EPIC Alert Year In Review 2010
=======================================================================
E P I C   A l e r t
=======================================================================
Year In Review                                        January 13, 2011
-----------------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/alert/epic_alert_yir2010.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

Report All Screening Experiences at
EPIC Body Scanner Incident Report
http://epic.org/bodyscanner/incident_report/

=======================================================================
2 0 1 0   P R I V A C Y   Y E A R   I N   R E V I E W
=======================================================================

Here are the Top Ten Privacy Stories of 2010 and the Top Ten Privacy Issues to Watch in 2011 from the Electronic Privacy Information Center (EPIC):

- Google Street View Debacle
- TSA Strip Searches American Air Travelers
- FTC Fumbles Privacy
- Europe Steps Up Privacy Game
- EPIC FOIA: Body Scanners Can Record, Store, and Transfer Images
- Facebook Follies
- Google Buzzes Gmail Users
- VP Calls Wikileaks Hi-Tech Terrorism
- EPIC: White House Privacy Grades Drop
- As Year Ends, Washington Gets Busy with Privacy

* * * * * * * * * * * * * * * * * * * * * * * *

Google Street View Debacle

Google's secretive and purposeful practice of using its Street View vehicles to collect data from unsecured wireless networks was revealed this year. Google collected passwords, email, and other sensitive data from millions of Internet users in thirty countries over a three-year period, and built an extensive database of personal information associated with private residential wi-fi routers. Canada and several European countries refused to let Google get away with this, as they investigated Google's actions and determined that laws had indeed been broken.
After they were caught in the act, Google still pretended that this massive data collection occurred by accident, even though Google has a patent pending to use the information it collected in new location-based technologies. Meanwhile, regulators in the U.S. reacted both late and ineffectively. The FTC conducted no investigation at all, while the FCC finally began one in November in response to an EPIC complaint.

* * * * * * * * * * * * * * * * * * * * * * * *

TSA Strip Searches American Air Travelers

The Transportation Security Administration expanded the use of body scanners at checkpoints in airports across the country, contradicting their established policy by implementing them as primary screening measures. Department of Homeland Security Secretary Janet Napolitano justified the program as a "corrective action to improve aviation security" in the wake of an attempted terrorist attack on Christmas Day of 2009. Passengers are selected either to submit to scans inside of x-ray machines that show the full naked human form and have uncertain health risks, or face a rubber-gloved, hands-on "enhanced patdown" from a TSA agent. A grassroots movement of flyers' rights organizations mobilized a citizens' protest on November 24, 2010, and reported afterwards that the government temporarily disbanded the use of scanner machines in order to avoid massive delays. Lawmakers across the country, from Washington, D.C. to New York and New Jersey, held hearings, demanded answers from key decision-makers, and introduced legislation to halt the program. Citizens groups are preparing for a second stand, this time boycotting the airline industry on December 23, 2010, which they have dubbed "We Won't Fly Day."

* * * * * * * * * * * * * * * * * * * * * * * *

FTC Fumbles Privacy

The Federal Trade Commission - whose purpose is to protect consumers - has utterly failed to do so throughout 2010.
Throughout the year, EPIC and other watchdog groups submitted several complaints concerning significant privacy violations, including Facebook's deceptive revised privacy settings and the lack of security in Google's cloud computing network, on all of which the FTC took no action. Adding insult to injury, the FTC's end-of-the-year privacy report did not inspire much hope that things will improve in the future: the report did not address the need for a U.S. privacy agency or a comprehensive privacy law based on "Fair Information Practices," and instead adhered to the tired and failed strategy of notice and choice.

* * * * * * * * * * * * * * * * * * * * * * * *

Europe Steps Up Privacy Game

Throughout 2010, the EU pursued a full-court press on data protection, especially in the areas of law enforcement, data transfer, and individual privacy rights. The EU reviewed its legal framework for data protection and proposed policy changes that would "bring [their] laws up to date with the challenges raised by new technologies and globalization." The European Commission also directed a bright light on Google, beginning investigations into the company for a number of privacy violations, including potential anti-trust violations and the collection of wi-fi data for its Street View service.

