« May 2012 | Main | July 2012 »

June 2012 Archives

June 1, 2012

EPIC to Congress: "Strengthen FISA Oversight"

EPIC Executive Director Marc Rotenberg will testify before the House Judiciary Subcommittee on the FISA Amendments Act of 2008. The Act authorizes Government surveillance of international communications, including the private communications of U.S. citizens. EPIC will recommend increased transparency and new public reporting of the Government's surveillance activities. Currently, the FISA letter to Congress provides little to no information about Government conduct. "Congress should not reauthorize the FISA Act until adequate oversight procedures are in place," Rotenberg said. The hearing will be webcast. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International.

June 4, 2012

EPIC Asks Ombudsman to Investigate DHS FOIA Practices

EPIC has submitted a letter to the Office of Government Information Services, asking for an investigation into FOIA practices at the Department of Homeland Security. EPIC explained that the federal agency, which includes the TSA and the Bureau of Customs and Border Protection, routinely denies fee waivers in circumstances where the agency knows that the requester properly qualifies. By way of example, EPIC cited a recent FOIA appeal in which the agency wrongly denied a fee waiver request. EPIC said that the practice creates additional work for sophisticated FOIA requesters and may, as a practical matter, prevent other requesters from pursuing important FOIA requests. For more information, see EPIC: DHS Privacy Office and EPIC: Litigation Under the Federal Open Government Laws.

June 6, 2012

Homeland Security Seeks to Expand "Risk-Based" Profiles

The Department of Homeland Security has proposed to exempt its "Automated Targeting System" from certain Privacy Act provisions. The Automated Targeting System creates "risk-based" profiles of individuals traveling to, from, and throughout the United States. The profile contains a plethora of personal data, including, nationality, race, occupation, and biometrics. The System accesses and "ingests" this information from many sources, including government databases and commercial data aggregators. The DHS issued a Privacy Impact Assessment, which describes some of the privacy risks, including unauthorized access. In detailed comments to DHS in 2007, EPIC opposed the use of "risk-based" profiles. For more information, see EPIC: Automated Targeting System.

June 7, 2012

LinkedIn Breach Leads to 6.5 Million Stolen Passwords

The professional social network LinkedIn suffered a security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the House Financial Services Committee and the Senate Banking Committee. For more information, see EPIC: Cybersecurity and Privacy.

June 5, 2012

Consumer Privacy Rights Resolution

Consumer Privacy Rights Resolution

Lillie Coney,
EPIC Associate Director

Trans Atlantic Consumer Dialogue

Washington, DC
June 5, 2012

June 6, 2012

"First Do No Harm. Does Technology Harm Patients?"

"First Do No Harm. Does Technology Harm Patients?"

Lillie Coney,
EPIC Associate Director

2nd International Summit on the Future of Health Privacy
Washington, DC
June 6, 2012

June 7, 2012

IPv6, New Internet Protocol, Launches with Privacy Questions

The Internet Society has announced the world launch of IPv6, which will dramatically expand the number of Internet addresses. IPv6 creates fixed IP addresses, allowing routine tracking of Internet-connected devices, such as laptops, cellphones, and soon many consumer appliances. This will make it easier for law enforcement agencies and advertisers to track users of Internet-based services. A Privacy Extension allows the use of IPv6 without persistent identifiers, though it is not clear how widely it will be be adopted. In 2008, EPIC testified before the European Parliament on IP addresses and privacy, and said that companies that use IPv6 linked to identifiable users should be subject to data privacy requirements. The EU classifies IP addresses as personal information. For more information: See EPIC: Search Engine Privacy.

June 8, 2012

Swiss Court Sets Out Requirements for Google Street View in Switzerland

The Swiss Federal Supreme Court has allowed Google to continue operating its Street View service in Switzerland, subject to certain privacy protections. Google must completely obscure faces and license plates near "sensitive facilities" such as schools and prisons, and must not publish pictures of courtyards or lawns not visible to pedestrians unless the company obtains the owners' consent. Google must also honor requests from people who want to anonymize images of themselves. Recently, the unredacted version of an FCC report revealed that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC is pursuing FOIA requests with the FCC and the Department of Justice regarding the agencies' investigations into Google Street View. For more information, see EPIC: Investigations of Google Street View and EPIC: FCC Investigation of Google Street View.

Department of Homeland Security Exempts Massive Database from Privacy Act

The Department of Homeland Security issued a final rule exempting its Operations System from various Privacy Act safeguards, including provisions that permit individuals to access information about them held by the agency. The system "fuses" information from many sources which the agency uses for investigatory purposes. There are over twenty categories of data, including social security numbers, citizenship, medical records, and even information gathered from social media in the database. In 2010, EPIC urged the agency not to reduce the privacy protections for the Operations System, citing the substantial risks. Despite EPIC's recommendations, DHS went forward. For more information, see EPIC: Total Information Awareness and EPIC: EPIC v. DHS: Media Monitoring.

