=======================================================================
E P I C   A l e r t
=======================================================================
Volume 16.09                                               May 15, 2009
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/EPIC_Alert_16.09.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards
Cosmos Club, Washington, DC
June 9, 2009

EPIC@15 Invitation: http://www.epic.org/epic15/invite.pdf
Your Reply: http://epic.org/epic15/reply.pdf
Register (or donate to EPIC@15): http://epic.org/register
=======================================================================
Table of Contents
=======================================================================
[1] "Identity Theft Law Applies Only to Intentional Impersonation"
[2] FOIA Documents Sought on Government Social Networking Agreements
[3] EPIC Urges Greater Accountability for Network Surveillance
[4] EPIC Testifies Before Congress on Data Breach Bill, Urges Changes
[5] Report Finds Failure and Delay in Watchlist Name Removal
[6] News in Brief
[7] EPIC Bookstore: "Identity in the Age of Cloud Computing"
[8] Upcoming Conferences and Events
     - Join EPIC on Facebook http://epic.org/facebook
     - Privacy Policy
     - About EPIC
     - Donate to EPIC http://epic.org/donate
     - Subscription Information

=======================================================================
[1] "Identity Theft Law Applies Only to Intentional Impersonation"
=======================================================================

On May 4, 2009, the Supreme Court held that, to convict a person under the federal "aggravated identity theft" law, the government must prove that a defendant knew the identification numbers at issue belonged to another person.
The decision means that individuals who provide inaccurate ID numbers, but don't intentionally impersonate others, cannot be subject to enhanced criminal punishments under federal law. EPIC filed an amicus brief in the case, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft," and warning that an adverse decision "threaten[ed] to impose aggravated identity theft penalties on individuals who present inaccurate credentials in an effort to protect their privacy through pseudonymous or anonymous activities."

The Supreme Court ruled that "ordinary English usage" supports its reading of the ID theft statute, and observed that the government's proposed contrary interpretation "leads to exceedingly odd results."

In Flores-Figueroa v. United States, the Court was asked to determine whether individuals who proffer identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsher punishments under federal law.

On December 19, 2008, EPIC filed a "friend of the court" brief in the case, urging the Supreme Court to protect anonymous and pseudonymous activities by ruling that unintentional use of another person's ID number does not constitute "identity theft" under federal law. The brief was filed on behalf of 17 legal scholars and technical experts. EPIC explained that anonymous and pseudonymous behavior is a cornerstone of privacy protection in the identity management field. The brief urges the Court to not "set a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful."

The EPIC amicus brief stated that the term "identity theft" "has a specific meaning among technologists, academics, security professionals, and other experts in the field of identity management." "Identity theft" refers to the knowing impersonation of one person by another. "The unknowing use of inaccurate credentials does not constitute identity theft," amici argued. The EPIC brief explains that precise use of technical concepts is crucial, particularly in a case that could have imposed enhanced criminal identity theft penalties on a person who presented an identity document that contained his own name, but an inaccurate ID number.

The EPIC brief details the importance of anonymous and pseudonymous credentials in identity management systems, and explains how an adverse decision in this case "threatens to impose aggravated identity theft penalties on individuals who present inaccurate credentials in an effort to protect their privacy through pseudonymous or anonymous activities." EPIC also described the long and distinguished history of pseudonymous activity, from the American founders' pseudonymous advocacy for liberty through Mary Ann Evans' "George Eliot" nom de plume and the U.S. government's issuance of pseudonymous credentials to enrollees in the Department of Justice's Witness Protection Program.

In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft" under the Identity Theft Penalty Enhancement Act. Flores-Figueroa maintained that he did not commit identity theft when he used an identity document with his real name and an identity number that was not his to maintain employment. Federal law provides for enhanced penalties when a person "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person." Flores-Figueroa identified himself by his real name to his employer, but provided a false Social Security Number and false Permanent Resident Number. Both ID numbers were issued to someone else, but neither person shared Flores-Figueroa's name, and the government presented no evidence that Flores-Figueroa knew that the ID numbers were assigned to real people.
The case resolved whether a person can be convicted of aggravated identity theft if he does not "knowingly" use an ID number assigned to "another person."

