You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

EPIC Alert 17.01

                            E P I C   A l e r t
Volume 17.01                                            January 15, 2010

                           Published by the
               Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


		  "Defend Privacy. Support EPIC."

Table of Contents
[1] Christmas Day Attack Prompts Renewed Debate about Body Scanners
[2] Documents Prove that Scanners Record, Store, and Transmit Images
[3] FTC Tells FCC that it is Pursuing EPIC's Cloud Computing Complaint
[4] EPIC Files Supplemental Complaint Regarding Facebook
[5] Google to Stop Filtering Search Results in China
[6] News in Brief
[7] EPIC Bookstore: "Media Ownership and Concentration in America"
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends

[1] Christmas Day Attack Prompts Renewed Debate about Body Scanners

On December 25, 2009, a Nigerian man named Umar Farouk Abdulmutallab
concealed explosives in his underwear and attempted to detonate them on
a Northwest Airlines flight from Amsterdam to Detroit. The attempt was
unsuccessful, thanks in part to the efforts of other passengers. The
public response to the incident has reignited the debate over airport
security, especially body scanners.

In the days following the attack, some advocated for wider
implementation of whole body imaging machines. Privacy organizations
and others have continued to object to these devices, citing the
invasive nature of the scans, the ineffectiveness of the machines, and
the  lack of government transparency concerning privacy safeguards.

In a series of responses to the American public, President Obama and
Homeland Security Secretary Janet Napolitano have hesitated to put
forth body scanners as a wholesale solution to the problem. Instead
they have focused primarily on the "failure to integrate and understand
the intelligence we already had," and recommended "smarter screening."
Obama noted that "There's no silver bullet to securing the thousands of
flights into America each day."

The President pledged to investigate and address intelligence failures
that allowed an Al Qaeda operative to board a plane with an explosive
device. President Obama stated "this was not a failure to collect
intelligence, it was a failure to integrate and understand the
intelligence we already had." The President said that steps would be
taken to improve watch lists.

Currently the Transportation Security Administration (TSA) operates
forty of the whole-body imaging machines at nineteen domestic
airports as a secondary screening tool. In the wake of the attempted
attack, the agency has ordered 150 more, and secured funding for
another 300, as part of a plan to begin implementing the machines as a
primary screening tool, instead of reserving them for secondary
screening only, as had been the original policy. Britain, the
Netherlands, France, and Italy have all announced their intention to
install the scanners at their own airports as well, although the
European Union's justice commissioner-designate has urged the European
Parliament to look at less intrusive methods of screening.

Reactions around the world are mixed. In widely reported remarks,
Viviane Reding, the Justice Minister for the 27-member European Union,
expressed opposition to the US proposal to deploy body scanners.
Minister Reding told the European Parliament, "Our citizens are not
objects. They are human beings." Ms. Reding also emphasized data
protection and the Charter of Fundamental Rights, which establishes new
rights for EU citizens, including a right to information privacy.
Previous post-9/11 disputes between the US and the EU have involved the
transfer of Passenger Name Records and financial information.

EPIC: Whole Body Imaging

EPIC: Whole Body Imaging Documents Obtained by FOIA from TSA

EPIC: Open Government

TSA: Imaging Technology

Privacy Coalition: Stop Whole Body Imaging

[2] Documents Prove that Scanners Record, Store, and Transmit Images

This week, EPIC obtained documents that prove that whole body imaging
machines can record, store, and transmit images.  This contradicts
repeated assurances made by the TSA on its website and in the media.

These documents were obtained as part of a Freedom of Information
lawsuit against the Department of Homeland Security. The lawsuit was
filed over a request that EPIC originally submitted to the Department
of Homeland Security in April 2009.

EPIC submitted the FOIA request after the TSA unilaterally decided to
replace metal detectors with body scanners, over the objections of air
travel organizations, security experts, and members of the United
States Congress. In fact, more than 300 members of Congress voted for
legislation to stop the deployment of body scanners as the primary
screening device.

