=======================================================================
                              E P I C   A l e r t
=======================================================================
Volume 16.15                                            August 12, 2009
-----------------------------------------------------------------------

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.

                 http://www.epic.org/alert/EPIC_Alert_16.15.html

			"Defend Privacy. Support EPIC."
			     http://epic.org/donate


=======================================================================
Table of Contents
=======================================================================
[1] EPIC Urges Administration to Maintain Cookie Ban, Uphold Privacy
[2] Judge Sotomayor Sworn In as Supreme Court Justice
[3] Data Privacy Legislation Introduced in Congress
[4] Senate Considers National Identification Systems
[5] EPIC Pursues Open Government Requests 
[6] News in Brief
[7] EPIC Bookstore: "Privacy Protection and Minority Rights"
[8] Upcoming Conferences and Events
        - Join EPIC on Facebook http://facebook.com/epicprivacy
  	- Privacy Policy
  	- About EPIC
  	- Donate to EPIC http://epic.org/donate
  	- Subscription Information

=======================================================================
[1] EPIC Urges Administration to Maintain Cookie Ban, Uphold Privacy
=======================================================================

EPIC submitted comments to the Office of Management and Budget
recommending that the existing ban on the use of cookies at federal
government websites be maintained. Such technologies typically use
persistent identifiers. A White House policy memorandum of June 2,
1999, on "Privacy Policies on Federal Web Sites," directs agencies
to post clear privacy policies on agency principal websites, as well
as at any other known, major entry points to sites, and at any web
page where substantial amounts of personal information are posted.
The memo states that privacy policies must be clearly labeled and 
easily accessed when someone visits a web site.

The memorandum directs that "cookies" should not be used at Federal
web sites, or by contractors when operating web sites on behalf of
agencies, unless, in addition to clear and conspicuous notice, the
following conditions are met: a compelling need to gather the data
on the site; appropriate and publicly disclosed privacy safeguards
for handling of information derived from "cookies"; and personal
approval by the head of the agency.

The OMB is now considering a policy change with the implementation
of a three-tiered approach to the use of internet tracking technologies
on Federal Government websites: The first tier consists of
single-session cookies which track users over a single session;
the second tier consists of using tracking technology to track users
over multiple sessions to "gather data to analyze Web traffic
statistics;" the third tier attempts to track users over multiple
visits with the intent of remembering data, settings, or preferences
unique to that visitor through the use of persistent identifiers.
This change in framework will encourage tracking of users who visit
government websites.

EPIC also proposed several safeguards if the new framework on
persistent identifiers is ultimately adopted. EPIC's recommendations
included not tracking users once they have left the government
websites; prohibiting commercialization of information gathered from
users; the application of meaningful rules for public participation;
promoting open government and protecting privacy; availability of
federal agency sponsored cookie data; respecting browser privacy and
security settings; and prohibiting web-analytics or publishing the
algorithm used.

EPIC also suggested that the OMB publish an annual survey outlining
each federal government agency's use of Web tracking technology that
should reflect the URLs, cookies, tracking technologies and processes
adopted and their intended purpose. The placing of tracking technology
for law enforcement, fusion center, or national intelligence purposes
must conform to court oversight, and be subject to an annual reporting
requirement to the appropriate Congressional Oversight Committees,
EPIC urged.

The OMB had invited public comments on the framework that should govern
Federal agency use of web-tracking technology, including appropriate
tiers, basic principles of use, degree of clear and conspicuous notice
on each site, and the applicability and scope of such a framework to
Federal use of third-party applications or websites.

In May, EPIC submitted comments to the President's Office of Science
and Technology and urged the Government to not track users on
Government websites. EPIC stated that since President Obama established
the collaboration between executive departments and agencies and the
public, tracking individuals who access government information would
contradict these goals.

EPIC's Comments to the Office of Management and Budget:
     http://epic.org/privacy/cookies/comnts-to-OMB-cookie.pdf

Office of Management and Budget:
     http://www.whitehouse.gov/omb/

Federal register: July 27, 2009: Proposed Revision of the Policy on Web
Tracking Technologies for Federal Web Sites:
     http://edocket.access.gpo.gov/2009/E9-17756.htm

M-00-13, OMB Memorandum for the Heads of Executive Departments and
Agencies:
     http://www.whitehouse.gov/omb/memoranda_m03-22/

EPIC's Submission to White House Open Government Initiative -
Users Are Not Tracked on Government Sites:
     http://opengov.ideascale.com/akira/dtd/3544-4049

