You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

EPIC Alert 16.24

                            E P I C   A l e r t
Volume 16.24                                          December 18, 2009

                           Published by the
               Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


					"Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Files Facebook Privacy Complaint with Trade Commission
[2] EPIC Files Suit Against DOJ About Whole Body Imaging Documents
[3] EPIC Supports Privacy Safeguards for Genetic Information
[4] Google Expands Control of Internet Architecture
[5] Supreme Court Grants Cert in Workplace Privacy Case
[6] News in Brief
[7] EPIC Bookstore: "Change of State: Information, Policy, and Power"
[8] Upcoming Conferences and Events
 - Join EPIC on Facebook
	- Privacy Policy
	- About EPIC
	- Donate to EPIC
	- Subscription Information

[1] EPIC Files Facebook Privacy Complaint with Trade Commission

The Electronic Privacy Information Center (EPIC), joined by nine
privacy and consumer organizations, filed a complaint with the
Federal Trade Commission (FTC) charging that Facebook’s recent
changes to user privacy settings violate federal consumer protection

The EPIC complaint urges the Trade Commission to open an
investigation into the recent changes made by Facebook to the
privacy settings of Facebook users and to require Facebook to
restore privacy safeguards.

On November 19 and December 9, Facebook changed key privacy settings
and required Facebook users to go through a "transition tool" before
they could obtain access to their accounts.

According to the EPIC complaint, far more user information became
publicly available as result of this change. EPIC also said that
more personal information will become available to third party
application developers as a result of the changes to the privacy

The EPIC complaint cites widespread opposition to the changes by
Facebook users, news organizations, bloggers, and security experts.
Ed Felten, a security expert and Princeton University professor,
wrote, "As a user myself, I was pretty unhappy about the recently
changed privacy control. I felt that Facebook was trying to trick me
into loosening controls on my information." Danny Sullivan, the
editor of Search Engine Land and an expert in search engine design,
wrote on his blog, "I was disturbed to discover things I previously
had as options were no longer in my control."

The EPIC complaint also cites the creation of new Facebook user
groups, such as "Against The New Facebook Privacy Settings!" and
"Facebook! Fix the Privacy Settings."

Among the organizations supporting the EPIC complaint are the
American Library Association, the Center for Digital Democracy, the
Consumer Federation of America, FoolProof Financial Education,
Patient Privacy Rights, Privacy Activism, the Privacy Rights Now
Coalition, the Privacy Rights Clearinghouse, and the U. S. Bill of
Rights Foundation.

Previous EPIC complaints to the FTC have led to the largest judgment
in the Commission’s history, substantial changes to online
authentication techniques, and the recent decision of the Department
of Defense to stop selling a spyware program to military families.

EPIC’s Complaint: "In re Facebook," filed December 17, 2009:

Background on EPIC Complaint: "In re Facebook":

EPIC: Facebook and Privacy:

FTC: "ChoicePoint Settles Data Security Breach Charges; to Pay 
$10 Million in Civil Penalties, $5 Million for Consumer Redress"

FTC: "Microsoft Settles FTC Charges Alleging False Security 
and Privacy Promises":

[2] EPIC Files Suit Against DOJ About Whole Body Imaging Documents

On December 17, 2009, EPIC filed a Freedom of Information Act
(FOIA)lawsuit against the United States Department of Justice. The
lawsuit arose from a July 2009 FOIA request EPIC submitted to the
United States Marshals Service (USMS), a component of the DOJ, for
records of Whole Body Imaging.

Whole body imaging technology was originally introduced in 2007, when
the Transportation Security Administration (TSA), a component of
Department of Homeland Security, began testing the imaging technology
to screen travelers.  These machines produced detailed,
three-dimensional images of individuals' naked bodies and are being
used at airport security checkpoints, court houses, and correctional

While TSA originally provided assurances that the technology would not
be mandatory for passengers and would include a privacy algorithm that
blurred faces, the agency later withdrew these assurances. In April
2009, the agency announced plans to expand the mandatory use of body
imaging to all U.S. Airports. This means that Whole Body Imaging
devices will replace metal detectors at the primary screening devices
in US airports. As a consequence, the TSA could obtain naked pictures
of every airline passenger, including children, who travel from a US

In response to TSA's expansion of the program, the U.S. House of
Representatives passed H.R. 2200, a bill that would limit the use of
whole body imaging systems at airports. The measure is still pending
in the Senate.

