
EPIC Alert 17.15

=======================================================================
                           E P I C   A l e r t
=======================================================================
Volume 17.15                                              July 30, 2010
-----------------------------------------------------------------------
                          Published by the
              Electronic Privacy Information Center (EPIC)
                          Washington, D.C.

                        "Defend Privacy. Support EPIC."

=======================================================================
Table of Contents
=======================================================================

[1] DHS Announces Dramatic Expansion of Airport Body Scanner Program
[2] Court Finds in Favor of Privacy Activist
[3] EPIC Urges Congress to Protect Social Network Users
[4] State Attorneys General Press Google on Street View Scandal
[5] EPIC Obtains Medical Record Database Contract
[6] Personal Information of 100 Million Facebook Users Leaked Online
[7] News in Brief
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends
- DISPLAY the IMAGE
- SUPPORT EPIC

=======================================================================
[1] DHS Announces Dramatic Expansion of Airport Body Scanner Program
=======================================================================

On July 20, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to DHS Secretary Janet Napolitano, the devices, which had once been part of a pilot program for secondary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC and several other groups have opposed the body scanner program on the grounds that it violates passengers' rights.
Earlier this month EPIC filed a petition for review and an emergency motion in federal court, urging the immediate suspension of the program and citing violations of the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, and the Fourth Amendment. EPIC's Freedom of Information Act requests have revealed evidence that the Transportation Security Administration has repeatedly misrepresented the program and the scanners' capabilities, including their ability to capture, store, and transmit naked pictures of travelers. Air travelers have objected to the program's invasions of their privacy, as reported by USA Today and other media. Travelers have been subject to overly invasive searches without being consistently informed of alternate screening methods. In addition, the scanners have not been demonstrably superior to less invasive screening methods, and the health effects upon travelers have not been adequately documented. By expanding the program, TSA has ignored both EPIC's concerns and the public's objections.

In related news, Dubai International Airport, one of the largest airports in the Middle East, has announced that it will not deploy full body scanners because they "contradict Islam." The devices are widely opposed by those of Muslim faith. The effectiveness of the machines has also been questioned by Israeli officials. In a recent address to members of the Canadian Parliament, Rafi Sela, former chief security officer at the Israel Airport Authority and a 30-year veteran in airport security and defence technology, called the machines "useless," and said that he could "overcome the body scanners with enough explosives to bring down a Boeing 747."

EPIC: Petition for Review
EPIC: Motion for Emergency Stay of the Full Body Scanner Program
EPIC: Reply in EPIC v. DHS
EPIC and Coalition: Letter to House Committee on Homeland Security Urging Investigation of DHS Privacy Office
EPIC: Petition to DHS to Suspend FBS Program
The Economist: No Full Body Scanners for Dubai
Vancouver Sun: Full Body Scanners Useless, Security Expert Says

=======================================================================
[2] Court Finds in Favor of Privacy Activist
=======================================================================

On July 26, 2010, the Fourth Circuit Court of Appeals ruled in favor of privacy advocate Betty Ostergren. Ostergren had challenged a Virginia state law designed to prosecute her for drawing attention to the state's online publication of Social Security Numbers (SSNs). EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that Ostergren's speech is protected by the First Amendment.

Virginia provides "secure remote access" to certain public records, including court records with millions of SSNs. Even though, by statute, clerks are required to redact SSNs, this provision did not go into effect due to lack of funding. Ostergren runs a website that republishes SSNs collected from public records obtained by this "secure remote access" in order to inform the public about the online availability of personal information. Publishing these SSNs exposed Ostergren to liability under a revised provision of Virginia's Personal Information Privacy Act that states that "a person shall not . . . [i]ntentionally communicate another individual's social security number to the general public." The Act provides an exception for records that are required to be made public by law. Ostergren filed a complaint alleging that the revised provision was unconstitutional under the First Amendment. EPIC's brief urged the Fourth Circuit Court of Appeals to uphold the lower court's ruling that the First Amendment protects Ostergren's speech.
The Court agreed that the provision was unconstitutional as applied to Ostergren's speech via her website. The Court found that Ostergren's website addressed a matter of public concern and that Virginia did not seem to hold protection of SSNs a strong state interest given that it did not provide funding to redact SSNs. The Court entered a permanent injunction against enforcement of the revised provision as applied to Ostergren's website "that simply republished publicly obtainable documents containing unredacted SSNs of Virginia [state officials]."

