
EPIC Alert 16.21

                          E P I C   A l e r t
Volume 16.21                                          November 9, 2009

                            Published by the
                  Electronic Privacy Information Center (EPIC)
                            Washington, D.C.


					 "Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Urges Court to Protect Privacy Rights in Facebook Case
[2] Study Finds Privacy of Nation's School Children At Risk
[3] Public Voice Hosts Madrid Civil Society Conference
[4] Civil Society Groups Issue Privacy Declaration in Madrid
[5] EPIC Audits First Public Election to use Scantegrity Voting System
[6] News in Brief
[7] EPIC Bookstore: "Privacy By Design . . . Take the Challenge"
[8] Upcoming Conferences and Events
- Join EPIC on Facebook
- Privacy Policy
- About EPIC
- Donate to EPIC
- Subscription Information

[1] EPIC Urges Court to Protect Privacy Rights in Facebook Case
On November 3, EPIC filed a friend of the court brief with the Fifth
Circuit Court of Appeals, urging the Court to enforce federal privacy
protections for Facebook users who rented videos from Blockbuster, a
Facebook business partner.

Congress passed the Video Privacy Protection Act of 1988 to prevent the
wrongful disclosure of video rental information by companies that
collect detailed personal information from customers. To achieve this
goal, Congress established a private right of action to ensure that
there would be a meaningful remedy when companies failed to safeguard
the data they collected. A private right of action is a statutory
clause that gives individual citizens the right to sue companies who
violate the individual's rights under the law.

Accordingly, Cathryn Harris and other Facebook users filed suit under
the Act after Blockbuster made public their private video rental
information. Blockbuster made the information public as part of its
participation in Facebook's Beacon program, which revealed the private
information on the news feeds of other users. In response to the
lawsuit, Blockbuster claimed that, under the "clickwrap" agreement that
consumers clicked through while signing up for Blockbuster's online
service, consumers could not sue the company and had to submit to
mandatory arbitration.

EPIC wrote that "absent a private right of action, there would be no
effective enforcement, no remedy for violations, and no way to ensure
that companies complied with the intent of the Act." EPIC's brief,
which includes a detailed history of the video privacy law, urges the
appeals court to uphold a lower court ruling, which held that the
plaintiffs are allowed to pursue their claim that a federal law was

EPIC Amicus Brief:

EPIC: Harris v. Blockbuster:

EPIC: The Video Privacy Protection Act:

EPIC: Facebook Privacy:

[2] Study Finds Privacy of Nation's School Children At Risk
A Fordham Law School study found that state educational databases
across the country ignore key privacy protections for the nation's
school children. The study, prepared by the Center on Law and
Information Policy, reports that at least 32% of states warehouse
children's social security numbers; at least 22% of states record
student pregnancies; and at least 46% of the states track mental
health, illness, and jail sentences as part of the children's
educational records. Almost all states with known programs collect
family wealth indicators.

Moreover, most states use third party vendors for at least part of
their data collecting and reporting needs. Some states outsource the
data processing without any restrictions on use or confidentiality for
children's information. The study therefore recommended that states
which outsource data processing have comprehensive agreements
explicitly addressing the privacy obligations of the third party
vendors. Furthermore, access to the information and the disclosure of
personal data may occur for decades and follow children well into their
adult lives. More than 80% of states fail to have data-retention
policies and may retain the information indefinitely. Thus, the study
recommended that states should limit data collection to necessary
information and should have specific data retention policies and

The Fordham report also recommended that data at the state level be
made anonymous, that the collection of information by the state be
minimized and specifically tied to an articulated audit or evaluation
purpose, and that states should have a Chief Privacy Officer in the
department of education who monitors the privacy protections of
educational record databases and who publicly reports privacy impact

These findings come as Congress is considering the Student Aid and
Financial Responsibility Act, which would expand and integrate the 43
existing state databases without taking into account the critical
privacy failures in the states' electronic warehouses of children's

Study Website:

Fordham Law School, Center on Law and Information Policy:

Student Aid and Financial Responsibility Act:

EPIC: Children's Online Privacy Protection Act:

EPIC: DOD Recruiting Database:

[3] Public Voice Hosts Madrid Civil Society Conference
Almost two hundred privacy experts, advocates, and government officials
from around the world gathered in Madrid for the "Global Privacy
Standards" conference, organized by the Public Voice, and held in
conjunction with the International Conference for Data Protection and

The event featured five panel discussions. The "Privacy and Human
Rights: The Year in Review" panel, which released the most current
edition of the Privacy and Human Rights report, focused on recent
developments in privacy law. "Privacy Activism: Major Campaigns"
featured a discussion on privacy and data protection campaigns around
the world, concentrating on the role of public education. The third
panel, "Your Data in the Cloud: What if it Rains?" discussed the
privacy implications of cloud computing for internet users.
"Transborder Data Flow: Bridges, Channels or Walls?," centered on a
discussion of when data flows should be facilitated and when they
should be blocked.  Finally, in the "Toward International Privacy
Standards" discussion, Marc Rotenberg offered a presentation of the
Madrid Civil Society Declaration on Global Privacy Standards, and
respondents from four different countries reacted to his statements.

