Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert 17.17

=======================================================================
                          E P I C   A l e r t
=======================================================================
Volume 17.17                                            August 31, 2010
-----------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/epic_alert_1717.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================
[1] Senators Question Full Body Scanners, Highlight Health Risks
[2] EPIC Launches Body Scanner Incident Report Page
[3] Facebook "Places" Embeds Privacy Risks
[4] Agency Reconsiders Medical Breach Notification Rule
[5] Lawsuit Filed for Travel Surveillance Records
[6] News in Brief
[7] EPIC Book Review: "Islands of Privacy"
[8] Upcoming Conferences and Events

TAKE ACTION: Stop Airport Strip Searches!
- JOIN Facebook Group "Stop Airport Strip Searches" and INVITE Friends
- DISPLAY the IMAGE http://thepublicvoice.org/nakedmachine.jpg
- SUPPORT EPIC http://www.epic.org/donate/

=======================================================================
[1] Senators Question Full Body Scanners, Highlight Health Risks
=======================================================================

On August 6, 2010, three U.S. Senators wrote to the Department of Homeland Security (DHS), objecting to the agency's expansion of the airport body scanner program. In a letter to DHS Secretary Janet Napolitano, Senators Collins (R-ME), Burr (R-NC), and Coburn (R-OK) have asked "why the Department continues to purchase this technology when legitimate concerns about its safety appear to remain unanswered." The Senators noted that "the issue of radiation associated with the backscatter x-ray AIT machines has not been adequately addressed by TSA."
They urged the agency's Chief Medical Officer, working with independent experts, to conduct a review of the health effects on travelers and airport personnel.

EPIC recently submitted a Freedom of Information Act request to the DHS for all records of tests conducted by the agency regarding radiation impacts. EPIC has also filed an emergency motion in federal court to suspend the program, pending a thorough review of the airport body scanner program. The EPIC request follows a recent report by Dr. David Brenner to the Congressional Biomedical Caucus that radiation exposure may be up to twenty times greater than the DHS acknowledged. In April 2010, several scientists urged Presidential Science Adviser Dr. John P. Holdren to conduct further evaluation of the health risks of body scanners.

On August 19, 2010, the Chairman and Ranking Member of the Homeland Security Committee, with four other Senators, sent a letter to the head of the US Marshals Service to ask why the federal agency stored more than 35,000 images from full body scanners at the Orlando federal courthouse. The letter follows a Freedom of Information Act lawsuit, filed by EPIC, in which the Marshals Service was forced to disclose images and technical documents demonstrating that it had stored body scanner images.

The August 19 letter follows an EPIC open government lawsuit against the United States Marshals Service. EPIC obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 collected by the agency.

EPIC has also pursued a FOIA lawsuit against the Department of Homeland Security for images produced by the similar airport body scanner machines. The agency has admitted to possessing around 2,000 stored images produced by the machines, but refuses to turn them over.

August 6, 2010 Letter from Senators to DHS
http://www.epic.org/redirect/090110senatorsletter.html

August 19, 2010 Letter from Senators to DHS
http://epic.org/Senators_Letter_US%20Marshals_8-19-10.pdf

EPIC's Press Release Regarding Body Scanner Images
http://epic.org/press/EPIC_Body_Scanner_Press_Release_08_03_10.pdf

EPIC v. DHS (Suspension of Body Scanner Program)
http://www.epic.org/redirect/081110epicvdhs.html

EPIC v. USMS (FOIA)
http://epic.org/privacy/body_scanners/epic_v_doj/default.html

EPIC v. DHS (FOIA)
http://epic.org/privacy/airtravel/backscatter/epic_v_dhs.html

=======================================================================
[2] EPIC Launches Body Scanner Incident Report Page
=======================================================================

On August 30, 2010, EPIC launched the "EPIC Body Scanner Incident Report" web page. The page invites air travelers to share their experiences with the Transportation Security Administration's (TSA's) full body scanner program. Security experts have likened full body scans to a "digital strip search." Medical experts have raised questions about the harmful radiation effects of full body scans. In July, EPIC filed suit in federal court to suspend the program, citing health risks and Constitutional violations.

The EPIC web page follows on the heels of hundreds of complaints filed with the TSA by air travelers. The page provides an opportunity for travelers to submit factual accounts of their first-hand experiences with the full body scanner in airports.

Air travelers have previously criticized the scanner program as invasive, unconstitutional, and offensive. Air travelers have described their "anger and outrage" in response to the body scanner program and detailed the TSA's failure to notify travelers before subjecting them to radiation. Other travelers have raised religious objections to the scanners, noting that the devices run afoul of teachings across many faiths.

