EPIC Alert 19.22

========================================================================
E P I C   A l e r t
========================================================================
Volume 19.22                                        November 27, 2012
------------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

========================================================================
Table of Contents
========================================================================
[1] EPIC Argues for Driver Privacy in Supreme Court Case
[2] NSA Withholds Presidential Cybersecurity Directive; EPIC to Appeal
[3] Congress Scrutinizes TSA's 'Scanner Shuffle'
[4] EPIC Urges Interior Dept. to Preserve Strong Open Government Rules
[5] CRS Publishes Report on Executive Branch Transparency
[6] News in Brief
[7] EPIC in the News
[8] EPIC Publications
[9] Upcoming Conferences and Events

========================================================================
[1] EPIC Argues for Driver Privacy in Supreme Court Case
========================================================================

EPIC has filed a "friend of the court" brief in the US Supreme Court case Maracich v. Spears, which centers around provisions in the US Drivers Privacy Protection Act, or DPPA. The DPPA bans the disclosure of drivers' personal information from states' Department of Motor Vehicles, except for specific permissible uses.

EPIC's brief argues that the amount of identifying information contained in driver records is so staggering that the Court should place strict limits on its disclosure. The brief identifies over 50 categories of information held by DMVs, including Social Security Numbers, biometric data used for facial recognition, immigration documents, and medical records.
Because of the REAL ID Act of 2005, which creates a minimum standard for information in drivers licenses, DMVs are now collecting more information than when the DPPA was passed in 1994. EPIC contends that this information is at risk of abuse by identity thieves and data brokers. "Almost twenty years after the enactment of the DPPA, the information DMVs possess has grown increasingly more sensitive. "In order for Americans to maintain privacy and control over their own information, the definition of 'personal information' must include new types of data that can identify an individual," the brief maintains.

EPIC has participated as a friend of the court in several Drivers Privacy Protection Act cases. In Reno v. Condon (2000), the US Supreme Court upheld the constitutionality of the federal law. EPIC filed a brief in that case, stating, "The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest." The Court agreed: "The DPPA establishes a regulatory regime that restricts the States' ability to disclose a driver's personal information without the driver's consent."

In previous DPPA cases, EPIC has asserted the need for strong protections of motor vehicle records. Recently, in Gordon v. Softech International (2nd Circuit, 2012), EPIC argued that resellers of driver records should be held strictly liable in order to discourage misuse of private information. In Kehoe v. Fidelity Federal Bank and Trust (11th Circuit, 2004), EPIC and the American Civil Liberties Union argued that individuals are entitled to damages when businesses or data brokers impermissibly access driver personal data.

EPIC: "Friend of the Court" Brief in Maracich v. Spears (Nov. 16, 2012)
EPIC: "Friend of the Court" Brief in Kehoe v. Fidelity Trust (2004)
EPIC: "Friend of the Court" Brief in Gordon v. Softech (June 20, 2012)
US Supreme Court: Maracich v. Spears
EPIC: Maracich v. Spears
US House of Representatives: Text of DPPA
EPIC: The Drivers Privacy Protection Act
EPIC: National ID and REAL ID Act

========================================================================
[2] NSA Withholds Presidential Cybersecurity Directive; EPIC to Appeal
========================================================================

EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cybersecurity authority.

EPIC is litigating similar claims against the NSA, including for the release of NSPD 54, a 2008 presidential directive setting out the NSA's cybersecurity authority. At the time, EPIC requested the text of the NSPD-54, the full text of the Comprehensive National Cybersecurity Initiative, and any documented privacy policies related to the Directive or the Initiative.

Although the George W. Bush White House publicly issued a description of the Initiative, indicating that it covered a wide range of government activity, from cyber education to intrusion detection, the NSA withheld the documents requested by EPIC, causing the basis of the underlying legal authority to remain a secret. EPIC subsequently sued for disclosure. The case remains pending in the District Court for the District of Columbia.

EPIC has also sought public release of the 2010 arrangement between the NSA and Google following a cyber-attack that was widely reported in the national media, including The New York Times, The Wall Street Journal, and The Washington Post.
EPIC filed a FOIA request with the NSA, requesting any communications between the NSA and Google relating to Google's practices or failures regarding data encryption. In an official statement to Congress earlier this year, EPIC explained that the NSA was a "black hole for public information about cybersecurity."