EPIC has advocated for strong protections against identity theft, and opposed burdensome ID requirements. In 2008, EPIC encouraged federal regulators to impose monetary penalties on companies that exposed their customers' data to criminals. In addition, EPIC has long supported the right of individuals to preserve their anonymity, particularly in the face of ever more intrusive government identification requirements.

Supreme Court Opinion in Flores-Figueroa v. United States:
     http://www.supremecourtus.gov/opinions/08pdf/08-108.pdf

"Friend-of-the-court," Brief by EPIC, Legal Scholars, Technical Experts, and Privacy and Civil Liberty Groups (Dec. 19, 2008):
     http://epic.org/privacy/flores-figueroa/121908_brief.pdf

US Supreme Court Docket page for Flores-Figueroa v. United States:
     http://www.supremecourtus.gov/docket/08-108.htm

EPIC's Flores-Figueroa v. United States page:
     http://epic.org/privacy/flores-figueroa/

EPIC's Identity Theft Page:
     http://epic.org/privacy/idtheft/

EPIC's Support for Constitutional Right to Anonymity in Watchtower Bible v. Stratton:
     http://epic.org/free_speech/watchtower.html

Petitioner's Brief for Supreme Court Review in Flores-Figueroa v. United States:
     http://epic.org/privacy/flores-figueroa/pet_amicus.pdf

The Government's Brief Regarding Supreme Court Review in Flores-Figueroa v.
United States:
     http://epic.org/privacy/flores-figueroa/gov_amicus.pdf

=======================================================================
[2] FOIA Documents Sought on Government Social Networking Agreements
=======================================================================

EPIC submitted a Freedom of Information Act request to the General Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook.

News reports in March and April of 2009 stated that the GSA signed agreements with social networking and cloud computing service providers on behalf of federal government agencies. The reports revealed that several government agencies had been seeking arrangements with Internet service providers, but companies were reluctant to negotiate separate agreements with each agency. Further, it was reported that the government wanted to address three areas of concern: liability limitations, endorsements, and freedom of information requests.

The GSA leverages the buying power of the federal government to acquire goods and services. The agency has the power to negotiate government-wide contracts and agreements with manufacturers and service providers. EPIC is seeking disclosure of these agreements, which have not been made public.

Social networking applications make it easy for users to share information about themselves with others. Many online services relay information about online associations as users create new relationships. While government agencies may use social networking, cloud computing, and Internet services to create greater transparency on their activities, it remains unclear if there are data collection, use, and sharing limitations.
In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens.

EPIC's Freedom of Information Request:
     http://epic.org/privacy/socialnet/gsa_foia_4-30-09.pdf

U.S. General Services Administration:
     http://gsa.gov

Social Networking Privacy, EPIC:
     http://epic.org/privacy/socialnet/default.html

"GSA signs agreements with Web 2.0 providers," Doug Beizer, Federal Computer Week, March 25, 2009:
     http://fcw.com/articles/2009/03/25/web?gsaagreement.Aspx

"GSA signs agreement with Facebook," Doug Beizer, Federal Computer Week, April 10, 2009:
     http://fcw.com/articles/2009/04/10/web?facebook?gsa.aspx

=======================================================================
[3] EPIC Urges Greater Accountability for Network Surveillance
=======================================================================

EPIC asked Senator Patrick Leahy to investigate the Department of Justice's failure to make public statistics detailing the federal use of "pen registers" and "trap and trace" devices by requiring the DOJ to submit the annual pen register reports to the Administrative Office of U.S. Courts.

The Omnibus Crime Control and Safe Streets Act of 1968 requires the Administrative Office of the United States Courts to report to Congress the number and nature of federal and state applications for orders authorizing or approving wiretaps. The statute requires that specific information be provided to the court agency, including the offenses under investigation, the location of the intercept, the cost of the surveillance, and the number of arrests, trials, and convictions that directly result from the surveillance. The Administrative Office has a proven track record of reliably collecting information and publicly disseminating statistics regarding such wiretap orders.
Although law enforcement agents are not required to obtain search warrants before using pen registers or trap and trace devices, the Electronic Communications Privacy Act of 1986 requires the Attorney General to "annually report to Congress on the number of pen register orders, and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice." Complying with public reporting requirements is critical to ensuring transparency and ensuring Congressional oversight.

