========================================================================
                           E P I C   A l e r t
========================================================================
Volume 14.08                                              April 20, 2007
------------------------------------------------------------------------

                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

             http://www.epic.org/alert/EPIC_Alert_14.08.html

========================================================================
Table of Contents
========================================================================
[1] EPIC Files Federal Trade Commission Complaint
[2] Justice Department Proposes Vast Expansion of Domestic Surveillance
[3] EPIC Brief Seeks to Protect Domestic Violence Victims
[4] Attorney General Testifies before Senate Judiciary Committee
[5] Pew Reports on Teens' Online Activity
[6] News in Brief
[7] EPIC Bookstore: "A Crowd of One"
[8] Upcoming Conferences and Events

========================================================================
[1] EPIC Files Federal Trade Commission Complaint
========================================================================

EPIC, the Center for Digital Democracy and the US Public Interest Research Group filed a complaint this week with the Federal Trade Commission (FTC), urging the Commission to open an investigation into the impact on consumer privacy of Internet advertising practices and the specific issues that arise in the proposed acquisition of DoubleClick, Inc. by Google, Inc.

On April 13, 2007, Google announced an agreement to acquire online advertising giant DoubleClick, Inc. for $3.1 billion. The acquisition of DoubleClick will permit Google to track both a person's Internet searches and a person's web site visits, and Google has already expressed its intent to merge data from Google and DoubleClick to profile and target Internet users.
This could impact the privacy interests of 233 million Internet users in North America, 314 million Internet users in Europe, and more than 1.1 billion Internet users around the world, giving Google access to more information about the Internet activities of consumers than any other company in the world.

Google will operate with virtually no legal obligation to ensure the privacy, security, and accuracy of the personal data that it collects. As noted in the complaint, neither Google nor DoubleClick has taken adequate steps to safeguard the personal data that is collected. Moreover, the proposed acquisition will create unique risks to privacy and will violate previously agreed standards for the conduct of online advertising.

The federal government has established policies for privacy and data collection on federal web sites that acknowledge particular privacy concerns “when uses of web technology can track the activities of users over time and across different web sites” and has discouraged the use of such techniques by federal agencies. The Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data recognize that “the right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard.” Further, privacy laws routinely require that information about consumers be deleted once it is no longer needed. Courts have recognized a privacy interest in the collection of information that concerns Internet use even where the information may not be personally identifiable.
The complaint states, “there is simply no consumer privacy issue more pressing for the Commission to consider than Google's plan to combine the search histories and web site visit records of Internet users.” The groups seek an order from the FTC that would require DoubleClick to remove user identified cookies and other persistent pseudonymic identifiers from its data, and require Google to present a public plan for how it plans to comply with such well established government and industry privacy standards as the OECD Privacy Guidelines. Further, Google should provide reasonable access to all personally identifiable data maintained by the company to the person to whom the data pertains; establish a meaningful data destruction policy, and destroy all cookies and other persistent identifiers resulting from Internet searches that are or could be personally identifiable once the user terminates the session with Google.

Pending an adequate resolution of the issues identified in this complaint, the groups call on the Commission to use its authority to review mergers to halt Google's proposed acquisition of DoubleClick.

EPIC's Complaint to the FTC (pdf):
     http://www.epic.org/privacy/ftc/google/epic_complaint.pdf

Google's Press Release Announcing Agreement:
     http://www.google.com/intl/en/press/pressrel/doubleclick.html

EPIC's FTC Google Complaint page:
     http://www.epic.org/privacy/ftc/google/default.html

========================================================================
[2] Justice Department Proposes Vast Expansion of Domestic Surveillance
========================================================================

The Justice Department released a legislative proposal to amend the Foreign Intelligence Surveillance Act (FISA). Under the proposed law, the president, "acting through the Attorney General, may authorize electronic surveillance without a court order under this title to acquire foreign intelligence information for periods of up to one year."
The president would also have the power to approve physical searches under the proposed amendment.

