Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert Year In Review 2010

=======================================================================
                            E P I C   A l e r t
=======================================================================
Year In Review                                        January 13, 2011
-----------------------------------------------------------------------

                           Published by the
               Electronic Privacy Information Center (EPIC)
                           Washington, D.C.

             http://www.epic.org/alert/epic_alert_yir2010.html

                    "Defend Privacy. Support EPIC."
                         http://epic.org/donate
			

                  Report All Screening Experiences at
                   EPIC Body Scanner Incident Report
              http://epic.org/bodyscanner/incident_report/

=======================================================================
       2 0 1 0   P R I V A C Y   Y E A R   I N   R E V I E W
=======================================================================

Here are the Top Ten Privacy Stories of 2010 and the Top Ten Privacy
Issues to Watch in 2011 from the Electronic Privacy Information Center
(EPIC):

- Google Street View Debacle
- TSA Strip Searches American Air Travelers
- FTC Fumbles Privacy
- Europe Steps Up Privacy Game
- EPIC FOIA: Body Scanners Can Record, Store, and Transfer Images
- Facebook Follies
- Google Buzzes Gmail Users
- VP Calls Wikileaks Hi-Tech Terrorism
- EPIC: White House Privacy Grades Drop
- As Year Ends, Washington Gets Busy with Privacy

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Google Street View Debacle

Google's secretive and purposeful practice of using its Street View
vehicles to collect data from unsecured wireless networks was revealed
this year. Google collected passwords, email, and other sensitive data
from millions of Internet users in thirty countries over a three-year
period, and built an extensive database of personal information
associated with private residential wi-fi routers. Canada and several
European countries refused to let Google get away with this, as they
investigated Google's actions and determined that laws had indeed been
broken. After being caught in the act, Google still pretended that
this massive data collection occurred by accident, even though Google
has a patent pending to use the information it collected in new
location-based technologies. Meanwhile, regulators in the U.S. reacted
both late and ineffectively. The FTC conducted no investigation at all,
while the FCC finally began one in November in response to an EPIC
complaint.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

TSA Strip Searches American Air Travelers

The Transportation Security Administration expanded the use of body
scanners at checkpoints in airports across the country, contradicting
its established policy by implementing them as primary screening
measures. Department of Homeland Security Secretary Janet Napolitano
justified the program as a "corrective action to improve aviation
security" in the wake of an attempted terrorist attack on Christmas Day
of 2009.  Passengers are selected either to submit to scans inside of
x-ray machines that show the full naked human form and have uncertain
health risks, or face a rubber-gloved, hands-on "enhanced patdown" from
a TSA agent. A grassroots movement of flyers' rights organizations
mobilized a citizens' protest on November 24, 2010, and reported
afterwards that the government temporarily disbanded the use of scanner
machines in order to avoid massive delays.  Lawmakers across the
country, from Washington, D.C. to New York and New Jersey, held
hearings, demanded answers from key decision-makers, and introduced
legislation to halt the program.  Citizens' groups are preparing for a
second stand, this time boycotting the airline industry on December 23,
2010, which they have dubbed "We Won't Fly Day."

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

FTC Fumbles Privacy

The Federal Trade Commission - whose purpose is to protect consumers -
has utterly failed to do so throughout 2010. Throughout the year, EPIC
and other watchdog groups submitted several complaints concerning
significant privacy violations, including Facebook's deceptive revised
privacy settings and the lack of security in Google's cloud computing
network, on all of which the FTC took no action. Adding insult to injury,
the FTC's end of the year privacy report did not inspire much hope that
things will improve in the future: the report did not address the need
for a U.S. privacy agency or a comprehensive privacy law based on "Fair
Information Practices," and instead adhered to the tired and failed
strategy of notice and choice.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Europe Steps Up Privacy Game

Throughout 2010, the EU pursued a full court press on data protection,
especially in the areas of law enforcement, data transfer, and
individual privacy rights.  The EU reviewed its legal framework for data
protection and proposed policy changes that would "bring [their] laws up
to date with the challenges raised by new technologies and
globalization." The European Commission also directed a bright light on
Google, beginning investigations into the company for a number of privacy
violations, including potential anti-trust violations and the collection
of wi-fi data for its Street View service.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

