You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

Previous Top News: 2011


  • EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)

  • EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)

  • The Justice Department has blocked South Carolina's voter ID law, calling it a violation of the federal Voting Rights Act. The Department said the new photo ID requirements would disproportionately exclude eligible minority voters from federal elections. The South Carolina law prohibits voting by anyone who does not possess a state driver's license, US Passport, Military ID, or voter registration card. Many eligible voters who participated in the 2008 and 2010 elections may be prevented from voting in 2012. Earlier, EPIC filed an amicus brief in the Supreme Court, challenging an Indiana voter ID law. See EPIC: Voter Photo ID and Privacy and NCSL: State Voter ID Laws. (Dec. 28, 2011)

  • EPIC has asked a federal court to enforce a July 15, 2011 order requiring the Department of Homeland Security to take public comment on the agency's controversial airport body scanner program. As a result of an EPIC lawsuit, the DC Circuit Court of Appeals ruled that the agency violated federal law when it installed body scanners in airports for primary screening without first soliciting public input. In July, the Court ordered Homeland Security to "promptly" seek public comment, but the agency has failed to respond. EPIC, and a coalition of privacy and civil liberties organizations, first petitioned DHS to undertake a public rulemaking in 2009. This is EPIC's second motion to compel the agency to comply with the court's order. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Dec. 23, 2011)

  • EPIC filed papers urging a federal court to order the National Security Agency to disclose National Security Presidential Directive 54, a key document governing national cybersecurity policy. The directive grants the NSA broad authority over the security of American computer networks. But the agency has refused to make the document public in response to an EPIC Freedom of Information Act request. EPIC noted that "The NSA’s position amounts to a claim that the President may enact secret laws, direct federal agencies to implement those laws, and shield the content of those laws from public scrutiny." EPIC argued that the law "does not support such a sweeping result." For more, see EPIC v. NSA - Cybersecurity Authority. (Dec. 23, 2011)

  • EPIC submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. The proposed rule would revise the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of date of birth, gender, and ZIP code, and adding a data-breach notification requirement. EPIC previously testified before the Senate and filed comments with the agency. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Dec. 22, 2011)

  • EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to disclose internal agency records to former DHS employees, third party employers, and foreign and international agencies. DHS plans to disclose criminal conviction records, employee records, and foreclosures, about a broad category of individuals, including members of the public, individuals who file administrative complaints with DHS, and even individuals who are named parties in cases "in which DHS believes it will or may become involved." All of this information is protected under the federal Privacy Act, but the DHS proposes to invoke the "routine use" exemption to allow disclosure. EPIC said the plan would "undermine privacy safeguards set out in the Privacy Act and would unnecessarily increase privacy risks for individuals whose records are maintained by the federal government." EPIC also noted that the agency has failed to allow sufficient time to meaningfully consider public comment on the plan. For more information, see EPIC: the Privacy Act of 1974. (Dec. 22, 2011)

  • A document obtained by a European civil liberties organization indicates that the US Department of Commerce is actively opposing efforts by the European Union to update and strengthen its privacy law. The "Informal Note on Draft EU General Data Protection Regulation" argues that the proposed updates to the EU Data Protection Directive could adversely impact the "global interoperability of national and international privacy regimes." The US assessment follows a multi-year effort by the Europeans and others to establish a comprehensive framework for privacy protection, which the US has opposed, opting instead for "self-regulation." The European Digital Rights Initiative (EDRi) has prepared a brief analysis of the "most prominent exaggerations and misunderstandings in the US paper." For more information, see EPIC - "U.S. and European Consumer Groups Encourage Congress to Learn from EU Data Directive." (Dec. 22, 2011)

  • According to Wired, although the war in Iraq is officially over, US Central Command will retain a massive database with retinal scans, thumb prints, religious affiliation, as well as other personal data on millions of Iraqis. In 2007, EPIC, Privacy International, and Human Rights Watch sent a letter to then Secretary of Defense Robert Gates to warn that the collection of biometric data in the region poses a direct risk to human rights and could result in genocidal violence. The Defense Science Board also warned that the database could "become a hit list if it gets in the wrong hands." For more information, see EPIC - "Iraqi Biometric Identification System." (Dec. 21, 2011)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy. (Dec. 20, 2011)

  • Senators Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking Member of the Judiciary Antitrust Subcommittee, have sent a letter to FTC Chairman Jon Leibowitz, expressing concern about Google's business practices and the company's impact on competition in Internet search and commerce. In September, EPIC wrote to the FTC and described how Google biased YouTube search rankings to give preferential treatment to its own content following the acquisition of the Internet's largest video service provider. The EPIC letter preceded a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" EPIC testified before the Senate Antitrust Subcommittee in 2007 on Google's growing dominance of essential Internet services. (Dec. 20, 2011)

  • Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy. (Dec. 15, 2011)

  • EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement. (Dec. 13, 2011)

  • EU Justice Minister Viviane Reding warned this week at a speech in Brussels that a US plan for privacy self-regulation will "not be sufficient" to protect the flow of personal data between Europe and the United States. Reding also said that European companies were likely to rely on European cloud service providers as long as the US Patriot Act remained the law in the US. A draft of the European Union’s new General Data Protection Regulation is now available. The Regulation is a sweeping and comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. Meanwhile, a spokesperson for the White House again pledged that a long-delayed paper on privacy would soon be available. For more information, see EPIC: EU Data Protection Directive. (Dec. 7, 2011)

  • In response to a request from Congressman Melvin Watt (D-NC), EPIC sent a letter explaining that HR 2471, a bill to amend the Video Privacy Protection Act, would reduce privacy for Internet users by weakening the consent provision in current law. The proposal, backed by Netflix, would make the personal information of Facebook users more widely available. EPIC’s letter points out that the bill does not “modernize” the video privacy law, it simply makes it more difficult for users to protect their data. The bill is being rushed through Congress without a public hearing or debate. For more information, see EPIC: Video Privacy Protection Act. (Dec. 6, 2011)

  • The FTC has released the 2011 National Do Not Call Registry Data Book, which includes extensive information on the Do Not Call Registry as well as tips for consumers. Over 209 million telephone numbers are now listed on the Do Not Call Registry. In 2011, over 2 million consumers filed complaints over unwanted telemarketing calls. In announcing the Data Book, the FTC also warned consumers that scammers are calling consumers and claiming to sign them up for the National Do Not Call Registry. The FTC said that these calls were not coming from the Commission or the Registry, and that consumers should ignore them. For more information, see EPIC: Federal Trade Commission, or EPIC: Telemarketing and the Telephone Consumer Protection Act. (Dec. 5, 2011)

  • Over 30 organizations, including EPIC, have asked DHS Secretary Janet Napolitano to undertake an independent audit of the TSA to determine whether TSA airport screeners are engaged in racial profiling. According to news reports, TSA agents have subjected Mexican, Dominican, and Sikh travelers to additional screening based solely on race. In EPIC v. DHS, a federal court of appeals in July ordered the TSA to undertake a formal rulemaking, but the agency has yet to solicit comments from the public on its airport screening procedures. For more information, see EPIC: Air Travel Privacy and EPIC: Passenger Profiling. (Dec. 5, 2011)

  • The Department of Education has released final regulations concerning the Family Educational Rights and Privacy Act (FERPA). These regulations exceed the agency's legal authority and expose students to new privacy risks. The new rules permit educational institutions to release student records to non-governmental agencies without first obtaining parents' written consent. The new rules also broaden the permissible purposes for which third parties can access students' records without first notifying parents. The agency rules also fail to appropriately safeguard students from the risk of re-identification. In response to the Department of Education's request for public comments, EPIC submitted extensive comments to the agency in May 2011, addressing the student privacy risks and the agency's lack of legal authority to make changes to FERPA without explicit Congressional intent. For more information, see EPIC: Student Privacy. (Dec. 5, 2011)

  • The Senate has unanimously adopted an amendment authored by Senator Patrick Leahy (D-VT) to the National Defense Authorization Act. Senator Leahy's amendment will limit an overbroad legislative exemption to the Freedom of Information Act. The amendment requires the Secretary of Defense to consider whether the disclosure of critical infrastructure information would reveal vulnerabilities that would result in harm to government property or facilities, and whether the public interest in the disclosure of this information outweighs the government’s need to withhold the information. The Senate will vote on final passage of the National Defense Authorization Act later this evening. For more information, see EPIC: Open Government. (Dec. 5, 2011)

  • Over 20 organizations in the EU and the US have sent an open letter to the European Parliament, opposing a new agreement that would allow European companies to transfer the personal data of European travelers to the United States government in apparent violation of the EU Data Protection Directive. The European Court of Justice struck down the original Passenger Name Record (PNR) agreement in 2006 after members of the European Parliament charged that there was no legal basis to disclose the data to the US. The revised agreement is still subject to approval by the Parliament, which has also gained new legal powers since the earlier dispute. For more information, see EPIC: EU-US Airline Passenger Data Disclosure, EPIC: Air Travel Privacy, EPIC: Passenger Profiling. (Dec. 5, 2011)

  • EPIC has filed a reply motion in EPIC v. DHS, No. 1:11-cv-01991-ABJ, a Freedom of Information Act lawsuit for information, held by the DHS, about the radiation risks of airport body scanners. EPIC is asking the court to force the agency to disclose documents about radiation testing results, agency fact sheets on radiation risks, and an image produced by the machines. A recent report from ProPublica states that the "U.S. Government Glossed Over Cancer Concerns As It Rolled Out Airport X-Ray," and the European Union recently prohibited the use of "back-scatter x-ray" devices in EU airports. EPIC has already obtained hundreds of pages of documents discussing the risks of radiation exposure. For more information, see EPIC: EPIC v. DHS - Full Body Scanner Radiation Risks. (Dec. 5, 2011)

  • A PBS Newshour special highlights the radiation risks and security flaws of airport body scanners. The program follows EPIC's Freedom of Information Act lawsuits against the Department of Homeland Security. EPIC's suits forced disclosure of documents detailing the health risks and privacy hazards posed by the scanners as well as the proposed use of the scanners on public streets and in train stations. EPIC also sued the agency, asking the DC Circuit Court of Appeals to suspend the airport body scanner program. The court ruled that the TSA violated federal law when it installed body scanners in airports for primary screening across the country without first soliciting public comment. The European Union recently adopted strict guidelines that effectively prohibit the use of backscatter x-ray body scanners. For more, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Dec. 1, 2011)

  • Senator Al Franken (D-Minn) has sent a letter to Carrier IQ about reports that it has been collecting sensitive consumer information from millions of smartphone users. The data includes text message content, websites visited, user locations, and detailed call records. This may be an "unlawful intercept" under the Electronic Communications Privacy Act of 1986 (ECPA). EPIC recently asked the FTC to investigate similar practices involving Verizon. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (Dec. 1, 2011)

  • The US Supreme Court heard arguments on Wednesday in FAA v. Cooper. At issue is whether "actual damages" recoverable for "willful and intentional" violations of the Privacy Act include mental and emotional damages. A federal appeals court held that Congress "unambiguously" intended to allow recovery of such non-pecuniary damages when it drafted the Privacy Act. The Government argued that the term "actual damages" is ambiguous, and that the Court should adopt a narrower interpretation in light of the Privacy Act's waiver of sovereign immunity. EPIC filed a brief in support of respondent Cooper and argued that proper enforcement of the Privacy Act requires recovery of a broad range of provable damages, including mental and emotional distress, which are the common and expected injuries resulting from privacy violations. For more information, see EPIC: FAA v. Cooper. (Dec. 1, 2011)

  • In comments to the Department of Homeland Security regarding a proposal to expand the Privacy Act "routine use" exemption, EPIC has said that the agency is exceeding its legal authority. The DHS is seeking to disclose information about current and former government employees, including members of the US Secret Service, for the development of "civil, administrative, or background investigation." The information includes names, social security numbers, addresses, and dates of birth. The "routine use" exemption allows federal agencies to disclose personal information in their possession in certain, narrow circumstances, not for open-ended investigations. EPIC stated that the change would "undermine privacy safeguards set out in the Privacy Act and would unnecessarily increase privacy risks for individuals whose records are maintained by the federal government." For more information, see EPIC: the Privacy Act of 1974. (Nov. 30, 2011)

  • The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)

  • The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow. (Nov. 29, 2011)

  • The US Supreme Court heard arguments on Monday in First American Financial Corp. v. Edwards. At issue is whether Congress can pass a law that gives customers the ability to sue companies that engage in illegal kickback schemes for mortgage settlement services, or whether those customers must also show additional injury. A federal appeals court held that the existence of the kickback arrangement violated the Real Estate Settlement Procedures Act of 1974, and was an "injury in fact" for the Constitutional standing requirement. After several Internet firms filed a brief in support of First American Financial, arguing that privacy laws with similar enforcement provisions result in "no injury" claims, EPIC filed a brief in support of respondent and argued that enforcement provisions in federal statutes are the cornerstone of federal privacy law. For more information, see EPIC: First American v. Edwards. (Nov. 28, 2011)

  • The Federal Trade Commission has announced the agenda and panelists for a workshop exploring the privacy and security issues raised by the increased use of facial recognition technology. The workshop will be held December 8, 2011 at the FTC Conference Center, and will feature diverse panelists with consumer protection, privacy, business, international, and academic backgrounds. EPIC Senior Counsel John Verdi will speak on the panel "Facial Detection & Recognition: Exploring the Policy Implications." EPIC has a complaint pending before the FTC over Facebook's use of facial recognition technology to build a secret database of users' biometric data and to enable the company to automatically tag users in photos. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 22, 2011)

  • A federal appeals court rejected a proposed settlement that would terminate a class action lawsuit brought by AOL users. The Court held that the proposed deal was inconsistent with the "cy pres" doctrine, a legal principle that allows courts to allocate funds to groups that protect the class' interests. The Court ruled that cy pres distributions should be based on the nature of the lawsuit, the objectives of the relevant law, and the interests of the class members including their geographic diversity. AOL users sued the company for inserting footers containing promotional messages into users' email messages. The lawsuit alleged violations of several laws, including the Electronic Communications Privacy Act. The parties settled the suit, agreeing to distribute $110,000 to several charities, none of which work to protect internet users' privacy. EPIC previously highlighted the dangers of improper cy pres distributions in Lane v. Facebook and In re: Google Buzz. (Nov. 22, 2011)

  • The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Nov. 22, 2011)

  • Republican Members of Congress have released "A Decade Later: A Call for TSA Reform," a staff report examining the effectiveness of the Transportation Security Administration, which was formed shortly after the September 11th attacks. The Report blasted the failure of the TSA to improve aviation security while spending billions of dollars on ineffective equipment and programs including airport body scanners that are "easily thwarted." Over 30,800 people have signed a petition to the White House to abolish the TSA. The Obama Administration has promised to formally respond to any petition that receives 25,000 signatures (formerly 5,000). In a lawsuit filed by EPIC, a federal appellate court found that the TSA had violated the law by deploying full-body scanners at airports nationwide without first soliciting public comment. For more information, see EPIC: Whole Body Imaging Technology and Body Scanners. (Nov. 18, 2011)

  • The Minnesota Supreme Court has ruled that the state Genetic Privacy Act limits the use of blood samples collected from newborns. Minnesota initiated the Newborn Screening Program in 1965 in order to screen children for certain metabolic disorders. Over 73,000 samples are added to the database every year, but the samples were used for other purposes by the Department of Health and outside research organizations. In overruling a lower court's decision, the state Supreme Court found that the samples are "Genetic Information" under the State Genetic Privacy Act and held that "unless otherwise provided, the Department must have written informed consent to collect, use, store, or disseminate [the blood samples]." For more information, see EPIC: Genetic Privacy. (Nov. 17, 2011)

  • A federal district judge in Virginia has ordered Twitter to make available to the Justice Department the personal information - including IP addresses, session times, and relationships between other Twitter users - of people who may have supported Wikileaks. In reaching this decision, Judge O'Grady relied on a revised version of Twitter's privacy policy, which was not in place when the users signed up. Under the Court's order the Department of Justice may obtain the data with a warrant under the Stored Communications Act. The targets of the Department of Justice's investigation are the WikiLeaks' Twitter account, and the accounts of three people connected to the group: Seattle coder and activist Jacob Appelbaum; Birgitta Jonsdottir, a member of Iceland's parliament; and Dutch businessman Rop Gonggrijp. EPIC has several FOIA requests pending with US federal agencies concerning the investigation of Wikileaks. For more information, see EPIC: Social Networking Privacy. (Nov. 17, 2011)

