Previous Top News: 2009
- EPIC Seeks Facebook Communications Detailing Privacy Changes
EPIC filed a Freedom of Information Act (FOIA) request with the Federal Trade Commission (FTC), seeking communications with Facebook discussing the site’s recent privacy changes. In November and December 2009, Facebook made several changes to the website’s privacy policy and settings. In response to these changes, which no longer allow users to control the visibility of certain types of information, EPIC submitted a complaint to the FTC, alleging Facebook is engaging in “unfair and deceptive practices.” Facebook spokespersons issued a statement shortly after the complaint was filed, asserting, “We discussed the privacy program with many regulators, including the F.T.C., prior to launch.” EPIC requested documents pertaining to the communications Facebook allegedly had with the federal agency. For more information, see EPIC: In re Facebook. (Dec. 29, 2009) - President Obama Issues Order Regarding Classification Practices
President Obama has issued a new executive order regarding Classified National Security Information. President Obama's classified information order establishes a National Declassification Center to streamline the declassification process and sets timetables for declassification. The order states that "No information may remain classified indefinitely." The order also reverses an order by President George W. Bush that had allowed the intelligence community to block the release of a specific document, even if an interagency panel decided the information wouldn't harm national security. The new order prohibits agencies from classifying documents after the fact and also prohibits the withholding of documents that were created by one agency but are being held by another, which should assist EPIC's pending Freedom of Information Act request to the National Security Agency regarding NSPD 54, a classified Directive that describes an NSA program to monitor American computer networks. EPIC's request was previously denied by the NSA because NSPD 54 “did not originate with” the NSA. For more information see EPIC: Open Government. (Dec. 29, 2009) - Attempted Bombing on U.S. Flight Prompts Renewed Debate Over Body Scanners
On December 25, 2009, Umar Farouk Abdul Mutallab, a Nigerian citizen, attempted to detonate explosives hidden in his underwear during a Christmas Day flight. Abdul Mutallab was en route from Amsterdam, Netherlands to Detroit, Michigan when he attempted to detonate the device, which resulted in a fire on board the aircraft. In the days following the attack, some advocated for wider implementation of whole body imaging machines. Privacy organizations and others have continued to object to these devices, citing the invasive nature of the scans, the ineffectiveness of the machines and the lack of government transparency concerning privacy safeguards. For more information see EPIC: Whole Body Imaging Technology. (Dec. 26, 2009) - EPIC Files Lawsuit for Information about "Digital Strip Search" Devices
On December 17, 2009, EPIC filed a lawsuit against the Department of Justice concerning the use of devices that capture images of individuals stripped naked. The Transportation Security Administration has confirmed the Whole Body Imaging machines are being used in at least one Virginia federal court by the US Marshal Service. EPIC submitted a FOIA request for information about these devices including the contracts with the manufacturer of the machines, and information about technical specifications and training materials. The Marshal Service failed to respond adequately to the request. EPIC filed suit, saying that the agency had not performed a sufficient search and should disclose the documents requested. For more information, see EPIC's Open Government Page and Whole Body Imaging Page. (Dec. 18, 2009) - EPIC's Lillie Coney Appointed to Election Advisory Committee
House Speaker Nancy Pelosi appointed EPIC Associate Director and leading election reform advocate Lillie Coney to the Election Assistance Commission (EAC) Board of Advisors. EAC is an independent, bipartisan commission charged with developing guidance to meet Help America Vote Act requirements, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information about election administration. The EAC also accredits testing laboratories and certifies voting systems, as well as audits the use of HAVA funds. Ms. Coney leads EPIC’s voting project and has worked on developing voting technology standards, statewide-centralized voter registration systems with privacy safeguards, and voter identification policy. For more information, see EPIC: Lillie Coney and EPIC’s Voting Privacy Page. (Dec. 17, 2009) - EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission
EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history. For more information, see EPIC: In re Facebook, Frequently Asked Questions Regarding EPIC's Facebook Complaint, and EPIC Facebook Privacy. EPIC PRESS RELEASE. (Dec. 17, 2009) - Supreme Court to Hear Workplace Privacy Case, Rule on Safeguards for Text Messages
The Supreme Court agreed to hear a case that will determine what privacy safeguards apply to text messages transmitted through government employees' pagers. In City of Ontario v. Quon, a federal appeals court held that California police officers "have a reasonable expectation of privacy" in some personal text messages sent while at work. The Supreme Court will review the ruling. For more, see EPIC Workplace Privacy. (Dec. 14, 2009) - House Passes Data Breach Bill
Today, legislators passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. For more, see EPIC Identity Theft. (Dec. 11, 2009) - Media Shield Law Moves Forward in Senate
The Free Flow of Information Act of 2009 was passed by the Senate Judiciary Committee with a vote of 14-5 and has been sent to the full Senate for a vote. The bill will make it more difficult to compel journalists to disclose information, including the identities of their sources, by requiring the government or other party requesting disclosure to demonstrate that the information sought is "essential" to a case and that all reasonable alternatives have been exhausted before a judge will consider ordering disclosure. A version of the bill was passed by the House earlier this year. For more information, see EPIC Privileges. (Dec. 11, 2009) - Facebook Asks Users to Review Privacy Settings, Recommends Privacy Options, Questions Remain
Facebook is asking users to review and update their privacy settings. However, the privacy recommendations, suggested by Facebook, may result in greater disclosure than users intend. Facebook faces ongoing privacy scrutiny following Beacon, proposed changes to the Terms of Service, and a settlement now pending in California. EPIC has urged Facebook to respect user privacy settings. EPIC is also defending the privacy rights of Facebook users who participated in Beacon. For more information, see EPIC: Facebook Privacy. (Dec. 9, 2009) - White House Releases Open Government Directive
The White House announced a new Directive to promote transparency, collaboration, and accountability across the federal government. The Directive builds on President Obama's Open Government Memo, issued in January 2009. The Directive will establish benchmarks, and require agencies to create new websites and plans to promote transparency. Competitions are also planned. EPIC submitted comments on the Directive, calling for both stronger privacy safeguards and greater transparency. For more information, see EPIC Open Government. (Dec. 9, 2009) - FTC Considers Emerging Privacy Concerns at First Privacy Roundtable
The Federal Trade Commission held the first of three privacy roundtables this week in Washington, DC. The well-attended event featured privacy and security experts from around the country, with each panel consisting of at least one industry representative and one privacy advocate. The failure of the current notice and choice model, the need to regulate behavioral targeting, concerns about government access to data, and the high privacy expectations of consumers were among recurring topics throughout the day. EPIC's Marc Rotenberg said it was important for the Commission to focus on emerging business practices and the impact on consumer privacy. The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law. The FTC welcomes comments from the public in advance of the roundtable. (Dec. 9, 2009) - EPIC Supports Privacy Safeguards for Genetic Information, Recommends Robust Techniques for Deidentification
EPIC filed comments with the Department of Health and Human Services, advising the federal agency to strengthen the requirements for classifying data as “de-identified” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. HHS proposed a rule that would clarify HIPAA and the Genetic Information Nondiscrimination Act (GINA), by providing that genetic information is “health information” and prohibiting the use of such information for underwriting purposes or other discriminatory purposes. EPIC supports this proposed regulation but warned that a safe harbor provision for de-identified data could undercut privacy safeguards unless the techniques were shown to be "robust, scalable, transparent, and provable." For more information, see EPIC: Reidentification. (Dec. 8, 2009) - Google Expands Control of Internet Architecture
Google has announced Google Public DNS, which will route all requests for internet addresses, a core Internet function, through Google's servers. These requests would normally only pass through the servers of the users' internet service providers. Google's DNS service does not use the new authentication standard DNSSEC, but instead uses a proprietary security method. By tradition, DNS is a distributed function, subject to an open standard-setting process. For more information, see EPIC DNSSEC. (Dec. 8, 2009) - Facebook to Drop Regional Networks, Change Privacy Settings
Facebook announced that it intends to eliminate regional networks, which allow users to restrict information shared with others based on geography. The social networking service will also modify the site's privacy settings and require users to update the rules governing who can access their data. In February, revisions to Facebook's terms of service prompted users to revolt and Facebook to rescind the changes hours before EPIC planned to file a complaint with the Federal Trade Commission. Prior changes to the service resulted in disclosure of Facebook users' video rental records without their permission, prompting federal lawsuits. For more, see EPIC Facebook Privacy and Social Networking Privacy. (Dec. 4, 2009) - Defense Department Pulls Parental Control Software Product Following EPIC Complaint
Documents obtained by EPIC, pursuant to a Freedom of Information Act (FOIA) request, revealed the Defense Department canceled a contract with Echometrix, following an EPIC complaint to the Federal Trade Commission earlier this year. According to the documents obtained by EPIC, the Army and Air Force Exchange Service pulled My Military Sentry, which collects data for marketing purposes, from its online store: “The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited . . . . Giving our customers the ability to opt out does not address this issue.” For more information, see EPIC: In re Echometrix. (Dec. 4, 2009) - EPIC, Coalition and Experts Champion Privacy Safeguards for Smart Grid Data
EPIC, members of the Privacy Coalition, and privacy and security experts urged a federal agency to establish safeguards for Smart Grid systems that protect consumer electricity usage information from unauthorized collection, use, disclosure, or sale. Smart Grid networks, which uniquely identify individual devices and appliances, create new privacy risks and could reveal intimate details of home life. EPIC recommended that policies be established to safeguard consumer privacy, including limitations on data collection, enforceable privacy practices, new security standards, and independent oversight. See EPIC Smart Grid and Privacy. (Dec. 2, 2009) - European Countries Approve Sweeping Communications, Privacy Reforms
On November 24, the European Parliament established new Internet policies, including a right to Internet access, net neutrality obligations, and strengthened consumer protections. Under the ePrivacy directive, communications service providers will also be required to notify consumers of security breaches, persistent identifiers ("cookies") will become opt-in, there will be enhanced penalties for spammers, and national data protection agencies will receive new enforcement powers. The amended directive takes effect with publication on December 18 in the EU Official Journal. Member states then have 18 months to transpose the Directive into national law. See EPIC Privacy Law Sourcebook. (Nov. 30, 2009) - ENISA Report Examines Cloud Computing and Privacy
The European Network and Information Security Agency has released a new report on Cloud Computing. The ENISA report recommends that European officials determine the application of data protection laws to cloud computing services. The report also considers whether personal data may be transferred to countries lacking adequate privacy protection, whether customers should be notified of data breaches, and rules concerning law enforcement access to private data. Earlier this year, EPIC filed a complaint with the Federal Trade Commission, urging the Commission to examine the adequacy of privacy safeguards for cloud computing services. A subsequent letter by computer researchers, addressed to Google CEO Eric Schmidt, raised similar concerns. See EPIC Cloud Computing. (Nov. 25, 2009) - EPIC Files Appeal for NSA Policy on Network Surveillance
Today, EPIC filed a Freedom of Information Act appeal, seeking disclosure of NSPD 54, the classified Directive that describes a National Security Agency program to monitor American computer networks. EPIC submitted the original request to shed light on the extent of the federal government's surveillance of civilian computer systems, but the agency refused to disclose the document. EPIC's appeal warns that the NSA’s improper withholding of the Directive "flatly contravenes" the President's policy on open government and "explicit FOIA guidance promulgated by the Attorney General." EPIC further stated, without public disclosure of the Directive, "the government cannot meaningfully make assurances about the adequacy of privacy and civil liberties safeguards." For more information, see EPIC Open Government. (Nov. 24, 2009) - DHS Announces "Global Entry" Biometric Identification System for U.S. Airports
