
EPIC Alert 16.23

                         E P I C   A l e r t
 Volume 16.23                                           December 3, 2009

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.


		"Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Files Appeal for NSA Network Surveillance Policy
[2] EPIC Files Lawsuit Regarding Passport Record Breaches
[3] EPIC, Coalition, and Experts Champion Privacy for Smart Grid Data
[4] European Countries Approve Sweeping Communications, Privacy Reform
[5] EPIC Complaint Prompts Defense Department to Drop Spyware Product
[6] News in Brief
[7] EPIC Bookstore: "Googled: The End of the World As We Know It"
[8] Upcoming Conferences and Events
	- Join EPIC on Facebook
	- Privacy Policy
	- About EPIC
	- Donate to EPIC
	- Subscription Information

[1] EPIC Files Appeal for NSA Network Surveillance Policy

EPIC filed an administrative appeal on November 24, 2009 with the National
Security Agency (NSA) over an ongoing Freedom of Information Act (FOIA)
request regarding national cybersecurity policy. EPIC has requested a
copy of National Security Presidential Directive 54 (NSPD 54) from the
agency. The Directive is a secret order issued by President Bush in
January 2008 restructuring the federal government's approach to

According to reports, the document established the Comprehensive
National Cybersecurity Initiative and greatly increased the NSA's
authority over security for both government and commercial networks. In
March 2009, the head of the Department of Homeland Security National
Cybersecurity Center resigned because he felt that he was unable to do
his job with the level of authority and influence that the NSA has over
his now-former office.

EPIC has requested the text of NSPD 54, the full text of any executing
protocols of the Cybersecurity Initiative, and any privacy policies and
contracts for information shared with third parties related to either
the Directive or the Initiative. The NSA has twice failed to
effectively respond to EPIC's request. Most recently, the agency
notified EPIC that it had located NSPD 54 and two other documents
responsive to EPIC's request, but failed to provide copies of any of

Instead, the agency withheld the Directive and referred the request to
the National Security Council, which is not subject to the
FOIA. The agency withheld the other two documents by asserting a number
of vague exemptions. EPIC has appealed these withholdings as improper
violations of the Act, as well as violations of President Obama's FOIA
guidelines, which require federal agencies to operate under a
"presumption of disclosure."  Once the agency has received EPIC's
appeal, it must respond within 10 working days.

NSPD 54 is of particular concern to policy makers because it creates
a secret and largely unaccountable framework for cyber security. EPIC
has argued that it is vitally important that the policy be made public.

EPIC: Administrative Appeal:

White House: Policy on Open Government:

Department of Justice: FOIA Guidelines Memo:

EPIC: Open Government:

[2] EPIC Files Lawsuit Regarding Passport Record Breaches

On November 24, 2009, EPIC filed a Freedom of Information Act (FOIA)
lawsuit against the United States Department of State. The lawsuit
arose from a 2008 FOIA request EPIC submitted to the Office of the
Inspector General for its full, unredacted report regarding several
high profile 2008 passport records breaches.

In the period leading up to the 2008 elections, there were numerous
reports that private contractors working for the State Department
snooped through the passport files of Presidential candidates,
celebrities, and others. The victims included Senators Hillary Clinton,
Barack Obama, and John McCain.

In July 2008, the Department of State's Office of Inspector General
(OIG) released a heavily redacted report prompted by the highly
publicized breaches. The internal watchdog of the State Department
"found many [institutional] control weaknesses relating to the
prevention and detection of unauthorized access to passport and
applicant information" and the subsequent disciplinary response.

The report, however, was highly redacted. In fact, only 6 of 22
recommendations were not completely redacted. The OIG used vague
language, like "consider", "determine the feasibility of", and
"evaluate" to recommend that the State Department implement
comprehensive strategies to address those weaknesses. The report also
recommended assessments of existing security controls, the provision of
in-house breach notification, and the extension of authorized access
policies to other agencies. In a limited review of 150 high-profile
people's passport files, the report found that 127 of 150 prominent
figures' files were accessed at least once; 42 files were viewed at
least 26 times.

In response to these redactions, EPIC filed a July 10, 2008 FOIA
request for the complete, unredacted report.  The Department of State
denied EPIC's request. When EPIC filed an appeal to challenge this
determination, the agency failed to respond. After exhausting all
administrative remedies, EPIC filed suit in Federal District Court.

EPIC's complaint:

EPIC's Senate Testimony on Passport Breaches:

EPIC: Passport Privacy:

State Department's Office of the Inspector General Recommendations:

[3] EPIC, Coalition, and Experts Champion Privacy for Smart Grid Data

EPIC, members of the Privacy Coalition, and privacy and security
experts urged a federal agency to establish Smart Grid safeguards that
protect consumer electricity usage information from unauthorized
collection, use, disclosure, or sale. The National Institute of
Standards and Technology, which is the federal agency taking comments,
requested comments on a report it produced addressing Smart Grid cyber
security. The report also addressed Smart Grid and privacy and
contained a privacy impact assessment.

