
EPIC Alert


EPIC Alert 21.07 [2014] EPICAlert 7


=======================================================================
E P I C   A l e r t
=======================================================================
Volume 21.07                                             April 21, 2014
-----------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================
[1] FTC Responds to EPIC Complaint on WhatsApp and Privacy
[2] European High Court Strikes Down Data Retention Law
[3] EPIC Warns White House About 'Big Data' Privacy Risks
[4] EPIC Appeals Lower Court's Decision in EPIC v. NSA
[5] Judge Approves Google Settlement Over Objection of Privacy Groups
[6] News in Brief
[7] EPIC in the News
[8] EPIC Bookstore
[9] Upcoming Conferences and Events

TAKE ACTION: Speak Out on the New Internet Registration Directory!
TAKE the Survey:
LEARN about Domain Name Privacy:
SUPPORT EPIC:

=======================================================================
[1] FTC Responds to EPIC Complaint on WhatsApp and Privacy
=======================================================================

The Federal Trade Commission has notified Facebook and WhatsApp that both companies must honor their privacy commitments to users if WhatsApp is purchased by Facebook. According to a letter from Jessica Rich, Director of the FTC Bureau of Consumer Protection, "[I]f the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook. . . . [H]undreds of millions of users have entrusted their personal information to WhatsApp." "The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users," the letter adds.
The FTC's letter follows a detailed complaint from EPIC and the Center for Digital Democracy concerning the privacy implications of WhatsApp's $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards and had promised to keep the app free from advertisements prior to the sale. However, Facebook regularly incorporates the user data of companies it acquires; for example, when Facebook purchased Instagram in 2012, Instagram users were not subjected to advertisements based on the content they uploaded to the site. After the acquisition, Facebook accessed Instagram users' data and changed the Instagram Terms of Service to reflect this change.

EPIC's complaint urged the Federal Trade Commission to block the WhatsApp sale to Facebook unless adequate privacy safeguards for WhatsApp user data were established. EPIC's supplemental complaint provided further evidence that WhatsApp users object to the acquisition, highlighted the importance of the FTC's pre-merger review process, and asked the FTC to use authority under Section 5 of the Federal Trade Commission Act to investigate, block, or alter the sale for unfair and deceptive trade practices.

FTC: Press Release on Facebook/WhatsApp Deal (Apr. 10, 2014)
FTC: Letter to Facebook and WhatsApp re: Proposed Sale (Apr. 10, 2014)
EPIC: Complaint to FTC re: Facebook and WhatsApp (Mar. 6, 2014)
EPIC: Supp. Complaint to FTC re: Facebook and WhatsApp (Mar. 21, 2014)
EPIC: In re WhatsApp
EPIC: In re: Facebook
EPIC: Big Data and the Future of Privacy
EPIC: Federal Trade Commission
EPIC: FTC Regulatory Authority

=======================================================================
[2] European High Court Strikes Down Data Retention Law
=======================================================================

In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal.
The EU's Data Retention Directive, established in 2006, had required telephone and Internet companies to retain traffic and location data as well as Personally Identifying Information for use in investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the EU Charter of Rights. The Court also stated that, to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way."

EPIC and a coalition of US organizations have urged the Obama Administration to recognize the opinion by the European Court of Justice in an upcoming report on big data and privacy.

In 2013, EPIC Executive Director Marc Rotenberg addressed the European Parliament on the issue of electronic mass surveillance of EU citizens. The Committee on Civil Liberties, Justice, and Home Affairs has convened a series of hearings to examine reports of the monitoring and surveillance of Europeans. Mr. Rotenberg explained that there is now a vigorous debate in the United States and that there would be some changes to the Foreign Intelligence Surveillance Act concerning surveillance within the United States. But he also warned that US lawmakers were unlikely to make changes that respond to the concerns of European citizens. Rotenberg urged EU lawmakers to suspend trade negotiations with the US pending an adequate resolution of the surveillance inquiry. He also suggested a review of the PNR and SWIFT data transfer arrangements, which lack Privacy Act safeguards. Finally, Mr. Rotenberg recommended the adoption of an international framework for privacy protection.