EPIC FOIA: Body Scanners Can Record, Store, and Transfer Images

In January, EPIC released documents obtained from the Department of
Homeland Security as a result of a Freedom of Information Act request
that sought documents to support its suspicion that the full body
scanners were designed to capture and store images of the people scanned
at airports. Though DHS and TSA had continually made claims to the
contrary, the documents proved the machines' technical capacity to
store, record and transfer images. In fact, DHS had purposely specified
to the machine manufacturers that the full body scanners must have this
feature. The documents also reveal that the machines have USB and
Ethernet capabilities, and run on an operating system with demonstrated
security flaws, rendering the images they can store vulnerable to any
bad actor with temporary network access. EPIC is suing to strike down
the program in the District of Columbia Circuit Court of Appeals.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Facebook Follies

Facebook founder Mark Zuckerberg certainly doesn't hide his view that
privacy is a "social norm" of the past. And everything Facebook has done
this past year has been designed to try to make this a self-fulfilling
prophecy.  Facebook engaged in unfair and deceptive trade practices,
including changes to privacy settings that disclosed information to the
public that was previously restricted, which led EPIC to file two
complaints with the Federal Trade Commission. Facebook also launched
"Places" this year, a tool that discloses Facebook user locational data
to others, often without the knowledge or consent of the user. Most
recently, Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a
letter to Facebook following the revelation that Facebook's business
partners transmitted personal user data to advertisers and
Internet-tracking companies, in direct violation of the company's
policy.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Google Buzzes Gmail Users

In February 2010, Google took a huge misstep in its introduction of Buzz,
a social networking service that made private email contacts of Gmail
subscribers publicly available without their consent. EPIC and House
Members independently urged the Federal Trade Commission to investigate
Google Buzz. EPIC's complaint argued that Google's modified business
practices and service terms violated user privacy expectations,
diminished user privacy, contradicted Google's own privacy policy, and
potentially violated federal wiretap laws. After Gmail users filed a
class action lawsuit alleging violations of federal privacy and consumer
fraud laws, Google eventually entered into a settlement agreement. As
part of the settlement, Google agreed to establish an $8.5 million
settlement fund to pay the attorneys, compensate the lead plaintiffs,
and establish a fund for "existing organizations focused on Internet
privacy policy or privacy education."

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

VP Calls Wikileaks Hi-Tech Terrorism

Late in the year, on Meet the Press with David Gregory, Vice President
Joe Biden stated that Wikileaks Spokesperson Julian Assange resembles a
"High Tech Terrorist." The attack followed a series of questions about
President Obama's politically unpopular decisions. A Washington Post
poll shows that a majority of Americans want Julian Assange arrested by
U.S. authorities and charged with some crime. The poll neglected to ask
its respondents if they expected the same treatment for the U.S.
military contractors who spent tax dollars on a human smuggling ring
involving child prostitutes, as revealed by Wikileaks. Commentators,
like Salon's Glenn Greenwald, highlight the drawbacks, legal and
otherwise, in prosecuting Mr. Assange for helping to publish diplomatic
cables leaked from the Pentagon. Any law criminalizing Wikileaks'
actions would also imperil the investigative reporting operations of
more traditional media entities like the New York Times.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

EPIC: White House Privacy Grades Drop

2010 was a year of disappointment for the White House, as its privacy
grades dropped this year in EPIC's Privacy Report Card. The Privacy Report
Card is an annual publication examining how the president and his
administration handle privacy issues. Grades dropped or remained the
same for President Obama across the board, in areas of Consumer Privacy,
Medical Privacy, Civil Liberties, and Cyber Security. The report card
noted the FTC's failure to pursue any significant privacy investigation,
under-representation of privacy experts on key administrative committees,
the growing influence of the National Security Administration, and the
absolute neglect of the Civil Liberties and Privacy Oversight Board.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

As Year Ends, Washington Gets Busy with Privacy

2010 hurtled to a close with Washington's awakening to the multitude of
ways privacy protections can be legislated, prosecuted, and
investigated. The FTC and the Commerce Department each released reports
about privacy, each concluding that more consumers must be given more
privacy rights.  At last count, up to three new administrative privacy
offices have been suggested or created, but nominations for the Civil
Liberties and Privacy Oversight Board have not yet been initiated. The
House Judiciary Committee held a hearing looking into the WikiLeaks
scandal and testing the line between the First Amendment and state
secrets. In addition, Congress finally voted to repeal "Don't Ask, Don't
Tell" and the President's healthcare technology council looked into the
increased use of digitized medical records and recommended privacy
enhancing policies. Nothing like a mid-term election to get things done.

