Landau, "A Gateway for Hackers:
The Security Threat in
the New Wiretapping Law"

EPIC Protects Worker Privacy
In comments to the General Services Administration (GSA), EPIC argued for privacy protections for federal contractor employees. The GSA sought comments on implementing an executive order mandating that federal contractors use the E-Verify system. The GSA proposed rule would require that new hires and current employees be verified against databases known to contain millions of errors, with failures to verify leading to eventual termination. EPIC recommended fixing database errors, applying Privacy Act protections, and exempting current employees before implementing the rule. For more see EPIC's Spotlight on Surveillance: National Employment Database Could PreventMillions of Citizens From Obtaining Jobs. (Aug. 11)

EPIC Argues for High Privacy Standard in Email Interception Case
EPIC submitted a brief in Bunnell v. MPAA, a case that could substantially impact email privacy. EPIC’s “friend of the court” brief supported the application of the federal Wiretap Act's protections to email messages in circumstances when the messages are briefly stored while they pass through mail servers. In Bunnell, a former employee hacked his ex-employer's corporate email server to secretly swipe private emails as they were transmitted. EPIC argued that the Wiretap Act applies to these sorts of circumstances by barring "interception" of electronic communications. EPIC has long advocated for application of the "interception" standard to email, and filed an amicus brief on this issue in 2004 in U.S. v. Councilman. For more information see EPIC's Bunnell v. MPAA page. (Aug. 7)

Registered Traveler Program Halted After Data Breach
The Clear registered traveler program suffered a security breach when a laptop was stolen. The laptop contains unencrypted personal information regarding approximately 33,000 travelers, including names and addresses, as well as passport and driver's license numbers. Government officials suspended new applications to the registered traveler scheme in the wake of the data theft. The Clear program permits users to bypass normal airport security lines after they enroll and undergo a background check. EPIC has warned of the privacy and security risks posed by registered traveler programs. For more information, See EPIC's Passenger Profiling page. (Aug. 5)

President Consolidates Surveillance Authority
President Bush has revised a key Executive Order that sets out the
authorities of the US intelligence agencies. Executive Order 12333 establishes the "Goals, Directions, Duties, and Responsibilities with Respect to United States Intelligence Efforts" as well as the "Conduct of Intelligence Activities." The Order was drafted by the Director of National Intelligence and grants the top Intelligence office new powers to coordinate domestic surveillance. EPIC previously warned the 9-11 Commission that new surveillance authorities require new forms of oversight. (Aug. 4).

Trade Commission Approves Data Breach Settlements, But Fails to Impose Monetary Penalties
The Federal Trade Commission has finalized settlements with TJX, Reed Elsevier, and Seisint. The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements impose security and audit responsibilities, but no financial penalties. For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions page. (Aug. 4)

Congressional Privacy Leaders Call for Internet Companies to Come Clean On Behavioral Profiling
Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as ‘deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (Aug. 4).

China to Spy on Olympic Visitors' Internet Activity
A Chinese intelligence agency has ordered foreign-owned hotels to install invasive snooping equipment that monitors Olympic visitors' Internet activity. Senator Sam Brownback announced that he has obtained an order from the Chinese Public Security Bureau that directs hotels to intercept and record the Internet activities of all guests, including “journalists, athletes’ families, and other visitors.” Senator Brownback observed that this directive contradicts China's pledge to the International Olympic Committee that the country would “maintain an environment free of government censorship during the Games.” The spying plan also contravenes longstanding international privacy and human rights norms, including Article 12 of the Universal Declaration of Human Rights, which prohibits “arbitrary interference with privacy, family, home or correspondence.” For more information, see EPIC’s Privacy and Human Rights report and EPIC’s page on Olympic Privacy. (July 30)

Health IT Bill Moves Forward in House with Some Privacy Safeguards
The House Commerce Committee today approved H.R. 6357, the Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008. The PRO(TECH)T Act will promote the adoption of health information technology that is intended to improve the delivery of healthcare services. The bill includes some security and privacy safeguards, such as data breach notification, though Patient Privacy Rights believes that stronger protections are necessary. EPIC made several suggestions to strengthen the privacy provisions. For more information see EPIC Medical Privacy. (July 23)

European Court of Human Rights Rules that Medical Data Breach Violates Fundamental Privacy Rights
The Finnish government will be required to pay a fine because it failed to protect the privacy of patient data against unauthorized access, according to a ruling from the European Court of Human Rights. The European Court held that Article 8 of the European Convention on Human Rights, which protects private life, includes an affirmative obligation to ensure the security of personal data. The Court also held that it was unreasonable to expect the petitioner to prove that the record had been misused. For more information on international privacy, see EPIC's Privacy and Human Rights report. (July 22)

