=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 16.15                                            August 12, 2009
-----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_16.15.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Urges Administration to Maintain Cookie Ban, Uphold Privacy
[2] Judge Sotomayor Sworn In as Supreme Court Justice
[3] Data Privacy Legislation Introduced in Congress
[4] Senate Considers National Identification Systems
[5] EPIC Pursues Open Government Requests
[6] News in Brief
[7] EPIC Bookstore: "Privacy Protection and Minority Rights"
[8] Upcoming Conferences and Events

- Join EPIC on Facebook http://facebook.com/epicprivacy
- Privacy Policy
- About EPIC
- Donate to EPIC http://epic.org/donate
- Subscription Information

=======================================================================
[1] EPIC Urges Administration to Maintain Cookie Ban, Uphold Privacy
=======================================================================

EPIC submitted comments to the Office of Management and Budget recommending that the existing ban on the use of cookies at federal government websites be maintained. Such technologies typically use persistent identifiers. A White House policy memorandum of June 2, 1999, on "Privacy Policies on Federal Web Sites," directs agencies to post clear privacy policies on agency principal websites, as well as at any other known, major entry points to sites, and at any web page where substantial amounts of personal information are posted.
The memo states that privacy policies must be clearly labeled and easily accessed when someone visits a web site. The memorandum directs that "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency.

The OMB is now considering a policy change that would implement a three-tiered approach to the use of internet tracking technologies on Federal Government websites. The first tier consists of single-session cookies, which track users over a single session; the second tier uses tracking technology to follow users over multiple sessions to "gather data to analyze Web traffic statistics;" the third tier tracks users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor through the use of persistent identifiers. This change in framework will encourage tracking of users who visit government websites.

EPIC also proposed several safeguards if the new framework on persistent identifiers is ultimately adopted. EPIC's recommendations included not tracking users once they have left the government websites; prohibiting commercialization of information gathered from users; the application of meaningful rules for public participation; promoting open government and protecting privacy; availability of federal agency sponsored cookie data; respecting browser privacy and security settings; and prohibiting web-analytics or publishing the algorithm used.
EPIC also suggested that the OMB publish an annual survey outlining each federal government agency's use of Web tracking technology, reflecting the URLs, cookies, tracking technologies and processes adopted and their intended purpose. The placement of tracking technology for law enforcement, fusion center, or national intelligence purposes must be subject to court oversight and to an annual reporting requirement to the appropriate Congressional oversight committees, EPIC urged.

The OMB had invited public comments on the framework that should govern Federal agency use of web-tracking technology, including appropriate tiers, basic principles of use, the degree of clear and conspicuous notice on each site, and the applicability and scope of such a framework to Federal use of third-party applications or websites.

In May, EPIC submitted comments to the President's Office of Science and Technology Policy and urged the Government not to track users on Government websites. EPIC stated that since President Obama had established a collaboration between executive departments and agencies and the public, tracking individuals who access government information would contradict these goals.
EPIC's Comments to the Office of Management and Budget:
http://epic.org/privacy/cookies/comnts-to-OMB-cookie.pdf

Office of Management and Budget:
http://www.whitehouse.gov/omb/

Federal Register, July 27, 2009: Proposed Revision of the Policy on Web Tracking Technologies for Federal Web Sites:
http://edocket.access.gpo.gov/2009/E9-17756.htm

M-00-13, OMB Memorandum for the Heads of Executive Departments and Agencies:
http://www.whitehouse.gov/omb/memoranda_m03-22/

EPIC's Submission to White House Open Government Initiative - Users Are Not Tracked on Government Sites:
http://opengov.ideascale.com/akira/dtd/3544-4049

Proposed Cookie Policy:
http://blog.ostp.gov/category/cookie-policy/

Office of Science and Technology Policy:
http://www.ostp.gov/

EPIC FOIA Request to the GSA:
http://epic.org/privacy/socialnet/gsa_foia_4-30-09.pdf

EPIC - Cookies:
http://epic.org/privacy/internet/cookies/

=======================================================================
[2] Judge Sotomayor Sworn In as Supreme Court Associate Justice
=======================================================================