  • The European Union has adopted strict new guidelines limiting the use of body scanners at EU airports. Under the new guidelines, European Union member states may only deploy airport body scanners if they comply with new regulations that protect health, privacy, and fundamental rights. The European Commission has also prohibited any devices that store, record, or transfer images of travelers as well as devices that display an image of the naked human body. As a result, backscatter x-ray devices are now effectively prohibited in airports in the European Union. The European Commission has also made clear that passengers may not be required to go through body scanners, following the conclusion reached by the federal appellate court in the United States in the EPIC v. DHS case, which held that passengers have a legal right to opt-out of body scanners. The body scanners have not done well during trials in Europe. Most recently a test in Germany found that the devices were ineffective. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program). (Nov. 14, 2011)

  • The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)

  • The Federal Trade Commission settled a complaint against the website Skid-e-kids after the operator violated both the Commission’s Children's Online Privacy Protection Act Rule and the website's own privacy policy by collecting personal information from approximately 5,600 children without obtaining prior parental consent. The settlement bars future violations of COPPA and misrepresentations about the collection and use of children’s information, and requires the operator to destroy information collected in violation of the Rule and to allow for oversight of any future website that he might run. Skid-e-kids is a social networking site that allows children ages 7-14 to create profiles, upload pictures and videos, and become friends with and send messages to other members. The Children's Online Privacy Protection Act requires that website operators obtain parental consent before they collect, use or disclose personal information from children under 13. EPIC's complaint regarding Facebook's facial recognition and EPIC's complaint regarding Facebook’s changes to its privacy settings are still pending before the FTC. For more information, see EPIC: Children's Online Privacy. (Nov. 9, 2011)

  • According to a study conducted by the Institute of Medicine, software errors and defects in electronic health records pose threats to patient safety, and can even result in death. To combat the problem, the Institute recommends the establishment of an investigative agency, to be charged with examining and charting the safety performance of electronic health records in use, according to a press release from the National Academies panel. The Institute also recommends that clauses purported to "hold harmless" electronic health record suppliers be removed from their sales contracts. Although experts in the medical field acknowledge that this study is a positive step in regulating health information technology, the New York Times reports that some experts believe the Food and Drug Administration should regulate electronic health records safety. EPIC participated in a 2009 IOM study on Privacy and Medical Research. For more information, see EPIC: Medical Record Privacy. (Nov. 9, 2011)

  • Senator Daniel Akaka (D-HA) has introduced the Privacy Act Modernization for the Information Age (PAMIA) Act of 2011 bill (S. 1732). The PAMIA Act would update the Privacy Act of 1974, the law that regulates the collection and use of personal information by federal agencies. Among other changes, the PAMIA Act would strengthen civil and criminal penalties for improper disclosure of information, update exceptions for when agencies do not have to notify individuals of record disclosures, and create a new Federal Chief Privacy Officer at the Office of Management and Budget. For more information, see EPIC: The Privacy Act of 1974. (Nov. 9, 2011)

  • The United States Supreme Court will hear arguments on November 8 to determine whether the warrantless use of a GPS tracking device by the police violates the Fourth Amendment. EPIC filed a "friend of the court" brief in US v. Jones, urging the Supreme Court to uphold robust Fourth Amendment protections. Along with 30 legal and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a "search" under the Fourth Amendment and requires judicial oversight. Arguing in support of a lower court decision, EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." The Supreme Court will consider both whether persistent GPS tracking constitutes a "search" and also whether the installation of a GPS tracking device on a private vehicle is a "seizure." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy. (Nov. 4, 2011)

  • In response to widespread criticism from EPIC and other open government groups, the Department of Justice has agreed to withdraw one of its proposed Freedom of Information Act revisions. The section would have allowed the agency to make misrepresentations about the existence of documents subject to the FOIA. In extensive comments to the Department of Justice, EPIC said that the Justice Department proposal would undermine the FOIA and is contrary to law as well as the views expressed by the President and the Attorney General. But EPIC also pointed to proposed changes that would place new burdens on FOIA requesters, make it more difficult to qualify for educational and news media fee status, allow the agency to terminate FOIA requests, and even destroy records subject to FOIA. For more information, see EPIC: Open Government. (Nov. 4, 2011)

  • EPIC has filed a motion for summary judgment in EPIC v. DHS, No. 1:11-cv-01991-ABJ, a pending Freedom of Information Act lawsuit against the Department of Homeland Security for information about the radiation risks posed by body scanners. EPIC has asked the court to force the agency to disclose documents containing radiation testing results, agency fact sheets on body scanner radiation risks, and an image produced by the machines. A new report from ProPublica states that the "U.S. Government Glossed Over Cancer Concerns As It Rolled Out Airport X-Ray." EPIC has already obtained hundreds of pages of documents detailing the radiation risks presented by the machines. For more information, see EPIC: Body Scanners and Radiation Risks (FOIA). (Nov. 1, 2011)

  • A recent report by Carnegie Mellon University finds that internet privacy tools designed to protect consumers from online behavioral advertising are ineffective because they are difficult for users to understand and to configure. The researchers investigated whether users could protect themselves from online tracking by utilizing the privacy settings on popular web browsers, such as Firefox and Internet Explorer. The report also analyzed privacy tools such as Adblock Plus and IE9 Tracking Protection. The report found that the settings are confusing and that users are unable to make informed decisions. Further, unbeknownst to the average user, internet privacy tools' default settings largely fail at blocking online tracking. For more information, see EPIC: Online Tracking and Behavioral Profiling. (Nov. 1, 2011)

  • Lawmakers in Washington have sent a letter to Mark Zuckerberg, Facebook's CEO, asking questions about the company's data retention practices, following a news report that a single European Facebook user obtained more than 1,200 pages of his own personal data from the company, including information that he had previously deleted. Following an effort of privacy advocates in Europe, EPIC has launched the KWTK (Know What They Know) campaign and is urging Facebook users to obtain their complete "data dossier" from the company. For more information, see EPIC: Facebook Privacy and EPIC: #kwtk. (Oct. 31, 2011)

  • EPIC filed a complaint with the Federal Trade Commission charging that Verizon Wireless has engaged in unfair and deceptive trade practices in violation of consumer protection law. After consumers entered into long-term contracts with Verizon Wireless, the company changed its business practices and revealed detailed personal information of its customers, including location data, web browsing and search histories, and demographic data, to other companies. EPIC also charges that Verizon Wireless has failed to establish adequate techniques to deidentify its customers. "Such practices are unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission," the complaint states. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. (Oct. 31, 2011)

  • Privacy experts from around the world convened at the Privacy is Freedom civil society conference, held in conjunction with the annual meeting of the data protection and privacy commissioners. More than 200 participants from 25 countries are attending the event which includes discussions on The Madrid Declaration, the Right to be Forgotten, and Cultures of Privacy Around the World. The Public Voice conference is sponsored by EPIC and the Federal Institute for Access to Information and Data Protection (IFAI). The Georgetown University Law Center is webcasting the event. The hashtag is #tpv11. (Oct. 31, 2011)

  • EPIC filed papers in federal court today seeking to enforce an order that requires the Department of Homeland Security to detail the agency's controversial airport body scanner program. As a result of the EPIC lawsuit, the DC Circuit Court of Appeals ruled that the agency violated federal law when it installed body scanners in airports for primary screening without first soliciting public comment. In July, the Court ordered Homeland Security to "promptly" seek public comment, but the agency has failed to respond. EPIC, and a coalition of privacy and civil liberties organizations, first petitioned DHS to undertake a public rulemaking in 2009. EPIC's subsequent lawsuit alleged that airport body scanners are "invasive, unlawful, and ineffective." For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Oct. 28, 2011)

  • In extensive comments to the Department of Health and Human Services, Professor Latanya Sweeney of the Data Privacy Lab, EPIC, Patient Privacy Rights, and 50 data privacy researchers warned the federal agency that medical privacy standards for deidentification are "gravely inadequate" and that proposed changes to the Common Rule would deprive the public and policymakers of information about the risks of reidentification. The group urged support for stronger techniques for deidentification, based on recent advances in theoretical computer science. Earlier this year, EPIC filed an amicus brief in a Supreme Court case, IMS Health v. Sorrell, warning that the deidentification technique adopted by dataminers was not sufficient to protect patient privacy. For more information, see EPIC: Privacy and the Common Rule and EPIC: Medical Record Privacy. (Oct. 27, 2011)

  • The Federal Trade Commission has finalized the settlement with Google regarding Buzz, the social network service launched in early 2010. The Commission action follows a complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching and bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. However, the Commission failed to adopt any of the recommendations submitted during the public comment process. In a letter to EPIC and to others who submitted suggestions, the FTC wrote "the Commission has determined that the public interest would best be served by issuing the Decision and Order in final form without any modifications." For more information, see EPIC - In re Google Buzz and Fix Google Privacy. (Oct. 25, 2011)

  • In extensive comments to the Department of Justice, EPIC has urged the federal agency not to weaken the Freedom of Information Act (FOIA) as it has proposed. The Justice Department is considering regulations that would place new burdens on FOIA requesters, make it more difficult to qualify for educational and news media fee status, allow agencies to terminate FOIA requests, and even make misrepresentations about the existence of documents and destroy records subject to a FOIA request. EPIC said that the Justice Department proposal would undermine the FOIA and is contrary to law as well as the views expressed by the President and the Attorney General. EPIC has an extensive FOIA practice and has recently uncovered documents regarding the FBI's Watchlist and the Department of Homeland Security's "Minority Report" Pre-crime Detection Program. The Justice Department must now decide whether to adopt the changes it has proposed, withdraw the rule, or make modifications. For more information, see EPIC: Open Government. (Oct. 20, 2011)

  • EPIC has uncovered more complaints from travelers about the TSA airport body scanners. In response to a FOIA request, the federal agency turned over 241 pages of passenger complaints about body scanners to EPIC. The documents reveal that travelers are angry and frustrated about TSA screening procedures. Travelers expressed concern about radiation risks to children, the elderly, and those with special needs. Other travelers wrote that the machines' ability to capture naked images was unacceptable. One traveler said, "using [the full body scanners] is an extreme invasion of privacy." EPIC previously obtained hundreds of pages of complaints (sample) after filing a Freedom of Information Act lawsuit against the Agency. Earlier this year, in EPIC v. DHS, EPIC also obtained a judgment from the federal appeals court in Washington, requiring the TSA to conduct a public rulemaking on the program and ensuring that passengers have a right to opt-out. For more information, see EPIC: Whole Body Imaging Technology. (Oct. 20, 2011)

  • Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)

  • EPIC filed a "friend of the court" brief in the United States Supreme Court urging the Court to affirm Congress' power to enact strong statutes that protect consumer privacy. First American v. Edwards presents the question of whether a person can sue to enforce a provision of the Real Estate Settlement Procedures Act (RESPA), which gives individuals a right to untainted real estate referral services, and enforces this right by specifying an amount of damages for which violators are liable. Surprisingly, Facebook, LinkedIn, Yahoo, and Zynga filed a brief in support of the bank First American, arguing against enforcement of privacy statutes in certain circumstances. EPIC then filed a brief in support of the consumer Edwards and argued that if the Court did not uphold statutory damage provisions, "it would become virtually impossible to enforce privacy safeguards in the United States." Statutory damage provisions help ensure compliance with Fair Information Practices, the foundation of modern privacy law. For more information, see EPIC: First American v. Edwards, and EPIC: Privacy Act. (Oct. 17, 2011)

  • The United States Supreme Court heard oral arguments on Wednesday in Florence v. Board of Chosen Freeholders of the County of Burlington. At issue in the case is whether the Fourth Amendment permits a jail to conduct a suspicionless strip search of every suspect, even those arrested for minor traffic offenses. The Petitioner Albert Florence was arrested based on an inaccurate police record of his previously resolved traffic fine. Florence was held for six days and subject to multiple strip searches before he was eventually brought before a judge and released. EPIC successfully argued before the Third Circuit in Doe v. Luzerne that an individual has a reasonable expectation of privacy in remaining free from the government’s recording of nude images. EPIC also filed a “Friend of the Court” brief in Herring v. US, involving a Fourth Amendment challenge to an arrest and search based on incorrect information in a government database. For more information, see EPIC: Herring v. US. (Oct. 13, 2011)

  • The Third Circuit Court of Appeals ruled that a police deputy's privacy claims against her employer can proceed despite the government's objections. The case involves Jane Doe, who was secretly videotaped by a co-worker during a mandatory decontamination shower. The digital footage was uploaded onto a government computer and disclosed over the municipal network. The appeals court held that Ms. Doe had a reasonable expectation of privacy in remaining free from videotaping during the shower, and wrote "the potential harm of nonconsensual disclosure [of the video] is exacerbated by the existence of the Internet, where one can upload image and video files and irretrievably share them with the world in a matter of moments." EPIC filed a brief and presented oral argument in the case, stating that the case "presents novel privacy issues involving new technology" and that "the District Court failed to appreciate the unique damage caused by unlawful disclosures over computer networks." For more, see EPIC: Doe v. Luzerne. (Oct. 12, 2011)

  • The Government Accountability Office has performed a detailed evaluation of data mining practices at the Department of Homeland Security. According to the report, privacy protections and transparency are vital to data mining operations; however, the Department's practices did not "adequately ensure the protection of privacy-related information." In 2009, EPIC called for an investigation of the Department's Privacy Office and said that the Chief Privacy Officer was not complying with the statutory requirements to protect privacy. For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy. (Oct. 11, 2011)

  • Through a Freedom of Information Act request, EPIC has obtained documents from the Department of Homeland Security about a secretive "pre-crime" detection program. The "Future Attribute Screening Technology" (FAST) Program gathers "physiological measurements" from subjects, including heart rate, breathing patterns, and thermal activity, to determine "malintent." According to the documents obtained by EPIC, the agency is considering the use of the device at conventions and sporting events, and has already conducted field testing. CNET first reported on the EPIC FOIA request. For more information, see: EPIC: Future Attribute Screening Technology Project. (Oct. 7, 2011)

  • A federal appeals court has ruled in Suzlon Energy v. Microsoft Corp. that foreign citizens are protected by the Electronic Communications Privacy Act. The decision is not that surprising, as the Electronic Communications Privacy Act protects consumer data, without regard to nationality, by forbidding companies from disclosing communications data to third parties in most circumstances. Suzlon involved a civil suit in which Microsoft refused to disclose data from the Hotmail email account of Rajagopalan Sridhar, an Indian citizen. The court ruled that Sridhar was protected by the Electronic Communications Privacy Act and that Microsoft correctly refused to disclose communications from Sridhar's email account. For more information, see EPIC: Wiretapping. (Oct. 4, 2011)

  • EPIC filed a "friend of the court" brief in the United States Supreme Court urging the Court to enforce the rights granted under the Privacy Act, which regulates the use of personal information held by federal agencies. EPIC argued that the government should not be allowed to avoid liability by asserting that it caused only mental and emotional harm when it intentionally and willfully violated the federal statute. FAA v. Cooper involves the Social Security Administration's disclosure of a pilot’s HIV status. The lower court held that "the term 'actual damages'" in the Privacy Act "unequivocally encompasses nonpecuniary damages." EPIC urged affirmance of the decision, stating that the Privacy Act "provides compensation for harm suffered" and aims to "ensure compliance with statutory obligations." For more information, see EPIC: US v. Cooper, and EPIC: Privacy Act. (Oct. 4, 2011)

  • EPIC filed a "friend of the court" brief in the United States Supreme Court urging the Court to limit the scope of pervasive GPS surveillance by upholding robust Fourth Amendment protections. Along with 30 legal and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a "search" under the Fourth Amendment. US v. Jones involves the government's use, without a judicial warrant, of a GPS device to track a person "24/7." The lower court held that "the use of the GPS device violated [Jones'] 'reasonable expectation of privacy,' and was therefore a search subject to the reasonableness requirement of the Fourth Amendment." Arguing in support of the earlier decision, EPIC said "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Locational Privacy. (Oct. 3, 2011)

  • The US Court of Appeals for the Seventh Circuit heard oral arguments today in Chicago Tribune v. University of Illinois. EPIC filed a "friend of the court" brief in the case, which concerns student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argued that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. In this case, the Tribune requested documents from the University of Illinois, under Illinois' open government law, while investigating alleged corruption in the admissions practices of the University. The University denied the Tribune's request, stating that the requested documents contained the personally identifiable information of students and were thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Department of Justice also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Sep. 30, 2011)

  • EPIC, joined by other privacy, consumer, and civil liberties groups, which include the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy, asked the Federal Trade Commission to investigate Facebook. Facebook had been secretly tracking users after they logged off of Facebook’s webpage, and had recently announced changes in business practices that “[gave] the company far greater ability to disclose the personal information of its users to its business partners...” EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Sep. 29, 2011)

  • A bankruptcy court in New York has approved the sale of customer information, including email addresses, phone numbers, mailing addresses, and birthdates, from Borders to Barnes & Noble, following an earlier determination that the transfer violated Borders' privacy policy. The judge has now required that former Borders customers receive an email notification and that the companies place prominent notices on their web sites and take out ads in USA Today. Customers will have 15 days to opt-out of the transfer. (Sep. 28, 2011)

  • EPIC has obtained documents that reveal new details about standards for adding and removing names from the FBI watch list. The documents were obtained as the result of an EPIC Freedom of Information Act request to the Federal Bureau of Investigation. The FBI's standard for inclusion on the list is "particularized derogatory information," which has never been recognized by a court of law. Also, individuals may remain on the FBI watch list even if charges are dropped or a case is dismissed. The New York Times broke the story and posted the documents obtained by EPIC. For more information, see EPIC: FBI Watch List FOIA and EPIC: Open Government. (Sep. 28, 2011)

  • Representatives Joe Barton (R-TX) and Ed Markey (D-MA) wrote a letter asking the FTC to investigate whether the use of "supercookies" - cookies placed on users' computers by websites such as Hulu.com that cannot be deleted - constitutes an unfair or deceptive business practice. The representatives called this kind of tracking "unacceptable" and said that the cookies "take away consumer control over their own personal information." EPIC had earlier opposed the White House's use of persistent Google Analytics cookies that track users for up to two years and supported opt-in requirements for Internet tracking techniques that are transparent for the user and easily disabled. For more information, see EPIC: Cookies and EPIC: Federal Trade Commission. (Sep. 27, 2011)

  • Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws. (Sep. 26, 2011)

  • A coalition of civil liberties and civil rights organizations has asked the Inspector General of the Department of Justice to investigate the FBI's Next Generation Identification program, a "billion-dollar initiative to create the world's largest biometric database." The 70 organizations, including EPIC, have also urged an assessment of "Secure Communities," the mismanaged federal deportation effort. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program. For more information, see EPIC - "Secure Communities." (Sep. 26, 2011)

  • Senator Charles Schumer (D-NY) wrote a letter to the Federal Trade Commission requesting an investigation into OnStar's announcement that it would track the location of its customers' vehicles even after the customers canceled their service. OnStar also reserved the right to sell such locational information to advertisers. In an interview with FOX News last week, EPIC Executive Director Marc Rotenberg warned that the company would make data of former customers available to third parties. For more information, see EPIC: Locational Privacy. (Sep. 26, 2011)

  • Today Netflix announced that it has launched a DC lobbying campaign against a federal privacy law that protects customer video rental information. The company, which is already under fire for dramatic hikes in the subscription price of its once popular DVD rental program, now claims that the privacy law prevents Facebook users from posting information about Netflix on Facebook. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has ramped up its Washington influence, spending almost $200,000 in 2011, up from $20,000 in 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection." The law always had an exception for user consent, which means that Facebook users are free to disclose information about the videos they rent. But Netflix wants "blanket consent" so that all Netflix use will be posted routinely to Facebook. For more information, see EPIC: Video Privacy Protection Act. (Sep. 22, 2011)

  • EPIC has filed a motion for summary judgment in EPIC v. DHS, No. 1:11-cv-00945-ABJ, a FOIA case against the Department of Homeland Security for information about the planned expansion of the body scanner program. EPIC has asked the court to force the agency to disclose documents containing communications with Rapiscan and other vendors about the deployment of mobile body scanners. EPIC has already obtained hundreds of pages of documents describing how the agency is exploring the use of body scanners on people who travel by train, attend sporting events, enter federal buildings, or travel along public highways. For more information, see: EPIC: Body Scanner Technology and EPIC: FOIA Note #20. (Sep. 22, 2011)

  • Today's Senate Judiciary Committee hearing “The Power of Google: Serving Consumers or Threatening Competition?” examined Google’s use of its dominance in the search market to suppress competition. The company’s executive chairman, Eric Schmidt, testified on the first panel, while witnesses from Google’s rivals Yelp and Nextag appeared on the second panel. The hearing covered a wide range of issues, including search bias, Google’s proprietary search algorithm, and the downgrading of search rankings. EPIC testified before the same committee in 2009 on Google’s growing dominance of essential Internet services, and recently sent a letter to the Federal Trade Commission regarding Google’s biasing of Youtube search rankings to give preferential treatment to its own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 21, 2011)

  • The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret database of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary of Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identify political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System. (Sep. 20, 2011)

  • EPIC filed comments today against the Department of Homeland Security's REAL ID compliance requirements, noting the recent death of college basketball legend Lewis Brown, who could not afford a state identification card. The DHS prohibits individuals from flying on commercial airlines without federally approved identification documents. According to the New York Times, Brown was sick with cancer and homeless but had not yet raised enough money to pay for the ID card so that he could see his family. EPIC's letter demanded that the DHS report annually on the number of people who are prevented from seeing family members because of the ID requirement. For more information, see EPIC: REAL ID. (Sep. 17, 2011)

  • Today the FTC proposed new rules for the Children’s Online Privacy Protection Act. The FTC rules would revise the definition of Personally Identifiable Information to include identifiers such as cookies and IP addresses, video and audio files containing a child's image or voice, and geolocation information. The new rules also contain data minimization and deletion requirements that promote Internet security, as well as simplified methods of obtaining parental consent for data collection, such as electronic submission and video verification. EPIC Executive Director Marc Rotenberg said that the proposed rules were "a well-reasoned and innovative approach to online privacy." EPIC had previously testified before the Senate and submitted comments to the agency. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Children’s Online Privacy. (Sep. 15, 2011)

  • The Transatlantic Consumer Dialogue, a coalition of 85 organizations from America and Europe, sent a letter today to the House Subcommittee on Commerce, Manufacturing and Trade on the eve of a hearing on the EU's approach to protecting Internet privacy. The TACD letter pointed out that "US privacy laws lag woefully behind current technology and business practices" and encouraged Congress to "learn from a fair and balanced review of the EU Data Directive, just as the EU has learned much from the US experience." According to TACD, the EU Data Directive is a concise, technology-neutral legal framework that promotes trade, protects privacy, and is less burdensome than such US privacy laws as "HIPAA." EPIC is a member of TACD. For more information, see EPIC: EU Data Protection Directive. (Sep. 14, 2011)

  • EPIC Senior Counsel John Verdi argued before the Third Circuit Court of Appeals in Doe v. Luzerne County that secretive video surveillance, coupled with the storage and dissemination of sensitive personal information, violates the right to information privacy and should not be permitted. The case involves a Jane Doe police deputy who is suing to recover monetary damages for privacy violations. A coworker captured semi-nude video footage of Ms. Doe without her consent during a mandatory decontamination shower. The digital footage was uploaded onto a government computer and disclosed over the municipal network. EPIC argued that the case "presents novel privacy issues involving new technology" and that "the District Court failed to appreciate the unique damage caused by unlawful disclosures over computer networks." EPIC previously filed an amicus brief in the case. For more, see EPIC: Doe v. Luzerne. (Sep. 14, 2011)

  • EPIC Executive Director Marc Rotenberg testified today before the House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see EPIC: Cybersecurity and Privacy. Webcast. (Sep. 14, 2011)

  • A Federal Court has ruled that EPIC "substantially prevailed" in its open government lawsuit against the Department of Homeland Security for information about the agency's airport body scanner program and has awarded attorneys' fees to EPIC. EPIC's Freedom of Information Act case led to the disclosure of hundreds of pages of documents, including procurement specifications, operational requirements, contracts, and traveler complaints, and revealed that the machines are designed to store and transfer images. The Court found that "The records disclosed to the plaintiff in the course of this litigation have provided a public benefit in that they were covered extensively in the news and cited frequently as a news source during the public debate surrounding the use of whole body imaging devices in airports." EPIC had also asked the Court to reconsider an earlier ruling, in light of a recent Supreme Court FOIA decision, Milner v. Dept. of Navy. The Court denied that request. For more information, see EPIC: EPIC v. DHS (FOIA, Body Scanners) and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program). (Sep. 12, 2011)

  • The Transatlantic Consumer Dialogue has sent a letter to U.S. and European Union officials, urging them to reject an advertising industry proposal to protect online privacy through self-regulation. The industry proposal relies on opt-out techniques that force consumers to click on small icons, hidden on the websites they visit. The TACD letter described the icon regime as “inadequate,” and said that it “is an insufficient means of [giving] notice to a user about the wide range of data collection that they routinely face.” In 1998, EPIC conducted the first evaluation of industry self-regulation to protect online privacy and concluded that "Notice is Not Enough." For more information, see EPIC: Online Tracking and Behavioral Profiling, and EPIC: FTC. (Sep. 9, 2011)

  • EPIC has filed a notice of appeal in EPIC v. NSA, a recent court decision that allowed the National Security Agency to neither confirm nor deny the existence of government records EPIC sought under the Freedom of Information Act. EPIC is seeking information about the relationship between Google and the NSA, which could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The NSA provided a "Glomar Response," a controversial legal claim that allows federal agencies to conceal the existence of records that might otherwise be subject to public disclosure. In related FOIA matters, EPIC is also seeking government documents relating to the NSA's cybersecurity authority and the NSA's "Perfect Citizen" program. For more information, see EPIC: Open Government. (Sep. 9, 2011)

  • EPIC sent a letter to the FTC urging the Trade Commission to investigate the extent to which Google has used its dominance in the search market to influence the marketplace of online video content. EPIC pointed specifically to the Google acquisition of YouTube and the change in the YouTube search rankings that followed. EPIC said that Google substituted its own subjective, "relevance" ranking in place of objective search criteria, such as "Hits" or "Rankings," to preference Google's own video material over non-Google material. EPIC's letter includes detailed examples using the search term "privacy." Google has acknowledged that the Commission has opened an investigation into the company's business practices for possible antitrust violations. EPIC previously testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Sep. 8, 2011)

  • The Circuit Court for the District of Columbia has ruled that the Department of Justice must release information regarding government surveillance of cell phone location data. The American Civil Liberties Union had filed a Freedom of Information Act request for information regarding current and past cases where the Department of Justice had accessed cell phone location data without a warrant. The agency sought to keep this information secret, claiming that releasing cell phone tracking data could implicate the privacy of investigation subjects. The court, however, disagreed, stating, "The disclosure sought by the plaintiffs would inform this ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool." For more information, see EPIC: Wiretapping and EPIC: Electronic Surveillance 1968-2010. (Sep. 7, 2011)

  • The Center for Public Affairs Research, a joint project of the Associated Press and the National Opinion Research Center, has published "Civil Liberties and Security: 10 Years After 9/11." The detailed report analyzed public opinions on national security and civil liberties issues a decade after 9/11. The survey found that Americans are divided on the war on terrorism. Of those surveyed, 86% said that the events following 9/11 have had some impact on their individual rights and freedoms. A majority also said that the protection of civil liberties should take priority over national security, and only 23% favored the government’s warrantless wiretapping program. For more information, see EPIC: The 9/11 Commission Report and EPIC: Public Opinion on Privacy. (Sep. 6, 2011)

  • After extensive testing, Germany has decided not to deploy body scanners at the nation's airports. Germany field-tested the scanners with more than 800,000 passengers over ten months and concluded the devices produced too many false alarms and were not effective. In an interview with ABC News, EPIC’s John Verdi said, "when they can't distinguish between body sweat and explosives, they aren’t making anyone safer." Italy also recently removed the scanners from airports after the Italian Civil Aviation Authority concluded that they were inaccurate and inconvenient. EPIC has petitioned a federal appeals court to rehear the organization's challenge to the controversial program, citing erroneous findings that the devices would detect liquid and powdered explosives. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Sep. 2, 2011)

  • California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft. (Sep. 1, 2011)

  • In a case concerning the arrest of a person who used a cell phone camera to film a police officer, the First Circuit Court of Appeals has held in Glik v. City of Boston that the First Amendment protects "the filming of government officials engaged in their duties in a public place." The Court found that members of the public enjoy the same rights as credentialed members of the press, stating that "the public's right of access to information is coextensive with the press." The Court further held that, in arresting Glik, the City of Boston violated the Fourth Amendment probable cause requirement as there was no reason to believe that Glik had violated any state law. EPIC agreed that the Massachusetts state wiretap law was not intended to limit the ability of the public to record police activity, but did not file an amicus brief in the case. For more information, see EPIC: EPIC Amicus Curiae Briefs. (Sep. 1, 2011)

  • Former 9-11 Study Commission Chairs Lee Hamilton and Thomas Kean have released a "Tenth Anniversary Report Card," assessing the status of the recommendations made by the 9-11 Commission. The report found that even "with significant federal funding," "explosive detection technology lacks reliability" and that "the next generation of whole body scanning machines are not effective at detecting explosives hidden within the body and raise privacy and health concerns that DHS has not fully addressed." EPIC has made very similar arguments in EPIC v. DHS, the challenge to the TSA body scanner program. For more information, see EPIC - The 9/11 Commission Report. (Aug. 31, 2011)

  • EPIC has obtained more than one hundred fifty pages of documents detailing the Department of Homeland Security’s development of mobile body scanners and other crowd surveillance technology. The documents were obtained as a result of a Freedom of Information Act lawsuit brought by EPIC against the federal agency. According to the documents obtained by EPIC, vehicles equipped with mobile body scanners are designed to scan crowds and pedestrians on the street and can see through bags, clothing, and even other vehicles. The documents also reveal that the mobile backscatter machines cannot be American National Standards Institute “certified people scanners” because of the high level of radiation output and because subjects would not know they have been scanned. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program). (Aug. 31, 2011)

  • Citing significant errors in an earlier decision, EPIC has petitioned a federal appeals court to rehear the organization's challenge to the TSA's controversial body scanner program. "The court overstated the effectiveness of the body scanner devices and understated the degree of the privacy intrusion to the travelling public," stated EPIC President Marc Rotenberg. EPIC's petition challenged the Court's finding that the devices detect “liquid and powders," which was never established and was not claimed by the government. EPIC also argued that the court wrongly concluded that the TSA is not subject to a federal privacy law that prohibits video voyeurism. The panel found that TSA body scanner employees are “engaged in law enforcement activity," contrary to the TSA's own regulations. EPIC is pursuing related litigation on the government's deployment of mobile body scanners. For more information, see EPIC: EPIC v. DHS. (Aug. 30, 2011)

  • In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about Facebook's automated tagging of users, changes in privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaints at the FTC are still pending. For more information, see EPIC: Facebook Privacy. (Aug. 29, 2011)

  • EPIC and the Federal Trade Commission have agreed to settle an open government lawsuit concerning the FTC's decision to close the investigation of Google Street View. EPIC sought documents from the Commission after Members of Congress had urged the agency to pursue an aggressive investigation and many privacy agencies around the world found that Google violated national privacy laws. The agency turned over to EPIC agency records which suggested that the agency believed it lacked enforcement authority. However, the closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred. The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011). For more information, see EPIC: Google Street View. (Aug. 26, 2011)

  • A Federal judge has ruled that law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected…In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information, see EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy. (Aug. 25, 2011)

  • Twitter has joined the ranks of Gmail with a decision to implement HTTPS functionality by default for all users in order to encrypt data and protect privacy. The change stems from several security problems in early 2011, including two incidents where hackers gained administrative control of the popular service, which led to a settlement with the Federal Trade Commission requiring Twitter to adopt stronger security measures. Earlier, EPIC had pointed out the importance of HTTPS by default in a complaint to the Commission regarding Google and Cloud Computing Services. For more information, see EPIC: Social Networking Privacy and EPIC: In re Google and Cloud Computing. (Aug. 24, 2011)

  • New documents released by the Department of Homeland Security to EPIC indicate that the agency continues to hide details about body scanners. In November 2010, EPIC filed a Freedom of Information Act request with the agency regarding the deployment of body scanners in surface transit and street-roving vans. In its latest document release, the agency supplied several papers that were completely redacted. As a result of the agency's failure to comply with the Freedom of Information Act, EPIC has filed suit to force disclosure of the records. For more information, see EPIC: Body Scanner Technology and EPIC: FOIA Note #20. (Aug. 17, 2011)

