EPIC Alert 18.17

=======================================================================
                        E P I C   A l e r t
=======================================================================
Volume 18.17                                            August 31, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/epic_alert_1817.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
Table of Contents
=======================================================================
[1] EPIC Files for Rehearing in Airport Body Scanner Case
[2] FTC Finds Mobile Phone App Violated Children's Privacy Law
[3] Facebook Makes Some Changes, Privacy Complaints Still Pending
[4] Twitter Adopts Privacy-Enhancing Default to HTTPS
[5] German DPA Asks for Removal of Facebook 'Like' Button on .de Sites
[6] News in Brief
[7] EPIC Bookstore
[8] Upcoming Conferences and Events

TAKE ACTION: Facebook Privacy 2011!
  - READ EPIC's complaint to FTC: http://epic.org/redirect/062011FB.html
  - WATCH EPIC on ABC Nightline: http://epic.org/redirect/062011FB.html
  - SUPPORT EPIC: http://www.epic.org/donate/

=======================================================================
[1] EPIC Files for Rehearing in Airport Body Scanner Case
=======================================================================

Citing significant errors in an earlier decision, EPIC has petitioned the District of Columbia Circuit Court of Appeals to rehear EPIC's challenge to the Transportation Safety Administration's controversial body scanner program. EPIC is challenging both the factual and legal conclusions of the court. "The court overstated the effectiveness of the body scanner devices and understated the degree of the privacy intrusion to the traveling public," stated EPIC Executive Director Marc Rotenberg.

EPIC's petition for rehearing highlights the distinction between the images viewed by TSA officials and the raw, naked images captured by the body scanner devices. According to documents EPIC obtained via the Freedom of Information Act (FOIA) - including technical specifications, vendor contracts, and hundreds of complaints from US air travelers about the body scanners - the agency specifically designed the devices to capture, store, and transfer naked images of screened individuals. The TSA claims to filter the images, but in a related suit against the United States Marshals Service, EPIC obtained 35,000 of the original, stored images from a single body scanner operated in a courthouse.

EPIC's petition also challenges the finding that the scanners detect "liquid and powders." As a factual matter, the finding was never established, nor did the TSA itself make any such claims. EPIC further argues that the court wrongly concluded that the TSA is not subject to a federal privacy law that prohibits video voyeurism. The panel of judges found that TSA body scanner employees are "engaged in law enforcement activity," contrary to the TSA's own regulations, which state that the Transportation Security Officials who conduct the airport screening are not engaged in law enforcement activity.

EPIC did not challenge the court's determination that the TSA unlawfully failed to provide an opportunity for public comment on the controversial screening program, or that travelers have a right to opt-out of airport body scanners.

EPIC: Petition for Rehearing or Rehearing En Banc (Aug. 29, 2011)
     http://epic.org/redirect/083011_epic_petition_for_rehearing.html

EPIC v. DHS: Original Opinion (July 15, 2011)
     http://epic.org/redirect/083011_epic_v_dhs_opinion.html

EPIC: Opening Brief (Nov. 2010)
     http://epic.org/privacy/litigation/EPIC_Body_Scanner_OB_Final.pdf

EPIC: EPIC v. DHS
     http://epic.org/redirect/083011_epic_v_dhs.html

EPIC: Whole Body Imaging Technology
     http://epic.org/privacy/airtravel/backscatter/

=======================================================================
[2] FTC Finds Mobile Phone App Violated Children's Privacy Law
=======================================================================

In the first privacy settlement involving a mobile application, W3 Innovations, a CA-based mobile-phone game developer, has settled charges with the Federal Trade Commission for violations of the Children's Online Privacy Protection Act (COPPA). The Commission imposed a fine of $50,000 against the company for "illegally collecting and disclosing personal information from tens of thousands of children under age 13 without their parents' prior consent."

W3 Innovations, LLC, doing business as Broken Thumbs Apps, develops and distributes mobile apps for the iPhone and iPod touch that allow users to play games and share information online. The FTC's complaint charged that W3 Innovations and company president and owner Justin Maples distributed iPhone/iPod Touch apps that collected and maintained thousands of email addresses from users. Many of these apps are geared towards young children and were listed in the "Games-Kids" section of Apple Inc.'s App Store. Titles include "Emily's Girl World," "Emily's Dress Up," "Emily's Dress Up & Shop" and "Emily's Runway High Fashion."