Judge Sonia Sotomayor was sworn in as the 111th Justice of the Supreme Court of the United States by Chief Justice John Roberts on August 8, 2009. Earlier, on August 6, 2009, the United States Senate voted 68-31 to confirm Judge Sotomayor as an Associate Justice. On July 28, 2009, the Senate Judiciary Committee had approved the nomination of Judge Sonia Sotomayor, 13-6. The Committee action paved the way for a full Senate vote, and confirmation required only a simple majority of Senators present and voting. The Senate vote was held after the Judiciary Committee delivered a report presenting the views both of committee members supporting and of those opposing the nominee's confirmation. The Senate usually, but not always, has agreed with Judiciary Committee recommendations that a Supreme Court nominee be confirmed.
According to a CRS Report, after the Senate confirms a nomination, the secretary of the Senate usually attests to a resolution of confirmation and transmits it to the White House. In turn, the President signs a "commission," officially appointing the nominee to the Supreme Court. The signed commission is returned to the Justice Department for engraving of the date of appointment, for the signature of the attorney general, and for the placing of the Justice Department seal. The deputy attorney general then sends the commission by registered mail to the appointee, along with the oath of office and a photocopy of the confirmation document from the Senate.

During the closing statement on the nomination hearings, Senator Patrick Leahy thanked the Senators who evaluated the nomination. "I believe that experience, perspective, an understanding of how the world works and people live and the effect decisions will have on the lives of people, are very important qualifications," Senator Leahy said. "By striving for a more diverse bench drawn from judges with a wider set of backgrounds and experiences we can better ensure that there will be no prejudices and biases controlling our courts of justice. All nominees have talked about the value they will draw on the bench from their backgrounds. That diversity of experience is a strength and not a weakness in achieving an impartial judiciary."

During the Judiciary Committee hearing, several Senators asked questions concerning privacy. Judge Sotomayor was queried on the general right to privacy under the Constitution, on Open Government issues, the Foreign Intelligence Surveillance Act, and National Security. Judge Sotomayor has ruled on several cases affecting the Fourth and First Amendments, and on open government issues.
Her opinions have included cases regarding the opening and reading of a prisoner's mail; strip-searches of young girls at juvenile facilities and of adult males in jails; errors in police computer databases; the validity of a warrant based upon lies or questionable facts; child pornography on the internet; the search of a state employee's computer; investigations regarding FBI misconduct; inter-agency documents and tax law administration; gag orders barring the media from publishing jury names; contract formation in cyberspace; and the sale of illegal wiretapping devices. EPIC prepared an extensive page on Judge Sotomayor's views on privacy and other related issues. EPIC also provided running coverage of the nomination hearings and the Committee vote over Twitter at @privacy140 using #sotomayor, #scotus, and #privacy.

Senator Leahy's Closing Statement on the Nomination:
http://leahy.senate.gov/press/200908/080609c.html

The President's Nominee: Judge Sotomayor, The White House Blog Post, May 26, 2009:
http://www.whitehouse.gov/sotomayor/

Supreme Court Appointment Process: Roles of the President, Judiciary Committee, and the Senate (CRS Report for Congress, July 6, 2005):
http://fpc.state.gov/documents/organization/50146.pdf

Testimony of Judge Sonia Sotomayor:
http://epic.org/redirect/072009_Sotomayor_Senate_Testimony.html

Twitter - privacy@140:
http://www.twitter.com/privacy140

Statement of the Honorable Patrick Leahy:
http://epic.org/redirect/072009_Sotomayor_Leahy_Open.html

Rules of Procedure, United States Senate Committee on the Judiciary:
http://judiciary.senate.gov/about/committee-rules.cfm

EPIC - The Nomination of Judge Sotomayor:
http://epic.org/privacy/sotomayor

Transcript of Sotomayor Senate Judiciary Committee Hearing:
http://epic.org/privacy/sotomayor/sotomoyor_transcript.pdf

=======================================================================
[3] Data Privacy Legislation Introduced in Congress
=======================================================================

A new bill, the Personal Data Privacy and Security Act of 2009, has been introduced in Congress. The bill, introduced by Senator Patrick Leahy, intends to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, enhance criminal penalties and law enforcement assistance, and provide protections against security breaches and the fraudulent access to and misuse of personal information. The proposed law defines "personally identifiable information," "sensitive personally identifiable information," and "identity theft victim."

The statute prescribes penalties for knowingly concealing data breaches and provides for the review and amendment of the federal sentencing guidelines related to fraudulent access to or misuse of PII. This section sets forth various requirements that the United States Sentencing Commission is required to consider in its review.

