
EPIC Alert



EPIC Alert 21.04 [2014] EPICAlert 4


========================================================================
E P I C   A l e r t
========================================================================
Volume 21.04                                           February 28, 2014
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

========================================================================
Table of Contents
========================================================================
[1] EPIC, Coalition Urge Obama to Act on Privacy Bill of Rights
[2] EPIC Urges FTC to Strengthen Safe Harbor Settlements
[3] EPIC Files FOIA Suit for Information on 'Hemisphere' Telco Database
[4] EPIC Files Brief in Facebook Case, Urges Rejection of Settlement
[5] Massachusetts Court Upholds Location Privacy Protection
[6] News in Brief
[7] EPIC in the News
[8] EPIC Bookstore
[9] Upcoming Conferences and Events

========================================================================
[1] EPIC, Coalition Urge Obama to Act on Privacy Bill of Rights
========================================================================

EPIC, in conjunction with a coalition of 40 public interest organizations, has urged President Obama to implement the White House's 2012 Consumer Privacy Bill of Rights, a comprehensive framework for privacy protection including individual control and transparency; respect for context; and focused collection and better access, accuracy, and accountability. The coalition's letter marks the two-year anniversary of the Administration's introduction of the Privacy Bill of Rights.

"We urge you to work with those in Congress who favor the privacy rights of Americans, who support updates to privacy law, and who understand why this issue is so critical to so many Americans," the letter stated. "And let those who stand in the way explain to their constituents why they believe that it is not necessary for Congress to do anything further to protect the fundamental rights of Americans."

President Obama called the Consumer Privacy Bill of Rights framework a "blueprint for privacy in the information age" and said his administration "will work to advance these principles and work with Congress to put them into the law." The White House also stated the desire for Congress to strengthen the authority of the Federal Trade Commission, so the agency could "enforce each element of the statutory Consumer Privacy Bill of Rights."

In recent comments to the Federal Trade Commission about pending settlements in several Safe Harbor enforcement actions, EPIC urged the agency to revise proposed orders to require companies to comply with the Consumer Privacy Bill of Rights. EPIC also recommended the Commission revise the proposed consent order in order to publish companies' "compliance reports as they are submitted" and strengthen the sanctions against a DNA testing firm whose "privacy misrepresentations" put genetic information at risk.

EPIC et al.: Letter to President re: CPBR (Feb. 24, 2014)
The White House: Consumer Privacy Bill of Rights (Feb. 23, 2012)
The White House: Fact Sheet on CPBR (Feb. 23, 2012)
EPIC: White House Consumer Privacy Bill of Rights (Feb. 2012)
EPIC: Comments to FTC re: Safe Harbor Settlements (Feb. 20, 2014)

========================================================================
[2] EPIC Urges FTC to Strengthen Safe Harbor Settlements
========================================================================

EPIC has submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions. The Safe Harbor Framework is an international approach to privacy compliance in which industries set voluntary standards.
Coordinated by the US Department of Commerce, the Safe Harbor program allows firms to "self-certify privacy" policies in lieu of establishing substantive privacy protections within the US. The Federal Trade Commission is the agency responsible for penalizing US firms that incorrectly claim current Safe Harbor certification. However, since Safe Harbor is a self-certification program, the FTC can only "sanction" companies by proscribing them from making future misrepresentations.

EPIC submitted comments to the FTC after the agency published settlement agreements with 12 companies that misrepresented Safe Harbor compliance. The companies belong to a variety of industries, including retail, professional football, laboratory science, data brokers, debt collectors, and information security. Each of the companies had self-certified to the Safe Harbor Framework, but according to the FTC investigation, the companies failed to renew self-certification while continuing to represent to consumers that they were current members of the Safe Harbor Framework. The FTC's settlement agreements prohibited the companies from making those representations and required them to provide annual reports about their compliance with the agreements, but did not impose any other penalty.

EPIC's comments recommended that the FTC revise the proposed orders to:

(1) require the companies to comply with the Consumer Privacy Bill of Rights;
(2) publish the companies' consent order compliance reports as they are submitted; and
(3) strengthen the sanctions against a DNA testing firm, whose misrepresentations put genetic information at risk.

The Consumer Privacy Bill of Rights, a comprehensive framework published by the White House in 2012, lists seven substantive privacy protections for consumers that would ensure that consumers' personal data is protected throughout the data lifecycle.
EPIC noted that by requiring companies to comply with the Consumer Privacy Bill of Rights, the FTC would "put in place the baseline privacy standards that are widely recognized around the world and necessary to protect the interests of consumers." EPIC also noted that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers."