EPIC's comment argued that Smart Grid networks, which uniquely identify
individual devices and appliances, create new privacy risks and could
reveal intimate details of home life. For instance, misuse of Smart
Grid data could lead to new forms of identity theft. The proposed
ability of the Smart Grid to coordinate power supply in real time could
reveal intimate, personal details about consumers' lives, such as their
medical needs, interactions with others, and personal habits.

Smart Grid data also presents the possibility of physical danger to
consumers, as criminals, domestic abusers, or stalkers could use the
data to monitor and spy on consumers. Finally, Smart Grid data can be
misused by both authorized and unauthorized parties. For instance,
authorized parties may misuse the data by mining it for sensitive

EPIC recommended that policies be established to safeguard consumer
privacy, including limitations on data collection, enforceable privacy
practices, new security standards, and independent oversight. EPIC
urged NIST to closely mirror fair information practices that have long
been established both in the United States and internationally, and to
abandon the "notice and consent" model of privacy protection. EPIC also
argued for an independent privacy oversight office. Finally, EPIC urged
NIST to verify techniques for the anonymization of data and to
establish robust cryptographic standards.

EPIC Comments:

EPIC: Smart Grid and Privacy:

Privacy Coalition:

National Institute of Standards and Technology:

[4] European Countries Approve Sweeping Communications, Privacy Reform

On November 24, the European Parliament established new Internet
policies, including a right to Internet access, net neutrality
obligations, and stronger consumer protections. EU citizens will
benefit from these reforms, which will enhance competition in Europe's
telecoms markets, improve internet coverage throughout Europe, and
strengthen the right to privacy with respect to telecoms operators.
EU's Telecoms Commissioner Viviane Reding remarked, "a true single
market for Europe's telecoms operators and consumers is now within

In a press release, Reding identified the twelve most prominent reforms
in the EU Telecoms Reform package. Most of the twelve listed reforms
focus on transparency and consumer protections. These reforms include
provisions that require better consumer information in consumer
contracts and protecting consumers against personal data breaches.

Under the ePrivacy directive, communications service providers will
also be required to notify consumers of security breaches, persistent
identifiers ("cookies") will become opt-in, there will be enhanced
penalties for spammers, and national data protection agencies will
receive new enforcement powers.

The amended directive takes effect with publication on December 18 in
the EU Official Journal. Member states then have 18 months to transpose
the Directive into national law. The new reforms also require that a
European Body of Telecoms Regulators be established by spring of 2010.

EPIC Privacy Law Sourcebook:

Europe's Information Society: Reforming the Current Telecom Rules:

Press Release: 12 Most Prominent EU Telecoms Reforms:

Amended ePrivacy Directive:

[5] EPIC Complaint Prompts Defense Department to Drop Spyware Product

Documents obtained by EPIC, pursuant to a Freedom of Information Act
(FOIA) request, revealed the Defense Department canceled a contract
with a parental control software company due to privacy concerns. In
October 2009, the Army and Air Force Exchange Service (AAFES) agreed to
provide for sale to military families "My Military Sentry," a software
product sold by Echometrix. My Military Sentry is parental control
software that monitors the activity of military children online.
Echometrix also analyzes the information collected from children and
sells the data to third parties for market-intelligence research.

Following a complaint to the Federal Trade Commission earlier this year
about privacy concerns with Echometrix products, EPIC filed a FOIA
request with the Department of Defense for contracts and correspondence
between the AAFES and Echometrix relating to My Military Sentry. The
agency provided to EPIC a six-page contract and sixty-five pages of
e-mail correspondence.

According to the documents obtained by EPIC, the AAFES expressed
concern about Echometrix's information collection practices. In one
email, the AAFES stated, "I was forwarded the attached complaint
submitted to the [Federal Trade Commission] by EPIC. It is very
unfortunate that you did not inform me of this issue. Our customer's
privacy and security is very important to us, and we trust our Mall
Partners to maintain the security of our customers." Echometrix
responded that "there is no matter with the [Federal Trade Commission]
to resolve."

The AAFES had established a strong privacy policy for military families
that purchase products through the Online Mall, managed by the Defense
Department office. The privacy policy states that use of customer
information is prohibited "except to provide quality service."
Documents obtained by EPIC revealed that after a phone call with the
Echometrix Chief Executive Officer to discuss the company's information
collection practices, the AAFES decided to remove the Echometrix
product from its website.

In a final email to Echometrix, an AAFES manager explained: "The
collection of AAFES customer information (personal or otherwise) for
any other purpose than to provide quality customer service is
prohibited … Giving our customers the ability to opt out does not
address this issue."