EPIC Urges FTC to Protect Privacy of Myspace Users

EPIC submitted comments to the Federal Trade Commission on a proposed settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC expressed support for the settlement in general, but recommended that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House's Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy.

June 12, 2012

Spokeo to Pay $800, 000 to Trade Commission to Settle Privacy Violations

The data broker Spokeo agreed to pay $800,000 to settle a complaint filed by the Federal Trade Commission that the company marketed its data profiles to employers in violation of federal privacy law. The FTC alleges that Spokeo violated the Fair Credit Reporting Act by failing to ensure that its information was accurate, failing to ensure that it would be used only for legally permissible purposes, and failing to tell users if adverse decisions were made based on the information. The FTC also alleged that Spokeo created its own endorsements on news and technology websites and represented them as independent endorsements. The FTC's settlement bans Spokeo from future FCRA violations and misrepresentations. In 2004, EPIC successfully urged the FTC to investigate the compilation and sale of personal dossiers by the data broker ChoicePoint. That investigation produced a $10 m settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: Federal Trade Commission and EPIC: Choicepoint.

FCC Issues Stronger Telemarketing Rules to Protect Consumers

The Federal Communications Commission's final rule amending the Telephone Consumer Protection Act of 1991 (TCPA) regulations is now in effect. The rule requires "(1)prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines; (2) allow[s] consumers to opt out of future robocalls during a robocall; (3) limit[s] permissible abandoned calls on a per-calling campaign basis, in order to discourage intrusive calling campaigns; and (4) exempts prerecorded calls to residential lines made by health care-related entities governed by the Health Insurance Portability and Accountability Act of 1996." EPIC has previously urged the Commission to require express consumer consent for telemarketing calls and to protect wireless subscribers from telemarketing. For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act (TCPA).

New Report Finds Border Surveillance Drone Program Inefficient and Ineffective

A new Report highlights problems with the drone program operated by Bureau of Customs and Border Protection. The Bureau has purchased 10 drones, costing approximately $18 million each, and has expended an additional $55.3 million for maintenance and operations. But according to the Office of Inspector General, the Bureau "needs to improve planning of its unmanned aircraft systems program to address its level of operation, program funding, and resource requirements, along with stakeholder needs." Also, despite the Bureau’s limited mission to safeguard the borders, the Bureau often flies missions for the FBI, the DOD, NOAA, local law enforcement, and other agencies. This practice made headlines last year when police in North Dakota used a Bureau drone to arrest a U.S. citizen. This week Sen. Rand Paul (R-KY) and Rep. Austin Scott (R-GA) introduced bills in the Senate and the House to limit the use of drones for surveillance in the United States.. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.

June 15, 2012

Administration Announces First Privacy "Multistakeholder" Meeting

The National Telecommunications and Information Administration will hold the first meeting of the privacy "multistakeholder process" on July 12. The meeting will address privacy and mobile applications, but many questions about the process remain unanswered. In comments to the agency, EPIC said that the Administrative Procedures Act, a well established legal framework for soliciting public comment, is a better and more transparent way to produce a meaningful outcome on new privacy policies. For more information, see EPIC: NTIA Multistakeholder Process.

June 18, 2012

House to Consider Bill to Reauthorize Expansive Surveillance Law

The House Committee on the Judiciary will markup the FISA Amendments Act Reauthorization Act of 2012 on Tuesday, June 19, 2012. The Act authorizes government surveillance of international communications, including the private communications of United States citizens. Currently, the law provides little information to Congress or the public about these surveillance activities. EPIC Executive Director Marc Rotenberg recently testified at an oversight hearing, and called on Congress to strengthen oversight procedures and increase transparency before the Act is renewed. In a recent report by the Senate Intelligence Committee, Senators Mark Udall and Ron Wyden also said that the FISA contains a loophole that allows the government "to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens." For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International.

EPIC Honors Sen. Al Franken, the Honorable Judge Kozinski, Dana Priest, Whitfield Diffie, and Willis Ware

At the 2012 EPIC Champion of Freedom Dinner, Senator Al Franken, Chief Judge Alex Kozinski, and Washington Post reporter Dana Priest received the EPIC awards for the defense of civil liberties and human rights, and for raising public awareness of new challenges to privacy. Senator Franken pursued meaningful legislation on emerging privacy issues, including a bill to protect location privacy. Chief Judge Kozinski of the United States Ninth Circuit Court of Appeals has worked to defend libery in an era of rapidly changing technology. Dana Priest's investigative series "Top Secret America," with William Arkin, exposed the exponential post-9/11 growth of the United States intelligence community. Whitfield Diffie and Willis Ware were presented with EPIC lifetime achievement awards Slate's Dahlia Lithwick hosted the event in Washington, D.C., and technologist Bruce Schenier and Supreme Court litigator Paul Wolfson made guest appearances. For more information, see 2012 EPIC Champion of Freedom Awards Dinner.