Law enforcement agencies use pen registers and trap and trace devices to conduct covert surveillance. Pen registers record outgoing non-content information regarding telephone calls and Internet communications. Non-content information includes telephone numbers dialed and the length of calls, as well as the identities of an email message's sender and recipient. Trap and trace devices capture the same information concerning incoming communications.

Between 1999 and 2003, the Department of Justice failed to comply with this requirement. The report provided failed to include all of the information that the Pen Register Act required to be shared with lawmakers and did not include information regarding the offenses for which the pen register and trap and trace orders were obtained. Further, the DOJ has failed to provide annual pen register reports to Congress since 2004. EPIC stated that such "failure would demonstrate ongoing, repeated breaches of the DOJ's statutory obligations to inform the public and the Congress about the use of electronic surveillance authority."

EPIC also called attention to the accuracy of the pen register reports for the period 1999-2003. "Hybrid orders," which are used to determine location information through the use of a suspect's cellular phone, are based on non-content information and therefore should also be included in the DOJ's annual reports to Congress.
Such surveillance had been invoked using a combination of authorities under the Pen Register Act and the Stored Communications Act.

EPIC specifically suggested that the Attorney General make public pen register and trap and trace reports from 2004 through the present, and publicly disclose all future reports as a matter of course. EPIC contended that if such information was made available in web 2.0 compatible formats, it would enable a more extensive analysis and further the President's goal of enabling the use of new technology for a more informed public.

EPIC's letter to Senator Leahy:
     http://epic.org/privacy/wiretap/ltr_pen_trap_leahy_final.pdf

Reporting Requirement on the Use of Pen Registers and Trap and Trace Devices, Section 3126:
     http://www.usdoj.gov/criminal/cybercrime/pentrap3121_3127.htm

Wiretap Applications Decline in 2008:
     http://epic.org/redirect/051509_Wiretap_2008_decline.html

2008 Wiretap Report:
     http://www.uscourts.gov/wiretap08/contents.html

EPIC's Page on Wiretapping:
     http://epic.org/privacy/wiretap/

Title III Electronic Surveillance 1968-2005:
     http://epic.org/privacy/wiretap/stats/wiretap_stats.html

EPIC's Page on Foreign Intelligence Surveillance Act (FISA):
     http://epic.org/privacy/terrorism/fisa/

=======================================================================
[4] EPIC Testifies Before Congress on Data Breach Bill, Urges Changes
=======================================================================

EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act. The proposed statute requires the implementation of policies and procedures regarding information security practices of personal information and regulates the information broker industry. The Act also sets up special requirements for information brokers, which include submission of security policies to the Federal Trade Commission and issuing of breach notifications.
Rotenberg said, "there is a need to make clear fundamental obligations on the companies and organizations that collect and use personal data on consumers and Internet users. It is simply too easy for firms today to capture the benefits of data collection and ignore the risks. In the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." The EPIC Director urged Congress to focus on broad obligations of these companies, to make clear the incentives, and to encourage the development of the best solutions.

The recommendations included the use of text messaging and social networking services to supplement the prescribed methods of email and written notifications. Rotenberg also recommended that the security obligation upon companies should continue to apply even if the information disclosed was "public record" and there was no immediate harm to the individual, as it was likely that the breach would occur again if the problem was left uncorrected. Other suggestions included adopting a broader definition of personally identifiable information to include any information that "identifies or could identify a particular person."

A major issue that arose in the new act was that of preemption and the circumstances under which the federal law would overwrite possibly more effective state information security information. EPIC opposed the preemption of stronger state laws and warned that adopting such a law would be a mistake as security issues are rapidly changing and the states required the ability to respond to emerging issues and "placing all of the authority to respond here in Washington in one agency would be ... a critical failure point."
The EPIC President also urged the Committee to add a private right of action to the bill with a stipulated damage award against a company that might improperly leak personal data, as it would provide a necessary backstop to the envisaged enforcement scheme which relied almost exclusively on the FTC to act on its own discretion and without any form of judicial review. Another problem highlighted in the breach notification mechanism was the measure of discretion given to a company in suspending notice requirements if it decided there was "no reasonable risk of identity theft, fraud, or other unlawful conduct."

Rotenberg concluded the testimony by saying "many companies have poor security practices and collect far more information than they need or can safeguard" and "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences."

