Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in terms of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy.
Today the Supreme Court denied review of the California law that provides customers with privacy safeguards for financial data. The law limits the sale of personal information by financial firms to affiliates, and imposes opt-in requirements. The Ninth Circuit upheld substantial portions of the California Financial Information Privacy Act. EPIC filed a brief in that case favoring the law. Financial firms argued that the California statute conflicts with other federal rules. The Justice Department recommended that the Supreme Court leave the state statute in place. See EPIC ABA v. Brown and EPIC Privacy and Preemption Watch.
Leaders of the House Homeland Security Committee sent a letter to the Transportation Security Administration regarding the bankruptcy of Verified Identity Pass, the parent company for the Clear registered traveler (RT) program. Clear was the largest RT program in the nation, operating out of 20 airports with about 165,000 members. The TSA established RT security, privacy and compliance standards for the Clear program and bolstered the company's credentials with the traveling public. The Clear RT application process collected a great deal of personal information from members, such as proof of legal name, date of birth, citizenship status, home address, place of birth, and gender. The information was used to pre-screen travelers for express service through airport security checkpoints. The committee is investigating, among other things: when the TSA became aware of the bankruptcy; whether they have asked the company for its plan regarding its RT data; if the agency is seeking a privacy impact assessment on the bankruptcy; and whether the agency has a contingency plan for safeguarding the data now that the company has gone out of business. See EPIC Air Travel Privacy and EPIC Secure Flight.
The Supreme Court refused to hear a challenge to the Prescription Confidentiality Act, which prohibits the sale of prescription information. The First Circuit had upheld the ban on the sale of such information. EPIC and 16 experts in privacy and technology filed a "friend of the court" brief in support of the law, detailing the substantial privacy interests in de-identified patient data. The petitioners claimed that the law infringed on their free speech rights. See EPIC IMS Health v. Ayotte.
The Internet Corporation for Assigned Names and Numbers appointed Rod Beckstrom as its new CEO and president. ICANN manages the administration of the internet, including the assignment of domain names and IP addresses, preserving operational stability, and developing policies. Beckstrom is an author, entrepreneur, non-profit board member, and expert in decentralized organizations. He resigned as the Director of the National Cybersecurity Center in March 2009, warning of the increasing role of the National Security Agency in domestic security. See EPIC DNSSEC, EPIC WHOIS and The Public Voice.
The Supreme Court delivered an 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter, writing for the Court, held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy.
The Transportation Security Administration has replied to the Privacy Coalition statement on whole body imaging systems. The agency claims that the Privacy Impact Assessment (PIA) provides adequate protection. The Privacy Coalition letter pointed out that "the devices are designed to capture, record, and store detailed images of individuals undressed" and said that "If the public understood this, they would be outraged by the use of these devices by the US government on US citizens." The Privacy Coalition said that the use of the devices should be suspended pending an investigation. The letter was prompted by the TSA's announcement that Whole Body Imaging would replace metal detectors as the primary screening technique at US airports. The House of Representatives recently passed legislation that would establish clear privacy safeguards for the devices. See also EPIC's page on Whole Body Imaging.
Verified Identity Pass, a company that provided the Registered Traveler program under the brand name "Clear," shut down operations on June 22, 2009, citing inability to "negotiate an agreement with its senior creditor." The Clear program allowed travelers who had undergone an extensive background check to go through special security lines at airports. The screening process required extensive data collection, including biometric identifiers, from passengers. The closure raises concern about the transfer of the customer data, which may be attached by creditors in a bankruptcy proceeding. Clear's Privacy Policy is silent on the issue. At a 2005 Congressional hearing, EPIC warned that the absence of Privacy Act safeguards would pose a security risk to Clear customers. See also EPIC's page on Registered Traveler Card.
In a 5-4 decision, the Supreme Court rejected the constitutional right of a convicted individual to access his DNA to prove innocence. Chief Justice Roberts held that the task of harnessing "DNA's power to prove innocence without unnecessarily overthrowing the established system of criminal justice...belongs primarily to the legislature." Justice Stevens, writing for four of the justices in dissent, said that "a decision to recognize a limited right of postconviction access to DNA testing would not prevent the States from creating procedures [to] ensure [] that [it] is nonarbitrary." EPIC has filed several amicus briefs advocating limits on the collection and use of genetic material. However, EPIC has also stated that DNA evidence should be available to prove innocence. See EPIC's pages on District Attorney's Office v. Osborne and Genetic Privacy.
With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft.
The European expert group on data protection and privacy issued guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy.
A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing.