                              E P I C  A l e r t
Volume 15.15                                            July 25, 2008

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents
[1] Court Rules that Data Breach Violates Fundamental Human Rights
[2] Federal Court Strikes Down Internet Censorship Law, Again
[3] Google Complies with California Privacy Policy Law After 30 Days
[4] First European Privacy Seal Awarded to Search Engine Ixquick
[5] DNS Security Standard Implemented into .org Domain
[6] News in Brief 
[7] EPIC Bookstore: "Distracted"
[8] Upcoming Conferences and Events 
	- Subscription Information 
	- Privacy Policy 
	- About EPIC 
	- Donate to EPIC http://www.epic.org/donate
	- Support Privacy '08 http://www.privacy08.org

[1] Court Rules that Data Breach Violates Fundamental Human Rights

The Finnish government will be required to pay a fine because it failed
to protect patient data against the risk of unauthorized access,
according to a ruling from the European Court of Human Rights. The
ruling establishes a nexus between the right to privacy under human
rights law and the protection of personal information. The European
Court of Human Rights held that Article 8 of the European Convention on
Human Rights, which guarantees respect for every citizen's private life
against needless interference by the government, includes an affirmative
obligation to ensure the security of personal data. According to the
court, a government hospital's failure to guarantee the security of the
petitioner's data against the risk of unauthorized access constituted a
"breach of the state's positive obligation to secure respect for her
private life by means of a system of data protection rules and

The hospital ran afoul of the Convention's guarantee of personal privacy
because its records system violated Finland's own law requiring
hospitals to secure personal data against unauthorized access. The
petitioner, who worked as a nurse at the same hospital where she was
being treated for HIV, began to suspect that her co-workers had learned
about her disease by reading her confidential medical records. Although
hospital rules stated that records could only be accessed for treatment
purposes, as a practical matter patient records could be viewed by any
hospital staff. Despite the plain privacy violation, the petitioner was
unable to meet her burden under the Finnish privacy law. The hospital's
failure to sufficiently document access to medical records made it
difficult to prove that loose policies caused the rumors.

Nevertheless, the court held that the simple fact that the hospital had
an insecure medical records system was enough to make the health care
facility responsible for the otherwise unexplained spread of the
employee's private medical information. "The mere fact that the domestic
legislation provided the applicant with an opportunity to claim
compensation for damages caused by an alleged unlawful disclosure of
personal data was not sufficient to protect her private life," said the
court. "What is required in this connection is practical and effective
protection to exclude any possibility of unauthorized access occurring
in the first place. Such protection was not given here."

The European Court of Human Rights was established in 1950 by the European
Convention on Human Rights. It has issued many important privacy decisions
based on Article 8 of the European Convention.

European Court of Human Rights:

I v. Finland, Eur. Ct. H.R., No. 20511/03 (17 July 2008):

EPIC's Privacy And Human Rights Report: 

EPIC's Medical Privacy Page: 

[2] Federal Court Strikes Down Internet Censorship Law, Again

The Third Circuit Court of Appeals struck down the Child Online
Protection Act, a federal law that sought to prohibit the publication of
information on the Internet that could be considered "harmful to
minors." The Court held that the law violated the First and Fifth
Amendments because it is "impermissibly overbroad and vague."

The censorship law also failed a strict scrutiny analysis because it did
not employ less restrictive alternatives, like internet content filters
that can be programmed or configured according to the values of
individual families. The Court affirmed a District Court's permanent
injunction that prevents the Government from enforcing this law.