The Federal Trade Commission complaint cited in the AAFES email was
filed by EPIC on September 25, 2009. The EPIC complaint alleged that
Echometrix violated the Children's Online Privacy Protection Act and
the Federal Trade Commission Act by collecting information from
children through its Sentry Parental Controls products and selling the
data to third parties for market-intelligence research purposes. The
Commission has not yet responded to the complaint.

EPIC: In re Echometrix:

EPIC FTC Complaint:

EPIC FOIA Request:

Excerpts from FOIA Documents Sent by AAFES:

[6] News in Brief

DHS Announces "Global Entry" Biometric Identification

The Department of Homeland Security proposed this week to make
permanent Global Entry, a program the agency says will "streamline the
international arrivals and admission process at airports for trusted
travelers through biometric identification." Under the proposed system,
pre-registered international travelers can bypass conventional security
lines by scanning their passports and fingerprints at a kiosk,
answering customs declaration questions, and then presenting a receipt
to Customs officials. The DHS announcement follows the recent news that
Clear, a Registered Traveler program administered through the
Transportation Security Administration, had entered bankruptcy, raising
questions about the possible sale of the biometric database that was
created. In 2005, EPIC testified before Congress that the absence of
Privacy Act safeguards for Registered Traveler programs would
jeopardize air traveler privacy and security. The agency is taking
comments on the proposal.

Global Entry

DHS Press Release

Federal Register: Proposed Rule

EPIC: Biometrics

EPIC: Air Travel Privacy

ENISA Report Examines Cloud Computing and Privacy

The European Network and Information Security Agency has released a new
report on Cloud Computing. The ENISA report recommends that European
officials determine the application of data protection laws to cloud
computing services. The report also considers whether personal data may
be transferred to countries lacking adequate privacy protection,
whether customers should be notified of data breaches, and rules
concerning law enforcement access to private data. Earlier this year,
EPIC filed a complaint with the Federal Trade Commission, urging the
Commission to examine the adequacy of privacy safeguards for cloud
computing services. A subsequent letter by computer researchers,
addressed to Google Chief Executive Officer, Eric Schmidt, raised
similar concerns.

ENISA Report:

EPIC: Cloud Computing:

EPIC: Cloud Computing & Google:

Letter to Google:

European Network and Information Security Agency:

EPIC Prepares for Annual Privacy Coalition Meeting

The 15th Privacy Coalition annual meeting will be held January 21, 2010
in Washington, D.C. Speakers confirmed so far include Alex Joel (Civil
Liberties Protection Officer, Office of the Director of National
Intelligence), and Nancy Libin (Chief Privacy Officer, United States
Department of Justice). Many more speakers and attendees are in the
works and will be announced as the event draws nearer. Contact Lillie
Coney at for more information.

Privacy Coalition:

Office of the Director of National Intelligence:

United States Department of Justice:

Congressional Research Service Reports on Advertising in Digital Age

The Congressional Research Service issued a report discussing the
advertising industry in the digital age. The report is in response to
the shifting structure of the advertising market from print,
television, and radio advertising to online advertising. Lawmakers are
now forced to consider how to update advertising laws in this Internet
age, "without stifling growth or unduly hurting media outlets dependent
on advertising revenue."  The report identifies behavioral advertising
as one of the main concerns of consumers with respect to digital
advertising. Representative Boucher plans to address this concern by
introducing legislation that would impose stricter online privacy
standards on advertisers. The advertising industry, however, is opposed
to such regulation, arguing that the industry should remain
self-regulated. Whatever the outcome of pending regulatory and
legislative initiatives, the report concludes "consumers must figure
out how to determine the value and veracity of advertising and media,
as regulators determine how to craft a workable oversight system [in
the digital world]."

CRS Report on Advertising in the Digital Age:

EPIC: Deep Packet Inspection and Privacy:

EPIC: Google/DoubleClick Merger:

Facebook to Change Privacy Controls, Issues Still Remain

Facebook CEO Mark Zuckerberg announced a number of changes to the
social networking site's privacy controls. The company will eliminate
regional networks, online communities for a school, workplace, or
geographical area. The company will also add settings for users to
decide who can see individual content that is created or uploaded.
Further, in an effort to simplify the privacy settings page, many of
the settings will now be combined. Facebook will prompt users to review
and update their privacy settings in the coming weeks, suggesting
privacy settings based on a user's current settings. One main concern
with this process is that when Facebook removes the network-based
privacy option, users may automatically be opted in to disclosure by
having their privacy settings default to "everyone", rather than having
a default with the highest privacy settings.