Today, the Department of Homeland Security proposed to make permanent Global Entry, a program the agency says will “streamline the international arrivals and admission process at airports for trusted travelers through biometric identification.” Under the proposed system, pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. The DHS announcement follows the recent news that Clear, a Registered Traveler program, had entered bankruptcy, raising questions about the possible sale of the biometric database that was created. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for Registered Traveler programs would jeopardize air traveler privacy and security. The agency is taking comments on the proposal. For more information, see EPIC Air Travel Privacy, EPIC Biometric Identifiers, EPIC Automated Targeting System, and EPIC Whole Body Imaging. (Nov. 19, 2009) - EU and US Officials Examine Safe Harbor, Cross Border Data Flow and Privacy
Officials from the United States and the European Union are meeting in Washington this week to review "Safe Harbor," a framework that allows the processing of data on EU citizens by US firms without traditional legal protections. Safe Harbor has been challenged by the European Parliament and questioned by academic experts. The Federal Trade Commission recently took action against US firms that incorrectly claimed current Safe Harbor certification, but the only penalty imposed was that the companies may not in the future misrepresent membership in any privacy, security, or other compliance program. (Nov. 17, 2009) - President Obama Nominates Brill and Ramirez for Federal Trade Commission
President Obama nominated Julie Brill and Edith Ramirez to be commissioners of the Federal Trade Commission. Brill, North Carolina’s top consumer advocate, serves as the senior deputy attorney general and chief of consumer protection and antitrust for the North Carolina Department of Justice. Ramirez, who specializes in intellectual property and complex litigation matters, is a partner in a Los Angeles, California law firm and has experience representing companies such as Mattel, Inc. and Northrop Grumman Corp. In a press release, President Obama stated, “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well. I look forward to working with them in the months and years ahead.” (Nov. 17, 2009) - Revised Google Books Settlement Announced, Privacy Problems Remain
The parties in the Google Books Settlement have filed an amended settlement. The Department of Justice, authors, EPIC and other privacy advocates criticized the original settlement. The revised settlement attempts to address price fixing and concerns about orphan works. However, the revised settlement does little to address privacy. Professor Pamela Samuelson stated “There are dozens of provisions in the settlement agreement that call for monitoring of what users do with books and essentially no privacy protections built into the settlement agreement.” For more information, see EPIC Google Books Settlement and Privacy, EPIC Google Books Litigation, and EPIC Google Books: Policy Without Privacy. (Nov. 17, 2009) - Congressional Committee Investigating Privacy Office at Homeland Security, Acknowledges Privacy Coalition Letter
House Homeland Security Committee Chairman Bennie Thompson has responded to the Privacy Coalition letter regarding the Chief Privacy Officer of the Department of Homeland Security. Chairman Thompson said that "the Committee is in the process of reviewing the programs outlined" in the letter, and thanked the Coalition for bringing the issues to the attention of the committee. He further stated that the Committee "will continue to examine the Department's programs and policies and vigorously address privacy concerns and issues." For more information, see EPIC DHS Privacy Office and Privacy Coalition. (Nov. 12, 2009) - EPIC Urges Government to Protect Privacy in the Smart Grid
Today, EPIC filed comments with the National Institute of Standards and Technology (NIST), urging it to implement robust privacy protections in the Smart Grid. The Smart Grid refers to a host of technologies that will allow unprecedented communication between American energy providers and energy consumers. However, it will also dramatically transform the ability of providers of power services in the United States to track the activities of consumers. For that reason, EPIC urged NIST to establish comprehensive privacy regulations that limit the collection and use of consumer data. For more information, see EPIC Smart Grid and Privacy. (Nov. 10, 2009) - Privacy Legislation Moves Forward in Senate
The Senate Judiciary Committee approved bipartisan legislation aimed at improving cybersecurity. The Personal Data Privacy and Security Act would establish a national standard for data breach notification and would require companies with databases containing sensitive personal information to establish data privacy and security programs. The bill was drafted in response to the growing number of Internet crimes in recent years. According to Senator Leahy (D-VT), who authored the bill, this legislation “strikes the right balance to protect privacy, promote commerce, and successfully combat identity theft.” The bill has been sent to the Senate for consideration. (Nov. 10, 2009) - EPIC Sues Homeland Security for Information About Digital Strip Search Devices
EPIC filed a Freedom of Information Act lawsuit challenging the Department of Homeland Security's failure to make public details about the agency's Whole Body Imaging program. The devices capture detailed naked images of air travelers in the United States. After the agency announced that the body scanners would become the primary screening device in US airports, EPIC demanded that the agency disclose records that describe the scanners' capacity to save and transmit images. In June, EPIC sent a letter to the Secretary of Homeland Security Janet Napolitano urging her to suspend the digital strip searches. For more, see EPIC Backscatter X-ray, Whole Body Imaging and EPIC Air Travel Privacy. (Nov. 9, 2009) - EPIC Urges Court to Enforce Video Privacy Law
Today, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. The Video Privacy Protection Act prohibits companies from revealing consumers' video rental histories. EPIC wrote, "Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected" and warned, "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." The lawsuit was filed by Cathryn Harris and other Facebook users after Blockbuster made public their private video rental information. Blockbuster, a participant in Facebook's Beacon program, claimed that consumers cannot sue the company and must submit to mandatory arbitration. EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated. For more information, see EPIC Harris v. Blockbuster, EPIC The Video Privacy Protection Act, and EPIC Facebook Privacy. (Nov. 4, 2009) - Civil Society Groups and Privacy Experts Release Madrid Declaration, Reaffirm International Privacy Laws, Identify New Challenges and Call for Concrete Action to Safeguard Privacy
In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards. Multiple translations of the Declaration are available. (Nov. 3, 2009) - Public Voice Hosts Global Privacy Conference in Madrid
Almost two hundred privacy experts, advocates, and government officials from around the world gathered in Madrid for the "Global Privacy Standards" conference, organized by the Public Voice. The event features panel discussions on “Privacy and Human Rights: The Year in Review,” "Privacy Activism: Major Campaigns," “Your Data in the Cloud: What if it Rains?,” "Transborder Data Flow: Bridges, Channels or Walls?," and “Toward International Privacy Standards." Leading privacy officials from Spain, the European Union, the European Parliament, the OECD, and Canada are participating. The event is being held in conjunction with the annual meeting of the Privacy and Data Protection Commissioners, which is expected to draw more than 1,000 participants from over fifty countries. The Public Voice event will also be cybercast and tweeted. @thepublicvoice #globalprivacy. (Nov. 3, 2009) - Study Finds that Children’s Privacy has been Compromised
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see EPIC Children’s Online Privacy Protection Act and EPIC DOD Recruiting Database. (Nov. 2, 2009) - Facebook Updates Privacy Policy in Response to Canadian Privacy Investigation
Facebook released a revised privacy policy. The updated policy provides a more concise description of the privacy practices of the developers of third-party applications. Facebook also announced that it will evaluate the collection of user data by application developers. According to a blog post, the revised policy is a response to a complaint filed by Canadian Internet Policy and Public Interest Clinic in 2008, and attempts to “[fulfill] our commitment to the Privacy Commissioner of Canada to update our privacy policy to better describe a number of practices.” Concerns remain about the use of Facebook users' data. For more information, see EPIC Facebook Privacy. (Oct. 30, 2009) - European Commission Takes Action Against UK, Deep Packet Inspection
The European Commission announced that the UK government has failed to comply with Europe's ePrivacy Directive and Data Protection Directive. European laws state that EU countries must ensure the confidentiality of electronic communications by prohibiting unlawful interception and surveillance. The EC statement specifically cited unlawful interception under the UK Regulation of Information Powers Act. This marks the second phase of an infringement proceeding that was filed earlier this year against the UK. The case follows complaints about the use of Phorm's Deep Packet Inspection technology. For more information, see EPIC Deep Packet Inspection and Privacy and Human Rights Report. (Oct. 29, 2009) - Privacy Coalition Seeks Investigation of DHS Chief Privacy Office
EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging it to investigate the Department of Homeland Security's (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections. For more information, see EPIC Fusion Centers, EPIC Whole Body Imaging, and EPIC CCTV. (Oct. 23, 2009) - Public Knowledge, EPIC, Other Public Interest Groups Urge FCC to Ensure Open Internet
EPIC has signed on to a letter from Public Knowledge to the Federal Communications Commission supporting the FCC's decision to begin public proceedings on preserving an open internet. EPIC joins many other public interest groups who have also expressed support for the FCC's initiative. The FCC's proceedings will focus on proposed rulemaking policies that would preserve an open internet. EPIC favors the general principles of "network neutrality" and has called on the FCC to preserve privacy safeguards against measures that Internet Service Providers may use to limit access to the internet. For more information, see also EPIC Deep Packet Inspection. (Oct. 22, 2009) - House Members Introduce PATRIOT and FISA Reform Bills
Representatives Conyers, Nadler, and Scott introduced two bills today that would amend the PATRIOT Act and the Foreign Intelligence Surveillance Act. The Patriot Amendments Act of 2009 will enhance reporting and judicial oversight of law enforcement powers, including the National Security Letter process. The FISA Amendments Act of 2009 will place new limits on the government's ability to collect and store Americans' communications without a warrant and repeal retroactive immunity. For more information, see EPIC FISA, EPIC PATRIOT Act. (Oct. 20, 2009) - EPIC Urges Court to Protect Speech of Privacy Advocate
Today, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate. Ostergren runs a Website that republishes Social Security Numbers, collected from public records, to persuade Virginia lawmakers to stop releasing documents that reveal Social Security Numbers. Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. A lower court held that the law violated Ostergren's First Amendment rights. Virginia appealed. EPIC's brief urges the appeals court to uphold the lower court's ruling. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft. (Oct. 19, 2009) - California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy
Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection. (Oct. 16, 2009) - HHS to Explore Scope of Personally Identifiable Health Information, Seeks Public Comments
The Department of Health and Human Services plans to modify sections of the federal Privacy Rule, issued under HIPAA. The proposed changes would clarify the scope of privacy and confidentiality of genetic information. More specifically, HHS proposes to modify the Privacy Rule, taking into account the Genetic Information Nondiscrimination Act, to prohibit health plans from using or disclosing personally identifiable health information, which would explicitly include genetic information, for underwriting purposes. Public comments on the proposed rule are due December 7, 2009. EPIC is recommending that HHS pay particular attention to the problem of data reidentification. For more information, see EPIC's Genetic Privacy Page. (Oct. 13, 2009) - European Commissioner Calls for Privacy Safeguards for Internet
Commissioner Viviane Reding, head of European policy for Information Society and Media, reaffirmed support for an open Internet and called for new initiatives for "the protection of privacy and personal data in the online environment." Reding cited three commercial developments that require close attention: social networking, behavioral advertising and RFID "smart chips." EPIC will be hosting an international conference on privacy protection in Madrid, in conjunction with the annual meeting of the Data Protection Commissioners, that will explore these topics and other related issues. (Oct. 7, 2009) - TSA Expands Passenger Electronic Strip Search Program