The Court also criticized the law's encroachment on the right of
Internet users to receive information anonymously, a claim that EPIC
raised early in the litigation. Without anonymity, many users are
deterred from accessing online content. Forcing people to provide
personally identifiable information to content providers for age
verification purposes exposes them to fraud and identity theft, a
rapidly growing problem in the United States. The internet censorship
law would also "chill protected free speech" by requiring Web publishers
to either self-censor or bear the cost of implementing age verification

The lawsuit challenging the Child Online Protection Act began nearly ten
years ago, following the Supreme Court's invalidation of Congress' first
attempt to censor the Internet with the Communications Decency Act.
Immediately after the Child Online Protection Act's enactment in 1998,
the plaintiffs, consisting of speakers, content providers, and users of
the Web, sought an injunction to bar the law's enforcement. In 2002, the
Supreme Court upheld the district court's preliminary injunction with
grave doubts about the law's ultimate constitutionality. The case was
remanded to the district court for a ruling on the merits.

EPIC was plaintiff and co-counsel in the case and specifically urged the
court to consider the impact on privacy of the age verification procedures.

ACLU, EPIC, et al v. Mukasey, No. 07-2359 (3rd Cir., July 22, 2008):

Child Online Protection Act:

EPIC Alert on the Original Grant of the Preliminary Injunction:

EPIC page on the Child Online Protection Act:

EPIC page on the Communications Decency Act:

[3] Google Complies with California Privacy Policy Law After 30 Days

Following a public request by EPIC and other privacy organizations,
Google posted a link to its privacy policy on its homepage. On June 3,
2008, EPIC, along with a dozen other groups including the Privacy
Rights Clearinghouse and the World Privacy Forum, sent a letter to 
Google notifying them that they were in violation of a California statute 
requiring commercial websites to conspicuously post links to their privacy 
policies on the main page of their websites.

Google did not comply immediately, explaining that they liked a clean
looking homepage that wasn't cluttered with links. Google also claimed
that it would be easy for anyone seeking the Google privacy policy to
use the search engine itself. However, using the Google search engine to
search for the privacy policy is an insufficient solution, because users
must surrender some privacy in order to engage the search engine, but
may not know this until they read the privacy policy.

Under the California law, Google was required to post the link within 30
days of the advocates' letter notifying them of the violation and, on
day 30, a link entitled "privacy" appeared on the Google homepage. For
the first time since its creation, Google users can access the privacy
policy from Google's front page without searching through the other
front page links and without engaging the search engine, which would
store their search and IP address.

Google's posting conforms with the widespread practice of commercial web
sites. Google has also instituted a privacy transparency program,
accessible through this link, which includes YouTube videos, blog posts,
and other resources explaining the various privacy issues likely to be
encountered by Google consumers.

Google has been no stranger to consumer privacy issues. After a blogger
discovered a weakness in Gmail's security last week, Google promised to
take steps to repair the problem. Aviram Jenik, of the SecuriTeam blog,
published a blog post about a feature of Google Calendar which allows
any Gmail user to see the registered full name of any other Gmail user
by merely sharing a Google Calendar with them. Although the problem has
since been repaired, Google claimed that it was "not a security issue"
and was an intentionally included feature of the calendar system.

EPIC's page on Google privacy issues:

The letter from EPIC and other advocacy organizations:

Google's announcement of privacy link on homepage:

Blog post about the Gmail security hole:

[4] First European Privacy Seal Awarded to Search Engine Ixquick

On July 14, 2008, search engine Ixquick was presented with the first
European Union (EU) Privacy Seal by EuroPriSe. The European Privacy Seal
ensures that internet technology (IT) products and services comply with
EU laws and regulations on privacy and data security. "The awarding of
the first European Privacy Seal to the meta-search engine Ixquick marks
an important milestone to implement privacy on the World Wide Web and
highlights this privacy-friendly service," said EU Data Protection
Supervisor Peter Hustinx.

Ixquick offers solutions to many of the privacy concerns created by the
internet. Search engines and other websites have been criticized because
searches and visits are routinely recorded and combined into personal
and behavioral profiles. In 2006, Ixquick became the first search engine
to delete information like IP-addresses and eliminate the use of ID
cookies. Unlike Facebook and Google, Ixquick does not reveal personal
data of its users to third parties.

