
EPIC Alert



EPIC Alert 21.16 [2014] EPICAlert 17


======================================================================= E P I C A l e r t ======================================================================= Volume 21.16 September 3, 2014 ----------------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. "Defend Privacy. Support EPIC." ========================================================================= Table of Contents ========================================================================= [1] Federal Judge: Proposed Google Settlement "Doesn't Pass Smell Test" [2] EPIC FOIA Finds $1.6B DC Army Blimps Loaded with Spy Gear, Missiles [3] Security Experts: EPIC Correct on Body Scanner Flaws, Dangers [4] European Facebook User Privacy Lawsuit Moves Forward [5] Senator Rockefeller Investigates Airline Privacy Practices [6] News in Brief [7] EPIC in the News [8] EPIC Book Review: 'What Stays in Vegas' [9] Upcoming Conferences and Events TAKE ACTION: Vote for EPIC's 2015 SXSW Panels! VOTE for Privacy/Innovation Panel: VOTE for Brand Creepiness Panel: SUPPORT EPIC: ========================================================================= [1] Federal Judge: Proposed Google Settlement "Doesn't Pass Smell Test" ========================================================================= A federal judge reviewing a proposed class action settlement in a case over Google’s disclosure of user data to third parties has said that the settlement "doesn't pass the smell test." A coalition of consumer privacy organizations, including EPIC, had urged the judge to reject the settlement because it required no substantial change in Google’s business practices and provided no benefit to class members. Plaintiffs in the case allege that Google transferred personal information contained in their searches to third parties including data brokers and marketers. 
Specifically, the plaintiffs challenged Google's sharing of "referrer header" information generated during their web searches. Under the proposed settlement, Google will be allowed to continue to engage in this practice, which class counsel originally argued provided the basis for the lawsuit. EPIC and the coalition of consumer privacy organizations urged the court to reject the proposed settlement because it would result in no substantial change in Google’s business practices and would provide no benefit to class members. The consumer privacy organizations also pointed out the cy pres funds would be directed to the schools that the attorneys in the case attended and not to organizations aligned with the interests of class members. The consumer privacy organizations wrote to the judge when the settlement was first proposed and again last week, before the final fairness hearing. The groups cited the skepticism expressed by Supreme Court Chief Justice John Roberts about a similar privacy settlement. The consumer privacy groups also alerted the FTC Class Action Fairness Project and the California Attorney General about the pending settlement. Both the Federal Trade Commission and the California Attorney General recently objected to a similar proposed cy pres settlement. Bloomberg News: "Google's Accord with Harvard Tie Fails Judge's Smell Test" (Aug. 29, 2014) privacy-accord-not-sufficient.html EPIC: Letter to Judge in Google Referrer Header Case (Aug. 22, 2013) 9th Circuit: Proposed Settlement in Google Case (Mar. 26, 2014) EPIC: Class Action Settlement in Google Case (Jul. 25, 2014) EPIC: Letter to FTC re: Google Referrer Header (Jul. 31, 2014) FTC: Letter to EPIC re: Google Referrer Header (Aug. 6, 2014) Supreme Court: Statement of Chief Justice re Marek v. Lane (Nov. 2013) EPIC: Fraley v. 
Facebook EPIC: Search Engine Privacy ======================================================================== [2] EPIC FOIA Finds $1.6B DC Army Blimps Loaded with Spy Gear, Missiles ======================================================================== EPIC has received substantial new documentation about the surveillance blimps now deployed over Washington, DC. The surveillance blimp program, called JLENS, is based at the Aberdeen Proving Grounds in Maryland and will continue to be deployed over Washington, DC over the next three years. JLENS is comprised of two 250-foot blimps. One blimp conducts aerial and ground surveillance, while the other has targeting capability including HELLFIRE missiles. The JLENS was originally deployed in Iraq. The documents were released to EPIC in a Freedom of Information Act lawsuit against the Department of the Army. EPIC sent the initial FOIA request in November 2013, seeking technical specifications as well as any policies limiting domestic surveillance. After the Army failed to respond to the request, EPIC filed a FOIA lawsuit in DC District Court. On August 20 EPIC received a first interim release of 139 pages of documents from the Department of the Army. These pages contain two documents: the majority of the Performance Specification for the JLENS, and the Amendment/Modification of Contract between the Department of the Army and contractor Raytheon. The documents state that the Army paid Raytheon $1.6 billion for JLENS. They also describe event data recording equipment that records for at least 12 continuous hours, as well as surveillance equipment that initiates target identification and automatic tracking. According to the documents, the blimps' equipment can operate at a distance of 550 km (341.7 miles), and the surveillance equipment can differentiate between humans and vehicles at a range of 5 km. 
