=======================================================================
E P I C   A l e r t
=======================================================================
Volume 16.16                                          August 28, 2009
-----------------------------------------------------------------------
Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/alert/EPIC_Alert_16.16.html
"Defend Privacy. Support EPIC." http://epic.org/donate
=======================================================================
Table of Contents
=======================================================================
[1] EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing
[2] FTC Issues Final Health Breach Notification Rule for Medical Data
[3] Privacy Compliance for Facebook, Some Changes Made
[4] DHS Proposes to Rescind SSN No-Match Rule
[5] Court Enjoins Transfer of "Clear" Data
[6] News in Brief
[7] EPIC Bookstore: "OECD Communications Outlook 2009"
[8] Upcoming Conferences and Events
- Join EPIC on Facebook http://facebook.com/epicprivacy
- Privacy Policy
- About EPIC
- Donate to EPIC http://epic.org/donate
- Subscription Information
=======================================================================
[1] EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing
=======================================================================
In response to an EPIC Freedom of Information Act request, the General Services Administration released several contracts between the federal government and Web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace.
On April 30, 2009, EPIC filed a FOIA request with the GSA seeking (1) all agreements between federal agencies and social networking services, cloud computing services, and/or vendors of other similar services; (2) all records, including memoranda and legal opinions, concerning the application of the Privacy Act of 1974 and the Freedom of Information Act to social networking services, cloud computing services, and/or other similar services; and (3) all instructions, policies and/or procedures concerning the collection, storage, transmission, and use of information about users of social networking or cloud computing services by federal agencies. EPIC filed the request after a news article reported that the GSA had signed agreements with social networking and cloud computing service providers concerning federal agencies' use of Web 2.0 services. The GSA often enters into contracts on behalf of multiple federal agencies to make government contracting more efficient. The news report also stated that a coalition of agencies had been working with private corporations to develop terms of service for federal agencies' use of social media services, and cited a GSA official as saying that the areas of concern included liability limits, endorsements, and freedom of information.

Generally, the nine agreements obtained by EPIC state the Government's obligation to comply with federal law and explicitly note obligations to comply with privacy or freedom of information laws. The contracts that do so include those with MySpace, SlideShare.net, Flickr, Vimeo.com, AddThis.com, Blip.tv, and Blist. The Facebook and Google (YouTube) contracts, however, do not affirmatively state the agencies' obligations to comply with these laws.
Further, the Google/YouTube contract explicitly authorizes the use of persistent cookies, stating that "[p]rovider acknowledges that, except as expressly set forth in this Agreement, Google uses persistent cookies in connection with that YouTube Video Player. To the extent that any rules or guidelines exist prohibiting the use of persistent cookies in connection with the Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google." EPIC also found that the GSA contracts consistently omit any statement of the Web 2.0 service providers' obligations to protect privacy. Although a privacy policy describes how a website processes information, it functions as a disclaimer of liability and does not by itself provide any protection. Given that the data collection practices of federal agencies and their contractors are routinely subject to the federal Privacy Act, this omission is significant.

Privacy and Government Contracts with Social Media Companies: http://epic.org/privacy/socialnet/gsa/
EPIC's FOIA Request to GSA: http://www.epic.org/privacy/socialnet/gsa_foia_4-30-09.pdf
GSA's Contract with Google (YouTube): http://www.epic.org/foia/gov2.0/GSA_Google_Contract.pdf
GSA's Contract with Blip.tv: http://www.epic.org/foia/gov2.0/GSA_Blip_Contract.pdf
GSA's Contract with Blist: http://www.epic.org/foia/gov2.0/GSA_Blist_Contract.pdf
GSA's Contract with Yahoo (Flickr): http://www.epic.org/foia/gov2.0/GSA_Yahoo_Contract.pdf
GSA's Contract with MySpace: http://www.epic.org/foia/gov2.0/GSA_MySpace_Contract.pdf
GSA's Amended Contract with Facebook: http://www.epic.org/foia/gov2.0/GSA_Facebook_Amendment.pdf
GSA's Amended Contract with SlideShare.net: http://www.epic.org/foia/gov2.0/GSA_Slideshare_Amendment.pdf
GSA's Amended Contract with Vimeo.com: http://www.epic.org/foia/gov2.0/GSA_Vimeo_Amendment.pdf
GSA's Amended Contract with AddThis.com:
http://www.epic.org/foia/gov2.0/GSA_Addthis_Amendment.pdf
GSA Training Slides: http://www.epic.org/foia/gov2.0/GSA_Slides.pdf
GSA's Letter to EPIC: http://www.epic.org/foia/gov2.0/GSA_EPIC_Letter.pdf
EPIC - Social Network Privacy: http://www.epic.org/privacy/socialnet/default.html
EPIC - Facebook: http://epic.org/privacy/facebook/
EPIC - Cloud Computing: http://epic.org/privacy/cloudcomputing/
=======================================================================
[2] FTC Issues Final Health Breach Notification Rule
=======================================================================
The Federal Trade Commission has issued a final rule requiring breach notification by vendors of personal health records and related entities. The American Recovery and Reinvestment Act of 2009 contains provisions to advance health information technology while strengthening privacy and security protections for medical data. Recognizing that some web-based entities that collect consumers' health information are not subject to the Health Insurance Portability and Accountability Act, the Recovery Act required the Department of Health and Human Services, in consultation with the Federal Trade Commission, to study potential privacy, security, and breach notification requirements for such entities and to report to Congress. Until Congress enacts legislation implementing those recommendations, the FTC's final rule governs breach notification for these entities. The proposed rule, published in April, called for public comment. In June, EPIC submitted comments to the FTC arguing that the proposed regulation was not broad enough and should be modified so that all entities handling electronic health records are covered and the privacy interests of citizens are protected. EPIC also advised that entities report all breaches to the FTC through a single centralized channel, so that redundant breach notices would be less likely.
The FTC modified the rule in line with EPIC's advice, but exempted all federal agencies. EPIC had also suggested that the FTC establish comprehensive privacy and security standards and create a private right of action for violations of the rule. EPIC further recommended that information "accessed" be treated as "acquired," and that substitute notices through media such as text messaging and social networking be used to notify individuals of breaches. Other suggestions included verification of data breach notices, creation of minimum security standards, and penalties for violations. EPIC opposed the creation of "safe harbors" for de-identified data because of the uncertainties and privacy risks associated with such information.

The final rule, 16 CFR Part 318, defines "breach of security" as the acquisition of unsecured PHR identifiable health information without the authorization of the individual. The rule also defines other terms such as "business associate," "HIPAA-covered entity," "personal health record," "PHR identifiable health information," "PHR related entity," "state," "third party service provider," "unsecured" PHR, and "vendor of personal health records." The rule requires each vendor of personal health records to notify both the individuals affected by a breach and the FTC following the discovery of a "breach of security" of unsecured PHR identifiable health information. Third party service providers must notify a designated official or a senior official at the vendor of personal health records and obtain an acknowledgement from that official that the notice was received. Breach notifications must be sent without unreasonable delay and no later than 60 calendar days after discovery of the breach; however, if a law enforcement official determines that notification would impede a criminal investigation, the notice may be delayed. The Health Breach rule also prescribes methods for individual notices, media notices, and notice to the FTC.
The notice must contain a brief description of what happened, including the date of the breach and the date of its discovery; a description of the types of unsecured health information involved; the steps the individual should take; a brief statement of the actions taken by the entity following the breach; and contact procedures for affected individuals who want to ask questions or learn more. The rule takes effect 30 days after publication in the Federal Register and sunsets on the effective date of any legislation, if enacted, establishing notification requirements for health data breaches. The FTC rule does not apply to HIPAA-covered entities or to any entity's activities as a business associate of a HIPAA-covered entity.

FTC Health Breach Notification Rule: http://www.ftc.gov/os/2009/08/R911002hbn.pdf
EPIC's Comments to the FTC on the Health Breach Notification Rule: http://epic.org/privacy/medical/Comments_on_FTC_EHR-EPIC.pdf
FTC Issues Final Breach Notification Rule for Electronic Health Information: http://www.ftc.gov/opa/2009/08/hbn.shtm
FTC Page on Health Data Breach (Health Breach Notification Rule): http://www.ftc.gov/healthbreach/
FTC Health Breach Notification Form: http://www.ftc.gov/os/2009/08/R911002hbnform.pdf
The American Recovery and Reinvestment Act of 2009: http://epic.org/redirect/022309_Stimulus_Act.html
EPIC - Identity Theft: http://epic.org/privacy/idtheft
EPIC - Medical Privacy: http://epic.org/privacy/medical
=======================================================================
[3] Privacy Compliance for Facebook, Some Changes Made
=======================================================================
In mid-July, the Office of the Privacy Commissioner of Canada released its "Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic" against
Facebook, Inc. The complaint was filed by CIPPIC under the Personal Information Protection and Electronic Documents Act and comprised 24 allegations covering 12 distinct subjects, including default privacy settings, the collection and use of users' personal information for advertising, the disclosure of users' personal information to third-party application developers, and the collection and use of non-users' personal information. Although a number of the allegations were resolved through recommendations made by the Commissioner's Office, the Assistant Privacy Commissioner of Canada found Facebook in contravention of PIPEDA on four subjects: third-party applications, account deactivation and deletion, accounts of deceased users, and non-users' personal information. The Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users' personal information, and was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.

The Commissioner's Office made several recommendations to Facebook: limit application developers' access to user information, inform users specifically about the nature and use of the information shared, and share information only with the consent of the users who add an application. The Office also said that deactivated account information should be deleted after a reasonable length of time, and that the privacy policy should be amended to cover all intended uses of personal information. Facebook was given 30 days to respond.

Facebook updated its privacy policy on August 11, 2009 with what it described as "clarifying changes and minor updates." The updated policy requires developers, operators of platform applications, and websites to respect users' privacy settings.
The modified policy directs developers to use the data they receive only to operate their specific applications, and to tell users what data is collected, how it will be used, and whether it will be shared. Developers must also delete user data if the user removes their application. The updated policy also clarifies the terms governing advertisements and the special provisions applicable to advertisers. Facebook has agreed to comply with the Commissioner's Office and will revise its Privacy Policy to better describe a number of practices, including the reasons for collecting date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work. It will also educate users about reviewing their privacy settings to make sure the defaults and selections reflect their preferences. Facebook has further undertaken to increase users' understanding of, and control over, the information accessed by third-party applications: it plans to introduce a new permissions model that will require applications to specify the categories of information they wish to access and to obtain the user's express consent before any data is shared. Users would also have to specifically approve any access to their friends' information, which would remain subject to the friends' own privacy and application settings.

In June, the Article 29 Working Party warned about the dissemination and use of information available on social networking sites for secondary, unintended purposes. Its opinion calls for robust security and privacy-friendly default settings.
The European privacy commissioners recommended that controllers take "appropriate technical and organizational measures, 'both at the time of the design of the processing system and at the time of the processing itself' to maintain security and prevent unauthorized processing, taking into account the risks represented by the processing and the nature of the data." Earlier, in January, EPIC had suggested regulating social network service partners, including advertisers and application developers.

Office of the Privacy Commissioner of Canada: http://www.priv.gc.ca/index_e.cfm
Report of Findings into the Complaint Filed by the CIPPIC against Facebook, Inc. under PIPEDA: http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm
Personal Information Protection and Electronic Documents Act (PIPEDA): http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm#appendixB
Remarks at a Media Briefing - Jennifer Stoddart (July 16, 2009): http://www.priv.gc.ca/speech/2009/sp-d_20090716_e.cfm
Redlined Version of Proposed Changes to Facebook's SRR: http://www.box.net/shared/hi66nsrhss
Facebook Announces Privacy Improvements in Response to Recommendations by Canadian Privacy Commissioner: http://www.facebook.com/press/releases.php?p=118816
Facebook agrees to address Privacy Commissioner's concerns: http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.cfm
Delivering More Control and Transparency, Facebook Blog, August 27, 2009: http://blog.facebook.com/blog.php?post=126129882130
Article 29 Working Party Opinion on Social Networking Sites: http://epic.org/privacy/socialnet/Opinion_SNS_090316_Adopted.pdf
Article 29 Working Party: http://epic.org/redirect/040109_A29WP.html
Facebook Privacy Policy: http://www.facebook.com/policy.php
Facebook Statement of Rights and Responsibilities: http://www.facebook.com/terms.php
EPIC's Suggestion on Social Networking Privacy: http://www.cpdpconferences.org/L-Z/rotenberg.html
EPIC - Facebook Privacy: http://epic.org/privacy/facebook/
EPIC - Social
Networking Privacy: http://epic.org/privacy/socialnet/
=======================================================================
[4] DHS Proposes to Rescind SSN No-Match Rule
=======================================================================
The Department of Homeland Security is proposing to rescind its SSN No-Match Rule and the 2008 Supplemental Final Rule. In August 2007, DHS issued a rule describing an employer's legal obligations upon receiving a "no-match" letter from the Social Security Administration or a letter from DHS regarding employment verification forms. The final rule also described "safe-harbor" procedures that an employer could follow in response to such a letter in order to be certain that DHS would not use the letter as any part of an allegation that the employer had constructive knowledge that the employee referred to in the letter was an alien not authorized to work in the United States. Failure to correct discrepancies could result in liability under U.S. immigration law. Because the process for correcting errors is cumbersome, employers often chose instead to fire the workers involved, citizens and non-citizens alike. A federal court granted a preliminary injunction against implementation of the rule. The court raised several issues with DHS's rulemaking, including whether DHS had supplied a reasoned analysis to justify what the court viewed as a change in the Department's position that a no-match letter may be sufficient, by itself, to put an employer on notice, and thus impart constructive knowledge, that the employees referenced in the letter may not be work-authorized; and whether DHS had exceeded its authority (and encroached on the authority of the Department of Justice) by interpreting the antidiscrimination provisions of an immigration statute.
DHS subsequently published a supplemental notice of proposed rulemaking and a supplemental final rule to clarify certain aspects of the 2007 No-Match final rule and to respond to the findings underlying the court's injunction. Neither the SNPRM nor the supplemental final rule, however, changed the safe-harbor procedures or the applicable regulatory text. In October 2008, the same court declined to vacate the injunction against the SSN No-Match Rule. DHS then conducted a review of existing programs and regulations under the incumbent Secretary and determined that U.S. Citizenship and Immigration Services' E-Verify program, along with other DHS programs, "provide better tools for employers to reduce incidences of unauthorized employment" and "better detect and deter" the use of fraudulent identity documents by employees. Consequently, DHS has decided to rescind both the August 2007 No-Match rule and the 2008 Supplemental Final Rule, and to focus its resources on promoting E-Verify, U.S. Immigration and Customs Enforcement's Mutual Agreement Between Government and Employers, and similar programs. In May 2008, E-Verify added real-time arrival and departure information on non-citizens from the Integrated Border Inspection System to its databases, and in February 2009 USCIS added Department of State passport data to E-Verify. In 2010, DHS plans to incorporate the Student and Exchange Visitor Information System into E-Verify. EPIC, the Government Accountability Office, the Social Security Administration's Inspector General, and the Cato Institute have detailed many shortcomings of E-Verify, including high levels of inaccuracy in the databases on which the program relies, employer misuse resulting in discrimination and unlawful termination, the lack of privacy protections, and the program's high costs.
Last year, EPIC also filed a Freedom of Information Act request with DHS for all records, including contracts and related documents, between DHS and NPR concerning the E-Verify promotional campaign that had begun earlier, as well as records of contracts and related documents between DHS and other media outlets. Despite an administrative appeal, the agency has not produced the documents. DHS is accepting comments on the proposed rescission until September 18, 2009; comments should be identified by DHS Docket No. ICEB-2006-0004.

Federal Register, Vol. 74, No. 159, Wednesday, August 19, 2009 (Proposed Rule Rescinding SSN No-Match Rule): http://edocket.access.gpo.gov/2009/pdf/E9-19826.pdf
Federal Register, Vol. 72, No. 157, Wednesday, August 15, 2007 (Final Rule - Safe-Harbor Procedures for Employers Who Receive a No-Match Letter): http://edocket.access.gpo.gov/2007/E7-16066.htm
Department of Homeland Security, Safe Harbor Procedures for Employers, October 28, 2008: http://edocket.access.gpo.gov/2008/pdf/E8-25544.pdf
EPIC's letter to NPR Ombudsman: http://epic.org/DHS_NPR_ltr_12-08.pdf
EPIC's FOIA request to DHS: http://epic.org/privacy/e-verify/dhs_foia_120408.pdf
"Employment Verification - Challenges Exist in Implementing a Mandatory Electronic Employment Verification System," United States Government Accountability Office, June 10, 2008: http://www.gao.gov/new.items/d08895t.pdf
"Inspector General's Statement on SSA's Major Management and Performance Challenges," Nov. 5, 2008: http://epic.org/redirect/120808_IG_SSA_statement.html
E-Verify Debunking Exposes Debunking Errors, The Cato Institute, May 21, 2008: http://epic.org/redirect/120808_CATO_EVerify_error.html
EPIC, "Spotlight on Surveillance: E-Verify System - DHS Changes Name, But Problems Remain for U.S.
Workers.": http://epic.org/privacy/surveillance/spotlight/0707/default.html
=======================================================================
[5] Court Enjoins Transfer of "Clear" Data
=======================================================================
A federal court has issued an order prohibiting Verified Identity Pass, Inc., the company behind the "CLEAR" Registered Traveler program, from "selling or otherwise transferring, disclosing to third parties or maintaining in an unsecure manner any personal biographic or biometric information that was provided to it by members of the putative class in connection with or as a condition to their membership in the CLEAR program...." The U.S. District Court for the Southern District of New York found that there was "an immediate need for preliminary injunctive relief preventing the transfer or disclosure of such information" and that "there is a risk of disclosure of such confidential private information resulting from the lack of accountability or oversight concerning the manner in which that information is maintained or stored." The order directs VIP to "forthwith take all steps necessary to preserve, through the conclusion of this litigation, all documents, data and other materials relevant to the allegations," including biographic information collected by VIP, all communications with CLEAR members, all archived and/or stored websites containing CLEAR marketing materials, promotional membership information, payment and membership history, and financial records. VIP ceased operations on June 22, 2009 after declaring bankruptcy. At that time, VIP ran the largest Registered Traveler program in the nation, operating at 20 airports with about 250,000 members. The CLEAR application process collected a large amount of personal information from members, such as proof of legal name, date of birth, citizenship status, home address, place of birth, and gender.
The information was used to pre-screen travelers for expedited passage through airport security checkpoints. After the shutdown in June, the company's statements about the fate of customer information changed several times. On July 1, 2009, the company stated that "Applicant and Member data is currently secured by Lockheed Martin" and that Lockheed Martin was working with Verified Identity Pass on securing the data. According to Steve Brill, Clear's founder, who had left the company in February, the TSA could quickly reclaim the data under Registered Traveler rules, although Brill warned that the rules might have been altered since he left. Clear had "reserve[d] the right to change [its] policies [from time to time]" by informing its "customers by email." On June 25, 2009, leaders of the House Homeland Security Committee sent a letter to the TSA regarding VIP's bankruptcy. The committee is investigating, among other things, when the TSA became aware of the bankruptcy; whether it has asked the company for its plan for the Registered Traveler data; whether the agency is seeking a privacy impact assessment on the bankruptcy; and whether the agency has a contingency plan for safeguarding the data now that the company has gone out of business. Eight lawsuits have been filed against VIP by former CLEAR customers, raising claims of breach of contract, fraud, and deceptive trade practices under New York law, where the company was registered. One case also highlights the wrongful retention of highly personal and sensitive data. Perkins v. Verified Identity Pass Inc., S.D.N.Y., No.
09-5951, 08/18/09:
Complaint: http://epic.org/privacy/airtravel/clear/CLEAR_complaint.pdf
Court Order: http://epic.org/privacy/airtravel/clear/sdny_clear_injunction.pdf
EPIC - Bankruptcy of Verified Identity Pass and the Privacy of Clear Registered Traveler Data: http://epic.org/privacy/airtravel/clear
TSA - Registered Traveler: http://www.tsa.gov/approach/rt/index.shtm
TSA - Minimum Required RT Security Standards and Procedures for Assessing Compliance with RT Security Standards: http://www.tsa.gov/assets/pdf/rt_appendix_c.pdf
TSA - Registered Traveler Security, Privacy, and Compliance Standards for Sponsoring Entities and Service Providers: http://www.tsa.gov/assets/pdf/rt_standards.pdf
House Homeland Security Committee Letter: http://epic.org/dhs-committee_tsa-ltr.pdf
Clear's Privacy Policy: http://www.flyclear.com/clear_privacy.pdf
Clear's Online Privacy Policy: http://www.flyclear.com/clear_online.pdf
CBP - Trusted Traveler Programs: http://www.cbp.gov/xp/cgov/travel/trusted_traveler/
Airports Accepting the Clear Card (Archived): http://epic.org/privacy/airtravel/clear/clear-airports.pdf
EPIC Spotlight on Surveillance - Registered Traveler Card: http://epic.org/privacy/surveillance/spotlight/1005/
EPIC - Air Travel Privacy: http://epic.org/privacy/airtravel/
EPIC - Secure Flight: http://epic.org/privacy/airtravel/secureflight.html
EPIC - Passenger Profiling: http://epic.org/privacy/airtravel/profiling.html
EPIC's testimony before Congress: "The Future of Registered Traveler," November 3, 2005: http://epic.org/privacy/airtravel/rt_test_110305.pdf
EPIC's testimony before Congress: "Ensuring America's Security: Cleaning Up the Nation's Watchlists," September 9, 2008: http://epic.org/privacy/airtravel/watchlist_test_090908.pdf
=======================================================================
[6] News in Brief
=======================================================================
Massachusetts Lowers Privacy Protection in Data Privacy Rule
In November 2008,
the Commonwealth of Massachusetts became the first state in the United States to adopt comprehensive data privacy and security standards and regulations intended to ensure that businesses take steps to safeguard personal information. The regulation's purpose is to protect against unauthorized access to or use of personal information in a manner that creates a risk of identity theft or fraud. Although the rules were originally to take effect on January 1, 2009, they have since been amended and their effective date postponed to March 1, 2010. The amended rules change several definitions and apply to employers with regard to the personal data of Massachusetts employees even if those employees do not reside in Massachusetts. The amended rules no longer require businesses to limit the amount of personal information collected or the length of time it is retained, and no longer restrict access to the information to those persons who need to know it. Further, the new rules remove the obligation to identify the records that contain personal information, as well as the obligation to implement a written procedure for restricting physical access to such records.

Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00): http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
FAQs regarding 201 CMR 17.00: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
EPIC - Identity Theft: http://epic.org/privacy/idtheft

New Hampshire Enacts Electronic Health Privacy Law
New Hampshire has enacted a statute aimed at protecting the privacy of health information in electronic medical records; it allows individuals to opt out of sharing their names, addresses, and protected health information with electronic health data exchanges. A companion statute restricts the use of health data for marketing and fundraising and establishes breach notification requirements for health care providers and their business associates.
The new statute takes effect on January 1, 2010. Earlier this year, the U.S. Supreme Court declined to hear a challenge to another New Hampshire law, the Prescription Confidentiality Act, which prevents data brokers from collecting information on which drugs individual physicians prescribe and selling that information to pharmaceutical companies to influence physicians' prescribing habits. The First Circuit had upheld the constitutionality of the statute. EPIC and 16 other experts in privacy and technology had submitted a friend-of-the-court brief highlighting the substantial privacy interests in de-identified patient data. In IMS Health v. Sorrell, the Second Circuit is now considering the constitutionality of a similar Vermont statute.

HB 542, final version: http://www.gencourt.state.nh.us/legislation/2009/HB0542.html
HB 619, final version: http://www.gencourt.state.nh.us/legislation/2009/HB0619.html
EPIC - IMS Health v. Sorrell: http://epic.org/privacy/ims_sorrell/
IMS Health's Notice of Appeal: http://epic.org/privacy/ims_sorrell/IMS_appeal.pdf
PhRMA's 2nd Circuit Brief: http://epic.org/redirect/082809_PhRMA_2dCir_Brief.html
IMS Health's 2nd Circuit Brief: http://epic.org/redirect/082809_IMS_2dCir_Brief.html
Supreme Court Docket: IMS Health v. Ayotte: http://origin.www.supremecourtus.gov/docket/08-1202.htm
First Circuit Opinion: http://epic.org/privacy/imshealth/11_18_08_order.pdf
Prescription Confidentiality Act: http://www.gencourt.state.nh.us/legislation/2006/HB1346.html
EPIC's Brief - IMS Health v. Ayotte: http://epic.org/privacy/imshealth/epic_ims.pdf
EPIC - IMS Health v.
Ayotte: http://epic.org/privacy/imshealth/

Health Department Issues Final Rule on Breach Notification
The Department of Health and Human Services has published an interim final rule requiring that health care providers, health plans, and other entities covered under the Health Insurance Portability and Accountability Act notify individuals when their health information is breached. The rule requires health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, and to notify the HHS Secretary and the media when a breach affects more than 500 individuals. It also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. The FTC's separate Health Breach Notification Rule (item [2] above) does not apply to HIPAA-covered entities or to any entity's activities as a business associate of a HIPAA-covered entity. The HHS rule was mandated by the American Recovery and Reinvestment Act of 2009.

HHS - Health Information Privacy: http://hhs.gov/ocr/privacy/
HHS - HITECH Breach Notification Interim Final Rule: http://epic.org/redirect/082809_HHS_BreachNotifRule.html
Breach Notification Interim Final Regulation (74 FR 42740), August 2009: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
Press Release: http://www.hhs.gov/news/press/2009pres/08/20090819f.html
HITECH Breach Notification Guidance and RFI (74 FR 19006), April 2009: http://epic.org/redirect/082809_HHS_BreachNotifGuide.html
The American Recovery and Reinvestment Act of 2009: http://epic.org/redirect/022309_Stimulus_Act.html
EPIC - Medical Privacy: http://epic.org/privacy/medical
EPIC - Identity Theft: http://epic.org/privacy/idtheft

DHS Issues PIA for Border Searches of Electronic Devices
The Department of Homeland Security has released a Privacy Impact Assessment for the searches of electronic devices conducted at U.S. borders. The legality of searching and examining persons and property crossing into the U.S.
has been recognized for centuries. A court has also upheld the searching of electronic devices at the border. Privacy concerns have been raised by members of Congress: Senators Russ Feingold (D-Wi) and Patrick Leahy (D-Vt) had urged the Customs and Border Patrol to reconsider the policy of searching laptops, digital cameras, and handheld devices at borders. The PIA analyzes how CBP and Immigration and Customs Enforcement handle the examination, detention, retention, and seizure of electronic devices and information. The two federal agencies identified several privacy risks associated with the examination, detention, retention, and/or seizure of a traveler's electronic device or information during a border search, including the traveler being unaware of the viewing or detention of his personal information; detention of PII when not required; disclosure of PII to other agencies that may misuse or mishandle it; and new privacy risks that may arise from ever-changing technology.

DHS Border Searches of Electronic Devices PIA:
http://epic.org/redirect/082809_DHS_Border_ElecDevice_PIA.html

Senator Patrick Leahy (D-Vt.), Chairman, Senate Judiciary Committee, "Laptop Searches And Other Violations Of Privacy Faced By Americans Returning From Overseas Travel" (June 25, 2008):
http://leahy.senate.gov/press/200806/062508.html

CRS - The Department of Homeland Security Intelligence Enterprise: Operational Overview and Oversight Challenges for Congress:
http://epic.org/crs-rept_dhs-oversight.pdf

"TIME CHANGE -- Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel":
http://judiciary.senate.gov/hearings/hearing.cfm?id=3420

Congress Urges Department of Commerce to Oversee ICANN

Members of the House Committee on Energy and Commerce wrote a letter to the Secretary of the United States Department of Commerce urging that the oversight of the Internet Corporation for Assigned Names and Numbers be made permanent.
The letter asked for a "permanent instrument to which ICANN and the Department of Commerce are co-signatories." The representatives asked that the new instrument provide for periodic reviews of ICANN's performance with respect to transparency and accountability, the security and stability of the Internet, management of generic top-level domains, and implementation of any new gTLDs. The members also asked that the instrument outline the steps ICANN would take to maintain and improve its accountability, and create a mechanism for ICANN's implementation of any new gTLDs and internationalized domain names that ensures appropriate consultation with stakeholders. Further, the representatives asked that ICANN adopt measures to maintain timely and public access to accurate and complete WHOIS information, including registrant, technical, billing and administrative contact information, which is critical to the tracking of malicious websites and domain names. The committee members also stated that the new instrument should include commitments that ICANN will remain a not-for-profit corporation headquartered in the United States.

Congress Letter to Gary Locke, Department of Commerce:
http://epic.org/linkedfiles/sen_icann.pdf

House Committee on Energy & Commerce:
http://energycommerce.house.gov/

U.S. Department of Commerce:
http://www.commerce.gov/

The Public Voice:
http://www.thepublicvoice.org

Privacy Advocate Joins FTC

Chris Soghoian, a member of the EPIC Advisory Board, is joining the Federal Trade Commission as a technical consultant in the Division of Privacy and Identity Protection in the Bureau of Consumer Protection. As a Ph.D. candidate at Indiana University's School of Informatics, Chris focused his research on data security and privacy, and on cyber law and policy. As a security researcher, he has discovered and disclosed vulnerabilities in software applications made by Google, Yahoo, Facebook and Apple.
In the policy sphere, his activism has resulted in the successful passage of an amendment to Indiana's data breach laws and a Congressional investigation into security flaws at the Transportation Security Administration. Earlier this year, Chris raised the issue of cookies being set on the White House website by the embedded YouTube videos used for the President's weekly address. Such cookies could also be used to track individuals who played the President's weekly address on their computer.

"Going Fed":
http://paranoia.dubfire.net/2009/08/going-fed.html

White House exempts YouTube from privacy rules:
http://news.cnet.com/8301-13739_3-10147726-46.html

White House acts to limit YouTube cookie tracking:
http://news.cnet.com/8301-13739_3-10148844-46.html

Chris Soghoian, EPIC Advisory Board:
http://epic.org/epic/advisory_board.html#soghoian

Report Finds "Leakage" of PII from Social Networks

A paper by two researchers from AT&T Labs and Worcester Polytechnic Institute has established that it is possible for personally identifiable information to "leak" from social networking sites to third-party aggregators. The research found that the presence of the top-10 third-party servers across a large set of popular web sites had grown from 40% in October 2005 to 70% in September 2008. The study found that leakage of PII could occur via a combination of HTTP header information and cookies being sent to third-party aggregators. The report also stated that while it was not known whether aggregators were recording PII, it was undeniable that the information was available to them. The researchers stated that online social networking sites were in the best position to prevent such leakage by eliminating social network identifiers from request URLs and, consequently, from the Referer header.
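The leakage path the researchers describe, as an added example that is not code from the paper or from EPIC: a small Python check that scans a constructed log of third-party requests for social-network identifiers carried in the Referer header, together with the URL rewrite the researchers recommend (removing the identifier from the page URL so the referrer no longer exposes it). The host names, identifier patterns and log lines are assumptions made for the example.

```python
"""Detect and remove the Referer-header PII leak described above.

Constructed example, not code from Krishnamurthy and Wills or from EPIC;
hosts, identifier patterns and the request log are made up. A page such as
/profile.php?id=1234 that embeds a third-party resource sends its own URL
as the Referer, so the third party sees the user id plus its own cookie.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed places a social network puts the user identifier: a query key,
# or the first path segment after /profile, /user or /people.
ID_QUERY_KEYS = ("id", "uid", "user", "profile_id")
ID_PATH_RE = re.compile(r"^/(profile|user|people)/[^/]+")
OSN_HOSTS = {"social.example.net"}  # constructed social-network host

# Constructed log of third-party requests a browser issued while rendering
# social-network pages: destination URL, Referer header, aggregator cookie.
REQUESTS: List[Dict[str, Optional[str]]] = [
    {"url": "http://ads.example-aggregator.com/pixel.gif",
     "referer": "http://social.example.net/profile.php?id=1234&ref=home",
     "cookie": "agg_uid=abc"},
    {"url": "http://ads.example-aggregator.com/pixel.gif",
     "referer": "http://social.example.net/home.php",
     "cookie": "agg_uid=abc"},
    {"url": "http://stats.example-tracker.org/collect",
     "referer": "http://social.example.net/profile/alice",
     "cookie": None},
    {"url": "http://stats.example-tracker.org/collect",
     "referer": "http://news.example.com/article?id=99",
     "cookie": "t=1"},
]

@dataclass
class Leak:
    third_party: str                # aggregator host that saw the identifier
    osn_host: str                   # social network the identifier belongs to
    identifier: str                 # the leaked user identifier
    tracking_cookie: Optional[str]  # aggregator cookie sent with the request

def extract_identifier(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, identifier) when a URL carries a user id, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for key in ID_QUERY_KEYS:
        if query.get(key):
            return parts.hostname or "", query[key][0]
    if ID_PATH_RE.match(parts.path):
        return parts.hostname or "", parts.path.split("/")[2]
    return None

def find_leaks(requests, osn_hosts) -> List[Leak]:
    """Flag third-party requests whose Referer exposes an OSN identifier."""
    leaks = []
    for req in requests:
        found = extract_identifier(req.get("referer") or "")
        if found and found[0] in osn_hosts:
            leaks.append(Leak(urlsplit(req["url"]).hostname or "",
                              found[0], found[1], req.get("cookie")))
    return leaks

def strip_identifier(url: str) -> str:
    """The fix the researchers recommend: keep identifiers out of page URLs."""
    parts = urlsplit(url)
    query = {k: v for k, v in parse_qs(parts.query).items()
             if k not in ID_QUERY_KEYS}
    path = ID_PATH_RE.sub(lambda m: "/" + m.group(1), parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(query, doseq=True), parts.fragment))
```

Running find_leaks over the constructed log flags the two requests whose Referer names a social-network profile; after strip_identifier is applied to the page URLs, the same scan flags nothing.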
Krishnamurthy and Wills, "On the Leakage of Personally Identifiable Information Via Online Social Networks":
http://epic.org/redirect/082809_PII_SNS_Leak_Report.html

EPIC - Social Network Privacy:
http://epic.org/privacy/socialnet

NIST Publishes Revised Security Controls for Federal Information Systems and Organizations

The Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology revised and published security controls for federal information systems. The published guideline is a mandatory federal standard developed by NIST in response to the Federal Information Security Management Act. The new guideline is more detailed than its predecessor, advises agencies to write cybersecurity policy, and includes several controls to defend against computer threats. The new guidelines apply not only to civilian agencies but also to the Defense Department and the intelligence agencies. A companion document, "Special Publication 800-53A," includes procedures for testing and evaluating each security control.

Recommended Security Controls for Federal Information Systems and Organizations:
http://epic.org/redirect/082809_NIST_Sec_Control.html

Markup Version:
http://epic.org/redirect/082809_NIST_Sec_Control_Markup.html

Guide for Assessing the Security Controls in Federal Information Systems:
http://epic.org/redirect/082809_NIST_Sec_Control_Guide.html

=======================================================================
[7] EPIC Bookstore: "OECD Communications Outlook 2009"
=======================================================================

"OECD Communications Outlook 2009"
http://www.amazon.com/gp/product/9264059830?tag=e03a6-20

Telecommunications technology has come a long way in the last few centuries, and the human desire to connect and communicate has always pushed mankind to develop novel ways of communicating.
The OECD Communications Outlook provides a bird's-eye perspective not only on the development of telecommunications and technology, but also on the market forces that shape, hammer and thrust it forward. Drafted by the staff of the OECD Directorate for Science, Technology and Industry, the book is divided into chapters examining recent changes in communication policy, market size, network dimensions and development, internet infrastructure, broadcasting, and pricing trends. The report confirms the perception that the telecommunications market has expanded and goes on to emphasize how the ability to communicate now has seven pathways, compared to one in 1980. The report uses statistical data analyses to show striking trends in communication technologies and identifies both the bottlenecks and the impetus for future growth. The publication studies the rise of broadband on fixed lines and the increase in demand for bundled services against the specter of abysmal investment in communications infrastructure. The report notes that, although government ownership of public telecommunication operators has declined, the current financial situation makes it likely that major reductions in state ownership will be deferred. The OECD book also notes the changing audio-visual landscape, with both audio and video being delivered over a range of different networks and devices, and the money being poured into new, high-speed broadband networks, which allow for a much richer audio-visual experience. This book is not meant as advice or a guide, but rather as a compilation of statistics that will help policy makers comprehend a plethora of simultaneous evolutions in data interchange. The publication gives a technical and informational overview of the digital evolution against the backdrop of ever-changing, dynamic technologies mapped onto competing market forces, and leaves readers to judge how best to apply what they learn in their respective fields.
-- Anirban Sen

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

EPIC, Privacy Scorecard for the Obama Administration, National Press Club, Washington DC, September 9, 2009. For more information, http://www.theprivacycoalition.org/

Section: Protest Politics | Panel: The Contentious Politics of Intellectual Property, 5th ECPR General Conference, Potsdam, Germany, September 10-12, 2009. For more information, http://www.ecpr.org.uk/potsdam/default.asp

2nd International Action Day "Freedom not Fear - Stop the Surveillance Mania", Demonstrations, Events, Privacy Parties, etc., in many countries. Worldwide, September 12, 2009. For more information, http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

Pan-European Dialogue on Internet Governance (EuroDIG), Geneva, Switzerland, September 14-15, 2009. For more information, http://www.eurodig.org/

World Summit on the Knowledge Society WSKS 2009, Crete, Greece, September 16-18, 2009. For more information, http://www.open-knowledge-society.org/

Gikii, A Workshop on Law, Technology and Popular Culture, Institute for Information Law (IViR), University of Amsterdam, September 17-18, 2009.
For more information, http://www.law.ed.ac.uk/ahrc/gikii/2009.asp

"The Net will not forget," European conference on ICT and Privacy, Copenhagen, Denmark, September 23-24, 2009. For more information, http://www.ict-privacy.dk/

3rd International Conference "Keeping Children and Young People Safe Online," Warsaw, Poland, September 29-30, 2009. For more information, http://tinyurl.com/KCYPSO

"6th Communia Workshop: Memory Institutions and Public Domain", Barcelona, Spain, October 1-2, 2009. For more information, http://www.communia-project.eu/ws06

10th German Big Brother Awards, Bielefeld, Germany, October 16, 2009. For more information, http://www.bigbrotherawards.de

eChallenges 2009, Istanbul, Turkey, October 21-23, 2009. For more information, http://www.echallenges.org/e2009/default.asp

Big Brother Awards Switzerland, Zurich, Switzerland, October 24, 2009. Deadline for nominations: August 31, 2009. For more information, http://www.bigbrotherawards.ch/2009/

3rd European Privacy Open Space, Vienna, Austria, October 24-25, 2009. For more information, http://www.privacyos.eu

Austrian Big Brother Awards, Vienna, Austria, October 25, 2009. Deadline for nominations: 21 September 2009. For more information, http://www.bigbrotherawards.at

Free Culture Forum: Organization and Action, Barcelona, Spain, October 29 - November 1, 2009. For more information, http://fcforum.net

Free Society Conference and Nordic Summit, Gothenburg, Sweden, November 13-15, 2009. For more information, http://www.fscons.org

Global Privacy Standards in a Global World, The Public Voice, Madrid, Spain, November 3, 2009. For more information, http://thepublicvoice.org/events/madrid09/

31st International Conference of Data Protection and Privacy Commissioners, Madrid, Spain, November 4-6, 2009.
For more information, http://epic.org/redirect/072009_31Conf_IntlDPA.html

UN Internet Governance Forum, Sharm El Sheikh, Egypt, November 15-18, 2009. For more information, http://www.intgovforum.org/

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name. In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "Subscription Information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.16 ------------------------