The European Privacy Seal is a simple uniform method to identify whether
an IT product meets the high privacy standards of the EU. The seal is
given to an IT product only after it has been audited to determine if it
meets compliance with European regulations on privacy and data security.
First, legal and IT experts evaluate the product or service. Second, an
accredited certification body cross-checks the evaluation report. Over
120 experts from various EU countries have been trained to provide

The award "underlines that a balance between the open nature of the
internet, providers' interests, and the protection of personal data of
internet users is possible," said EU Commissioner Viviane Reding.

EU Data Protection Supervisor

European Privacy Seal Press Release:

Ixquick's Press Release: 

Ixquick's Homepage: 

EPIC's Page on Search Engine and Privacy:

EPIC's Privacy and Human Rights Report: 

[5] DNS Security Standard Implemented for .ORG Domain

The Internet Corporation for Assigned Names and Numbers (ICANN) recently
announced that the Domain Name System Security Extensions (DNSSEC) will
be implemented on the domain name service system for .ORG domain names.
The added security layer will primarily protect users from attempts by
hackers to spoof, masquerade as, and hijack websites, attacks to which
users of wireless networks are particularly vulnerable. The .org
domain is now the first generic Top Level Domain authorized to implement
the security extensions on its domains.

Domain names stand in for numeric Internet Protocol (IP) addresses.
Instead of a series of numbers, a "www.website.org" address, or domain
name, identifies a website. However, the distribution of domain names
is not protected against hackers. An unauthorized network operator can
redirect an unsuspecting user's DNS requests from the desired website
to a totally different website. Because the user would not know that
the substituted website is not the one actually requested, the user's
personal information could be exposed to a malicious website. With
security extensions, however, users are protected from hackers
pretending to be a domain name distributor.

EPIC submitted comments to ICANN in support of the DNSSEC standard. The
implementation provides protection against hacker attacks by adding
cryptographic information to the domain name system, which will make
redirecting to malicious websites especially difficult. Also, when a
client requests the IP address for a domain name, the DNS will provide
origin authentication of data, data integrity, and authenticated denial
of existence. The DNS security extensions have already been implemented
in Sweden, Bulgaria, Brazil, and Puerto Rico.

.ORG Announces DNSSEC Implementation:

EPIC's Page on DNSSEC: 

.ORG to consider secure DNS: 

[6] News in Brief

Under Pressure, Embarq Scraps Internet Snooping Plan

A week after senior members of Congress criticized Embarq's test of
Internet snooping technology, the ISP announced that it will shut down
its controversial behavioral advertising partnership with NebuAd. Embarq
was intercepting customers' browsing activity "to create consumer
profiles for the purpose of serving ads to consumers based upon their
search and surfing habits," the Congressmen said in a letter to Embarq.
They also observed that Embarq's secret Internet surveillance raised
substantial questions of compliance with federal law. "Embarq's apparent
use of this technology without directly notifying affected customers
that their activity was being tracked, collected, and analyzed raises
serious privacy red flags," said Congressman Edward Markey. Congressmen
Markey (D-MA) and Joe Barton (R-TX) previously urged Charter
Communications, the nation's fourth-largest cable company, to back off
on a similar venture with NebuAd. The cable giant scrapped the
controversial plan in June.

Letter To Embarq Sent By Senior Members Of Congress:

July 21, 2008 Letter From Embarq Detailing Internet Surveillance Test:

July 23, 2008 Letter From Embarq Detailing Internet Surveillance Test:

EPIC's Page On Deep Packet Inspection And Privacy:

Facebook's new design does not address privacy problems

On July 20, 2008, Facebook released a new webpage design, but it still
fails to address the privacy problems that have plagued the company.
According to Facebook CEO Mark Zuckerberg, the changes were designed "to
highlight the most recent and relevant information that users value,
give users even more control and ownership over their profiles and
simplify the user experience." The new design allows Facebook users to
adjust the size and prominence of stories published on their profiles.
Users can also utilize the "Publisher" feature to upload photos and
videos, or write notes. None of these changes, however, address the
privacy issues that continue to plague Facebook. Developers of Facebook
applications still enjoy access to users' detailed personal information
and the detailed personal information of the users' friends - even if
these friends choose not to install the application.