Opinion in Ostergren v. Cuccinelli, No. 09-723 (4th Cir. July 26, 2010)
EPIC's "Friend of the Court" Brief, October 19, 2009
Ostergren's Website: The Virginia Watchdog
EPIC: Social Security Numbers

=======================================================================
[3] EPIC Urges Congress to Protect Social Network Users
=======================================================================

On July 28, 2010, EPIC Executive Director Marc Rotenberg testified before the House Judiciary Committee at a hearing on "Online Privacy, Social Networking and Crime Victimization." The hearing focused on the danger of phishing scams, social engineering tactics and poor privacy controls that make social network users' personal information vulnerable. Also testifying at the hearing were witnesses from the FBI, the Secret Service, Symantec, and Facebook. In his testimony, Mr. Rotenberg urged lawmakers to update federal law to protect the privacy of social network users by requiring the explicit consent of users to privacy changes. He said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information.
In May, EPIC raised some of these same concerns in its Complaint with the Federal Trade Commission (FTC) charging that Facebook's conversion of private information to publicly available information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook's own representations." The FTC has, to date, failed to investigate Facebook's business practices. As Mr. Rotenberg pointed out, this means that Congress must now amend the federal privacy law to limit the ability of Social Network companies to disclose user information to third parties without informed and explicit consent.

As consumers are placing more of their personal information online, members of Congress are becoming increasingly concerned about issues of online privacy. In May 2010, John Conyers, House Judiciary Committee Chairman, sent a letter to Facebook, Inc. asking for "a detailed explanation of the information about Facebook users that your company has provided to third parties without the knowledge of the account holders, particularly in circumstances in which the users did not expressly opt for this type of information sharing." On Tuesday, the Senate Commerce Committee held a hearing on Consumer Online Privacy. During the hearing, Senator John Kerry, Chairman of the Communications Subcommittee, said he plans to introduce an online privacy bill to create standards for how consumer data is collected and used for marketing.

EPIC Testimony to House Judiciary Committee Hearing on Online Privacy, Social Networking and Crime Victimization
EPIC Complaint to the FTC Regarding Facebook
Conyers' Letter to Mark Zuckerberg
Hearing on Consumer Online Privacy
EPIC: Social Networking Privacy
EPIC: Facebook Privacy
EPIC: In re Google Buzz

=======================================================================
[4] State Attorneys General Press Google on Street View Scandal
=======================================================================

Connecticut Attorney General Richard Blumenthal announced in a press release that thirty-eight states and the District of Columbia are seeking additional information about Google's collection of wi-fi data from private, residential computer networks. In his press release, Blumenthal states "Google's responses continue to generate more questions than they answer." Mr. Blumenthal also sent a letter to Google, asking for information about Google's packet-sniffing software, the testing and review procedures, and the internal investigation of the code that "accidentally" recorded unencrypted wi-fi traffic in 30 countries over a three-year period.

On May 18, 2010, EPIC wrote a letter to the Federal Communications Commission recommending the Commission open an investigation into the significant communications privacy issues arising from the data collected by Google's Street View vehicles. On May 19, 2010, Congressmen Joe Barton (R-TX) and Edward Markey (D-MA) also wrote a letter to the Federal Trade Commission inquiring into the legality of Google's actions and asking the Commission to investigate the matter.
Connecticut Attorney General Richard Blumenthal's Press Release
Connecticut Attorney General Richard Blumenthal's Letter to Google
EPIC's Letter to FCC
House Members' Letter to FTC
EPIC: Street View Investigations

=======================================================================
[5] EPIC Obtains Medical Record Database Contract
=======================================================================

EPIC has obtained and published a contract awarded last September by the Food and Drug Administration (FDA) to Harvard Pilgrim Health Services, Inc. The contract, obtained by EPIC under the Freedom of Information Act, tasks Harvard Pilgrim with developing a working version of the "Sentinel" system. Sentinel is a national database containing millions of electronic medical records.

