EPIC Alert 17.13

                            E P I C   A l e r t
Volume 17.13                                               July 2, 2010

                           Published by the
               Electronic Privacy Information Center (EPIC)
                           Washington, D.C.


		      "Defend Privacy. Support EPIC."

Table of Contents
[1] EPIC Urges US Senate to Explore Kagan's Views on Privacy
[2] Federal Trade Commission Takes Action Against Twitter
[3] Supreme Court Permits Disclosure of Petitioner Signatures
[4] EPIC Urges Congress to Reform ECPA, Safeguard Locational Data
[5] EPIC Forces Disclosure of Report on Obama Passport Breach
[6] News in Brief
[7] EPIC Bookstore: "Please Remove Your Shoes" (Documentary)
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends

[1] EPIC Urges US Senate to Explore Kagan's Views on Privacy

In anticipation of Elena Kagan's confirmation hearings this week, EPIC
sent a letter to Senators Patrick Leahy (D-VT) and Jeff Sessions
(R-AL). In addition to asking the Senators to consider Kagan's record
on privacy, the letter encouraged them to ask the nominee probing
questions about her views on body scanners, consumer privacy and the
Fourth Amendment, among other emerging privacy issues.

As Deputy Assistant to the President for Domestic Policy and Deputy
Director of the Domestic Policy Council for the Clinton Administration,
Kagan wrote on several privacy issues with present-day analogues. She
wrote in support of "hand held gun detector devices" that would enable
"police...[to] potentially scan people in public places without their
knowledge." Kagan also proposed guidelines to "allow officers to scan
liberally, particularly in airports, train stations and traffic stops."
She expressed these views pre-September 11, 2001, and the writings hint
at her views on controversial new search techniques like the TSA's full
body scanner program.

Also during her time under President Clinton, Kagan expressed views on
consumer privacy. She gave her support to the Administration's health
care agenda, including "consumer protection reforms (to ensure
quality, prevent discrimination, and protect privacy." Kagan also
supported privacy protection legislation to "establish strong federal
standards to ensure the confidentiality of medical records."

More recently, as Solicitor General under President Obama, Kagan argued
against two important lower court rulings, Comprehensive Drug Testing
v. United States and City of Ontario v. Quon. In Comprehensive Drug
Testing, the Ninth Circuit set forth five guidelines for law
enforcement, meant to protect privacy when conducting electronic
searches. Kagan
argued that the Comprehensive Drug Testing standards are too
cumbersome, and that they will undermine the ability of law enforcement
to catch criminals. Kagan also filed an amicus brief on behalf of the
petitioners in Quon. In it, she argued that the government has no
obligation to limit searches of text messages to protect individual
privacy. This position is in direct opposition to the position taken in
EPIC's amicus in Quon, which argued that petitioners' searches were
overbroad and unnecessary.

Solicitor General Kagan did make several comments during the hearing
about Constitutional interpretation and the Fourth Amendment. In
response to the first question she received from Chairman Leahy, Kagan
said that the framers of the Constitution were wise to use broad terms.
She noted that they "didn't live with bomb sniffing dogs and heat
detecting devices." The statement was a reference to two important
Supreme Court cases, Illinois v. Caballes (2005) and Kyllo v. US (2001).

EPIC, Letter to Senators Leahy and Sessions

EPIC, Elena Kagan and Privacy

EPIC, City of Ontario v. Quon

EPIC, Amicus Brief in City of Ontario v. Quon

Kagan's Amicus Brief in Support of Reversal in City of Ontario v. Quon

[2] Federal Trade Commission Takes Action Against Twitter

On June 24, the Federal Trade Commission announced that Twitter agreed
to settle the Commission's charges that it had deceived consumers and
put their privacy at risk by failing to safeguard their personal
information. According to the Commission's complaint, Twitter
represented that users had the ability to keep certain information
private and that it employed various measures to protect users'
information from unauthorized access. Despite these assurances, Twitter
engaged in a series of practices that "taken together, failed to
provide reasonable and appropriate security...and honor the privacy
choices exercised by its users..."

The Commission's complaint alleged that hackers were twice able to gain
unauthorized administrative control of Twitter in early 2009. 
Administrative control gave the hackers access to non-public tweets and
user information.  In the first security breach, a hacker used an
automated password guessing tool to guess the weak password Twitter
used for its administrator account.  The second security breach
occurred when a hacker compromised a Twitter employee's personal email
and inferred the employee's administrative password from other
passwords stored in the employee's inbox. In light of these security
breaches and Twitter's lax security policies, the Commission charged
that Twitter's representations regarding its privacy and security
measures were false and deceptive in violation of Section 5(a) of the
Federal Trade Commission Act.

