Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert 17.16

=======================================================================
E P I C   A l e r t
=======================================================================
Volume 17.16                                             August 16, 2010
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/epic_alert_1716.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================
[1] Feds Admit that Body Scanner Machines Store Photos
[2] EPIC Submits Amicus in NASA v. Nelson
[3] Maine Law on Prescription Privacy Upheld
[4] Elena Kagan Confirmed as Supreme Court Justice
[5] Federal Appeals Court Requires Warrant for GPS Tracking
[6] News in Brief
[7] EPIC Book Review: "Cyberwar"
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!

- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends
- DISPLAY the IMAGE http://thepublicvoice.org/nakedmachine.jpg
- SUPPORT EPIC http://www.epic.org/donate/

=======================================================================
[1] Feds Admit that Body Scanner Machines Store Photos
=======================================================================

In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 collected by the agency.

EPIC has also pursued a FOIA lawsuit against the Department of Homeland Security for images produced by the machines.
EPIC obtained agency documents which revealed that the agency expressly required that the full body scanners be able to store and transmit images. The agency has admitted to possessing around 2,000 stored images produced by the machines, but refuses to turn them over.

EPIC has also filed suit to stop the deployment of the machines in US airports. EPIC filed a petition for review and motion for an emergency stay, urging the D.C. Circuit Court to suspend the TSA's airport full body scanner program. EPIC said that the program is "unlawful, invasive, and ineffective." EPIC argued that the federal agency has violated the Administrative Procedure Act, the Privacy Act, the Religious Freedom Restoration Act, and the Fourth Amendment. EPIC cited the invasive nature of the devices, the TSA's disregard of public opinion, and the impact on religious freedom.

EPIC's Press Release Regarding Body Scanner Images
http://epic.org/press/EPIC_Body_Scanner_Press_Release_08_03_10.pdf

EPIC v. DOJ, EPIC's Complaint
http://epic.org/foia/DOJ_USMS_Complaint.pdf

EPIC v. DHS (FOIA)
http://epic.org/privacy/airtravel/backscatter/epic_v_dhs.html

EPIC v. DHS (Suspension of Body Scanner Program)
http://www.epic.org/redirect/081110epicvdhs.html

=======================================================================
[2] EPIC Submits Amicus in NASA v. Nelson
=======================================================================

On August 9, 2010, EPIC filed a "friend of the court" brief in the United States Supreme Court, urging the Justices to protect the privacy of scientists working at NASA's Jet Propulsion Laboratory (JPL). Twenty-seven legal and technical experts signed the brief. In NASA v. Nelson, the Court has been asked to determine whether the scientists' right to "informational privacy" prohibits NASA from collecting information concerning the individuals' medical records as a condition of employment.
EPIC's brief argues that compelled disclosure would risk exposing sensitive, personal health information that is insufficiently protected by NASA.

In NASA v. Nelson, federal contract employees at the Jet Propulsion Laboratory filed suit against the agency. The scientists allege that NASA's new requirement that they submit to in-depth background investigations violates the Administrative Procedure Act, their constitutional right to informational privacy, and the Fourth Amendment. The scientists are employed by Caltech, and are not government employees. Rather, they are "low risk" contractors, and NASA admits that they perform unclassified, non-sensitive work. The scientists object to NASA's policy requiring every JPL employee to submit to a background investigation. The investigation requires the applicant to disclose information concerning medical treatment.

The Supreme Court described the Americans' right to informational privacy - the "individual interest in avoiding disclosure of personal matters." - in two 1977 cases: Whalen v. Roe and Nixon v. Administrator of General Services. EPIC's brief notes: "since the Court's 1977 analysis in Whalen, scholars and international courts have described the importance of the right to informational privacy and opined on the right's vital role in safeguarding individuals from data collection and disclosure." The brief details scholars' analyses of the importance of the right to informational privacy. Further, EPIC's brief describes international courts' "widespread recognition of the right to informational privacy." International courts have invoked the right to informational privacy to protect individuals' interests in their personal medical information. International courts have also applied the right to protect employees' interests in refusing to disclose sensitive information to employers.
EPIC's brief argues, "constitutional privacy safeguards are particularly important in this case because NASA's failure to meet its obligations under the Privacy Act and the agency's poor data security practices pose substantial risks to the scientists' personal information." The brief details NASA's previous willful disclosure of employees' sensitive health information, as well as the agency's subsequent claims that its disclosures were lawful. Further, EPIC notes that "even if the Scientists' information is ostensibly protected by the Privacy Act, it might be disclosed through a data breach." "The risks of such a disclosure are not, as [NASA] claim[s], a 'remote possibility.' Instead, the risk of disclosure is substantial: Independent investigators recently highlighted the agency's vulnerability to data breaches," EPIC wrote.