European Court of Justice: Judgment of the Court (Apr. 8, 2014)
EPIC: Comments on Big Data and Privacy (Apr. 4, 2014)
EPIC et al.: Coalition Letter to WH re: ECJ Opinion (Apr. 16, 2014)
EU: Inquiry on Mass Surveillance of EU Citizens (Sep. 25, 2013)
EPIC: Testimony of Marc Rotenberg before EU Parliament (Sep. 30, 2013)

=======================================================================
[3] EPIC Warns White House About 'Big Data' Privacy Risks
=======================================================================

In response to a request from the Obama Administration, EPIC has submitted extensive comments on "Big Data and the Future of Privacy." EPIC's comments warned the White House about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974, which was enacted in response to the challenges of "data banks."

EPIC argued that the use of predictive analytics by government and private industry undermines freedom of association. The fact that "our online social connections, participation in online debates, and our interests expressed through our online activities can now be used by the government and companies to make determinations about our ability to fly, to obtain a job, a clearance, or a credit card" inhibits online interaction and participation. EPIC's comments also detailed how using big data to predict sensitive information about individuals, e.g. race or religion, raises the potential for abuse by both the government and private sector.

EPIC's comments further noted recent dramatic increases in identity theft and security breaches and called for the swift enactment of the White House's Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. "It is vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics," EPIC wrote.

EPIC and more than 20 organizations previously urged the White House to establish privacy protections for user data gathered by large companies and government agencies.

That same week the Government Accountability Office issued a report warning that federal agencies "have not been consistent or fully effective in responding to data breaches." "The increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government," the report concluded.

EPIC: Comments on Big Data and Privacy (Apr. 4, 2014)
GPO: Request for Comments on Big Data and Privacy (Mar. 4, 2014)
The White House: Big Data and the Future of Privacy (Jan. 23, 2014)
GAO: Report on Federal Agencies and Data Breaches (Apr. 2, 2014)
EPIC: Big Data and the Future of Privacy

=======================================================================
[4] EPIC Appeals Lower Court's Decision in EPIC v. NSA
=======================================================================

EPIC has filed an opening brief in EPIC v. NSA, seeking to obtain NSPD-54, a 2008 Presidential Directive on cybersecurity widely circulated to federal agencies and senior policy advisors but whose actual text was withheld from the public.

In 2009, EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the requested documents but withheld the Directive itself. EPIC then sued the agency to force disclosure of the Directive but a court ruled in 2013 that the NSA lacked control over NSPD-54, and thus it was not an "agency record" subject to release.
It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA.

EPIC's appeal argues that the agency is in possession of NSPD-54 and that "Both the Supreme Court and this Court have held that the agency, not the requestor" bear the burden of demonstrating "that the materials sought are not 'agency records.'" EPIC also maintained that the lower court "failed to apply" the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. Several open government organizations have filed a "friend of the court" brief supporting EPIC's appeal.

EPIC: Opening Brief in EPIC v. NSA (NSPD-54) (Mar. 31, 2014)
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC: FOIA Request to NSA re: NSPD-54 (Jun. 25, 2009)
DC District Court: Opinion in EPIC v. NSA (Oct. 21, 2013)
Open Government Groups: Letter in Support of EPIC (Apr. 7, 2014)
EPIC: EPIC v. NSA: NSPD-54 Appeal
EPIC: Presidential Directives and Cybersecurity

=======================================================================
[5] Judge Approves Google Settlement Over Objection of Privacy Groups
=======================================================================

A federal judge in California has approved a settlement agreement in a lawsuit against Google that will allow the company to continue to sell data about users' browsing history to advertisers. In the case In re Google Referrer Header, Google users alleged that Google unlawfully sold information contained in the "referrer header," also known as the "referer header," to third-party advertisers. According to EPIC and several other consumer privacy organizations, the settlement reached between the users and Google left the users no better off than prior to the lawsuit.

Information about the last site a user visited is coded and placed on the top, or the "header," of the user server's request. When a user clicks on a website link, the user's server asks the website's server for permission to connect. Many commercial websites use that information for advertising purposes.

EPIC and the coalition wrote to the presiding judge in 2013, arguing that the settlement required no change in Google's business practices and provided no benefit to those on whose behalf the case was brought. "It is absurd to argue that a benefit is provided to the Class where the company makes no material change in its business practices and is allowed to continue the practice that provides the basis for the putative class action," EPIC's letter stated. EPIC argued that under the terms of the proposed settlement, "a company that manufactures a faulty toaster that catches fire because of poor wiring is permitted post-settlement to continue to manufacture the toaster as before with no change to the wiring that created the risk to the customers, as long as it notifies customers of the risk arising from its ongoing negligence."