NSA: Response to EPIC FOIA Request re: Directive 20 (Nov. 20, 2012)
EPIC: FOIA re: "Presidential Policy Directive 20" (Nov. 14, 2012)
EPIC: Statement to Senate re: NSA and Infrastructure (Mar. 12, 2012)
EPIC: Complaint re: Google-NSA Relationship (Feb. 4, 2010)
EPIC: Cybersecurity Privacy - Practical Considerations
EPIC: EPIC v. NSA (Cybersecurity Authority)
EPIC: EPIC v. NSA (Google/NSA Relationship)

========================================================================
[3] Congress Scrutinizes TSA's 'Scanner Shuffle'
========================================================================

The US House Subcommittee on Transportation Security held an oversight hearing November 15 called "TSA's Recent Scanner Shuffle: Real Strategy or Wasteful Smokescreen?" The hearing follows the TSA's decision to remove backscatter x-ray devices from major US airports.

The House Subcommittee scrutinized TSA's investment in backscatter x-ray devices and questioned the agency's "spend money, test later" policies. Chairman Mike Rogers (R-AL) expressed concern over how the testing on the updated privacy software suddenly failed. Rep. Rogers also grilled a TSA official over reports that the agency fabricated the test results of privacy software to eliminate backscatter images of naked passengers. The Subcommittee also questioned whether the TSA had underestimated the privacy concerns when it implemented the body scanners as the primary screening device at US airports.

In a statement for the record, EPIC highlighted public concerns about the use of body scanners, including health and privacy risks, as well as the TSA's failure to take public comments on the program. "We believe that if the agency had pursued the public comment process at the outset, the decision to deploy backscatter x-ray devices could have been averted, taxpayer dollars saved, privacy and health risks avoided, and more effective techniques to safeguard air travel developed," EPIC maintained.

In 2009, EPIC and a coalition of other organizations submitted a petition to Director of Homeland Security Janet Napolitano, requesting that the TSA complete notice-and-comment rulemaking on the body scanners. The TSA denied EPIC's petition for public rulemaking, and the agency stated it intended to continue implementing the backscatter program.

EPIC sued DHS and, in July 2011, a Washington, DC federal appeals court ruled that DHS must "act promptly" to receive public comments. After much stonewalling from TSA, and following several petitions from EPIC, the DC Circuit Court of Appeals made clear that the agency must begin the public comment process by March 2013.

US House: Hearing on TSA 'Scanner Shuffle' (Nov. 15, 2012)
EPIC: Statement for the Record at House Hearing (Nov. 15, 2012)
EPIC: EPIC v. DHS (Suspension of Body Scanner Program)
EPIC: Whole Body Imaging Technology and Body Scanners
EPIC: Body Scanner FAQ

========================================================================
[4] EPIC Urges Interior Dept. to Preserve Strong Open Government Rules
========================================================================

In recent comments to the US Department of the Interior, EPIC urged the agency not to weaken the Freedom of Information Act (FOIA) provisions as it has recently proposed. The Interior Department is considering regulations that would place new burdens on FOIA requesters by: (1) terminating FOIA requests; (2) denying FOIA requests without providing justifications as required by law; and (3) withholding the identity of agencies to which the Department refers FOIA requests.
EPIC's comments state that the Interior Department's proposal would undermine the open government law and is contrary to law as well as the views on FOIA expressed by the President and the US Attorney General.

As a rationale for the restrictions, the agency states, "The regulations are being revised to update, clarify, and streamline the language of procedural provisions, and to incorporate certain changes brought about by the amendments to the FOIA under the OPEN Government Act of 2007 . . . Additionally, the regulations are being updated to reflect developments in the case law and to include current cost figures to be used in calculating and charging fees."

Many of the Interior Department's proposals stem from current regulations that already impair the abilities of FOIA requesters. For example, the Interior Department will prematurely terminate FOIA requests after only 20 workdays if requesters have not: (1) clarified the scope of their requests; (2) provided assurance that they will pay FOIA processing fees, or (3) paid advanced fees in excess of $250.

Some agency proposals significantly revise current FOIA regulations. Under the proposed rules, if the Department refers a FOIA request to another agency, it will notify requesters of the referral "unless that identification will itself disclose a sensitive, exempt fact." Current regulations do not limit the agency's ability to notify requesters that it has referred FOIA requests to other departments or agencies.

EPIC's comments state that the proposed regulations "are contrary to law, exceed the scope of the agency's rulemaking authority, and should be revised [to] remove the . . . barriers to access government information." The comments also encourage the agency to "incorporate new procedures that ease, not burden, the public's efforts to learn about the activities of its government."

EPIC has an extensive FOIA practice and routinely comments on agency proposals that impact the rights of FOIA requesters.
In 2011, EPIC submitted extensive comments to the Department of Justice, warning the agency not to erect new obstacles for FOIA requesters. In March 2012, in recognition of open-government "Sunshine Week," EPIC published the "2012 FOIA Gallery," highlighting some of the most significant documents that EPIC obtained over the previous year. EPIC also publishes the "Litigation Under Federal Open Government Laws Guide," a leading source for FOIA practitioners and requesters.