The documents obtained by EPIC include TSA Procurement Specifications,
TSA Operational Requirements, a TSA contract with L3, and two TSA
contracts with Rapiscan . The DHS has withheld other documents that
EPIC is seeking.

The documents state that an unspecified number of Level Z users can
exercise the full storage and data transfer capabilities of the
machines. These users can turn off image privacy filters, export raw
image data, and access test mode. Test mode allows the user to transfer
raw image data in real time to a USB device.  These documents also
reveal that there are numerous security threats inherent in the WBI
machines' design.  The WBI machines are subject to outside security
threats because they employ Windows XP operating system and the
Ethernet network.

Contrary to TSA's claims about WBI machines, these documents make clear
that the WBI machines are designed to allow for the production of
images with no privacy filters and to allow for the storage and
transfer of those images. The capability to create unfiltered images
and to store and transmit those images was expressly required by TSA in
its Operational Requirements and Procurement Specifications.

EPIC is continuing to pursue the unreleased documents that are
responsive to its April 2009 request, as well as another related
request to the Department of Homeland Security.

The documents obtained by EPIC from the DHS concerning the actual
operation of the  body scanners has been widely report in the national
and the international meda, including CNN and The New York Time.

The Canadian Civil Liberties Association has also obtained a copy of a
redacted report by the Canadian Air Transport Security Authority
regarding a pilot project that was done with WBI machines. 

TSA, Procurement Specifications Document (September 23, 2008)

TSA, Operational Requirements Document (July 2006)

TSA, Contract with L3

TSA, Contract with Rapiscan (1)

TSA, Contract with Rapiscan (2)

Canadian Air Transport Security Authority, report on WBI machines

[3] FTC Tells FCC that it is Pursuing EPIC's Cloud Computing Complaint

In response to a Federal Communications Commission (FCC) Notice of
Inquiry into how broadband relates to cloud computing and privacy, the
Federal Trade Commission (FTC) announced it is investigating the
privacy implications of cloud computing for consumers. The FTC, which
shares jurisdiction with the FCC over broadband issues, is now urging
the FCC to consider the privacy implications of cloud computing in
formulating the National Broadband Plan, due to Congress next month.

The FTC's interest in cloud computing was prompted by an EPIC complaint
to the FTC in March 2009, in which EPIC described numerous privacy and
security risk involving cloud-based applications. More specifically,
the complaint asked the FTC to investigate Google's cloud computing
services and to determine the adequacy of the company's privacy and
security safeguards.

A subsequent letter from computer researchers and security experts
supported EPIC's findings. The letter, written to Google's CEO Eric
Schmidt, asked the company to "honor the important privacy promises it
has made to its customers and protect users' communications from theft
and snooping by enabling industry standard transport encryption
technology (HTTPS) for Google Mail, Docs, and Calendar." The letter
was signed by 38 researchers and academics in the fields of computer
science, information security and privacy law.

In a filing to the FCC, David Vladeck, head of FTC's consumer
protection bureau, recognized the cost-saving value of cloud computing
services. At the same time, Vladeck and the FTC believe such services
raise privacy and security concerns for consumers: "For example, the
ability of cloud computing services to collect and centrally store
increasing amounts of consumer data, combined with the ease with which
such centrally stored data may be shared with others, create a risk
that larger amounts of data may be used by entities not originally
intended or understood by consumers."