  • W3 Innovations, a company that develops mobile phone games, settled charges with the Federal Trade Commission for violations of the Children's Online Privacy Protection Act (COPPA). In the first settlement concerning a mobile application, the Commission imposed a fine of $50,000 against the company for "illegally collecting and disclosing personal information from tens of thousands of children under age 13 without their parents prior consent." EPIC previously testified before the Senate Commerce Committee and submitted comments to the FTC on the need to update COPPA and to clarify the law's application to mobile and social networking services. EPIC also has pending complaints at the FTC regarding Facebook's facial recognition program and changes Facebook made to user privacy settings. For more information, see EPIC: FTC and EPIC: COPPA. (Aug. 16, 2011)

  • The Department of Homeland Security wrote to State Governors, stating that the agency intends to terminate agreements with state and local governments concerning the Secure Communities program. The agency states that it intends to unilaterally pursue the program despite the termination, though it fails to cite any legal authority in support of the tactic. The statement follows lawmakers' recent criticism of Secure Communities. The program collects and discloses biometric information obtained from individuals who come into contact with police. In June, California legislators urged Governor Jerry Brown to suspend the state's participation in Secure Communities, citing a “crisis of confidence” in the program. The lawmakers identified numerous risks raised by the program and noted that "victims of domestic violence have been [wrongfully] placed into deportation proceedings as the result of Secure Communities when they simply called the police for help." Previously, Illinois, New York and Massachusetts ended their participation in the program. For more, see EPIC: Secure Communities. (Aug. 12, 2011)

  • The California Public Utility Commission has established new rules to protect information about consumer use of "smart meter" electrical services. The California decision, the first in the country, establishes fair information practice requirements, including a consumer right of access and control, data minimization obligations, use and disclosure limitations, and data quality and integrity requirements. Electric utilities and their contractors, as well as third parties who receive electricity usage data from utilities, are subject to the new rules. EPIC submitted extensive comments to the Public Utility Commission regarding privacy safeguards for consumer energy usage data. For more, see EPIC Smart Grid Privacy. (Aug. 6, 2011)

  • EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security. The group opposed proposed changes to the Watchlist Service, a secretive government database filled with sensitive information. The agency has solicited comments on the program, which entails developing a real-time duplicate copy of the database and expanding the groups and personnel with immediate access to the records. The groups focused on the security and privacy risks posed by the new system, as well as the Privacy Act. Passed by Congress in 1974, the Act requires DHS to notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them. EPIC has testified before Congress and published a "Spotlight on Surveillance" report about the Watchlist program. For more information, see EPIC: Secure Flight and EPIC: Passenger Profiling. (Aug. 5, 2011)

  • The Transportation Security Administration has begun training screeners at Logan International Airport in Boston to engage in behavioral profiling of air travelers. The program authorizes Transportation Security Officers to ask airline passengers personal questions concerning their travel plans and employment. Some travelers will be subjected to additional, invasive searches based on their responses. For more, see EPIC: Air Travel Privacy. (Aug. 3, 2011)

  • The Senate unanimously approved bipartisan legislation, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), to improve Freedom of Information Act (FOIA) processing. The Faster FOIA Act will create an advisory panel to examine agency backlogs and provide recommendations to Congress. The bill awaits action by the House of Representatives. EPIC previously testified before the House Oversight Committee about FOIA delays and politicized processing within the Department of Homeland Security. For more information see: EPIC: Open Government and EPIC: Litigation Under the Federal Open Government Laws. (Aug. 2, 2011)

  • An independent report recommends that federal agencies "improve their development and implementation of policies and procedures for managing and protecting information associated with social media use." The Government Accountability Office, an independent, nonpartisan agency, surveyed twenty-three agencies concerning privacy and security policies. Only half of the agencies have updated their privacy policies to take account of personal information collected through social media monitoring. Only a quarter conducted privacy impact assessments of agency social media activities. The GAO also noted that only seven of the surveyed agencies have identified and documented social-media security risks. In March, EPIC filed comments regarding DHS's Social Media Monitoring and Situational Awareness Initiative, identifying substantial privacy and security risks. For more information, see EPIC: Social Networking Privacy. (Aug. 2, 2011)

  • The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. This retention is a radical contradiction of the core American value that we are innocent until proven guilty, said Representative Jason Chaffetz (R-UT). The bill purports to use the data to prosecute child pornography, but Representative James Sensenbrenner (R-WI) was "not convinced it will contribute in any meaningful way to prosecuting child pornography," and Representative Zoe Lofgren (D-CA) stated that it is an "unprecedented power grab by the federal government - it goes way beyond fighting child pornography." Representative Bobby Scott (D-VA) pointed out the data would be available for many other uses, including copyright prosecution and divorce cases. This data will be made available to law enforcement officers without a warrant or judicial oversight, and is a convenient way for law enforcement to get powers they couldn't get in the Patriot Act, said Representative Darrell Issa (R-CA). For more information, see EPIC- Data Retention. (Aug. 1, 2011)

  • In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users. (Jul. 27, 2011)

  • EPIC filed a 'friend of the court' brief in US v. Pool. The Ninth Circuit case challenges the constitutionality of a federal law requiring every felony defendant to submit a DNA sample as a condition of pre-trial release. The DNA is used to create profiles in a national DNA index system. EPIC observed that "today's science shows that DNA reveals vastly more personal information than a fingerprint," noting "DNA samples contain genetic information that can reveal personal traits such as race, ethnicity and gender, as well as medical risk for conditions such as diabetes." The government keeps the full DNA sample indefinitely, retaining all of an individual's genetic information. A three-judge panel previously upheld the law, but an eleven-judge panel is now rehearing the case. For more information, see EPIC: US v. Pool, and EPIC: Genetic Privacy. (Jul. 26, 2011)

  • EPIC, joined by the Liberty Coalition, has submitted comments to the National Institute of Standards and Technology (NIST) on governance topics associated with the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC’s comments called for a structure that would "include[e] protection of consumer information and implementation of strong privacy practices." EPIC further asked for legislation that will protect sensitive personal information in the Identity Ecosystem. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Jul. 22, 2011)

  • EPIC filed a "friend of the court" brief in Chicago Tribune v. University of Illinois, a case involving student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argues that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. While investigating alleged corruption in the admissions practices of the University of Illinois, the Tribune sought documents from the University under Illinois' open government law. The University denied the Tribune's request, stating that the requested documents contain the personally identifiable information of students and are thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Department of Justice has also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Jul. 21, 2011)

  • The TSA has announced that it will begin installing software on millimeter wave body scanners that will display a generic stick figure on a computer monitor and not the naked bodies of individual air travelers. The TSA said this will address privacy concerns. However, there is no plan to install similar software on the more widely used backscatter x-ray devices. It is also still unclear whether the body scanners are capable of capturing, storing, or transferring the underlying graphic naked image. Seeking to answer this question, EPIC filed a lawsuit, following the TSA's failure to provide an adequate response to EPIC's FOIA request. For more information, see EPIC: Body Scanner Technology. (Jul. 21, 2011)

  • A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast. (Jul. 21, 2011)

  • As a result of a lawsuit brought by EPIC, the D.C. Circuit Court of Appeals has ruled that the TSA violated federal law when it installed body scanners in airports for primary screening across the country without first soliciting public comment. The Administrative Procedure Act requires federal agencies to provide notice and opportunity for comment when implementing a rule that affects the rights of the public. Writing for a unanimous court, Judge Ginsburg found there was "no justification for having failed to conduct a notice-and-comment rulemaking," and said, "few if any regulatory procedures impose directly and significantly upon so many members of the public." EPIC's brief alleged that airport body scanners are "invasive, unlawful, and ineffective," and that the TSA's deployment of the devices for primary screening violated the U.S. Constitution and several federal statutes. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. Press Release. (Jul. 15, 2011)

  • A federal judge has issued an opinion in EPIC v. NSA, and accepted the NSA's claim that it can "neither confirm nor deny" that it had entered into a relationship with Google following the China hacking incident in January 2010. EPIC had sought documents under the FOIA because such an agreement could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The "Glomar response," to neither confirm nor deny, is a controversial legal doctrine that allows agencies to conceal the existence of records that might otherwise be subject to public disclosure. EPIC plans to appeal this decision. EPIC is also litigating to obtain the National Security Presidential Directive that sets out the NSA's cyber security authority. And EPIC is seeking from the NSA information about Internet vulnerability assessments, the Director's classified views on how the NSA's practices impact Internet privacy, and the NSA's "Perfect Citizen" program. (Jul. 13, 2011)

  • In testimony before the House Judiciary Committee, EPIC President Marc Rotenberg said that a proposal to retain identifying information on Internet users would put at risk "99.9% of Internet users." H.R. 1981, a bill to address concerns about child pornography, would require Internet Service Providers to store temporarily assigned IP addresses for future government use. The bill would also create a new immunity so that ISPs would not be liable if problems resulted. EPIC also pointed out that, with the increased risk of data breaches and identity theft, best practices now follow data minimization rather than data retention. Prospects for passage of H.R. 1981 dimmed at the hearing after Chairman James Sensenbrenner (R-WI) said he would oppose the measure. For more information, see EPIC - Data Retention. (Jul. 13, 2011)

  • FCC Chairman Julius Genachowski, responding to letters from Congressmen Graves Rogers and Barrow Scalise regarding Google Street View, wrote that "the Bureau's inquiry seeks to determine whether Google's actions were inconsistent with any rule or law within the Commission's jurisdiction." The FCC Chairman declined to provide specifics, though there is growing frustration in Congress about the investigation, which has been pending for more than a year following a complaint filed by EPIC. Recently, in a case in which EPIC filed an amicus brief, a federal judge found that Google's purposeful and secretive collection of wi-fi data as part of its "Street View" activities could constitute illegal wiretapping. For three years in thirty countries, Google's Street View cars collected data, including the content of personal emails, from wireless routers located in private homes and businesses. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. For more information, see EPIC: Google Street View. (Jul. 8, 2011)

  • A District of Columbia federal court ordered an EPIC lawsuit against the National Security Agency to proceed, holding that EPIC can "pursue its claim against the NSA for wrongfully withholding an agency record in its possession." EPIC's Freedom of Information Act suit seeks disclosure of National Security Presidential Directive 54 - the document that provides the legal basis for the NSA's cybersecurity activities. The NSA failed to disclose the document in response to EPIC's FOIA request, instead forwarding the request to the National Security Council. The Court held that the NSC is not subject to FOIA, but that the NSA's transfer of EPIC's request does not absolve the agency of its responsibility to respond to EPIC. For more, see: EPIC: EPIC v. NSA. (Jul. 8, 2011)

  • The European Parliament has adopted a resolution that sets out strict safeguards for airport body scanners. The resolution requires that Member States only "deploy technology which is the least harmful for human health" and establish substantial privacy protection. The resolution prohibits the use of body scanners that use ionizing radiation. New guidelines also state that airport body scanners "must not have the capabilities to store or save data." EPIC currently is pursuing a lawsuit to suspend the use of body scanners in the United States, citing several federal laws and the US Constitution. EPIC has called the US airport body scanner program "invasive, ineffective, and unlawful." For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Jul. 6, 2011)

  • According to the newly released 2010 Wiretap Report, federal and state courts issued 3,194 orders for the interception of wire, oral, or electronic communications in 2010, up from 2,376 in 2009, a 34% increase. Only one request for authorization was denied. The average number of persons whose communications were intercepted rose from 113 per wiretap order in 2009 to 118 per wiretap order in 2010. Only 26% of intercepted communications in 2010 were incriminating. The report also indicated that encryption did not prevent officials from obtaining the plaintext of communications in the six cases in which it was encountered. The 2010 Wiretap Report does not include interceptions regulated by the Foreign Intelligence Surveillance Act (FISA) or interceptions approved by the President outside the exclusive authority of the federal wiretap law and the FISA. For more information, see EPIC: Wiretapping and EPIC: Title III Order Statistics. (Jul. 6, 2011)

  • A coalition of 15 privacy and consumer groups, representing millions of consumers and Internet users, sent a letter to the Senate Commerce Committee urging Congress to do more to protect consumer information. "Consumers today face an unfair choice: either stay offline and ignore the benefits of new technology, or plug in and run extraordinary risks to privacy and security," they wrote. "It shouldn't be this way. Consumers are more concerned about the privacy threat from big business than from big government," the letter continues. The coalition, which includes the Consumer Federation of America, Consumers Union, and the National Consumers League, argues that current privacy laws are inadequate, and that industry self-regulation has failed, as evidenced by millions of records compromised in data breaches. The consumer letter follows one sent by industry groups urging lawmakers not to pass any additional legislation. For more information, see Privacy Coalition. (Jul. 1, 2011)

  • In a lawsuit filed by several private citizens, a federal judge has found that Google's purposeful and secretive collection of Wi-Fi data as part of its "Street View" activities could constitute illegal wiretapping. EPIC filed an amicus brief in the case, providing a detailed legislative history of the Electronic Communications Privacy Act (ECPA) and arguing that private Wi-Fi communications are entitled to privacy protection under ECPA. EPIC said that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public." For three years in thirty countries, Google's Street View cars collected data, including the content of personal emails, from wireless routers located in private homes and businesses. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, but the Commission has failed to announce a ruling. For more information, see EPIC: Google Street View. (Jul. 1, 2011)

  • The House of Representatives Financial Services Appropriations bill contains an amendment requiring the Federal Communications Commission to report on its Google Street View Wi-Fi investigation within 180 days. The bill was voted out of committee and is headed for a full House vote. The Commission opened an investigation into Google Street View after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. For more information, see EPIC: Google Street View. (Jul. 1, 2011)

  • The Supreme Court will decide if warrantless locational tracking violates the Fourth Amendment. The Court granted review of a District of Columbia Circuit Court of Appeals opinion on two legal questions. The first is whether police need a warrant to monitor the movements of a car with a tracking device. The second is whether police can legally install such a device without their target's consent, and without a valid warrant. EPIC previously filed an amicus brief in Commonwealth v. Connolly, a Massachusetts case which established that the state Constitution prohibited warrantless GPS tracking. The Massachusetts Supreme Judicial Court imposed time limits on GPS monitoring, ruling that warrants will expire fifteen days after they are issued. For more information, see EPIC: US v. Jones and EPIC: Locational Privacy. (Jun. 27, 2011)

  • The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns that the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy. (Jun. 27, 2011)

  • Google has acknowledged that the Federal Trade Commission has opened an investigation into the search company's business practices for possible antitrust violations. The investigation likely focuses on whether Google uses its dominance in the search field to inhibit competition in other areas. EPIC had previously opposed Google's acquisition of online advertiser DoubleClick, which was approved by the FTC over the objection of then Commissioner Pamela Harbour. EPIC later testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jun. 27, 2011)

  • In a FOIA lawsuit against the Department of Homeland Security, EPIC has just obtained documents concerning the radiation risks of TSA's airport body scanner program. The documents include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of some radiation tests. One document set reveals that even after TSA employees identified cancer clusters possibly linked to radiation exposure, the agency failed to issue employees dosimeters - safety devices that could assess the level of radiation exposure. Another document indicates that the DHS mischaracterized the findings of the National Institute of Standards and Technology, stating that NIST "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that NIST disputed that characterization and stated that the Institute did not, in fact, test the devices. Also, a Johns Hopkins University study revealed that radiation zones around body scanners could exceed the "General Public Dose Limit." For more information, see EPIC: EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 24, 2011)

  • The Federal Communications Commission adopted new rules that provide for increased penalties for Caller ID "spoofing," the practice of faking caller ID information that is often used to harm consumers. Under the new rules, the FCC can fine violators up to $10,000 each time they change their caller ID information with the intent to cause harm. The intent requirement is important because "spoofing" can also be used for privacy protection, such as at a domestic violence shelter. EPIC previously recommended adoption of the intent requirement in its comments to the Commission and in testimony before the House in 2006 and 2007 and before the Senate in 2007. For more information, see EPIC: Caller ID. (Jun. 24, 2011)

  • In a 6-3 decision, the Supreme Court struck down Vermont's prescription privacy law. IMS Health, Inc. v. Sorrell held that the Vermont statute, which bars disclosure of prescription data for marketing purposes, violates data mining firms' free speech rights. Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do," the Court wrote. The Court suggested that a more privacy-protective statute might have withstood Constitutional scrutiny, writing "the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here." EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell. (Jun. 23, 2011)

  • EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector" follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation. (Jun. 21, 2011)