Facebook Press Release:

EPIC Facebook Page: 

Lawsuit uncovers Maryland police spying on peace groups

Undercover Maryland state troopers have been conducting surveillance of
three groups advocating peace and protesting the death penalty.  The
police infiltrated the groups by attending meetings and sending reports
on the groups' activities to U.S. intelligence and military agencies,
according to documents released as part of a Freedom of Information 
Act lawsuit filed by the Maryland chapter of the American Civil 
Liberties Union. The documents show at least 288 hours of surveillance 
over the 14-month period. Information sharing databases similar to 
HIDTA exist elsewhere in the country and have frequently been 
criticized for privacy problems. EPIC recently won a Freedom of Information 
lawsuit against the Virginia State Police regarding the role of the
federal government in the operation of the state Virginia Fusion Center 
and EPIC is currently pursuing similar FOIA requests in all 50 states.

ACLU Press Release:

EPIC page on fusion centers: 

Social Security Unveils New Earnings Calculator

On July 21, 2008, the U.S. Social Security Commissioner introduced a new
online calculator to help people plan their retirement. The Social
Security Commissioner stated that the new calculator is "easy-to-use and
will provide highly accurate benefit estimates for those nearing
retirement age." The calculator allows the user to compare and contrast
several different retirement options. For instance, it allows the user
to change expected future earnings and modify retirement dates. The new
calculator addresses privacy problems that were raised by previous
versions. The previous calculator was problematic because it temporarily
stored earnings records on local computers while the user was on the
page. The new calculator displays only estimates of retirement benefits
and not other personal information, such as previous earnings.

New Social Security Calculator: 

Social Security New Calculator Press Release:

EPIC's Social Security Section: 

TSA Expands Testing of Full-Body Backscatter Scanners

The Transportation Security Administration will expand usage of new
backscatter scanning systems to screen airline passengers. The new
SmartCheck Z Backscatter Personnel Screening System will be installed at
John F. Kennedy International Airport in New York. Similar systems are
already in place at airports in Phoenix and Los Angeles. EPIC and others
have raised privacy concerns about the scanners, which can create
photo-quality images of travelers as if they were undressed. The
scanner's manufacturer claims that the new system creates a less
detailed image than previous backscatter scanners, does not show
detailed images of genitalia, and does not store and transmit saved
images. Like previous scanners, the new devices are a voluntary
alternative to pat-downs. Approximately 90% of passengers so far have
chosen to be screened by the SmartCheck rather than a pat-down.

American Science & Engineering's Page on the Privacy Enhanced System:

EPIC's page on Backscatter Screening Technology:

EPIC's Spotlight on TSA Backscatter Use:

Library Association Launches "Privacy Revolution"

The American Library Association, in partnership with EPIC and other
groups, has called for a national privacy revolution. The initiative
aims to inspire Americans to join librarians in a call for new privacy
standards for the digital age. The campaign responds to the
organization's 2006 resolution calling for a "national discussion on
privacy." As part of the plan, local libraries will solicit public
support for legislative and agency-level reforms that protect and
preserve personal privacy. Internet users can take a survey on Library
Association's website and watch video of the launch at the 2008
conference. Previous ALA initiatives, including a campaign for reader
privacy, led to amendments protecting library privacy in the Patriot

American Library Association Privacy Revolution:

EPIC's Privacy 08 Campaign: 

Health IT Bill Moves Forward in House with Some Privacy Safeguards

The House Commerce Committee approved H.R. 6357, the Protecting
Records, Optimizing Treatment, and Easing Communication through
Healthcare Technology Act of 2008. The PRO(TECH)T Act will promote the
adoption of health information technology that is intended to improve
the delivery of healthcare services. The bill includes some security and
privacy safeguards, such as data breach notification, though Patient
Privacy Rights believes that stronger protections are necessary. EPIC
made several suggestions to strengthen the privacy provisions. For more
information see EPIC Medical Privacy.