Marc Rotenberg - Testimony, May 5, 2009:
     http://epic.org/linkedfiles/rotenberg_house_ctcp2221_1319.pdf

House Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection - Hearings, May 5, 2009:
     http://epic.org/redirect/051509_House_CTCP_0505.html

H.R. 2221, the Data Accountability and Trust Act:
     http://epic.org/redirect/051509_HR2221.html

FTC Page on Identity Theft:
     http://www.ftc.gov/bcp/edu/microsites/idtheft/

EPIC's Page on Identity Theft:
     http://epic.org/privacy/idtheft

=======================================================================
[5] Report Finds Failure and Delay in Watchlist Name Removal
=======================================================================

The Office of the Inspector General at the Department of Justice recently conducted an audit and found that many watchlist nominations were processed in an untimely manner and the FBI had not consistently nominated known or suspected terrorists to the consolidated terrorist watchlist in accordance with FBI policy.
The consolidated terrorist watchlist was created in March 2004 and is managed by the Federal Bureau of Investigation through its supervision of the Terrorist Screening Center. The watchlist is meant to be used by screening personnel at U.S. points of entry and by federal, state, local, and tribal law enforcement officials. As of December 31, 2008, the consolidated terrorist watchlist contained more than 1.1 million known or suspected terrorist identities.

Last year, an audit report that examined the nomination process found that initial watchlist nominations created by FBI field offices often contained inaccuracies or were incomplete, leading to delays in the inclusion of known or suspected terrorists on the watchlist. The audit had determined that the FBI did not consistently update or remove watchlist records when appropriate and FBI field offices had, at times, bypassed some of the FBI's quality control mechanisms by excluding FBI headquarters and submitting watchlist nominations directly to the National Counterterrorism Center.

EPIC testified on cleaning up the nation's watchlists last year, bringing to the attention of the Congress the lack of transparency surrounding the process of removing one's name from the watchlist. EPIC highlighted problems with the security watchlist: first, the databases in the system are not subject to the full safeguards of the Privacy Act of 1974, as the Transportation Security Administration had sought wide-ranging exemptions; and second, the security watchlists on which the system was based are riddled with inaccurate and obsolete data.

EPIC had also criticized the Secure Flight program as it could severely restrict an individual's right to travel. Secure Flight receives passenger and certain non-traveler information, conducts watchlist matching against the consolidated terrorist watchlist, and transmits boarding pass printing instructions back to aircraft operators.
However, relying on a flawed database would restrict legitimate travelers from obtaining a boarding pass.

The OIG report found flaws in the watchlist maintenance even after several reports were published calling attention to the same. The report states that 78 percent of the initial watchlist nominations reviewed were not processed in established FBI timeframes. In other cases, the FBI failed to modify records as necessary, failed to remove subjects' names within designated timeframes, or failed altogether to remove names even in closed cases. The agency also found failure to place appropriate individuals on the watchlist. Additionally, the report found that the FBI did not have a designated process to modify or remove from a watchlist those subjects who were nominated through the use of Information Intelligence Reports based on FBI sources overseas.

The FBI's Terrorist Watchlist Nomination Practices, U.S. Department of Justice, Office of the Inspector General, Audit Division, Audit Report 09-25, May 2009:
     http://www.usdoj.gov/oig/reports/FBI/a0925/final.pdf

Audit of the DOJ Terrorist Watchlist Nomination Processes:
     http://www.usdoj.gov/oig/reports/plus/a0816/final.pdf

EPIC Testimony, "Ensuring America's Security: Cleaning Up the Nation's Watchlists":
     http://epic.org/privacy/airtravel/watchlist_test_090908.pdf

EPIC's page on Secure Flight:
     http://epic.org/privacy/surveillance/spotlight/0807/default.html

EPIC's page on Air Travel Privacy:
     http://epic.org/privacy/airtravel/

EPIC's page on Registered Traveler Card: A Privatized Passenger ID:
     http://epic.org/privacy/surveillance/spotlight/1005/

EPIC's FOIA Note #8:
     http://epic.org/foia_notes/note8.html

=======================================================================
[6] News in Brief
=======================================================================

New Administration Reverses Antitrust Policies, Focuses on Consumers

The head of the Justice Department's antitrust division, Christine A.
Varney, announced a change in the antitrust policies of the new administration. The new policy is aimed at encouraging smaller companies to bring complaints to the Justice Department about possible inappropriate business practices by large companies. Ms. Varney stated, "the current economic challenges raise unique issues for antitrust authorities and private sectors... [a]ntitrust must be among the frontline issues in the Government's broader response to the distressed economy....[t]he Antitrust Division will be ready to take a lead role in this effort." Criticizing the Section 2 Report of the previous administration on various issues, the Antitrust Division Chief withdrew the former policy and said the courts, antitrust practitioners, and the business community could no longer rely on the report as DOJ Policy.