  • At the 2011 EPIC awards dinner, Congressman Jason Chaffetz (R-UT), Congressman Rush Holt (D-NJ), The Wall Street Journal, and TV actress and former Miss USA, Susie Castillo received the EPIC awards for the defense of civil liberties and human rights, and for raising public awareness of new challenges to privacy. Rep. Chaffetz pursued meaningful oversight of the TSA and helped strengthen the FOIA. Rep. Holt is a leading champion for Patriot Act reform. The Wall Street Journal's investigative series "What They Know" exposed how the world's most popular web sites secretly track and monitor consumers' online behavior. Jeffrey Rosen and danah boyd cohosted the event in Washington, D.C. Ralph Nader presented the EPIC Citizen Activist award to Susie Castillo, a leading advocate for the dignity of air travelers. For more information, see EPIC Champion of Freedom Awards Dinner. (Jun. 15, 2011)

  • EPIC Executive Director Marc Rotenberg testified today before the House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono-Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasised the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge. Webcast (Jun. 15, 2011)

  • Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy. (Jun. 14, 2011)

  • Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy. (Jun. 10, 2011)

  • EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security in opposition to the proposed expansion of the employment verification system, "E-Verify." The agency announced plans to incorporate state driver license records that could significantly expand the use of the Homeland Security database. The groups said that the DHS proposal is unlawful and looks very similar to the REAL ID scheme that was previously defeated. EPIC has testified before Congress and published a "Spotlight on Surveillance" report about E-Verify. For more information, see EPIC: Employment Eligibility Verification System and EPIC: National ID. (Jun. 10, 2011)

  • Senator Leahy introduced the Data Privacy Bill of 2011, which is aimed at increasing protection for Americans' personal information and privacy. The bill establishes a national breach notification standard, and requires businesses to safeguard consumer information and allow consumers to correct inaccurate information. Leahy previously sponsored the Personal Data Privacy and Security Act in 2005 and has introduced similar legislation in the last three Congresses. For more information, see EPIC: Identity Theft and Summary of Legislation. (Jun. 8, 2011)

  • The U.S. Department of Commerce has released a green paper on "Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's Internet Policy Task Force, established in April 2010 as a collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see EPIC: Cybersecurity and Privacy. (Jun. 8, 2011)

  • The White House modified its privacy policy for WhiteHouse.gov on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies. The present policy reflects changes the administration made last year to allow for use of tracking cookies by federal websites. For more information, see EPIC: White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites. (Jun. 8, 2011)

  • The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.” Later this month, the Campaign for Liberty will host a Ban the Scan rally in New York that will feature anti-TSA activist and former Miss USA, Susie Castillo. The Campaign is working to eliminate body scanners in New York City. Rep. Chaffetz and Ms. Castillo will be among those honored at EPIC’s Annual Champion of Freedom Awards. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS: Suspension of Body Scanner Program. (Jun. 6, 2011)

  • A new survey from the Center for the Digital Future at the University of Southern California found that almost half of Americans over 16 who use the Internet are worried about businesses watching their online activities. Only 38% worried about the Government doing so. The poll also found limited enthusiasm for online voting. For more information on public attitudes toward privacy, see EPIC: Public Opinion on Privacy. (Jun. 3, 2011)

  • The European Data Protection Supervisor Peter Hustinx has raised the possibility of repealing Europe's Data Retention Directive, which requires telecommunication companies and ISPs to retain user data for law enforcement purposes. According to Hustinx, the Directive does not provide clear guidance about why this data must be retained or who will have access to it. In his opinion, Hustinx stated that the Directive does not meet the requirements set out by the rights to privacy and data protection, and asked the European Commission to consider all options "including the possibility of repealing the Directive." Several European courts have also found that the Directive violates Article 8 of the European Convention on Human Rights. For more information, see EPIC: Data Retention. (Jun. 3, 2011)

  • A federal district court overseeing a class action case concerning Google Buzz has revised a proposed settlement agreement to ensure that EPIC receives part of the settlement fund. EPIC's complaint about Buzz to the Federal Trade Commission resulted in sweeping new privacy safeguards for Google users. But EPIC was excluded from a proposed agreement in which a Court had ordered distribution of settlement funds to organizations "who would reasonably benefit the class through established Internet privacy education and policy programs." Judge Ware held that "the Court does not find good cause to exclude EPIC from the list of recipients of the cy pres funds. EPIC has demonstrated that it is a well-established and respected organization within the field of internet privacy and that it has sufficiently outlined how the cy pres funding will be used to further the interests of the class." For more information, see EPIC - In re Google Buzz. (Jun. 1, 2011)

  • The Senate has unanimously approved bipartisan legislation, sponsored by Senators Leahy (D-VT) and Cornyn (R-TX), that will improve the Freedom of Information Act (FOIA). The Faster FOIA Act will establish an advisory panel to examine agency backlogs in processing FOIA requests and provide recommendations to Congress for legislative and administrative action to enhance agency processing. The bill now moves on to the House of Representatives for consideration. EPIC testified earlier this year in a House Oversight Committee hearing on the need to strengthen FOIA. For more information, see EPIC: Open Government. (Jun. 1, 2011)

  • EPIC submitted a statement to the Federal Trade Commission in response to a public request for feedback about new trends in technology, consumer protection, and the debt collection industry. EPIC argued that Congress has authorized the FTC to bring much stronger regulations to bear on the debt collection industry. The Federal Debt Collection Practices Act prohibits debt collectors from publicizing consumers' debts to any third party. Section 5 of the FTC Act bars unfair and deceptive trade practices. The Gramm-Leach-Bliley Act gives debt collectors an affirmative legal duty to protect the sensitive information they collect. Congress gave the FTC authority to enforce all three of these laws. EPIC cited the sharp rise in complaints to the agency about debt collectors and a recent criminal case against debt collectors who coordinated with an identity theft scheme in Buffalo, New York as compelling reasons for the agency to introduce meaningful enforcement actions. For more information, see EPIC: Identity Theft. (May. 27, 2011)

  • A draft agreement between the United States and the European Union will allow the U.S. Department of Homeland Security to store passenger data for up to 15 years. The passenger data includes names, addresses, phone numbers, and credit card information, and even ethnic origin, political opinions, and details of health or sex life. The 15 year time period in the proposed agreement is three times that allowed under Europe's existing Passenger Name Record regime. Members of the European Parliament have said that the draft agreement violates fundamental rights and violates data protection laws. An earlier EU-US agreement on Passenger Name Records was struck down by the European Court of Justice. For more information, see EPIC: EU-US Airline Passenger Data Disclosure. (May. 27, 2011)

  • The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see EPIC: Cybersecurity and Privacy and EPIC: National Strategy for Trusted Identities in Cyberspace. (May. 26, 2011)

  • The Federal Communications Commission and the Federal Trade Commission will co-host a Location Based Services Forum on June 28, 2011. The event will include representatives from industry, consumer advocacy groups, and academia discussing the benefits and risks of location based services and industry best practices. The agencies are calling for public comment on location based services. EPIC previously submitted comments to the FCC on locational privacy in 2001 and 2006, requesting that the Commission establish guidelines for the protection of users' locational privacy. In 2010, EPIC specifically warned two Congressional committees about the privacy risks of location services in mobile phones. For more information, see EPIC: Locational Privacy. (May. 25, 2011)

  • As Congress considers renewal of the PATRIOT Act, Senator Patrick Leahy (D-VT) has proposed adoption of an amendment that will establish new privacy and civil liberties safeguards. The Amendment, cosponsored with Senator Rand Paul (R-KY), would sunset National Security Letter authority, mandate public reporting requirements, and create other protections. A similar amendment was endorsed by a majority of the Senate Judiciary Committee earlier this year. EPIC has obtained over 1,500 pages of government documents through a related Freedom of Information Act lawsuit against the Department of Justice concerning PATRIOT Act abuses. For more information, see EPIC: USA PATRIOT Act. (May. 24, 2011)

  • EPIC submitted a detailed statement to the Department of Education in response to a request for public comment on a proposal to expand exemptions in a law that protects the privacy of student information. The Family Educational Rights and Privacy Act limits the release of students' educational records. However, the Department of Education has proposed to relax privacy safeguards to permit widespread disclosure of student data, including unique student identification numbers, across federal and state agencies. EPIC said that the agency lacks the legal authority to establish the exemptions and that the proposal would result in an "Unprecedented and Unlawful Release of Confidential Student Information." Individuals can submit their own comments on the Regulations.gov website. For more information, see EPIC: Student Privacy. (May. 23, 2011)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security for unlawfully withholding documents concerning mobile body scanners. The mobile scanners can be used to monitor crowds, peering under clothes and inside bags. EPIC previously obtained documents describing the federal agency's plans to expand the use of these systems at railways, stadiums, and elsewhere. EPIC's suit asks a federal court to order disclosure of nearly 1,000 pages of additional records detailing the controversial program - records the agency has refused to make public. EPIC also has an ongoing lawsuit to suspend the controversial airport body scanner program. For more information see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS: Suspension of Body Scanner Program. (May. 20, 2011)

  • Lawmakers in the House and the Senate have reached an agreement that would renew key provisions of the Patriot Act, though amendments are still possible. One of the sections, known as the "lone wolf" provision, allows terrorist investigations of non-citizens without having to show connections to a terrorist organization. The Patriot Act expanded the authority of law enforcement and intelligence agencies to monitor private communications and access personal information. Among other things, the Patriot Act amended the Foreign Intelligence Surveillance Act (FISA) to allow the FBI to use National Security Letters in place of court-approved warrants. In 2010, 24,287 NSLs were issued, up 64% from the previous year. For more information, see EPIC: USA Patriot Act and EPIC: Foreign Intelligence Surveillance Act. (May. 20, 2011)

  • The Senate Commerce Committee today explored "Consumer Privacy and Protection in the Mobile Marketplace." Chairman Rockefeller said that users of mobile services have "an expectation of privacy . . . a right to privacy." The FTC's David Vladeck stated that consumers face new threats in the mobile marketplace and described the agency's recent actions against Twitter and Google. In 2010, EPIC recommended new privacy safeguards for location data. For more information, see EPIC: Locational Privacy. (May. 19, 2011)

  • A report from the Data Protection Working Party on Geolocation Services and Smart Mobile Devices recommends new privacy safeguards, including limitations on data collection and retention. Other recent reports from the Data Protection Working Party cover such topics as Data Breaches, Smart Meters, and RFID Applications. For more information, see EPIC - International Privacy Standards. (May. 19, 2011)

  • Senator Patrick Leahy (D-VT) has introduced the Electronic Communications Privacy Act (ECPA) Amendments Act to update the 1986 law for electronic mail and stored communications. Senator Leahy said "Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation’s premiere privacy laws. But today this law is significantly outdated and out-paced by rapid changes in technology . . ." The bill includes new provisions that clarify access by government agents to locational data, but stops short of regulating the use of locational data by private firms. EPIC has said that safeguards for locational data are critical for users of new modern communications services. For more information, see EPIC: Wiretapping and Summary of Legislation. (May. 17, 2011)

  • EPIC will host a Capitol Briefing on Wednesday, May 18, 2011 on "Street View, Privacy, & the Security of Wireless Networks." The luncheon symposium will feature a panel with FTC Director of Consumer Protection David Vladeck and Former FTC Commissioner Pamela Harbour, and other experts. Sky Hook CEO Ted Morgan will demonstrate Wi-Fi scanning. Many countries have launched investigations of Google Street View after investigators found that Google unlawfully collected Wi-Fi data and intercepted private communications traffic. EPIC has recommended that the US FCC undertake an investigation. The Briefing will be held at the Capitol Visitor’s Center in room HVC-201 from 11:30 am to 1:30 pm. Registration information. For more information, see EPIC: Street View and EPIC: FTC and follow #wifiprivacy. (May. 17, 2011)

  • Following the release of proposed cyber security legislation last week, the White House today unveiled "International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has recommended that the United States begin the process of ratifying the International Privacy Convention, which has been adopted by more than 40 countries. For more information, see EPIC - Privacy Convention. (May. 17, 2011)

  • A House Appropriations Subcommittee has stripped $76 million out of the TSA budget for 2012, designated for the purchase of 275 airport body scanners. Chairman Jason Chaffetz (R-UT) said that the body scanners are "a nuisance. They’re slow. And they’re ineffective." Earlier this year, EPIC held a conference in Washington on "The Stripping of Freedom: A Careful Scan of the TSA Security Procedures." For more information, see EPIC: Whole Body Imaging Technology, EPIC: EPIC v. DHS: Suspension of Body Scanner Program, and EPIC: Spotlight on Surveillance. (May. 13, 2011)

  • The White House has announced a far-reaching legislative proposal for cyber security. The proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the Google/NSA collaboration. For more information, see EPIC: Cybersecurity and Privacy. (May. 13, 2011)

  • EPIC filed a Freedom of Information Act lawsuit against the Federal Trade Commission over the agency's failure to disclose to EPIC information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking documents that the FTC widely circulated to members of Congress and their staff that provide the basis for the agency's decision. Privacy agencies around the world found that Google unlawfully intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential Wi-Fi routers in the United States. EPIC is hosting a Capitol Briefing on May 18th on "Street View, Privacy, and the Security of Wireless Networks." For more information, see EPIC: Street View and EPIC: FTC. (May. 12, 2011)

  • Playdom has agreed to pay $3 million to settle charges that it violated the Children's Online Privacy Protection Act (COPPA). The virtual game company failed to obtain notice and consent from parents before the collection and use of children's information. EPIC previously testified before the Senate Commerce Committee on the need to update COPPA and to clarify the law's application to mobile and social networking services. EPIC submitted similar comments to the Federal Trade Commission. For more information, see EPIC: COPPA. (May. 12, 2011)

  • The Senate Judiciary Subcommittee on Privacy, Technology, and Law held a hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy." Lawmakers heard testimony from the Federal Trade Commission, as well as from Apple and Google representatives. Chairman Leahy said that safeguarding privacy "is one of the most important and challenging issues facing the nation," and indicated that he would introduce legislation to update the Electronic Communications Privacy Act. EPIC previously recommended new privacy safeguards for location data. For more information, see EPIC: Locational Privacy and EPIC: In re Google Buzz. (May. 10, 2011)

  • The Department of Justice has released the 2010 Foreign Intelligence Surveillance Act (FISA) report. In 2010, the Justice Department submitted 1,579 FISA search applications to the Foreign Intelligence Surveillance Court, a 19% increase over 2009. The court did not deny or modify any applications. Also in 2010 the FBI made 24,287 National Security Letter requests for information pertaining to 14,212 different U.S. persons. This is a substantial increase from the 14,788 national security letter requests concerning 6,114 U.S. persons in 2009. EPIC has recommended greater accountability for the Foreign Intelligence Surveillance Court. For more information, see: EPIC: Foreign Intelligence Surveillance Act Court Orders 1979-2010 and EPIC: Foreign Intelligence Surveillance Act. (May. 9, 2011)

  • Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move their Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising. (May. 6, 2011)

  • In response to concern over the collection of location data, Apple released a software update for mobile devices, available through iTunes. The update will limit the storage of location data to one week, stop the transfer of location data when the device is synced, and erase all location data from a device if a user turns off Location Services. Location data stored on the device will also now be encrypted. The recent changes were sparked by a research paper which revealed that Apple was routinely storing tracking data on Apple iPhones and iPads in a secret file "consolidated.db." EPIC has commended Apple for moving quickly to address this problem. Last year EPIC warned Congress about the need to update federal privacy laws to address privacy risks with the collection of location data. For more information, see EPIC: iPhone and Privacy and EPIC: Locational Privacy. (May. 4, 2011)

  • At a Justice Department oversight hearing, Senate Judiciary Chairman Patrick Leahy today urged Congress to enact the bipartisan Personal Data Privacy and Security Act. He also said that the "collection, use and storage of Americans’ sensitive personal information, including by mobile technologies, is an important privacy issue." He asked the Attorney General to work with the Congress on updates to the Electronic Communications Privacy Act and other Federal laws implicating Americans’ privacy. During the hearing, the Attorney General confirmed an investigation into the Sony network attack, considered the most serious data breach to date. For more information, see EPIC - Wiretapping, EPIC - Identity Theft. (May. 4, 2011)

  • Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arises from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google. (May. 3, 2011)

  • Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users' data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz. (May. 2, 2011)

  • Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whoever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft. (Apr. 29, 2011)

  • Representatives Ed Markey (D-MA) and Joe Barton (R-TX) announced they had received responses from the four major U.S. wireless carriers about privacy and location data -- AT&T, Verizon, Sprint, and T-Mobile. The wireless carriers say that third-party applications are the biggest privacy threat to users of mobile services. Reps. Markey and Barton sent a letter to the companies after security researchers revealed that Apple was recording the location data of iPhone and iPad users. For more information, see EPIC: iPhone and Privacy and EPIC - Locational Privacy. (Apr. 29, 2011)

