
=======================================================================
                              E P I C   A l e r t
=======================================================================
Volume 16.06                                              April 1, 2009
-----------------------------------------------------------------------

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.

                 http://www.epic.org/alert/EPIC_Alert_16.06.html

			"Defend Privacy. Support EPIC."
			     http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Petitions FTC to Investigate Google, Cloud Computing Services
[2] Attorney General Issues New FOIA Guidelines
[3] OECD Welcomes Establishment of CSISAC
[4] Trade Commission Chairman Releases Annual Report
[5] European Parliament Approves Report on Internet Freedoms
[6] News in Brief
[7] EPIC Bookstore: Googling Security
[8] Upcoming Conferences and Events
        - Join EPIC on Facebook http://epic.org/facebook
        - Subscription Information
        - Privacy Policy
        - About EPIC
        - Donate to EPIC http://epic.org/donate

=======================================================================
[1] EPIC Petitions FTC to Investigate Google, Cloud Computing Services
=======================================================================

On March 17, 2009, EPIC filed a complaint with the Federal Trade
Commission, urging the federal agency to investigate Google's Cloud
Computing Services -- including Gmail, Google Docs, and Picasa -- to
determine "the adequacy of the [service's] privacy and security
safeguards." The complaint follows a recent report of a breach of
Google Docs. EPIC observed that Google repeatedly assures consumers that
Google Cloud Computing Services store user-generated data securely.
However, the Google Docs data breach exposed user-generated documents
to users of the service who lacked permission to view the files. EPIC
urged the Commission to take "such measures as are necessary" to ensure
the safety and security of information submitted to Google.

On March 18, 2009, the FTC responded to EPIC's complaint. The
Commission will review EPIC's description of Google's unfair and
deceptive business practices concerning the firm's Cloud Computing
Services. EPIC's complaint "raises a number of concerns about the
privacy and security of information collected from consumers online,"
the agency said. On March 26, 2009, security consultants revealed
additional security flaws in Google Docs. The flaws permit unauthorized
individuals to access user-generated Google Docs content.

EPIC cited the growing dependence of American consumers, businesses,
and federal agencies on cloud computing services. Studies estimate that
69 percent of Americans use webmail services, store data online, or
otherwise use cloud computing software programs, whose functionality is
located on the web. According to the Pew Internet and American Life
Project, an overwhelming majority of cloud users express serious
concern about the possibility that a service provider would disclose
their data to others. Approximately three-quarters of senior IT
executives said that security is the biggest challenge for the cloud
computing model.

The Google Docs breach is only one example of known security flaws
involving Google's Cloud Computing Services. In January 2005,
researchers identified several security flaws in Google's Gmail
service. The flaws allowed theft of usernames and passwords for the
Google Accounts centralized log-in service and enabled outsiders to
access users' email. In December 2005, researchers discovered a
vulnerability in Google Desktop and the Internet Explorer web browser
that exposed Google users' personal data to malicious internet sites.
In January 2007, security experts identified another security flaw
in Google Desktop. The vulnerability could enable malicious
individuals to achieve remote, persistent access to sensitive data,
or gain full control of the system.

Previous EPIC complaints to the FTC led the Commission to order
Microsoft to revise the security standards for Passport and to
require databroker Choicepoint to change its business practices and
pay $15 million in fines. On July 26, 2001, EPIC and twelve
organizations submitted an FTC complaint detailing the serious privacy risks of
Microsoft Windows XP and Microsoft Passport. The complaint alleged
that Microsoft "has engaged, and is engaging, in unfair and deceptive
trade practices intended to profile, track, and monitor millions of
Internet users" in violation of federal law. Approximately one year
later, the FTC announced a settlement in its privacy enforcement
action against Microsoft. The settlement required that Microsoft
establish a comprehensive information security program for Passport,
and prohibited any misrepresentation of its practices regarding
information collection and usage. In December 2004, EPIC filed a
complaint with the Federal Trade Commission against ChoicePoint,
alleging that Choicepoint failed to safeguard sensitive consumer
data. In January 2006, the FTC announced a settlement with the
databroker, requiring Choicepoint to pay $10 million in civil
penalties and provide $5 million for consumer redress. It is the
largest civil penalty in FTC history.