"Friend-of-the-court," Brief by EPIC in NASA v. Nelson (Aug. 9, 2010)
http://epic.org/amicus/nasavnelson/EPIC_amicus_NASA_final.pdf

Supreme Court Docket page for NASA v. Nelson
http://epic.org/amicus/nasavnelson/

EPIC's NASA v. Nelson page
http://epic.org/amicus/nasavnelson/

=======================================================================
[3] Maine Law on Prescription Privacy Upheld
=======================================================================

The First Circuit Court of Appeals has upheld a Maine law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. The law allows doctors who write prescriptions in Maine to choose to make certain data about their prescription practices unavailable for use by marketers. For doctors who have opted out, the law "prohibits certain entities from licensing, using, selling, transferring, or exchanging this information for a marketing purpose."

Data mining companies had challenged the law, claiming that the privacy measure violated their free speech rights. In IMS Health v.
Mills, the court rejected this argument because "the statute regulates conduct, not speech, and even if it regulates commercial speech, that regulation satisfies constitutional standards." The court also rejected an argument by the companies that the statute should be void for vagueness, finding that the legislature spoke with sufficient specificity for the law to be valid. Finally, the court rejected an argument that Maine does not have the power to protect its citizens' privacy in this way.

The decision in IMS Health v. Mills followed a decision by a panel of the same court in IMS Health v. Ayotte, upholding a similar law in New Hampshire. In Ayotte, as well as in a similar case still pending regarding a Vermont law (IMS Health v. Sorrell), EPIC and several privacy and technology experts filed "friend of the court" briefs arguing that there is a substantial state interest in privacy protection and that the data miners' de-identification practices do not, in fact, protect patient privacy. A decision in the Vermont case is expected soon.

First Circuit Opinion, IMS Health v. Mills
http://www.ca1.uscourts.gov/cgi-bin/getopn.pl?OPINION=08-1248P.01A

EPIC: IMS Health v. Ayotte
http://epic.org/privacy/imshealth/

EPIC: IMS Health v. Sorrell
http://epic.org/privacy/ims_sorrell/

EPIC: Medical Privacy
http://epic.org/privacy/medical/

=======================================================================
[4] Elena Kagan Confirmed as Supreme Court Justice
=======================================================================

This week the Senate confirmed Elena Kagan as the next Supreme Court justice. Kagan graduated summa cum laude from Princeton University and magna cum laude from Harvard Law School. She is a former dean of Harvard Law School and former Solicitor General in the Clinton Administration.

In anticipation of Elena Kagan's confirmation hearings, EPIC sent a letter to Senators Patrick Leahy (D-VT) and Jeff Sessions (R-AL).
In addition to asking the Senators to consider Kagan's record on privacy, the letter encouraged them to ask the nominee probing questions about her views on body scanners, consumer privacy and the Fourth Amendment, among other emerging privacy issues.

As Deputy Assistant to the President for Domestic Policy and Deputy Director of the Domestic Policy Council for the Clinton Administration, Kagan wrote on several privacy issues with present-day analogues. She wrote in support of "hand held gun detector devices" that would enable "police...[to] potentially scan people in public places without their knowledge." Kagan also proposed guidelines to "allow officers to scan liberally, particularly in airports, train stations and traffic stops." She expressed these views pre-September 11, 2001, and the writings hint at her views on controversial new search techniques like the TSA's full body scanner program.

Also during her time under President Clinton, Kagan expressed views on consumer privacy. She gave her support to the Administration's health care agenda, including "consumer protection reforms (to ensure quality, prevent discrimination, and protect privacy." Kagan also supported privacy protection legislation to "establish strong federal standards to ensure the confidentiality of medical records."

More recently, as Solicitor General under President Obama, Kagan argued against two important lower court rulings, Comprehensive Drug Testing v. United States and City of Ontario v. Quon. In Comprehensive Drug Testing, the Ninth Circuit set forth five guidelines meant to protect privacy for law enforcement when conducting electronic searches. Kagan argued that the Comprehensive Drug Testing standards are too cumbersome, and that they will undermine the ability of law enforcement to catch criminals. Kagan also filed an amicus brief on behalf of the petitioners in Quon.
In it, she argued that the government has no obligation to limit searches of text messages to protect individual privacy. This argument is in direct opposition to the position taken in EPIC's amicus in Quon, which argued that petitioners' searches were overbroad and unnecessary.

Solicitor General Kagan did make several comments during the hearing about Constitutional interpretation and the Fourth Amendment. In response to the first question she received from Chairman Leahy, Kagan said that the framers of the Constitution were wise to use broad terms. She noted that they "didn't live with bomb sniffing dogs and heat detecting devices." The statement was a reference to two important Supreme Court cases, Illinois v. Caballes (2005) and Kyllo v. US (2001).