In 2007, EPIC requested the FTC to open an investigation into the proposed acquisition of DoubleClick by Google. In a hearing last year, EPIC President Marc Rotenberg testified before the European Commission urging privacy safeguards and stated that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act and preserve the rights of citizens and to safeguard competition and innovation in the information economy.

Justice Department Withdraws Report on Antitrust Monopoly Law:
     http://www.usdoj.gov/opa/pr/2009/May/09-at-459.html

Christine A. Varney, Assistant Attorney General for Antitrust:
     http://epic.org/redirect/051509_Varney_Antitrust.html

EPIC - Privacy?
Proposed Google/DoubleClick Deal
     http://epic.org/privacy/ftc/google/

CRS Publishes Report on Airport Passenger Screening

A Congressional Research Service report on Airport Passenger Screening stated that policymakers and aviation security planners had not agreed upon a well-defined strategy and plan for evolving airline passenger and baggage screening functions to incorporate new technologies, capabilities, and procedures to detect potential threats to aviation security. The report also states that the whole-body imaging technologies were deployed in an effort to reduce an elevated security risk, while maintaining privacy rights and dignity of passengers identified for secondary screening. However, earlier this year, the TSA announced that the use of these devices would be the default screening method. Last month, Congressman Jason Chaffetz (R-UT) introduced legislation before Congress seeking to ban these devices from being used by the Transportation Security Administration in various airports across America.
Airport Passenger Screening: Background and Issues for Congress, April 23, 2009:
     http://assets.opencrs.com/rpts/R40543_20090423.pdf

Congressman Chaffetz Seeks to Ban Whole-Body Imaging at Airports:
     http://epic.org/redirect/042809_Chaffetz_WBI.html

Joe Sharkey, Whole-Body Scans Pass First Airport Tests, April 6, 2009:
     http://www.nytimes.com/2009/04/07/business/07road.html

Testimony of Secretary Napolitano:
     http://www.dhs.gov/ynews/testimony/testimony_1235577134817.shtm

Spotlight on Surveillance - Plan to X-Ray Travelers Should Be Stripped of Funding:
     http://epic.org/privacy/surveillance/spotlight/0605/

EPIC's Page on Air Travel Privacy:
     http://epic.org/privacy/airtravel/

X-Ray Backscatter Technology and Your Personal Privacy:
     http://www.tsa.gov/research/privacy/backscatter.shtm

TSA's page on Backscatter:
     http://www.tsa.gov/approach/tech/backscatter.shtm

Privacy and Consumer Groups Seek New FTC Commissioner

EPIC joined other privacy and consumer organizations in a letter to President Obama urging the appointment of a pro-consumer Commissioner to the Federal Trade Commission. The groups called for the appointment of someone with a "distinguished record of achievement in consumer affairs, with a demonstrated commitment to protecting the public from all manner of unfair, deceptive, fraudulent, and non-competitive monopolistic/oligopolistic business practices." The Commission has been one person short of its full membership since former Chair Deborah Platt Majoras left the agency last year. The President appointed Jon Leibowitz to serve as the current chair of the FTC.
Letter to President Obama:
     http://epic.org/linkedfiles/Obamaletter042709-1.pdf

EPIC's Page on the Federal Trade Commission:
     http://epic.org/privacy/internet/ftc/

Red Flags Rule Enforcement Postponed Until August

The Federal Trade Commission postponed the enforcement of the "Red Flags" identity theft rule, which requires financial institutions and creditors to maintain identity theft prevention programs that identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. "Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further," FTC Chairman Jon Leibowitz said.