FCC: National Broadband Plan

EPIC, Cloud Computing Complaint (March 17, 2009)

EPIC, Letter to Google Regarding Cloud Computing (June 16, 2009)

FTC, Filing for FCC Notice of Inquiry (December 9, 2009)

EPIC: Cloud Computing 

[4] EPIC Files Supplemental Complaint Regarding Facebook

On January 14, 2010, EPIC filed a supplemental complaint to the Federal
Trade Commission (FTC) discussing Facebook's recent privacy changes.
The supplemental complaint provides further evidence of Facebook's
ongoing "unfair and deceptive trade practices" and relates to CEO Mark
Zuckerberg's public statements, the most recent version of the Facebook
for iPhone application, Facebook Connect, and "web-suicide"

The supplemental filing comes after Facebook made public statements
implying that the FTC approved the privacy changes. The original
complaint alleged that the Facebook privacy "changes violate user
expectations, diminish user privacy, and contradict Facebook's own
representations." Subsequent to the original FTC filing, Facebook
spokespersons made several public statements, asserting, "We discussed
the privacy program with many regulators, including the FTC, prior to

EPIC filed a Freedom of Information Act (FOIA) request with the Federal
Trade Commission, seeking communications with Facebook discussing
the site's recent privacy changes. Specifically, EPIC requested
documents pertaining to the communications Facebook allegedly had with
the federal agency.

Shortly after EPIC filed the FOIA request, FTC Chairman Jon Leibowitz
denied Facebook's assertions that the federal agency approved
Facebook's privacy changes. He stated, "We aren't generally in the
business of giving general advisory opinion in advance. I certainly
don't think anyone would suggest that we would pre-clear their new
privacy policy. It may be good. It may be better or it may not be
better. But we aren't the film industry; we don't greenlight like the
film industry does."

EPIC, Supplemental Complaint (January 14, 2010)

Facebook, statements regarding FTC complaint (January 14, 2010)

EPIC, Facebook FOIA request (December 23, 2009)

Chairman Leibowitz's statement:

EPIC: In re Facebook:

[5] Google to Stop Filtering Search Results in China

Google has announced that it will no longer censor results on the
Chinese version of its search engine,, after discovering
serious security breaches on its corporate cloud infrastructure
originating from China.

Chinese law requires Internet companies to install Internet filters,
and up until now Google has complied. According to Human Rights Watch,
China has enacted several sets of regulations aimed at controlling
Internet content, including access to content hosted outside of China,
since commercial Internet accounts were first authorized in 1994. The
Chinese government continues to control journalists, and sanctions
individuals who "write or post articles critical of the political system
or send news outside China."

Civil society groups have widely opposed mandated filtering, censorship
of Internet content, surveillance of Internet users. In the Seoul and
the Madrid Declaration, advocates urged governments and Internet firms
to uphold national and international human rights law that protects
privacy and freedom of expression. Advocates warned that "the failure
to safeguard privacy jeopardizes associated freedoms, including freedom
of expression, freedom of assembly, freedom of access to information."

The Declaration made clear objections to the "dramatic expansion of
secret and unaccountable surveillance, as well as the growing
collaboration between governments and vendors of surveillance
technology that establish new forms of social control," and warned
about "the growing consolidation of Internet-based services, and the
fact that some corporations are acquiring vast amounts of personal data
without independent oversight."

In June 2009, EPIC has formally asked the Federal Trade Commission to
open an investigation into Google's Cloud Computing Services to
determine "the adequacy of the privacy and security safeguards." EPIC
cited the growing dependence of American consumers, businesses, and
federal agencies on cloud computing services, and urged the Commission
to take "such measures as are necessary" to ensure the safety and
security of information submitted to Google.

The Madrid Declaration is a substantial document that reaffirms
international instruments for privacy protection, identifies new
challenges, and recommends specific actions. More than 250 individuals
and organizations have signed the Declaration. To sign on, please send
an email to

Google, A new approach to China (January 12, 2010)

EPIC: Privacy and Human Rights Report: China

EPIC: Filters & Freedom 2.0

EPIC: Faulty Filters

Open Net Initiative: China Report

Human Rights Watch World Report 2005 & 2009: China Country Report

CSISAC, The Seoul Declaration (2008)

The Public Voice, The Madrid Declaration (2009)

