
EPIC Alert 17.06

                            E P I C   A l e r t
Volume 17.06                                            March 24, 2010

                           Published by the
               Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


		    "Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Urges Congress to Suspend Body Scanning Program
[2] EPIC Files Supreme Court Brief in Electronic Privacy Case
[3] EPIC Recommends Privacy Safeguards for Smart Grid Services
[4] Open Government Audit Finds Mixed Results for Obama Administration
[5] EPIC to FTC: Adopt Effective Privacy Safeguards
[6] News in Brief
[7] EPIC Bookstore: "Fatal System Error"
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends

[1] EPIC Urges Congress to Suspend Body Scanning Program

On March 17, 2010, EPIC Executive Director Marc Rotenberg testified
before the House Committee on Homeland Security Subcommittee on
Transportation Security and Infrastructure Protection. The hearing "An
Assessment of Checkpoint Security: Are Our Airports Keeping Passengers
Safe?" featured testimony from government officials and industry
representatives, as well as from EPIC.

In his testimony, Mr. Rotenberg urged Congress to halt the plan to
deploy body scanners in the nation's airports. "Based on the documents
we've obtained, the views of experts, the concerns of Americans, and the
extraordinary cost, Congress should suspend the program," he said. He
cited numerous documents that EPIC has obtained through Freedom of
Information Act litigation from the Department of Homeland Security.
The documents demonstrate the capabilities of the machines to store and
transfer images, as well as security flaws and widespread traveler
complaints regarding the program.

Mr. Rotenberg recommended that aviation security be accomplished
through a mix of technology, baggage security, and human observation,
rather than attempting to find a purely technological solution. To that
end, he cited a report from the Government Accountability Office
questioning the ability of the body scanners to detect the variety of
explosive used in the attempted attack of December 25, 2009. Finally,
when asked about different types of technology, he reminded the
committee that "those that are the most intrusive are the most

Other witnesses at the hearing included Mr. Robin Kane, Assistant
Administrator, Transportation Security Administration; Mr. Bradley
Buswell, Deputy Under Secretary, Science and Technology
Directorate, Department of Homeland Security; Dr. Susan
Hallowell, Director, Transportation Security Laboratory, Department of
Homeland Security; Mr. Stephen Lord, Director, Homeland Security and
Justice team, Government Accountability Office; Mr. Kenneth J.
Dunlap, Director of Security, International Air Transport Association;
Mr. Charles Barclay, President, American Association of
Airport Executives; Col. Eric R. Potts (Ret.), Interim
Aviation Director, Houston Airport System; Mr. Brook Miller, Vice
President, Government Affairs, Smiths Detection; and Mr. Mitchel J.
Laskey, President and CEO, Brijot Imaging Systems, Inc.

EPIC Summary Statement
EPIC Whole Body Imaging


Hearing: "An Assessment of Checkpoint Security: Are Our Airports
Keeping Passengers Safe?"

Subcommittee on Transportation Security and Infrastructure Protection

[2] EPIC Files Supreme Court Brief in Electronic Privacy Case

EPIC has filed a "friend of the court" brief in the United States
Supreme Court, urging the Justices to protect the privacy of public
employees who use electronic communications devices. In City of Ontario
v. Quon, the Supreme Court has been asked to determine whether a
government employer can search the content of text messages sent from
an employee's pager. The case is on appeal from the Ninth Circuit,
where the court ruled in favor of the employee. Ten technology experts
and legal scholars joined EPIC in filing the brief to bring attention
to the importance of data minimization.

In its brief, EPIC asserted that while the Government may undertake
reasonable searches of public employees, it may not pursue unbounded
searches of personal communications devices. Such searches run contrary
to best practices in the security industry and expose public employees
to unnecessary risks.

EPIC argued that data minimization practices should be applied to
public sector searches, finding support in the Fourth Amendment
reasonableness requirement. Additionally, the brief details the various
ways employer-issued devices collect and store detailed personal
information, including Internet search history, text messages, emails,
and locational data.