EPIC: Comments to the FTC re: Safe Harbor (Feb. 20, 2014)
FTC: Safe Harbor
FTC: Press Release on Safe Harbor Settlement (Jan. 21, 2014)
EPIC: EU Data Protection Directive
EPIC: Federal Trade Commission

========================================================================
[3] EPIC Files FOIA Suit for Information on 'Hemisphere' Telco Database
========================================================================

EPIC has filed a Freedom of Information Act lawsuit for records on "Hemisphere," a massive telephone record collection program operated by the Drug Enforcement Administration in cooperation with AT&T. In September 2013, The New York Times obtained and published a PowerPoint presentation of DEA training slides. The slides revealed some information about the collection program's scope and the agencies and companies involved, but the public's knowledge about Hemisphere remains extremely limited.

According to the PowerPoint slides published by the Times, the Hemisphere program allows law enforcement agencies to access billions of detailed phone records that pass through AT&T switches. Thus, not only are AT&T customers' calls subject to collection, but also the calls of non-customers if those calls are routed through an AT&T switch. The types of data collected under the program include call duration, origin and destination phone numbers, date and time, and even the caller's location. Furthermore, Hemisphere records date back to 1987, allowing law enforcement to search almost 30 years of phone calls.
According to the slides, law enforcement personnel can search the Hemisphere database during routine criminal investigations unrelated to national security.

EPIC filed the complaint after the federal agency failed to respond to EPIC's FOIA request for information on Hemisphere's operation and legal authority. EPIC asked the DEA to provide any other training modules and any legal or policy memos addressing the rationale for tethering the program to judicial authority. EPIC also requested any communications to Congress about the program, particularly those that justify Hemisphere's privacy impact. When the DEA failed to issue a determination - that is, grant or deny EPIC's request - EPIC filed the lawsuit to compel the agency to comply with the FOIA.

EPIC has previously challenged the NSA's bulk collection of telephone records in a petition to the US Supreme Court. EPIC's petition asked the Court to halt the disclosure of the telephone records of millions of Americans, arguing that the judicial authority claimed by the NSA did not actually have the power to compel Verizon to turn over all domestic telephone "metadata." EPIC's petition argued that an order halting the program was "warranted because the [foreign intelligence court] exceeded its statutory jurisdiction when it ordered production of millions of domestic telephone records that cannot plausibly be relevant to an authorized investigation."

EPIC: EPIC v. DEA - Hemisphere
EPIC: Complaint in EPIC v. DEA - Hemisphere (Feb. 26, 2014)
EPIC: FOIA Request to DEA re: Hemisphere (Nov. 15, 2013)
ONDCP: Hemisphere Training PowerPoint Slides (2013)
EPIC: In re EPIC - NSA Telephone Records Surveillance
EPIC: Petition to the Supreme Court (Jul. 8, 2013)

========================================================================
[4] EPIC Files Brief in Facebook Case, Urges Rejection of Settlement
========================================================================

EPIC has filed a "friend of the court" brief in the 9th Circuit, urging the appeals court to overturn a controversial consumer privacy settlement. The settlement in Facebook v. Fraley purports to conclude a case over Facebook's "Sponsored Stories" advertising scheme. Sponsored Stories showed a user's name and profile picture to their friends when the user "liked" third-party or commercial pages - implying that the user had endorsed the page in question and would recommend it to their friends. If the Fraley v. Facebook settlement is approved, Facebook will continue to display the images of Facebook users, including minors, for commercial endorsement without consent.

Many Facebook users opposed "Sponsored Stories," and several have formally objected to the settlement, including a children's advocacy organization that said that the existing "settlement is actually worse than no settlement." The Campaign for Commercial-Free Childhood turned down $290,000 in settlement money - an amount approximately equal to the organization's yearly budget. The group said that the settlement agreement "harms vulnerable teenagers and their families under the guise of helping them . . . we cannot benefit from a settlement which we now realize is harmful to children and will impede future efforts to protect minors' privacy on Facebook."

The MacArthur Foundation also withdrew from receiving any settlement money in the case, stating it should not have been designated to receive funds. In a statement, the MacArthur Foundation urged that the funds should be redirected to "other non-profit organizations engaged in the underlying issues."

EPIC's brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected.
The brief highlighted the settlement's structural flaw of allowing Facebook to continue using an advertising method that was the source of the very litigation that produced the settlement: "Under the Settlement," EPIC wrote, "Facebook would be allowed to continue the very practice that gave rise to the users' cause of action. The Settlement would authorize the unlawful use of minor images without parental consent, and would provide no meaningful injunctive relief to class members." EPIC also emphasized that by continuing to use minor children's images in Sponsored Stories, Facebook would violate the criminal misappropriation laws of several states.