In July, EPIC sued the Department of Homeland Security to suspend deployment of full body scanners. EPIC filed a petition for review and motion for an emergency stay, urging the D.C. Circuit Court to suspend the TSA program. EPIC said that the program is "unlawful, invasive, and ineffective." EPIC argued that the federal agency has violated the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, and the Fourth Amendment. EPIC cited the invasive nature of the devices, the TSA's disregard of public opinion, and the impact on religious freedom. Previously, EPIC FOIA lawsuits forced the disclosure of documents that demonstrate full body scanners' ability to collect, retain, and transmit images.

EPIC Body Scanner Incident Report
http://epic.org/bodyscanner/incident_report/

EPIC v. DHS (Suspension of Body Scanner Program)
http://www.epic.org/redirect/081110epicvdhs.html

EPIC v. USMS (FOIA)
http://epic.org/privacy/body_scanners/epic_v_doj/default.html

EPIC v. DHS (FOIA)
http://epic.org/privacy/airtravel/backscatter/epic_v_dhs.html

=======================================================================
[3] Facebook "Places" Embeds Privacy Risks
=======================================================================

The recently announced Facebook service Places makes user location data routinely available to others, including Facebook business partners, regardless of whether users wish to disclose their location. There is no single opt-out to avoid location tracking. The default settings of this new tool allow user data to be disclosed in a number of ways that are not immediately clear to users.

Facebook has put a complicated set of new privacy settings in place to deal with the "Places" tool. Additionally, Facebook allows anyone to create a location on the system, which means anyone could add the location of a person's home or business to the website without the person's knowledge.

By default, Facebook has enabled Places for all users.
If a user chooses to "check in" from a mobile device, that user's location is published to that user's news feed. If the option "Include me in 'People Here Now' after I check in" is selected, the user's location also appears on the public page of the location, available to everyone. This setting is enabled by default for those who have previously set some of their other information available to everyone.

If a user checks in, that user can "tag" a number of friends as also being at the same location. The default behavior for users tagged by their friends is very confusing. Those users who have taken no action with respect to this setting will receive an email and a prompt with the options to "allow" or "not now." Those who choose "allow" are automatically set to allow all future check-ins by friends. Those who choose "not now" are still tagged as being at the location, just not "checked in." Users are also tagged immediately when the check-in takes place, although the tags may be removed once users become aware of them. A user who has ever used Places to check in is automatically set to allow check-ins by friends.

By default, check-in information is also available to the third-party developers of applications that a user has authorized, as well as to the third-party developers of applications that a user's friends have authorized.

Additionally, at the Coca-Cola Village Amusement Park in Israel, visitors were recently issued bracelets with RFID chips that linked to their Facebook accounts. RFID readers scattered throughout the park updated the users' Facebook pages when the bracelets were scanned and on-site photographers posted photos that were automatically tagged with the users' identities.

For users who do not want location information revealed to others, EPIC recommends that Facebook users: (1) disable "Friends can check me in to Places," (2) customize "Places I Check In," (3) disable "People Here Now," and (4) uncheck "Places I check in to" from the list of settings accessible to applications through your friends.

EPIC, joined by many consumer and privacy organizations, has two complaints pending at the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices, which are frequently associated with new product announcements.

EPIC: Facebook Places and Privacy
http://epic.org/privacy/facebook/places/

EPIC: Facebook and Privacy
http://epic.org/privacy/facebook/

EPIC: In re Facebook
http://epic.org/privacy/inrefacebook/

EPIC: In re Facebook II
http://epic.org/privacy/facebook/in_re_facebook_ii.html

Facebook Places
http://www.facebook.com/places/

=======================================================================
[4] Agency Reconsiders Medical Breach Notification Rule
=======================================================================

The Department of Health and Human Services (HHS) has withdrawn its previously issued interim medical privacy rule after facing substantial criticism from privacy advocates. This interim rule was authorized as part of the American Recovery and Reinvestment Act (ARRA) signed by President Obama in February 2009.

The old rule required that health-care providers and insurers report privacy breaches to patients only if the provider or insurer felt that there was a "significant risk" of harm. Privacy advocates criticized this language on the basis that it granted too much discretion to the firms responsible for safeguarding patient data.
Several senators also wrote to HHS Secretary Kathleen Sebelius, urging her to include "strong safeguards that protect the privacy and security of individuals' personal health information" and informing her that the "significant risk" of harm standard was not in keeping with Congress' intent when it passed the ARRA.