Proposed Cookie Policy:
     http://blog.ostp.gov/category/cookie-policy/

Office of Science, Technology and Policy:
     http://www.ostp.gov/

EPIC FOIA Request to the GSA:
     http://epic.org/privacy/socialnet/gsa_foia_4-30-09.pdf

EPIC Cookies:
     http://epic.org/privacy/internet/cookies/



=======================================================================
[2] Judge Sotomayor Sworn In as Supreme Court Associate Justice
=======================================================================

Judge Sonia Sotomayor was sworn in as the 111th Justice of the
Supreme Court of the United States by Chief Justice John Roberts on
August 8, 2009. Earlier, on August 6, 2009, the United States Senate
voted 68-31 to confirm Judge Sotomayor to be an Associate Justice.
On July 28, 2009, the Senate Judiciary Committee approved the
nomination of Judge Sonia Sotomayor, 13-6.

The Committee action had paved the way for a full Senate vote, and
confirmation required only a simple majority of Senators present and
voting. The Senate vote was held after the Judiciary Committee
delivered a report, which presented the views both of committee
members supporting and those opposing the nominee's confirmation.
The Senate usually, but not always, has agreed with Judiciary
Committee recommendations that a Supreme Court nominee be confirmed.

According to a CRS Report, after the Senate confirms a nomination,
the secretary of the Senate usually attests to a resolution of
confirmation and transmits it to the White House. In turn, the
President signs a "commission," officially appointing the nominee to
the Supreme Court. The signed commission is returned to the
Justice Department for engraving the date of appointment and for
the signature of the attorney general and the placing of the Justice
Department seal. The deputy attorney general then sends the commission
by registered mail to the appointee, along with the oath of office
and a photocopy of the confirmation document from the Senate.

During the closing statement on the nomination hearings, Senator
Patrick Leahy thanked the Senators who evaluated the nomination.
"I believe that experience, perspective, an understanding of how the
world works and people live and the effect decisions will have on the
lives of people, are very important qualifications," Senator Leahy said.
"By striving for a more diverse bench drawn from judges with a wider
set of backgrounds and experiences we can better ensure that there will
be no prejudices and biases controlling our courts of justice. All
nominees have talked about the value they will draw on the bench from
their backgrounds. That diversity of experience is a strength and not a
weakness in achieving an impartial judiciary."

During the Judiciary Committee hearing, several Senators asked questions
concerning privacy. Judge Sotomayor was queried on the general right to
privacy under the Constitution, on Open Government issues, the Foreign
Intelligence Surveillance Act, and National Security.

Judge Sotomayor has ruled on several cases affecting the Fourth and
First Amendments, and open government issues. Her opinions have
included cases regarding the opening and reading of a prisoner's mail,
strip-searches of young girls at juvenile facilities and of adult males
in jails, errors in police computer databases, the validity of a
warrant based upon lies or questionable facts, child pornography on the
internet, the search of a state employee's computer, investigations
regarding FBI misconduct, inter-agency documents and tax law
administration, gag orders on the media from publishing jury names,
contract formation in cyberspace, and the sale of illegal wiretapping
devices.

EPIC prepared an extensive page on Judge Sotomayor's view on privacy
and other related issues. EPIC also provided running coverage of the
nomination hearings and the Committee vote over Twitter at
@privacy140 using #sotomayor, #scotus, and #privacy.


Senator Leahy's Closing Statement on the Nomination:
     http://leahy.senate.gov/press/200908/080609c.html

The President's Nominee: Judge Sotomayor, The White House Blog Post,
May 26, 2009:
     http://www.whitehouse.gov/sotomayor/

Supreme Court Appointment Process: Roles of the President,
Judiciary Committee, and the Senate (CRS Report for Congress,
July 6, 2005):
     http://fpc.state.gov/documents/organization/50146.pdf

Testimony of Judge Sonia Sotomayor:
     http://epic.org/redirect/072009_Sotomayor_Senate_Testimony.html

Twitter - privacy@140:
     http://www.twitter.com/privacy140

Statement of the Honorable Patrick Leahy:
     http://epic.org/redirect/072009_Sotomayor_Leahy_Open.html

Rules of Procedure United States Senate Committee on the Judiciary:
     http://judiciary.senate.gov/about/committee-rules.cfm

EPIC - The Nomination of Judge Sotomayor:
     http://epic.org/privacy/sotomayor

Transcript of Sotomayor Senate Judiciary Committee Hearing:
     http://epic.org/privacy/sotomayor/sotomoyor_transcript.pdf


=======================================================================
[3] Data Privacy Legislation Introduced in Congress
=======================================================================

A new bill, the Personal Data Privacy and Security Act of 2009, has
been introduced in Congress. The statute, introduced by Senator Patrick
Leahy, is intended to prevent and mitigate identity theft, ensure
privacy, provide notice of security breaches, and enhance criminal
penalties and law enforcement assistance; it also attempts to provide
protections against security breaches, fraudulent access and misuse of
personal information.