"The FTC's COPPA Rule requires parental notice and consent before collecting children's personal information online, whether through a website or a mobile app," said Commission Chairman Jon Leibowitz via the FTC's web site. "Companies must give parents the opportunity to make smart choices when it comes to their children's sharing of information on smart phones."

EPIC previously testified before the Senate Commerce Committee and submitted comments to the FTC on the need to update COPPA and to clarify the law's application to mobile and social networking services.

FTC: Press Release on COPPA Ruling (Aug. 15, 2011)
     http://www.ftc.gov/opa/2011/08/w3mobileapps.shtm

EPIC: Testimony before US Senate on COPPA (April 29, 2010)
     http://epic.org/privacy/kids/EPIC_COPPA_Testimony_042910.pdf

EPIC: Comments to the FTC on COPPA (July 9, 2010)
     http://epic.org/privacy/ftc/COPPA_070910.pdf

EPIC: Children's Online Privacy Protection Act
     http://epic.org/privacy/kids/

=======================================================================
[3] Facebook Makes Some Changes, Privacy Complaints Still Pending
=======================================================================

In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced August 23 that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data and new safeguards for photo tagging.

Privacy controls for sharing photos, posts, and other content now will be inside user profile and status pages instead of on a separate page. Users will have greater flexibility in selecting who sees each individual piece of information, and can now approve or deny "tags" before they appear public. However, Facebook now routinely posts location and status updates; a user no longer has the ability to affirmatively "check in."

EPIC, along with other privacy organizations including the Center for Digital Democracy, Consumer Watchdog, and the Privacy Rights Clearinghouse, has filed several complaints with the Commission about Facebook's automated tagging of users, changes in Privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." In the June 2011 FTC complaint about Facebook's new automated facial recognition feature, EPIC alleged that "[u]sers could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook."

In response to a July 2011 letter from Connecticut Attorney General George Jepsen, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. Even if a user is able to opt-out of being tagged in photos, there is no way to opt-out of being added to Facebook's facial recognition biometric database itself. EPIC's complaints at the FTC are still pending.

Facebook: Announcement on Privacy Controls (Aug. 23, 2011)
     http://blog.facebook.com/blog.php?post=10150251867797131

Facebook: Description of New Privacy Controls (Aug. 2011)
     http://www.facebook.com/about/sharing

Connecticut AG: Press Release (July 26, 2011)
     http://www.ct.gov/ag/lib/ag/press_releases/2011/072611facebook.pdf

EPIC: Facebook Complaint to FTC (June 10, 2011)
     http://epic.org/redirect/062111facebookftccomplaint.html

EPIC: Facebook Privacy
     http://epic.org/privacy/facebook/

EPIC: Facial Recognition
     http://epic.org/privacy/facerecognition/

EPIC: Biometrics
     http://epic.org/privacy/biometrics/

Facebook: Making Photo Tagging Easier
     http://www.facebook.com/blog.php?post=467145887130&_fb_noscript=1

=======================================================================
[4] Twitter Adopts Privacy-Enhancing Default to HTTPS
=======================================================================

Twitter announced August 23 that it will implement HTTPS functionality by default in order to encrypt data and protect privacy for all Twitter users. HTTPS is an Internet protocol allowing web servers to use encryption to securely transfer and display content. Twitter's new policy promotes enhanced privacy for Twitter users, particularly when the service is accessed through public Internet access points. However, because default HTTPS will be phased in gradually, users should still specify "Always use HTTPS" in their account preferences.

Twitter's policy change stems from several security incidents in early 2011, including two in which hackers gained administrative control of the popular web site. After these attacks, the Federal Trade Commission investigated Twitter's business practices, resulting in a settlement agreement that requires Twitter to stop "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information." As a further condition of the settlement, Twitter is required to maintain a "comprehensive information security program" for a period of 10 years. Every violation of the settlement could cost Twitter up to $16,000.

In 2009, EPIC pointed out the importance of default HTTPS in a complaint to the Commission about Google's Cloud Computing Services. EPIC cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information for Cloud Computing services.

Twitter: Notice on Using HTTPS for Improved Security (Aug. 23, 2011)
     http://twitter.com/#!/twitterglobalpr/status/106077860170706944

FTC: Press Release on Twitter Settlement (Mar. 11, 2011)
     http://www.ftc.gov/opa/2011/03/twitter.shtm

EPIC: Complaint to FTC on Cloud Computing (Mar. 17, 2009)
     http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf

EPIC: Social Networking Privacy
     http://epic.org/privacy/socialnet/

EPIC: In Re Google and Cloud Computing
     http://epic.org/privacy/cloudcomputing/google/

=======================================================================
[5] German DPA Asks for Removal of Facebook 'Like' Button on .de Sites
=======================================================================

Thilo Weichert, Data Protection Authority commissioner for the German state of Schleswig-Holstein, has called on web site owners in his state to remove Facebook "Like" buttons.
Sites that do not comply by the end of September 2011 could face a formal complaint, a prohibition order, and/or a penalty fine that may reach 50,000 Euros.

