limited and did
not justify the invasive search. Freedom of Information Act documents
obtained by EPIC in 2010 revealed that the TSA could disable the body
scanner's privacy settings; that the nude images could be stored on the
machines, and that the scanners ran on a standard operating system,
making them vulnerable to outside security threats. During a 2011
Congressional oversight hearing on TSA body scanners, EPIC's testimony
brought these issues to Congress's
EPIC and a coalition of civil liberties organizations then petitioned
DHS Secretary Napolitano to suspend the program. When DHS failed to do
so, EPIC sued the agency. The DC Circuit Court of Appeals ruled in 2011
in EPIC v. DHS that the agency must begin a public rulemaking. The
backscatter X-ray scanners were removed from US airports in 2013,
replaced by the less controversial millimeter wave body scanners.
Radsec.org: "Security Analysis of a Full-Body Scanner" (Aug. 2014)
EPIC: Spotlight on Surveillance (Backscatter Machines) (June 2005)
EPIC: Analysis of EPIC FOIA Docs re: body scanners (Jan. 11, 2010)
EPIC: Congressional Testimony re: Body Scanners (Mar. 16, 2011)
EPIC: Petition for Suspension of TSA Backscatter Program (Apr. 2010)
EPIC: Court Opinion: EPIC v. DHS - Petition for Review (July 15, 2011)
EPIC: Comments to TSA re: body scanners (June 24, 2013)
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)
EPIC: Whole Body Imaging Technology
 European Facebook User Privacy Lawsuit Moves
A Viennese court has determined that a group of over 25,000 European
Facebook users may proceed with their lawsuit against Facebook. The
users, led by privacy activist Max Schrems, charge Facebook with
violating EU privacy law by improperly handling users' data. Now that
the court has approved the class action suit, Facebook must respond to
Facebook users filed the class action in August 2014. The lawsuit is
the following unlawful acts of Facebook Ireland: (1) data use
policy which is invalid under EU law; (2) the absence of effective
consent to many types of data use; (3) support of the NSA's 'PRISM'
surveillance programme; (4) tracking of Internet users on external
websites (e.g. through 'Like buttons'); (5) monitoring and analysis
of users through 'big data' systems; (6) unlawful introduction
'graph search'; and unauthorised passing on of user data to external
In 2011, Schrems brought a similar lawsuit against Facebook in an Irish
court. That same year, following a complaint filed by EPIC and a group
of American consumer privacy organizations, Facebook signed a privacy
consent order with the Federal Trade Commission. EPIC has also filed a
"friend of the court" brief in a federal class action lawsuit, opposing
Facebook's use of children's images for advertising purposes. In 2013,
EPIC gave Schrems the International Privacy Champion of Freedom Award,
calling him "an innovative and effective spokesperson for the right to
Facebook Class Action
ZDNet: "Facebook Forced to Respond to Privacy Complaints of 25,000
Europeans" (Aug. 21, 2014)
Europe v. Facebook: Class Action Suit (Aug. 8, 2014)
Europe v. Facebook: Response to Irish DP 'Audit' (Dec. 4, 2012)
FTC: In the Matter of Facebook, Inc.
EPIC: Initial Facebook Complaint (Dec. 17, 2009)
EPIC: "Friend of the Court" Brief in Fraley (Feb. 20, 2014)
EPIC et al.: Re Fraley v. Facebook Proposed Settlement (July 11, 2012)
FTC: Press Release on Facebook Settlement (Nov. 29, 2011)
EPIC: In re Facebook
EPIC: Federal Trade Commission
 Senator Rockefeller Investigates Airline Privacy Practices
Senator Jay Rockefeller IV (D-WV) is seeking information from 10 US
airlines on how those airlines safeguard consumer traveler data. Sen.
Rockefeller has requested information regarding: (1) the type of
information airlines collect; (2) airlines' data retention periods;
(3) airline privacy and security safeguards governing consumer
information; (4) whether consumers may access and amend their
information; (5) whether airlines sell or disclose consumer
information and if so, to whom do they disclose the consumer data; and
(6) how airlines inform consumers about airline privacy policies
governing consumer information.