The proposed legislation would remove the terms "wire" and "radio communication" from the current legislation, and amend the definition of electronic surveillance as follows: "electronic surveillance would mean: (1) the installation or use of an electronic, mechanical, or other surveillance device for acquiring information by intentionally directing surveillance at a particular, known person who is reasonably believed to be located within the United States under circumstances in which that person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes; or (2) the intentional acquisition of the contents of any communication under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, if both the sender and all intended recipients are reasonably believed to be located within the United States." This amendment would capture a wider range of communications technologies, and provide for future innovations.

The legislation would require less specificity in applications to the court by changing the current law's requirement for "detailed descriptions" or statements to a "summary description" or a "summary statement." The proposal for new legislation would give the Attorney General the power to direct a person to "immediately provide the Government with all information, facilities, and assistance necessary…" for investigations. The draft proposal also allows for compensation and immunity for individuals (but not for entities) who aid in the collection of information.

The proposal would also increase flexibility in the appointment of judges from the federal circuit courts to serve on the FISA court.
The proposal would also create a role for the Director of National Intelligence in the securing of information collected and communications for coordination and cooperation among local, state, and federal law enforcement agencies to prevent attacks. New areas that will be addressed under the bill include prohibitions on the proliferation of weapons of mass destruction.

EPIC's domestic surveillance page:
     http://www.epic.org/features/surveillance.html

DOJ's proposed legislation (pdf):
     http://www.fas.org/irp/news/2007/04/fisa-proposal.pdf

DOJ's press release and fact sheet:
     http://www.usdoj.gov/opa/pr/2007/April/07_nsd_247.html

EPIC's FISA page:
     http://www.epic.org/privacy/terrorism/fisa/

EPIC's FISA Order 1979-2005 page:
     http://www.epic.org/privacy/wiretap/stats/fisa_stats.html

========================================================================
[3] EPIC Brief Seeks to Protect Domestic Violence Victims
========================================================================

EPIC filed an amicus brief in a divorce discovery dispute, urging a Colorado district court to limit the release of cell phone records. The requesting party had previously been ruled to be harassing the owner of the records and her associates. The request asked for several years' worth of telephone records and was not limited to particular parties or area codes called.

A recent Federal Communications Commission (FCC) Order requires telecommunications and voice-over-IP providers to take steps to protect their customers' records. Significantly, consumers must opt in to the sharing of their calling records. The FCC declared in the Order that giving consumers control over their private information "directly and materially advances privacy and safety interests."

In addition to the Order, EPIC also highlighted privacy advances in the Violence Against Women Act (VAWA) of 2005. Both VAWA and Colorado law recognize that "placing [someone] under surveillance" can be a form of stalking.
Surveillance causes unease, and if done with certain harmful intent can be illegal. Individuals have an interest in carrying out their daily lives, even in public, free from the anxiety, discomfort, and safety risks of surveillance.

Lastly, EPIC urged the court to consider such privacy interests as security and use limitation. Privacy interests in personal information are not limited to simply keeping the data confidential. Individuals should also gain assurances that information disclosed for one purpose will not be used for other purposes. Furthermore, data that is disclosed should be held securely and be free from the danger of further unauthorized disclosures.

EPIC's Amicus Brief (pdf):
     http://www.epic.org/privacy/dom_violence/cellrecord_amicus.pdf

EPIC's Domestic Violence and Privacy page:
     http://www.epic.org/privacy/dv/

EPIC's Telephone Record Privacy page:
     http://www.epic.org/privacy/iei/

========================================================================
[4] Attorney General Testifies before Senate Judiciary Committee
========================================================================

On April 19, Attorney General Alberto R. Gonzales testified before the Senate Judiciary Committee regarding his leadership at the Department of Justice. Chairman Patrick Leahy started the hearing by stating that “[t]oday, the Department of Justice is experiencing a crisis of leadership perhaps unrivaled during its 137-year history.” Ranking Member Arlen Specter called the hearing, in a sense, a “reconfirmation hearing.”