EPIC Complaint to the FTC Concerning Google and
Cloud Computing Services:
     http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf

FTC Letter Concerning Review of EPIC Complaint:
     http://epic.org/privacy/cloudcomputing/google/031809_ftc_ltr.pdf

EPIC's "In re Google and Cloud Computing" page:
     http://epic.org/privacy/cloudcomputing/google/

EPIC's Cloud Computing page:
     http://epic.org/privacy/cloudcomputing/default.html 


=======================================================================
[2] Attorney General Issues New FOIA Guidelines
=======================================================================

The Attorney General issued new Freedom of Information guidelines
pursuant to President Obama's memorandum directing all executive branch
departments and agencies to maintain a presumption of openness in
releasing information requested from them and take affirmative steps to
make information public. In the memorandum, the Attorney General
strongly encouraged agencies to make discretionary disclosures of
information to the fullest extent possible taking reasonable steps to
segregate and release nonexempt information.

Rescinding the FOIA Memorandum of October 12, 2001, the Attorney
General stated that the Justice Department would defend a FOIA request
only if the agency reasonably foresees that the disclosure would harm
a statutorily protected interest or the disclosure was prohibited by
law. The directive also declared that Justice Department lawyers should
consult the guidance with regard to pending litigation when there is a
substantial likelihood that application of the guidance would result in
a material disclosure of additional information.

Instructing each agency to be fully accountable for its administration
of the FOIA, the head of the Department of Justice and chief law
enforcement officer of the Federal Government noted that everyone must
do their part to ensure open government and must address the key roles
played by a broad spectrum of agency personnel who work with agency
FOIA professionals in responding to requests. The memorandum also
clarified that each agency is required by law to designate a senior
official who has direct responsibility for efficient operations and
appropriate FOIA compliance and such official was to recommend
adjustments to agency practices, personnel, and funding as necessary.
Urging agencies to be mindful of their obligation to work "in a spirit
of cooperation," the Attorney General echoed the Presidential
proclamation of removing unnecessary bureaucratic hurdles in the "new
era of open Government."

The executive missive instructed agencies to readily and systematically
post information online before any actual public requests were made.
Pursuant to the OPEN Government Act of 2007, the agencies would be
required to assign individualized tracking numbers to requests taking
more than ten days to process and enable the electronic tracking of
status with up-to-date information. The Chief FOIA officer of
each agency is also charged with reviewing the FOIA administration and
is to report annually to the Justice Department the measures taken to
improve operations and facilitate disclosure of information. 

The new guidelines were issued during Sunshine Week, which is a
national initiative to open a dialogue about the importance of open
government and freedom of information.

Attorney General Issues New FOIA Guidelines to Favor Disclosure and
Transparency:
     http://www.usdoj.gov/opa/pr/2009/March/09-ag-253.html

Memorandum for Heads of Executive Departments and Agencies:
     http://www.usdoj.gov/ag/foia-memo-march2009.pdf

Presidential Memorandum of January 21, 2009 - FOIA:
     http://edocket.access.gpo.gov/2009/pdf/E9-1773.pdf

USDOJ OIP Guidance: Assigning Tracking Numbers and Providing Status
Information for Requests:
     http://www.usdoj.gov/oip/foiapost/2008foiapost30.htm

Attorney General FOIA Memorandum, October 12, 2009:
     http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm

Sunshine week:
     http://www.sunshineweek.org

EPIC's Page on Open Government:
     http://epic.org/open_gov/ 


=======================================================================
[3] OECD Welcomes Establishment of CSISAC
=======================================================================

The Organization for Economic Co-operation and Development welcomed the
establishment of the Civil Society Information Society Advisory Council
in the Committee for Information Computer and Communications Policy
work through a multi-stakeholder cooperation approach. This follows up
on a decision by the OECD Council to add Civil Society and the Internet
Technical Community to the list of key non-governmental stakeholders in
the ICCP's terms of reference, joining business and trade unions.

Similar in type and function to the Business Industry Advisory
Committee for industry and the Trade Union Advisory Committee for trade
unions, the Civil Society Information Society Advisory Council has been
established to facilitate participation of Civil Society Participants
in the OECD-ICCP Committee.

This proposal followed many years of effort by civil society
organizations at the OECD which was first highlighted in the OECD's
Ottawa ministerial conference on electronic commerce 10 years ago,
affirmed in venues like the World Summit on the Information Society,
and requested by civil society participants of The Public Voice
Coalition in the 1998 Civil Society Declaration in Ottawa as well as in
its 2008 Seoul Declaration.

"This is an enormous achievement, the culmination of a ten-year effort
to formalize civil society participation on Internet policy work at the
OECD," Marc Rotenberg, EPIC Executive Director said. A framework to
govern the participation of civil society in OECD-ICCP work and that of
its working parties was approved in the 57th OECD-ICCP held at Paris on
March 11-13, 2009.

Civil society participants of The Public Voice Coalition worked
together to adopt a formal consensus charter for participation at the
OECD-ICCP Committee through the recently established CSISAC. The CSISAC
charter creates a Membership, a Steering Committee, and a Liaison, as
well as making clear the goals of civil society participation at the
OECD-ICCP. An interim Liaison is provided by EPIC's The Public Voice
Project for 2009-2010 and is serving as the initial point of contact
with the OECD and is also responsible for facilitating CSISAC
participation.

The main CSISAC purposes are:

- Engage in constructive input and dialogue with the OECD Committee
  for Information, Computer and Communications Policy (ICCP) about
  policy issues of interest to civil society;
- Pursue the agenda set out in the Civil Society Seoul Declaration
  of 2008;
- Report to civil society organizations about the OECD publications,
  events, and policy recommendations of interest to civil society;
- Identify and publicize opportunities for participation by civil
  society organizations in the work of the OECD;
- Maintain appropriate communications tools (e.g. content management
  system, mailing list, social network platform) that highlight key
  OECD-ICCP developments of interest to civil society and facilitate
  broader civil society participation; and
- Report on an annual basis the accomplishments of the past year and
  the goals for the next year.


Civil Society Information Society Advisory Council (CSISAC):
     http://www.csisac.org 

The CSISAC Charter:
     http://thepublicvoice.org/documents/CSISAC-Final.pdf

The OECD Civil Society Seoul Declaration:
     http://thepublicvoice.org/events/seoul08/seoul-declaration.pdf

Principles for the Participation of Non-governmental Stakeholders
in the Work of the ICCP Committee and its Working Parties:
     http://www.oecd.org/dataoecd/38/34/42399492.pdf

Resolution of the OECD Council regarding ICCP's Term of Reference:
     http://epic.org/redirect/040109_OECD_ICCP_terms.html

OECD, "The Future of the Internet Economy OECD Ministerial Meeting,"
June 17-18, 2008, Seoul, South Korea:
     http://www.oecd.org/FutureInternet

"Closing remarks by Angel Gurría, OECD Ministerial Meeting on the
Future of the Internet Economy," June 18, 2008:
     http://epic.org/redirect/112008_OECD_MM_closeremarks.html 

OECD: "The Public Voice in the Development of Internet Policy"
(Ottawa 1998):
     http://gilc.org/events/ottawa98/



=======================================================================
[4] Trade Commission Chairman Releases Annual Report
=======================================================================

The Chairman of the Federal Trade Commission issued the FTC Annual
Report for the year 2009. The report describes the agency's competition
and consumer protection accomplishments over the past year. The report
also stated that data security and the protection of consumer privacy
remained a central focus of FTC's consumer protection goals. The report
further highlighted that although new technologies provided benefits to
consumers, the developments posed new threats to sensitive consumer
data and the security of personal computers and email.

The Federal Trade Commission brought actions challenging inadequate
data security practices by companies that handle sensitive consumer
data. The Commission announced a settlement with TJX after an intruder
exploited security loopholes to gain unauthorized access and obtain
credit card information as well as personal information of
approximately 455,000 consumers. The Commission had also settled
with Reed Elsevier with respect to data security breaches. Due
to security failures, identity thieves obtained access to sensitive
information concerning at least 316,000 consumers which was
subsequently used to activate credit cards and open new accounts.
EPIC had filed comments with the FTC urging the Commission to include
civil penalties in the settlements. EPIC wrote that civil penalties are
necessary to provide incentives for companies to safeguard personal
data. EPIC had also noted that the FTC imposed $10 million in civil
penalties in the Choicepoint case. The final agreements imposed
security and audit responsibilities, but no financial penalties. The
FTC also reached a settlement agreement with CVS Caremark when it left
information in unsecured dumpsters in locations across the country.