Under the terms of the settlement, "Twitter will be barred for 20 years
from misleading consumers about the extent to which it maintains and
protects the security, privacy, and confidentiality of nonpublic
consumer information."  This will allow the FTC to fine Twitter up to
$16,000 per violation of the settlement agreement for the life of the
agreement. In addition, Twitter will also be required to establish a
comprehensive information security program which will be assessed by an
independent security auditor every other year for the next 10 years.

Commenting on the settlement agreement, David Vladeck, Director of the
Commission's Bureau of Consumer Protection, said, "When a company
promises consumers that their personal information is secure, it must
live up to that promise. Likewise, a company that allows consumers to
designate their information as private must use reasonable security to
uphold such designations."

The settlement was the Commission's first enforcement action against a
social networking service. EPIC has filed several FTC complaints
against Facebook, another social networking service. These complaints
allege that Facebook engaged in unfair and deceptive trade practices
through its disclosure of previously restricted private user

The FTC is inviting public comment on the proposed settlement until
July 26, 2010. 

FTC Press Release Announcing Settlement

FTC Complaint

Settlement Agreement

FTC: Invitation for Public Comment

EPIC: Facebook Privacy 

[3] Supreme Court Permits Disclosure of Petitioner Signatures

On June 24, 2010, the Supreme Court held in Doe v. Reed that the
state's interest in ensuring election integrity outweighs the First
Amendment interest of petitioner signatories. In an 8-1 decision
written by Chief Justice Roberts, the Court ruled that disclosure of
signatures under a state open records law “would not violate the First
Amendment with respect to referendum petitions in general.” However,
citing Buckley v. Valeo, the Court also left open the possibility that
disclosing the identities of signatories in other circumstances could
violate the First Amendment.

Doe v. Reed concerned a Washington law that treated referendum
petitions as public records subject to disclosure. In 2009, about
137,000 individuals signed a referendum petition in support of
repealing a new state law that expanded the rights of same-sex domestic
partners. Signatories to this referendum filed suit in federal court to
block disclosure. The plaintiffs made two arguments: (1) there is a
constitutional right, in general, to anonymity for signatories; (2)
there is a right to anonymity in this particular case. The Supreme
Court upheld the ruling by the Ninth Circuit as to the first argument
and remanded for the lower courts to decide whether this constitutional
right was violated in the particular case of the gay-rights referendum.

EPIC submitted an amicus brief in this case, which urged the Justices
to protect the privacy of those who sign petitions. EPIC's brief argued
that revealing the names of the signatories would subject signatories
to the risk of retribution, signing petitions constitutes anonymous
speech, and signing petitions is similar to casting a vote and should
be protected accordingly. EPIC wrote that the anonymity of petitioner
signatories “safeguards First Amendment interests and helps to ensure
meaningful participation in the political process without fear of

Justices Scalia, Alito, Stevens, Breyer, and Sotomayor, joined by
Stevens and Ginsburg, all wrote concurring opinions, mostly dealing
with the plaintiffs' as-applied challenge. Justice Thomas, the only
dissenter, rejected the argument that it was necessary for the state to
publish the names of petitions' signatories in order to ensure valid
elections. He described techniques that could protect privacy and
safeguard election integrity.

This decision may have especial significance for disclosure provisions
in pending campaign finance legislation in response to the Court's
recent Citizens United decision. 

Doe v. Reed, 09-559, June 24, 2010

EPIC Amicus Brief, Doe v. Reed

EPIC Webpage on Doe v. Reed

[4] EPIC Urges Congress to Reform ECPA, Safeguard Locational Data

EPIC has filed a statement for the record in a hearing on the
Electronic Communications Privacy Act (ECPA). ECPA, which was passed in
1986, modifies the Wiretap Act and restricts the government from
accessing electronic communications. However, Congress has not updated
ECPA to ensure that it keeps up with new business practices.

EPIC has a strong interest in reforming ECPA, as the law does not
adequately safeguard location-based data. Devices such as smartphones
may be equipped with global positioning system (GPS) devices that
broadcast the user's location to advertisers and other third parties.
Google, in deploying its Street View product, has obtained vast amounts
of location-based information regarding wireless networks. And Apple's
new iOS product contains terms of service that allow the company to
collect location data from consumers.

EPIC recommended that Congress consider how Europe updates its
communications privacy laws to address challenges brought about by new
technologies and new business practices. For example, locational data is
explicitly covered under the recent revisions to the EU's E-Privacy
Directive. EPIC argued that consumers must be able to control their
data and opt out of any collection by companies or advertisers.