The rules were developed pursuant to the Fair and Accurate Credit Transactions Act of 2003. EPIC had testified before Congress regarding the FACTA, supporting the inclusion of stronger privacy and identity theft protections in the law. "Americans need greater protections to address problems with identity theft, privacy, and inaccuracy," EPIC argued.
FTC Will Grant Three-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs:
     http://www2.ftc.gov/opa/2009/04/redflagsrule.shtm

Letter from the House Committee on Small Business to FTC Chairman Jon Leibowitz:
     http://epic.org/redirect/051509_House_Letter_Leibowitz.html

Federal Register Notice Issuing "Red Flags" ID Theft Rules:
     http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Agencies Issue Final Rules on Identity Theft Red Flags, October 31, 2007:
     http://ftc.gov/opa/2007/10/redflag.shtm

EPIC's Page on Identity Theft:
     http://epic.org/privacy/idtheft

Federal Commission Investigating Cloud Computing Issues

The FTC acknowledged examining privacy issues associated with cloud computing networks in testimony before Congress on a proposed statute, the Data Accountability and Trust Act. In March, EPIC had filed a complaint before the Commission requesting it to open an investigation into Google's Cloud Computing Services to determine "the adequacy of the privacy and security safeguards" following reports of a breach in Google Docs. EPIC had cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and had urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Subsequently, the Commission had agreed to review EPIC's complaint.
FTC Testifies on Data Security, Peer-to-Peer File Sharing:
     http://www.ftc.gov/opa/2009/05/peer2peer.shtm

EPIC's complaint to the FTC:
     http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf

FTC's letter to EPIC:
     http://epic.org/privacy/cloudcomputing/google/031809_ftc_ltr.pdf

In re Google and Cloud Computing:
     http://epic.org/privacy/cloudcomputing/google/default.html

EPIC's Page on Cloud Computing:
     http://epic.org/privacy/cloudcomputing/default.html

MIT Calls for Papers on New Privacy Standards for PII Management

The SENSEable City Lab of the Massachusetts Institute of Technology is launching the Engaging Data Initiative by hosting an international forum on the application and management of personal electronic information. The event includes a series of discussion panels and conferences at MIT and seeks to understand and explore the societal values of data and the influence it has on society by its use. The initiative aims to address issues and questions through invited talks, paper presentations, and panel discussions. The forum strives to serve as a platform to exchange ideas, discuss the latest developments in the field, address significant issues, and create visions for the future. The position papers must be 4-6 pages in length; technical papers must be 6-8 pages in length. For further details, see links below.

Engaging Data:
     http://senseable.mit.edu/engagingdata

Call for papers:
     http://senseable.mit.edu/engagingdata/call_for_papers.html

Registration:
     http://senseable.mit.edu/engagingdata/registration.html

TACD Publishes Resolution on Social Networks:

The Trans Atlantic Consumer Dialogue made a Resolution on Social Networking and made several recommendations directed towards the EU and US governments and social network operators.
The suggestions to the governments included preventing access to social networks from being made contingent on the use of data for marketing purposes, requiring affirmative consent before data use, and limiting the personal information available to applications running on them. The suggestions also declared that social networks must enable a user to delete PII obtained by third party services. Other recommendations included the integration of privacy and security by design, preventing access by search engines by default, and developing common ethical codes for behavioral tracking and advertising online.

In February, EPIC prepared to file a complaint with the FTC against Facebook, which threatened to take ownership of user data. Facebook reverted to its earlier terms of service just before the complaint was about to be filed.

TACD - Resolution on Social Networking, May 2009:
     http://epic.org/redirect/051509_TACD_SocNet_Res.html

EPIC's Page on Social Networking Privacy:
     http://epic.org/privacy/socialnet/default.html

EPIC's Group Page on Facebook:
     http://epic.org/facebook

EU Parliament adopts Harbour Report Amendments on e-Privacy Directive

The European Parliament adopted a large majority of the Harbour Report amendments on the revision of the E-Privacy Directive. The amendments involve mandatory notification of breaches affecting personal data, treating IP addresses as personal data instead of public information, ensuring that the processing of personal information for network security purposes is subject to Directive 95/46, and requiring the informed consent of the user for using cookies or storing information.
Stavros Lambrinidis, Member of the European Parliament, also obtained a formal declaration of the Commission, supporting the position of the Parliament and affirming that legislative reforms and proposals will be defined in order to extend the scope to all personal data inappropriately released, handled, or used by service providers through the medium of an electronic communications service, to all providers of information society services and others.