Finally, the EPIC brief includes a discussion of prior court rulings
which have emphasized the importance of establishing data minimization
principles for electronic data. EPIC urged the court to consider the
standards set out in the Ninth Circuit case Comprehensive Drug Testing
v. United States, which instructs a government agency about how to
undertake appropriate searches without unnecessarily violating privacy
interests. Oral argument in this case is scheduled for April 19, 2010.

EPIC's Amicus Curiae Brief in City of Ontario v. Quon

City of Ontario v. Quon ScotusWiki

EPIC: City of Ontario v. Quon

EPIC: Workplace Privacy

[3] EPIC Recommends Privacy Safeguards for Smart Grid Services

EPIC submitted comments to the California Public Utility Commission
(CPUC) on regulations that should protect privacy of Smart Grid
electricity usage information. The term "Smart Grid" encompasses a host
of inter-related technologies rapidly moving into public use to reduce
or better manage electricity consumption. Smart Grid systems allow
electricity service providers to monitor and control electricity use.

The privacy implications of smart grid technology deployment center on
the electricity consumption information of individuals, homes, or
offices. Fundamentally, smart grid systems enable electricity service
providers to access consumption data. Further, if electric utility smart
grid systems proceed as currently proposed, these far-reaching networks
will enable data collection and sharing across platforms and great

EPIC recommended a set of Smart Grid fair information practices that
the CPUC could adopt to regulate the collection, retention, use, and
reuse of Smart Grid customer personally identifiable information. The
comments to the CPUC recount an instance in this decade where
California residents have come under suspicion because of their
electricity usage. For example, in 2004 a Carlsbad, California family
faced police investigation due to higher electricity consumption than
their neighbors. The Supreme Court ruling in Kyllo v. United States
addressed the privacy implications of the monitoring of electrical use
in the home. The Court found that a search warrant must be obtained
before the government may use new technology to monitor the use of
devices that generate heat in the home.

EPIC also led a coalition effort to submit comments to the National
Institute of Standards and Technology regarding Smart Grid and privacy.

EPIC: CPUC Smartgrid Comments

California PUC Comments

National Institute of Standards and Technology: Smart Grid Comments

[4] Open Government Audit Finds Mixed Results for Obama Administration

The National Security Archive at George Washington University released
the results of its annual government-wide Freedom of Information Act
(FOIA) audit on March 15, 2010. The audit tested agency responsiveness
to President Obama's new directives on government transparency and
openness. Upon taking office, President Obama issued a memorandum on
FOIA, which called on government agencies to adopt a "presumption of
disclosure" when administering FOIA requests. The memo also directed
Attorney General Eric Holder to issue new FOIA guidelines to agency
heads, which was carried out. In Attorney General Holder's guidelines,
the Department of Justice would defend denial of a FOIA request only if
disclosure would harm an interest protected by one of FOIA's statutory
exemptions or if disclosure is prohibited by law.

The Archive report found that ancient requests, some 18 years old, were
still pending in the FOIA system. Only a minority of agencies, 13 out
of 90 agencies, responded to the Obama and Holder Memos with concrete
changes in their FOIA practices. Additionally, the report concluded
that only four agencies out of 28 reporting agencies "show both
increases in releases and decreases in denials under the FOIA."

The audit is based on data obtained from federal agencies through FOIA
requests filed by the Archive in September 2009. The Archive reports
that federal agencies had a wide range of responses to the Obama and
Holder Memos. Some agencies (13 out of 90) implemented concrete
changes; some (14 out of 90) made changes in staff training on the
presumption of disclosure; others (11 out of 90) only circulated the
Obama and Holder memos; and 13 agencies had not responded to the
Archive's FOIA requests five months after they were filed.