TSA's website also states that the machines are being used in U.S.
Federal Courts, including at least one court in Virginia. The USMS,
which is responsible for coordinating "the installation of complex
electronic security systems to protect federal judges, courthouse staff
members and the physical court facilities," would be in control of
these Whole Body Imaging machines. In light of this, EPIC submitted a
FOIA request to the USMS for documents related to the Whole Body
Imaging machines, including the images that the machines capture, the
contracts with the manufacturer of the machines, and information about
technical specifications and training materials.

The USMS replied to EPIC's request, stating that it had searched USMS
headquarters - but not the Virginia court(s) where the machines are
housed. In response, EPIC filed suit, arguing that the USMS had not
performed a sufficient search and should find, and disclose, the

EPIC's Complaint:

EPIC: Whole Body Imaging:

TSA: Whole Body Imaging:

H.R. 2200:
Privacy Coalition Letter Regarding Whole Body Imaging:

DHS Response to Privacy Coalition Letter:

[3] EPIC Supports Privacy Safeguards for Genetic Information

EPIC filed comments with the Department of Health and Human Services
(HHS), advising the federal agency to strengthen the requirements for
classifying data as "de-identified" under the Health Insurance
Portability and Accountability Act (HIPAA) Privacy Rule. EPIC's comment
focuses on the risks of re-identification of information when
de-identification techniques are not adequate.

HHS proposed a rule that would clarify HIPAA and the Genetic
Information Nondiscrimination Act, by providing that genetic
information is "health information" and prohibiting the use of such
information for underwriting purposes or other discriminatory purposes.
Group health plans and issuers would no longer be allowed to increase
premiums, deny enrollment, or impose pre-existing condition exclusions
based on the results of an enrollee's genetic information. The rule,
according to HHS Secretary, will increase "[c]onsumer confidence in
genetic testing[, which] can now grow and help researchers get a better
handle on the genetic basis of diseases."

EPIC supports this proposed regulation but warned that HIPAA's safe
harbor provision for de-identified data could undercut privacy
safeguards unless the techniques were shown to be "robust, scalable,
transparent, and provable." The Privacy Rule currently exempts
de-identified health information from the rules governing the uses and
disclosure of protected health information, or individually
identifiable health information.

HIPAA's standard for de-identification affords HIPAA-covered entities
wide discretion in determining whether health information is
identifiable and therefore subject to HIPAA privacy obligations.
According to EPIC's comment, granting such authority poses many
concerns, namely because de-identified data is only anonymous to the
extent that outside information is not obtained which would allow
individuals to be linked to that record.

EPIC's Comment:

HHS News Release:

HIPAA Privacy Rule:

HHS Interim Final Rule:

Genetic Information Nondiscrimination Act:

[4] Google Expands Control of Internet Architecture

Google announced Google Public DNS on December 8, a new service which
would allow users to use Google's servers as a sort of "phonebook" for
internet addresses, instead of the servers provided by their internet
service provider. The internet phonebook is a system called the Domain
Name System, or DNS. When users access the internet, all requests for
website addresses pass through this system.

For example, when a user types "" in the address bar of
their browser, the computer must send that request to a DNS server,
which will return the IP address that identifies the server hosting the
requested address (e.g. By default, most user's
computers are configured to use the DNS servers provided by their
Internet Service Provider. These requests would normally pass through
these servers. Instead, those who have configured their computer to use
Google's new DNS service will send their request to Google's servers.

Google joins at least two other companies offering free DNS
alternatives, although Google is the first of these companies to also
have so many other services in various layers of the internet
architecture. By tradition, DNS is a distributed function, subject to
an open standard-setting process and part of the generally distributed
nature of the internet. A new authentication standard is in the works,
called the Domain Name System Security Extensions (DNSSEC). Google's
DNS service does not use the new authentication standard, but instead
uses a proprietary security method.