Senator Rockefeller directed his letter to United, Delta, American,
Southwest, US Airways, JetBlue, Alaska, Hawaiian, SkyWest, and Spirit
airlines, which are the "top ten revenue generating U.S. passenger
airlines." The federal Privacy Act governs how federal agencies like
the Department of Homeland Security collect, maintain, use,
disseminate air traveler information. Currently, no federal privacy law
controls how commercial airlines maintain passenger
In his letter, Senator Rockefeller states, "Data collected during
ticket purchase can include a passenger's name, credit card numbers,
date of birth, addresses, travel destinations, and travel companions,
among other information." Rockefeller is the Chairman of the Senate
Committee on Commerce, Science, and Transportation and finds that
"consumer protection considerations are integral to the Committee's
work in reviewing and developing policies to promote a thriving U.S.
airline industry." He has requested that the airlines respond to his
inquiry by September 5, 2014.
EPIC routinely urges the Department of Homeland Security
privacy protections for air travelers and end the agency's secret
"risk-based" passenger profiling.
In 2004, a FOIA lawsuit by EPIC revealed that the Federal Bureau of
Investigation obtained one full year’s worth of Northwest Airlines
data. The amount of personal data was so large that Northwest
provided the data to the FBI on 6000 CDs. EPIC’s FOIA case followed
2002 report that JetBlue Airways provided 5 million passenger
itineraries to Torch Concepts, a defense contractor, for
proof-of-concept testing of a Pentagon project unrelated to airline
security, without the passengers’ consent
US Senate: Sen. Rockefeller Inquiry (Aug. 18, 2014)
EPIC: Comments to DHS on TSA PreCheck (Oct. 10, 2013)
EPIC: Comments to DHS on "Automated Targeting System" (June 21, 2012)
EPIC: Air Travel Privacy
EPIC: Passenger Profiling
EPIC: Secure Flight
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)
EPIC: EPIC v. DHS et al. re: Passenger Data Collection
 News in Brief
EU Launches Investigation Into Facebook Acquisition of WhatsApp
Antitrust officials in the European Union have begun an investigation
into Facebook's acquisition of messaging service WhatsApp. WhatsApp
gained popularity based in part on a pro-privacy approach to
Following the announcement of Facebook's plan to acquire the company,
EPIC filed two complaints with the Federal Trade Commission, urging the
FTC to block the sale unless adequate privacy safeguards for WhatsApp
users were established. The Commission then notified Facebook and
WhatsApp that they must honor their privacy commitments to users, but
questions remain about future business practices. Now European
antitrust regulators have served Facebook with a questionnaire of more
than 70 pages to determine whether the merger violates European
WSJ: "Facebook Seeks EU Antitrust Review of WhatsApp Deal" (May 28,
EPIC: Initial Complaint to FTC re: WhatsApp (Mar. 6, 2014)
EPIC: Supplemental Complaint to FTC re: WhatsApp (Mar. 21, 2014)
EPIC: FTC Response to Facebook re: WhatsApp Deal (Apr. 10, 2014)
WSJ: "EU Sends Questionnaire to Rivals Over Facebook Deal With
WhatsApp" (Sep 1, 2014)
EPIC: In re WhatsApp
Department of Transportation Seeks Public Comment on Connected Cars
The National Highway Traffic Safety Administration, part of the
Department of Transportation, is soliciting public comments on the
privacy and security implications of connected "vehicle-to-vehicle"
technology. According to the agency, the technology transmits data
between vehicles to "facilitate warnings to drivers concerning
impending crashes," and will be mandated sometime in the future. NHTSA
is also soliciting comments on a connected car research
Comments on both are due October 20, 2014. In 2013, EPIC, joined by a
coalition of privacy and consumer rights organizations and members of
the public, urged NHTSA to protect driver privacy and establish privacy
safeguards for car "black boxes."
Fed. Register: NHTSA RFC on Vehicle-to-Vehicle Tech (Aug. 20, 2014)
Fed. Register: NHTSA RFC on Connected Car Research (Aug. 20, 2014)
EPIC et al.: Comments to NHTSA on Event Data Recorders (Feb. 11, 2013)
EPIC: Event Data Recorders
EPIC: Comments to FTC on 'Internet of Things' (Jun. 1, 2013)
 EPIC in the News
"What Do Schools Risk By Going 'Full Google'?" KQED, Aug. 28, 2014.