Attorney General Eric Holder spoke on March 15 about the
administration's FOIA record. In his speech, he stated that over the
past year he has "been impressed with the creative and proactive ways
that our partners across the government have responded" to his memo.
Holder recognized that the Justice Department was not where it needs to
be; however, he focused on tangible improvements, namely that in 2009
the Department made more than 1,000 more full releases and nearly
1,000 more partial releases than in 2008.

National Security Archive FOIA Audit

President Obama Memo on FOIA

Attorney General Eric Holder Memo on FOIA

Attorney General Eric Holder Speech on Open Government

EPIC Open Government

[5] EPIC to FTC: Adopt Effective Privacy Safeguards

At the third Federal Trade Commission Privacy Roundtable, EPIC senior
counsel John Verdi recommended that the Commission push forward with
effective and meaningful privacy safeguards for American consumers. Mr.
Verdi stated that the "notice and choice" approach has failed and
recommended that the Commission enforce Fair Information Practices.

When asked by the Commission to offer advice regarding next steps for
the agency, Mr. Verdi emphasized the importance of effective
enforcement, including prompt responses to consumer complaints,
decisive actions, and strong penalties. Throughout the discussion, Mr.
Verdi brought attention to numerous complaints EPIC has filed, and
which the Commission has failed to meaningfully act upon, including
Echometrix, Cloud Computing, Google Buzz, and Facebook.

On the "Lessons Learned and Looking Forward" panel, Mr. Verdi was
joined by six other privacy and industry experts, who agreed that
"notice and choice" was no longer a strong approach. Jennifer
Stoddart, Privacy Commissioner of Canada, participated on the panel and
encouraged the Federal Trade Commission to look to European systems for
privacy protection as guidance, and to take action within the United

This roundtable was the final of three planned by the Commission to
address new and emerging privacy issues. EPIC also participated in the
first and second roundtables. In her opening statements, outgoing
Commissioner Pamela Jones Harbour stated, "Protecting consumer privacy
is of utmost importance. Unfortunately, many of the companies that
consumers look to as leaders - and that we expect to be leaders - still
have not taken this message entirely to heart." Harbour specifically
mentioned the launch of Google Buzz as "irresponsible," a position EPIC
stated in its February complaint to the Commission.

FTC Privacy Roundtable

EPIC: Echometrix

EPIC: Cloud Computing

EPIC: In re Google Buzz

EPIC: In re Facebook

[6] News in Brief
FCC Releases National Broadband Plan, Privacy Strategy Unclear

The Federal Communications Commission released its National Broadband
Plan. The Commission noted that "many users are increasingly concerned
about their lack of control over sensitive personal data" and warned
that "Innovation will suffer if a lack of trust exists between users
and entities with which they interact over the internet." The FCC makes
several recommendations, but there is no clear plan to address growing
concerns about cloud computing, smart grids and unfair and deceptive
trade practices. Last year, EPIC urged the FCC to develop a
comprehensive strategy for online privacy as part of the national
broadband strategy.

Federal Communications Commission

National Broadband Plan

EPIC: Cloud Computing

EPIC: Smart Grids and Privacy

EPIC: Google Buzz Complaint

EPIC: Comments to FCC regarding National Broadband Strategy

Relaunches

PRIVACY.ORG, the first web site devoted exclusively to privacy issues,
has a new look and new tools. PRIVACY.ORG provides daily updates on
privacy stories in the news. The website now features a Twitter news
feed with all #privacy tweets. And PRIVACY.ORG highlights important
privacy-related campaigns, such as the current effort to suspend the
deployment of airport body scanners. The relaunched site now allows
Twitter, Facebook, digg, Technorati,, and Linked In users
to tag items to share with others. is a joint project of
the Electronic Privacy Information Center (EPIC) and Privacy



Privacy International

Senators Leahy and Cornyn Introduce Bill to Reduce FOIA Delays

Senators Patrick Leahy and John Cornyn have introduced the Faster FOIA
Act of 2010, S. 3111, which would establish a panel to examine agency
backlogs in processing FOIA requests. Government reports reveal
substantial agency delays in disclosing FOIA records. The bill came at
the beginning of Sunshine Week, a national observance of the importance
of open government. EPIC makes frequent use of the FOIA to obtain
information about privacy issues. EPIC celebrated Sunshine Week by
publishing the EPIC FOIA Gallery: 2010.