Google Public DNS:

Google Public DNS Announcement:

DNSSEC Official Site:


[5] Supreme Court Grants Cert in Workplace Privacy Case

The Supreme Court agreed to decide whether government employees have a
constitutional right to keep text messages private. The case, City of
Ontario v. Quon, is the most important privacy case that the Court has
agreed to hear this term.

The basic issue, whether government employees have a constitutional
right to keep text messages private, will hinge on whether employees
have a "reasonable expectation of privacy" when they text while at
work. The Court will also examine whether government workers' rights
are less extensive if they use government-owned pagers. There are
special constitutional rules for public employees. The Supreme Court
has previously recognized some workplace privacy for public employees,
but warned that government workers' privacy rights aren't absolute.

The case involves Ontario city officials who reviewed text messages
sent by a SWAT team member to his mistress, and also messages he sent
to his wife. Official police policy states that officers have no
privacy in text messages. However, there was an informal policy of not
examining officers' messages as long as they didn't abuse the

The Ninth Circuit held that users of text messaging services ordinarily
have a constitutional expectation of privacy in the contents of their
text messages. It held that the police department's informal policy of
not examining officer's text messages made the officer's expectation of
privacy in those messages reasonable. But, the court did not make clear
whether the department's policies are relevant only because of the
special constitutional rules for public employees.

The lower court's decision provides strong protections for workplace
privacy. EPIC believes it is important for people to be able to keep
their personal lives private, even while at work. Quon also raises
interesting issues for people who send texts to government employees -
it's critical that their privacy be respected too.

Supreme Court order agreeing to hear the case:

Ninth Circuit opinion:

EPIC: Workplace Privacy:

[6] News in Brief

EPIC's Lillie Coney Appointed to Election Advisory Committee

House Speaker Nancy Pelosi appointed EPIC Associate Director and
leading election reform advocate, Lillie Coney to the Election
Assistance Commission (EAC) Board of Advisors.  EAC is an
independent, bipartisan commission charged with developing guidance
to meet Help America Vote Act requirements, adopting voluntary
voting system guidelines, and serving as a national clearinghouse of
information about election administration. The EAC also accredits
testing laboratories and certifies voting systems, as well as audits
the use of HAVA funds. Ms. Coney leads EPIC’s voting project and has
worked on developing voting technology standards,
statewide-centralized voter registration systems with privacy
safeguards, and voter identification policy.

EPIC: Lillie Coney:

EPIC Voting Privacy Page:

White House Releases Open Government Directive 

The White House announced a new Directive to promote transparency,
collaboration, and accountability across the federal government. The
Directive builds on President Obama's Open Government Memo, issued in
January 2009. The Directive will establish benchmarks, and require
agencies to create new websites and plans to promote transparency.
Competitions are also planned. EPIC submitted comments on the
Directive, calling for both stronger privacy safeguards and greater

EPIC: Open Government:

White House:

White House Blog Announcement:

Text of Open Government Directive:

President Obama's Open Government Memo:

EPIC: Comment:

Media Shield Law Moves Forward in Senate The Free Flow of Information

Act of 2009 was passed by the Senate Judiciary Committee with a vote of
14-5 and has been sent to the full Senate for a vote. The bill will
make it more difficult to compel journalists to disclose information,
including the identities of their sources, by requiring the government
or other party requesting disclosure to demonstrate that the
information sought is "essential" to a case and that all reasonable
alternatives have been exhausted before a judge will consider ordering
disclosure. A version of the bill was passed by the House earlier this

Free Flow of Information Act of 2009:

Senate Judiciary Committee Press Release:

House Version of the Bill:

EPIC: Privileges:

House Passes Data Breach Bill

On December 11, legislators in the House of Representatives passed the
Data Accountability and Trust Act, which requires security policies for
consumer information, regulates the information broker industry, and
establishes a national breach notification law. The bill now moves to
the Senate, which is also considering a similar measure sponsored by
Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified
before Congress, urging lawmakers to strengthen the proposed law by
adopting a broader definition of "personally identifiable information"
and permitting stronger state laws to remain.