* * * * * * * * * * * * * * * * * * * * * * * *

EPIC FOIA: Body Scanners Can Record, Store, and Transfer Images

In January, EPIC released documents obtained from the Department of Homeland Security as a result of a Freedom of Information Act request that sought documents to support its suspicion that the full body scanners were designed to capture and store images of the people scanned at airports. Though DHS and TSA had continually made claims to the contrary, the documents proved the machines' technical capacity to store, record and transfer images. In fact, DHS had purposely specified to the machine manufacturers that the full body scanners must have this feature.
The documents also reveal that the machines have USB and Ethernet capabilities, and run on an operating system with demonstrated security flaws, rendering the images they can store vulnerable to any bad actor with temporary network access. EPIC is suing to strike down the program in the District of Columbia Circuit Court of Appeals.

* * * * * * * * * * * * * * * * * * * * * * * *

Facebook Follies

Facebook founder Mark Zuckerberg certainly doesn't hide his view that privacy is a "social norm" of the past. And everything Facebook has done this past year has been designed to try to make this a self-fulfilling prophecy. Facebook engaged in unfair and deceptive trade practices, including changes to privacy settings that disclosed information to the public that was previously restricted, which led EPIC to file two complaints with the Federal Trade Commission. Facebook also launched "Places" this year, a tool that discloses Facebook user locational data to others, often without the knowledge or consent of the user. Most recently, Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to Facebook following the revelation that Facebook's business partners transmitted personal user data to advertisers and Internet-tracking companies, in direct violation of the company's policy.

* * * * * * * * * * * * * * * * * * * * * * * *

Google Buzzes Gmail Users

In February 2010 Google took a huge misstep in its introduction of Buzz, a social networking service that made private email contacts of Gmail subscribers publicly available without their consent. EPIC and House Members independently urged the Federal Trade Commission to investigate Google Buzz. EPIC's complaint argued that Google's modified business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google's own privacy policy, and potentially violated federal wiretap laws.
After Gmail users filed a class action lawsuit alleging violations of federal privacy and consumer fraud laws, Google eventually entered into a settlement agreement. As part of the settlement, Google agreed to establish an $8.5 million settlement fund to pay the attorneys, compensate the lead plaintiffs, and establish a fund for "existing organizations focused on Internet privacy policy or privacy education."

* * * * * * * * * * * * * * * * * * * * * * * *

VP Calls Wikileaks Hi-Tech Terrorism

Late in the year, on Meet the Press with David Gregory, Vice President Joe Biden stated that Wikileaks Spokesperson Julian Assange resembles a "High Tech Terrorist." The attack followed a series of questions about President Obama's politically unpopular decisions. A Washington Post poll shows that a majority of Americans want Julian Assange arrested by U.S. authorities and charged with some crime. The poll neglected to ask its respondents if they expected the same treatment for the U.S. military contractors who spent tax dollars on a human smuggling ring involving child prostitutes, as revealed by Wikileaks. Commentators, like Salon's Glenn Greenwald, highlight the drawbacks, legal and otherwise, in prosecuting Mr. Assange for helping to publish diplomatic cables leaked from the Pentagon. Any law criminalizing Wikileaks' actions would also imperil the investigative reporting operations of more traditional media entities like the New York Times.

* * * * * * * * * * * * * * * * * * * * * * * *

EPIC: White House Privacy Grades Drop

2010 was a year of disappointment for the White House, as its privacy grades dropped this year in EPIC's Privacy Report Card. The Privacy Report Card is an annual publication examining how the president and his administration handle privacy issues. Grades dropped or remained the same for President Obama across the board, in areas of Consumer Privacy, Medical Privacy, Civil Liberties, and Cyber Security.
The report card noted the FTC's failure to pursue any significant privacy investigation, under-representation of privacy experts on key administrative committees, the growing influence of the National Security Administration, and the absolute neglect of the Civil Liberties and Privacy Oversight Board.