[6] News in Brief

Oral Arguments Begin in FB Beacon case

Oral arguments in Harris v. Blockbuster are scheduled to be heard on
March 1, 2010. The case involves violations of the Video Privacy
Protection Act. The lawsuit was filed by Cathryn Harris and other
Facebook users after Blockbuster made public their private video rental
information through Facebook Beacon. EPIC filed an amicus brief with
the Fifth Circuit Court of Appeals urging the Court to enforce federal
privacy protections for Facebook users who rented videos from

EPIC: Harris v. Blockbuster

Video Privacy Protection Act

EPIC’s amicus brief in Harris v. Blockbuster

EPIC: Facebook Privacy
Facebook CEO, Zuckerberg, says privacy is no longer a "social norm"

Last week Facebook CEO Marc Zuckerberg stated in an interview that
privacy is no longer a "social norm" and that recent changes to
Facebook's privacy policy merely reflect that change in social norms.
However, the response of Facebook users and critics to recent actions
by Facebook indicate that privacy is a robust social norm. Facebook has
recently come under fire by EPIC and others for its Beacon advertising
platform, terms of service changes, and privacy policy changes. That
inconsistency led the New York Times to argue that the "company's
justifications of the claim that they are reflecting broader social
trends just aren't credible."

New York Times Story

PC World Story

EPIC: Facebook Privacy

EPIC: In re Facebook

EPIC: Frequently Asked Questions Regarding EPIC's Facebook Complaint

EPIC: Social Networking Privacy

Obama Names Howard Schmidt Cybersecurity Czar

On December 22, 2009, President Obama announced Howard Schmidt as his
pick for the position of Cybersecurity Coordinator. This is a new
position in the Obama administration and exists within the Executive
Office of the President. According to the White House, the new
"cybersecurity czar" will be responsible for protecting America's
public and private computer networks from attack. Schmidt has
previously served as special adviser for cyberspace security under
George W. Bush from 2001 to 2003, and has also worked at Microsoft and
eBay in addition to serving in the Air Force and the FBI. He will
report to deputy national security adviser John O. Brennan.

White House, Introducing the New Cybersecurity Coordinator (December 22, 2009)

EPIC: Critical Infrastructure Protection

White House: Executive Office of the President
President Obama Issues Order Regarding Classification Processes

President Obama has issued a new executive order regarding Classified
National Security Information. President Obama's classified information
order establishes a National Declassification Center to streamline the
declassification process and sets timetables for declassification. The
order states that "No information may remain classified indefinitely."
The order also reverses an order by President George W. Bush that had
allowed the intelligence community to block the release of a specific
document, even if an interagency panel decided the information wouldn't
harm national security. The new order prohibits agencies from
classifying documents after the fact and also prohibits the withholding
of documents that were created by one agency but are being held by
another, which should assist EPIC's pending Freedom of Information Act
request to the National Security Agency regarding NSPD 54, a classified
Directive that describes a NSA program to monitor American computer
networks. EPIC's request was previously denied by the NSA because NSPD
54 "did not originate with" the NSA. For more information see EPIC:
Open Government.

President Obama, Executive Order (December 29, 2009)

President Bush's Previous Order
EPIC, FOIA Appeal for NSPD 54 (November 24, 2009)
EPIC: Open Government

DHS Privacy Office Releases Data Mining Report 

The Department of Homeland Security Privacy Office released its 2009
Data Mining Report to Congress on January 4, 2010. The annual report,
which is required by statute as part of the Implementing
Recommendations of the 9/11 Commission Act of 2007, contains the
office's report regarding all DHS activities that meet the law's
definition of "data mining." The report identifies three such programs.
The first is the Customs and Border Protection's Automated Targeting
System, which analyzes traveler, cargo and conveyance information and
compares it against law enforcement information. The second,
Immigration and Customs Enforcement's Data Analysis and Research for
Trade Transparency , "analyzes trade and financial data to identify
statistically anomalous transactions that may warrant investigation."
 The third identified program is the Transportation Security
Administration's Freight Assessment System, which analyzes freight
transportation data to identify cargo that might present a risk to
passenger aircraft.  The report concluded that for each project,
"necessary privacy protections have been implemented."

