Focusing public attention on emerging privacy and civil liberties issues

Defend Privacy. Support EPIC@15.

Latest News - July 5, 2009

Facebook to Change User Privacy Settings

Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in term of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy.

Supreme Court Maintains California Financial Privacy Law

Today the Supreme Court denied review of the California law that provides customers with privacy safeguards for financial data. The law limits the sale of personal information by financial firms to affiliates, and imposes opt-in requirements. The Ninth Circuit upheld substantial portions of the California Financial Information Privacy Act. EPIC filed a brief in that case favoring the law. Financial firms argued that the California statute conflicts with other federal rules. The Justice Department recommended that the Supreme Court leave the state statute in place. See EPIC ABA v. Brown and EPIC Privacy and Preemption Watch.

House Committee Opens Investigation into Clear Data

Leaders of the House Homeland Security Committee sent a letter to the Transportation Security Administration regarding the bankruptcy of Verified Identity Pass, the parent company for the Clear registered traveler (RT) program. Clear was the largest RT program in the nation operating out of 20 airports with about 165,000 members.  The TSA established RT security, privacy and compliance standards for the Clear program and bolstered the company's credentials with the traveling public. The Clear RT application process collected a great deal of personal information from members, such as proof of legal name, data of birth, citizenship status, home address, place of birth, and gender. The information was used to pre-screen travelers for express service through airport security checkpoints.   The committee is investigating among other things: when the TSA became aware of the bankruptcy; whether they have asked the company for its plan regarding its RT data; if the agency is seeking a privacy impact assessment on the bankruptcy; and whether the agency has a contingency plan for safeguarding the data now that the company has gone out of business. See EPIC Air Travel Privacy and EPIC Secure Flight

Supreme Court Let Stand New Hampshire Prescription Privacy Law

The Supreme Court refused to hear a challange to the Prescription Confidentiality Act, which prohibits the sale of prescription information. The First Circuit had upheld the ban on the sale of such information. EPIC and 16 experts in privacy and technology filed a "friend of the court" brief, in support of the law, detailing the substantial privacy interests in de-identified patient data. The petitioners claimed that the law infringed on their free speech rights. See EPIC IMS Health v. Ayotte.

Rod Beckstrom to Head ICANN

The Internet Corporation for Assigned Names and Numbers appointed Rod Beckstrom as its new CEO and president. ICANN manages the administration of the internet including assignment of domain names, IP addresses, preserving operational stability, and developing policies. Beckstrom is an author, entrepreneur, non-profit board member, and expert in decentralized organizations. He resigned as the Director of the National Cybersecurity Center in March 2009 warning of the increasing role of the National Security Agency in domestic security. See EPIC DNSSEC, EPIC WHOIS and The Public Voice.

Supreme Court: Strip-Search of Teenager Violated Constitutional Rights

The Supreme Court delivered a 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter writing for the Court held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy.

TSA Responds to Whole Body Imaging Objections

The Transportation Security Administration has replied to the Privacy Coalition statement on whole body imaging systems. The agency claims that the Privacy Impact Assessment (PIA) provides adequate protection. The Privacy Coalition letter pointed out that "the devices are designed to capture, record, and store detailed images of individuals undressed" and said that "If the public understood this, they would be outraged by the use of these devices by the US government on US citizens." The Privacy Coalition said that the use of the devices should be suspended pending an investigation. The letter was prompted by the TSA's announcement that Whole Body Imaging would replace metal detectors as the primary screening technique at US airports. The House of Representatives recently passed legislation that would establish clear privacy safeguards for the devices. See also EPIC's page on Whole Body Imaging.

Airport Security Program Closes Operations - What Happens to the Data?

Verified Identity Pass, a company that provided the Registered Traveler program, under the brand name "Clear" shut down operation on June 22, 2009 citing inability to "negotiate an agreement with its senior creditor." The Clear program provided travelers who had undergone an extensive background check to go through special security lines at airports. The screening process required extensive data collection, including biometric identifiers, from passengers. The closure raises concern about the transfer of the customer data, which may be attached by creditors in a bankruptcy proceeding. Clear's Privacy Policy is silent on the issue. At a 2005 Congressional hearing, EPIC warned that the absence of Privacy Act safeguards would post a security risk to Clear customers. See also EPIC's page on Registered Traveler Card.

Supreme Court Rejects DNA Access to Prove Innocence

In a 5-4 decision, the Supreme Court rejected the constitutional right of a convicted individual to access his DNA to prove innocence. Chief Justice Roberts held that the task of harnessing "DNA's power to prove innocence without unnecessarily overthrowing the established system of criminal justice...belongs primarily to the legislature." Justice Stevens, writing for four of the justices in dissent, said that "a decision to recognize a limited right of postconviction access to DNA testing would not prevent the States from creating procedures [to] ensure [] that [it] is nonarbitrary." EPIC has filed several amicus briefs advocating limits on the collection and use of genetic material. However, EPIC has also stated that DNA evidence should be available to prove innocence. See EPIC's pages on District Attorney's Office v. Osborne and Genetic Privacy.

EPIC Urges Comprehensive Strategy for ID Theft

With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft.

European Advisory Group Issues Opinion on Social Networking

The European expert group on data protection and privacy issued a guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy.

Expert Group Asks Google to Improve Cloud Computing Privacy

A letter signed by 38 researchers and academics in the fields of computer science, information security and privacy law was sent to Google's CEO. The letter asks Google to uphold privacy promises made to users of Google Cloud Computing services. In March, EPIC filed a complaint with the FTC urging an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." The EPIC complaint specifically recommended the adoption of encryption to help safeguard privacy and security. Addressing concerns about data vulnerability and interception, the expert group has asked Google to enable HTTPS (web-based encryption) by default in several Google apps, including Gmail. See also EPIC's page on Cloud Computing and EPIC's Page on In re Google and Cloud Computing.

Top News Archive