Leading privacy officials from Spain, the European Union, the European
Parliament, the OECD, and Canada all participated. Each panel featured
representatives from at least three different countries. Opening
remarks were made by Marc Rotenberg, President, EPIC; Mr. Alejandro
Perales, President, Asociación de Usuarios de la Comunicación; and Mr.
Artemi Rallo Lombarte, Director, Agencia Española de Protección de
Datos. Conference attendees heard closing remarks from Mr. Stavros
Lambrinidis, Vice President, European Parliament; and Mr. Peter
Hustinx, Supervisor, European Data Protection Supervisor (Netherlands).
The privacy commissioner's conference drew more than 1,000 participants
from over fifty countries.

Global Privacy Standards Conference:

International Conference of Data Protection and Privacy:

Public Voice:

Conference Cybercast:

[4] Civil Society Groups Issue Privacy Declaration in Madrid
In a crisply worded declaration, over 100 civil society organizations
and privacy experts from more than 40 countries have set out an
expansive statement on the future of privacy. The Madrid Privacy
Declaration was released at the Public Voice conference in Madrid on
Global Privacy Standards.

The Madrid Declaration affirms that privacy is a fundamental human
right. The declaration reminds the European Union member countries and
Organization for Economic Co-operation and Development member countries
of their obligations to protect the civil rights of their citizens
under national constitutions and laws.  Noting the increase in secret
surveillance and lack of independent oversight in corporations' data
collection practices, the Madrid Declaration sets forth warnings and
urges action on the part of the European Union countries.

The Madrid Declaration warns that "privacy law and privacy institutions
have failed to take full account of new surveillance practices." Such
failures to protect the privacy interests of citizens "jeopardize[]
associated freedoms . . . and ultimately the stability of
constitutional democracies."

The Madrid Privacy Declaration urges countries who have not done so to
ratify the Council of Europe Convention 108, establish a comprehensive
framework for privacy protection, develop means of properly
implementing and enforcing such legal frameworks, and ensure that
individuals are notified after a data breach has occurred. Furthermore,
the Declaration encourages research into the effectiveness of data
anonymization techniques, in an effort to determine whether such
practices properly safeguard personal information.

The civil society groups and experts recommend a "moratorium on the
development or implementation of new systems of mass surveillance."
Finally, the Declaration calls for the "establishment of a new
international framework for privacy protection, with the full
participation of civil society, that is based on the rule of law,
respect for fundamental human rights, and support for democratic

Madrid Declaration:

Global Privacy Standards Conference:

Translations of Madrid Declaration: 

Council of Europe Convention 108:

EPIC Reidentification:

[5] EPIC Audits First Public Election to use Scantegrity Voting System
The Clerk of Elections of the city of Takoma Park, Maryland sought
EPIC's assistance in conducting a manual audit of the city's November 3,
2009 election. The city chose the Scantegrity voting system for its
biannual election for mayor and city council. Scantegrity is an original
concept developed by David Chaum and has been refined for use in
elections through the collaboration of Ron Rivest of MIT and Poorvi
Vora of the Computing Science Department at George Washington
University.

Scantegrity's implementation for the Takoma Park election gave voters
the option of verifying, after voting, that their ballots had been
captured for the tabulation phase of the election. Takoma Park voters
also had the option of second chance voting, which allowed the
selection of primary and secondary choices for the public offices on
Tuesday's ballot.

This marked the first time in the U.S. that voters had the option to
check that their private votes were correctly recorded and included in
the election results. Each possible selection on a ballot was assigned
a unique code. The codes correspond to the ballot number. It is
important to note, however, that ballots are not associated with a
specific voter. Poll book registration logging of voters participating
in the election was separate from the issuance of ballots to voters.

Voters were given ballots in a privacy sleeve. They then voted using
optical scan ballots behind privacy screens, which allowed voters the
option of noting the codes and ballot numbers on a form they could take
with them. Voters then deposited completed ballots into one of two
scanners. Later, voters could verify that their ballot was included in
the final results by going to the City Election Office's web site and
entering the ballot number. The process was not as accessible for
unassisted voting by persons with vision-related disabilities as touch
screen voting systems are. However, voters with a wide range of
disabilities were able to vote independently, or with a little
assistance inserting their privacy-sleeve-enclosed ballot into the
scanner.