While the hearing focused on the firing of eight U.S. Attorneys, many Senators mentioned other issues within the Department of Justice, such as the use of national security letters and terrorist watch lists. Sen. Specter re-asserted the flagrant misuse of national security letters by the FBI, and asked what constructive actions have been taken to correct the problem.
Gonzales replied that his office is “involved in the oversight and auditing of field offices”, in order to gain a better understanding of the scope of the problem. Senator Leahy said, referring to the misuse of national security letters, “never in this country have we had such an invasion of Americans' privacies.” In a March 21, 2007, letter to the Senate Judiciary Committee, EPIC recommended that Congress repeal the FBI's National Security Letter authority.

Senator Specter called for a reconfirmation that the domestic surveillance program has been discontinued, which Gonzales provided. Senator Specter also requested written explanations as to why Gonzales feels the Justice Department's legislative proposal to amend the Foreign Intelligence Surveillance Act (FISA), released last week, is necessary. Senator Specter said it was up to the president and Gonzales to decide whether he should stay, but that his credibility and the department have been damaged.

Prepared Statement of Attorney General Gonzales:
     http://www.usdoj.gov/ag/testimony/2007/ag_speech_070419.html

Statement of Chairman Patrick Leahy:
     http://www.epic.org/redirect/leahy0407.html

Statement of Senator Arlen Specter:
     http://www.epic.org/redirect/specter0407.html

EPIC's National Security Letters page:
     http://www.epic.org/privacy/nsl/

EPIC's letter to the Senate Judiciary Committee (pdf):
     http://www.epic.org/privacy/pdf/nsl_letter.pdf

========================================================================
[5] Pew Reports on Teens' Online Activity
========================================================================

The Pew Internet & American Life Project released a report on teens' management of their online identities. Entitled "Teens, Privacy and Online Social Networks: How teens manage their online identities and personal information in the age of MySpace," the report is based on surveys and focus groups of teenage social network software users.
Pew has conducted previous studies on online dating and wired seniors.

The report concludes that the majority of teens who have online profiles manage them in order to protect sensitive information. Providing a first name and photo are standard, but rarely is information given out that would allow an individual to physically locate a teen. Girls are more concerned about the release of information than boys. Over half of teens protect their privacy by posting false information. A quarter of teens have made friends online, and 1/3 have been contacted by a stranger via social networking. The survey further found that teens are aware of the differences in sharing information offline and posting it online.

In 2006, Facebook.com changed how it distributed information online, in that any changes to an individual user's profile were broadcast to other users. Showing that they are sensitive to privacy concerns, hundreds of thousands of users signed a petition requesting that Facebook change the feature. Facebook responded to the petition by allowing users to opt out of the information broadcasting feature.

The collection of children's personal information online is subject to the Children's Online Privacy Protection Act (COPPA). COPPA requires verifiable parental consent prior to the collection of personal data of children under the age of 13; disclosure to parents of data collected; and a right to revoke the consent and have the data deleted. According to the Pew report, more households have rules about internet usage than other media.

Pew Report - Teens, Privacy and Online Social Networks:
     http://www.pewinternet.org/PPF/r/211/report_display.asp

EPIC's page on Social Networking:
     http://www.epic.org/privacy/socialnet/

EPIC's page on COPPA:
     http://www.epic.org/privacy/kids/

========================================================================
[6] News in Brief
========================================================================

North Dakota Is Second State to Ban Forced RFID Implantation

North Dakota has become the second state to ban forced RFID implantation in humans. The law makes such action a "Class A misdemeanor," but penalties for violating the law have not been set. Wisconsin passed similar legislation last year. However, voluntary implantation is still permissible under the North Dakota law, and the two-line bill does not address what is considered "voluntary." EPIC has repeatedly warned against the use of RFID to identify individuals, highlighting the risk that people could be tracked in real-time.