The Transportation Security Administration (TSA) has plans to greatly expand its use of whole body imaging machines at airports around the country. The x-ray machines, which each cost over $100,000, capture detailed, graphic images of passengers' naked bodies. In June, the House of Representatives overwhelmingly passed a measure that would restrict TSA's use of these machines. The measure is pending in the Senate. The Privacy Coalition has urged the Department of Homeland Security to suspend the program until privacy and security risks can be fully evaluated. EPIC has also filed Freedom of Information Act requests for the contracts with the vendor Rapiscan. For more information, see EPIC Whole Body Imaging Technology and EPIC Spotlight on Surveillance. (Oct. 6, 2009) - House Committee Examines Future of Registered Traveler Program
A Congressional committee will hold a hearing today on the Registered Traveler Program. The program, which operated under the brand name "Clear," shut down and the company that operated it has declared bankruptcy, leaving open the question of what will happen to the biometric identifiers, including fingerprints and iris scans, that were obtained from customers. The New York Times reports that the company's assets have been purchased and the program may restart within the year. EPIC testified before Congress in 2005 that the absence of Privacy Act safeguards would jeopardize air traveler privacy and security. See also EPIC Air Travel Privacy, EPIC Secure Flight, and EPIC Spotlight on Surveillance - Registered Traveler Card. (Sep. 30, 2009) - House Committee to Consider Data Breach Bill
On September 30, the House Energy and Commerce Committee will consider a proposed federal law that would establish national standards for data breach notifications. The Data Accountability and Trust Act (DATA) also regulates information brokers and requires companies to adopt security policies. The Senate is considering a similar bill that protects additional categories of consumer information. In May, EPIC testified before Congress on the DATA bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. In May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." For more information, see EPIC Identity Theft. (Sep. 29, 2009) - EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing
EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009) - EPIC Celebrates International Right to Know Day
Today, EPIC celebrates International Right to Know Day, which was established to raise awareness of every individual's right of access to government-held information. EPIC is speaking at American University's Third Annual International Right-To-Know Day Celebration concerning opportunities to restore US leadership in government transparency. Recently, the Obama Administration announced revisions to the "state secrets" privilege and increased access to White House visitor records. Both initiatives aim to expand disclosure of information. Last week, EPIC filed papers to force the Department of Homeland Security to comply with federal open government law, citing the President's commitment to transparency. For more information, see EPIC Open Government and EPIC FOIA Litigation Manual 2008. (Sep. 28, 2009) - Department of Justice Limits Use of State Secrets Privilege
Today, the Department of Justice announced a new policy that limits the government’s use of the state secrets privilege. The state secrets privilege is a rule of evidence intended to prevent genuine matters of national security from being disclosed in open court. However, recently it has been misused by both the Bush and Obama administrations in order to derail litigation completely. For instance, in 2007 EPIC filed a “friend-of-the-court” brief in a warrantless wiretapping case, Hepting v. United States, in which the government argued that the case should be dismissed because it would reveal “state secrets.” Under the new policy, the privilege will be invoked only "to the extent necessary to protect against the risk of significant harm to national security." The Attorney General will also have to approve each determination. The State Secret Protection Act of 2009, legislation with a similar purpose, is now pending in Congress. For more information, see EPIC Open Government. (Sep. 23, 2009) - EPIC Reminds Homeland Security Agency to Publish Privacy Report
In a letter to the Chief Privacy Officer of the Department of Homeland Security, EPIC asked when the annual privacy report will be made available. The Department is required by law to provide an annual report "on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters." The last privacy report was published in July 2008. EPIC has previously sent similar letters to the Department, reminding the agency of its legal obligation to inform the public about its activities. For more information, see EPIC’s Privacy Report Held Hostage page. (Sep. 22, 2009) - Facebook to End Beacon, Establish Privacy Foundation
Facebook has entered into a proposed agreement to end Beacon, the controversial advertising technique that broadcast user purchases in their public profile. EPIC and other privacy advocates objected to Beacon’s privacy implications and successfully persuaded Facebook to adopt opt-in for the service. Under the terms of a class-action lawsuit in California, Facebook will now terminate Beacon and contribute $9.5 million towards the creation of a foundation dedicated to protecting online privacy. A class-action lawsuit concerning Beacon is also pending in Texas. For more information, see EPIC Facebook Privacy and EPIC Testimony on the "Impact and Policy Implications of Spyware on Consumers and Businesses." (Sep. 22, 2009) - Office of Legal Counsel Reaffirms Legality of Einstein 2.0
The Office of Legal Counsel has released two opinions regarding Einstein 2.0, the federal cyber-security initiative that monitors network activity. The Bush administration opinion concluded that Einstein 2.0 complied with the Constitution and applicable federal laws, provided that users are properly warned that it is operating. The Obama administration opinion, signed August 14, 2009, concurred with the earlier opinion, and also concluded that the system does not violate “state wiretapping or communications privacy laws.” EPIC has stated that Einstein should be subject to the Privacy Act. Also, documents previously obtained by EPIC under the Freedom of Information Act revealed that network monitoring tools often exceed their legal authority. For more information, see EPIC Carnivore (FBI tracking tool). (Sep. 21, 2009) - EPIC Pursues DHS Official's Public Calendar
EPIC has filed a FOIA appeal with the Department of Homeland Security for the calendar of the Chief Privacy Officer. EPIC submitted the original request to find out why the DHS Privacy Officer could not meet with privacy groups in Washington, DC. The agency turned over many pages from the calendar, but the entries were all blacked out. In the appeal, EPIC said the agency has failed to comply with the open government law and also cited the President's commitment to government transparency concerning the activities of public officials. For more information, see EPIC Open Government. (Sep. 18, 2009) - Indiana Court Strikes Down State Voter ID Law
Yesterday, the Indiana Court of Appeals ruled that the Indiana Voter ID law, which requires certain individuals to present government-issued photo identification before they could vote, violates the state Constitution. The law is unconstitutional, the court held, because it “regulates voters in a manner that is not uniform and impartial.” The United States Supreme Court previously ruled that the law did not violate the federal Constitution, but did not address the law’s validity under the Indiana Constitution. EPIC and ten legal scholars and technical experts filed a “friend-of-the-court” brief in that case, urging the Court to invalidate the law because of its disparate impact and its reliance on REAL-ID, a "flawed federal identification system.” For more information, see Crawford v. Marion County Election Board and EPIC Voting Privacy. (Sep. 18, 2009) - EPIC Renews Call for Release of Bush Warrantless Wiretap Memos
In court papers filed this week in Washington, DC, EPIC and the ACLU asked a federal judge now reviewing an open government case to consider the publication of the Inspectors General Unclassified Report on the President's Surveillance Program. EPIC and the ACLU are seeking the release of the relevant legal memos relating to the program, but the government contends that the entire matter is secret. However, the Inspector General's report, which is widely available, discusses several of the memos at issue in the case. EPIC filed the original request for the legal memos in December 2005 after the New York Times first reported on the warrantless wiretapping program. The case is EPIC v. Dep't of Justice. (Sep. 18, 2009) - PATRIOT Act Revisions Introduced in Senate
Today, Sen. Russ Feingold (D-WI) and seven cosponsors introduced the Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act. The bill would amend the PATRIOT Act, the FISA Amendments Act, and other surveillance and intelligence laws. Among other changes, the JUSTICE Act would reform the National Security Letter process, revise the guidelines for business records orders, eliminate the catch-all provision for "sneak-and-peek" searches, and add new safeguards for FISA roving wiretaps. The JUSTICE Act would also repeal retroactive immunity for telecommunications companies, and is supported by many civil liberties organizations. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters. (Sep. 17, 2009) - Massachusetts Supreme Court Requires Warrant for GPS Tracking
Today, the Massachusetts Supreme Judicial Court ruled that police must obtain a warrant before using GPS devices to monitor vehicles, as it constitutes a seizure under the Massachusetts Constitution. The court also imposed time limits on GPS monitoring, ruling that warrants will expire fifteen days after they are issued. A concurring opinion raised the issue of whether the use of a GPS is a "seizure" or a "search." EPIC filed a “friend of the court” brief (pdf) in the case, urging the court to adopt a warrant requirement. For more information, see EPIC Commonwealth v. Connolly. (Sep. 17, 2009) - Administration Announces Cloud Computing Initiative, but Privacy Umbrella Missing
Chief Information Officer Vivek Kundra announced the launch of “Apps.gov”, a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at "lowering the cost of government operations while driving innovation." Currently, the administration's main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google's CEO, asking Google to uphold privacy promises made to users of Google Cloud Computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC's page on “Cloud Computing”. (Sep. 17, 2009) - Federal Trade Commission to Host Privacy Roundtables
The Federal Trade Commission has announced a series of roundtables on consumer privacy, beginning December 7. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include individuals from a wide range of related fields, including privacy and technology experts. The meetings are open and public comments are encouraged. EPIC has supported the FTC's privacy mission, but has also said that the agency needs to do a lot more to safeguard consumer privacy. For more information, see EPIC FTC page. (Sep. 16, 2009) - EPIC Urges Appeals Court to Protect Prescription Data
EPIC filed a friend of the court brief in the Court of Appeals for the Second Circuit today, urging the judges to uphold a Vermont law that regulates companies that sell or use prescriber-identifiable data for marketing. Several data-mining companies challenged the law after it was upheld by a district court. EPIC's amicus brief supports the district court's conclusion. The EPIC brief argues that Vermont has a substantial state interest in privacy protection and that the data miners' de-identification practices do not, in fact, protect patient privacy. For more, see IMS Health v. Sorrell and EPIC Medical Privacy. (Sep. 15, 2009) - California Moves to Strengthen Data Breach Law
The California State Legislature passed S.B. 20, a bill that would improve California's current security breach notification law. Senator Joe Simitian said S.B. 20 "is designed to make a good law better." Under current California law, a company that loses unencrypted personal information must notify affected consumers of the security breach. If signed by Governor Schwarzenegger, S.B. 20 would require that notifications include information that helps consumers safeguard their privacy. The bill is one more example of the many state efforts to address the growing problem of security breaches. In May, EPIC testified in Congress on the need to improve security breach notification. (Sep. 15, 2009) - European Privacy Seal Awarded to Online Ad Service and Video Anonymizer
The European Privacy Seal (EuroPriSe) has been awarded to two privacy services, following a review by privacy experts and an independent body. The first EuroPriSe was awarded to German company nugg.ad's Predictive Targeting Networking service, an online advertising service that follows principles of data avoidance and minimization by not maintaining multi-website tracking profiles, deleting IP address records, and offering a blocking cookie for users to opt out. The second certification was awarded to Austrian company Kiwi Security's KiwiVision Privacy Protector, a software module that performs real-time anonymization of video data by obfuscating faces, license plates, and other identifying imagery. For more on Privacy Enhancing Technologies, see EPIC Practical Privacy Tools. (Sep. 11, 2009) - New Report on Government Secrecy Released
The 2009 Secrecy Report Card, from Openthegovernment.org, chronicles slight decreases in government secrecy during the last year of the Bush-Cheney Administration. The report, released by a coalition of more than 70 open government advocates, also provides an overview of the Obama Administration’s proposed transparency policies. Among the issues discussed are the Open Government Directive, Classified Information, the Freedom of Information Act (FOIA) memo, signing statements, and the state secrets doctrine. For more on open government and transparency, see EPIC Open Government. (Sep. 11, 2009) - EPIC Gives Obama Administration Mixed Grades for Privacy