EPIC's brief also highlighted the deficiencies of the proposed cy pres fund. "Cy pres," or "as near as possible," is the doctrine under which advocacy organizations are given settlement money in class action lawsuits where it would be extremely difficult to distribute funds to individual class members. Generally, the organizations selected to be cy pres recipients must have missions that align with the interests of the class members.

"[T]he Settlement includes an unfair distribution of potential cy pres funds," EPIC stated. "One of the cy pres beneficiaries designated in the Settlement has even declined to accept the proposed award because of this unfairness. Any benefits to the silent class members will be illusory, and in exchange they will have lost their legal right to challenge Facebook's privacy violations. The Court should reject this settlement because it would authorize unlawful conduct and is fundamentally unfair to class members and provides no meaningful benefit to Facebook users."

EPIC: "Friend of the Court" Brief, Fraley v. Facebook (Feb. 20, 2014)
EPIC: Fraley v. Facebook
Fraley v. Facebook: Settlement Page
EPIC: In re: Facebook Complaint to FTC (Dec. 17, 2009)
FTC: Decision in In re: Facebook (Jul. 27, 2012)
EPIC: In re: Facebook

========================================================================
[5] Massachusetts Court Upholds Location Privacy Protection
========================================================================

The Massachusetts Supreme Judicial Court has ruled in Commonwealth v. Augustine that an individual has a reasonable expectation of privacy in cell phone location records held by a company. Article 14 of the Massachusetts Constitution, similar to the Fourth Amendment, provides that individuals should be free from "unreasonable searches, and seizures." The Massachusetts court held that "the tracking of the defendant's movements in the urban Boston area for two weeks was more than sufficient to intrude upon the defendant's expectation of privacy" and therefore the police actions constituted a search, requiring a warrant. Because the decision is based on the Massachusetts State Constitution, it applies solely to Massachusetts law enforcement.

The Massachusetts Supreme Judicial Court is the second state court, after New Jersey, to rule that location data is protected under the state constitution. EPIC filed a "friend of the court" brief in the New Jersey case, State v. Earls, as well as in Commonwealth v. Connolly, a similar Massachusetts case concerning warrantless GPS tracking. EPIC also filed a brief in In re U.S. Application for Historical Cell Site Data, in which an appeals court held that users have no reasonable Fourth Amendment expectation of privacy in location records. The Massachusetts Supreme Judicial Court considered all three cases in reaching the decision.

EPIC: Decision in Commonwealth v. Connolly (Feb. 18, 2014)
EPIC: State v. Earls
EPIC: Commonwealth v. Connolly
EPIC: In re Historic Cell-Site Location Information
EPIC: Locational Privacy

========================================================================
[6] News in Brief
========================================================================

Supreme Court Allows Warrantless Search of Homes

In a case that narrows the warrant requirement for searches of homes, the US Supreme Court upheld the LAPD's warrantless search of a suspect's home after the resident objected. In the case Fernandez v. California, the officers returned to the defendant's apartment after he had been arrested and obtained his roommate's consent to conduct a search. Justice Alito, writing for the 6-3 majority, found that the roommate's consent was sufficient once the defendant was no longer present. Justice Ginsburg, writing in a dissent joined by Justices Sotomayor and Kagan, argued that the decision "tells the police they may dodge" the warrant requirement and is contrary to the Court's 2006 ruling in Georgia v. Randolph. In that case, the Supreme Court held that when one occupant refuses to consent to a search, the other's consent is not sufficient to permit. EPIC has previously filed "friend of the court" briefs in a number of important Supreme Court Fourth Amendment cases.

US Supreme Court: Decision in Fernandez v. California (Feb. 25, 2014)
EPIC: US v. Jones
EPIC: Maryland v. King
EPIC: Amicus Curiae Briefs

DHS Cancels Nationwide License Plate Tracking System

The Department of Homeland Security has canceled a plan to build a national license plate tracking database. The database would have included the license plate records of car owners across the country, obtained from private companies and law enforcement agencies. The request for bids lacked any consideration of privacy protections. EPIC, via several Freedom of Information Act requests, had obtained extensive documents on the current programs operated by the Customs and Border Protection and the Federal Bureau of Investigation.
The documents uncovered by EPIC show that both agencies failed to adequately address the privacy implications of license plate readers.