North Dakota's SB 2415 (pdf):
     http://www.legis.nd.gov/assembly/60-2007/bill-text/HBPJ0300.pdf

EPIC's Radio Frequency Identification (RFID) Systems page:
     http://www.epic.org/privacy/rfid/

Montana and Washington Formally Reject REAL ID Act

This week, Montana and Washington became the first two states to formally reject the REAL ID Act. Previously, Maine, Idaho, and Arkansas passed resolutions declaring opposition to REAL ID, but the laws passed by Montana and Washington go further. Montana's law declares that it "will not participate in the implementation" of REAL ID and prohibits the state from implementing any changes related to the national identification system. Washington's bill forbids use of state funds unless certain protections, including privacy and security safeguards, are met. About 20 states are debating similar legislation.
Controversy continues to surround the national ID scheme, and the public is invited to comment on the Department of Homeland Security's draft regulations to implement the REAL ID Act. The deadline for public comment is May 8, 2007.

Montana's HB 0287 (pdf):
     http://www.epic.org/privacy/id_cards/mont_hb0287.pdf

Washington's SB 5087:
     http://apps.leg.wa.gov/billinfo/summary.aspx?bill=5087&year=2007

EPIC's National ID Cards and REAL ID Act page:
     http://www.epic.org/privacy/id_cards/

Student Loan Database Restricted After Improper Searches

The Education Department has restricted all outside access to a database filled with the personal data of student financial aid applicants amid a growing scandal about loan companies' improperly searching the records for advertising purposes. The department will conduct a review of users of the National Student Loan Data System, which contains 60 million student records that include Social Security numbers and sensitive financial data such as loan balances. About 29,000 university financial aid administrators and 7,500 loan company employees had access to the database before the temporary shutdown. The New York attorney general has been investigating ties between lenders and universities for months. The department recently received an F in the annual computer security report card.

National Student Loan Data System:
     http://www.nslds.ed.gov/nslds_SA/

House Committee on Oversight and Government Reform: Federal Computer Security Report Card (pdf):
     http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf

EPIC's Student Privacy page:
     http://www.epic.org/privacy/student/

ICANN Seeks Comments on Accountability and Transparency Report

One World Trust, a UK-based NGO that conducts research into the accountability of global organizations, has just released its Independent Review of ICANN's Accountability and Transparency.
The report identifies a number of areas where ICANN practices observe principles of accountability, and a number of areas where there is room for improvement. ICANN received high marks for its transparency, particularly for the amount of information that it shares on its website, but it was also noted that ICANN should ensure the public are being engaged consistently across the different constituent bodies. ICANN seeks comments and feedback from the public on the report. The comment period runs until April 27, 2007. The public may email comments to transparency-2007@icann.org.

Independent Review of ICANN's Accountability and Transparency (pdf):
     http://www.icann.org/transparency/owt-report-final-2007.pdf

ICANN:
     http://www.icann.org

One World Trust:
     http://www.oneworldtrust.org

The Public Voice:
     http://www.thepublicvoice.org

European Human Rights Court Protects Workplace Privacy

The European Court of Human Rights issued a decision regarding employees' right to privacy in their correspondence sent from a workplace. In Copland v. The United Kingdom, the Court found that the monitoring of a public employee's telephone, email, or Internet interferes with the right to privacy guaranteed by Article 8 of the European Convention on Human Rights. Article 8 states that “everyone has the right to respect for his private and family life, his home and his correspondence.” The decision prohibits surveillance of private communications in the workplace if there is no legal basis for the monitoring.

Copland v. UK:
     http://www.bailii.org/eu/cases/ECHR/2007/253.html

European Convention on Human Rights:
     http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm

EPIC's Workplace Privacy page:
     http://www.epic.org/privacy/workplace/

========================================================================
[7] EPIC Bookstore: "A Crowd of One"
========================================================================

A Crowd of One: The Future of Individual Identity, by John Henry Clippinger (PublicAffairs 2007).

     http://www.powells.com/partner/24075/biblio/9781586483678

In "A Crowd of One," John Henry Clippinger, an expert on identity and Senior Fellow at the Berkman Center for Internet & Society at Harvard Law School, says his motivation for the book comes from the traditional model for influence, force, and "its instant power and its limitations." Clippinger explores alternative forms of influence, "in pursuit of the ultimate 'virtuous circle,' that might under the right conditions yield trust, reciprocity, and the will to not go to war."