The proposed law defines "personally identifiable information",
"sensitive personally identifiable information" and "identity theft
victim." The statute prescribes penalties for knowingly concealing
data breaches and provides for the review and amendment of the
federal sentencing guidelines related to fraudulent access to or misuse
of PII. The section sets forth various requirements that the United
States Sentencing Commission is required to consider in its review.

The act mandates data brokers engaged in interstate commerce to adhere
to the provisions of the act for any product or service that allows
access or use of sensitive PII. Procedures are outlined for disclosure
of collected information to the concerned individuals upon request and
in case of adverse actions taken by third parties. Processes for
ensuring accuracy and the dispute of personal information are also
detailed. The bill prescribes civil penalties for data brokers for
violations and empowers the Federal Trade Commission to enforce the act
against errant data brokers.

State Attorneys General may be authorized under State consumer
protection laws to bring a civil suit against a data broker for
violation of State laws in a district court of the appropriate
jurisdiction. However, the PDPSA directs the Attorneys General to
provide the FTC with a written notice and a copy of the complaint.
Further, the statute preserves the right of the FTC to move to stay
the action; intervene in the action; or file petitions for appeal.
The act, however, expressly forbids the establishment of a private
cause of action against a data broker for a violation.

Title III of the statute states that business entities engaged in
interstate commerce that involves the collecting, accessing,
transmitting, using, storing, or disposing of sensitive personally
identifiable information are subject to the requirements of the data
privacy and security program as outlined in the concerned title.
The program directs business entities to comply with the safeguards
outlined in the section as well as safeguards identified by the FTC
in a rulemaking process. A business entity is however deemed to be
in compliance with the privacy and security program if it complies
with or provides protection equal to industry standards as identified
by the FTC. The FTC in turn is precluded from endorsing any regulation
requiring the application of any specific technology.

The proposed law also addresses the obligation to issue security breach
notifications, the timeframe for such issuance and delays or exemptions
for law enforcement or national security purposes. Other provisions of
the bill describe methods of notice, content of notification, notice
to law enforcement and reporting to Congress by the US Secret Service
on the number and nature of security breach notification exemptions.

The Personal Data Privacy and Security Act of 2009 also establishes
the Office of Federal Identity Protection within the FTC. The FIP
is charged with assisting consumers with identity theft and all related
issues including addressing consequences of compromise of PII,
accessing remedies and restoring the accuracy of PII.

Similar legislation has been introduced before the Congress twice
before. The version before the 109th Congress (S.1332) did not
preclude a private right of action and also preserved the State
laws with respect to access and use of PII by data brokers.

EPIC has advocated for strong protections against identity theft. In
2008, EPIC encouraged the FTC to impose monetary penalties on companies
that exposed their customers' data to criminals. In addition, EPIC has
long supported the right of individuals to preserve their anonymity,
particularly in the face of ever more intrusive government
identification requirements. Earlier this year, EPIC testified before
the House Subcommittee on Information Policy, Census and National
Archives. EPIC's testimony had also pointed out that the loss of
control over the credentials that allow individuals to conduct
financial transactions and receive medical care poses a different
problem than the hazards associated with traditional theft. In another
testimony on the Data
Accountability and Trust Act, EPIC had opposed the preemption of
stronger state laws and warned that adopting such a law would be a
mistake as security issues are rapidly changing. EPIC had also urged
the Committee to add a private right of action to the bill.


Personal Data Privacy and Security Act of 2009:
     http://thomas.loc.gov/cgi-bin/query/z?c111:S.1490:

Press Release - Leahy Introduces Cybersecurity Legislation:
     http://leahy.senate.gov/press/200907/072209b.html

Personal Data Privacy and Security Act of 2005:
     http://thomas.loc.gov/cgi-bin/query/z?c109:S.1332:

EPIC Testimony - House Subcommittee on Information Policy,
Census and National Archives:
     http://epic.org/privacy/idtheft/epic_idtheft_rotenberg_6-09.pdf

EPIC Testimony - House Subcommittee on Commerce, Trade and Consumer
Protection:
     http://epic.org/linkedfiles/rotenberg_house_ctcp2221_1319.pdf