EPIC, Quoted in TechNewsWorld Article on Facebook Privacy Settings:

Open Letter from Mark Zuckerberg:

EPIC: Facebook Privacy:

Federal Trade Commission to Host First Privacy Roundtable

On December 7, the Federal Trade Commission will host the first of
three privacy roundtables on consumer privacy.  These discussions will
explore many issues, including consumer information collection,
information management practices, new business practices, and the
adequacy of existing privacy laws. Roundtable participants will include
privacy and technology experts, including EPIC president Marc
Rotenberg. The meetings are open and public comments are encouraged.
EPIC has supported the FTC's privacy mission, but has also said that
the agency needs to do more to safeguard consumer privacy.

FTC: Exploring Privacy: A Roundtables Series:

FTC Invitation to Comment:

EPIC Letter to Senate Commerce Committee: FTC Reauthorization Hearing:


Senate Judiciary Committee Holds DHS Oversight Hearing

The Senate Judiciary Committee will hold a full committee hearing this
week to consider the activities of the Department of Homeland
Security (DHS). Committee Chairman Patrick Leahy (D-Vt.) has called for
an oversight hearing, in which Department of Homeland Security
Secretary Janet Napolitano will testify before the Committee. This will
be Secretary Napolitano's second time appearing before the Committee
since assuming the role earlier this year. In a letter to a House
oversight committee, EPIC and members of the Privacy Coalition said
that the DHS Privacy Office is failing to safeguard the privacy rights
of Americans and cited the Fusion Center program, Whole Body Imaging,
CCTV systems, and the ineffective enforcement of Privacy Act
safeguards. EPIC has asked Congress to consider alternative means of
oversight for the agency.

EPIC: DHS and Privacy:

EPIC's Letter to the DHS Chief Privacy Officer:

Senate Judiciary Committee: DHS Oversight Hearing and Webcast:

Leahy To Chair Department Of Homeland Security Oversight Hearing:

[7] EPIC Bookstore: "Googled: The End of the World As We Know It"

"Google takes seriously its motto, 'Don't be evil.' But because we're
dealing with humans not algorithms, intent sometimes matters less than
effect."

In "Googled: The End of the World As We Know It", Ken Auletta chronicles
the ascension of Google as a new media company and its transformative
effect on the way people live and work. Culling stories from more than
two years of interviews and access to closed-door meetings, Auletta
reports on the innovative philosophy and pioneering engineers that have
spurred the creation of a wide variety of successful products.

However, as Auletta explains, the same strengths that have allowed
Google to become a dominant new media force are also a source of
weakness. Google's singular strength lies in its unrivaled mountains of
data culled from web searches and other user data. Google's cofounders
"often say that their ideal is to have so much information about their
users that Google can devise an algorithm that provides a single
perfect answer" to search queries. However, that strength leaves Google
vulnerable to other challenges: "Google depends for its continued
success on users and governments that trust it will not abuse this

Auletta reports that one reason users and governments may distrust
Google's use of data derives from Google's flippant attitude towards
privacy. In a chapter entitled "Waking the Government Bear," Auletta
explains how the Center for Digital Democracy and EPIC helped catalyze
government inquiry into Google's activities, specifically its proposed
merger with online advertising giant DoubleClick.

Auletta examines both sides of the Google privacy debate: from the
privacy advocate's perspective, "the central question should not be,
'Is Google invading people's privacy?' Rather it should be, 'Why does
Google need to collect all of this information?'" From Google's
perspective, many privacy concerns are "irrational fears that all of a
sudden [Google would] do evil things."

Although Auletta does not editorialize regarding Google's privacy
issues, he argues that privacy is one of the many obstacles that Google
will have to avoid in order to continue "surfing a huge wave that seems
not to have crested." Only by protecting users' privacy and otherwise
maintaining its "deposit of public trust" can Google continue to be a
"company that has swept so swiftly across the media horizon."

--Matthew Phillips

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully
updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Law in Cyberspace:  Legal Blogging & the Courts, Northwestern School of
Law, Chicago, IL, 4th Annual Judicial Symposium on Civil Justice
Issues, December 7, 2009.
For more information:

FTC Privacy Roundtable: Exploring Existing Regulatory Frameworks,
FTC Conference Center, Washington, DC, December 7, 2009.
For more information:

"Reconceptualizing the FTC's Understanding of Privacy", Willard Hotel,
Washington, DC, IAPP Conference, December 8, 2009.
For more information:

Annual Privacy Coalition meeting, EPIC, Washington, DC,
January 21-23, 2010.
For more information:

"Reader Privacy: Should Library Standards Apply Online?," University
of North Carolina, Chapel Hill, January 22, 2010.

Data Privacy Day, January 28, 2010.
For more information:

"Computers, Privacy, and Data Protection: An Element of Choice,"
Brussels, Belgium, January 29-30, 2010.
For more information:

RSA 2010, San Francisco, March 1-5, 2010.
For more information:

Association for Practical and Professional Ethics, Cincinnati,
March 5, 2010.
For more information:

Privacy 2010, Stanford, March 23 - 25, 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.23 ------------------------