The act mandates that data brokers engaged in interstate commerce adhere to its provisions for any product or service that allows access to or use of sensitive PII. Procedures are outlined for disclosure of collected information to the concerned individuals upon request and in case of adverse actions taken by third parties. Processes for ensuring accuracy and for disputing personal information are also detailed. The bill prescribes civil penalties for data brokers for violations and empowers the Federal Trade Commission to enforce the act against errant data brokers. State Attorneys General may be authorized under State consumer protection laws to bring a civil suit against a data broker for violation of State laws in a district court of the appropriate jurisdiction. However, the PDPSA directs the Attorneys General to provide the FTC with written notice and a copy of the complaint.
Further, the statute preserves the right of the FTC to move to stay the action, intervene in the action, or file petitions for appeal. The act, however, expressly forbids the establishment of a private cause of action against a data broker for a violation.

Title III of the statute states that business entities engaged in interstate commerce that involves the collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information are subject to the requirements of the data privacy and security program outlined in that title. The program directs business entities to comply with the safeguards outlined in the section as well as safeguards identified by the FTC in a rulemaking process. A business entity is, however, deemed to be in compliance with the privacy and security program if it complies with or provides protection equal to industry standards as identified by the FTC. The FTC in turn is precluded from endorsing any regulation requiring the application of any specific technology.

The proposed law also addresses the obligation to issue security breach notifications, the timeframe for such issuance, and delays or exemptions for law enforcement or national security purposes. Other provisions of the bill describe methods of notice, content of notification, notice to law enforcement, and reporting to Congress by the US Secret Service on the number and nature of security breach notification exemptions.

The Personal Data Privacy and Security Act of 2009 also establishes the Office of Federal Identity Protection within the FTC. The Office is charged with assisting consumers with identity theft and all related issues, including addressing the consequences of compromise of PII, accessing remedies, and restoring the accuracy of PII. Similar legislation has been introduced before the Congress twice before.
The version before the 109th Congress (S.1332) did not preclude a private right of action and also preserved State laws with respect to access and use of PII by data brokers.

EPIC has advocated for strong protections against identity theft. In 2008, EPIC encouraged the FTC to impose monetary penalties on companies that exposed their customers' data to criminals. In addition, EPIC has long supported the right of individuals to preserve their anonymity, particularly in the face of ever more intrusive government identification requirements. Earlier this year, EPIC testified before the House Subcommittee on Information Policy, Census and National Archives. EPIC's testimony also pointed out that the loss of control over the credentials that allow individuals to conduct financial transactions and receive medical care poses a different problem than the hazards associated with traditional theft. In other testimony, on the Data Accountability and Trust Act, EPIC opposed the preemption of stronger state laws and warned that adopting such a law would be a mistake because security issues are rapidly changing. EPIC also urged the Committee to add a private right of action to the bill.

Personal Data Privacy and Security Act of 2009:
http://thomas.loc.gov/cgi-bin/query/z?c111:S.1490:

Press Release - Leahy Introduces Cybersecurity Legislation:
http://leahy.senate.gov/press/200907/072209b.html

Personal Data Privacy and Security Act of 2005:
http://thomas.loc.gov/cgi-bin/query/z?c109:S.1332:

EPIC Testimony - House Subcommittee on Information Policy, Census and National Archives:
http://epic.org/privacy/idtheft/epic_idtheft_rotenberg_6-09.pdf

EPIC Testimony - House Subcommittee on Commerce, Trade and Consumer Protection:
http://epic.org/linkedfiles/rotenberg_house_ctcp2221_1319.pdf

H.R. 2221, the Data Accountability and Trust Act:
http://epic.org/redirect/051509_HR2221.html

Federal Trade Commission:
http://www.ftc.gov

EPIC - Identity Theft:
http://epic.org/privacy/idtheft

EPIC - Personal Data and Privacy Protection:
http://epic.org/privacy/consumer/

=======================================================================
[4] Senate Considers National Identification Systems
=======================================================================

The Senate Committee on Homeland Security and Government Affairs held a Business Meeting on July 29, 2009 on the "Providing for Additional Security in States' Identification Act of 2009" (S.1261). The PASS ID Act declares that beginning one year after the final regulations are issued, no federal agency can accept a driver's license or state-issued ID card unless the issuing state is "materially compliant." Material compliance is determined by the Secretary of Homeland Security, based on whether a state has begun to issue PASS ID driver's licenses and state-issued ID cards.