H.R. 2221, the Data Accountability and Trust Act:
     http://epic.org/redirect/051509_HR2221.html

Federal Trade Commission:
     http://www.ftc.gov

EPIC - Identity Theft:
     http://epic.org/privacy/idtheft

EPIC - Personal Data and Privacy Protection:
     http://epic.org/privacy/consumer/



=======================================================================
[4] Senate Considers National Identification Systems
=======================================================================

The Senate Committee on Homeland Security and Government Affairs held a
Business Meeting on July 29, 2009 on the "Providing for Additional
Security in States' Identification Act of 2009" (S.1261). The PASS ID
Act declares that beginning one year after the final regulations are
issued, no federal agency can accept a driver's license or state issued
ID card unless the issuing state is "materially compliant." Material
compliance is determined by the Secretary of Homeland Security, based
on whether a state has begun to issue PASS ID driver's licenses and
state issued ID cards.

The Committee conducted a mark-up session and approved several
substituted amendments on substantive provisions of the underlying bill.
The amendments pertained to directing states to provide valid and
verifiable birth records. Also discussed at the hearing was the
discretion granted to a TSA official in denying an individual the
right to board an aircraft if he or she did not have a compliant
identification. Concerns were expressed that the bill did not provide
for a review or an appeal in case of such denials. Sen. Akaka also
suggested that the Committee include an amendment requiring the
Department of Homeland Security to perform an annual report on the
privacy implications of PASS ID. The markup was reported to the
Senate favorably.

The PASS ID bill sets a deadline of 6 years after the final rule that
prohibits all federal agencies from accepting any non-compliant
driver's license or state identification card for any official purpose
which includes boarding an airplane; applying for Social Security
benefits; opening a post office box; and entering a federal building.
This raises questions regarding the physically challenged, children,
poor people, and the elderly who receive benefits from federal
government agencies, as there are reasons why each may not hold a
federally sanctioned state issued identification document. The PASS ID
Act does not specify limits on the requirement of an approved
identification document to access federal government services,
benefits, or meet with federal employees in official settings.

Another hearing was held by the Subcommittee on Immigration, Border
Security and Citizenship of the Senate Judiciary Committee. At the
hearing, "Ensuring a Legal Workforce: What Changes Should be Made to
Our Current Employment Verification System?" Sen. Charles Schumer
proposed the implementation of a "non-forgeable, complete and accurate
immigration system" that relies on biometric identifiers and identifies
legal employees. Sen. Schumer stated that the biometric card should
include fingerprint or enhanced biometric pictures and apply uniformly
to all US citizens and non-citizens alike. Sen. Schumer also added that
such a system must have extensive checks at the inception to prevent
illegal aliens from entering into the database. Sen. Cornyn stated
that the E-Verify system, although flawed, was headed in the right
direction and suggested that the program be given expanded legal
authority, additional resources and improvements.

The use of PASS ID and identification cards with biometric data can
become a de facto national ID card. National ID cards have long been
advocated as a means to enhance national security, unmask potential
terrorists, and guard against illegal immigrants. The REAL ID Act
of 2005 created a national identification card. The implementation of
the statute posed a number of privacy threats because of document
collection, retention, sharing, and use. EPIC and 24 experts
in privacy and technology submitted detailed comments to the DHS in
May 2007 on the draft regulations explaining the many privacy and
security threats raised by the REAL ID Act. "The fundamentally flawed
national identification system is unworkable and the REAL ID Act must
be repealed," EPIC stated. Further, EPIC and the Privacy Coalition
had organized a national campaign against REAL ID implementation.
DHS's own Data Privacy and Integrity Advisory Committee has refused
to endorse the agency's plan.

National Identification systems are established for a variety of
reasons. In the past, the fear of insurgence, religious differences,
immigration, or political extremism have been all too common motivators
for the establishment of ID systems that aim to force undesirables in a
State to register with the government, or make them vulnerable in the
open without proper documents. EPIC has urged the alternative model of
a system of decentralized identification which reduces the risks
associated with security breaches and the misuse of personal
information. Technological innovation can enable the development of 
context-dependent identifiers and a decentralized approach to
identification is consistent with commonsense understanding of
identification. However, Federal, state, and local government agencies
are already engaged in efforts to develop an Information Sharing
Environment through the use of Fusion Centers which seeks to break down
barriers to information controlled by all levels of government.