=======================================================================
ISSUES TO WATCH IN 2011
=======================================================================

Here are the top ten privacy topics to pay attention to in 2010:

- Supreme Court Decides Several Privacy Cases
- Body Scanner Challenges Go to Court
- Congress Steps Up DHS Oversight 
- Smart Grid and Privacy?
- Targeted Advertising Comes to T.V.
- Europe Strengthens Privacy Protections
- Bipartisan Privacy Legislation
- Biometric Technology Used in War on Terror, Facebook
- Deep Packet Inspection, Thought Dead, Rears Head Again
- Net Neutrality Decided by the Courts

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Supreme Court Decides Several Privacy Cases

In 2011, the Supreme Court is poised to answer pivotal constitutional
questions about the privacy rights of government contract employees and
the scope of open government laws. The Court will decide whether the
Fourth Amendment provides additional legal protections in cases where
privacy legislation fails to adequately protect an individual's personal
data.  EPIC filed a "friend of the court" brief, cosigned by 27
technical experts and legal scholars, arguing that the right to
informational privacy is well recognized by scholars and international
courts.  The Court will also decide if corporations qualify for privacy
protections under the Freedom of Information Act.  EPIC filed another
"friend of the court" brief with many of the same signees, arguing that
personal privacy rights have been understood for more than a century to
accommodate the interests of individuals, not corporations.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Body Scanner Challenges Go to Court

Oral argument for EPIC's suit to strike down the Transportation Security
Administration's controversial body scanner program is scheduled for
March 10, 2010.  This is the final stage in a case that started with two
separate petitions to Secretary Napolitano in 2009 and 2010 and
progressed through EPIC's initial request on July 3, 2010 for an
emergency court order to halt the program from expanding. The decision
should follow closely on the heels of oral argument in early March. An
ideal outcome would immediately halt the use of body scanners
as a default, mandatory primary screening mechanism. Two other cases
have also been brought to challenge the body scanners. In Redfern v.
Napolitano, two Harvard Law School students have brought constitutional
and administrative law claims in U.S. District Court, while Michael
Roberts, an airline pilot for ExpressJet, also has sued the TSA after he
was placed on paid leave for refusing to submit himself to the body
scanners or an enhanced pat-down.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Congress Steps Up DHS Oversight 

Following the appointment of several DHS critics to key positions, the
Department of Homeland Security will be subject to increased oversight
in 2011. Rep. Jason Chaffetz (R-UT), the sponsor of a bill that would
limit the use of body scanners at airports, is the new chair of the
House DHS oversight subcommittee. Rep. Peter King (R-NY) is also
promising increased oversight, citing the Department’s mishandling of
the war on terrorism and increased violence along the Mexican border.
EPIC has repeatedly called for enhanced oversight for the Department,
which has employed an increasingly large amount of discretion in the
exercise of its authority.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Smart Grid and Privacy?

Smart Grid technology is the newest innovation with the potential to
dramatically reshape the privacy policy landscape for years to come. The
nation's electric utility grid is under pressure because of aging
infrastructure and the growth in residential and industrial demand for
energy.  Smart Grid offers a solution to this problem by monitoring
power usage in order to deliver electricity more efficiently.  Yet if
Smart Grid were only about electricity generation and delivery, it would
not have such serious privacy implications. However, the Smart Grid will
also be the most significant and sophisticated multi-directional
communication network ever conceived, dwarfing the Internet in capacity
and speed. The Smart Grid is designed to collect, retain, and transmit
detailed electricity use data from every billable residence or business
in intervals of 15 minutes or less. The resulting energy usage
signatures will yield information about the occupants, including
intimate details of their moment-to-moment existence, which will
frustrate efforts to maintain privacy and confidentiality.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Targeted Advertising Comes to T.V. 