* * * * * * * * * * * * * * * * * * * * * * * *

As Year Ends, Washington Gets Busy with Privacy

2010 hurtled to a close with Washington's awakening to the multitude of ways privacy protections can be legislated, prosecuted, and investigated. The FTC and the Commerce Department each released reports about privacy, each concluding that more consumers must be given more privacy rights. At last count, up to three new administrative privacy offices have been suggested or created, but nominations for the Civil Liberties and Privacy Oversight Board have not yet been initiated. The House Judiciary Committee held a hearing looking into the WikiLeaks scandal and testing the line between the First Amendment and state secrets. In addition, Congress finally voted to repeal "Don't Ask, Don't Tell" and the President's healthcare technology council looked into the increased use of digitized medical records and recommended privacy enhancing policies. Nothing like a mid-term election to get things done.

=======================================================================
ISSUES TO WATCH IN 2011
=======================================================================

Here are the top ten privacy topics to pay attention to in 2010:

- Supreme Court Decides Several Privacy Cases
- Body Scanner Challenges Go to Court
- Congress Steps Up DHS Oversight
- Smart Grid and Privacy?
- Targeted Advertising Comes to T.V.
- Europe Strengthens Privacy Protections
- Bipartisan Privacy Legislation
- Biometric Technology Used in War on Terror, Facebook
- Deep Packet Inspection, Thought Dead, Rears Head Again
- Net Neutrality Decided by the Courts

* * * * * * * * * * * * * * * * * * * * * * * *

Supreme Court Decides Several Privacy Cases

In 2011, the Supreme Court is poised to answer pivotal constitutional questions about the privacy rights of government contract employees and the scope of open government laws. The Court will decide whether the Fourth Amendment provides additional legal protections in cases where privacy legislation fails to adequately protect an individual's personal data. EPIC filed a "friend of the court" brief, cosigned by 27 technical experts and legal scholars, arguing that the right to informational privacy is well recognized by scholars and international courts. The Court will also decide if corporations qualify for privacy protections under the Freedom of Information Act. EPIC filed another "friend of the court" brief with many of the same signees, arguing that personal privacy rights have been understood for more than a century to accommodate the interests of individuals, not corporations.

* * * * * * * * * * * * * * * * * * * * * * * *

Body Scanner Challenges Go to Court

Oral argument for EPIC's suit to strike down the Transportation Security Administration's controversial body scanner program is scheduled for March 10, 2010. This is the final stage in a case that started with two separate petitions to Secretary Napolitano in 2009 and 2010 and progressed through EPIC's initial request on July 3, 2010 for an emergency court order to halt the program from expanding. The decision should follow closely on the heels of oral argument in early March. An ideal outcome would immediately halt the use of body scanners as a default, mandatory primary screening mechanism.
Two other cases have also been brought to challenge the body scanners. In Redfern v. Napolitano, two Harvard Law School students have brought constitutional and administrative law claims in U.S. District Court, while Michael Roberts, an airline pilot for ExpressJet, also has sued the TSA after he was placed on paid leave for refusing to submit himself to the body scanners or an enhanced pat-down.

* * * * * * * * * * * * * * * * * * * * * * * *

Congress Steps Up DHS Oversight

Following the appointment of several DHS critics to key positions, the Department of Homeland Security will be subject to increased oversight in 2011. Rep. Jason Chaffetz (R-UT), the sponsor of a bill that would limit the use of body scanners at airports, is the new chair of the House DHS oversight subcommittee. Rep. Peter King (R-NY) is also promising increased oversight, citing the Department’s mishandling of the war on terrorism and increased violence along the Mexican border. EPIC has repeatedly called for enhanced oversight for the Department, which has employed an increasingly large amount of discretion in the exercise of its authority.

* * * * * * * * * * * * * * * * * * * * * * * *

Smart Grid and Privacy?

Smart Grid technology is the newest innovation with the potential to dramatically reshape the privacy policy landscape for years to come. The nation's electric utility grid is under pressure because of aging infrastructure and the growth in residential and industrial demand for energy. Smart Grid offers a solution to this problem by monitoring power usage in order to deliver electricity more efficiently. Yet if Smart Grid were only about electricity generation and delivery, it would not have such serious privacy implications. However, the Smart Grid will also be the most significant and sophisticated multi-directional communication network ever conceived, dwarfing the Internet in capacity and speed.
The Smart Grid is designed to collect, retain, and transmit detailed electricity use data from every billable residence or business in intervals of 15 minutes or less. The resulting energy usage signatures will yield information about the occupants, including intimate details of their moment-to-moment existence, which will frustrate efforts to maintain privacy and confidentiality.