EPIC will continue to receive documents related to JLENS through October 10, the Army's deadline for completing the document production. EPIC's goal in this lawsuit is to determine what surveillance data the Army plans to collect during the 3-year JLENS test, as well as how the Army plans to process, store, redact, or delete that data. US Army: First Interim Document Production (Aug. 19, 2014) EPIC: EPIC v. Army Complaint (May 6, 2014) EPIC: FOIA Request to Army (Nov. 1, 2013) The Washington Post: "Blimplike surveillance craft set to deploy over Maryland heighten privacy concerns" (Jan. 22, 2014) surveillance-crafts-set-to-deploy-over-maryland-heighten-privacy-concerns/2014/01/22/71a48796-7ca1-11e3-95c6-0a7aa80874bc_story.html EPIC: EPIC v. Army - Surveillance Blimps ========================================================================= [3] Security Experts: EPIC Correct on Body Scanner Flaws, Dangers ========================================================================= The first independent analysis of backscatter x-ray body scanners corroborates EPIC's longstanding claims: The scanners are invasive and ineffective. The study, conducted by researchers at institutions including the University of Michigan, Johns Hopkins University, and UC San Diego and first publicized at the August 2014 Usenix Security Symposium, confirmed it was possible to conceal knives, guns, and explosives from the x-ray body scanners. The researchers also demonstrated how the security of the machine, and thus any privacy protections, could be compromised by hardware- and software-based attacks. The researchers concluded that the Rapiscan Secure 1000 scanner could be effective against a "naïve attacker." 
However, they stated, the machines' threats to privacy, potential threats to health, and the fact that they are "ineffective as a contraband screening solution against an adaptive adversary who has access to a device to study and use for testing and refining attacks" make them far less effectual than the products the TSA had promoted. In a detailed report published in 2005, EPIC warned that the x-ray body scanners amounted to a "virtual strip search." EPIC's report argued that the scanners' utility for airport screening was limited and did not justify the invasive search. Freedom of Information Act documents obtained by EPIC in 2010 revealed that the TSA could disable the body scanner's privacy settings; that the nude images could be stored on the machines, and that the scanners ran on a standard operating system, making them vulnerable to outside security threats. During a 2011 Congressional oversight hearing on TSA body scanners, EPIC's testimony brought these issues to Congress's attention. EPIC and a coalition of civil liberties organizations then petitioned DHS Secretary Napolitano to suspend the program. When DHS failed to do so, EPIC sued the agency. The DC Circuit Court of Appeals ruled in 2011 in EPIC v. DHS that the agency must begin a public rulemaking. The backscatter X-ray scanners were removed from US airports in 2013, replaced by the less controversial millimeter wave body scanners. "Security Analysis of a Full-Body Scanner" (Aug. 2014) EPIC: Spotlight on Surveillance (Backscatter Machines) (June 2005) EPIC: Analysis of EPIC FOIA Docs re: body scanners (Jan. 11, 2010) EPIC: Congressional Testimony re: Body Scanners (Mar. 16, 2011) EPIC: Petition for Suspension of TSA Backscatter Program (Apr. 2010) EPIC: Court Opinion: EPIC v. DHS - Petition for Review (July 15, 2011) EPIC: Comments to TSA re: body scanners (June 24, 2013) EPIC: EPIC v. DHS (Suspension of Body Scanner Program) EPIC: Whole Body Imaging Technology. 
========================================================================= [4] European Facebook User Privacy Lawsuit Moves Forward ========================================================================= A Viennese court has determined that a group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. Facebook users filed the class action in August 2014. The lawsuit is "based on the following unlawful acts of Facebook Ireland: (1) data use policy which is invalid under EU law; (2) the absence of effective consent to many types of data use; (3) support of the NSA's 'PRISM' surveillance programme; (4) tracking of Internet users on external websites (e.g. through 'Like buttons'); (5) monitoring and analysis of users through 'big data' systems; (6) unlawful introduction of 'graph search'; and unauthorised passing on of user data to external applications [.]" In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. That same year, following a complaint filed by EPIC and a group of American consumer privacy organizations, Facebook signed a privacy consent order with the Federal Trade Commission. EPIC has also filed a "friend of the court" brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave Schrems the International Privacy Champion of Freedom Award, calling him "an innovative and effective spokesperson for the right to privacy." Facebook Class Action ZDNet: "Facebook Forced to Respond to Privacy Complaints of 25,000 Europeans" (Aug. 21, 2014) complaints-of-25000-europeans-7000032840/ Europe v. Facebook: Class Action Suit (Aug. 8, 2014) Europe v. Facebook: Response to Irish DP 'Audit' (Dec. 