The Committee conducted a mark-up session and approved several substitute amendments on substantive provisions of the underlying bill. The amendments pertained to directing states to provide valid and verifiable birth records. Also discussed at the hearing was the discretion granted to a TSA official to deny an individual the right to board an aircraft if he or she did not have compliant identification. Concerns were expressed that the bill did not provide for a review or an appeal in case of such denials. Sen. Akaka also suggested that the Committee include an amendment requiring the Department of Homeland Security to produce an annual report on the privacy implications of PASS ID. The markup was reported favorably to the Senate.
The PASS ID bill sets a deadline of 6 years after the final rule, after which all federal agencies are prohibited from accepting any non-compliant driver's license or state identification card for any official purpose, which includes boarding an airplane; applying for Social Security benefits; opening a post office box; and entering a federal building. This raises questions regarding the physically challenged, children, poor people, and the elderly who receive benefits from federal government agencies, as each group may have reasons for not holding a federally sanctioned, state-issued identification document. The PASS ID Act does not specify limits on the requirement of an approved identification document to access federal government services or benefits, or to meet with federal employees in official settings.

Another hearing was held by the Subcommittee on Immigration, Border Security and Citizenship of the Senate Judiciary Committee. At the hearing, "Ensuring a Legal Workforce: What Changes Should be Made to Our Current Employment Verification System?", Sen. Charles Schumer proposed the implementation of a "non-forgeable, complete and accurate immigration system" that relies on biometric identifiers and identifies legal employees. Sen. Schumer stated that the biometric card should include fingerprints or enhanced biometric pictures and apply uniformly to all US citizens and non-citizens alike. Sen. Schumer also added that such a system must have extensive checks at its inception to prevent illegal aliens from entering the database. Sen. Cornyn stated that the E-Verify system, although flawed, was headed in the right direction and suggested that the program be given expanded legal authority, additional resources and improvements.

The use of PASS ID and identification cards with biometric data can become a de facto national ID card. National ID cards have long been advocated as a means to enhance national security, unmask potential terrorists, and guard against illegal immigrants.
The REAL ID Act of 2005 created a national identification card. The implementation of the statute posed a number of privacy threats because of document collection, retention, sharing, and use. EPIC and 24 experts in privacy and technology submitted detailed comments to the DHS in May 2007 on the draft regulations explaining the many privacy and security threats raised by the REAL ID Act. "The fundamentally flawed national identification system is unworkable and the REAL ID Act must be repealed," EPIC stated. Further, EPIC and the Privacy Coalition had organized a national campaign against REAL ID implementation. DHS's own Data Privacy and Integrity Advisory Committee has refused to endorse the agency's plan.

National identification systems are established for a variety of reasons. In the past, the fear of insurgence, religious differences, immigration, or political extremism have all too commonly motivated the establishment of ID systems that aim to force undesirables in a State to register with the government, or leave them vulnerable in the open without proper documents. EPIC has urged the alternative model of a system of decentralized identification, which reduces the risks associated with security breaches and the misuse of personal information. Technological innovation can enable the development of context-dependent identifiers, and a decentralized approach to identification is consistent with the commonsense understanding of identification. However, Federal, state, and local government agencies are already engaged in efforts to develop an Information Sharing Environment through the use of Fusion Centers, which seeks to break down barriers to information controlled by all levels of government.
Senate Hearing on Biometrics:
http://judiciary.senate.gov/hearings/hearing.cfm?id=3982

The Senate Committee on Homeland Security and Government Affairs, Business Meeting, July 29, 2009:
http://epic.org/redirect/081209_Senate_DHS_Biomet.html

National Campaign:
http://privacycoalition.org/stoprealid/

Privacy Office - DHS Data Privacy and Integrity Advisory Committee:
http://www.dhs.gov/xinfoshare/committees/editorial_0512.shtm

Comments of the DHS Data Privacy & Integrity Advisory Committee, May 2007:
http://epic.org/privacy/id-cards/dpiac_comm_050707.pdf

EPIC - ID Cards:
http://epic.org/privacy/id-cards/

EPIC's Comments on Minimum Standards for Driver's Licenses and Identification Cards:
http://epic.org/privacy/id-cards/epic_realid_comments.pdf

REAL ID Implementation Review: Few Benefits, Staggering Costs:
http://epic.org/privacy/id-cards/epic_realid_0508.pdf

=======================================================================
[5] EPIC Pursues Open Government Requests
=======================================================================

EPIC, in promoting open government, frequently requests documents under the Freedom of Information Act to obtain information from the government regarding surveillance. Public disclosure of obtained information improves government oversight and keeps the public informed about the activities of the government. EPIC is currently pursuing records to gain more information regarding several government surveillance programs.