In previous comments to the Federal Trade Commission, EPIC recommended that notification of health data breaches be enhanced, that additional breach notification through means such as text messages and social networking sites be developed, and that companies obtain verification of receipt of notifications. EPIC has also testified in Congress that the "significant harm" standard, favored by the HHS for breach notification, is unfair to consumers.

EPIC: Medical Records Privacy
http://epic.org/privacy/medical/

HHS: Interim Medical Privacy Rule
http://www.epic.org/redirect/090110hhsinterimrule.html

Senators' Letter to Kathleen Sebelius
http://epic.org/privacy/medical/HHS_Letter.pdf

EPIC: Comments to Federal Trade Commission
http://epic.org/privacy/medical/Comments_on_FTC_EHR-EPIC.pdf

=======================================================================
[5] Lawsuit Filed for Travel Surveillance Records
=======================================================================

Travel author and privacy advocate Edward Hasbrouck has filed a lawsuit against the United States Customs and Border Protection, a component of the Department of Homeland Security, in U.S. Federal Court under the Privacy Act and the Freedom of Information Act (FOIA). The suit, brought by the First Amendment Project on Hasbrouck's behalf, seeks copies of Hasbrouck's Passenger Name Records stored by the agency for making risk assessments of travelers, which the agency has refused to disclose in response to requests under the Privacy Act.
Hasbrouck is also seeking records under the FOIA and the Privacy Act regarding his original request and the methods that the agency uses to process requests such as his.

After following the agency's procedures and filing administrative appeals, Hasbrouck received no response and has now sued in federal court. Specifically, the complaint asks the court to order the agency to complete its search for non-exempt records and release them in unredacted form to Hasbrouck for his review.

FAQ: Hasbrouck v. U.S. Customs and Border Protection:
http://www.papersplease.org/wp/hasbrouck-v-cbp

Complaint: Hasbrouck v. U.S. Customs and Border Protection:
http://www.epic.org/redirect/090110complaint.html

EPIC: Secure Flight
http://epic.org/privacy/airtravel/secureflight.html

EPIC: Automated Targeting System
http://epic.org/privacy/travel/ats/

=======================================================================
[6] News in Brief
=======================================================================

The Economist Hosts Online Privacy Debate

EPIC President Marc Rotenberg and CATO's Jim Harper are participating in a weeklong live debate, sponsored by the Economist, on the proposition "This house believes that governments must do far more to protect online privacy." Readers can add comments and vote on the motion.

The Economist: Privacy Debate
http://www.economist.com/debate/debates/overview/181

Google Receives No-Bid Contract From Spy Agency

Google was awarded a no-bid contract this week with the National Geospatial-Intelligence Agency (NGA) to provide "a secured, hosted environment that provides web-based access to geospatial visualization services." The NGA produces satellite images and mapping services for both civilian and military government agencies.
In response to objections from Microsoft that its Bing service could compete with Google Earth for the contract, the agency opened the contract up for other entrants but changed the description to require "compatible capability across networks, global access, unlimited processing and software licenses, and access to the Google Earth hosted content through widely-used Open Geospatial Consortium service interfaces."

National Geospatial-Intelligence Agency
http://www.nga.gov

NGA: Solicitation for Geospatial Visualization Enterprise Services
https://www.fbo.gov/index?id=482ab868878ecd0bd81d978216718820

NextGov: NGA's Sticking with Google
http://www.epic.org/redirect/090110newsarticle.html

EPIC Presses for Release of Government Documents on Health Risks of Airport Body Scanners

EPIC has filed an appeal with the Transportation Security Administration, challenging the agency's denial of expedited processing and fee waivers for an EPIC Freedom of Information Act request. EPIC is seeking documents from the TSA concerning full body scanner radiation risks and testing. EPIC challenged the TSA's denial of expedited processing, arguing that by delaying the release of the records, the agency was risking the health of travelers and its own employees. EPIC also argued that the record request was particularly timely, as three US Senators recently wrote to the Department of Homeland Security about the safety of the airport body scanners and the risk to air travelers. Separately, EPIC has urged a federal court to suspend the program, pending an independent review of the health risks and privacy impact.