After conducting a thorough legal and technical analysis in conjunction with the Independent Centre for Privacy Protection (ULD), Weichert concluded that when users click the "Like" button on web pages, traffic and content data are transferred to Facebook's US-based servers. "Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years. Facebook builds a broad individual - and for members even a personalized - profile," said Weichert. ULD considers such profiling an infringement of German and European data protection law.

In recent weeks, Germany has issued several statements against Facebook. German data protection authorities have said that Facebook's new facial recognition feature is illegal and have asked the site to remove it and delete all related information: "[E]ven if Facebook was offering a user-friendly method to opt-out, it would not meet national or European data protection requirements. For storage of biometrics a pre-issued, unambiguous consent by the affected is required." Authorities also have demanded that network users have more control over their e-mail address books in Facebook's "Friend Finder" tool.

EPIC has written several complaints to the Federal Trade Commission regarding Facebook's privacy infringements and is awaiting determination by the agency.

German Data Protection Commissioner: Press Release (Aug. 8, 2011)
     https://www.datenschutzzentrum.de/presse/20110819-facebook-en.htm

Hamburg, Germany DPC: Press Release (Aug. 2, 2011)
     http://epic.org/redirect/083011_hamburg_dpc_fb_press_release.html

EPIC: Facebook
     http://epic.org/privacy/facebook/

EPIC: Facebook Facial Recognition
     http://epic.org/redirect/083011_fb_and_facial_recognition.html

EPIC: In Re Facebook (I) (Dec. 17, 2009)
     http://epic.org/privacy/inrefacebook/

EPIC: In Re Facebook (II) (May 5, 2010)
     http://epic.org/privacy/facebook/in_re_facebook_ii.html

=======================================================================
[6] News in Brief
=======================================================================

EPIC's Verdi to Argue Privacy Case in Federal Court of Appeals

The Third Circuit Court of Appeals has granted EPIC's request to argue in support of a Jane Doe police deputy in Luzerne County, PA, who is suing to recover monetary damages for privacy violations. At oral argument, EPIC Senior Counsel John Verdi will urge the court to hold that the Luzerne County Sheriff's Department violated Ms. Doe's Constitutional right to informational privacy when a coworker captured semi-nude video footage without her consent during a mandatory decontamination shower. The 2007 footage was uploaded onto a government computer. EPIC has filed an amicus brief in the Third Circuit Court of Appeals arguing that the case implicates "freedom, intimacy, autonomy, and human dignity." EPIC has filed similar briefs in other cases, including NASA v. Nelson, decided by the Supreme Court earlier this year. Oral argument is scheduled for September 13 in Philadelphia.

EPIC: Doe v. Luzerne
     http://epic.org/amicus/luzerne/default.html

EPIC's amicus brief in Doe v. Luzerne
     http://epic.org/amicus/luzerne/EPIC_Luzerne_Amicus_Brief.pdf


EPIC Settles Street View Case with Federal Trade Commission

EPIC and the Federal Trade Commission have agreed to settle an open government lawsuit regarding the Commission's decision to close the investigation of Google Street View. EPIC sought documents from the FTC after members of Congress urged the Commission to pursue an aggressive investigation and privacy agencies worldwide determined that Google violated national privacy laws.
In 2010 and 2011 the Federal Trade Commission provided EPIC with documents suggesting that the agency believed it lacked enforcement authority over Google. However, the 2010 closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred. The case is EPIC v. FTC, No. 11-cv-00881 (D.C. Dist. Ct 2011).

Reps. Barton and Markey's Letter to FTC Chairman Leibowitz (May 2010)
     http://www.epic.org/redirect/060410housememltr.html

FTC Consumer Protection Office: Street View Closing Letter (Oct. 2010)
     http://www.ftc.gov/os/closings/101027googleletter.pdf

EPIC: Google Street View
     http://epic.org/privacy/streetview/


Federal Judge: Locational Data Protected Under Fourth Amendment

A federal district judge ruled August 22 that law enforcement officers must have a warrant to access cell phone locational data. Judge Nicholas Garaufis of the Eastern District of New York found that "The fiction that the vast majority of the American population consents to warrantless government access to the records ... of their movements by 'choosing' to carry a cell phone must be rejected .... In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." Courts are divided regarding whether historical mobile phone data, including location, should be protected by a warrant requirement. EPIC has filed amicus briefs in several related cases.