"Privacy Groups Seek To Scuttle Google's $8.5 Million Class-Action
Settlement." MediaPost, Aug. 27, 2014.
"Is Google's Free Software A Good Deal For Educators?" NPR, Aug. 26,
"What Are Schools Doing with Your Kids' Data?" Yahoo News, Aug. 25,
"This is why you can't trust the NSA. Ever." The Week, Aug. 22, 2014.
"Senator Probes Airline Privacy Policies." GovInfo Security, Aug. 20,
For More EPIC in the News: http://epic.org/news/epic_in_news.html
 EPIC Book Review: 'What Stays in Vegas'
"What Stays in Vegas: The World of Personal Data—Lifeblood of Big
Business—and the End of Privacy as We Know It,"
In "What Stays in Vegas," journalist Adam Tanner retells the
now-familiar story of how personal data and predictive analytics have
revolutionized the marketing world over the past 15 years.
The book's title is a riff on the early 2000s Vegas marketing theme
"What Happens Here, Stays Here," oft repeated as "What Happens in
Vegas, Stays in Vegas." But the title actually could be a reference
to Dr. Gary Loveman, a Harvard Business School professor who consulted
for the Caesar's Palace company in the 1990s and became CEO in 2003.
Loveman's goal was to use data and quantitative analysis to make
Caesars dramatically more profitable, largely by improving the yield of
current customers and (eventually) reaching out to new ones.
Tanner shows how, under Loveman's direction, the casino was able to use
its loyalty program to turn the previously anonymous practice of
feeding coins into a slot machine into a tightly monitored activity.
To this end, Caesars installed loyalty card readers on each machine, so
that gamblers could get points and status in return for their efforts.
The most profitable customers eventually received free food, drinks,
hotel nights, and even plane tickets — all designed to keep them happy
and coming back to Vegas, where their money presumably stayed long
they left for home.
But beyond Loveman and gamblers' money, very little else stays in
Vegas, it seems. Tanner shows how public records from Vegas, the
marriage capital of the US, are systematically harvested by data
aggregators and sold to websites offering
searches. Neither do these business practices stay in Vegas -
aggregators now use the same tactics to obtain records from most
other counties in the US.
While Tanner works hard to return to Vegas every chapter or two, he
manages to summarize many significant privacy news stories of the
Internet age, including the re-identification of AOL users from their
Netflix users from their movie rankings, and former
Massachusetts Governor William Weld (and many other people) from their
records. Much is written about Facebook, including how users'
personalities can be inferred from their "Likes" and their sexual
from that of their "friends."
What distinguishes Tanner's efforts from others in this genre is his
focus on the personal histories of Vegas business titans. These stories
make the book entertaining and memorable — unfortunately, they are so
stage that the book's would-be technical explanations are
frequently superficial or altogether missing. This is a fun book for
introducing a wide variety of issues, but those who want to actually
understand the emergence of big data and predictive analytics
to go elsewhere.
-- Simson Garfinkel
 EPIC Book Store
"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
S. Zaid (EPIC 2010). Price: $75.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC Bookstore: http://www.epic.org/bookstore
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.
Subscribe to EPIC FOIA Notes at:
 Upcoming Conferences and Events
TPRC 42nd Conference on Communication, Information and Internet Policy,
Featuring EPIC Consumer Protection Counsel Julia Horwitz.
VA: Sept. 12-14, 2014. For More Information: http://www.tprcweb.com/.
OECD Forum of the Knowledge Economy. Speaker: EPIC President Marc
Rotenberg. Tokyo: Oct. 2, 2014. For More Information:
International Working Group on Data Protection and Telecommunications.
Speaker: EPIC President Marc Rotenberg. Berlin: Oct. 14-15,
For More Information: http://www.datenschutz-berlin.de/.
OECD Experts on International Security Guidelines. Speaker: EPIC
President Marc Rotenberg. Paris: Oct. 27, 2014. For More Information:
Join EPIC on Facebook and Twitter
Join the Electronic Privacy Information Center on Facebook and Twitter:
Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite
200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.
Subscribe/unsubscribe via web interface:
Back issues are available at: http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 21.16 -------------------------