EPIC's Statement for the Record on ECPA Reform 

EPIC's Google Street View Page

EPIC's Letter on Location Privacy to the FCC

[5] EPIC Forces Disclosure of Report on Obama Passport Breach

EPIC's Freedom of Information Act lawsuit against the State Department,
EPIC v. State, has produced a report detailing security breaches of
passport data for several Presidential candidates. The Office of the
Inspector General (OIG) prepared the 134-page report in the wake of a
series of 2008 breaches that exposed (then) presidential candidates
Barack Obama, Hillary Clinton, and John McCain's personal information.
Previously secret sections of the OIG's report on the incident state,
"the Department was ineffective at detecting possible incidents of
unauthorized access," and criticize the agency's failure to "provide
adequate control or oversight." OIG reports that it has made 22
recommendations to address identified shortcomings. As of April 2008,
the passport database contained records on about 127 million passport
holders, including passengers' names, social security numbers, previous
names, citizenship status of parents and spouses, passport photos, and
passport application records.

The 2008 breaches mirrored a similar incident which took place during
the 1992 election season, when the State Department discovered that
Bill Clinton's passport file had been accessed illegally in an attempt
to influence the outcome of the presidential election. An investigation
following the 1992 breach led to the resignation of one State
Department official and the dismissal of the Assistant Secretary of
State for Consular Affairs.

EPIC appeared before the Senate in 2008 concerning passport security
breaches, urging lawmakers to limit employee and contractor access to
personal data, increase accounting requirements, and create an
independent privacy agency. EPIC's Executive Director Marc Rotenberg
stated in written testimony, "Recent federal surveillance efforts have
increased the likelihood that an American will become a victim of a
privacy breach, and heightened the risks associated with a breach."
Rotenberg noted, "These measures have not been accompanied by stronger
privacy protections."

Shortly after the Senate hearing, EPIC submitted a FOIA request with
the State Dept. for information about the agency's security practices.
When the agency provided a heavily redacted version of a critical
report, EPIC filed a lawsuit.

The report obtained by EPIC suggests that the agency has not fully
implemented investigators' recommendations.

EPIC v. Department of State

EPIC: Passport Privacy

EPIC: Open Government

EPIC: Senate Testimony Regarding Passport Privacy

Office of Inspector General's Report Regarding Passport Breaches

[6] News In Brief

Cybersecurity Legislation Moves Forward in Congress

The Senate Homeland Security Committee voted unanimously to approve the
Protecting Cyberspace as a National Asset Act of 2010 to the Senate at
a markup session on June 24th. An earlier version of the bill was
introduced on June 10th and a hearing was held on June 15th. The bill
would establish a National Center for Cybersecurity and Communications
at the Department of Homeland Security. Critics had said that the bill
would also give the President an "internet kill switch" to take over
private networks. Before committee passage, the bill was amended to
include limitations on the proposed Presidential powers to declare a
"cybersecurity emergency" and to better define what parts of critical
infrastructure are covered by the bill.

EPIC: Cybersecurity and Privacy

EPIC: Critical Infrastructure Protection

Protecting Cyberspace as a National Asset Act, Amended

Introduction of the Protecting Cyberspace as a National Asset Act

Senate Homeland Security Committee Vote

Supreme Court to Review FOIA Exemption in Milner v. Dep't of Navy

Last week, the Supreme Court agreed to hear Milner v. Department of the
Navy. The case concerns the scope of Exemption 2 of the Freedom of
Information Act, which exempts records "related solely to the internal
personnel rules and practices of an agency" from mandatory disclosure.
Specifically, Milner concerns whether the Navy can withhold information
under a specific interpretation of Exemption 2 referred to as "high 2"
that permits agencies to withhold information related to internal
matters where the disclosure would risk circumvention of a legal
requirement. The Ninth Circuit allowed the Navy to withhold the records
at issue as "high 2" information. Writing in dissent, Judge Fletcher
said that the Freedom of Information Act exemptions "must be narrowly

Ninth Circuit: Milner v. Department of the Navy

The Freedom of Information Act, 5 U.S.C. § 552

EPIC: Open Government FOIA Litigation


White House Adopts Weird Opt-Out Policy for Government Web Sites

The White House has announced a new "Clear Notice and Personal Choice"
policy for the use of Web Measurement and Customization Technologies
for government web sites. The policy is remarkable in that there does
not appear to be any legal basis to allow federal agencies to routinely
disclose personal information of citizens to private companies. The
policy is accompanied by new Guidance for Agency Use of Third-Party
Websites and Applications. The White House also announced a National
Strategy for Trusted Identities in Cyberspace. EPIC had urged the White
House to uphold Privacy Act obligations in use of web 2.0 services.