EPIC released the Privacy Report Card for the Obama Administration at a morning briefing held at the National Press Club. EPIC gave the Administration an “Incomplete” for Consumer Privacy, A- for Medical Privacy, C+ for Civil Liberties, and a B for Cyber Security. Privacy Coalition members participating in the event included US PIRG, Consumer Federation of America, the Liberty Coalition, Association of American Physicians and Surgeons, and the Bill of Rights Defense Committee. In December 2008, the Privacy Coalition urged the new Administration to address growing public concerns about privacy protection. For more information, see EPIC's Consumer Privacy Issue Page. (Sep. 9, 2009) - Obama Administration Privacy Report Card Scheduled for Release at the National Press Club
EPIC will release a Privacy Report Card at the National Press Club on Wednesday, September 9, 2009. Grades will be given to the Obama Administration for Consumer Privacy, Medical Privacy, Civil Liberties, and Cybersecurity. A panel of experts will speak. In December 2008, the Privacy Coalition urged the President to address key privacy issues. For more information, see EPIC Media Alert. (Sep. 8, 2009) - White House Announces New Transparency Policy for Visitor Logs
Today the White House announced a new policy to release the records of White House visitors, an initiative that is intended to promote open government. The White House will release information on all individuals who come to the White House for an appointment, a tour, or to conduct official business, with certain exceptions for confidential or particularly sensitive meetings. The White House agreed not to release visitors' personal information, such as dates of birth, social security numbers, or contact phone numbers. However, the White House will release the names of tourists and other visitors who are not meeting with government officials, which raises privacy questions. For more information, see EPIC's Open Government page. (Sep. 4, 2009) - EPIC Moves to Intervene in Google Book Settlement, Cites Absence of Privacy Safeguards
Today, EPIC filed papers in federal district court on the proposed settlement between Google, authors, and publishers. The Google Books settlement would create a single digital library, operated by Google, but currently fails to limit Google's use of the personal information collected. EPIC stated that the settlement "mandates the collection of the most intimate personal information, threatens well-established standards that safeguard intellectual freedom, and imperils longstanding Constitutional rights, including the right to read anonymously." EPIC further warned that the Google Books deal "threatens to eviscerate state library privacy laws that safeguard library patrons in the United States." EPIC has previously participated as a "friend of the court" in many cases involving privacy issues. PRESS RELEASE - Media Call at 1 pm ET, Friday (9/4/09). For more information, see EPIC Google Books Settlement and Privacy. (Sep. 4, 2009) - Federal Trade Commission Issues Statements on Google Books Settlement and Privacy
With the Google Books Settlement now under consideration in federal court, FTC Chairman Jon Leibowitz today issued a statement, calling attention to privacy concerns and the vast amount of consumer information that could be collected. The Chairman expressed the Commission's commitment to evaluating the privacy issues presented by Google Books, a sentiment that was echoed by Commissioner Pamela Jones Harbour in her statement. In a separate letter, FTC Consumer Protection Director David C. Vladeck urged Google to address consumer privacy concerns and to limit the secondary use of user data. For more information, see EPIC Google Books Settlement and Privacy. (Sep. 4, 2009) - Privacy Groups Call for New Safeguards for Online Advertising
A coalition of consumer organizations is urging Congress to adopt new legislation for behavioral tracking and ad targeting. Led by the Center for Digital Democracy, the groups say that self-regulation has failed to protect privacy. The consumer groups have issued Principles on Online Behavioral Tracking and Targeting and an overview. Earlier this year, the FTC recommended new principles for online advertising but stopped short of recommending legislation. (Sep. 1, 2009) - Trade Commission Prohibits Robocalls
The Federal Trade Commission is prohibiting commercial telemarketing calls to consumers after September 1, 2009. The agency amended the Telemarketing Sales Rule, which imposes a penalty of $16,000 per call, to cover sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages. The Telemarketing Rule is authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act. The new rule does not prohibit informational messages or calls by politicians, banks, telephone carriers, and charities. EPIC has urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See also EPIC Telemarketing and Telephone Consumer Protection Act. (Aug. 28, 2009) - Homeland Security Privacy Office Okays Suspicionless Seizure of Personal Information Stored on Digital Devices of US Citizens
The Department of Homeland Security released a Privacy Impact Assessment for searching electronic devices possessed by travelers, including US citizens, at US borders. The agency determined that laptops and cell phones are equivalent to briefcases and backpacks and granted itself broad authority to seize these devices from travelers and to copy stored data whether or not wrongdoing is suspected. The DHS policy fails to comply with the intent of the federal Privacy Act and leaves US citizens returning to the United States subject to surveillance by government and an enhanced risk of identity theft. See EPIC Traveler Privacy. (Aug. 28, 2009) - Following Canadian Investigation, Facebook Upgrades Privacy
The Canadian Privacy Commissioner issued a report last month raising concerns over Facebook business practices. The Office asked the social networking firm to cease the sharing of user information with application developers, clarify the policy on deactivation and deletion of accounts, protect the personal information of non-users, and "memorialize" the account of deceased users. In complying with the Commissioner's report, Facebook will include new notifications, update its Privacy Policy, and implement technical changes to enable more user control over information accessed by third-party applications. EPIC had previously raised similar concerns about the use of Facebook data by application developers. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 28, 2009) - FTC Issues Final Breach Notification Rule for Electronic Health Information
The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft. (Aug. 21, 2009) - Canadian Privacy Commissioner's Deadline for Facebook Arrives, Some Changes are Made at the Social Network Company
In mid-July, the Canadian Privacy Commissioner released a report recommending several changes to Facebook's business practices. The Commissioner's Office advised the social networking firm to limit application developers' access to user information, and inform users specifically about the nature and use of shared information. The Office also said that deactivated account information should be deleted, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy last week and has asked application developers to respect user privacy settings. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 17, 2009) - EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing
In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009) - EPIC Urges Administration to Maintain Cookie Ban, Uphold Privacy
EPIC submitted comments to the Office of Management and Budget recommending that the existing ban on the use of cookies at federal government websites be maintained. The OMB is considering a policy change that will encourage tracking of users who visit government websites. EPIC also proposed several safeguards if the new framework on persistent identifiers is adopted. For more information, see EPIC Cookies and EPIC Privacy and Consumer Profiling. (Aug. 11, 2009) - Senators Consider PATRIOT Act Reforms
Senators Russ Feingold (D-WI) and Dick Durbin (D-IL) are drafting legislative reforms to revise the USA PATRIOT Act. The USA PATRIOT Act allows authorities to conduct surveillance without judicial review through the use of National Security Letters. The Senators asked the Attorney General and the Chairmen of the Senate Judiciary and Intelligence Committee to consider two previous bills that add protections to the PATRIOT Act. Pursuant to an EPIC lawsuit, a federal judge had ordered the Justice Department to provide for independent judicial inspection of documents relating to warrantless wiretapping. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters. (Aug. 7, 2009) - Senate Confirms Sotomayor for Supreme Court
The United States Senate voted 68-31 to confirm Judge Sonia Sotomayor to be an Associate Justice of the United States Supreme Court. The full Senate vote was held after the Senate Judiciary Committee approved her nomination, 13-6, at an executive business meeting on July 28, 2009. As a judge on the Second Circuit, Judge Sotomayor has ruled on various cases affecting privacy. EPIC has an extensive page on Judge Sotomayor's view on privacy and other related issues. For more information, see EPIC Sotomayor and Privacy. (Aug. 6, 2009) - White House Seeks Comments on Web Tracking, EPIC Urges Ban be Maintained on Persistent Identifiers
The Office of Management and Budget is seeking public comments on the use of Web tracking techniques on federal government websites. Government agencies are currently prohibited from using persistent identifiers, such as cookies, except when there is a compelling need. EPIC, in comments to the President's Office of Science & Technology, said that the government should not track users who are seeking online access to public information. EPIC is also pursuing a FOIA request concerning the transfer of personal information collected by federal agencies to private vendors. Comments are due to OMB by Aug. 10, 2009. Suggestions may also be submitted at the OSTP blog. For more information on persistent tracking, see EPIC Cookies. (Jul. 27, 2009) - Privacy Opposition to Google Books Settlement Grows
Civil liberties organizations are urging Internet users to tell Google to adopt privacy protections for the Google Book Search. A judge in New York will determine later this year whether to approve the proposed settlement that would establish the service and give Google access to detailed personal information without any privacy safeguards. For more information, see EPIC Google Books Settlement and Privacy. (Jul. 23, 2009) - New Cybersecurity Legislation Introduced in Congress
Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page. (Jul. 23, 2009) - Senate Judiciary Committee Considers National Biometric Identification System
Senator Schumer (D-NY) is proposing a new system to track all US workers to determine employment eligibility. The plan for the employment verifiability system involves the collection of biometric information. The Department of Homeland Security would approve or disapprove individuals for employment. Automated biometric identification systems raise questions about the scalability, reliability, accuracy, and security of the data collected. See EPIC Biometric Identification. (Jul. 22, 2009) - Canadian Privacy Commissioner Holds that Facebook Must Strengthen Privacy Safeguards
The Office of the Privacy Commissioner of Canada today released a Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic against Facebook Inc. The complaint, filed under the Personal Information Protection and Electronic Documents Act, contained twenty-four allegations concerning a range of Facebook business practices, including Default Privacy Settings, Advertising, and Third-Party Applications. The Commissioner found that Facebook has taken some steps to address privacy, but that more safeguards are necessary. Facebook has 30 days to respond. See EPIC Facebook Privacy and EPIC Social Networking Privacy. (Jul. 16, 2009) - EPIC LiveTweeting Sotomayor Hearing
EPIC Executive Director Marc Rotenberg, a former counsel to the Senate Judiciary Committee, is tweeting the Sotomayor nomination hearing this week. The tweets cover #privacy #sotomayor and #scotus. Recap and updates available at @privacy140. EPIC has prepared an extensive background page on Judge Sotomayor. See EPIC Nomination of Judge Sotomayor. (Jul. 16, 2009) - Sotomayor Hearings Begin
The Senate Judiciary Committee hearings begin this week for Judge Sonia Sotomayor, who has been nominated for the United States Supreme Court. EPIC has prepared an extensive page on the nomination process and the notable cases of Judge Sotomayor on privacy, open government, and the First Amendment. See EPIC Nomination of Judge Sotomayor. (Jul. 13, 2009) - Inspector Generals Release Report on President's Surveillance Program
The Inspector Generals of the Intelligence Community released a report on the President's Surveillance Program. The report summarizes the unclassified collective results of the reviews. The Program involved the massive, warrantless surveillance of Americans in the United States. The IG Report finds that the absence of effective oversight contributed to the ineffectiveness of the program. In December 2005, EPIC had requested the legal opinions that were prepared to justify the program. The government has refused to produce many key documents, and EPIC sued under the Freedom of Information Act. In March this year, the Attorney General released several related memos, which previously were secret, following President Obama's statement on government transparency. See EPIC FISA, EPIC Surveillance FOIA, EPIC Wiretapping, and EPIC National Security Letters. (Jul. 10, 2009) - Administration Will Require E-Verify for All Federal Contractors
The Obama Administration announced that it is moving forward with a plan to require all federal government contractors and subcontractors to verify employment eligibility with the federal government. The program known as E-Verify is run by the Department of Homeland Security. E-Verify operated as a voluntary employment verification system, and served about 3,000 employers. In 2007, EPIC testified in Congress that the employment eligibility database is filled with errors and warned that determination errors are likely. The Administration also said it would rescind the use of the "No Match" requirement. See EPIC E-Verify. (Jul. 10, 2009) - Privacy Commissioners Conference Program Announced