EPIC was asked to randomly select ballots from among the ballots
provided to voters in each of the 6 wards. Over 1600 Takoma Park
voters participated in the election. The audit ballots were selected
at varying times throughout Election Day, under the supervision of
election officials. Takoma Park election officials voided each audit
ballot and marked the ballot stubs to indicate that they were part of
the manual audit. EPIC then processed each manual audit ballot by
revealing all possible selections on it, and a copy of the original
manual audit ballot was made. The original ballots were placed in a
spoiled manual audit ballot envelope held by another election official
stationed in the polling location. Each ballot copy was then endorsed
by the Chief Election Judge, which will aid in authenticating the
copies when they are submitted to the City Clerk's office. The manual
audit ballots and their selections will be verified and the results
reported to the Takoma Park Clerk's office.


Links: Takoma Park Election’s Office:

Takoma Ballot verification Web page:

EPIC’s Voting Privacy Page:

[6] News in Brief
European Commission Takes Action Against United Kingdom

The European Commission announced that the United Kingdom government
has failed to comply with Europe's ePrivacy Directive and Data
Protection Directive. European laws state that European Union countries
must ensure the confidentiality of electronic communications by
prohibiting unlawful interception and surveillance. The Commission's
statement specifically cited unlawful interception under the United
Kingdom Regulation of Information Powers Act. This marks the second
phase of an infringement proceeding that was filed earlier this year
against the United Kingdom. The case follows complaints about the use
of Phorm's Deep Packet Inspection technology.

European Commission Statement:

Press Release on the Infringement Proceeding:

ePrivacy Directive:

Europe's Data Protection Directive:

EPIC: Deep Packet Inspection:

EPIC: Privacy and Human Rights Report:

Privacy Groups Urge Government to Ensure Open Internet

EPIC has signed on to a letter from Public Knowledge to the Federal
Communications Commission supporting the Commission's decision to begin
public proceedings on preserving an open internet. EPIC joins many
other public interest groups who have also expressed support for the
FCC's initiative. The Commission's proceedings will focus on proposed
rulemaking policies that would preserve an open internet. EPIC favors the
general principles of "network neutrality" and has called on the
Commission to preserve privacy safeguards against measures that
Internet Service Providers may use to limit access to the internet. For
more information, see also EPIC Deep Packet Inspection.

FCC Letter:

Public Knowledge:

FCC Proceedings:

EPIC Deep Packet Inspection:

HHS Changes Breach Notification Rules

The Department of Health and Human Services issued new breach
notification regulations that require health care providers, health
plans, and business associates of covered entities, to notify
individuals when their health information is breached. As an effort to
strengthen the Health Insurance Portability and Accountability Act, the
new rules subject business associates of covered entities to federal
law in this area for the first time. The Department also included a
provision that states a breach only occurs when access, use, or
disclosure of the data poses a significant risk of financial or other
harm to an individual, as determined by covered entities. These rules
implement provisions of the Health Information Technology for Economic
and Clinical Health Act, which was passed as part of the American
Recovery and Reinvestment Act.

Department of Health and Human Services:

HITECH Breach Notification Interim Final Rule:

HHS Breach Notification Rule Page:



EPIC Medical Record Privacy:

EPIC Submits Letter Requesting Participation in Privacy Roundtable

The Federal Trade Commission announced a series of roundtables on
consumer privacy, beginning December 7, 2009. These discussions will
explore many issues, including consumer information collection,
information management practices, new business practices, and the
adequacy of existing privacy laws. EPIC submitted a letter to the
Commission requesting to participate in the first privacy roundtable
discussion. In its letter, EPIC made several recommendations to the
Commission as it explores new internet consumer protection strategies.
The recommendations include treating fair information practices as a
fundamental requirement for companies collecting personal data,
focusing more attention on the major Internet firms that are shaping
business practices in the online environment, and investigating the
extent to which security breaches contribute to identity theft.

EPIC: Letter to the FTC:

Federal Trade Commission:

FTC Press Release:

FTC Privacy Roundtable:


FB Updates Privacy Policy in Response to Canadian Investigation

In response to a September ruling by the Canadian Privacy Commissioner
that Facebook's business practices violated Canadian law, Facebook
announced a new privacy policy this week. In order to comply with
Canada's Personal Information Protection and Electronic Documents Act,
the new Facebook policy provides a more concise description of the
privacy practices of the developers of third-party applications. It
also explains more clearly what data Facebook retains and what
abilities users do and do not have to control their data stored on
Facebook. The new policy was open to comments for one week and will
presumably be implemented sitewide soon.