EPIC and the coalition also recommended that the court adopt an objective basis for distributing cy pres funds. "Cy pres" is a legal doctrine that allows courts to allocate funds to protect the interests of individuals in a class action settlement. Under Ninth Circuit Court precedent, cy pres funds must be used to advance the interests of the class members. In this case, however, EPIC argued, "the proposed cy pres allocation is not aligned with the interests of the purported Class members." EPIC noted that cy pres awards are often made for the benefit of the lawyers settling the case and not the class members. Under the proposed Google settlement specifically, only one of the seven organizations that would receive the cy pres funds has the protection of privacy as part of its mission and is therefore aligned with the interests of class members.

9th Circuit Court: In re Google Referrer Header (Apr. 23, 2013)
EPIC: Letter to Judge in Google Referrer Header Case (Aug. 22, 2013)
EPIC: Search Engine Privacy
EPIC: Google Buzz

=======================================================================
[6] News in Brief
=======================================================================

EPIC Supports Challenge to National Security Letter "Gag Orders"

EPIC has filed a "friend of the court" brief in In re National Security Letter, a case challenging the government's bulk collection of customer records without judicial approval. Under the current law, companies are not allowed to discuss these subpoenas or reveal information about the number of NSLs they receive each year. EPIC's brief argues that the "gag order" provision frustrates the public's right to know about a far-reaching government surveillance program. EPIC routinely provides information to the public about government surveillance programs, but is unable to inform the public about NSL surveillance because of the provision now under review by a federal appeals court.

EPIC: In re National Security Letter
EPIC: National Security Letters

EPIC to Commerce Department: Uphold the Public's Right to Know

EPIC has urged the US Commerce Department not to prematurely close Freedom of Information Act requests. EPIC's comments to the agency support some proposed changes to the Commerce Department's FOIA policy that will make it easier for the public to obtain information, but EPIC objects to a specific proposal that would allow the agency to terminate pending FOIA requests if requesters do not "reasonably describe the records sought." EPIC said the change was contrary to the purpose of the open government law. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes.

EPIC: Comments to Commerce Dept. re: FOIA Changes (Mar. 31, 2014)
Federal Register: US Commerce Dept. FOIA Changes (Feb. 27, 2014)
Federal Register: PCLOB Final Rules on FOIA (Nov. 8, 2013)
Federal Register: FTC Final Rules on FOIA (Mar. 21, 2014)
Federal Register: Interior Dept. Final Rules on FOIA (Dec. 31, 2012)
EPIC: Comments to PCLOB on FOIA Regulation (Jul. 15, 2013)
EPIC: Comments to Interior Dept. on FOIA Regulation (Nov. 13, 2012)
EPIC: Open Government

Court Upholds FTC Authority to Safeguard Data Privacy

A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas of the New Jersey US District Court held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez had stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers."

EPIC: Decision in FTC v. Wyndham (Apr. 7, 2014)
FTC: FTC v. Wyndham
EPIC: FTC: Overview of Authority to Remedy Privacy Infringements
EPIC: Federal Trade Commission
EPIC: Big Data and the Future of Privacy

FTC Commissioner Wright Meets with Industry, Not Consumer, Reps

Via a Freedom of Information Act request, EPIC has obtained the appointment calendar of FTC Commissioner Joshua Wright. The Commissioner's calendar, provided from his swearing-in in January 2013 through the end of February 2014, reveals numerous meetings with corporate representatives, including from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association, but no meetings with public interest organizations representing consumers. According to the calendar, Commissioner Wright also has attended industry conferences and given talks at trade association meetings.

One of the FTC's primary missions is to protect consumers from unfair and deceptive business practices. EPIC has made several attempts to arrange a meeting between Commissioner Wright and the Privacy Coalition, a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations that has hosted meetings with many FTC Commissioners over the past decade. After Wright's repeated declines of the Privacy Coalition's invitation, EPIC filed a FOIA request for his appointment calendar.