Riding on the back of what has been a successful Internet business
model, television provider DirecTV will initiate targeted advertising in
2011. Online advertisements targeted toward consumers have raised
significant privacy concerns in the past, and the FTC has recently
proposed Do Not Track regulations to increase transparency in the
industry. Attempts to tailor advertisements to the interests and
demographics of television viewers are likely to encounter opposition
from consumers who don't want their private information put into another
corporate database.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Europe Strengthens Privacy Protections

European countries are looking to enhance their already strong privacy
laws in the new year. Opt-in consent, which values transparency and
consumer choice, has been a law since the mid-1990s, but the European
Union is also considering legislation allowing users to delete all their
personally identifiable information from a website and transfer their
data between wireless providers without having to leave a profile
behind.  Data minimization, especially in regard to law enforcement and
behavioral advertising, will be a central concern for updating European
data protection.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Bipartisan Privacy Legislation

A new Congress may find the will to enact bipartisan privacy
legislation.  On the table in 2011 is a "privacy bill of rights" which
will require businesses to ask permission from their customers before
using their personal data for purposes other than those for which it was
initially collected. Businesses will also be required to submit to
privacy audits.  Another possibility is "Do Not Track" legislation,
providing people with the right to avoid monitoring of their
Internet activity. This turn toward enhanced privacy regulations will be
a move away from relying on self-regulation to protect consumers.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Biometric Technology Used in War on Terror, Facebook

Biometric technology will flood the market in 2011. As part of a
counterinsurgency effort in Afghanistan, biometric information is being
collected and stored on hundreds of thousands of individuals, including
ordinary citizens. Separate databases are currently being amassed by
NATO forces as well as the local Afghan government, which include
personal information, such as fingerprints and iris and face scans.
During his time as commander of the U.S. forces in Iraq, General David
Petraeus admitted to relying heavily on biometric information as part of
the war effort. Demonstrating the range of uses for biometric data,
Facebook will also make use of biometric technology in 2011 with plans
to use facial recognition technology to match faces in new pictures to
ones already existing in the Facebook databases. The full roll out of
this new feature will once again cause Facebook to face heavy opposition
from its users. Users must opt out of photo tagging by disabling the
"Suggest photos of me to friends" privacy setting.  Or they can
configure their privacy settings to show photos they are tagged in to
themselves first and then to others on a case-by-case basis. Users have
already expressed dismay about the invasiveness of the new feature.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Deep Packet Inspection, Thought Dead, Rears Head Again 

Wireless companies will revisit the concept of deep-packet inspection in
2011, much to the chagrin of their customers. It is still unclear how
the FCC's net neutrality rules will affect wireless business, but it is
agreed that wireless will be regulated more lightly than wireline
Internet. Deep-packet inspection was used previously to enhance targeted
advertisements, though it was heavily criticized for its invasiveness
and questionable legality under federal wiretap laws. Despite this,
wireless companies are likely to resume the practice, this time for the
purpose of raising rates for the use of services like YouTube and Skype.
Higher rates on these applications will allow companies to create or
promote their competitive services at a lower cost to consumers.
Push-back can be expected from the Federal Trade Commission (FTC),
however, which has positioned itself to push for Internet-specific
privacy regulations in 2011.

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Net Neutrality Decided by the Courts

The FCC will release the full text of its new net neutrality rules in
2011. The rules will give in on so-called "speed neutrality," allowing
for "reasonable network management" in the transmission of data, though
the regulations are heavier for "content neutrality," preventing
broadband providers from blocking consumer access to websites or
applications. A fierce backlash is to be expected, as big business will
claim the rules are stifling and civil liberties experts will profess that
they do not go far enough to protect the Internet. Advocates from both
sides will challenge the rules in court early in 2011, once again
leaving the certainty of a free Internet in the hands of the judges.

=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy

http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.


---------------------- END EPIC 2010 YEAR IN REVIEW ---------------------