  • EPIC has filed comments with the State Department regarding Form DS-5513, a new passport application that requires unusually detailed information about the background of some passport applicants. For example, applicants are asked to provide their mother's place of employment at the time of their birth. The agency claims that such information is necessary "when the applicant submits citizenship or identity evidence that is insufficient to meet his/her burden of proving citizenship or identity." EPIC wrote that the State Department needs to provide more information about the purposes of the data collection for the public to meaningfully assess the impact. For more information, see EPIC National ID and REAL ID. (Apr. 28, 2011)

  • More than 30 states are considering new laws that would require voters to obtain government-issued photo identification. Voter photo identification laws have been routinely challenged in federal court, and many have been set aside or altered. Currently eight states have photo identification requirements. Prior to the Help America Vote Act, most states allowed several forms of identification to establish residence. In 2007, EPIC filed an amicus brief in the Supreme Court, joining a challenge to an Indiana voter ID law. The Court upheld the law 6-3. Justice Souter wrote in dissent, "this statute imposes a disproportionate burden upon those without" government-issued photo IDs. For more information, see EPIC Voter Photo ID and Privacy and EPIC - Crawford v. Marion County. (Apr. 27, 2011)

  • In response to growing public concern about the collection of location data, Apple announced today four changes to iOS4. Apple said it will (1) limit the storage of locational data to one week; (2) stop transferring locational data from the device to the user's computers; (3) allow users to delete all locational data collection on the device; and (4) encrypt the locational data stored on the device. The update should be available in the next few weeks. The recent change was sparked by a research paper which revealed that Apple was routinely storing tracking data on Apple iPhones and iPads in a secret file "consolidated.db." Congressman Markey and others wrote to Apple to express concern. Apple pledged that the company "has no plans to ever" track iPhone users. EPIC has commended Apple for moving quickly to address this problem. For more information, see EPIC: iPhone and Privacy and EPIC: Locational Privacy. (Apr. 27, 2011)

  • A spirited dialogue about the right of privacy dominated oral argument in a Supreme Court case on medical record data mining. Justice Breyer implied that the Federal Trade Commission could prevent existing commercial uses of private medical data by deeming the practices to be unfair and deceptive. Justices Sotomayor and Kennedy both pressured the data mining companies to focus on the constitutionality of preventing the spread of sensitive medical information. Justice Scalia even challenged the Vermont Medical Privacy Statute under review as insufficiently dedicated to protecting prescriber privacy. EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the de-identification techniques adopted by data mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell. (Apr. 27, 2011)

  • As details continue to emerge following the revelation that Apple’s iPhone and 3G iPad are collecting and recording locational data of users and storing it on the device, a class action lawsuit has been filed alleging violations of the Computer Fraud and Abuse Act, as well as state claims of unfair and deceptive trade practices. Illinois Attorney General Lisa Madigan has asked for a meeting with Apple. Apple has still not made a statement about the security vulnerability, which came to light at an April 20, 2011 locational conference. For more information, see EPIC: iPhone and Privacy and EPIC: Locational Privacy. (Apr. 27, 2011)

  • A federal appeals court held that the Privacy Act provides monetary damages for harms stemming from inaccurate government records. The case arose in 2006 when Julia Shearson and her four-year-old daughter, both U.S. citizens, reentered the country over the Canadian border. A customs database incorrectly identified Shearson as "ARMED AND DANGEROUS," after which she was handcuffed, questioned for several hours, and then released without explanation. Shearson sued under the Privacy Act and sought damages from the Department of Homeland Security for the agency's failure to ensure the accuracy of its computer records. DHS argued that the Privacy Act permitted the agency to exempt itself from the monetary damages provision of the law. The Sixth Circuit disagreed and held that Congress specifically intended that the Privacy Act provide civil remedies for government failures to comply with the Act's mandatory duties. EPIC routinely files comments on the obligation of federal agencies to comply with the Privacy Act and EPIC has also filed a Supreme Court brief in support of damage awards in Privacy Act cases. For more information, see EPIC: Doe v. Chao (US 2004). (Apr. 25, 2011)

  • Oral argument for IMS Health, Inc. v. Sorrell will take place in the Supreme Court on Tuesday, April 26, 2011. The case concerns a state privacy law that seeks to regulate data-mining of prescription records for commercial purposes. EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell. (Apr. 25, 2011)

  • Security researchers have found that Apple records detailed location data of iPhone and iPad users. The information, which includes latitude/longitude and a time stamp, is captured by the devices and then transferred to a user's computer where it is stored unencrypted. It is not clear whether Apple is able to access the file directly. Senator Al Franken (D-MN) and Rep. Ed Markey (D-MA) have asked Apple CEO Steve Jobs to explain why the company is storing information on its users in a secret file. Apple may have violated Section 222 of the Communications Act, which requires companies to obtain customer consent before location data is used or disclosed for commercial purposes. A recent Nielsen poll finds that US smartphone users are concerned with privacy when it comes to location. For more information, see EPIC: iPhone and Privacy, EPIC: Locational Privacy and EPIC: Consumer Proprietary Network Information. (Apr. 21, 2011)

  • The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate courts about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy. (Apr. 18, 2011)

  • The White House has published the National Strategy for Trusted Identities in Cyberspace (NSTIC), which provides guidance for an Internet identity system to be designed and built by the private sector. The plan comes nearly two years after the White House first released its Cyberspace Policy Review, which set forth a national plan for Internet identities. In 2010, the White House released the draft NSTIC, and accepted public comments via an online forum. EPIC responded with comments that emphasized the need for strong privacy safeguards for Internet users. "The President endorsed 'Privacy Enhancing Technologies' for online credentials. That is historic," said EPIC Executive Director Marc Rotenberg today. "But online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The US will need to do more to protect online privacy." In a press release, the White House emphasized that NSTIC should be privacy-enhancing and voluntary, interoperable, and cost-effective. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Apr. 15, 2011)

  • A federal judge has issued a final order in favor of privacy advocate Betty Ostergren, who challenged a state law designed to prosecute her for drawing attention to the state's poor security practices. Ostergren had posted public records on her website that included Social Security Numbers made available by the state of Virginia. A district court held that Virginia may not prosecute her for re-publishing the Social Security Numbers of state officials. On appeal, a federal appeals court ruled that the court’s holding was too limited, and on remand the court said that Ostergren can re-publish any publicly available documents. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC: Ostergren v. McDonnell, EPIC: Social Security Numbers, and EPIC: Identity Theft. (Apr. 15, 2011)

  • EPIC filed an amicus brief in federal court arguing that users of private residential routers are entitled to privacy protection. The EPIC brief is in response to a series of questions asked by a federal judge as to whether private WiFi communications are covered under the Federal Wiretap Act. EPIC explained that a "Wireless Local Area Network (WLAN)" provides functionality for those within the home who take advantage of shared services, such as printers and Internet access. In contrast, WiMAX, WWAN, and WiLD are wireless devices that broadcast over a long distance and are intended for public access. EPIC also pointed out that users of residential WLANs can configure their devices to operate as "Hot Spots," but few choose to do so. EPIC said that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public." For more information, see EPIC: Google Street View. (Apr. 15, 2011)

  • EPIC has filed an amicus brief in the Third Circuit Court of Appeals in support of a Jane Doe police deputy, who is suing to recover monetary damages for privacy violations. A coworker captured semi-nude video footage without her consent during a mandatory decontamination shower at a local hospital. The footage was uploaded onto a government computer. EPIC argued in support of Doe that the case implicates "freedom, intimacy, autonomy, and human dignity," and urged the Federal appeals court to hold that the Sheriff's Department violated the Constitutional right to informational privacy. EPIC has filed similar briefs in other cases, including NASA v. Nelson, decided by the Supreme Court earlier this year. For more information, see EPIC: Doe v. Luzerne. (Apr. 14, 2011)

  • Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the "Commercial Privacy Bill of Rights Act of 2011," aimed at protecting consumers' privacy both online and offline. The Bill endorses several "Fair Information Practices," gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information. But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements. EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission. (Apr. 12, 2011)

  • The Senate Judiciary Committee has approved bipartisan legislation, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), to improve the Freedom of Information Act (FOIA) processing. The Faster FOIA Act will create an advisory panel to examine agency backlogs and provide recommendations to Congress. EPIC recently testified before the House Oversight Committee about FOIA delays and politicized processing within the Department of Homeland Security. For more information see: EPIC: Open Government and EPIC: Litigation Under the Federal Open Government Laws. (Apr. 12, 2011)

  • The Department of Education has proposed new regulations to transfer student data from schools to state agencies. The regulations will revise key provisions of the Federal Educational Rights and Privacy Act, which was enacted to protect privacy, security, and confidentiality of student data. The proposal is part of a new federal program that requires schools to disclose student data, including enrollment information, degree of success transitioning from secondary to post-secondary institutions, and demographic data, to states to receive federal funding. The student information will be compiled into large databases and used to track and analyze students' progress through the education system. The Department is accepting comments on the proposed regulations. Deadline for comment is May 23, 2011. For more information, see EPIC: Student Privacy. (Apr. 8, 2011)

  • Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft. (Apr. 7, 2011)

  • Switzerland's top Court ruled against Google's Street View mapping service, forcing Google to blur faces and license plate numbers before putting images on the Internet. The Swiss Court stated, "the interest of the public in having a visual record and the commercial interests of the defendants in no way outweighs the rights over one's own image." Other countries, including the U.K., France, and Spain, have found that Google broke privacy laws when Street View cars collected wi-fi data from private wireless networks. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint asking the Commission to investigate violations of federal wiretap law and the U.S. Communications Act. For more information, see EPIC: Google Street View. (Apr. 5, 2011)

  • In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. Submissions to EPIC will be forwarded to the Federal Trade Commission and considered by the agency as part of the final Privacy Plan. All comments must be sent before May 2, 2011. For more information, see EPIC - In Re Google Buzz and FTC - Analysis to Aid Public Comments. (Apr. 5, 2011)

  • EPIC has announced the 2011 members of the EPIC Advisory Board. They are Ross Anderson, Professor of Security Engineering at Cambridge University, Jack Balkin, Knight Professor at Yale, danah boyd, Senior Researcher at Microsoft Research, Susan Crawford, professor at Cardozo Law School and a Visiting Research Collaborator at Princeton’s Center for Information Technology Policy, Brewster Kahle, director and co-founder of the Internet Archive, and Sherry Turkle, Abby Rockefeller Mauzé Professor at MIT. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Press Release. For more information, see EPIC: EPIC Advisory Board. (Apr. 4, 2011)

  • The Federal Trade Commission released the 2011 Annual Report, which emphasized the agency's actions in the consumer protection and anti-trust areas. The agency highlighted its work on privacy, data security, and technology and noted the settlement of several privacy cases, including Echometrix, Lifelock, Twitter, and U.S. Search. EPIC filed a complaint with the Commission concerning Echometrix, and still has complaints pending regarding changes in Facebook's privacy settings and Google cloud computing. For more information, see EPIC: Federal Trade Commission. (Apr. 1, 2011)

  • EPIC and a coalition of consumer and privacy organizations have filed an objection to the "cy pres" allocation proposed by the attorneys in the Google Buzz matter. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. In these cases, courts are often concerned about collusion between attorneys that produces quick settlements and does not protect the interests of the class members. EPIC, which filed the successful complaint with the Federal Trade Commission that led to the Google Buzz agreement, and the other groups say that the proposed settlement does not satisfy the "cy pres" requirement. They note that several of the organizations proposed by Google are currently funded by Google. Other parties in the case have also objected to the proposed settlement. The Court has already stated that "the final approval list of cy pres organizations may draw, but need not be drawn, entirely from the submission of nominations by Class Counsel." The Court also said, "The Court reserves the right to designate cy pres recipients who would reasonably benefit the Class through established Internet privacy education and policy programs on its own motion." For more information, see In re Google Buzz. (Apr. 1, 2011)

  • EPIC testified today before the House Oversight Committee hearing "Why Isn't The Department Of Homeland Security Meeting The President's Standard On FOIA?" The hearing examined the DHS's political review of open government requests. The DHS "Awareness" program singled out FOIA requests for additional scrutiny by political appointees based on the subject of the requests and the identities of the requesters. EPIC Senior Counsel John Verdi called the program "uniquely harmful" and "unlawful." He pointed to Supreme Court precedent and the additional delay in FOIA processing. Also testifying at the hearing were the DHS General Counsel, the DHS Chief FOIA Officer, and the DHS Inspector General. For more information, see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Mar. 31, 2011)

  • The Federal Trade Commission has reached an agreement with Google regarding Buzz, the social network service launched in early 2010. The FTC action follows a complaint and an amended complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching. It is the most significant privacy decision by the Commission to date. For Internet users, it should lead to higher privacy standards and better protection for personal data. EPIC has pursued similar successful complaints at the FTC in the past, including Microsoft Passport and Choicepoint, the databroker firm. For more information, see EPIC - In re Google Buzz. (Mar. 30, 2011)

  • EPIC Senior Counsel John Verdi will testify before the House Oversight Committee on March 31, 2011 regarding Homeland Security’s political review of FOIA requests and the effects of the agency’s policies on requesters. The hearing arises as the AP reports that DHS career staff repeatedly questioned the political review policy. This report also follows an earlier release of 1,000 agency documents revealing the long-standing process of vetting FOIA requests by political appointees. In a previous letter to the Committee, EPIC and a coalition of open government groups wrote that FOIA does not permit agencies to select requests for political scrutiny. For more information, see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Mar. 28, 2011)

  • EPIC asked a federal court in Washington, DC to reconsider its earlier decision allowing the Department of Homeland Security to keep secret 2,000 airport body scanner images in EPIC's Freedom of Information Act lawsuit. The Court relied on a legal theory in its decision, "Exemption High b(2)," that was recently struck down by the Supreme Court in Navy v. Milner. In Milner, the Court held that FOIA exemption 2 only applies to records concerning employee relations and human resources issues. Milner overturns previous lower court decisions that applied the exemption to broader categories of records, allowing federal agencies to block disclosure of documents to the public. EPIC argues in its motion that the Department of Homeland Security is unlawfully withholding information about the airport scanners from the public. For more information, see EPIC-Milner v. Dept. of Navy and EPIC v. DHS - Body Scanners. (Mar. 25, 2011)

  • Judge Denny Chin struck down a proposed settlement between Google and copyright holders that would have imposed significant privacy risks on e-book consumers. Google's proposal would have entitled the company to collect each user's search queries as well as the titles and page numbers of the books they read. In a February 2010 hearing before the Court, EPIC President Marc Rotenberg explained that this settlement would "turn upside down" well established safeguards for reader privacy, including state privacy laws, library confidentiality obligations, and the development of techniques that minimize privacy intrusions. Judge Chin determined that the proposed opt-out settlement was "not fair, adequate and reasonable." He further stated that "the privacy concerns are real" and that "certain additional privacy protections could be incorporated" in a revised settlement. For more information, see EPIC Press Release: EPIC Urges Court To Reject Google Books Settlement; EPIC: Google Books Settlement and Privacy. (Mar. 22, 2011)

  • Pursuant to EPIC v. DOJ, the Justice Department has turned over two legal memos concerning the Bush-era warrantless wiretapping program. EPIC sought these memos within hours after the New York Times first reported on the wiretapping program in 2005. The memos, dated November 2, 2001 and May 6, 2004, contain portions of the Bush Administration's justifications for the program, but are heavily redacted. The Obama Administration withheld three other memos in their entirety. For more information, see EPIC: Wiretapping, EPIC: Foreign Intelligence Surveillance Act (FISA), and Lawfare, "DOJ Releases Redacted Version of 2004 Surveillance Opinion." (Mar. 22, 2011)

  • France's National Commission for Computing and Civil Liberties fined Google 100,000 euros for violating French privacy rules when Google’s Street View cars collected people's e-mails and passwords without their knowledge. The Commission cited the "established violations and their gravity, as well as the economic advantages Google gained," as reasons for the highest fine it has ever levied. Several other countries, including the U.K., Canada, Germany, and Spain have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. For more information, see EPIC: Google Street View. (Mar. 22, 2011)

  • Viviane Reding, European Commission Vice President and European Union Justice Commissioner, announced that data protection would be her "top legislative priority." She said the Commission will focus on "four pillars" of privacy rights: the "right to be forgotten . . . transparency . . . privacy by default . . . [and] protection regardless of data location." Reding also spoke about the importance of enforcement to ensure a "high level of protection." EPIC President Marc Rotenberg spoke before the European Commission recently and EPIC has urged the United States to ratify Convention 108, the International Privacy Convention. For more information, see EPIC: EU Data Protection Directive. (Mar. 18, 2011)