The report elaborated that complaints collected by the FTC are entered
into a secure, online database within the Commission's Consumer
Sentinel Network. The agency shares the information with law
enforcement officials to spot trends quickly, target the serious
illegal practices and coordinate law enforcement efforts. The FTC, the
U.S. Secret Service, and the Justice Department have provided local
and state law enforcement officers with tools to assist victims of
identity theft, investigate the crime and work with local prosecutors.
The report identifies identity theft as the top consumer complaint
in 2008, at 26% and 313,982 complaints.

The Trade Commission published several studies and reports which
included a report on social security numbers and identity theft
recommending measures to help prevent identity theft using SSNs.
Another study focused on online behavioral advertising principles in
which the staff recommended four self-regulatory principles for online
behavioral advertising. A report was also published on the protection
of customers in the face of emerging technologies in the next 10 years.

Hearings and workshops held to address consumer concerns and privacy
included a roundtable discussion on phishing; best practices for
protecting personal information; privacy and security issues associated
with RFID applications. A report on identity theft was published by the
President's Identity Theft Task Force which was led by the Attorney
General and the FTC Chairman and discussed expansion of the Task
Force's existing data security and identity theft business and consumer
education campaign; improving consumer authentication mechanisms; and
launching of new initiatives to help identity theft victims. The FTC
also testified before the Congress on a number of issues including
behavioral advertising, and spyware and other malware.

Annual Report of the Chairman - Federal Trade Commission (2009):
     http://www.ftc.gov/os/2009/03/2009ftcrptpv.pdf

Chairman Issues Commission's Annual Report at ABA Spring Meeting:
     http://www.ftc.gov/opa/2009/03/annualrpt.shtm

The Federal Trade Commission:
     http://www.ftc.gov/opa/2009/03/annualrpt.shtm

EPIC's Page on Identity Theft:
     http://epic.org/privacy/idtheft/


=======================================================================
[5] European Parliament Approves Report on Internet Freedoms
=======================================================================

The European Parliament adopted with 481 votes a report on Security and
Fundamental Freedoms on the Internet on March 26, 2009. The report is
the first recommendation from the Members of the European Parliament
concerning the fight against cybercrime and preserving the rights of
internet users. The report contained recommendations to the Council by
Stavros Lambrinidis, a Greek Member of the European Parliament.

The adopted text of the report took into account various international
covenants, charters, directives, framework decisions and recent
judgments. The parliamentary approval also took notice of the internet
being used for promoting democratic initiatives and its necessity
in providing a suitable regulatory framework for citizen participation
in e-government; transparency, privacy and trust being an
indispensable part of the internet; enhancement and exposure of freedom
of expression and privacy to intrusions and limitations by both private
and public actors; the increasing problems of identity theft and fraud;
recognition of imposing limitations on the exercise of freedom of
expression and the respect for private life which may be imposed if in
accordance with law, proportionate and appropriate; and the ongoing
process of the "Internet Bill of Rights" to take into account all
relevant research and undertakings in the field.

The Parliament urged Member States to update the law to protect
children using the internet and criminalize grooming. The report also
called on Member States to protect fundamental rights affected by the
internet such as privacy, data protection, freedom of speech and
association, freedom of press, political expression and participation,
non-discrimination and education through the use of existing national,
regional and international law, and to exchange best practices. The
text also took notice of the nature of the internet being open to abuse
with a proliferation for violent messages, hate-based criminal acts,
cybercrime and identity theft. The Parliament called on the Council and
the Commission to develop a comprehensive strategy to combat
cybercrime, identity theft and fraud.

The report also raised the question of consent of internet users when
giving personal information to governments or private entities and the
imbalance of negotiating power between the users and the entities.
The Parliament additionally stressed the importance of internet users
being able to retain the right of permanently deleting their personal
information on any internet site or third party storage medium. A draft
of the report was released in January.