On June 25, 2009, EPIC sent FOIA requests to the Department of Homeland Security and the National Security Agency requesting the release of National Security Presidential Directive 54 and the subsequent Comprehensive National Cybersecurity Initiative. It was under the purview of the Directive, issued in 2008, that the intelligence community developed the CNCI to "improve how the federal government protects sensitive information from hackers and nation states trying to break into agency networks."
Although these documents are the foundation of national policies to protect citizens' information held by government agencies, neither document has been released in full to the public. EPIC filed an appeal with both agencies for failing to disclose these records.

EPIC also is pursuing records requests for information regarding the Whole Body Imaging systems being used by the Transportation Security Administration for passenger security screening in airports. This millimeter wave technology produces photo-quality images of travelers as if they were undressed. Although the TSA claims it is not storing images of passengers screened by the system, the scanners are capable of such storage and there is no law that prevents this practice. EPIC filed requests with the TSA, the Department of Defense, and the U.S. Marshals Service. EPIC is seeking information including: the contracts with the companies providing the scanners; materials used for training TSA employees operating the scanners; copies of images produced by the scanners; and other uses of the technology, such as security screening in federal court buildings. No documents have been released, but appeals have been filed with the TSA and the Marshals Service.

EPIC also filed a FOIA request with the Food and Drug Administration, which announced the "Sentinel Initiative" in May 2008. One of the goals of this Initiative is to develop an integrated system, using electronic data from healthcare information holders, to analyze electronic health data in order to identify potential risks concerning medical products that have been approved by the FDA and are available to the public. EPIC is seeking records regarding the FDA's readiness for compliance with statutory privacy protections in the development and use of this extensive database of sensitive personal information.
The FDA has provided some documents regarding the development of the database, but has not responded to the requests specifically seeking information on privacy policies. EPIC filed an appeal with the FDA for the release of this information.

In addition to these requests, EPIC has also filed FOIA requests with the Federal Bureau of Investigation regarding use of the powers granted under the Patriot Act and resulting potential legal violations, and with the Department of Education and the Department of Defense regarding collection of student data for military recruitment purposes. EPIC also is pursuing an appeal under FOIA with the General Services Administration for contracts between the U.S. government and social network service providers.

EPIC - Open Government:
http://epic.org/open_gov/

Freedom of Information Act Gallery:
http://www.epic.org/open_gov/foiagallery/

EPIC's FOIA Litigation Docket:
http://epic.org/privacy/litigation/

FOIA Letter to NSA Seeking Documents on National Cybersecurity Policies:
http://epic.org/open_gov/foia2009/foia-nsa-cybersec.pdf

FOIA Letter to DHS Seeking Documents on National Cybersecurity Policies:
http://epic.org/open_gov/foia2009/foia-dhs-cybersec.pdf

FOIA Appeal to NSA Regarding Documents on National Cybersecurity Policies:
http://epic.org/open_gov/foia2009/foia-appeal-nsa-cybersec.pdf

FOIA Appeal to DHS Regarding Documents on National Cybersecurity Policies:
http://epic.org/open_gov/foia2009/foia-appeal-dhs-cybersec.pdf

EPIC - Whole Body Imaging Technology:
http://epic.org/privacy/airtravel/backscatter/

FOIA Letter to DHS Seeking Documents Regarding Whole Body Imaging (4/14/2009):
http://epic.org/open_gov/foia2009/foia-dhs-wbi-4142009.pdf

FOIA Letter to DHS Seeking Documents Regarding Whole Body Imaging (7/3/2009):
http://epic.org/open_gov/foia2009/foia-dhs-wbi-732009.pdf

FOIA Letter to USMS Seeking Documents Regarding Whole Body Imaging:
http://epic.org/open_gov/foia2009/foia-usms-wbi.pdf