The 31st international conference of data protection and privacy commissioners will be held in Madrid, Spain, November 4-6, 2009. The program and registration details for "Privacy Today is Tomorrow" are now available. A wide range of speakers from government, industry, and civil society will be participating. The Public Voice will host a civil society conference on November 3 - "Global Privacy Standards for a Global Economy." (Jul. 7, 2009) - Facebook to Change User Privacy Settings
Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in terms of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy. (Jul. 1, 2009) - Supreme Court Maintains California Financial Privacy Law
Today the Supreme Court denied review of the California law that provides customers with privacy safeguards for financial data. The law limits the sale of personal information by financial firms to affiliates, and imposes opt-in requirements. The Ninth Circuit upheld substantial portions of the California Financial Information Privacy Act. EPIC filed a brief in that case favoring the law. Financial firms argued that the California statute conflicts with other federal rules. The Justice Department recommended that the Supreme Court leave the state statute in place. See EPIC ABA v. Brown and EPIC Privacy and Preemption Watch. (Jun. 29, 2009) - House Committee Opens Investigation into Clear Data
Leaders of the House Homeland Security Committee sent a letter to the Transportation Security Administration regarding the bankruptcy of Verified Identity Pass, the parent company for the Clear registered traveler (RT) program. Clear was the largest RT program in the nation operating out of 20 airports with about 165,000 members. The TSA established RT security, privacy and compliance standards for the Clear program and bolstered the company's credentials with the traveling public. The Clear RT application process collected a great deal of personal information from members, such as proof of legal name, date of birth, citizenship status, home address, place of birth, and gender. The information was used to pre-screen travelers for express service through airport security checkpoints. The committee is investigating among other things: when the TSA became aware of the bankruptcy; whether they have asked the company for its plan regarding its RT data; if the agency is seeking a privacy impact assessment on the bankruptcy; and whether the agency has a contingency plan for safeguarding the data now that the company has gone out of business. See EPIC Air Travel Privacy and EPIC Secure Flight. (Jun. 29, 2009) - Supreme Court Lets Stand New Hampshire Prescription Privacy Law
The Supreme Court refused to hear a challenge to the Prescription Confidentiality Act, which prohibits the sale of prescription information. The First Circuit had upheld the ban on the sale of such information. EPIC and 16 experts in privacy and technology filed a "friend of the court" brief, in support of the law, detailing the substantial privacy interests in de-identified patient data. The petitioners claimed that the law infringed on their free speech rights. See EPIC IMS Health v. Ayotte. (Jun. 29, 2009) - Rod Beckstrom to Head ICANN
The Internet Corporation for Assigned Names and Numbers appointed Rod Beckstrom as its new CEO and president. ICANN manages the administration of the internet including assignment of domain names, IP addresses, preserving operational stability, and developing policies. Beckstrom is an author, entrepreneur, non-profit board member, and expert in decentralized organizations. He resigned as the Director of the National Cybersecurity Center in March 2009 warning of the increasing role of the National Security Agency in domestic security. See EPIC DNSSEC, EPIC WHOIS and The Public Voice. (Jun. 29, 2009) - Supreme Court: Strip-Search of Teenager Violated Constitutional Rights
The Supreme Court delivered an 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter writing for the Court held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy. (Jun. 25, 2009) - TSA Responds to Whole Body Imaging Objections
The Transportation Security Administration has replied to the Privacy Coalition statement on whole body imaging systems. The agency claims that the Privacy Impact Assessment (PIA) provides adequate protection. The Privacy Coalition letter pointed out that "the devices are designed to capture, record, and store detailed images of individuals undressed" and said that "If the public understood this, they would be outraged by the use of these devices by the US government on US citizens." The Privacy Coalition said that the use of the devices should be suspended pending an investigation. The letter was prompted by the TSA's announcement that Whole Body Imaging would replace metal detectors as the primary screening technique at US airports. The House of Representatives recently passed legislation that would establish clear privacy safeguards for the devices. See also EPIC's page on Whole Body Imaging. (Jun. 23, 2009) - Airport Security Program Closes Operations - What Happens to the Data?
Verified Identity Pass, a company that provided the Registered Traveler program under the brand name "Clear," shut down operations on June 22, 2009, citing inability to "negotiate an agreement with its senior creditor." The Clear program allowed travelers who had undergone an extensive background check to go through special security lines at airports. The screening process required extensive data collection, including biometric identifiers, from passengers. The closure raises concern about the transfer of the customer data, which may be attached by creditors in a bankruptcy proceeding. Clear's Privacy Policy is silent on the issue. At a 2005 Congressional hearing, EPIC warned that the absence of Privacy Act safeguards would pose a security risk to Clear customers. See also EPIC's page on Registered Traveler Card. (Jun. 23, 2009) - Supreme Court Rejects DNA Access to Prove Innocence
In a 5-4 decision, the Supreme Court rejected the constitutional right of a convicted individual to access his DNA to prove innocence. Chief Justice Roberts held that the task of harnessing "DNA's power to prove innocence without unnecessarily overthrowing the established system of criminal justice...belongs primarily to the legislature." Justice Stevens, writing for four of the justices in dissent, said that "a decision to recognize a limited right of postconviction access to DNA testing would not prevent the States from creating procedures [to] ensure [] that [it] is nonarbitrary." EPIC has filed several amicus briefs advocating limits on the collection and use of genetic material. However, EPIC has also stated that DNA evidence should be available to prove innocence. See EPIC's pages on District Attorney's Office v. Osborne and Genetic Privacy. (Jun. 19, 2009) - EPIC Urges Comprehensive Strategy for ID Theft
With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft. (Jun. 17, 2009) - European Advisory Group Issues Opinion on Social Networking
The European expert group on data protection and privacy issued guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy. (Jun. 17, 2009) - Expert Group Asks Google to Improve Cloud Computing Privacy
A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing. (Jun. 16, 2009) - Senators Take a Pass on REAL ID
Senators Daniel K. Akaka (D-HI) and George V. Voinovich (R-OH) have introduced the Providing for Additional Security in States' Identification Act of 2009. PASS ID, should it become law, would replace the controversial REAL ID Act of 2005. The REAL ID Act has faced ongoing criticisms from state governments, technical experts, and privacy advocates. In 2007 EPIC and the Privacy Coalition organized a national campaign against REAL ID implementation. The PASS ID proponents say the bill follows the recommendations of the 9/11 Commission for improving the security of drivers licenses while avoiding the problems of REAL ID. For more information on National ID, visit EPIC National ID and the REAL ID Act page. (Jun. 16, 2009) - Sotomayor Nomination Hearings To Begin July 13
Senate Judiciary Committee Chairman Patrick Leahy has set Judge Sonia Sotomayor’s Supreme Court nomination hearings for July 13. Judge Sotomayor is currently a Judge for the Second Circuit and was formerly a District Court judge in New York. EPIC has launched a new web page providing background on the nomination process, brief summaries of Sotomayor’s opinions that are relevant to privacy law, and various commentaries. (Jun. 11, 2009) - Rep. Markey, Paul Smith, D.J. Caruso Receive 2009 EPIC Champion of Freedom Awards
On the occasion of EPIC's 15th anniversary, EPIC awarded the 2009 Champion of Freedom Awards to Congressman Edward Markey, Supreme Court litigator Paul M. Smith and Hollywood director and producer D.J. Caruso. Slate Supreme Court correspondent Dahlia Lithwick emceed the event. Congressman Markey is a leading champion of privacy protections for all Americans. Paul Smith, a partner with Jenner & Block, has argued groundbreaking cases in the Supreme Court, defending privacy, freedom of expression, and voting rights. D.J. Caruso is the director of the hit movie Eagle Eye, about identification, automation, and surveillance in Washington D.C. Calling the award "an incredible honor", Caruso thanked the people at EPIC who "dedicate their lives to educating Americans and preserving our right to privacy." (Jun. 10, 2009) - EPIC Calls on FCC to Continue Privacy Commitments for Broadband Deployment
In response to a request from the Federal Communication Commission concerning the future of the US Broadband Infrastructure, EPIC urged the FCC to secure the privacy interests of consumers and Internet users. EPIC recommended the Commission desist from collecting personal information, adopt robust privacy safeguards, avoid use of Deep Packet Inspection, and require protections for electronic medical records. EPIC noted the long tradition of establishing privacy protections as new communications technologies emerged in the United States. EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See EPIC's page on CPNI and Deep Packet Inspection and Privacy. (Jun. 9, 2009) - Obama Administration Recommends that Supreme Court Preserve California Financial Privacy Law, Dismiss Bankers' Appeal
In a filing this week, the Department of Justice urged the nation's highest court to leave intact California's financial privacy law, saying the law does not impose hardships on banks. The California law provides strong financial privacy safeguards, including the right to curtail sale of personal information by financial firms to affiliated companies, and to bar the sale of data to non-affiliates unless consumers explicitly "opt-in." A consortium of financial services companies have challenged the law and, in December 2008, asked the Supreme Court to consider the case. The firms argued that the California statute conflicts with other federal rules. The Supreme Court requested the Administration's view on the case, and has often followed the Department's opinions. Earlier in the litigation, EPIC urged a federal appeals court to uphold the California privacy law. For more information, see EPIC's ABA v. Brown and Privacy and Preemption Watch pages. (Jun. 5, 2009) - Congress Approves Bill Limiting TSA's Use of Whole-Body Imaging
Today, the House approved a bill that will limit the use of Whole-Body Imaging machines, installed by the Transportation Security Administration, in US airports. The devices photograph American air travelers stripped naked and could easily be programmed to record images. Congressman Jason Chaffetz (R-UT) sponsored the bill that will prohibit the use of the devices as the sole or primary method of screening aircraft passengers; require that passengers be provided information on the operation of such technology and offered a pat-down search in lieu of such screening; and prohibit the storage of an image of a passenger after a boarding determination is made. EPIC launched a campaign and a Facebook Group seeking to raise public awareness about Whole Body Imaging. See EPIC's Backscatter X-ray, Whole Body Imaging, and Air Travel Privacy pages. (Jun. 4, 2009) - Administration Moves to Second Phase of Open Government Directive
Last week, the White House received public comments in the First Phase of its open government proposal, "Brainstorming." The next phase, "Discussion," invites comments focusing on several transparency themes: principles, governance, access, data, and operations, to be followed by a series of posts on participation and collaboration. In the first phase, EPIC made five recommendations to promote government transparency and accountability. See EPIC's page on Open Government. (Jun. 3, 2009) - Congress Holds Open Markup Session on Data Breach Bill
The Committee on Energy and Commerce held an open markup session on the Data Breach Bill. The Chairman of the subcommittee intends to have a law that is strong and adequately protects consumers. EPIC testified before Congress on this bill, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. For more information, see EPIC's page on Identity Theft. (Jun. 3, 2009) - EPIC Endorses Better Approaches on Government Transparency
In response to President Obama's plan to develop a new open government policy, EPIC submitted comments recommending that users are not tracked on government sites; promoting open government; allowing meaningful public participation in government decisions; stopping commercialization of personal data; and the application of Privacy Act to all data collected by the Government. See also EPIC's page on Open Government and consider purchasing EPIC's FOIA litigation manual. (Jun. 3, 2009) - EPIC Urges Privacy Protections for Government's Use of Social Media
The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended applying Privacy Act protections to the data collected, prohibiting commercialization and sharing, and using a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy. (Jun. 3, 2009) - EPIC Urges Homeland Security to Stop Digital Strip-Searches