US Dist. Court, Eastern NY: Ruling on Cell Phone Data (Aug. 22, 2011)
     http://epic.org/redirect/083011_cellphone_warrant_ruling.html

Judge Nicholas G. Garaufis
     http://epic.org/redirect/083011_judge_garaufis.html

EPIC: Commonwealth v. Connolly
     http://epic.org/privacy/connolly/

EPIC: US v. Jones
     http://epic.org/amicus/jones/

EPIC: Locational Privacy
     http://epic.org/privacy/location_privacy/default.html/


Israel Grants Google Street View Conditional Approval

The Israeli Justice Ministry has granted Google conditional approval to use its Street View mapping service in Israel. In return, Google has accepted several limitations, including allowing Israeli citizens to request further blurring of buildings and license plates, accepting Israeli legal rulings in any lawsuit, providing information to the public about the service, and applying "privacy by design." Other countries, including the UK, France, and Spain, have determined that Google broke privacy laws when Street View cars collected wi-fi data from private wireless networks. In the US, the Federal Communications Commission launched an investigation after EPIC filed a complaint asking the Commission to investigate violations of federal wiretap law and the US Communications Act.

Israeli Justice Ministry: Google Street View Information (Aug. 2011)
     http://www.justice.gov.il/MOJEng/ILITA/News/googlestreetview.htm

EPIC: Google Street View Complaint (May 18, 2010)
     http://epic.org/redirect/071911_epic_streetview_complaint.html

FCC Chairman: Response to Reps. Rogers, Barrow et al. (June 22, 2011)
     http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-308300A3.pdf

EPIC: Google Street View
     http://epic.org/privacy/streetview/


EPIC Moderates #PrivChat on Twitter

EPIC has taken over as the new moderator and co-host, with Privacy Camp, of #PrivChat, a weekly Twitter chat that explores developments in the privacy world. #PrivChat takes place every Tuesday at 12:00 PM EST and typically lasts for 45 minutes. Participants include lawyers, advocates, industry representatives, technical and security experts, and other individuals and organizations interested in privacy. Discussion topics may be submitted on Twitter using the #PrivChat hash tag in advance of the meeting.
Weekly topics will be posted one hour prior to the beginning of each #PrivChat, at 11:00 AM EST. Chat transcripts will be retained and posted afterward.

EPIC: #PrivChat
     http://www.epic.org/privchat

EPIC: PrivChat Archives
     http://www.epic.org/privchat/2011.html

Twitter: #PrivChat
     https://twitter.com/search/privchat

Privacy Camp
     http://privacycamp.wordpress.com/

================================

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75
http://epic.org/bookstore/foia2010/

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
http://mailman.epic.org/mailman/listinfo/foia_notes

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Privacy Platform Meeting on The Transatlantic Dimension of Data Protection. Brussels, Belgium, 7 September 2011. For More Information: sophie.bots@europarl.europa.eu.

5th Annual International Right-to-Know Day Celebration. American University Law School, Washington, DC, 28 September 2011. For More Information: secle@wcl.american.edu.

EPIC Public Voice Conference. Mexico City, Mexico, 31 October 2011. For More Information: http://www.thepublicvoice.org/.

33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011). Mexico City, Mexico, 2-3 November 2011. For more information: http://www.privacyconference2011.org/.

8th Conference on Privacy and Public Access to Court Records. Sponsored by the College of William and Mary School of Law. Williamsburg, VA, 3-4 November 2011. For More Information: http://www.legaltechcenter.net/aspx/conferences.aspx.

Workshop on Cryptography for Emerging Technologies and Applications. NIST Campus, Gaithersburg, MD, 7-8 November 2011. For More Information: http://www.nist.gov/itl/csd/ct/ceta-workshop.cfm.

Computers, Privacy, & Data Protection 2012: European Data Protection: Coming of Age. Brussels, Belgium, 25-27 January 2012, Call for Papers Abstracts Deadline 1 June 2011. For More Information: http://www.cpdpconferences.org.

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

http://facebook.com/epicprivacy
http://epic.org/facebook
http://twitter.com/epicprivacy

Join us on Twitter for #privchat, Tuesdays, 12:00pm ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 18.17 ------------------------