FOIA Letter to DOD Seeking Documents Regarding Whole Body Imaging:
http://epic.org/open_gov/foia2009/foia-dod-wbi.pdf

FOIA Appeal to TSA Regarding the April 14, 2009 Request:
http://epic.org/open_gov/foia2009/foia-appeal-tsa-wbi.pdf

FOIA Appeal to TSA Regarding the July 3, 2009 Request:
http://epic.org/open_gov/foia/foia2009/foia-appeal-tsa-wbi.pdf

FOIA Appeal to USMS:
http://epic.org/open_gov/foia/foia2009/foia-appeal-usms-wbi.pdf

FOIA Letter to FDA Seeking Documents Regarding the Sentinel Initiative:
http://epic.org/open_gov/foia/foia2009/foia-fda-sentinel.pdf

FOIA Appeal to FDA:
http://epic.org/open_gov/foia/foia2009/foia-appeal-fda-sentinel.pdf

=======================================================================
[6] News in Brief
=======================================================================

DHS Outlines Progress in 9/11 Recommendation Report

The Department of Homeland Security has released a progress report on 9-11 Commission Recommendations. The recommendations pertain to guarding against terrorism and ensuring transportation security and border security; increasing "preparedness efforts;" protecting privacy and civil liberties; and improving collaboration and information sharing. The recommendations include developing a risk-based plan for transportation security, airline passenger pre-screening, airline passenger explosive screening, and checked bag screening. Tracking and disrupting terrorist financing, standardizing secure identification, and integrating border security into a larger network of screening points, including the transportation system, are also recommended. The DHS also advised allocating homeland security funds based on risk, improving interoperability of communications at all levels of government, and establishing a unified incident command system. The DHS report also recommended balancing security and civil liberties and safeguarding individual privacy when sharing information.
EPIC had testified before the 9-11 Commission and emphasized the important history of privacy protection, the problems with new systems of surveillance, and the specific need to preserve constitutional checks and balances. EPIC also urged the Commission to consider the important role of public oversight in evaluating the federal government's intelligence-gathering authority, rather than focusing exclusively on Congressional oversight.

Progress in Implementing 9/11 Commission Recommendations:
http://epic.org/redirect/081209_911Comm_Prog_Rpt.html

DHS: Secretary Napolitano and National Security Preparedness Group Discuss DHS Progress in Fulfilling 9/11 Commission Recommendations:
http://www.dhs.gov/ynews/releases/pr_1248455026046.shtm

EPIC - The 9/11 Commission Report:
http://epic.org/privacy/terrorism/911comm.html

The 9/11 Commission Report:
http://epic.org/privacy/terrorism/usapatriot/sec12.pdf

Social Network Privacy Study Reports Serious Concerns

A Cambridge University study covering 45 social networks has reported serious concerns about the extent to which such sites fail to keep users' personal information private. While inaccurate privacy policies and inaccessible guidelines have been reported before, the Cambridge report provides numerical statistics to confirm their scope. The researchers found faults with the amount of personal information required to be handed over, the standards of encryption protocols, default privacy settings, and confusing user interfaces. Testing each site against 260 criteria, the researchers examined features such as log-in procedures and configuration controls. The study concluded that "the naive application of utility maximization theory fails to capture all the intricacies of the market for privacy in social networking."
The report also stated that "a major problem was the lack of accessible information for users, encouraged by the sites' strong incentives to limit privacy salience as part of the privacy communication game: the data suggests that sites may have evolved specifically to communicate differently to users with different levels of privacy concern." Recently, the Canadian Privacy Commissioner held that although Facebook had taken some steps to address privacy, more safeguards were necessary.

The Privacy Jungle: On the Market for Data Protection in Social Networks:
http://epic.org/redirect/081209_SNS_Study_Cambridge.html

Report of Findings into the Complaint Filed by the CIPPIC against Facebook, Inc. under PIPEDA:
http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Article 29 Working Party Opinion on Social Networking Sites:
http://epic.org/privacy/socialnet/Opinion_SNS_090316_Adopted.pdf