The European Parliament:
     http://www.europarl.europa.eu/parliament.do

Adopted Text:
     http://epic.org/linkedfiles/EuroParl032609.pdf

Press Release:
     http://epic.org/redirect/040109_EU_Parl_InternetFreedom.html

EPIC's report on Privacy & Human Rights 2006:
     http://www.epic.org/phr06/



=======================================================================
[6] News in Brief
=======================================================================

Cybersecurity Chief Steps Down Warning of Growing NSA Influence

Rod Beckstrom resigned as the Director of the National Cybersecurity
Center, a component of the Department of Homeland Security. In a letter
to Homeland Security Secretary Janet Napolitano, Beckstrom warned of
the increasing role of the National Security Agency in domestic
security. The "intelligence culture is very different than a network
operation or security culture... the threats to our democratic
processes are significant if all top government network and monitoring
are handled by any one organization... we have been unwilling to
subjugate the NCSC under the NSA," wrote the former NCSC Director.
The announcement follows Congressional testimony from the new Director
of National Intelligence that the NSA should be responsible for network
security. Susan Collins, Ranking Member of the Senate Committee on
Homeland Security and Government Affairs asked DHS to send a number of
documents to show how the department spent its $6 million NCSC budget
and provided other means of support for the NCSC. DHS Secretary
Napolitano appointed Philip Reitinger, a Chief Trustworthy
Infrastructure Strategist at Microsoft, to be deputy undersecretary for
the department's National Protection and Programs Directorate, where
he will be responsible for protecting federal computing systems from
domestic and foreign threats. EPIC has long maintained that the NSA,
though it plays a vital role in gathering foreign intelligence, should
not be the lead agency for domestic network security because it also
engages in extensive and unregulated spying.


Rod Beckstrom:
     http://en.wikipedia.org/wiki/Rod_Beckstrom

National Cyber Security Center:
     http://en.wikipedia.org/wiki/National_Cyber_Security_Center

Resignation Letter:
     http://epic.org/linkedfiles/ncsc_directors_resignation1.pdf

DNI Director Congressional Testimony:
     http://www.dni.gov/testimonies/20090225_transcript.pdf

National Protection and Programs Directorate:
     http://www.dhs.gov/xabout/structure/editorial_0794.shtm

Secretary Napolitano Names Philip Reitinger as Deputy Undersecretary
of National Protection & Programs Directorate:
     http://www.dhs.gov/ynews/releases/pr_1236796289008.shtm

Senate Committee on Homeland Security and Government Affairs
Press Release (Ranking Member):
     http://epic.org/redirect/040109_Senate_Homeland_Press.html



World Privacy Forum Publishes Patient's Guide to HIPAA

The World Privacy Forum has prepared a "Patient's Guide" to the Health
Insurance Portability and Accountability Act. The purpose of the
guide is to help health privacy laws work in protecting a patient's
privacy. The guide teaches patients about HIPAA and the "seven basic
rights" - right to inspect and copy one's record; right to request
confidential communications; right to request amendment; right to
receive an accounting of disclosures; right to complain to the
secretary of HHS; and the right to request restrictions on uses
and disclosures. The third part of the guide aims to educate patients
about what should be known regarding uses and disclosures. The guide
also comes with a "sidebar" to offer an illustration, explanation, or
comment.

Patient's Guide to HIPAA: How to Use the Law to Guard
your Health Privacy:
     http://www.worldprivacyforum.org/hipaa/index.html

HIPAA Privacy Rule:
     http://epic.org/redirect/040109_HIPAA_Privacy_Rule.html

World Privacy Forum:
     http://www.worldprivacyforum.org/

Office of Civil Rights, Department of Health and Human Services (HHS):
     http://www.hhs.gov/ocr/hipaa

EPIC's Page on Medical Privacy:
     http://epic.org/privacy/medical



Article 29 Group to Verify Compliance of Data Retention Laws

The Article 29 Working Party will look into telecommunication providers
and Internet Service Providers and ensure compliance with data
retention laws. The legal basis for the investigation is the e-Privacy
Directive 2002/58/EC and the Data Retention Directive 2006/24/EC.
The Working Party expressed the aim of contributing to a more proactive
stance towards EU wide synchronized enforcement as a means of
increasing compliance. The primary aim of the verification is to
analyze whether and how data protection requirements concerning the
type of retained data, security measures and prevention of abuse and
storage limit requirements are adhered to within the telecom sector within
each member state.