DHS: Data Mining Reports

DHS: Privacy Office

EPIC: DHS Privacy Office and Privacy

Implementing Recommendations of the 9/11 Commission Act of 2007

[7] EPIC Bookstore: "Media Ownership and Concentration in America"

To purchase:

"When it comes to media concentration, views are strong, theories
abound, but numbers are scarce..." - Eli M. Noam

Eli Noam's new book more than makes up for the previous dearth of
numbers regarding media concentration. Noam carefully investigates the
concentration of media ownership in America by analyzing 100 key
industries to figure out whether or not fears about media mergers and
concentration are really well founded. This book puts forth his
complex, objective, and detailed analysis on media ownership trends.

Noam begins with an analysis of historical media trends. He breezes
through a brief and fascinating history of media in America and
concludes that there has never truly been a "golden age" of American
media diversity. The research presented here and elsewhere in the book
suggest that there is a frequently repeated cycle of competitive entry,
instability, and consolidation in media. Through these cycles, sources
of media expand and contract regularly.

Noam also addresses the ways in which technology changes the media
game. For example, he confronts the oft-repeated idea the more voices
means more diversity of opinion. Noam argues that this is not
necessarily true if one takes into consideration how loud some voices
are. Today's technology creates opportunities for a host of new voices,
but they are relatively small, quiet voices, compared to big media
companies.  A blog, for example, may present a unique viewpoint, but
may never be heard by more than its small group of readers.

Noam then charts the market concentration trends for 100 separate
information industries, including cable TV, radio, local phone service,
internet service providers, daily newspapers, and TV set makers. He
analyzes the trends in each industry carefully, with the help of
numerous charts and graphs.

In the end, Noam concludes that previous measurements of both
concentration and diversity have proved insufficient, and he proposes a
new "Media Ownership Concentration and Diversity Index", a complex
equation that takes into account not only the concentration
considerations of the Herfindahl-Hirschman Index, but also the
diversity considerations of the Federal Communications' Voice Count
Index. Using this new index, as well as more traditional measures, Noam
concludes that there is reason for both fear and optimism regarding
media concentration: media is, overall, becoming more concentrated, but
in a way that is well within the cyclical nature of media concentration
over time. 

--Ginger McCall

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

"Critical Reflections on the Growth of CCTV in the UK"
University of Toronto, Toronto, ON, January 20, 2010
For more information:

"Annual Privacy Coalition meeting" 
EPIC, Washington, DC,, January 21-23, 2010.
For more information:

"Reader Privacy: Should Library Standards Apply Online?" 
University of North Carolina, Chapel Hill, January 22, 2010.

"Body Scanners and Privacy"
EPIC Panel Discussion with Bruce Schneier, Security Expert, and Author,
and Anita Allen, Deputy Dean University of Penn. Law School,
Washington, DC, January 25, 2010.
For more information:

"Privacy By Design: The Gold Standard"
Toronto Board of Trade, Toronto, ON, January 28, 2010.
For more information:

"Data Privacy Day" 
Worldwide, January 28, 2010. 
For more information:

"Computers, Privacy, and Data Protection: An Element of Choice,"
Brussels, Belgium, January 29-30, 2010.
For more information:

"RSA 2010"
San Francisco, March 1-5, 2010.
For more information:

"7th Conference on Privacy and Public Access to Court Records"
Williamsburg, VA, March 3-5, 2010.
For more information:

"Association for Practical and Professional Ethics"
Cincinnati,OH, March 5, 2010.
For more information:

"Privacy 2010"
Stanford, CA, March 23 - 25, 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.01 ------------------------


Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security