Memo from the Office of the President Providing Guidance for Online Use
of Web Measurement and Customization Technologies

Memo from the Office of the President Providing Guidance for Agency Use
of Third-Party Websites and Applications

National Strategy for Trusted Identities in Cyberspace

EPIC: Privacy Act of 1974

EPIC: Privacy and Government Contracts with Social Media Companies

European Privacy Officials Publish Opinion on Online Advertising

The European Union's data protection authorities have released an
opinion declaring that online advertisers must obtain “informed”
consent before tracking consumers' web browsing to target ads at
consumers. A press release explaining the opinion states that “although
online behavioural advertising may bring advantages to online business
and users alike, its implications for personal data protection and
privacy are significant.” The opinion of the Article 29 Working Party
clarifies how Article 5(3) of the ePrivacy Directive and Directive
95/46/EC apply to online behavioral advertising, stressing that
companies engaging in online behavioral advertising using cookies are
bound by the new EU rules on electronic privacy that require “informed”
consent from consumers.

EU Opinion

Press Release about EU Opinion

ePrivacy Directive

Directive 95/46/EC

Scotland Yard Commences Probe of Google Street View

Adding to a worldwide flood of investigations into Google's collection
of private Wi-Fi data, London's Metropolitan Police Service began
reviewing a criminal complaint filed against Google by London-based
Privacy International on June 22, 2010. The Police Service estimates
that it will spend eight to ten days conducting an initial inquiry,
during which time it will determine basic facts. If London police
determine that Google has broken any laws, the case will be referred to
a specialist team working at the national level. The complaint was
brought under two UK laws: the Regulation of Investigatory Powers Act
and the Wireless Telegraphy Act. The filing of a criminal complaint in
London echoes similar actions undertaken in Spain, where criminal
complaints have been filed against Google in two courts.

EPIC - Investigations of Google Street View

Privacy International Complaint

UK Regulation of Investigatory Powers Act

UK Wireless Telegraphy Act

EPIC - Spanish Investigation of Google Street View

[7] EPIC Bookstore: "Please Remove Your Shoes"

In "Please Remove Your Shoes," director/producer Rob Delgado examines
the many flaws of the Transportation Security Administration (TSA) and
its predecessor, the Federal Aviation Administration (FAA).  The film
uses the narratives of several TSA and FAA workers to explore the
myriad of agency failings that put national security at risk on a daily

"Please Remove Your Shoes" presents the story of current and former FAA
and TSA managers, inspection team leaders, and Federal Air Marshals in
an approachable and human way, and uses this narrative to frame a
larger discussion of the agency's many problems. Former FAA employees
discuss bureaucratic bloat and the Agency's unwillingness to make
necessary improvements or correct weaknesses identified by its own
employees. A Federal Air Marshal describes the continual lowering of
standards for Marshals and the ways that TSA has undermined the
Marshals' effectiveness. Several of the employees describe harassment
and retaliation that they suffered as a result of well-meaning

The film identifies several ways that TSA (and FAA) have failed
travelers. The agency lacks transparency and accountability, it fails
to respond to its own employees' concerns, engages in cronyism, and
spends vast amounts of money on ineffective technologies (like the
puffer machines and current WBI rollout).

Ultimately, "Please Remove Your Shoes" builds its case in an
interesting and compelling fashion and should leave viewers asking
important questions about the cost and effectiveness of America's
transportation security programs.

For more information about "Please Remove Your Shoes," see:

--Ginger McCall

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years.


"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

W3C Workshop on Privacy for Advanced Web APIs
London, England, July 12-13, 2010.
For more information:

Seventh Annual Collaboration, Electronic Messaging, Anti-Abuse, and
Spam Conference
Redmond, WA, July 13-14, 2010.
For more information:

Developing a Social Media Policy That Limits Risk: Practical Advice for
Companies in Regulated Industries
Webinar, July 15, 2010.
For more information:

Eleventh Annual Institute on Privacy and Data Security Law
Chicago, IL, July 19-20, 2010.
For more information:

Privacy and Identity Management for Life
(PrimeLife/IFIP Summer School 2010)
Helsingborg, Sweden, August 2-6, 2010.
For more information:

Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School
Crete, Greece, September 13-17, 2010.
For more information:

Internet Governance Forum 2010
Vilnius, Lithuania, 14-16 September 2010.
For more information:

"32nd Int'l Conference of Data Protection and Privacy Commissioners"
Jerusalem, October 2010.
For more information:

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.13 ------------------------