EPIC, Letter to Senators Leahy and Sessions
http://epic.org/privacy/kagan/EPIC_Kagan_Ltr.pdf

EPIC, Elena Kagan and Privacy
http://epic.org/privacy/kagan/

EPIC, City of Ontario v. Quon
http://epic.org/privacy/quon/

EPIC, Amicus Brief in City of Ontario v. Quon
http://epic.org/privacy/quon/Quon_Brief_Draft_final.pdf

Kagan's Amicus Brief in Support of Reversal in City of Ontario v. Quon
http://epic.org/privacy/quon/08-1332_ReversalAmCuUSA.pdf

=======================================================================
[5] Federal Appeals Court Requires Warrant for GPS Tracking
=======================================================================

On August 6, 2010, the D.C. Circuit Court of Appeals ruled that police must obtain a warrant before using Global Positioning System (GPS) devices to monitor vehicles. GPS tracking constitutes a seizure under the U.S. Constitution because "prolonged GPS monitoring reveals an intimate picture of the subject's life that he expects no one to have," the Court held.

In United States v. Maynard, criminal defendants challenged the constitutionality of warrantless electronic tracking of civilians' cars by the police.
DC Police installed a global positioning system ("GPS") device on Jones's Jeep, and tracked his movements around the clock. The tracking data was used as evidence at the criminal trial. GPS-based systems can record a vehicle's location and speed around the clock, and transmit the data to law enforcement agents. Jones argued that the conviction "should be overturned because the police violated the Fourth Amendment prohibition of unreasonable searches by tracking his movements 24 hours a day for four weeks ... without a valid warrant."

The court held that the police's GPS surveillance was unlawful, because it enabled the police to "track Jones's movements 24 hours a day for 28 days as he moved among scores of places, thereby discovering the totality and pattern of his movements from place to place to place." The court noted that United States v. Knotts, a 1983 Supreme Court case authorizing rudimentary warrantless electronic surveillance of cars, does not authorize warrantless GPS tracking.

The DC Circuit decision follows two other federal appeals court opinions that authorized warrantless GPS tracking, United States v. Pineda-Moreno and United States v. Garcia. Conversely, the New York and Washington state supreme courts have barred warrantless GPS tracking.

The Massachusetts Supreme Judicial Court also held that a warrant is required for the use of a GPS tracking device. EPIC filed an amicus brief in the case, Commonwealth v. Connolly. EPIC urged the Justices to require a warrant before police covertly track drivers using concealed surveillance technology. EPIC said the proliferation of police tracking devices "creates a large, and largely unregulated, repository containing detailed travel profiles of American citizens." The EPIC brief warned that "law enforcement access to such information raises the specter of mass, pervasive surveillance without any predicate act that would justify this activity."
EPIC said that GPS systems are becoming increasingly widespread, and identified particular growth among vehicle-installed GPS systems. The federal government is currently tracking drivers in six states using GPS tracking systems designed to assess a mileage tax as an adjunct or replacement for federal gasoline tax revenue. Several states, including Massachusetts, have proposed similar plans, which are often called "VMT (Vehicle Miles Traveled)" regimes. Some private firms, including UPS, mandate GPS tracking on their vehicles. Others, such as OnStar, offer GPS tracking services to the public.

The brief explains that, as GPS trackers become more commonplace, it is easier for law enforcement to engage in large-scale, simultaneous surveillance of multiple individuals. Such ease raises the troubling prospect of mass, pervasive surveillance. EPIC's brief urges the court to require a warrant, based on independent judicial review of the evidence, prior to law enforcement use of GPS tracking.

DC Circuit decision - United States v. Maynard
http://www.epic.org/redirect/081110maynarddecision.html

"Friend-of-the-court," Brief by EPIC in Commonwealth v. Connolly
http://epic.org/privacy/connolly/042009amicus.pdf

Massachusetts Supreme Judicial Court Docket page for Commonwealth v. Connolly
http://www.ma-appellatecourts.org/display_docket.php?dno=SJC-10355

EPIC's Commonwealth v. Connolly page
http://epic.org/privacy/connolly/

=======================================================================
[6] News in Brief
=======================================================================

Governments Demand Unencrypted Message Data from Blackberry Devices

Several countries have made demands on Blackberry's parent company, Research in Motion (RIM). Saudi Arabia, India, and others have demanded that the company, which relies on its security as a selling point, begin turning over unencrypted message data to law enforcement.
The Saudi and Indian governments are threatening to shut down RIM's services in their respective countries if the company doesn't comply. Sources have reported that RIM has reached an agreement with the Saudi government that will allow for the sharing of at least some data.