Much of the data involved in the Sentinel Initiative will be covered by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), which provides a floor of privacy protections for health information in the United States. However, at a December 2008 public workshop on the Sentinel Initiative, experts stated that the FDA will have a great deal of discretion in the kind of privacy policies and protections in place for the Sentinel Program. Experts have speculated that HIPAA would permit disclosure of some de-identified but nonetheless identifiable data. Research on data mining shows that even where data is "de-identified" before it is shared, personal details can often be matched back to true identities in a process known as "re-identification." In June 2009, the Government Accountability Office evaluated privacy issues surrounding the Sentinel System and reported that, as of the date of the report, "FDA [had] not yet developed a plan or set milestones for when it expect[ed] to have these issues addressed." In spite of this criticism, FDA has failed to publish a detailed description of how Sentinel will honor patients' privacy expectations.

The contract obtained by EPIC indicates that FDA plans to perpetuate its hands-off approach to privacy issues and outsources responsibility for privacy protections to Harvard Pilgrim, ordering it to ensure that "the uses of the data are compliant with HIPAA and any applicable state and local laws." The contract also indicates that Sentinel will operate on an ambitious scale, linking not only to "health record systems, administrative claims databases, and patient registries," but also, ideally, to "vital records, chronic disease and/or cancer registries, birth defect registries, and medical device registries." The scope of information to be included in Sentinel is vast, covering such details as race/ethnicity, body mass index, smoking status, alcohol use, blood and tissue product use, special diets, and family health history. According to the contract, Sentinel will access and utilize data "primarily for active medical product surveillance," leaving open the possibility that the system may also be used for other purposes. As of January 2010, Sentinel was interacting with records relating to 60 million individuals, with that number expected to grow to 100 million by July 2012.

EPIC: FDA's Sentinel Initiative
EPIC: Medical Record Privacy
EPIC: Re-identification
FDA: Contract with Harvard Pilgrim Regarding the Sentinel Initiative
FOIA Letter to FDA seeking documents regarding the Sentinel Initiative

=======================================================================
[6] Personal Information of 100 Million Facebook Users Leaked Online
=======================================================================

Ron Bowes, a security consultant of Skull Security, created a web crawler program that harvested data on users contained in Facebook's open access directory. Bowes then made a 2.8GB torrent available which lists all users whose privacy settings make their pages available to search engines.
The file contains 171 million entries, relating to more than 100 million individual users - more than one in five of Facebook's recently trumpeted half billion user base. It contains user account names and a URL for each user's profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user's page from the list will also enable the user to click through to friends' profiles - even if those friends have made themselves non-searchable.

Bowes claims that he did it as part of his work on a security tool. The tool, he said, "is designed to test password policies of organizations by using brute force attacks; in other words, guessing every username and password combination." By downloading the data from Facebook, and compiling a user's first initial and surname, Bowes was able to make a list of the most common probable usernames to use in the tool. In theory, researchers could then combine this list with a catalogue of the most commonly used passwords to test the security of sites. Similar techniques could be used by criminals for more nefarious means.

Bowes' posting underscores the continuing inadequacies of Facebook's privacy settings which have resulted, largely, from the company's continued - and often confusing - changes to privacy settings and policies. On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. Facebook stated that it could make public a user's "name, likeness and image for any purpose, including commercial or advertising." Because Facebook's current privacy settings work on an opt-out basis, those users who did not actively change the default to limit the publicity of their information left that information vulnerable to Bowes' web crawler program.