Senate Hearing on Biometrics:
     http://judiciary.senate.gov/hearings/hearing.cfm?id=3982

The Senate Committee on Homeland Security and Government Affairs,
Business Meeting, July 29, 2009:
     http://epic.org/redirect/081209_Senate_DHS_Biomet.html
     
National Campaign:
     http://privacycoalition.org/stoprealid/

Privacy Office - DHS Data Privacy and Integrity Advisory Committee:
     http://www.dhs.gov/xinfoshare/committees/editorial_0512.shtm

Comments of the DHS Data Privacy & Integrity Advisory Committee,
May 2007:
     http://epic.org/privacy/id-cards/dpiac_comm_050707.pdf

EPIC - ID-Cards:
     http://epic.org/privacy/id-cards/

EPIC's Comments on Minimum Standards for Driver’s Licenses and
Identification Cards:
     http://epic.org/privacy/id-cards/epic_realid_comments.pdf

REAL ID Implementation Review: Few Benefits, Staggering Costs:
     http://epic.org/privacy/id-cards/epic_realid_0508.pdf


=======================================================================
[5] EPIC Pursues Open Government Requests
=======================================================================

EPIC, in promoting open government, frequently requests documents under
the Freedom of Information Act to obtain information from the
government regarding surveillance. Public disclosure of obtained
information improves government oversight and keeps the public informed
about the activities of the government. EPIC is currently pursuing
records to gain more information regarding several government
surveillance programs.

On June 25, 2009, EPIC sent FOIA requests to the Department of Homeland
Security and the National Security Agency requesting the release of the
National Security Presidential Directive 54 and the subsequent
Comprehensive National Cybersecurity Initiative. It was under the
purview of the Directive, issued in 2008, that the intelligence
community developed the CNCI to "improve how the federal government
protects sensitive information from hackers and nation states trying to
break into agency networks."  Although these documents are the
foundation of national policies to protect citizens' information held
by government agencies, neither document has been released in full to
the public. EPIC filed an appeal with both agencies for failing to
disclose these records. 

EPIC also is pursuing records requests for information regarding the
Whole Body Imaging systems being used by the Transportation Security
Administration for passenger security screening in airports. This
millimeter wave technology produces photo-quality images of travelers
as if they were undressed. Although the TSA claims it is not storing
images of passengers screened by the system, the scanners are capable
of such storage and there is no law that prevents this practice. EPIC
filed requests with the TSA, the Department of Defense, and the U.S.
Marshals Service. EPIC is seeking information including: the contracts
with the companies providing the scanners; materials used for training
TSA employees operating the scanners; copies of images produced by the
scanners; and other uses of the technology, such as security screening
in federal court buildings. No documents have been approved, but
appeals have been filed with the TSA and the Marshals Service.

EPIC also filed a FOIA request with the Food and Drug Administration,
which announced the "Sentinel Initiative" in May 2008. One of the goals
of this Initiative is to develop an integrated system, using electronic
data from healthcare information holders, to analyze electronic health
data in order to identify potential risks concerning medical products
that have been approved by the FDA and are available to the public.
EPIC is seeking records regarding FDA’s readiness for compliance with
statutory privacy protections in the development and use of this
extensive database of sensitive personal information. The FDA has
provided some documents regarding the development of the database, but
has not responded to the requests specifically seeking information on
privacy policies. EPIC filed an appeal with the FDA for the release of
this information.

In addition to these requests, EPIC has also filed FOIA requests with
the Federal Bureau of Investigation regarding use of the powers granted
under the Patriot Act and resulting in potential legal violations, and
with the Department of Education and the Department of Defense
regarding collection of student data for military recruitment purposes.
EPIC also
is pursuing an appeal under FOIA with the General Services
Administration for contracts between the U.S. government and social
network service providers.


EPIC - Open Government:
     http://epic.org/open_gov/

Freedom of Information Act Gallery:
     http://www.epic.org/open_gov/foiagallery/

EPIC's FOIA Litigation Docket:
     http://epic.org/privacy/litigation/

FOIA Letter to NSA Seeking Documents on National Cybersecurity
Policies:
     http://epic.org/open_gov/foia2009/foia-nsa-cybersec.pdf

FOIA Letter to DHS seeking Documents on National Cybersecurity
Policies:
     http://epic.org/open_gov/foia2009/foia-dhs-cybersec.pdf

FOIA Appeal to NSA regarding documents on National Cybersecurity
Policies:
     http://epic.org/open_gov/foia2009/foia-appeal-nsa-cybersec.pdf

FOIA Appeal to DHS regarding documents on National Cybersecurity
Policies:
     http://epic.org/open_gov/foia2009/foia-appeal-dhs-cybersec.pdf