4, 2012) FTC: In the Matter of Facebook, Inc. EPIC: Initial Facebook Complaint (Dec. 17, 2009) EPIC: "Friend of the Court" Brief in Fraley (Feb. 20, 2014) EPIC et al.: Re Fraley v. Facebook Proposed Settlement (July 11, 2012) FTC: Press Release on Facebook Settlement (Nov. 29, 2011) EPIC: In re Facebook EPIC: Federal Trade Commission ========================================================================= [5] Senator Rockefeller Investigates Airline Privacy Practices ========================================================================= Senator Jay Rockefeller IV (D-WV) is seeking information from 10 US airlines on how those airlines safeguard consumer traveler data. Sen. Rockefeller has requested information regarding: (1) the type of information airlines collect; (2) airlines' data retention periods; (3) airline privacy and security safeguards governing consumer information; (4) whether consumers may access and amend their information; (5) whether airlines sell or disclose consumer information and if so, to whom do they disclose the consumer data; and (6) how airlines inform consumers about airline privacy policies governing consumer information. Senator Rockefeller directed his letter to United, Delta, American, Southwest, US Airways, JetBlue, Alaska, Hawaiian, SkyWest, and Spirit airlines, which are the "top ten revenue generating U.S. passenger airlines." The federal Privacy Act governs how federal agencies like the Department of Homeland Security collect, maintain, use, and disseminate air traveler information. Currently, no federal privacy law controls how commercial airlines maintain passenger information. In his letter, Senator Rockefeller states, "Data collected during ticket purchase can include a passenger's name, credit card numbers, date of birth, addresses, travel destinations, and travel companions, among other information." 
Rockefeller is the Chairman of the Senate Committee on Commerce, Science, and Transportation and finds that "consumer protection considerations are integral to the Committee's work in reviewing and developing policies to promote a thriving U.S. airline industry." He has requested that the airlines respond to his inquiry by September 5, 2014. EPIC routinely urges the Department of Homeland Security to provide privacy protections for air travelers and end the agency's secret "risk-based" passenger profiling. In 2004, a FOIA lawsuit by EPIC revealed that the Federal Bureau of Investigation obtained one full year’s worth of Northwest Airlines passenger data. The amount of personal data was so large that Northwest provided the data to the FBI on 6000 CDs. EPIC’s FOIA case followed a 2002 report that JetBlue Airways provided 5 million passenger itineraries to Torch Concepts, a defense contractor, for proof-of-concept testing of a Pentagon project unrelated to airline security, without the passengers’ consent. US Senate: Sen. Rockefeller Inquiry (Aug. 18, 2014) EPIC: Comments to DHS on TSA PreCheck (Oct. 10, 2013) EPIC: Comments to DHS on "Automated Targeting System" (June 21, 2012) EPIC: Air Travel Privacy EPIC: Passenger Profiling EPIC: Secure Flight EPIC: EPIC v. DHS (Suspension of Body Scanner Program) EPIC: EPIC v. DHS et al. re: Passenger Data Collection ======================================================================== [6] News in Brief ======================================================================== EU Launches Investigation Into Facebook Acquisition of WhatsApp Antitrust officials in the European Union have begun an investigation into Facebook's acquisition of messaging service WhatsApp. WhatsApp gained popularity based in part on a pro-privacy approach to user data. 
Following the announcement of Facebook's plan to acquire the company, EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to users, but questions remain about future business practices. Now European antitrust regulators have served Facebook with a questionnaire of more than 70 pages to determine whether the merger violates European antitrust laws. WSJ: "Facebook Seeks EU Antitrust Review of WhatsApp Deal" (May 28, 2014) of-whatsapp-deal-1401269230 WhatsApp EPIC: Initial Complaint to FTC re: WhatsApp (Mar. 6, 2014) EPIC: Supplemental Complaint to FTC re: WhatsApp (Mar. 21, 2014) EPIC: FTC Response to Facebook re: WhatsApp Deal (Apr. 10, 2014) WSJ: "EU Sends Questionnaire to Rivals Over Facebook Deal With WhatsApp" (Sep 1, 2014) over-facebook-deal-with-whatsapp-1409577419 EPIC: In re WhatsApp EPIC: FTC Department of Transportation Seeks Public Comment on Connected Cars The National Highway Traffic Safety Administration, part of the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes," and will be mandated sometime in the future. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. In 2013, EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." Fed. Register: NHTSA RFC on Vehicle-to-Vehicle Tech (Aug. 20, 2014) Fed. Register: NHTSA RFC on Connected Car Research (Aug. 20, 2014) EPIC et al.: Comments to NHTSA on Event Data Recorders (Feb. 