EPIC: FOIA Request for Commissioner Wright's Calendar (Feb. 18, 2014)
EPIC: Commissioner Wright's Calendar (via FOIA) (Mar. 24, 2014)
FTC: 'What We Do'
The Privacy Coalition
EPIC: Federal Trade Commission

After Public Outcry, Microsoft Reverses Course on Email Search

After criticism by bloggers, consumers, and privacy advocates - including EPIC - Microsoft will change a troubling provision in its privacy policy. In March, Microsoft searched a blogger's private Hotmail account to determine whether the subscriber received leaked versions of Windows 8. At the time, Microsoft claimed that the search was permissible under the Microsoft Online Terms of Service. Microsoft has now announced it would no longer search customers' accounts itself and would instead refer such matters to law enforcement. According to Microsoft, Hotmail has 170 million active users.

CNN Money: Blog Post on Microsoft (Mar. 21, 2014)
Microsoft TechNet: Blog Post on Hotmail Investigation (Mar. 28, 2014)
Microsoft TechNet: 1st Blog Post on Investigation (Mar. 20, 2014)
Microsoft: Microsoft Online Privacy Statement (Aug. 2013)
EPIC: Consumer Privacy Bill of Rights

=======================================================================
[7] EPIC in the News
=======================================================================

"White House unveils updated online privacy policy." CTV News, Apr. 18, 2014.
privacy-policy-1.1781712

"Louisiana Lawmakers Consider Student Privacy Bill." Heartland Magazine, Apr. 18, 2014.
lawmakers-consider-student-privacy-bill

"Facebook plays offense in D.C. for new feature." Politico, Apr. 17, 2014.
washington-105802.html#ixzz2zRUwNjFP

"Data Privacy Policies from Major Ed-Tech Players Draw Scrutiny." Government Technology, Apr. 17, 2014.
Tech-Players-Draw-Scrutiny.html

"Twitter Wants To Sell Information On Your Daily Routine To Advertisers." ThinkProgress, Apr. 16, 2014.
acquisition-of-gnip/

"Arne Duncan Responds to Criticism Over Student Data Privacy." Education Week, Apr. 15, 2014.
on_data_privacy_technol.html

"Google, once disdainful of lobbying, now a master of Washington influence." The Washington Post, Apr. 12, 2014.
transforming-power-and-politicsgoogle-once-disdainful-of-lobbying-now-a-master-of-washington-influence/2014/04/12/51648b92-b4d3-11e3-8cb6-284052554d74_story.html

"Deciding Where to Set the Limits on Surveillance." New York Times Letter to the Editor by EPIC President Marc Rotenberg, Apr. 11, 2014.
the-limits-on-surveillance.html?ref=opinion&_r=0

"FTC Says Facebook, WhatsApp Must Honor Consumer Privacy." Bloomberg News, Apr. 10, 2014.
whatsapp-must-honor-consumer-privacy.html

"2 ways Facebook could fix its top privacy risk." Consumer Reports, Apr. 10, 2014.
could-fix-its-top-privacy-risk/index.htm

"European Court of Justice rules data retention directive too invasive.", Apr. 8, 2014.
rules-data-collection-too-invasive.php#.U1BoHq1dWkQ

"Internet companies' growing ambitions spook 51 percent of Americans: Reuters/Ipsos poll." Reuters, Apr. 4, 2014.
idUSBREA331R520140404

"FTC Commissioner Wright's calendar heavy on lobbyists, light on consumer groups." Network World, Apr. 4, 2014.
wright39s-calendar-heavy-280438.html

"Spyware becomes a tool for stalking, domestic abuse." CBS MoneyWatch, Apr. 2, 2014.
domestic-abuse/

For More EPIC in the News:

=======================================================================
[8] EPIC Bookstore
=======================================================================

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.
================================
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
================================
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
================================
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
================================
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
================================
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================
EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore:
================================
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

=======================================================================
[9] Upcoming Conferences and Events
=======================================================================

"Worthwhile Tradeoffs: Surveillance in a Constitutional Democracy Part 1." Featuring EPIC Appellate Advocacy Counsel Alan Butler. Philadelphia, April 17, 2014. For More Information: surveillance-in-a-constitutional-democracy-part-1.

"When Bytes Bite Back." Featuring EPIC Associate Director Ginger McCall. Kansas City, MO, April 25, 2014. For More Information:

Fourth Annual International Summit on the Future of Health Privacy. Washington, DC, June 4-5, 2014. For More Information:

IEEE Presents "Reintroducing Norbert Wiener in the 21st Century." Boston, 24-26 June 2014. For More Information:

SAVE THE DATE: EPIC's 2014 Champions of Freedom Dinner, Hosted by Bruce Schneier:

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.
=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Support EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------ END EPIC Alert 21.07 ------------------------