EPIC - Facebook Privacy:
http://epic.org/privacy/facebook/

EPIC - Social Networking Privacy:
http://epic.org/privacy/socialnet/

FTC Postpones Red Flags Rule

The Federal Trade Commission has delayed the enforcement of the Red Flags Rule until November 1, 2009 in an effort to give creditors and financial institutions more time to review, develop and implement written Identity Theft Prevention Programs. The Rule was scheduled to come into force on August 1, 2009. The Red Flags Rule requires financial institutions and creditors to maintain identity theft prevention programs that identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. The program was supposed to become effective on November 1, 2008 and was subsequently postponed to May 1, 2009. The FTC decided to further extend the enforcement deadline so as to enable businesses to gain a better understanding of the Rule and any obligations that such businesses may have under it.
The delay in enforcement does not affect other federal agencies'
enforcement of the original November 1, 2008, compliance deadline for
the institutions subject to their oversight. The rules were developed
pursuant to the Fair and Accurate Credit Transactions Act of 2003
(FACTA). EPIC had testified before Congress regarding FACTA, supporting
the inclusion of stronger privacy and identity theft protections in the
law. "Americans need greater protections to address problems with
identity theft, privacy, and inaccuracy," EPIC argued.

FTC Announces Expanded Business Education Campaign on "Red Flags" Rule:
http://www2.ftc.gov/opa/2009/07/redflag.shtm

FTC Red Flags Guide and other documents:
http://www.ftc.gov/redflagsrule

Federal Register Notice Issuing "Red Flags" ID Theft Rules:
http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Agencies Issue Final Rules on Identity Theft Red Flags, October 31,
2007:
http://ftc.gov/opa/2007/10/redflag.shtm

EPIC's Page on Identity Theft:
http://epic.org/privacy/idtheft

Privacy Opposition to Google Books Settlement Grows

Civil liberties organizations are urging Internet users to tell Google
to adopt privacy protections for the Google Book Search Settlement. The
Google service creates a framework that gives the company access to
substantial personal information concerning book buyers, library
patrons, and rightsholders, while placing no meaningful restrictions on
the company's use of the data. A judge in New York will determine later
this year whether to approve the proposed settlement. EPIC has an
extensive page on the settlement that highlights the privacy concerns
readers would face if the settlement is approved in its current form.
EPIC - Google Book Settlement and Privacy:
http://epic.org/privacy/googlebooks

ACLU - Google: Don't Close the Book on Reader Privacy:
http://epic.org/redirect/081209_ACLU_Google_campaign.html

Google Books:
http://books.google.com/

Google Books Settlement:
http://www.googlebooksettlement.com/r/view_settlement_agreement

Bill to Curb SSN Misuse Introduced Before House

A bill to preclude federal, state and local governments from selling or
displaying Social Security Numbers to the general public has been
introduced in the House. Rep. John Tanner (D-Tenn.) introduced the
"Social Security Number Privacy and Identity Theft Prevention Act of
2009" (H.R. 3306), and Rep. Sam Johnson (R-Texas) co-sponsored it. The
bill would amend the Social Security Act to enhance SSN privacy
protections, prevent fraudulent misuse of SSNs, and strengthen
protection against identity theft. The bill also restricts the display
of SSNs on government IDs and tags, and prescribes uniform standards for
the truncation of SSNs. The proposed law also prescribes criminal
penalties for SSN misuse and extends civil monetary penalty authority.
Similar legislation was introduced in the last Congress and, although
approved, was never voted on by the full House.

Social Security Number Privacy and Identity Theft Prevention Act of 2009
(H.R. 3306):
http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.3306:

Social Security Number Privacy and Identity Theft Prevention Act of
2007:
http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.3046:

EPIC - Social Security Numbers:
http://epic.org/privacy/ssn/

EPIC - Identity Theft:
http://epic.org/privacy/idtheft

EPIC - Personal Data and Privacy Protection:
http://epic.org/privacy/consumer/

=======================================================================
[7] EPIC Bookstore: "Privacy Protection and Minority Rights"
=======================================================================

"Privacy Protection and Minority Rights"
Edited by Mate Daniel Szabo
http://www.ekint.org/ekint_files/File/kiadvanyok/privacy_minority.pdf

The protection of a minority group in any country envisages the grant
of protection by the state and, in some cases, preferential selection in
the grant of employment, education, and business from which such a
group has been historically excluded. Conferring such benefits
necessarily begins with identifying members and then granting them
protections. However, according to the editor, the freedom of identity
means that the state does not have power to interfere with the decision
of an individual to affirm or conceal one's ethnic identity or to force
someone to make a declaration to that effect.