EPIC: Comments to the Interior Dept. re: FOIA Changes (Nov. 13, 2012)
Federal Register: Proposed Interior Dept. FOIA Changes (Sept. 13, 2012)
Federal Register: Current Interior Department FOIA Regulations
EPIC: Comments to Justice Dept. re: FOIA Changes (Oct. 18, 2011)
EPIC: FOIA Gallery 2012
EPIC: Litigation Docket
EPIC: Open Government

========================================================================
[5] CRS Publishes Report on Executive Branch Transparency
========================================================================

The Congressional Research Service has published a report on the definition of "transparency" as used by the Executive Branch. The report, "Government Transparency and Secrecy: An Examination of Meaning and Its Use in the Executive Branch," seeks both to define the term "transparency" in the context of open government and to offer an analysis of existing federal open-government efforts.

The report examines the tension between government openness and information protection for national security purposes. However, the bulk of the report amounts to an index and history of open government legislation, acknowledging both the perspective of open government advocates and the efforts of the Obama Administration to commit to government transparency.

While the report acknowledges that there is no single definition of "transparency," it identifies a set of principles that delineate the role of transparency in an open government.
Transparency is described as comprising "not only the disclosure of government information, but also the access, comprehension, and use of this information by the public." The report notes that such a definition "requires a public that can access, understand, and use the information it receives from the federal government."

The report also examines "the statutes, initiatives, requirements, and other actions that make information more available to the public or protect it from public release." EPIC uses many of these tools in open government work, including the Freedom of Information Act, the Federal Register for notice-and-comment rulemaking, and the Obama Administration's Open Government Directive. The report devotes a subsection to each of these statutes and actions, discussing their legislative or political history, evolution over time, their goals, and successes and failures.

EPIC has a strong commitment to supporting governmental transparency and uses open government legislation as the basis of FOIA and open-government activity. EPIC also frequently advises the government against restricting or narrowing existing transparency legislation. EPIC recently submitted comments to the Department of the Interior, encouraging the federal agency not to impose new burdens on requesters seeking information under the FOIA as the agency had proposed. EPIC submitted similar comments to the Department of Justice in 2011, warning the agency not to erect new obstacles for FOIA requesters.

Congressional Research Service: Government Transparency (Nov. 8, 2012)
EPIC: Comments to Interior Dept. re: Changes in FOIA (Nov. 13, 2012)
EPIC: Comments to Department of Justice re: FOIA (Oct. 18, 2011)
EPIC: Open Government
EPIC: "Litigation Under the Federal Open Government Laws"

========================================================================
[6] News in Brief
========================================================================

Google Transparency Report Reveals Risks of Cloud-based Computing

According to a recent report from Google, the company received 20,938 third-party requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The US government accounted for 7,969 requests in 2012; of these requests, Google provided user data in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. Earlier in 2012, Google reduced safeguards for Gmail users over the objections of many lawmakers and users when it consolidated privacy policies across its various Internet services. In 2009, EPIC urged the Federal Trade Commission to look more closely at the privacy risks of cloud-based services.

Google: Transparency Report (Through June 2012) (Nov. 2012)
EPIC: EPIC v. FTC (Enforcement of the Google Consent Order)
EPIC: Complaint with FTC Against Google Cloud Services (Mar. 17, 2009)
EPIC: Cloud Computing

Supreme Court Limits Remedies for Credit Card Privacy Violations

The US Supreme Court has held in US v. Bormes that the federal government cannot be sued for violating the Fair Credit Reporting Act. The Court used as a basis for its decision an 1887 law that waives governmental immunity for certain claims "premised on other sources of law." The case arose after an attorney paid a federal court-filing fee with his credit card and noticed that the receipt included personal information in violation of the Fair Credit Reporting Act.
The attorney sued the government under the Little Tucker Act, which waives sovereign immunity "for claims premised on other sources of law." Justice Antonin Scalia, writing for a unanimous Court, held that the attorney could not sue the government under the Little Tucker Act because the Fair Credit Reporting Act has its own detailed damages provision, and "[w]here . . . a statute contains its own self-executing remedial scheme, we look only to that statute to determine whether Congress intended to subject the United States to damages liability." The Court has sent the case back to the Seventh Circuit Court of Appeals to determine whether the government may be sued under the Fair Credit Reporting Act itself.