EPIC sent a letter to the Secretary of Homeland Security, Janet Napolitano, urging the suspension of the Whole Body Imaging program. The devices would capture detailed naked images of all passengers at US airports. EPIC and thirty organizations asked Napolitano to begin a formal rulemaking and investigate less invasive means of screening. EPIC has also launched a campaign and established a Facebook Group to stop the program. See EPIC's Backscatter X-ray, Whole Body Imaging, and Air Travel Privacy pages. (Jun. 2, 2009) - EPIC Submits Comments on Health Breach Notification to the FTC
The Federal Trade Commission proposed a rule requiring notification when the security of medical information is compromised. EPIC recommends that all entities handling health records be subject to standard security; tightening exemptions for de-identified data, enhancing media notification of health data breaches, ensuring additional breach notification through means such as text messages and social networking sites, and verification of receipt of notifications. See also EPIC's Page on Medical Privacy. (Jun. 1, 2009) - Despite Privacy Objections, Enhanced Identity Documents Required for Travel
The Western Hemisphere Travel Initiative went into effect today despite substantial privacy and security risks. The federal government now requires US citizens to present identity documents when entering the US. These documents incorporate RFID technology that jeopardizes the privacy and security of US travelers. EPIC has previously urged the State Department to abandon the proposal. Senator Leahy has also criticized the program. See also EPIC's Spotlight on Surveillance. (Jun. 1, 2009) - President Announces Privacy Safeguards for Cybersecurity Initiative
Today, the President announced the Administration’s Cybersecurity Policy. President Obama stressed privacy protections in several aspects of the new initiative, including the selection of a privacy and civil liberties officer. Anticipating concerns that the Administration would establish new surveillance mandates, President Obama pledged that “our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.” For more information, see EPIC’s web pages on critical infrastructure protection and the Computer Security Act of 1987. (May. 29, 2009) - White House Seeks User Comments on Government Transparency
The White House is seeking public comments on the open government proposal. President Obama's memorandum on Transparency and Open Government directed the Chief Technology Officer, the Office of Management and Budget, and the General Services Administration to develop these recommendations. The Open Government Directive will instruct executive departments and agencies on specific actions to implement transparency principles. The first phase of the initiative involves an online brainstorming session and comments are due by May 28, 2009. To learn more about transparency and open government, consider purchasing EPIC's FOIA litigation manual. (May. 21, 2009) - FBI's Use of FISA Increasing
In a report to Congress, the Justice Department revealed a substantial increase in the use of National Security Letters to acquire information on American citizens without court order. In 2008, the FBI made 24,744 NSL requests pertaining to 7,225 persons compared to 16,804 requests pertaining to 4,327 persons in 2007. The report also detailed 2,082 applications by the FBI to the Foreign Intelligence Surveillance Court for authority to conduct surveillance and physical searches. An earlier audit had revealed that some "blanket-NSLs" did not document the relevance of the information sought to a national security investigation and the statistics were not reported to the Congress. For more information, see EPIC's Page on Foreign Intelligence Surveillance Act, National Security Letters, and Wiretapping. (May. 20, 2009) - EPIC Launches Campaign to Suspend 'Whole Body Imaging' at Nation's Airports
EPIC announced a national campaign today to suspend the use of "Whole Body Imaging" -- devices that photograph American air travellers stripped naked in US airports. The campaign responds to a policy reversal by the TSA which would now make the "virtual strip search" mandatory, instead of voluntary as originally announced. EPIC and others say that there are inadequate safeguards to prevent the misuse of the images. They are asking Homeland Security Secretary Janet Napolitano to suspend the program and to allow for public comment. For more information, see EPIC's Backscatter X-ray, Whole Body Imaging page. (May. 18, 2009) - European Commission Sets Out RFID Privacy Guidelines
The European Commission has announced Recommendations and provided a Citizens Summary for the implementation of privacy and data protection safeguards for radio-frequency identification. RFID applications transfer personal data wirelessly between an embedded tag, typically in an ID card or product, and a reader. Many privacy concerns have been raised. The EC Recommendations reaffirm the privacy rights and obligations in the European Privacy Directives. The guidance directs organizations to perform privacy impact assessments, apply risk minimization techniques, and inform individuals about RFID. In the US, EPIC has urged strong consumer protections for RFID before the Alaska and New Hampshire state legislatures, the Federal Trade Commission and the DHS on the use of RFID embedded passports. For more information, see EPIC's page on Radio Frequency Identification (RFID) Systems. (May. 13, 2009) - State Courts Split on Warrantless GPS Tracking
Today, the New York Court of Appeals ruled that police must obtain a warrant before installing GPS tracking devices on individuals' vehicles. The decision prohibits law enforcement from secretly using GPS trackers to compile comprehensive travel histories on citizens without a warrant. The case follows last week's Wisconsin Appeals Court decision authorizing warrantless GPS surveillance by police. Other states have split on the application of a warrant requirement. On April 20, 2009, EPIC filed a brief in Commonwealth v. Connolly, urging the Massachusetts Supreme Judicial Court to require a warrant before police track drivers using concealed surveillance technology. The EPIC brief warned that warrantless GPS tracking "raises the specter of mass, pervasive surveillance without any predicate act that would justify this activity." For more information see EPIC's Commonwealth v. Connolly page. (May. 12, 2009) - Justice Department Restores Antitrust Enforcement
Speaking at the Center for American Progress, Assistant Attorney General Christine Varney announced that the Antitrust Division will be "aggressively pursuing cases where monopolists try to use their dominance in the marketplace to stifle competition and harm consumers." Ms. Varney withdrew a 2008 Department report on monopolization offenses that generally allows monopoly practices to go unchallenged. In 2007, EPIC objected to the merger of Internet advertisers Google and Doubleclick, arguing that it was vital to impose privacy safeguards and to preserve advertising options for web publishers. For more information, see EPIC, "Privacy? Proposed Google/Doubleclick Deal." (May. 11, 2009) - EPIC Testifies Before Congress on Data Breach Bill, Urges Changes to Strengthen Act
EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act, which would require security policies for consumer information, regulate the information broker industry, and establish a national breach notification law. Rotenberg said "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences." The EPIC Director opposed the preemption of stronger state laws, and recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that "identifies or could identify a particular person." To learn more about Identity Theft, see EPIC's Identity Theft page. (May. 5, 2009) - DHS Seeks Nominations to the Agency's Data Privacy and Integrity Advisory Committee
The Department of Homeland Security is seeking applications for appointments to the agency's Data Privacy and Integrity Advisory Committee. The committee provides advice at the request of the Secretary of DHS and the agency's Chief Privacy Officer on privacy related matters. The agency is seeking to fill two terms that would expire in January 2012, and January 2013. Applications for the positions must be received by the agency on or before June 8, 2009. For more information, see: EPIC's Web page Spotlight on Surveillance. (May. 5, 2009) - For Identity Theft Law, Supreme Court Rules that the Government Must Prove Intent to Impersonate
In a critical case for the emerging field of identity management, the Supreme Court today reversed a lower court opinion and ruled unanimously in favor of the petitioner. The Court held that individuals who provide identification numbers that are not their own, but don’t intentionally impersonate others, cannot be subject to harsh criminal punishments under federal law. The case involved a mandatory 2-year prison term, added on to a prior conviction, for presenting a fake Social Security Number to an employer. EPIC filed an amicus brief in support of the petitioner, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft." For more information, see EPIC, Flores-Figueroa v. United States. (May. 4, 2009) - EPIC Seeks Government Agreements with Social Networking Companies
EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing. (Apr. 30, 2009) - EPIC Urges Greater Accountability for Network Surveillance
Today, EPIC asked Senator Patrick Leahy to investigate the Department of Justice's failure to make public statistics detailing federal use of "pen registers" and "trap and trace" devices, which record "non-content" information about telephone calls, email and web traffic. In a letter to the Chairman of the Senate Judiciary Committee, EPIC observed that the Attorney General is required to provide to Congress detailed statistics concerning the use of these techniques. Yet, "the DOJ does not publicly disclose pen register reports as a matter of course." EPIC also raised questions regarding the agency's compliance with reporting requirements for the period 2004-2008. The lack of public accountability for these network monitoring techniques contrasts with the U.S. Courts' routine public reporting of federal wiretaps, EPIC said. The Courts released the most recent wiretap report on April 27, 2009. For more information, see EPIC's Wiretapping page. (Apr. 29, 2009) - Applications for Court Approved Wiretaps Down in 2008
According to the 2008 Wiretap report, federal and state courts issued 1,891 orders for the interception of wire, oral or electronic communications in 2008, down from 2,208 in 2007. (Dept. of Justice Press release.) As in the last three years, no applications for wiretap authorizations were denied by either state or federal courts. The total number of authorized wiretaps had grown in each of the six past calendar years, beginning in 2003. The 2008 Wiretap Report does not include interceptions regulated by the Foreign Intelligence Surveillance Act or interceptions approved by the President outside the exclusive authority of the federal wiretap law and the FISA. See EPIC Wiretapping page and EPIC Title III Orders. (Apr. 28, 2009) - Privacy and Consumer Groups Seek New FTC Commissioner
EPIC joined other privacy and consumer organizations on a letter to President Obama urging the appointment of a pro-consumer Commissioner to the Federal Trade Commission (FTC). The groups called for the appointment of someone with a “distinguished record of achievement in consumer affairs, with a demonstrated commitment to protecting the public.” The Commission has been one person short of its full membership since former Chair Deborah Platt Majoras left the agency last year. The President appointed Jon Leibowitz to serve as the current chair of the FTC. For more information, see EPIC’s page on the Federal Trade Commission. (Apr. 27, 2009) - Congressman Seeks Ban on Whole-Body Imaging at Airports
Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to "balance the dual virtues of safety and privacy." The TSA recently announced plans to make the scanners, which capture a detailed picture of travelers stripped naked, the default screening device at all airport security checkpoints. For more information, see EPIC's Whole Body Imaging page. (Apr. 24, 2009) - Facebook Gets Ready to Adopt Terms of Service
Facebook has announced the results of the vote on site governance. The initial outcome indicates that approximately 75 percent of users voted for the new terms of service, which include the new Facebook Principles and Statement of Rights and Responsibilities. Under the new Principles, Facebook users will "own and control their information." Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. EPIC supports the adoption of the new terms. For more information, see EPIC's page on Social Networking Privacy. (Apr. 24, 2009) - EPIC Urges Congress to Act on Internet Privacy
In testimony before a Congressional Committee, EPIC Director Marc Rotenberg urged lawmakers to address the growing threat to online privacy of new tracking techniques. Mr. Rotenberg said, "From the user perspective, the threats to privacy online are increasing. Unregulated data collection continues. Privacy policies are opaque and ineffective. Users are unable to exercise any meaningful control over the personal information that is obtained by firms when they visit sites, purchase online, or participate in the rapidly growing world of social networking." EPIC warned that these practices also pose a threat to technical standards that are necessary to protect network integrity, as well as the revenue of web publishers. For more information, see EPIC's page on Deep Packet Inspection and NCTA v. FCC. (Apr. 23, 2009) - Supreme Court Hears Case on Strip-Search of Young Student by School Officials Looking for Advil
The Supreme Court heard a case involving a traumatic strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet. The search was conducted based on an allegation by another student, who had been caught with drugs. A federal appellate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The school appealed to the Supreme Court and argued that the search was reasonable and the school official had qualified immunity. The respondent student replied that the search was highly invasive and the official should be held responsible. See also EPIC's page on Student Privacy. (Apr. 21, 2009) - Facebook Seeks Vote on Site Governance