EPIC: Appeal of TSA's Decision Regarding Fee Waiver and Expedited Process
http://epic.org/privacy/body_scanners/Body_Scan_Rad_Appeal.pdf

EPIC: FOIA Request to DHS Regarding Body Scanners and Radiation
http://epic.org/privacy/backscatter/Body_Scanner_Radiation_FOIA.pdf

Senators' Letter to U.S.
Marshals Service
http://www.epic.org/redirect/090110senatorsletterusms.html

EPIC: Body Scanners
http://epic.org/privacy/airtravel/backscatter/

EPIC v. DHS Suspension of Program
http://www.epic.org/redirect/081110epicvdhs.html

Law Enforcement Agencies Employ Full Body Scanner Vans

Last week, media outlets reported a new use of body scanner technology. Law enforcement agencies around the country have been utilizing full body scanner technology in vans that are able to scan other vehicles while driving down public roadways. These vans, known as Z Backscatter Vans, are capable of seeing through vehicles and clothing and routinely store the images that they generate. The use of full body scanners in the airport security context has been contested by EPIC and other privacy groups, as well as several U.S. senators and congressmembers. The effectiveness, privacy implications, and health risks of this technology have yet to be fully evaluated, as EPIC noted in its recent lawsuit against the Department of Homeland Security.

Forbes Blogs: Full-Body Scan Technology Deployed in Street-Roving Vans
http://www.epic.org/redirect/090110forbesstory.html

EPIC: Body Scanners
http://epic.org/privacy/airtravel/backscatter/

EPIC v. DHS Suspension of Program
http://www.epic.org/redirect/081110epicvdhs.html

Senators' Letter to DHS Regarding Radiation Risks of Full Body Scanners
http://www.epic.org/redirect/090110senatorsletter.html

Call for Papers on Privacy and Technology

Innovation, The European Journal of Social Science Research has issued a call for papers for a thematic issue on the topic of "Privacy and Technology" with a submission deadline of November 30, 2010. According to the request, topics to be discussed include but are not limited to "Data Protection in Europe (with a special focus on New Member States), International, comparative Analyses of Approaches to Privacy, Cognition and Privacy, Privacy and Health Care, Changes in Privacy Perceptions."
All submissions will be peer-reviewed. Please send papers to L.Beltzung@iccr-international.org

Call for Papers: Privacy and Technology
http://www.epic.org/redirect/090110callforpaper.html

=======================================================================
[7] EPIC Book Review "Islands of Privacy"
=======================================================================

"Islands of Privacy" - Christena Nippert-Eng

In her book, "Islands of Privacy," Christena Nippert-Eng deftly explores the intricacies of societal and personal standards of privacy. Ms. Nippert-Eng integrates real life experiences of contributors with in-depth analysis of topics such as technology, secrets, the ownership of information, and breaches of privacy. The contributors' real life experiences keep the book interesting and give Nippert-Eng a chance to explore many facets of privacy in everyday life.

Nippert-Eng begins by exploring the idea of secrets and the psychology and social effects of secret keeping and secret sharing. She interviews a variety of subjects who tell her funny, sad, and fascinating personal stories about secrets. Nippert-Eng discusses the social currency of secrets, exploring their value as a tool to build - and destroy - relationships.

Nippert-Eng then explores secrets and privacy in a variety of contexts, including the telephone and email context. She does an excellent job of exploring the ways that technology and privacy interact. Nippert-Eng explores the advent of cell phones and emails in depth, probing her subjects about a variety of subjects including their feelings on cell phones, the ways that they integrate technology into their lives, and the methods they use to create boundaries and spheres of privacy.

She also explores privacy in more traditional realms: the home and in purses/wallets. The book contains a fascinating analysis of the privacy of purses and wallets and the strict social boundaries that wall off particular private areas like these.
Nippert-Eng probes these strong social conventions and polls subjects on the private vs. public status of items in their purses or wallets, while seamlessly integrating entertaining and enlightening personal narratives from subjects.

Nippert-Eng's book is, overall, an excellent study of what privacy and secrecy mean in the modern age, how social norms are evolving to meet the challenge posed by new technology, and what normal people do to protect their privacy.

--Ginger McCall

=======================================================================

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
http://epic.org/bookstore/foia2008/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies.
The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School
Crete, Greece, September 13-17 2010.
For more information: http://www.nis-summer-school.eu

Internet Governance Forum 2010
Vilnius, Lithuania, 14-16 September 2010.
For more information: http://igf2010.lt/

"32nd Int'l Conference of Data Protection and Privacy Commissioners"
Jerusalem, October 2010.
For more information: http://www.justice.gov.il/MOJEng/RashutTech/News/conference2010.htm

The Public Voice Civil Society Meeting: "Next Generation Privacy Challenges and Opportunities"
Jerusalem, October 25, 2010
For more information: http://thepublicvoice.org/events/israel10/

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 17.17 ------------------------