The key decisions that we make in life are not necessarily rational, because our personal identity is derived from our relationships with others, and we must understand those social connections. In understanding these connections, we can understand the "social commerce" that is created by our increasingly digitized world.

In social commerce, a system where you must have trust and exchange, your reputation is your identity, Clippinger says. He points to eBay and its notion of reputation: buyers rate a seller's claims about an item, speed of delivery - giving feedback on the seller's trustworthiness. The importance of the eBay model, and why the site remains a success, is the "genuine insight into the mechanics of how people formed their identities within communities where their actions were visible." The feedback ratings allowed members to achieve a sort of social status and influence.
But one must be careful, because untrustworthy people could role-play and take advantage of the system by masking their true identities, also evidenced by eBay's feedback system. Some eBay scammers will create many small-cost transactions - selling camera batteries at a low price to a hundred people - and increase their trustworthiness by gathering many good ratings from these buyers. Then, the seller will list several high-cost items - expensive, high-end digital cameras - and abscond with the money from the sales without delivering the items. The buyers bid on the high-cost items, in part under the influence of the seller's "good reputation" under the eBay ratings system.

Much of human activity is being moved in and out of virtual worlds and this will only increase, Clippinger says. He believes that this digital age, where we can build communities of shared interests based on new ideas of reputation and identity, is the next Enlightenment. These theories of influence and social transaction will allow us to continuously evolve new systems of identity management, as distinct individuals within a social structure of crowds.

-- Melissa Ngo

================================

EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
     http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2005: An International Survey of Privacy Laws and Developments" (EPIC 2006). Price: $60.
     http://www.epic.org/bookstore/phr2005/phr2005.html

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 70 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2005 is the most comprehensive report on privacy and data protection ever published.

================================

"FOIA 2004: Litigation Under the Federal Open Government Laws," Harry Hammitt, David Sobel and Tiffany Stedman, editors (EPIC 2004). Price: $40.
     http://www.epic.org/bookstore/foia2004

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
     http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
     http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
     http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
     http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
     http://www.powells.com/features/epic/epic.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
     https://mailman.epic.org/cgi-bin/control/foia_notes

========================================================================
[8] Upcoming Conferences and Events
========================================================================

Proof Positive: New Directions for ID Authentication Public Workshop. Federal Trade Commission.
April 23 and 24, 2007. Washington DC. For more information contact: idmworkshop@ftc.gov

2nd Annual Access to Knowledge conference. Yale. April 27-29, 2007. New Haven, CT. For more information: http://research.yale.edu/isp/eventsa2k2.html

CFP2007: Computers, Freedom, and Privacy Conference. Association for Computing Machinery. May 2007. Montreal, Canada. For more information: http://www.cfp2007.org

Music, Technology and IP Policy Day. May 2, 2007. Washington, DC. For more information: http://www.futureofmusic.org/events/dcpolicyday07/index.cfm

Conference on Interdisciplinary Studies in Information Privacy and Security. Rutgers University. May 22, 2007. New Brunswick. For more information: http://www.scils.rutgers.edu/ci/isips/

Privacy Compliance Conference. The Canadian Institute. May 30-31, 2007. Toronto, Canada. For more information: http://www.privcom.gc.ca/events/index_e.asp

29th International Conference of Data Protection and Privacy Commissioners. September 25-28, 2007. Montreal, Canada. For more information: http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html

======================================================================
Subscription Information
======================================================================

Subscribe/unsubscribe via web interface:
     https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_news

Back issues are available at:
     http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

     http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.06 -------------------------