In February, Facebook announced that it was opening its site governance to user voting after the new Terms of Service were widely criticized, and were to be the subject of an EPIC complaint to the Federal Trade Commission. Facebook restored the old terms and sought user feedback on the new Facebook Principles and the Statement of Rights and Responsibilities. These governing documents have now been updated to reflect feedback from users and experts. The voting to adopt the new terms or to maintain the previous terms is now open till April 23, 11:59 a.m. PDT. For more, see the efforts of People Against the New Terms of Service, and EPIC's Social Networking Privacy page. (Apr. 20, 2009) - EPIC Urges Massachusetts High Court to Protect Drivers From Warrantless Tracking by Law Enforcement, Warns of "Pervasive Mass Surveillance"
Today, EPIC filed a "friend of the court" brief in the Massachusetts Supreme Judicial Court, urging the Justices to require a warrant before police covertly track drivers using concealed surveillance technology. In Commonwealth v. Connolly, the Court will determine whether the police must obtain a search warrant before covertly installing location tracking devices on individuals' cars. The systems record a vehicle's location and speed around the clock, and transmit the data to police. EPIC said the proliferation of police tracking devices "creates a large, and largely unregulated, repository containing detailed travel profiles of American citizens." The EPIC brief warned that "law enforcement access to such information raises the specter of mass, pervasive surveillance without any predicate act that would justify this activity." For more, see EPIC's Commonwealth v. Connolly page. (Apr. 20, 2009) - Senate to Investigate NSA "Overcollection"
Senator Dianne Feinstein has announced that the Senate Intelligence Committee will hold a hearing on the National Security Agency's interception of phone calls and private e-mail messages of Americans. Recently, the New York Times reported that the NSA's activities went beyond the legal limits established by the Congress last year. EPIC has a related lawsuit asking a federal court to force the release of memos on the legal authority for domestic surveillance of American citizens. For more information, see EPIC's page on Freedom of Information Act Work on the National Security Agency's Warrantless Surveillance Program. (Apr. 17, 2009) - European Commission Seeks to Protect Internet Privacy
Following complaints about Phorm's Deep Packet Inspection Technology with UK internet service providers, the European Commission has opened a formal investigation. The EU e-Privacy and Data Protection Directives protect the confidentiality of communications by prohibiting interception and surveillance without the user's consent. Deep Packet Inspection allows internet service providers to intercept virtually all customers' Internet activity, including web surfing data and other Internet related activities. The Commission charges that the UK government could not permit this activity under European Union privacy law. In the US, Congressional leaders also objected to Deep Packet Inspection. For more information, see EPIC's page on Deep Packet Inspection and Privacy and Human Rights Report. (Apr. 14, 2009) - EPIC Demands Disclosure of Documents Detailing "Virtual Strip Search" Airport Scanners
Today, EPIC filed a Freedom of Information Act request demanding disclosure of records detailing airport scanners that take naked pictures of American travelers. Security experts describe the "whole body imaging" scanners as virtual strip searches. The Transportation Security Administration plans to make the scans mandatory at all airport security checkpoints, despite prior assurances that whole body imaging would be optional. EPIC's request seeks documents concerning the agency's ability to store and transmit detailed images of naked U.S. citizens. For more information, see EPIC's Whole Body Imaging page and EPIC's FOIA Litigation Manual. (Apr. 14, 2009) - FCC Proposes Nationwide Broadband Expansion, Seeks Public Comments on Privacy Safeguards
Today, the Federal Communications Commission announced that it will develop a plan to expand broadband access. The plan will attempt to "ensure that every American has access to broadband capability," and will be submitted to Congress in February 2010. The Commission seeks comments from the public concerning how to best safeguard consumers' privacy in the face of technologies such as deep packet inspection and behavioral advertising. Chairman Michael J. Copps identified priorities for the broadband expansion, including "avoiding invasions of people’s privacy." EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. For more information, see EPIC's pages on deep packet inspection. (Apr. 8, 2009) - Five Country Study Finds Diminished Protection for Anonymity
A new study by leading scholars from the USA, Canada, UK, Netherlands and Italy has revealed that laws are reinforcing technology's ability to undermine the anonymity of citizens. The law reveals a preference for legislation requiring people to submit to identification and an increasing encroachment of rules into areas where there were previously no regulations prohibiting anonymity. EPIC was a partner in the project. Consider purchasing the Lessons from the Identity Trail. For more information, see EPIC's page on Free Speech and Internet Anonymity. (Apr. 7, 2009) - European Parliament Adopts Report on Fundamental Freedoms and the Internet
The European Parliament adopted with 481 votes a report on Security and Fundamental Freedoms on the Internet. Expressing strong support for privacy, data protection, security and freedom of speech, the report called on Member States to make use of existing law, exchange best practices and draw up a series of regulations to protect privacy. The Parliament also urged Member States to update legislation to protect children using the Internet and called on the Council and Commission to develop a comprehensive strategy to combat cybercrime, identity theft and fraud. A draft of the report was released in January. See also EPIC's report on Privacy & Human Rights 2006. (Mar. 26, 2009) - Federal Trade Commission to Review EPIC Cloud Computing Complaint
The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC and EPIC's Cloud Computing Page. (Mar. 19, 2009) - Senators Introduce Open Government Bill, Celebrate Sunshine Week
Senators Patrick Leahy (D-Vermont) and John Cornyn (R-Texas) introduced legislation to improve government transparency and strengthen the Freedom of Information Act. The proposal comes during Sunshine Week, an annual celebration of open government. The OPEN FOIA Act of 2009 would reduce government secrecy by limiting the circumstances in which government records can be exempted from disclosure. "Excessive government secrecy is a constant temptation and the enemy of a vibrant democracy," Senator Leahy said. In 2007, Senators Leahy and Cornyn co-sponsored the OPEN Government Act, a law that imposed meaningful deadlines on federal agencies, created a FOIA Ombudsman, and provided "news media" standing for freelance journalists and bloggers. For more information, see EPIC's Litigation Under the Federal Open Government Laws. (Mar. 19, 2009) - Attorney General Issues New FOIA Guidelines
The Attorney General today set out new Freedom of Information guidelines pursuant to President Obama's memorandum directing all executive branch departments and agencies to maintain a presumption of openness in releasing information requested from them. In the memorandum, the Attorney General strongly encouraged agencies to make discretionary disclosures of information to the fullest extent possible. Rescinding the FOIA Memorandum of October 12, 2001, the Attorney General stated that the Justice Department will defend a FOIA request only if the disclosure would harm an interest protected by a statutory exemption or its disclosure is prohibited by law. The memorandum also directs that each agency is fully accountable for its administration of FOIA and should be mindful of their obligation to work "in a spirit of cooperation." For more information, see EPIC's Open Government page. (Mar. 19, 2009) - EPIC Petitions FTC to Investigate Google, Cloud Computing Services
EPIC has formally asked the Federal Trade Commission to open an investigation into Google's Cloud Computing Services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. (Mar. 17, 2009) - EPIC Celebrates Sunshine Week
Open government and media organizations throughout the country are celebrating Sunshine Week by highlighting the importance of government transparency. EPIC publishes the most comprehensive up-to-date manual on federal open government law. EPIC is pursuing Freedom of Information Act litigation to obtain government memos describing the legal basis for the warrantless wiretapping of American citizens by the Bush Administration. To learn more about your right to access government information, see EPIC's Open Government page and Litigation Under the Federal Open Government Laws 2008. (Mar. 17, 2009) - Cybersecurity Czar Steps Down, Warns of Growing NSA Influence
Rod Beckstrom, Director of the National Cybersecurity Center, has resigned. In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom warned of the increasing role of the National Security Agency in domestic security. The "intelligence culture is very different than a network operation or security culture... the threats to our democratic processes are significant if all top government network and monitoring are handled by any one organization... we have been unwilling to subjugate the NCSC under the NSA," wrote the former NCSC Director. The announcement follows Congressional testimony from the new Director of National Intelligence that the NSA should be responsible for network security. EPIC has long maintained that the NSA, though it plays a vital role in gathering foreign intelligence, should not be the lead agency for domestic network security because it also engages in extensive and unregulated spying. See EPIC Computer Security Act of 1987. (Mar. 9, 2009) - EPIC v. DOJ - EPIC Urges Court to Require Disclosure of Warrantless Wiretap Memos
EPIC, the ACLU, and the National Security Archive asked a federal court in Washington, DC to order the immediate disclosure of government memos describing the legal basis for the warrantless wiretapping of American citizens by the Bush Administration. The court is currently reviewing the documents, prepared by the Office of Legal Counsel, as part of an EPIC Freedom of Information Act lawsuit. This week, the Attorney General released several related memos, which previously were secret. The new release follows President Obama's recent statement on government transparency. "The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails," the President said. For more information, see EPIC v. DOJ. (Mar. 6, 2009) - Justice Department Releases Domestic Surveillance Memos and Opinions
Attorney General Eric Holder announced that the Department of Justice will make public memos and opinions concerning warrantless surveillance, and other controversial claims of Presidential authority, that were prepared in the wake of 9/11. The documents describe the legal basis for President Bush's domestic surveillance program. After learning of the warrantless wiretap program, EPIC sued the Department of Justice under the Freedom of Information Act to compel disclosure of legal memos concerning the program. Government lawyers subsequently disavowed the justifications for the warrantless surveillance. For more, see EPIC's "National Security Agency's Warrantless Surveillance Program" page. (Mar. 3, 2009) - Responding to Privacy Concerns, White House Drops YouTube for Broadcasting Presidential Speeches
Following protests that YouTube was creating persistent cookies for people who visited the White House web site, the latest Weekly Address of President Obama no longer secretly tracks White House visitors. Federal policy restricts the use of tracking cookies by federal agencies. Privacy concerns remain for media content delivered by Congressional offices. For more information, see EPIC's Cookies Page. (Mar. 2, 2009) - Homeland Security Secretary Proposes Increase in Spending for Domestic Surveillance Programs
Homeland Security Secretary Janet Napolitano testified before the House Committees on Homeland Security, and said that DHS plans to connect governmental databases containing personal information, expand the government's employment tracking system, promote passenger screening, use e-passports, employ watchlists and utilize contactless identity verification cards. EPIC has opposed Fusion Centers, the E-Verify program and the use of Backscatter X-Ray devices. EPIC has also objected to the use of RFIDs in passports, in Air Travel and in driver's licences. (Feb. 27, 2009) - Facebook Announces Governing Principles, Statement of Rights and Responsibilities
Today, Facebook proposed guidelines and a statement of rights and responsibilities governing its relationship with users. The social networking service called for user comment on the principles, which include "Ownership and Control of Information" and "Transparent Process." Facebook further committed to "open up Facebook so that users can participate meaningfully in our policies and our future." Facebook's announcement follows last week's abandonment of changes to its Terms of Service on the eve of an EPIC complaint to federal regulators. For more, see the efforts of People Against the New Terms of Service, and EPIC's "Social Networking Privacy" page. (Feb. 26, 2009) - Supreme Court to Hear Argument in "Identity Theft" Case, EPIC Urges Justices to Protect Privacy Enhancing Technologies
On Wednesday, the Supreme Court will hear arguments in a case that will determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsh criminal punishments under federal law. In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft." EPIC filed a "friend of the court" brief, on behalf of 17 legal scholars and technical experts, urging the Justices to protect techniques that allow individuals to safeguard privacy. EPIC explained that the crime of "identity theft" should require an intent to impersonate another. The EPIC brief urges the Court to avoid "a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful." For more, see EPIC's Flores-Figueroa v. United States page. (Feb. 23, 2009) - On Eve of EPIC Trade Commission Complaint, Facebook Backs Down on Revised Terms of Service