June 20, 2012

EPIC Joins Open Government Groups in Freedom of Information Act Case

EPIC has joined five other prominent open government groups in a friend of the court brief in support of Citizens for Responsibility and Ethics in Washington. The organization is seeking to reverse a federal court which held that federal agencies do not have to say whether they will comply with a FOIA request. In the friend of the court brief, the open government groups said that the ruling conflicts with the plain language of the Freedom of Information Act and would produce unnecessary confusion in FOIA cases. For more information, see EPIC: Open Government.

EPIC Argues That Resellers of State Driver Records Should Be Strictly Liable Under Privacy Law

EPIC filed a "friend of the court" brief in Gordon v. Softech Int'l, Inc., a case concerning privacy protections for driver records. The Driver’s Privacy Protection Act is intended to prevent the misuse of personal information disclosed by state departments of motor vehicles. The Act allows the disclosure of driver record information only for "permissible uses." Some companies resell this information to others. EPIC argued in its brief that when the buyer uses this information for an impermissible purpose, the seller should be liable under the law. Strict liability, EPIC said, is necessary to incentivize resellers to limit the sale of personal information and prevent abuse. For more information, see EPIC: Gordon v. Softech International, Inc. and EPIC: Driver's Privacy.

Senator Schumer: High Resolution Mapping Must Respect Privacy

Senator Charles Schumer (D-NY) has sent a letter to Apple and Google after the companies announced high-definition, 3-D aerial mapping products. Apple’s Flyover displays detailed images of metropolitan areas, while Google will collect 3-D images for its mapping service. Neither company has indicated if aerial drones will be used to collect imagery. Senator Schumer expressed concern about the privacy implications of the new services. He asked the companies to provide advanced notification when the aerial surveillance was to occur, allow individuals to opt-out of having their property displayed, and ensure blurring of individuals and sensitive infrastructure. The full-scope of Apple and Google's aerial surveillance program is not known. In 2010, it was revealed that Google’s "Street View" vehicles were also collecting vast amounts of personal communications from private wi-fi networks. For more information, see EPIC: Investigations of Google Street View and EPIC: Unmanned Aerial Vehicles and Drones.

Facebook Acquires Facial Recognition Company Face.com

Facebook announced the acquisition of Face.com, a facial recognition technology company and long-time business partner of Facebook. Facebook uses an automatic facial recognition system, called "tag suggestions," to create a database of users' biometric information. Last year, EPIC filed a complaint with the Federal Trade Commission, stating that Facebook created biometric profiles of users without their explicit consent, failed to provide a clear mechanism for the deletion of these profiles, and failed to take adequate safeguards to ensure that users' biometric information would not be accessible to government agents and other third parties. In recent comments to the FTC, EPIC recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. For more information, see EPIC: Facial Recognition and EPIC: Facebook and Facial Recognition.

June 21, 2012

House Panel Votes to Renew Surveillance Law Without New Safeguards

The House Judiciary Committee voted to reauthorize the FISA Amendments Act, HR 5949, through Dec. 31, 2017 without any changes. The Act authorizes "programs of surveillance" intended to target foreign agents, but also allows collection of private communications of United States citizens without individualized suspicion. EPIC Executive Director Marc Rotenberg recently testified before the Committe and recommended that Congress strengthen oversight procedures to protect privacy and limit possible misuses of the legal authority. But amendments to improve accountability introduced by Rep. John Conyers (D-MI), Rep. Jerold Nadler (D-NY), Rep. Bobby Scott (D-VA), and Rep. Sheila Jackson-Lee (D-Texas), were all defeated. In the Senate, Senator Ron Wyden (D-OR) and others have expressed concern about renewal of the Act. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA.

June 22, 2012

EPIC Calls for Suspension of Homeland Security's "Risk-based" Profiling System

EPIC submitted comments to Customs and Border Protection, a component of the Department of Homeland Security, urging the agency to suspend the Automated Targeting System. Although the System was initially created to screen shipping cargo, the agency now monitors individuals, and creates "risk-assessment" profiles on Americans who are not suspected of any crime. The agency makes determinations about individuals based on such factors as race, ethnicity, and gender. The agency even collects information on political opinions and religious beliefs. An unfavorable "risk-based" evaluation by ATS m can subject individuals to investigation, government surveillance, and denial of the right to travel. For more information, see EPIC: Automated Targeting System, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy.