EPIC - Whole Body Imaging Technology:
     http://epic.org/privacy/airtravel/backscatter/

FOIA Letter to DHS seeking documents regarding Whole Body Imaging
(4/14/2009):
     http://epic.org/open_gov/foia2009/foia-dhs-wbi-4142009.pdf

FOIA Letter to DHS seeking documents regarding Whole Body Imaging
(7/3/2009):
     http://epic.org/open_gov/foia2009/foia-dhs-wbi-732009.pdf

FOIA Letter to USMS seeking documents regarding Whole Body Imaging:
     http://epic.org/open_gov/foia2009/foia-usms-wbi.pdf

FOIA Letter to DOD seeking documents regarding Whole Body Imaging:
     http://epic.org/open_gov/foia2009/foia-dod-wbi.pdf

FOIA Appeal to TSA regarding the April 14, 2009 request:
     http://epic.org/open_gov/foia2009/foia-appeal-tsa-wbi.pdf

FOIA Appeal to TSA regarding the July 3, 2009 request:
     http://epic.org/open_gov/foia/foia2009/foia-appeal-tsa-wbi.pdf

FOIA Appeal to USMS:
     http://epic.org/open_gov/foia/foia2009/foia-appeal-usms-wbi.pdf

FOIA Letter to FDA seeking documents regarding the Sentinel Initiative:
     http://epic.org/open_gov/foia/foia2009/foia-fda-sentinel.pdf

FOIA Appeal to FDA:
     http://epic.org/open_gov/foia/foia2009/foia-appeal-fda-sentinel.pdf



=======================================================================
[6] News in Brief
=======================================================================


DHS Outlines Progress in 9/11 Recommendation Report

The Department of Homeland Security has released a progress report
on 9-11 Commission Recommendations. The recommendations pertain to
guarding against terrorism and ensuring transportation security,
border security; increasing "preparedness efforts;" protecting
privacy and civil liberties; and improving collaboration and
information sharing. The recommendations include developing a risk-based
plan for transportation security, airline passenger pre-screening,
airline passenger explosive screening, and checked bag screening.
Tracking and disrupting terrorist financing, standardizing secure
identification, and integrating border security into a larger network
of screening points, including the transportation system, are also
recommended.
The DHS also advised allocating homeland security funds based
on risk and improving interoperability of communications at all levels
of government and establishing a unified incident command system.
The DHS report also recommended balancing security and civil liberties
and safeguarding individual privacy when sharing information. EPIC
had testified before the 9-11 Commission and had emphasized the
important history of privacy protection, the problems with new systems
of surveillance, and the specific need to preserve constitutional
checks and balances. EPIC also urged the Commission to consider the
important role of public oversight in evaluating the federal
government's intelligence-gathering authority rather than focusing
exclusively on Congressional oversight.


Progress in Implementing 9/11 Commission Recommendations:
     http://epic.org/redirect/081209_911Comm_Prog_Rpt.html

DHS: Secretary Napolitano and National Security Preparedness Group
Discuss DHS Progress in Fulfilling 9/11 Commission Recommendations:
     http://www.dhs.gov/ynews/releases/pr_1248455026046.shtm

EPIC - The 9/11 Commission Report:
     http://epic.org/privacy/terrorism/911comm.html

The 9/11 Commission Report:
     http://epic.org/privacy/terrorism/usapatriot/sec12.pdf



Social Network Privacy Study Reports Serious Concerns

A Cambridge University study covering 45 social networks has reported
serious concerns about the extent to which such sites fail to keep users'
personal information private. While inaccurate privacy policies and
inaccessible guidelines have been reported before, the Cambridge report
provides numerical statistics to confirm their scope. The researchers
found faults with the amount of personal information required to be
handed over, the standards of encryption protocols, default privacy
settings, and confusing user-interfaces. Testing each site against 260
criteria, the researchers examined features such as log-in procedures
and configuration controls. The study concluded that "the naive
application of utility maximization theory fails to capture all the
intricacies of the market for privacy in social networking." The report
also stated that "a major problem was the lack of accessible
information for users, encouraged by the sites' strong incentives to
limit privacy salience as part of the privacy communication game: the
data suggests that sites may have evolved specifically to communicate
differently to users with different levels of privacy concern."
Recently, the Canadian Privacy Commissioner held that although Facebook
had taken some steps to address privacy, more safeguards were
necessary.