US Supreme Court: Ruling in US v Bormes (Nov. 13, 2012)
EPIC: Fair Credit Reporting Act
Cornell University Law School: Little Tucker Act

Supreme Court to Review DNA Collection Law

The US Supreme Court has agreed to hear Maryland v. King, a challenge to the constitutionality of the State of Maryland's DNA Collection Act, which authorizes law enforcement to collect DNA samples from individuals arrested, but not convicted, for certain crimes. A lower court held earlier in 2012 that the DNA Act was unconstitutional because the warrantless collection of DNA from a mere arrestee was an unlawful search and seizure under the Fourth Amendment. The Maryland court previously had upheld the Act as applied to convicted felons in the case State v. Raines. EPIC filed a "friend of the court" brief in Raines and other cases involving mandatory DNA collection in California, Louisiana, and the District of Columbia. EPIC has argued that the privacy implications of DNA collection are greater than fingerprint collection. A recent report from the President's Commission on Bioethics recommends limiting law enforcement access to DNA information.

US Supreme Court: Agreement to Hear Maryland v. King (Nov. 9, 2012)
EPIC: Maryland v. King
State of Maryland: DNA Collection Act
MD State Supreme Appeals Court: Decision in MD v. King (Apr. 24, 2012)
EPIC: "Friend of the Court" Brief in MD v. Raines (2003)
EPIC: "Friend of the Court" Brief in US v. Kincade (2004)
EPIC: "Friend of the Court" Brief in Kohler v. Englade (2005)
EPIC: "Friend of the Court" Brief in Johnson (2006)
White House Committee on Bioethics
EPIC: Genetic Privacy
EPIC: DNA Act

FTC Releases 2012 Performance Report

The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, demonstrates how the agency has managed its resources, and explains how it plans to address future changes. With respect to consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as primary accomplishments. The Commission reported that it acted on 90.6% of all received consumer complaints, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for failure to enforce the 2011 consent order with Google. EPIC has also routinely urged the FTC to take account of public comments.

FTC: Performance and Accountability Report for 2012 (Nov. 2012)
FTC: Report on Consumer Privacy (March 2012)
FTC: Consent Agreement with Facebook (Nov. 29, 2011)
FTC: Press Release on Google Settlement (Aug. 9, 2012)
EPIC: Federal Trade Commission
EPIC: EPIC v. FTC (Enforcement of Google Consent Order)

========================================================================
[7] EPIC in the News
========================================================================

"Data cops: Facebook privacy plans must be 'modified'." The Register, Nov. 27, 2012.

"Two consumer groups urge Facebook to back off privacy changes." Los Angeles Times, Nov. 26, 2012.

"New code of practice to minimise privacy risks in anonymised data." The Guardian, Nov. 21, 2012.

"Senate bill rewrite lets feds read your e-mail without warrants." CNet, Nov. 20, 2012.

"Facebook's Mandatory Couples Pages: The Site's Creating Them May Be Legal, But Is It Wise?" Justia, Nov. 20, 2012.

"FAA delays selection of Miami Valley as possible test site." Dayton Daily News, Nov. 19, 2012.

"Privacy Group files FOIA request over cybersecurity directive." Digital Journal, Nov. 16, 2012.

"Privacy Groups Seek Answers on Obama's Secret Cybersecurity Guidelines." Reason, Nov. 15, 2012.

"Rapiscan accused of faking privacy tests for airport scanners." Ars Technica, Nov. 15, 2012.

"Attorneys: Obama's 'secret' cyber security law may allow 'military deployment within the U.S.'" The Raw Story, Nov. 15, 2012.

"EPIC Urges the Interior Department to Preserve Strong Open Government Rules." JD Supra, Nov. 14, 2012.

"Online Privacy Issue Is Also in Play in Petraeus Scandal." The New York Times, Nov. 13, 2012.

"DHS says it is observing privacy rules in monitoring social media." Government Security News, Nov. 13, 2012.

"Do We Need Cyber Cops for Cars?", Nov. 13, 2012.

For More EPIC in the News:

========================================================================
[8] EPIC Publications
========================================================================

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010).
Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

========================================================================
[9] Upcoming Conferences and Events
========================================================================

"Competition & Privacy in Markets of Data." 26 November 2012, Brussels. For More Information:

"Computers, Privacy and Data Protection: Reloading Data Protection." 23-25 January 2013, Brussels. For More information:

22nd Annual Computers, Freedom, & Privacy Conference. 5-6 March 2013, Washington, DC. For More Information: Contact Chris Calabrese at

========================================================================
Join EPIC on Facebook and Twitter
========================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------ END EPIC Alert 19.22 ------------------------