In ACLU, EPIC Case, Federal Court Strikes Down Internet Censorship Law
Today, the Third Circuit Court of Appeals struck down the Child Online Protection Act, a federal law that sought to prohibit the publication of information on the Internet that could be considered "harmful to minors." The Court held that the law violated the First and Fifth Amendments because it is "impermissibly overbroad and vague." The Court also criticized the law's encroachment on the right of Internet users to receive information anonymously, a claim that EPIC raised early in the litigation. The lawsuit challenging the Child Online Protection Act began nearly ten years ago, following the Supreme Court's invalidation of Congress' first attempt to censor the Internet, the Communications Decency Act. For more information, see EPIC's page on The Legal Challenge to the Child Online Protection Act. (July 22)

Congressional Privacy Leaders Criticize Embarq's Secret Internet Spying, Call on Internet Company to Divulge Details
Senior members of Congress criticized Embarq's recent test of Internet snooping technology. The Internet company, in partnership with NebuAd, intercepted customers' Internet activity "to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits." The Congressmen observed that Embarq's secret Internet surveillance raises substantial questions of compliance with federal law. Congressmen Edward Markey (D-MA) and Joe Barton (R-TX) previously urged Charter Communications, the nation's fourth-largest cable company, to back off on a similar venture with NebuAd. The cable giant scrapped the controversial plan in June. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (July 15)

First European Union Privacy Seal Awarded to Search Company
The European Data Protection Supervisor presented the first EuroPriSe Seal to the search company Ixquick. EuroPri is a European initiative to determine whether information technology products and services comply with European regulation on privacy and data security. Ixquick is a meta-search engine that forwards search requests to several search engines, gathers and combines the results and presents the results to the requesting users. Ixquick serves as a proxy -- IP addresses of users are not disclosed to other search engines. Ixquick also incorporates data minimization techniques. For more information on search engine privacy, see EPIC page on Search Engine Privacy. (July 14)

EPIC Urges Protection of Passport Privacy
EPIC testified before the Senate Judiciary Committee, urging new protections for passport information privacy. The hearing, held at a time of increased information collection and dissemination by the government, addressed an Inspector General report on data breaches at the State Department. EPIC's testimony recommended implementing the privacy protections of S. 495, the Personal Data Privacy and Security Act of 2007; limiting employee and contractor disclosures; increasing accounting requirements; and creating an independent privacy agency. In a FOIA request filed today, EPIC demanded the release of the complete Inspector General report, substantial portions of which have been withheld from the public. For more, see EPIC's page on Passport Privacy. (July 10)

Previous Top News Archive

Spotlight on Surveillance

Proposed ‘Enhanced’ Licenses Are Costly to Security and Privacy

Hot Topics

August 2008
Automated Targeting System
Deep Packet Inspection
Domestic Surveillance
Facebook
FISA
Fusion Centers
Google/DoubleClick
Iraqi Biometric Identification System
Medical Record Privacy
National ID
National Security Letters
Open Government
Olympic Privacy
Passport Privacy
Phone Records
Search Engine Privacy
Social Networking Privacy
Voter Registration Databases

EPIC Docket Highlights

August 2008
EPIC v. FTC
EPIC v. VSP (Fusion Centers)
EPIC FTC Complaint (Google)
Gonzales v. ACLU
EPIC v. DHS (passenger data)
EPIC v. DOJ (NSA surveillance)
EPIC v. DOJ (IOB reports)
EPIC v. DOD (TIA/fee waiver)
Illegal Sale of Phone Records

EPIC amicus briefs:
Crawford v. Marion County (Voter ID)
Doe v. Chao (Privacy Act)
BATF v. Chicago (FOIA)
Watchtower Bible v. Stratton (Anonymity)
Reno v. Condon (DPPA)
Smith v. Doe (Megans Law)
Gilmore v. Ashcroft (Secrecy)
ACLU v. DOD (Secrecy)
Gonzales v. Doe (Wiretap)
Hepting v. AT&T (Wiretap)
Herring v. US (Errors in databases)
Hiibel v. Nevada (Anonymity)
IMS Health v. Ayotte
(Medical privacy)
Kehoe v. Fidelity Bank (Consumer privacy)
Kohler v. Englade (DNA)
NCTA v. FCC (Phone records privacy)
New Jersey v. Reid
(ISP subscriber privacy)
Peterson v. NTIA (WHOIS data)
US v. Councilman (Wiretap)

Complete EPIC Docket