House: Text of the Data Accountability and Trust Act:

Senate: Text of the Personal Data Privacy and Security Act of 2009:

EPIC: Marc Rotenberg's Testimony:

EPIC: Identity Theft:

FTC Considers Emerging Privacy Concerns at First Privacy Roundtable 

The Federal Trade Commission held the first of three privacy
roundtables this week in Washington, DC. The well-attended event
featured privacy and security experts from around the country, with
each panel consisting of at least one industry representative and one
privacy advocate. The failure of the current notice and choice model,
the need to regulate behavioral targeting, concerns about government
access to data, and the high privacy expectations of consumers were
among recurring topics throughout the day. EPIC's Marc Rotenberg said
it was important for the Commission to focus on emerging business
practices and the impact on consumer privacy. The second privacy
roundtable will be held on Data Privacy Day - January 28, 2010 - at the
University of California, Berkeley School of Law. The FTC welcomes
comments from the public in advance of the roundtable.

FTC: Privacy Roundtables:

FTC: Privacy Roundtables Agenda:

Data Privacy Day:

FTC: Comment Submission:

[7] EPIC Bookstore: "Change of State: Information, Policy, and Power"

To purchase:

Sandra Braman's new book posits the end of the bureaucratic welfare
state in America and its replacement with what Braman terms the
"informational state." In a comprehensive approach to the this new
state, she explains that, because information is the key to power in
modern society, information policy now governs the overall power
structure. Braman carefully and deliberately lays out the analysis, and
then argues that this shift negatively affects society.

Braman spends a good portion of the work describing the scope of
informational policy, first detailing a history of information policy
and its precursors from the time of the American Revolution to the
present, then outlining the current scope from the political and social
perspectives in addition to that of the individual. Once she has
defined the boundaries of what she means by "information policy,"
Braman discusses twenty different constitutional principles and how
they affect the areas within these boundaries. She identifies these
principles as explicit in the text, explicit in the amendments, and
implicit in the "penumbra," and includes such principles as Due
Process, Privacy, Open Government, and the Right to Receive

After establishing her constitutional basis, Braman moves into her
argument: that the changes in the information state harm society. She
makes this argument from four perspectives: Identity, Structure,
Borders, and Change. As a matter of Identity, Braman highlights the
ways that the government and corporate entities have become collectors
of personal information, making it difficult for individuals and groups
to maintain their own identities. Structurally, Braman argues that the
increasing complexity of information policy makes it difficult to
effectively regulate. From the Border perspective, the author
discusses informational borders, rather than physical ones, blocking
transfer of information through social and technological means.
Finally, Braman presents her perspective on Information Policy and
Change, arguing that regulations of information hinder social progress
and limit constitutional freedoms.

Braman closes her work with a return to the constitutional principles
outlined at the outset and answers several questions that she has posed
over the course of the text. The piece provides a very intense
analysis on the past several years of information policy, and is an
excellent choice for those wishing to further study the concept.

--Jared Kaprove

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Annual Privacy Coalition meeting, EPIC, Washington, DC,
January 21-23, 2010.
For more information:

"Reader Privacy: Should Library Standards Apply Online?," University
of North Carolina, Chapel Hill, January 22, 2010.

Data Privacy Day, January 28, 2010. 
For more information:

FTC Privacy Roundtable: Exploring Privacy, A Roundtable Series,
University of California, Berkeley, School of Law, Booth Auditorium, 
Boalt Hall, Berkeley, CA, January 28, 2010. 
For more information:

"Computers, Privacy, and Data Protection: An Element of Choice,"
Brussels, Belgium, January 29-30, 2010.
For more information:

RSA 2010, San Francisco, March 1-5, 2010.
For more information:

Association for Practical and Professional Ethics, Cincinnati,
March 5, 2010.
For more information:

Privacy 2010, Stanford, March 23 - 25, 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 16.24 ------------------------


Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security