  • Oral argument for the Supreme Court case Tolentino v. New York will take place on Monday, March 21, 2011. The case concerns an unlawful police stop. Tolentino asserts that the police had no basis for pulling his car over and then running his license. EPIC has filed a "friend of the court" brief arguing that the Constitution protects individuals from suspicionless searches of government databases. For more information, see EPIC: Tolentino v. NY. (Mar. 18, 2011)

  • In a hearing before the House Oversight Subcommittee on National Security, EPIC urged Congress to suspend the use of airport body scanners for primary screening. EPIC said the devices were not effective and were not minimally intrusive, as courts have required for airport searches. EPIC cited TSA documents obtained in EPIC's FOIA lawsuit which showed that the machines are designed to store and transfer images, and not designed to detect powdered explosives. EPIC was joined on the panel by radiation expert Dr. David Brenner, who has frequently pointed out the radiation risks created by these machines. The TSA, which is a federal agency funded by taxpayer dollars and responsible for the body scanner program, originally refused to testify at the hearing. Eventually they showed up. Chairman Jason Chaffetz, who had previously sponsored a bill regarding body scanners, grilled the TSA officials and said the hearing would continue with more questions. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS. (Mar. 16, 2011)

  • Senator Kohl (D-WI) has announced the agenda for the Senate Subcommittee on Antitrust, Competition Policy, and Consumer Rights. Among other issues, the Subcommittee will focus on competition in online markets and internet search, as well as oversight of the Justice Department and the Federal Trade Commission. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbour. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Mar. 14, 2011)

  • In celebration of Sunshine Week, EPIC published the EPIC FOIA Gallery: 2011. The gallery highlights key documents obtained by EPIC in the past year, including records detailing the privacy risks posed by airport body scanners, agency plans to expand the scanner program to non-airport locations, FBI abuse of surveillance authorities, and the Federal Trade Commission's failure to investigate Google Street View. EPIC regularly files Freedom of Information Act requests and pursues lawsuits to force disclosure of critical documents that impact privacy. EPIC also publishes the authoritative FOIA litigation manual. For more, see EPIC Open Government and EPIC Bookstore: FOIA. (Mar. 14, 2011)

  • The Subcommittee on National Security of the House Committee on Oversight and Government Reform will hold a hearing on "TSA Oversight: Whole Body Imaging" on March 16, 2011. EPIC President Marc Rotenberg has been asked to testify. The hearing is expected to explore the privacy impact, health concerns, and questions of effectiveness that have been raised about the program. Committee Chairman Jason Chaffetz (R-UT) introduced legislation in 2009 that passed the House, 310-108, that would prevent the TSA from deploying body scanners as the primary screening technique in US airports. EPIC held a public conference earlier this year that explored public objections to the TSA program. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Mar. 10, 2011)

  • The Department of Homeland Security told a federal court that the agency believes it has the legal authority to strip search every air traveler. The agency made the claim at oral argument in EPIC's lawsuit to suspend the airport body scanner program. The agency also stated that it believed a mandatory strip search rule could be instituted without any public comment or rulemaking. EPIC President Marc Rotenberg urged the Washington, DC appeals court to suspend the body scanner program, noting that the devices are "uniquely intrusive" and ineffective. EPIC's opening brief in the case states that the Department of Homeland Security "has initiated the most sweeping, the most invasive, and the most unaccountable suspicionless search of American travelers in history," and that such a change in policy demands that the TSA conduct a notice-and-comment rule making process. The case is EPIC v. DHS, No. 10-1157. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Mar. 10, 2011)

  • On March 10, 2011, EPIC President Marc Rotenberg will present arguments against the TSA body scanner program before the US Court of Appeals for the District of Columbia Circuit. EPIC has said that body scanners are "invasive, unlawful, and ineffective," and that the TSA's deployment of the devices for primary screening violates the U.S. Constitution and several federal statutes. EPIC's opening brief states that the Department of Homeland Security "has initiated the most sweeping, the most invasive, and the most unaccountable suspicionless search of American travelers in history." EPIC has also cited the agency's failure to respond to the First EPIC Petition and the Second EPIC Petition, widely supported by a broad coalition of organizations, which challenged the deployment of the devices and called for a public rule making. The case is EPIC v. DHS, No. 10-1157. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Mar. 8, 2011)

  • In Navy v. Milner, the Supreme Court held that the Freedom of Information Act’s “Exemption 2” is limited to employee relations and human resources issues. The decision overturns previous decisions by lower courts that applied the exemption to broader categories of records, allowing federal agencies to block disclosure of documents to the public. The Court stated that this practice contravened Congress’s intent. The Court emphasized that Congress intended all nine FOIA exemptions to be construed narrowly. EPIC is currently challenging the use of Exemption 2 in its lawsuit to force disclosure of records concerning full body scanners at airport checkpoints. The Court's decision in Navy v. Milner demonstrates that the Department of Homeland Security is improperly withholding information about the scanners from the public. For more information, see EPIC-Milner v. Dept. of Navy, and EPIC: OPEN Government. (Mar. 7, 2011)

  • Despite the fact that twenty-four states have rejected the REAL ID Act of 2005, Rep. Lamar Smith (R-TX), Rep. Peter King (R-NY), and Rep. James Sensenbrenner (R-WI) issued Homeland Security Secretary Janet Napolitano a letter warning against any further extension of REAL ID. The letter stated that not implementing REAL ID "threatens the security of the United States." The letter follows the arrest of Khalid Ali-M Aldawsari on charges of attempting to use a weapon of mass destruction. According to the House Judiciary Committee, DHS is planning to extend the deadline for implementation to January 15, 2013. The current deadline for states to be materially compliant is May 11, 2011. EPIC previously released a report, testified to Congress, and submitted comments stating that REAL ID included few protections for individual privacy and security in its massive national identification database. For related information, see EPIC: National ID and the REAL ID Act, EPIC: Biometric Identifiers, and the Privacy Coalition’s Campaign Against REAL ID. (Mar. 4, 2011)

  • The Inspector General of the Department of Homeland Security released a report finding that the agency's contract files did not "contain[] sufficient evidence of justification and approval, market research, and acquisition planning" for the $1.3 billion in noncompetitive contracts the agency entered into in fiscal year 2010. The noncompetitive process raises doubts that the agency secured the "best possible value" for the goods and services and that the contracts were awarded to "eligible and qualified vendors." The IG recommended that the agency’s Chief Procurement Officer pursue corrective action plans. EPIC previously criticized the agency’s contracting practices regarding whole body scanners. For related information, see EPIC: EPIC v. DHS: Body Scanners (Suspend the Program) and EPIC: EPIC v. DHS (FOIA). (Mar. 2, 2011)

  • Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressmen earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy. (Mar. 2, 2011)

  • Documents obtained by EPIC under the Freedom of Information Act reveal that the Department of Homeland Security has spent millions of dollars on mobile body scanner technology that could be used at railways, stadiums, and elsewhere. EPIC has already challenged the use of the devices in airports, calling them "invasive, ineffective, and unconstitutional." According to the documents obtained by EPIC, the federal agency plans to expand the use of these systems to monitor crowds, peering under clothes and inside bags away from airports. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Mar. 2, 2011)

  • In FCC v. AT&T, the Supreme Court held that federal protections for "personal privacy" do not permit corporations to prevent disclosure of government records. AT&T sought to prevent the disclosure of documents the company had submitted to a federal agency, claiming that the corporation's "personal privacy" prevented release of the records pursuant to the Freedom of Information Act. EPIC filed a "friend of the court" brief in the case urging the Justices to reject AT&T's claim. The Court agreed with the FCC, EPIC and other amici, writing, "The protection in FOIA against disclosure of law enforcement information on the ground that it would constitute an unwarranted invasion of personal privacy does not extend to corporations. We trust that AT&T will not take it personally." EPIC's brief cited the commonly understood meaning of "personal privacy" in the work of legal scholars and technical experts, as well as the use of these terms in an extensive survey of US privacy laws. For more information, see EPIC: FCC v. AT&T. (Mar. 1, 2011)

  • EPIC has filed an amicus brief in Sorrell v. IMS Health, a case now before the US Supreme Court concerning a state privacy law that seeks to regulate datamining of prescription records for commercial purposes. Datamining companies have challenged the Vermont law, arguing that it violates the First Amendment and also that there is no privacy interest in the transfer of "deidentified" prescriber records. The EPIC brief, filed on behalf of 27 technical experts and legal scholars, as well as 9 consumer and privacy groups, argues that the privacy interest in safeguarding medical records is substantial and that the "deidentification" techniques adopted by data-mining firms do not protect patient privacy. EPIC's amicus brief for the lower appellate court was cited in the opinion of Judge Debra Ann Livingston. As Judge Livingston explained, "neither appellants nor the majority advances any serious argument that the state does not have a legitimate and substantial interest in medical privacy . . . " For more information, see EPIC: IMS Health, Inc. v. Sorrell. (Feb. 28, 2011)

  • Rep. Darrell E. Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, issued subpoenas to two Department of Homeland Security employees for depositions to take place on March 7 and March 8. Rep. Issa has undertaken an investigation of DHS’s policy of submitting FOIA requests to political review. EPIC and a coalition of open government organizations sent Rep. Issa and Ranking Member Elijah Cummings (D-MD) a letter supporting the investigation. The political review policy came to light after the release of over 1,000 agency documents revealed a long-standing process of submitting FOIA requests from watchdog organizations to review by political appointees. EPIC has also recommended that the FOIA Ombudsman undertake an investigation of this practice. For related information see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Feb. 25, 2011)

  • The Department of Health and Human Services has determined that Cignet Health violated the privacy rule of the Health Insurance Portability and Accountability Act of 1996. The agency fined Cignet $4.3 million for denying patients access to their medical records and for failing to cooperate with the investigation. This is the first time that the agency has used its legal authority to penalize a company for privacy violations. For more information, see EPIC: Medical Privacy. (Feb. 23, 2011)

  • In response to an EPIC Freedom of Information Act request, the Department of Justice sent back only heavily redacted documents with no justification for data retention legislation. EPIC filed the request in 2010, seeking the Department's views on the Internet SAFETY Act, which would require internet service providers to retain user records for at least two years. The DOJ publicly supported the Act but has refused to provide a single substantive reason for that support. The Internet SAFETY Act has not yet been reintroduced in the 112th Congress. For more information, see EPIC: Data Retention. (Feb. 18, 2011)

  • In a Freedom of Information Act lawsuit filed by EPIC against the National Security Agency for information about the NSA's relationship with Google, the NSA has replied that "confirming or denying the existence of any such records would reveal information relating to its core functions and activities . . ." EPIC sought the information, including a widely discussed cooperative research agreement between NSA and Google, because the agency's practices would impact the privacy interests of millions of Internet users both in the United States and around the world. The case is EPIC v. NSA, Civ. Action No. 10-1533 (RJL). EPIC has a related release against the NSA concerning the agency's cybersecurity authority. For more information, see EPIC - EPIC v. NSA. (Feb. 18, 2011)

  • In response to a request for comments on an FTC report on future action, EPIC criticized the Commission for failing to act on numerous privacy complaints currently pending before the Commission, including those involving Facebook privacy settings, Google Buzz, and Cloud Computing Services. EPIC recommended a comprehensive federal privacy law based on Fair Information Practices, support for Privacy Enhancing Technologies, and the establishment of an independent privacy agency. The FTC report recommended the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. For more information, see EPIC - Federal Trade Commission. (Feb. 18, 2011)

  • The White House Office of Management and Budget has released the federal budget for fiscal year 2012. The stated goal of the budget is to reduce the national deficit by eliminating wasteful programs. However, the budget proposal includes funding for 275 airport body scanners, which EPIC has called "invasive, unlawful, and ineffective." There is funding for federal "fusion centers," widely viewed as unregulated government databases that are used to track people suspected of new crime. The White House budget proposes expansion of the “Secure Communities” program, which has been the target of harsh criticism by civil liberties groups. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Information Fusion Centers and Privacy. (Feb. 18, 2011)

  • The Senate and the House each passed short-term extensions of the Patriot Act. The Senate passed a three-month extension while the House extended the provisions until Dec. 8. The extensions included the “lone wolf” provision permitting surveillance of individuals and groups not connected to identified terrorist groups, the “library law” provision granting access to “any tangible items” of individuals under surveillance, and the provision authorizing the FBI’s use of roving wiretaps. A Judiciary Committee hearing on Senator Leahy’s proposal to extend the provisions until 2013 with increased oversight is expected soon. Senator Patrick Leahy (D-VT) opposed efforts to extend the provisions that “undercut important oversight and government accountability of these intelligence gathering tools.” EPIC has in the past urged the Senate Judiciary Committee to require the Attorney General to report to Congress on potentially unlawful investigations. For related information, see EPIC: USA Patriot Act and EPIC: PATRIOT FOIA Litigation. (Feb. 16, 2011)

  • EPIC and a coalition of over 30 organizations and open government experts sent a letter to Rep. Darrell E. Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, urging public hearings on the DHS policy of vetting FOIA requests by political appointees. Rep. Issa has undertaken an investigation of this "political review" policy. The coalition also recommended that the Committee support the Office of Government Information Services, the "FOIA Ombudsman," and encourage the Government Accountability Office to conduct investigations of agency FOIA practices. EPIC previously requested an investigation into DHS's FOIA practices. EPIC said that the FOIA does not permit agencies to select requests for political scrutiny. For related information, see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Feb. 16, 2011)

  • Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has established a new Subcommittee on Privacy, Technology and the Law as part of his commitment to protecting “Americans’ privacy in the digital age.” Sen. Al Franken (D-MN) will chair the subcommittee, which will cover privacy laws and policies, new business practices, social networking sites, privacy standards, and the privacy implications of emerging technologies. For related information, see EPIC: Social Networking Privacy, EPIC: Cloud Computing. (Feb. 16, 2011)

  • EPIC has filed an administrative appeal with the Federal Trade Commission, challenging the agency's failure to disclose information about the FTC's decision to end the Google Spy-Fi investigation. EPIC is specifically seeking a slide presentation that the FTC provided to Congress about the matter. The agency has claimed that the presentation to Congress is exempt from disclosure under the Freedom of Information Act. Privacy agencies around the world found that Google intercepted private communications traffic. Yet documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential wifi routers in the US. For more information, see Google: Street View. (Feb. 11, 2011)

  • In Pineda v. Williams-Sonoma, the California Supreme Court has determined that merchants may not require credit card customers to provide ZIP codes. In a unanimous decision, the Court found that ZIP codes are "personal identification information" under the state Credit Card Act of 1971. In the Pineda case, the customer believed that providing an SSN was necessary to complete a credit card transaction. The merchant subsequently used the SSN to determine the customer's home address. The California court said that the Credit Card Act "intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." For more information, see EPIC - Social Security Numbers and EPIC - Reidentification. (Feb. 11, 2011)

  • EPIC has opposed an effort by the Transportation Security Administration to provide secret evidence to the court in EPIC's challenge to the airport body scanner program. The TSA claimed that it can withhold documents that it has designated "Sensitive Security Information" and scientific studies because they are "copyrighted materials." EPIC responded that the TSA failed to establish that the documents are Sensitive Security Information, and also that the TSA cannot withhold materials in a judicial proceeding because they are subject to copyright. The argument before the DC Circuit in the case is scheduled for March 10. For more information, see EPIC: EPIC v. DHS: Body Scanners (Suspend the Program) and EPIC: EPIC v. DHS (FOIA). (Feb. 10, 2011)

  • A House vote on extending provisions of the Patriot Act that will lapse on February 28 failed. The three provisions concerned authorizing the FBI’s use of roving wiretaps, granting the government access to “any tangible items” of individuals under surveillance, and allowing the surveillance of individuals and groups not connected to identified terrorist groups. The House bill would have extended these provisions until December. The Senate Judiciary Committee is considering a bill that would extend the expiring provisions to 2013. Senator Patrick Leahy (D-VT) issued a statement explaining that he did not support efforts to extend the provisions that “undercut important oversight and government accountability of these intelligence gathering tools.” EPIC, through the Freedom of Information Act, recently obtained from the Intelligence Oversight Board, internal reports of intelligence law violations by the FBI that do not comply with Attorney General guidelines for oversight. EPIC has in the past urged the Senate Judiciary Committee to require the Attorney General to report to Congress on potentially unlawful investigations. For related information, see EPIC: USA Patriot Act and EPIC: PATRIOT FOIA Litigation. (Feb. 9, 2011)