Facebook: New Privacy Policy:

Facebook: Current Privacy Policy:

Facebook: New Third-Party Developer Policies:

EPIC: Facebook Privacy:

Office of the Privacy Commissioner of Canada: Facebook Findings:

Reporter Confidentiality Law Moves Forward in Senate

A revised version of the proposed federal media shield law moved
forward in the Senate this week. The Free Flow of Information Act of
2009 will make it more difficult for the government to compel
journalists to disclose information, including the identities of their
sources. The White House, which had previously endorsed a much weaker
version, has come out in favor of stronger statutory text which
requires the government or other party requesting disclosure to
demonstrate that the information sought is "essential" to a case and
all reasonable alternatives have been exhausted. A judge would then
balance the case for disclosure against the public interest in
effective journalism. A version of the bill was passed by the House
earlier this year, and with the Obama administration's support, the
Senate Judiciary Committee passed the revised bill this week, sending
it to the full Senate for a vote.

Senate: S. 448 - Free Flow of Information Act of 2009:

H.R. 985 - Free Flow of Information Act of 2009:

Amendment 9794 to S. 448 (White House-supported revised version):

Amendment 9860 to S. 448:

[7] EPIC Bookstore: "Privacy By Design . . . Take the Challenge"
"Privacy By Design . . . Take the Challenge" by Ann Cavoukian, Ph.D.

Available at:

Ann Cavoukian is a rare breed—a government official working with
privacy and technology who genuinely seems to understand both. In
Privacy By Design, the current Information and Privacy Commissioner of
Ontario, Canada proves it. Dr. Cavoukian's recent work compiles a number
of reports, guidelines, speeches, and essays published by her and her
office in recent years. These various pieces combine to show a
comprehensive approach to privacy in a modern world.

Dr. Cavoukian's work over the last twenty years has been a steady
evolution of ideas.  In 1995, she promoted Privacy-Enhancing
Technologies (PETs) with the Netherlands Data Protection Authority.
This term has been instrumental in guaranteeing the continued presence
of privacy protections by building them into technology. Later in the
decade, she argued for the concept of "privacy by design," a philosophy
in which privacy is embedded into the technology itself during
development, such that privacy and data protection become part of
designers' original goals. While this view has become more prominent,
Dr. Cavoukian was instrumental in its adoption.

In her current work, Dr. Cavoukian expands her idea of PETs into a new
concept, which she calls "PETs Plus." This concept is the idea that
privacy need not be part of a zero-sum model, in which increasing
privacy comes at a cost to efficacy. Instead, Cavoukian argues for a
positive-sum model, in which privacy can be increased alongside
security, or alongside business practices, so that focusing on data
protection has only net benefits for designers and implementers of

Many of the essays in Privacy by Design include examples of these PETs
Plus, and many of them are quite impressive. In her discussion of CCTV,
Dr. Cavoukian describes a new development in which people's images in
the video stream are encrypted. This allows a person to monitor the
video live for suspicious behavior without ever seeing anyone's
identity. If the video contains evidence of a crime, proper law
enforcement officials can decrypt that section, with a suitable audit
trail ensuring that only the necessary information is decrypted.

Another excellent PET Plus is a design from IBM for radio frequency
identification (RFID) tags that can be disabled or even reprogrammed by
the consumer, which would allow the tags to be useful in inventory and
sales management, while giving individuals the ability to decide
exactly how they will be used at home. Dr. Cavoukian also discusses an
advanced method for securing and encrypting biometric authentication
systems, and privacy-maximizing best practices for a number of security
processes, including CCTV, RFID in healthcare, and airport
searches. Privacy By Design is a must-read for anyone in the security
or privacy fields looking for the best approach to new technology.

--Jared Kaprove

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, Privacy Act, Federal Advisory Committee
Act, and Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events
Biometrics and the Law, Georgetown Law Center, Washington, DC, November
10, 2009.
For more information:

Louis Brandeis and the Development of the Right to Privacy, American
Constitution Society, Center for American Progress, Washington, DC,
November 10, 2009.
For more information:

Free Society Conference and Nordic Summit, Gothenburg, Sweden, November
13-15, 2009.
For more information:

UN Internet Governance Forum, Sharm El Sheikh, Egypt, November 15-18,
For more information:

Privacy 2010, Stanford, March 23 - 25, 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.21 ------------------------