The Privacy Jungle: On the Market for Data Protection in Social
Networks:
     http://epic.org/redirect/081209_SNS_Study_Cambridge.html

Report of Findings into the Complaint Filed by the CIPPIC against
Facebook, Inc. under PIPEDA:
     http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Article 29 Working Party Opinion of Social Networking Sites:
     http://epic.org/privacy/socialnet/Opinion_SNS_090316_Adopted.pdf

EPIC - Facebook Privacy:
     http://epic.org/privacy/facebook/

EPIC - Social Networking Privacy:
     http://epic.org/privacy/socialnet/



FTC Postpones Red Flags Rule

The Federal Trade Commission has delayed the enforcement of the Red
Flags Rule until November 1, 2009 in an effort to give creditors and
financial institutions more time to review, develop and implement
written Identity Theft Prevention Programs. The Rule was scheduled to
come into force on August 1, 2009. The Red Flags Rule requires financial
institutions and creditors to maintain identity theft prevention
programs that identify, detect, and respond to patterns, practices, or
specific activities that could indicate identity theft. The program was
supposed to become effective on November 1, 2008 and subsequently was
postponed to May 1, 2009. The FTC decided to further extend the
enforcement so as to enable businesses to gain a better understanding
of the Rule and any obligations that such businesses may have under it.
The delay in enforcement does not affect other federal agencies'
enforcement of the original November 1, 2008 compliance deadline for
institutions subject to oversight. The rules were developed pursuant to
the Fair and Accurate Credit Transactions Act of 2003. EPIC had
testified before Congress regarding the FACTA, supporting the inclusion
of stronger privacy and identity theft protections in the law.
"Americans need greater protections to address problems with
identity theft, privacy, and inaccuracy," EPIC argued.

FTC Announces Expanded Business Education Campaign on "Red Flags" Rule:
     http://www2.ftc.gov/opa/2009/07/redflag.shtm

FTC Red Flags Guide and other documents:
      http://www.ftc.gov/redflagsrule

Federal Register Notice Issuing "Red Flags" ID Theft Rules:
     http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Agencies Issue Final Rules on Identity Theft Red Flags,
October 31, 2007:
     http://ftc.gov/opa/2007/10/redflag.shtm

EPIC's Page on Identity Theft:
     http://epic.org/privacy/idtheft



Privacy Opposition to Google Books Settlement Grows

Civil liberties organizations are urging Internet users to tell
Google to adopt privacy protections for the Google Book Search
Settlement. The Google service creates a framework that gives the
company access to substantial personal information concerning book
buyers, library patrons, and rightsholders while placing no meaningful
restrictions on the company's use of the data. A judge in New York will
determine later this year whether to approve the proposed settlement.
EPIC has an extensive page on the settlement and highlights the privacy
concerns faced by readers if the settlement is approved as it is.

EPIC - Google Book Settlement and Privacy:
     http://epic.org/privacy/googlebooks

ACLU - Google: Don't Close the Book on Reader Privacy:
     http://epic.org/redirect/081209_ACLU_Google_campaign.html

Google Books:
     http://books.google.com/

Google Books Settlement:
     http://www.googlebooksettlement.com/r/view_settlement_agreement


Bill to Curb SSN Misuse Introduced Before House

A bill to preclude federal, state and local government from selling or
displaying Social Security Numbers to the general public has been
introduced in the House. Rep. John Tanner (D-Tenn.) introduced and Sam
Johnson (R-Texas) co-sponsored the "Social Security Number Privacy and
Identity Theft Prevention Act of 2009" (H.R. 3306). The bill would
amend the Social Security Act to enhance SSN privacy protections,
prevent fraudulent misuse of SSN, and attempt to enhance protection
against identity theft. The bill also restricts display of SSN on
government IDs and tags, and prescribes uniform standards for
truncation of SSN. The proposed law also prescribes criminal penalties
for SSN misuse and extends civil monetary penalty authority.  Similar
legislation was introduced before the last Congress, and although
approved, the bill was never voted on by the entire House.


Social Security Number Privacy and Identity Theft Prevention Act of
2009 (H.R. 3306):
     http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.3306:

Social Security Number Privacy and Identity Theft Prevention Act
of 2007:
     http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.3046:

EPIC - Social Security Numbers:
     http://epic.org/privacy/ssn/

EPIC - Identity Theft:
     http://epic.org/privacy/idtheft

EPIC - Personal Data and Privacy Protection:
     http://epic.org/privacy/consumer/



=======================================================================
[7] EPIC Bookstore: "Privacy Protection and Minority Rights"
=======================================================================

"Privacy Protection and Minority Rights"
Edited by Mate Daniel Szabo

http://www.ekint.org/ekint_files/File/kiadvanyok/privacy_minority.pdf


The protection of a minority group in any country envisages the grant
of protection by the state and in some cases, preferential selection
in the grant of employment, education, and business from which such
group has been historically excluded. Conferring such benefits
necessarily begins with identifying members and then granting them
protections. However, according to the editor, the freedom of identity
means that the state does not have power to interfere with the decision
of an individual to affirm or conceal one's ethnic identity or force
someone to make a declaration to that effect.