This book is a collection of three essays, and the compilation starts
off by educating the readers about the foundation of minority
registration in Hungarian law. Ivan Szekely's article focuses on
affirmative action and data protection. Szekely highlights the conflict
when the realization of one fundamental right conflicts with another -
the ban on compiling registers of minority origin and identities under
data protection laws, on the one hand, is at cross purposes with
fighting the abuses of claiming election seats or a role in distributing
state subsidies, on the other.
As a solution, Szekely endorses the use of a "central registration of
aggregate data" which does not attract data protection laws while
allowing group-level realization of subsidies. The author also suggests
various other solutions, such as the application of unidirectional data
transformation procedures, data dividing, and the application of
privacy-enhancing technologies, and then discusses the consequent
advantages.

The next essay of the book addresses whether ethnic data in Hungary
should be standardized. This article also examines the relationship
between the protection of sensitive data and the free flow of ethnic
data required for the unimpeded provision of additional rights. At the
outset, Balazs Majtenyi and Laszlo Andras Pap point out that people in
need of protection are defined differently in cases of discrimination
than when affirmative measures are at stake. The writers then review
the constitutional background and regulatory environment with regard to
data processing and make suggestions that could be implemented under
Hungarian law. Majtenyi and Pap also suggest that although a
legislative effort may rectify human rights violations, a shift in the
mindset of lawyers would be equally desirable. The authors further call
upon lawmakers and officials to have the courage to create and run a
"genuinely functional system of minority protection."

The final essay of the compilation pertains to identification checks
based on racial or ethnic stereotypes. Written by Kadar, Korner, Moldova
and Toth, this paper cites several reports which show that Roma - the
minority community of Hungary - had a much lesser chance of avoiding
liability if caught during the commission of a crime. The essay goes on
to describe the "Strategies for Effective Police Stop and Searches," the
proportion of ID checks in relation to the population, and their
effectiveness.
Pointing out the ethnic disproportionality in the "ID-checked"
population, the researchers conclude that ethnic profiling by police
officers is a problem that must be acknowledged. The authors suggest
amending the Police Act, institutionalizing the relationship between
local communities and the police, and training police officers.

While the book pertains to privacy protection and honoring minority
rights in Hungary, it is equally applicable in a more macrocosmic sense.
Virtually every country in the world has a minority population that is
targeted by another group - be it the majority or a state-backed
authority. These groups always end up suffering some sort of
discrimination or another. Some suggestions contained in this book would
indeed be helpful to anyone looking to understand human rights
violations and offer possible remedies, and the book is certainly worth
a read for human rights activists and lawmakers alike.

-- Anirban Sen

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC
2008). Price: $60.
http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access laws.
This updated version includes new material regarding the substantial
FOIA amendments enacted on December 31, 2007. Many of the recent
amendments are effective as of December 31, 2008. The standard reference
work includes in-depth analysis of litigation under the Freedom of
Information Act, the Privacy Act, the Federal Advisory Committee Act,
and the Government in the Sunshine Act. The fully updated 2008 volume is
the 24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).
Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.
================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Pan-European Dialogue on Internet Governance (EuroDIG), Geneva,
Switzerland, September 14-15, 2009.
For more information, http://www.eurodig.org/

ASAP FOIA/Privacy Act Workshop, Chicago, Illinois, September 21-23,
2009. Registration: July 7, 2009 - September 11, 2009. For more
information, http://www.accesspro.org/

2nd International Action Day "Freedom not Fear - Stop the Surveillance
Mania," September 12, 2009. Worldwide demonstrations, events, privacy
parties etc. in many countries. For more information,
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

3rd European Privacy Open Space, October 24-25, 2009, Vienna, Austria.
For more information, http://www.privacyos.eu

Global Privacy Standards in a Global World, The Public Voice, Madrid,
Spain, November 3, 2009. For more information,
http://thepublicvoice.org/events/madrid09/

31st International Conference of Data Protection and Privacy
Commissioners, Madrid, Spain, November 4-6, 2009. For more information,
http://epic.org/redirect/072009_31Conf_IntlDPA.html

UN Internet Governance Forum, November 15-18, 2009, Sharm El Sheikh,
Egypt. For more information, http://www.intgovforum.org/

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the instructions under "Subscription
Information" below.

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.
=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.15 ------------------------