EPIC: Privacy and Human Rights
http://epic.org/phr06/

Research in Motion
http://www.rim.com/

Town Uses Google Maps to Check for Pools

Riverhead, New York, a town on Long Island, used Google Maps to investigate which of its residents have pools, then checked those addresses against its own database to find pools without proper permits. Town officials report that they found roughly 250 unlicensed pools, totaling fees around $75,000.

NBC New York, Heads Up! Google Earth Used to Track Illegal Pools on Long Island
http://www.epic.org/redirect/081110googlenewstry1.html

Fox News, Google Earth Watching Your Backyard ...And Maybe More
http://www.epic.org/redirect/081110googlenewstry2.html

Google Office Raided in South Korea over Street View Wi-Fi

Google's office in Seoul, South Korea has been raided by the Korean National Police Agency over the company's collection of unencrypted Wi-Fi data through its Google Earth street mapping program. According to a statement from the agency, officials arrived at the office with a search warrant, seized materials, and will ask Google to turn over all data that the company collected since it launched the program in Korea. The raid involved the agency's Cyber Terror Response Center. With this action, South Korea becomes the latest in a long line of countries and U.S. states that have begun investigations into Google's collection of wireless internet data.
KNPA Press Release (translated from Korean)
http://www.epic.org/redirect/081110newsrelease.html

EPIC: Investigations of Google Street View
http://epic.org/privacy/streetview/

New York Times, Police in South Korea Raid Google's Office
http://www.nytimes.com/2010/08/11/technology/11google.html

=======================================================================
[7] EPIC Book Review
=======================================================================

"Cyberwar" - Richard A Clarke

Available for purchase at:
http://epic.org/redirect/081610booklink.html

Richard A. Clarke, who served as an advisor to Presidents George H.W. Bush, Bill Clinton, and George W. Bush, explores the threats and solutions presented by our wired society in his new book "Cyberwar." Clarke's book allows the reader to see how the government perceives cyber security threats.

Clarke begins the book by describing several attempts at cyberwar that have already occurred. His narratives involving cyber conflicts in Georgia, Estonia, and Korea are compelling. Clarke describes cyber threats in ways that are easy for laymen to understand. Clarke also recounts the state of cyber security in the past three administrations and finds each administration lacking.

Along the way, Clarke touches on many old conflicts between the cyber security community and the privacy and civil liberties communities, including the controversy over the clipper chip. EPIC actively opposed the clipper chip technology, which would have created a backdoor into individuals' private computers. The program failed in the face of widespread opposition.

Clarke criticizes the lack of organization within the government, especially within the Department of Homeland Security, and faults the Obama Administration's "inaction" on cyber security issues.
President Obama has, however, been working with Howard Schmidt, a former Microsoft security executive who has now been appointed cyber security coordinator for the administration and with Timothy Edgar, a former American Civil Liberties Union attorney, to assure that a balance is struck between cyber security and civil liberties. In a speech on cyber security in May 2009, Obama stated "Our pursuit of cybersecurity will not include - I repeat, will not include - monitoring private sector networks or internet traffic." "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans," he said.

Clarke acknowledges that privacy and civil liberties are important issues in any discussion regarding cyber security. He concedes that, in recent years, the government has done much to lose the trust of the American public and advocates the creation of "empowered, independent organizations to investigate whether abuses are occurring and to bring legal action against those who are violating privacy laws and civil liberties." But Clarke fails to acknowledge the numerous instances of post-hoc immunity and toothless "independent" federal agencies. Even independent agencies that are empowered to enforce law and regulation often lack political will to do so.

Experts have also questioned the extent of the risk presented by cyber warfare. Clarke runs through several scenarios which, while well written and interesting, may be hyperbolic. In a recent debate hosted by Intelligence Squared, EPIC Director Marc Rotenberg and security expert Bruce Schneier argued that the threat of cyberwar has been greatly exaggerated.

Intelligence Squared Debate available at:
http://www.epic.org/redirect/081110debate.html

--Ginger McCall

=======================================================================

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A.
Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world.
The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School Crete, Greece, September 13-17 2010.
For more information: http://www.nis-summer-school.eu

Internet Governance Forum 2010 Vilnius, Lithuania, 14-16 September 2010.
For more information: http://igf2010.lt/

"32nd Int'l Conference of Data Protection and Privacy Commissioners" Jerusalem, October 2010.
For more information: http://www.justice.gov.il/MOJEng/RashutTech/News/conference2010.htm

The Public Voice Civil Society Meeting: "Next Generation Privacy Challenges and Opportunities" Jerusalem, October 25, 2010
For more information: http://thepublicvoice.org/events/israel10/

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities.
We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.
=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.15 ------------------------