* * * * * * * * * * * * * * * * * * * * * * * *

Targeted Advertising Comes to T.V.

Riding on the back of what has been a successful Internet business model, television provider DirecTV will initiate targeted advertising in 2011. Online advertisements targeted toward consumers have raised significant privacy concerns in the past, and the FTC has recently proposed Do Not Track regulations to increase transparency in the industry. Attempts to tailor advertisements to the interests and demographics of television viewers are likely to encounter opposition from consumers who don't want their private information put into another corporate database.

* * * * * * * * * * * * * * * * * * * * * * * *

Europe Strengthens Privacy Protections

European countries are looking to enhance their already strong privacy laws in the new year. Opt-in consent, which values transparency and consumer choice, has been a law since the mid-1990s, but the European Union is also considering legislation allowing users to delete all their personally identifiable information from a website and transfer their data between wireless providers without having to leave a profile behind. Data minimization, especially in regard to law enforcement and behavioral advertising, will be a central concern for updating European data protection.

* * * * * * * * * * * * * * * * * * * * * * * *

Bipartisan Privacy Legislation

A new Congress may find the will to enact bipartisan privacy legislation.
On the table in 2011 is a "privacy bill of rights" which will require businesses to ask permission from their customers before using their personal data for purposes other than those for which it was initially collected. Businesses will also be required to submit to privacy audits. Another possibility is "Do Not Track" legislation, providing people with the right to avoid monitoring of their Internet activity. This turn toward enhanced privacy regulations will be a move away from relying on self-regulation to protect consumers.

* * * * * * * * * * * * * * * * * * * * * * * *

Biometric Technology Used in War on Terror, Facebook

Biometric Technology will flood the market in 2011. As part of a counterinsurgency effort in Afghanistan, biometric information is being collected and stored on hundreds of thousands of individuals, including ordinary citizens. Separate databases are currently being amassed by NATO forces as well as the local Afghan government, which include personal information, such as fingerprints and iris and face scans. During his time as commander of the U.S. forces in Iraq, General David Petraeus admitted to relying heavily on biometric information as part of the war effort. Demonstrating the range of uses for biometric data, Facebook will also make use of biometric technology in 2011 with plans to use facial recognition technology to match faces in new pictures to ones already existing in the Facebook databases. The full rollout of this new feature will once again cause Facebook to face heavy opposition from its users. Users must opt out of photo tagging by disabling the "Suggest photos of me to friends" privacy setting. Or they can configure their privacy settings to show photos they are tagged in to themselves first and then to others on a case-by-case basis. Users have already expressed dismay about the invasiveness of the new feature.
* * * * * * * * * * * * * * * * * * * * * * * *

Deep Packet Inspection, Thought Dead, Rears Head Again

Wireless companies will revisit the concept of deep-packet inspection in 2011, much to the chagrin of their customers. It is still unclear how the FCC's net neutrality rules will affect wireless business, but it is agreed that wireless will be regulated more lightly than wireline Internet. Deep-packet inspection was used previously to enhance targeted advertisements, though it was heavily criticized for its invasiveness and questionable legality under federal wiretap laws. Despite this, wireless companies are likely to resume the practice, this time for the purpose of raising rates for the use of services like YouTube and Skype. Higher rates on these applications will allow companies to create or promote their competitive services at a lower cost to consumers. Push-back can be expected from the Federal Trade Commission (FTC), however, which has positioned itself to push for Internet-specific privacy regulations in 2011.

* * * * * * * * * * * * * * * * * * * * * * * *

Net Neutrality Decided by the Courts

The FCC will release the full text of their new net neutrality rules in 2011. The rules will give in on so-called "speed neutrality," allowing for "reasonable network management" in the transmission of data, though the regulations are heavier for "content neutrality," preventing broadband providers from blocking consumer access to websites or applications. A fierce backlash is to be expected, as big business will claim the rules are stifling and civil liberties experts profess that they do not go far enough to protect the Internet. Advocates from both sides will challenge the rules in court early in 2011, once again leaving the certainty of a free Internet in the hands of the judges.
=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy
http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC 2010 YEAR IN REVIEW ---------------------
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.