EPIC Executive Director Marc Rotenberg recently urged lawmakers to update federal law to protect the privacy of Facebook users. Mr. Rotenberg said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information. He also said that the failure of the Federal Trade Commission to investigate Facebook's business practices means that Congress must now amend the federal privacy law to limit the ability of Social Network companies to disclose user information to third parties without informed and explicit consent.

News article on Facebook user data disclosure
Instructions on how to change one's Facebook privacy settings
Facebook terms of service
Marc Rotenberg's written testimony before the House Judiciary Committee, Wednesday, July 28, 2010

=======================================================================
[7] News in Brief
=======================================================================

Public Voice to Host Privacy Conference in Israel

The Public Voice will hold a privacy conference in Israel in conjunction with the 32nd Annual Meeting of Information and Privacy Commissioners. "Next Generation Privacy Challenges and Opportunities" will feature civil society leaders, academic experts, and data protection officials from more than twenty countries. It will include discussions on full body scanners, biometric identifiers, electronic health records, and international frameworks for privacy protection.

The Public Voice "Next Generation Privacy Challenges and Opportunities"
The Madrid Declaration

Steve Bellovin speaks to the Cybersecurity Policy Working Group

On Monday, July 26, 2010, noted researcher of computer networking and security, Steve Bellovin, discussed the recently released White House draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC outlines the federal government's plan to use third-party identification to reduce online crime and attacks.
Speaking to members of the EPIC-coordinated Cybersecurity Policy Working Group, Bellovin pointed out that such a system creates major privacy concerns but does little to increase online security. According to Bellovin, third-party authentication does not prevent private companies from sharing and aggregating user information. Moreover, Bellovin pointed out, authentication does not ameliorate the danger of identity theft or security breach posed by buggy and exploitable software. Bellovin also said that better security could be achieved by more research into how to build and manage large computer networks.

Steve Bellovin's Blog Post on NSTIC
National Strategy for Trusted Identities in Cyberspace (NSTIC) Draft
Public Commenting on NSTIC
EPIC: Cybersecurity and Privacy
Coalition Letter to White House Cybersecurity Coordinator

Wal-Mart Begins Tagging and Tracking Merchandise with RFID

Wal-Mart has announced that it will begin inserting Radio Frequency Identification (RFID) chips into some of its men's clothing, including jeans, underwear, and socks, starting August 1. The retailer has stated that its goal is to expand the use of the tags to its other merchandise as well. Previously RFID tags have only been used in larger packages for warehouse and distribution use, but this will be the first time the tags are used in the stores for individual products that will be taken home by consumers. The tags will remain readable from a short range even after they are removed from the store.

Wall Street Journal Article Describing Walmart's RFID Plans, July 23, 2010
EPIC: RFID
Katherine Albrecht: Spychips Website

New York Ends "Stop and Frisk" Data Collection

New York Governor David Paterson signed a bill into law last week requiring the NYPD to expunge the names and addresses in a database of people who had been stopped and questioned by police but never charged with any crimes. In signing the bill, Governor Paterson said that "simple justice as well as common sense suggest that those questioned by police and not even accused of a crime should not be subjected to perpetual suspicion."

Bill requiring expunging of names and addresses
NYPD FAQ page on stop-and-frisk encounters
EPIC: New York's Stop and Frisk Database and Privacy

=======================================================================

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================
"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore

================================
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at: https:/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010)
Helsingborg, Sweden, August 2-6, 2010.
For more information:

Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School
Crete, Greece, September 13-17 2010.
For more information:

Internet Governance Forum 2010
Vilnius, Lithuania, 14-16 September 2010.
For more information:

"32nd Int'l Conference of Data Protection and Privacy Commissioners"
Jerusalem, October 2010.
For more information:

The Public Voice Civil Society Meeting: "Next Generation Privacy Challenges and Opportunities"
Jerusalem, October 25, 2010
For more information:

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http//

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.
=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.15 ------------------------