Article 29 Working Party:
     http://epic.org/redirect/040109_A29WP.html

Press Release:
     http://epic.org/redirect/040109_A29_DataRetention_PR.htm

Directive 2002/58/EC on data protection and privacy:
     http://epic.org/redirect/091208_eu.html

Directive 2006/24/EC of the European Parliament and of the Council:
     http://epic.org/redirect/022309_Directive200624EC.html

EPIC, Data Retention:
     http://epic.org/privacy/intl/data_retention.html




EC Releases Guide on EU Transborder Data Transfer

The Data Protection Unit of the European Commission has released a
set of Frequently Asked Questions to clarify the EU framework on
transborder data transfer to third countries. In the EU, the Data
Protection Directive usually determines transfer of personal data
which may take place only if the third country in question ensures
an adequate level of protection. However, there are also situations
where the level of protection has not been assessed and determined
but where personal data may nevertheless be transferred to the third
countries.

FAQS relating to Transfers of Personal Data from the EU/EEA to Third
Countries:
     http://epic.org/redirect/040109_EU_IntDataTransfer.html

Council of Europe Privacy Convention:
     http://epic.org/privacy/intl/coeconvention/default.html



Study Finds Most Users Believe Sites Track Behavior

A survey conducted by an advertising provider has revealed that 80
percent of internet users are concerned about privacy. With over 4000
users surveyed, the results indicated that privacy is a significant
concern amongst web users, and the survey also revealed that concern
increased with the age of the respondent. The study also found that
most web users believed that web sites were tracking their behavior
online with three out of five respondents indicating that it was likely
that a web site they visited collected information on how they navigated
and interacted with it. The study also revealed that personal privacy
was not something people were willing to give up for more relevant
advertising.

Burst Media Study Revealed that 80% of Web Users are Concerned About
Privacy Online:
     http://www.burstmedia.com/about/news_display.asp?id=1

Online Privacy Still A Consumer Concern:
     http://www.burstmedia.com/research/current.asp

Respondents Saying it is Likely Web Sites Are Collecting PII and
Non-PII Information:
     http://epic.org/redirect/040109_BurstMedia_Survey.html



=======================================================================
[7] EPIC Bookstore: Googling Security
=======================================================================

"Googling Security: How Much Does Google Know About You?"
by Greg Conti

     http://www.amazon.com/gp/product/0321518667?tag=e03a6-20

"Ah, the simple search box. Over the course of our lives, we pour
our successes, failures, hopes, dreams, and life events, both
significant and minor, into a small text field and turn our
destinies over to Google in hopes of finding the answers we seek.
. . . it is almost as if the users are communicating with God."

- Greg Conti


If you want to learn more about the privacy risks of Google's many
"free" services, what should you do? One answer is to read the
Google privacy policies. A second answer is to watch the Google
videos on YouTube (a Google company). The best answer is to read
Greg Conti's "Googling Security," a clever, informative, and important
overview of the many ways that Google now captures your data
and the increasing risks that result.

Conti makes clear at the beginning that he is impressed by
the technology wizardry that serves up search results, email
service, mapping and just about everything else that most people do
online. Of course, privacy and security concerns have long dogged
Google. But rather than careening off into the too frequent discussion
about whether Google is/could become "evil," he looks closely at how
these various services operate -- what data is collected, how it is
used, who has access, and what the risks might be. And it is not a
pretty picture.

As Conti makes clear, Google services are not really free. "You pay
big time with the personal information you provide." And few
consumers have any idea about the true extent of Google's data
collection activities. Even the fact that search histories are
saved is surprising to most users, according to one recent poll. But
the privacy risks of the web, taken as a whole, are much more
extensive. As Conti explains, "web browsing isn't a one-to-one
conversation with a single web site. Instead embedded content such
as maps, images, videos, advertisements, web analytics, code, and
social networking widgets immediately disclose each user's visit to
a third party when that user merely views a page in his or her
browser."

Google, far more than any other company, is deeply embedded in
the techniques that make it possible to collect and analyze the
activities of Internet users. And Google's dominance is clearly
growing with increasing market share in the search industry and the
acquisition of Doubleclick. Conti says simply, "Information
disclosure occurs when you use virtually any online tool but is
significantly more risky when a single company offers many
services." Of course, much of Google's attraction is ease of use.
"Counterintuitively, the more easy-to-use these services are, the
more information you are enticed to disclose, and hence the greater
the information disclosure risk." Large amounts of free online
storage present another risk by encouraging users to keep
information online that they might otherwise simply delete.

Conti's warning applies broadly to cloud computing, the network model
strongly favored by Google. As he explains, "By placing applications
and their data files on centralized servers, we lose control of our
data. Critical information that was once safely stored on our personal
computers now resides on the servers of online companies."