Washington Post: DHS License Plate Tracking Cancelation (Feb. 19, 2014)
EPIC: DHS Plan for National License Plate Tracking (2009)
EPIC: EPIC FOIA - Automated Plate Readers and Border Body Scanners
EPIC: EPIC FOIA: Automated License Plate Readers (FBI)
EPIC: License Plate Recognition Systems

White House and MIT to Host Conference on Big Data and Privacy

On March 3 the White House Office of Science and Technology Policy and MIT will cohost "Big Data Privacy: Advancing the State of the Art in Technology and Practice." The conference is part of the White House's "Big Data and the Future of Privacy" initiative and will feature keynotes from Counselor to the President John Podesta and Secretary of Commerce Penny Pritzker. Scholars, privacy advocates, government representatives and private sector leaders will explore the opportunities and challenges of big data and examine the use of Privacy Enhancing Techniques. President Obama has called for a "comprehensive review of big data and the future of privacy." In response, EPIC and a coalition of consumer and scientific organizations outlined key questions for the White House to explore, and also asked the Office of Science and Technology Policy to encourage public participation.

MIT/White House: Conference on Big Data Privacy (Mar. 3, 2014)
The White House: "Big Data and the Future of Privacy" (Jan. 23, 2014)
The White House: President's Speech on NSA reform (Jan. 17, 2014)
EPIC et al.: Letter to OSTP re: Big Data and Privacy (Feb. 10, 2014)
EPIC: Big Data and the Future of Privacy
EPIC: Privacy and Consumer Profiling
EPIC: Online Guide to Practical Privacy Tools

DHS Report Reveals FOIA Backlog and Use of Law Enforcement Exemptions

The Department of Homeland Security has released the 2013 Freedom of Information Act Report, detailing the agency's attempts to comply with the federal open government law. The FOIA requires each agency to provide the numbers of requests received and processed, the time taken to respond, the outcome of each request, and other statistics. In 2013, the DHS reported a significant increase in the FOIA backlog, which rose from 28,553 unanswered requests in 2012 to 53,598 unanswered requests in 2013. Of the nine exemptions that an agency can invoke to withhold documents, DHS relied most heavily on exemption 7(C) (law enforcement records that if released would constitute an invasion of personal privacy) and 7(E) (law enforcement records that if released would disclose law enforcement techniques or procedures), which is significant because the DHS is not a law enforcement agency. DHS reported granting about 7% of requests for expedited processing. EPIC has prevailed in several FOIA lawsuits against DHS, and has also worked to reform the agency's FOIA processing practices for other requesters.

DHS Privacy Office: 2013 Freedom of Information Act Report (Feb. 2014)
US Justice Dept.: Annual FOIA Report Page
EPIC: Letter from US OGS re: FOIA (Oct. 19, 2012)
EPIC: EPIC v. DHS - Body Scanner FOIA Appeal
EPIC: EPIC v. DHS - SOP 303

========================================================================
[7] EPIC in the News
========================================================================

"Google Glass warfare fuels San Francisco debate." MarketWatch, Feb. 27, 2014.

"Data breach at Indiana University: Are colleges being targeted?" The Christian Science Monitor, Feb. 26, 2014.

"The Wild West of Privacy." The New York Times (Op-Ed), Feb. 24, 2014.

"Privacy concerns swirl around TSA Pre-check program." USA Today, Feb. 24, 2014.

"Education Leaders Tackle Student Data Privacy Issues at Summit." Education Week, Feb. 24, 2014.

"EPIC Calls on The FTC to Supplement Safe Harbor with the Privacy Bill of Rights." InfoSecurity, Feb. 24, 2014.

"Consumer Privacy Rights Need Urgent Protection in Washington, Activists Say." The Washington Post, Feb. 24, 2014.

"Groups Push Obama To Float 'Privacy Bill Of Rights'." Law360, Feb. 24, 2014.

"ICE license plate-reader solicitation canceled." FCW, Feb. 20, 2014.

"Homeland Security is seeking a national license plate tracking system." The Washington Post, Feb. 18, 2014.

For More EPIC in the News:

========================================================================
[8] EPIC Bookstore
========================================================================

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification.
The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS).
This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore:

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

========================================================================
[9] Upcoming Conferences and Events
========================================================================

"Privacy and Public Good: Reporting on Student Data."
Khaliah Barnes, Director, EPIC Student Privacy Project. SXSWedu, Austin, TX, March 4, 2014. For More Information:

"Techno-Snooping: Privacy, Technology and the Evolving Rule of Law." Ginger McCall, EPIC Associate Director. Colby College, Waterville, ME, April 6, 2014. For More Information:

Fourth Annual International Summit on the Future of Health Privacy. Washington, DC, June 4-5, 2014. For More Information:

IEEE Presents "Reintroducing Norbert Wiener in the 21st Century." Boston, 24-26 June 2014. For More Information:

========================================================================
Join EPIC on Facebook and Twitter
========================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------ END EPIC Alert 21.04 ------------------------