Faster FOIA Act, S. 3111

Faster FOIA Act Press Release

EPIC FOIA Gallery: 2010

Netflix Cancels Contest over Privacy Concerns

Netflix canceled its second $1 million Netflix Prize after privacy
concerns from the FTC and a federal lawsuit alleging invasion of
privacy and violations of the Video Privacy Protection Act. The Netflix
contest challenged contestants to find a superior movie-recommendation
algorithm from "anonymized" datasets that included movie ratings, date
of ratings, unique ID numbers for Netflix subscribers, and movie
information. In 2006, during the first Netflix Prize contest,
researchers conducted a study that revealed that if a person has
information about when and how a user rated six movies, that person can
identify 99% of people in the Netflix database. After productive discussions
with the FTC over reidentification concerns which stemmed from this
study, Netflix and the federal agency reached an understanding on how
Netflix would use user data in the future. Netflix also settled the
VPPA lawsuit.

Netflix: Netflix Prize Update

Doe v. Netflix

EPIC: Video Privacy Protection Act

Arvind Narayanan and Vitaly Shmatikov, University of Texas at Austin:
How to Break Anonymity of the Netflix Prize Dataset

FTC: Letter Regarding Netflix

EPIC: Reidentification

Fourth Circuit Hears Oral Arguments in Ostergren v. McDonnell

On March 23, 2010, the Fourth Circuit Court of Appeals will hear oral
arguments in Ostergren v. McDonnell. Betty Ostergren runs a website
that republishes Social Security Numbers, collected from public
records, to persuade Virginia lawmakers to stop releasing documents
that reveal Social Security Numbers. Under Virginia law, Ostergren
could be prosecuted for publishing documents that reveal Social
Security Numbers, even though the state makes the numbers widely
available through public records. A lower court held that the law
violated Ostergren's First Amendment rights. Virginia appealed. EPIC
filed a "friend of the court" brief in October 2009, urging the court
to hold that the First Amendment protects Ostergren's speech and to
uphold the lower court's ruling.

EPIC Ostergren v. McDonnell

Ostergren Website: The Virginia Watchdog

District Court Holding

EPIC Amicus Brief

EDPS Opinion on Privacy in the Digital Age

The European Data Protection Supervisor, Peter Hustinx, adopted an
opinion on "Promoting Trust in the Information Society by Fostering
Data Protection and Privacy," and submitted it to the European
Commission. The opinion recognizes that information and communication
technologies raise new concerns that are not addressed in the European
Union's current data protection/privacy legal framework, and that law
should change in the areas of social media, RFID and targeted
advertising. The opinion further discusses measures that can be
promoted or undertaken to guarantee individuals' privacy and data
protection. For example, "privacy by design" seeks to ensure that
privacy and data protection are embedded within the technology from the
design stage until disposal. This may mean eliminating/reducing
personal data or preventing unnecessary and/or undesired processing
(data minimization) or offering tools to enhance individuals' control
over their personal data.

EDPS: "Promoting Trust in the Information Society by Fostering
Data Protection and Privacy"

EPIC: Data Retention

FTC Fines Lifelock $12 Million for Misleading Claims

The Federal Trade Commission has settled a privacy enforcement
action against Lifelock for false claims about the company’s identity
theft prevention and security measures. The agreement requires that
Lifelock pay $12 million, refrain from making deceptive statements
regarding their identity theft protection and security provisions, and
impose stronger safeguards to protect consumers’ personal information.
The settlement is one of the largest FTC-state enforcement settlements
on record. For more information on privacy and identity theft, see
EPIC: Identity Theft.