Although Google makes information widely available and is seen as
promoting transparency, the information that users get from Google is
not what Google can get from Google. Google has access to much more
data and more powerful search techniques. "The publicly accessible
face of Google provides only a small fraction of its capabilities to
end users when compared to the internal capabilities of Google,"
Conti writes. And he warns that advances in data mining and artificial
intelligence will simply magnify the threat, under the guise of
improving the user experience.

But Conti is also funny and tosses in a few clever lines. He writes
that cookies are "like the tracking darts scientists shoot into wild
animals on nature documentaries." The line is even better when you
realize that DART also refers to the tracking technique of
Doubleclick, the online advertiser that Google acquired last year.
Of course, the scientist's dart is easily removed. Google's
persistent identifier constantly reattaches itself to Internet users.

Conti's chapter on "Countermeasures" describes a whole bunch of
techniques to limit Google's data profiling prowess. But even he
concedes this is a losing campaign - "If you attempt to use all the
techniques presented in this chapter, you will create a nearly
intolerable web-browsing experience." There is the whack-a-mole
strategy that has users turning on and off certain features based on
need, but even that seems unlikely to succeed. Identifying anonymous
Internet users becomes easy over time, "often a very short period of
time," thanks to the steady stream of search and web site visit data.
And all the cookie deletion and anonymizing techniques fail once you
have a Google account.

Conti gets that, too, and proposes advocacy and legislative strategies
to help get to some of the larger problems. His book stops short of a
draft Internet Privacy Act, but he offers a nice segue from real
problems and proposed solutions to a policy debate that could leave
users with more time to use the web and less time worrying about
privacy settings.

It is always tempting when discussing criticisms of Google to add a
line like, "and other companies." In fact, this is what the Google
PR folks routinely tell journalists when the news stories turn to
privacy concerns. But Google really is different. No other company
collects as much data on Internet users as Google. No other company
controls more Internet-based applications than Google. No other
company plays a more dominant role in Internet policy than Google.
And no other company is likely to play a greater role shaping the
future of the Internet than Google.

Perhaps then this is a good time to move beyond the "is Google
evil?" debate and begin to ask some tough questions about what
Google is doing with all of this information and what the risks
really are. Greg Conti's Googling Security is the right place to
start.

- Marc Rotenberg


================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/
	
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, Privacy Act, Federal Advisory Committee
Act, and Government in the Sunshine Act. The fully updated 2008
volume is the 24th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes


=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

"Toward a Legal Framework for Identity Management"
Oxford Internet Institute, Oxford, England, April 2-3, 2009.
For more information, http://www.oii.ox.ac.uk/


"2nd Privacy OS Conference," MediaCentre, Berlin, Germany, April 1-3,
2009. For more information, http://www.privacyos.eu


"THE FUTURE OF PRIVACY: What's Next?" - a one day seminar.
April 28, 2009, Cartier Suites Hotel, 180 Cooper Street,
Ottawa, Canada. For more information,
http://www.rileyis.com/seminars/

2009 FTC Workshop: Best Practices for Business: Protecting
Personal Information and Fighting Fraud with the Red Flags Rule:
Pope Auditorium, Lincoln Center Campus, Fordham School of Law's
Center for Law and Information Policy, 113 West 60th Street,
New York, NY 10023. For more information,
http://www.ftc.gov/bcp/workshops/infosecurity/index.shtml

"2nd Annual Research Symposium for the Identity, Privacy and
Security Initiative," May 6, 2009, University of Toronto.
For more information, http://www.ipsi.utoronto.ca/site4.aspx


IEEE Symposium on Security and Privacy, May 17-20, 2009,
The Claremont Resort, Oakland, California. For more information,
http://oakland09.cs.virginia.edu/


Web 2.0 Security & Privacy 2009, Thursday, May 21,
The Claremont Resort, Oakland, California. For more information,
http://w2spconf.com/2009/


Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,
http://www.cfp2009.org/wiki/index.php/Main_Page


"The Transformation of Privacy Policy," Institutions, Markets
Technology Institute for Advanced Studies (IMT) Lucca, Italy, July 2-4,
2009.



=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.


=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert


The EPIC Alert displays best in a fixed-width font, such as Courier.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."


=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.



------------------------- END EPIC Alert 16.06-------------------------