Hours before EPIC planned to file a complaint with the Federal Trade Commission regarding changes to Facebook's Terms of Service, the social network service announced that it will restore the original policy. The new Terms of Service were announced on Feb. 4, were widely criticized, and were to be the subject of the EPIC complaint. Facebook users observed that, under the revised policies, Facebook asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The EPIC complaint was supported by more than a dozen consumer and privacy organizations. Previous EPIC Complaints at the FTC have concerned Choicepoint, Microsoft Passport, and the Google-Doubleclick merger. For more, see EPIC's "Social Networking Privacy" page. Support EPIC's efforts to maintain your privacy in the social networking world. (Feb. 18, 2009) - American Recovery Act Includes Strong Medical Information Safeguards
President Obama signed the American Recovery & Reinvestment Act, which includes comprehensive safeguards for medical information. The Act prohibits the unauthorized sale of medical records and provides exceptions for research, public health and treatment. The Act also limits marketing, requires covered entities and business associates to keep an audit trail of personnel having access to the information, mandates policies setting standards for technology systems to restrict sensitive information, use data encryption and directs breach notifications. The new law prescribes monetary penalties for violations and requires monitoring of contracts and reporting on compliance. Patient Privacy Rights led the campaign for strong medical privacy protection. For more information, see EPIC's page on Medical Privacy. (Feb. 18, 2009) - Trade Commission Issues Voluntary Guidelines for Online Tracking, Targeting, and Advertising
Today, the Federal Trade Commission released voluntary guidelines for Internet advertising and behavioral targeting. The guidelines set out four principles: "1) transparency and consumer control; 2) reasonable security and limited data retention for consumer data; 3) affirmative express consent for material retroactive changes to privacy promises; and 4) affirmative express consent to (or prohibition against) use of sensitive data." There is no means to enforce the guidelines, and Commissioners Jon Leibowitz and Pamela Jones Harbour warned that they are insufficient to ensure consumers' privacy. Commissioner Harbour cautioned that the guidelines "focus too narrowly" and urged rulemakers to "take a more comprehensive approach to privacy." The guidelines are in part a response to EPIC's 2007 Complaint regarding the Google-Doubleclick merger raising concerns about the profiling of Internet users and the need to establish clear privacy safeguards as a condition of the merger. For more information, see EPIC's Complaint regarding the Google/DoubleClick merger and page Privacy? Proposed Google/DoubleClick Deal. (Feb. 12, 2009) - Report: Google Latitude Poses Significant Privacy Risks
Privacy International has identified a major security flaw in Google's new phone locational tracking service. According to the London-based organization, the tracking feature in Google Latitude can be easily enabled by anyone with access to the phone. Moreover, there is no simple way for a user to determine the tracking status of their phone. Questions have also been raised about Google's plan to use cell phone data location records for advertising purposes. For more information, see EPIC's page on Personal Surveillance. (Feb. 5, 2009) - National Academies Report Calls for New Approach to Medical Privacy
As the Congress considers establishing a national network for electronic health records, a report from the Institute of Medicine recommends a new approach to medical record privacy. "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research" finds that the current medical privacy regulations do not protect privacy and unnecessarily impede health research. The expert panel recommends revising research guidance, enhancing security for personally identifiable information, establishing trusted third parties for clearly defined research purposes, and developing new techniques that enable deidentification. The report also said it was vital to "Apply privacy, security, transparency, and accountability obligations to all health records used in research." EPIC Director Marc Rotenberg participated in the study project. For more information, see EPIC's Medical Privacy page. (Feb. 4, 2009) - EPIC, Freedom of Information Advocates Endorse President
EPIC joined Freedom of Information advocates from around the world in an Open Letter welcoming "President Obama's Initiative on Transparency." The organizations also supported the President's call for a "clear presumption in favor of disclosure of information." They called on "governments around the world to take similar action to promote transparency and respect for the right of access to information." For more information about open government, see EPIC's Open Government manual. (Jan. 29, 2009) - House Economic Recovery Bill Includes Privacy Safeguards for Medical Information
The American Recovery and Reinvestment Act of 2009, adopted by the House this week, includes strong privacy provisions ("Subtitle D - Privacy") for the proposed medical health network. Among the key provisions: a ban on the sale of health information, audit trails, encryption, rights of access, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process. Patient Privacy Rights has expressed support for the legislation. A similar bill, S. 336, is pending in the Senate. Senator Leahy has called for strong safeguards to protect America's health privacy. For more information, see EPIC's page on Medical Privacy. (Jan. 29, 2009) - EPIC Honors Stefano Rodotà
On the occasion of International Privacy Day, EPIC has given the "International Privacy Champion" Award to Stefano Rodotà, an eminent Italian jurist, who has profoundly influenced the public's understanding of human rights in the age of the Internet. The award from EPIC describes Professor Rodotà as "a powerful advocate for the rights of the citizen." Previous recipients of the EPIC Champion of Freedom Award include Senator Patrick Leahy and Professor Pamela Samuelson. Facebook users can Fan Stefano Rodotà. (Jan. 28, 2009) - Civil Society Launches Campaign for Privacy Convention
A coalition organized by the Public Voice is urging support for the Council of Europe Privacy Convention. At present, forty-one countries have ratified the Convention. The coalition is pushing for ratification in the countries that have not adopted the convention. In the United States, the Privacy Coalition has proposed a resolution for the U.S. Senate. According to one source, the "Convention has withstood the test of time by being adaptive and fairly rigorous. Today the principles of this agreement are being examined for their applicability to the collection and processing of biometric data." For more information, sign up for the International Privacy Day and see the EPIC report "Privacy and Human Rights". (Jan. 27, 2009) - Privacy Problems Plague New White House Web Site
While the public responded very favorably to the announcements this week from President Barack Obama, problems with the privacy practices of the new White House web site where the President's statements are posted emerged. One columnist noted a tracking feature associated with YouTube that violated a long-standing rule to limit the use of persistent cookies in the federal government. A second columnist, who noted a similar problem with YouTube and Congressional offices, said that subsequent changes to the White House privacy policy failed to resolve the problem. In posts to the Interesting People list, several other experts identified privacy related problems with the White House site. For general information about cookies and tracking, see EPIC's Cookies page. (Jan. 24, 2009) - Medical Privacy Legislation Moves Forward in Congress
On Thursday, the House Committee on Energy and Commerce approved Economic Recovery legislation that includes provisions for the adoption of health information technology and establishes standards for interoperability and privacy. Patient Privacy Rights is leading a coalition effort to establish strong privacy safeguards for American consumers. A hearing is scheduled for next Tuesday in the Senate Judiciary Committee. (Jan. 23, 2009) - President Obama Issues New Orders on FOIA
In his first 24 hours in Office, President Obama issued a series of Executive Orders. One of the Orders dealt with the Freedom of Information Act (FOIA) activity of federal government agencies. He stated that prior FOIA rules were governed by a "defensible argument" for not disclosing information to the public. The President said that, "Starting today, every agency and department should know that this administration stands on the side, not of those who seek to withhold information, but with those who seek to make it known." In other initiatives President Obama issued a suspension of legal proceedings against detainees being held in Guantanamo Bay. For more information, see EPIC's page on Former Secrets. (Jan. 21, 2009) - Supreme Court Refuses to Hear Internet Censorship Appeal
The Supreme Court denied the last appeal of the Government from an Appeals Court decision that turned down the enforcement of the Child Online Protection Act (COPA). COPA establishes criminal penalties for any online commercial distribution of material harmful to minors. The Appeals Court held COPA unconstitutional on the ground that COPA made every web communication provider abide by the most restrictive community's standards. EPIC had challenged the implementation of COPA over ten years ago and had been fighting the case along with the ACLU and the EFF. EPIC argued that COPA violated the First Amendment as well as privacy of the individual on the internet. For more information, see EPIC's page on ACLU v. Mukasey. (Jan. 21, 2009) - Federal Intelligence Court Rules Warrantless Wiretapping Legal
The Foreign Intelligence Surveillance Court of Review has ordered the release of a redacted opinion. The federal intelligence court ruled in August, 2008 that warrantless wiretapping of international phone calls and the interception of e-mail messages were permissible. Giving support to the Protect America Act, the Court found that "foreign intelligence surveillance possesses characteristics that qualify" for an exception in the interest of "national security". For more information, see EPIC's page on Foreign Intelligence Surveillance Act. (Jan. 15, 2009) - Supreme Court Permits Arrest Based on Police Database Error, EPIC Amicus Brief Cited in Dissent
In a 5-4 opinion, the Supreme Court has held that the police may use false information contained in a police database as the evidence for an arrest. Chief Justice Roberts held that, "when police mistakes are the result of negligence such as that described here, rather than systemic error or reckless disregard of constitutional requirements, any marginal deterrence does not 'pay its way.'" Justice Ginsburg, writing for four of the Justices in dissent, said that "negligent recordkeeping errors by law enforcement threaten individual liberty, are susceptible to deterrence by the exclusionary rule, and cannot be remedied effectively through other means." EPIC filed a friend of the court brief urging the Justices to ensure the accuracy of police databases, on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. The EPIC brief was cited by the Justices in dissent. See EPIC Herring v. US ("Concerning a Faulty Arrest Based on Incorrect Information in a Government Database"). (Jan. 14, 2009) - EPIC, Patient Advocates Urge Congress to "ACT" on Privacy
At a news conference today in Washington, DC, EPIC and more than 25 members of the Coalition for Patient Privacy urged Congress to include critical privacy safeguards for the medical record network that may be included in the economic stimulus plan. The Coalition partners are recommending that lawmakers "ACT" on privacy and provide Accountability for access to health records, Control of personal information, and Transparency to protect medical consumers from abuse. For more information, see Patient Privacy Rights and EPIC's page on Medical Privacy. (Jan. 14, 2009)
- Consumer Groups Urge Trade Commission to Investigate Mobile Marketing
The Center for Digital Democracy and the U.S. Public Interest Research Group filed a complaint with the Federal Trade Commission asking it to investigate the growing threat to consumer privacy in the mobile advertising world. Certain services track, analyze, and target the public and build secret profiles. Users are targeted based on their online behavior and their location. The complaint urges the Commission to define and clarify practices, review self-regulation, require notice and disclosure, and protect the public. Earlier, thirty Privacy Coalition members sent a letter to President-elect Barack Obama highlighting the importance of protecting consumer privacy in new network services. For more information, see EPIC's page on Privacy and Consumer Profiling. (Jan. 13, 2009)
- FCC Backs Off Net Filtering Plan
FCC Chairman Kevin Martin has said that he will not pursue a government-mandated content filter as part of a proposal for a nationwide free wireless broadband network. EPIC had opposed the provision and said that it would create a dangerous precedent that would encourage governments to limit access to unpopular or controversial speech. For more information on content filters, see the EPIC publication "Filters and Freedom" available at Powell's and Amazon. (Jan. 6, 2009)
- Data Breaches on the Rise in the US
A new report from the Identity Theft Resource Center found a 47 percent increase in data breaches in the United States over 2007. Noting 656 reported breaches at the end of 2008, the report identified the company, the category of breach and the number of records exposed. The Center concluded that most breached data was unprotected by either encryption or even passwords. According to the FTC, data breaches are the leading cause of identity theft. For more information, see EPIC's page on Identity Theft. (Jan. 6, 2009)