National Association of Attorneys General to Focus on "Privacy in Digital Age"

The National Association of Attorneys General has elected Maryland Attorney General Doug Gansler president during its summer meeting. Gansler announced a new initiative for the organization -- "Privacy in the Digital Age" -- that will “bring the energy and legal weight of this organization to investigate, educate and take necessary steps to ensure that the Internet’s major players protect the privacy of online consumers while balancing their legitimate business interest.” Recently AG Gansler met with consumer and privacy advocates at a meeting hosted by the Privacy Coalition. And earlier this year, the organization sent a letter asking Google for a meeting to discuss the company’s plans to consolidate the personal information of users of Google’s products and services. For more information, see EPIC: Google Consent Order and EPIC: Privacy Preemption Watch.

June 11, 2012

EPIC's 2012 Champion of Freedom Awards Dinner

June 11, 2012 DInner Logo

Join Dahlia Lithwick,
Senator Al Franken,
Judge Alex Kozinski,
and Dana Priest for

EPIC's 2012 Champion of Freedom Awards Dinner
Washington, D.C.
June 11, 2012

June 27, 2012

Senate Judiciary Holds Hearing on Voter Suppressions

The Senate Judiciary Committee held a hearing on “Prohibiting the Use of Deceptive Practices and Voter Intimidation Tactics in Federal Elections." The Senate is considering new legislation to address the problem of deceptive practices and voter intimidation. Committee Chairman Patrick Leahy cited "burdensome identification laws" as one of the obstacles to public participation in federal elections. A new report highlights similar problems in the recent Canadian national election. EPIC has published reports on deceptive campaign practices and filed briefs in opposition to unnecessary voter ID requirements. For more information see EPIC Voting Privacy and EPIC - Crawford v. Marion County.

EPIC Calls On FTC to Investigate Facebook Email Changes

EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently removed email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

June 28, 2012

Supreme Court Dismisses Challenge to Congress's Ability to Define Harm

The Supreme Court today dismissed First American v. Edwards, a challenge to the ability of plaintiffs to sue for a violation of statutory rights established by Congress. The lower court ruled that the plaintiffs had standing because "[t]he injury required by Article III can exist solely by virtue of statutes creating legal rights, . . .." The Supreme Court held that its decision to review the case was "improvidently granted," which means that the lower court opinion stands. EPIC filed a "friend of the court" brief, responding to briefs from several prominent Internet companies that supported the challenge. EPIC argued that Congress must maintain the power to define injuries and provide remedies, and that this was particularly important for privacy protection. For more information, see EPIC: First American v. Edwards.

Homeland Security Seeking Applicants to Join Privacy Board

The Department of Homeland Security has announced that it is seeking applicants for the Data Privacy and Integrity Advisory Committee. The Committee was established to advise the agency on issues related to personally identifiable information, data integrity, and other privacy-related matters. The agency has a mandate from Congress to ensure that its programs "do not erode privacy protections" and to ensure that personal information is "handled in full compliance with fair information practices as set out in the Privacy Act of 1974." For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy and EPIC: EPIC v. DHS (Suspension of Body Scanner Program).

June 25, 2012

Supreme Court Says Federal Immigration Law Trumps Arizona Law, But Upholds Narrow Application of "Papers Please" Provision

In Arizona v. United States, the Supreme Court invalidated much of SB 1070, the controversial Arizona state law. However, the Court upheld a new identification requirement though cautioned that it could be subject to preemption and constitutional challenges after it goes into effect. The provision allows state officers to make a "reasonable attempt" to determine immigration status during the course of "an authorized, lawful detention." Justice Kennedy, writing for the Court, cautioned that the provision might "raise constitutional concerns" as applied, but said that the law "could be read to avoid these concerns." EPIC argued in Hiibel v. Sixth Judicial District Court of Nevada that "stop and identify" statutes are unconstitutional. The Supreme Court upheld the state law in that case in a 5-4 opinion by Justice Kennedy. For more information, see: EPIC: Hiibel v. Sixth Judicial District Court of Nevada and EPIC: Your Papers, Please.

June 28, 2012

Administration Releases More Details on Privacy Multistakeholder Meeting

The National Telecommunications and Information Administration published a notice with new information about the privacy multistakeholder process. The purpose of the initiative is to implement the White House Consumer Privacy Bill of Rights; the first meeting will focus on mobile applications.The meeting will be held on Thursday, July 12 at the Department of Commerce. However, there will be limited opportunity for those outside of Washington, DC to participate in the "multistakeholder" meeting. In previous comments to the agency, EPIC said that the Administrative Procedure Act, a well established legal framework for soliciting public comment, is a better and more transparent way to produce a meaningful outcome. For more information, see EPIC: NTIA Multistakeholder Process.

About June 2012

This page contains all entries posted to epic.org in June 2012. They are listed from oldest to newest.

May 2012 is the previous archive.

July 2012 is the next archive.

Many more can be found on the main index page or by looking through the archives.