EU Parliament Press Release: http://www.europarl.europa.eu/news/public/default_en.htm

Press Release, Office of Stavros Lambrinidis: http://epic.org/redirect/051509_StavrosLam_ePriv_PR.html

Stavros Lambrinidis, Socialist Group in the European Parliament: http://epic.org/redirect/051509_StavrosLambrinidis_EuroParl.html

=======================================================================
[7] EPIC Bookstore: "Identity in the Age of Cloud Computing"
=======================================================================

"Identity in the Age of Cloud Computing" by J.D. Lasica
http://tinyurl.com/IACCAI

In the summer of 2008, 28 leaders and experts from the information and communications technology world, financial, government, academic and public policy leaders convened at Aspen, Colorado, to better understand the implications of cloud computing and suggest policies for the betterment of society. Out of these discussions emerged the substance of this report.

As the introduction suggests, the concept of identity is undergoing a radical shift. No longer are recognized offline parameters the sole criteria in defining "the very essence of who we are." Instead, online reputation and digital socialization are the new auras of one's identity. The report presents factual developments in the evolution of cloud computing, the current state of growth, and the factors blowing the cloud forward.
Based on the discussion of the participants, the publication provides a bird's-eye view on the possibilities and the probabilities of things to come. While reading the book, one barely notices the obvious technological advances that have already taken place, but by taking a step back, it is easy to marvel at the full spectrum of developments while trying to fathom the true impact the internet has had on the people, society and human interactions.

Analyzing the changing concept of identity through the prism of cloud computing is no elementary task. In the cloud ecosystem, the control over the smattering of personal information is what defines the boundaries between ensuring identity and losing privacy. And, if the report is to be taken at face value, the commercial development of the cloud is only at its nascent stage with old business models just beginning to face the challenge of the new wave of cloud based commerce. To ensure that a trade thrives in the digital economy, it is imperative that young industries start off with their eyes gazed at the cloud.

The discussions held last year bore ominously true earlier this year. When revised Facebook policies threatened to take user information out of the hands of their owners, the social networking giant faced widespread criticism and public relations damage. Google Docs suffered a security breach and the dangers of security in the cloud computing environment became apparent even to the uninitiated. While the perceived threats of last year may sound like a portentous foreboding this year, the clock keeps ticking on the rate with which we can analyze dangers in cloud computing and commence corrective action.

Overall, the report does a brilliant job at capturing the thoughts of the experts and extracting the essence of the conference. An insightful expedition into the realm of future cloud computing, this publication is a must-read for anyone who desires to sojourn into the inevitable destiny of the internet.
-- Anirban Sen

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, and Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books
http://www.powells.com/bookshelf/epicorg.html

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

IEEE/SP 2009 Symposium on Security and Privacy, "The IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field." Sunday, May 17, 2009 - Thursday, May 21, 2009, Oakland, California. For more information, http://oakland09.cs.virginia.edu/

Web 2.0 Security & Privacy 2009, Thursday, May 21, The Claremont Resort, Oakland, California. For more information, http://w2spconf.com/2009/

Computers, Freedom, and Privacy, 19th Annual Conference, Washington, D.C., June 1-4, 2009. For more information, http://www.cfp2009.org/wiki/index.php/Main_Page

EPIC 15th Anniversary Dinner and the EPIC Champion of Freedom Awards, Cosmos Club, Washington, DC, June 9, 2009. For invitation, see http://www.epic.org/epic15/invite.pdf. Register at http://epic.org/register

IAPP - Practical Privacy Series - "Data Breach," "Data Governance," "Human Resources," and "Information Security and Privacy."
Network Meeting Center at Techmart, Santa Clara, CA. June 17-18. For more information, https://www.privacyassociation.org/index.php

"The Transformation of Privacy Policy," Institutions, Markets Technology Institute for Advanced Studies (IMT) Lucca, Italy, July 2-4, 2009.

Engaging Data: First International Forum on the Application and Management of Personal Electronic Information hosted by SENSEable City Lab, Massachusetts Institute of Technology. For more information, http://senseable.mit.edu/engagingdata

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC.
It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.09 ------------------------