  • Senator Udall (D-NM) has introduced Senate Amendment 51, which would require the Transportation Security Administration to install "Automatic Target Recognition" software in all body scanners by January 1, 2012. The technology creates a "generic image" of airline passengers instead of the "peep show" images now produced by TSA devices and viewed by TSA officials. The TSA recently announced that it will begin testing new software at select U.S. airports. However, the TSA has not resolved concerns about image retention, health risks, or the effectiveness of the procedures. EPIC has filed a Freedom of Information Act lawsuit against the TSA for unlawfully withholding information about the body scanner technology. EPIC has a case in Federal Appellate court to suspend the use of the devices for primary screening in airports. For more information, see EPIC - Whole Body Imaging Technology, EPIC - EPIC v. DHS (Suspend the program), EPIC - EPIC v. DHS (FOIA). (Feb. 8, 2011)

  • Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy. (Feb. 7, 2011)

  • The National Institute of Standards and Technology (NIST) has announced that it is accepting comments on two draft documents on cloud computing: the NIST Definition of Cloud Computing and the Guidelines on Security and Privacy in Public Cloud Computing. The documents were prepared after the Federal Chief Information Officer asked NIST to develop standards and guidelines to assist the federal government’s secure adoption of cloud computing. EPIC has warned of the ongoing privacy risks associated with cloud computing since its expansion into the public sphere in 2008. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Comments on both NIST documents are due no later than February 28, 2011. For more information, see EPIC: Cloud Computing and EPIC: In re Google and Cloud Computing. (Feb. 3, 2011)

  • EPIC has filed a Freedom of Information Act lawsuit against the TSA for unlawfully withholding documents about software modifications to the Full-Body Scanners. EPIC submitted requests for these documents in June 2010 and October 2010. In response to mounting public criticism about the passenger screening program, the TSA recently announced that it would use "Automatic Target Recognition" software to mask the nude images of airline travelers that TSA officials currently view. However, documents obtained by EPIC in an earlier Freedom of Information Act lawsuit established that these procedures have the capability to store and record unfiltered images of passengers. EPIC has since filed a lawsuit to suspend the controversial screening program. The new case is EPIC v. Dep't of Homeland Security, No. 1:11-cv-00290. For more information see EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program). (Feb. 2, 2011)

  • A letter from Rep. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) to Mark Zuckerberg asks about Facebook's plans to make users' addresses and mobile phone numbers available to websites and application developers. Facebook suspended the plan after EPIC and others objected. EPIC Executive Director Marc Rotenberg said that "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy. (Feb. 2, 2011)

  • Rep. Darrell E. Issa (R-CA), chair of the House Committee on Oversight and Government Reform, has issued a letter to Secretary Janet Napolitano demanding that DHS release all documents regarding the agency's policy of vetting FOIA requests through political appointees. Rep. Issa also asked that DHS political appointees appear before the Committee for interviews regarding the policy. Previously, EPIC urged the FOIA Ombudsman to conduct an investigation of the DHS. EPIC said the "political review" policy is contrary to federal law and Supreme Court holdings; the FOIA does not permit agencies to select requests for political scrutiny. For related information see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Feb. 2, 2011)

  • In response to widespread public opposition to airport body scanners, the TSA has announced that it will begin testing new body scanner software at select U.S. airports that it claims is less revealing. But the new scanners will also allow TSA officials to observe the passengers as they are being scanned. Previously, TSA operators were stationed in a remote viewing room. The TSA has also not resolved concerns about image retention, health risks, or the effectiveness of the procedures. In June 2010, EPIC submitted a FOIA request for information about the technology. The agency has yet to respond. For more information see EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program). (Feb. 2, 2011)

  • EPIC has supported a global initiative, led by Access Info, to urge the LIBE Committee of the European Parliament to safeguard government transparency. Under consideration is a proposal to limit open government by withholding documents that are not "formally" transmitted. 180 organizations, journalists, and activists support the campaign, and over 90 countries worldwide have adopted laws, constitutional amendments or regulations protecting the right to freedom of information. For related information, see EPIC: Open Government and EPIC: Privacy & Human Rights: An International Survey of Privacy Laws and Developments. (Jan. 31, 2011)

  • In G.D. v. Kenny, a case raising both defamation and privacy tort claims, the Supreme Court of New Jersey has held that defendants are entitled to assert truth as a defense, even when the relevant facts are subject to an expungement order under a state statute. The Court relied on the fact that criminal conviction information is disseminated before the entry of an expungement judgement. In an amicus brief, EPIC had urged the New Jersey Supreme Court to preserve the value of expungement and further argued that data broker firms will make available inaccurate and incomplete information if expungement orders are not enforced by the state. The case may have implications for the "Right to be Forgotten." For more information, see EPIC - G.D. v. Kenny, EPIC - Expungement. (Jan. 31, 2011)

  • Privacy International, EPIC, and the Center for Media and Communications Studies (CMCS) released "European Privacy and Human Rights (EPHR) 2010," a report investigating the scope of privacy and data protection laws in Europe. The study includes 33 individual reports covering issues from privacy enforcement to ID cards, biometrics, and data-sharing and video surveillance. The study ranks privacy protection across the European Union (EU). An interactive map is available. The EPHR is based on EPIC's report Privacy & Human Rights: An International Survey of Privacy Laws and Developments. (Jan. 28, 2011)

  • Speaking before the Council of Europe and the European Commission at a high-level meeting in Brussels, EPIC President Marc Rotenberg urged the United States to ratify "Convention 108," the International Privacy Convention. Rotenberg pointed out that the United States had recently ratified the Council of Europe Convention on Cybercrime and had urged its allies to do so as well. Rotenberg's remarks followed a letter from EPIC to Secretary of State Hillary Clinton a year earlier asking that the United States begin the process of ratification. Rotenberg said the Convention is a "remarkable document that recognizes the value of innovation and the importance of fundamental freedoms." For more information, see Public Voice - The Madrid Declaration and EPIC - EU Data Directive. (Jan. 28, 2011)

  • EPIC has presented the 2011 International Privacy Champion Award to European Parliament Member Sophie in't Veld and the 2011 Domestic Privacy Champion Award to Jeff Chester, founder and executive director of the Center for Digital Democracy. In't Veld was recognized for her work as a "leading defender of fundamental freedoms," Chester as a "tireless champion of consumer rights." Professor Stefano Rodotà and Justice Michael Kirby have previously received the EPIC International Privacy Champion Award. The 2010 EPIC Domestic Privacy Champion Award went to Beth Givens, founder and director of the Privacy Rights Clearinghouse. (Jan. 28, 2011)

  • EPIC submitted comments on the Commerce Report, "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework." EPIC called for an independent privacy agency with enforcement powers, and a comprehensive federal privacy law based on robust Fair Information Practices. EPIC also urged the Department to push forward an international framework for privacy protection and explained how effective regulation will promote innovation for privacy as it has for alternative energy. EPIC warned the Commerce Department not to "repeat the dreadful mistake of P3P," a privacy protocol widely viewed as one of the failures of self regulation. For more information, see EPIC: Internet Privacy, EPIC: EU Data Protection Directive, and EPIC: Privacy Act of 1974. (Jan. 26, 2011)

  • The Department of Homeland Security has released the Freedom of Information Act Report for 2010. The report analyzes the processing of FOIA requests made throughout the year by each DHS component, detailing the disposition of each request, response times, and the number of backlogged requests. DHS is under scrutiny for its policy of referring FOIA requests to political appointees before processing. The release of over 1,000 agency documents revealed a persistent agency practice of flagging FOIA requests from EPIC and other watchdog organizations for referral. The FOIA does not permit agencies to select FOIA requests for political scrutiny, and the Supreme Court has stated that neither the identity of the FOIA requester nor the reason for the request is relevant to the processing of requests. EPIC has recommended that the FOIA Ombudsman investigate the Department’s policy. For related information, see EPIC: Open Government and EPIC: Litigation under the Federal Open Government Laws 2010. (Jan. 24, 2011)

  • A New Mexico jury exonerated civil rights activist Phil Mocek for refusing to show his identification to the TSA before boarding a plane and for filming TSA agents. Mocek has published footage of the incident, stemming from his attempt to board a flight in Albuquerque in 2009. Agents instructed Mocek to put down his camera. When he refused, insisting that TSA rules and regulations do not prohibit filming in publicly-accessible areas of the airport, agents raised their voices and accused him of "causing a disturbance." Police officers arrived on scene and informed Mocek that he was under criminal investigation for "disturbing the peace," demanding that he produce identification. Mocek carried no identification and was brought up on four separate charges relating to the incident. The jury in the case took an hour to deliberate and returned with a verdict of NOT GUILTY on all charges. EPIC is currently suing to strike down the TSA's body scanner checkpoint program and recently submitted a "Friend of the Court" brief urging the Supreme Court to limit police access to identity documents. For more information, see EPIC: EPIC v. DHS and EPIC: Tolentino v. New York. (Jan. 24, 2011)

  • To provide business groups more time to express their views on consumer privacy, the FTC has extended the deadline for submitting comments on the agency's Internet privacy report to February 18th. The preliminary staff report "Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers" recommends the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC's report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission and EPIC: Online Tracking and Behavioral Profiling. (Jan. 24, 2011)

  • Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according to a recent statement. Senator Rockefeller has specifically called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . . will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the Children's Online Privacy Protection Act (COPPA), protecting consumers' phone records, and spam e-mail. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Cybersecurity Privacy Practical Implications. (Jan. 21, 2011)

  • In documents obtained by EPIC through a Freedom of Information Act request, a senior attorney with the Federal Trade Commission describes the Google WiFi investigation as a "wasted summer" and hopes that a Hill briefing on Google WiFi "won't be too much of a time suck." EPIC sought these documents after the FTC dropped its investigation of Google Street View. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, asking the Commission to investigate violations of US wiretap law and the Communications Act. For more information, see EPIC: Google Street View. (Jan. 20, 2011)

  • The Supreme Court has issued a decision in NASA v. Nelson, a case brought by NASA scientists who argued that the government's invasive background checks violated the Constitution. The Supreme Court found that the inquiries implicate "a privacy interest of Constitutional significance" but that the requests were reasonable and that the information would be protected under the Privacy Act. Writing in concurrence, Justice Scalia said the Court's opinion "will dramatically increase the number of lawsuits claiming violations of the right to informational privacy." EPIC authored an amicus brief, cosigned by 27 technical experts and legal scholars, which highlighted problems with the Privacy Act, including the "routine use" exception, security breaches, and the agency's authority to carve out its own exceptions. For more information, see EPIC: NASA v. Nelson and EPIC: Workplace Privacy. (Jan. 19, 2011)

  • The Supreme Court heard oral argument in FCC v. AT&T. EPIC has filed a "friend of the court" brief in the case, which concerns the meaning of "personal privacy." EPIC urged the Justices to reject AT&T's claim that the corporation's "personal privacy" prevents the public disclosure of records subject to the Freedom of Information Act. EPIC cited the commonly understood meaning of "personal privacy" in the work of legal scholars and technical experts, as well as the use of these terms in an extensive survey of US privacy laws. The records at issue in the case pertain to contract work for the federal government. The Supreme Court agreed to review a lower court opinion which held that AT&T could assert a personal privacy interest. EPIC's brief argued that if upheld, the lower court's "interpretation of 'personal privacy' would stand as an outlier, untethered to common understanding, legal scholarship, technical methods, or privacy law." For more information, see EPIC: FCC v. AT&T. (Jan. 19, 2011)

  • Facebook has retreated from its decision to allow third-party access to users' home addresses and phone numbers. Facebook backed off after criticism of the new policy, but said it would go forward once it has made further changes. EPIC Executive Director Marc Rotenberg said "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy. (Jan. 18, 2011)

  • EPIC filed an amicus brief in Tolentino v. New York, a Supreme Court case concerning police access to government databases, enabled by patrol cars with Mobile Device Terminals. EPIC urged the Court to uphold Fourth Amendment protections for the Petitioner, who asserted that police had no basis for pulling him over and running his license. EPIC's brief states that "the risk is real that car stops will increasingly become pretextual because of the opportunity to search a government database for data unrelated to the reason that gave rise to the original stop." EPIC has filed briefs in related cases, including Hiibel v. Sixth Judicial District, in which the Supreme Court upheld, by a 5-4 margin, a state identification law because the individual did not have to produce his driver's license. In that case, Justice Stevens wrote "a name can provide the key to a broad array of information about the person, particularly in the hands of a police officer with access to a range of law enforcement databases." For more information, see EPIC: Tolentino v. NY, EPIC: Herring v. US, and EPIC: Drivers Privacy Protection Act. (Jan. 18, 2011)

  • A federal district court has granted the Department of Homeland Security's motion to conclude one of EPIC's Freedom of Information Act lawsuits. EPIC was seeking more than 2,000 images generated by airport body scanners held by the TSA. The DHS objected to the disclosure and the court sided with the government. The court relied on a legal theory, "Exemption High (b)(2)," that is currently under review by the Supreme Court in Milner v. Dept. of Navy. As a result of this lawsuit, EPIC obtained many documents concerning the airport screening program, including Procurement Specifications, Operational Requirements, traveler complaints, and vendor contracts with L3 and Rapiscan, that were subsequently made available to the public. EPIC may appeal the district court's decision as to the release of the body scanner images. For more information, see EPIC: EPIC v. DHS and EPIC: Body Scanners. (Press Release) (Jan. 12, 2011)

  • The Supreme Court granted review of Sorrell v. IMS Health Inc., after the Second Circuit Court of Appeals' decision to strike down Vermont's prescription confidentiality law. The law regulates data mining companies that sell or use doctors' prescribing records containing personal information on patients. The Court of Appeals' decision, which relied on the First Amendment, diverged significantly from other decisions upholding similar laws. EPIC filed a "friend of the court" brief in support of the Vermont law, arguing that the state has a substantial interest in protecting the privacy of medical records and that the data miners' de-identification practices do not, in fact, protect patient privacy. For more, see EPIC: IMS Health v. Sorrell, EPIC: IMS Health v. Ayotte, and EPIC: Medical Privacy. (Jan. 7, 2011)

  • EPIC hosted "The Stripping of Freedom: A Careful Scan of TSA Security Procedures" at the Carnegie Institute for Science in Washington, DC. Speakers included Representative Rush Holt, Ralph Nader, New York City Councilman David Greenfield, and representatives of the Libertarian Party, the Council on American Islamic Relations, Flyer’s Rights, and the CATO Institute. The conference, covered by CSPAN, was fully interactive, with a videocast and a Twitter feed (#ScanTSA). For more information, see EPIC v. DHS (Suspension of Body Scanner Program). (Jan. 6, 2011)

  • EPIC has filed its reply brief in the suit to suspend the Department of Homeland Security's controversial airport body scanner program. The brief argues that "the TSA has acted outside of its regulatory authority and with profound disregard for the statutory and constitutional rights of air travelers, the agency’s rule should be set aside and further deployment of the body scanners should be suspended." EPIC filed its opening brief on November 1, 2010, arguing that the body scanners are "unlawful, invasive, and ineffective." On January 6, EPIC held a one-day public conference "The Stripping of Freedom: A Careful Scan of TSA Security Procedures" in Washington, DC. Oral argument will be heard in the case on March 10. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Jan. 6, 2011)

  • In People v. Diaz, the California Supreme Court has held that an exception to the Fourth Amendment permits warrantless searches of a person's cellphone following an arrest. The court said that the search in this case was "incident to a lawful arrest." In a dissenting opinion, Judge Werdegar said that the exception was intended to permit warrantless searches of clothing or small physical containers, and that accessing electronic data storage devices is uniquely invasive. "Never before has it been possible to carry so much personal or business information in one's pocket or purse," the judge stated. In a recent Supreme Court "friend of the court" brief, EPIC explained that modern communications devices contain extensive personal information and should be entitled to privacy protection. For more information, see City of Ontario v. Quon. (Jan. 4, 2011)

  • The Department of Homeland Security has filed its answer brief in EPIC's suit to suspend the agency's controversial airport body scanner program. EPIC filed its opening brief on November 1, 2010, arguing that the body scanners are "unlawful, invasive, and ineffective." Since then, a national grassroots movement of citizens, advocates, and lawmakers staged protests, sent letters, held hearings, and introduced legislation to stop the program. DHS has repeatedly attempted to delay resolution of EPIC's lawsuit, but the Court has scheduled oral argument for March 10, 2011. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology. (Jan. 4, 2011)