This book is a collection of three essays and the compilation starts
off by educating the readers about the foundation of minority
registration in Hungarian Law. Ivan Szekely's article focuses on
affirmative action and data protection. Szekely highlights the conflict
when the realization of one fundamental right can conflict with another
- the ban on compiling registers of minority origin and identities under
data protection laws on the one hand is at cross purposes with fighting
the abuses of claiming election seats or a role in distributing state
subsidies on the other. As a solution, Szekely endorses the use of a
"central registration of aggregate data" which does not attract data
protection laws while allowing group-level realization of subsidies. The
author also suggests various other solutions like application of
unidirectional data transformation procedures, data dividing, application
of privacy enhancing technologies and then discusses consequent
advantages.

The next essay of the book addresses whether ethnic data in Hungary
should be standardized. This article also examines the relationship
between protection of sensitive data and the free flow of ethnic data
required for unimpeded provision of additional rights. At the outset,
Balazs Majtenyi and Laszlo Andras Pap point out people in need of
protection are defined differently in cases of discrimination than when
affirmative measures are at stake. The writers then review the
constitutional background and regulatory environment with regard to
data processing and make suggestions that could be implemented under
Hungarian law. Majtenyi and Pap also suggest that although a
legislative effort may rectify human rights violations, a shift in the
mindset of lawyers would be equally desirable. The authors further call
upon lawmakers and officials to have the courage to create and run a
"genuinely functional system of minority protection."

The final essay of the compilation pertains to identification checks
based on racial or ethnic stereotypes. Written by Kadar, Korner,
Moldova and Toth, this paper cites to several reports which show that
Roma - the minority community of Hungary - had a much lesser chance of
avoiding liability if caught during the commission of a crime. The
essay goes on to describe the "Strategies for Effective Police Stop and
Searches," the proportion of ID checks in relation to the population
and its effectiveness. Pointing out the ethnic disproportionality in
the "ID-checked" population, the researchers conclude that ethnic
profiling by police officers is a problem that must be acknowledged.
The authors suggest amending the Police Act, institutionalizing the
relationship between local communities and the police, and the training
of police officers.

While the book pertains to privacy protection and honoring minority
rights in Hungary, it is equally applicable in a more macrocosmic
sense. Virtually every country in the world has a minority population
that is targeted by another group - be it the majority or a
state-backed authority. These groups always end up suffering some sort
of discrimination or another. Some suggestions contained in this book
would indeed be helpful to anyone looking to understand human rights
violations and offer possible remedies, and the book is certainly worth
a read for human rights activists and lawmakers alike.

-- Anirban Sen


================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/
	
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act, and
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years. 

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore


================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes


=======================================================================
[8] Upcoming Conferences and Events
=======================================================================


Pan-European Dialogue on Internet Governance (EuroDIG), 
Geneva, Switzerland, September 14-15, 2009. For more information,
http://www.eurodig.org/

ASAP FOIA/Privacy Act Workshop, Chicago, Illinois, September 21-23,
2009. Registration: July 7, 2009 - September 11, 2009. For more
information, http://www.accesspro.org/

2nd International Action Day "Freedom not Fear - Stop the
Surveillance Mania," September 12, 2009, Worldwide Demonstrations,
Events, Privacy Parties etc. in many countries. For more information,
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

3rd European Privacy Open Space,
October 24-25, 2009, Vienna, Austria.
For more information, http://www.privacyos.eu

Global Privacy Standards in a Global World, The Public Voice,
Madrid, Spain, November 3, 2009. For more information,
http://thepublicvoice.org/events/madrid09/

31st International Conference of Data Protection and Privacy
Commissioners, Madrid, Spain, November 4-6, 2009. For more information,
http://epic.org/redirect/072009_31Conf_IntlDPA.html

UN Internet Governance Forum,
November 15-18, 2009, Sharm El Sheikh, Egypt.
For more information, http://www.intgovforum.org/


=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy

http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.


=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."


=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.


=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert


The EPIC Alert displays best in a fixed-width font, such as Courier.


------------------------- END EPIC Alert 16.15 ------------------------