11, 2013) EPIC: Event Data Recorders EPIC: Comments to FTC on 'Internet of Things' (Jun. 1, 2013) ======================================================================== [7] EPIC in the News ======================================================================== "What Do Schools Risk By Going 'Full Google'?" KQED, Aug. 28, 2014. going-full-google/ "Privacy Groups Seek To Scuttle Google's $8.5 Million Class-Action Settlement." MediaPost, Aug. 27, 2014. groups-seek-to-scuttle-googles-85-milli.html "Is Google's Free Software A Good Deal For Educators?" NPR, Aug. 26, 2014. software-a-good-deal-for-educators "What Are Schools Doing with Your Kids' Data?" Yahoo News, Aug. 25, 2014. data-95682103324.html "This is why you can't trust the NSA. Ever." The Week, Aug. 22, 2014. the-nsa-ever "Senator Probes Airline Privacy Policies." GovInfo Security, Aug. 20, 2014. policies-a-7210 For More EPIC in the News: ======================================================================== [8] EPIC Book Review: 'What Stays in Vegas' ======================================================================== "What Stays in Vegas: The World of Personal Data—Lifeblood of Big Business—and the End of Privacy as We Know It," Adam Tanner In "What Stays in Vegas," journalist Adam Tanner retells the now-familiar story of how personal data and predictive analytics have revolutionized the marketing world over the past 15 years. The book's title is a riff on the early 2000s Vegas marketing theme "What Happens Here, Stays Here," oft repeated as "What Happens in Vegas, Stays in Vegas." But the title actually could be a reference to Dr. Gary Loveman, a Harvard Business School professor who consulted for the Caesar's Palace company in the 1990s and became CEO in 2003. Loveman's goal was to use data and quantitative analysis to make Caesars dramatically more profitable, largely by improving the yield of current customers and (eventually) reaching out to new ones. 
Tanner shows how, under Loveman's direction, the casino was able to use its loyalty program to turn the previously anonymous practice of feeding coins into a slot machine into a tightly monitored activity. To this end, Caesars installed loyalty card readers on each machine, so that gamblers could get points and status in return for their efforts. The most profitable customers eventually received free food, drinks, hotel nights, and even plane tickets — all designed to keep them happy and coming back to Vegas, where their money presumably stayed long after they left for home. But beyond Loveman and gamblers' money, very little else stays in Vegas, it seems. Tanner shows how public records from Vegas, the marriage capital of the US, are systematically harvested by data aggregators and sold to websites offering cut-rate background searches. Neither do these business practices stay in Vegas - aggregators now use the same tactics to obtain records from most other counties in the US. While Tanner works hard to return to Vegas every chapter or two, he manages to summarize many significant privacy news stories of the Internet age, including the re-identification of AOL users from their search terms, Netflix users from their movie rankings, and former Massachusetts Governor William Weld (and many other people) from their medical records. Much is written about Facebook, including how users' personalities can be inferred from their "Likes" and their sexual orientation from that of their "friends." What distinguishes Tanner's efforts from others in this genre is his focus on the personal histories of Vegas business titans. These stories make the book entertaining and memorable — unfortunately, they are so much center stage that the book's would-be technical explanations are frequently superficial or altogether missing. 
This is a fun book for introducing a wide variety of issues, but those who want to actually understand the emergence of big data and predictive analytics will need to go elsewhere. -- Simson Garfinkel =================================== [8] EPIC Book Store =================================== "Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75. Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years. ================================ "Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98. This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law. 
================================ "Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75. This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published. ================================ "The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40. This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process. ================================ "The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40. The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act. ================================ "Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). 
Price: $20. A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression. ================================ EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at: EPIC Bookstore: ================================ EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act. Subscribe to EPIC FOIA Notes at: ======================================================================= [9] Upcoming Conferences and Events ======================================================================= TPRC 42nd Conference on Communication, Information and Internet Policy, Featuring EPIC Consumer Protection Counsel Julia Horwitz. Arlington, VA: Sept. 12-14, 2014. For More Information: OECD Forum of the Knowledge Economy. Speaker: EPIC President Marc Rotenberg. Tokyo: Oct. 2, 2014. For More Information: International Working Group on Data Protection and Telecommunications. Speaker: EPIC President Marc Rotenberg. Berlin: Oct. 14-15, 2014. For More Information: OECD Experts on International Security Guidelines. Speaker: EPIC President Marc Rotenberg. Paris: Oct. 27, 2014. For More Information: review.htm. ======================================================================= Join EPIC on Facebook and Twitter ======================================================================= Join the Electronic Privacy Information Center on Facebook and Twitter: Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC. ======================================================================= Privacy Policy ======================================================================= The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. 
We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information." ======================================================================= About EPIC ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax). ======================================================================= Support EPIC ======================================================================= If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at: Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values. 
======================================================================= Subscription Information ======================================================================= Subscribe/unsubscribe via web interface: Back issues are available at: The EPIC Alert displays best in a fixed-width font, such as Courier. ------------------------- END EPIC Alert 21.16------------------------