PRO(TECH)T Act Passes House Committee:

EPIC Comments on PRO(TECH)T Act:

EPIC Medical Privacy Page

[7] EPIC Bookstore: "Distracted"

"Distracted: The Erosion of Attention and the Coming Dark Age" by Maggie
Jackson (Prometheus Books 2008)


Increasingly, our thought is shaped by distraction, argues Maggie
Jackson in her riveting and convincing diagnosis of our cultural
malaise. In every area of life, from consumer gadgetry to our patterns
of work and play, the relentless change that we associate with progress
is eroding our capacity for deep, sustained, perceptive attention. And
she warns that all our material riches, abundant information, and
creative leaps will not save us from a coming cultural "dark age" - unless
we learn to value and nurture undivided attention as the bedrock of
healthy mental and social life.

A recurrent theme in her account is the connection between the
fragmentation of attention and the fragmentation of trusting
relationships. To show the cumulative impact of technology on our
attention spans and communal bonds, Jackson points out trends among
disparate corners of social life, ranging from the nineteenth century's
reactions to the telegraph, the transformation of family relationships
viewed through meals and funerals, and new documentation of the damage
to child development of using television as a babysitter. Reflecting on
the evidence of Bentham's Panopticon in today's technologies for
conducting social relationships, she writes, "Surveillance can't
cohabitate with trust, that slow-to-bud, immeasurable essence of close
relations that thrives only outside the panoptic gaze.  By choosing
surveillance-based attention, we are ushering in an age of mistrust."

It takes a nuanced cultural critic to weave together the disparate
symptoms of this disease, but Jackson does so without a trace of
shrillness. She deftly threads together her own observations as a
journalist with her survey of the insights of a century of like-minded
historians, psychologists, sociologists, and novelists. Her account is a
pleasure to read because it is a powerful articulation of both sides of
our ambivalence towards the rapid encroachment of communications
technology into our lives. To the reader who feels fragmented by the
staccato of bullet points, text messages, and microwave dinners that
increasingly characterizes every facet of modern life, Distracted feels
like a long, honest look in the mirror.

-- Andrew Gradman


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.


This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry A.
Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors (EPIC
2007). Price: $50.


This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23rd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


"EPIC Bookshelf" at Powell's Books



EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

The 8th Privacy Enhancing Technologies Symposium (PETS 2008), July 23-
25, 2008.  Leuven, Belgium.  For more information:

The Privacy Symposium - Summer 2008: An Executive Education Program on
Privacy and Data Security Policy and Practice, August 18-21, 2008,
Harvard University, Cambridge, MA. For more information:

Privacy Awareness Week. August 24, 2008. Australia, New Zealand, Hong
Kong, Korea and Canada. For more information:

Youth Privacy Online: Take Control, Make It Your Choice! September 4,
2008, Eaton Centre Marriott, Toronto. For more information:

Access to Information: Twenty-five Years on. September 8, Minto Suites
Hotel, Ottawa. For more information: http://www.rileyis.com/seminars/

Workshop on Applications of Private and Anonymous Communications.
September 22, 2008. Istanbul, Turkey. For more information:

Europe-wide action day "Freedom not fear." October 11, 2008. Multiple
sites. For more information:

International Symposium on Data Protection in Social Networks. October
13, 2008, Strasbourg. For more information:

Protecting Privacy in a Borderless World. October 15-17, 2008,
Strasbourg. For more information: http://www.privacyconference2008.org

Privacy in Social Network Sites Conference. October 23-24, 2008. Delft
University of Technology, Faculty of TPM, The Netherlands. For more
information: http://www.ethicsandtechnology.eu

Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India.
For more information: http://www.intgovforum.org

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Support Privacy '08

If you would like more information on Privacy '08, go online and search
for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08.

Start a discussion. Hold a meeting. Be creative. Spread the word. You
can donate online at epic.org. Support the campaign.

Facebook Cause:






------------------------- END EPIC Alert 15.15 -------------------------