FTC Press Release regarding Lifelock Settlement

Stipulated Final Judgment in Fed. Trade Comm’n v. LifeLock, Inc.

EPIC: Identity Theft

FTC: Identity Theft Initiative

[7] EPIC Bookstore: "Fatal System Error"

"Fatal System Error: The Hunt for the New Crime Lords who are Bringing
Down the Internet" by Joseph Menn

Joseph Menn's new book, Fatal System Error, presents the evolution of
cybercrime through the life of Barrett Lyon, a twenty-something
California computer whiz, who discovers the identity of a Russian
hacker launching denial of service attacks (making an Internet site
unavailable to users) against gambling websites around the world. Menn
uses Barrett's life story to take his readers deep into the world of
cybercrime, and shows how inadequately prepared the US government is to
respond to technology crime. Through Barrett's story, he tells how
intelligent, young gangs began attacking corporate websites to extort
money and steal valuable personal information from consumers, and how
many get away without any repercussions.

After Barrett uncovers the identity of a Russian hacker who plagues the
online gambling scene, he seeks the authorities' help in prosecuting
the hacker. However, he receives little support from the FBI and
instead finds a more attentive ear in the British authorities. Denial
of service attacks were a top priority in the UK in the early 2000s
because hackers were targeting many UK companies, and almost every
significant UK betting firm had been hit at least once. From this point
forward, a parallel story unfolds following British agent Andy Crocker
to Russia, where his mission is to track down and prosecute the hacker
identified by Barrett. In Russia, Crocker encounters bureaucratic
hurdles, apathetic Russian police officers and corruption that
transform his investigation into a chase after individuals just beyond
his reach.

Partnering with a Russian detective, Igor Yakovlev, Crocker finds some
success and captures three of the hackers in an operating ring.
However, this accomplishment is mired by the fact that the leaders of
the hacking ring escape. Crocker's investigation deepens as one of the
arrested hackers is used as an informant to pursue higher-up
extortionists. Crocker's time in Russia culminates with a ten-month
trial of the three hackers whose crimes are taken seriously and result
in jail time. With some of the most dangerous individuals escaping
justice's grasp, Menn reminds us that cyber criminals commit fraud
worth hundreds of millions of dollars, take over tens of millions of
computers and hold the power to severely damage electronic commerce.

Menn concludes with some insightful suggestions on how to fix what is
realistically fixable. First, consumers have to do a better job
educating themselves about computer security, and children should be
educated about safer online practices. Second, since poorly designed
software is largely to blame for the lack of network security, software
companies should be held accountable for their products. Third, banks
should have to bear a greater stake in credit fraud and require greater
proof of identity before approving transactions and granting credit.
Lastly, law enforcement agencies like the FBI, DHS, NSA and Defense
Department must work together to combat cybercrime if they are to stand
any chance against technologically savvy hackers. Menn's book sheds
light on the thriving underground cybercrime economy and constructs a
cautionary tale that should concern all Internet users.

--Veronica Louie

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

"IAPP 10th Anniversary Webcast"
National Press Club, Washington, DC, March 16, 2010
For more information:

"Third Annual Freedom of Information Day Celebration:
Washington College of Law, Washington, DC, March 16, 2010
For more information:

"Privacy 2010"
Stanford, CA, March 23 - 25, 2010.
For more information:

"Smartgrid Policy Summit"
Washington, DC, April 8, 2010
For more information:

"Developing a Trusted Cyber-Infrastructure"
Toronto, ON, May 12, 2010
For more information:

"Computers, Freedom, and Privacy"
San Jose, June 15-18, 2010.
For more information:

"32nd Int'l Conference of Data Protection and Privacy Commissioners"
Jerusalem, October 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook


Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.01 ------------------------

