
                              E P I C  A l e r t
Volume 15.12                                               June 13, 2008

                               Published by the
                  Electronic Privacy Information Center (EPIC)
                               Washington, D.C.


Table of Contents
[1] EPIC Urges Senate to Crack Down on Spyware
[2] Privacy Groups: "Google.com Should Link to a Privacy Policy"
[3] Canadian Law Students File Privacy Complaint Against Facebook
[4] Coalition of Privacy Advocates Urges Privacy in E-Prescribing
[5] EPIC Urges DC Council to Suspend Video Surveillance Program
[6] News in Brief
[7] EPIC Bookstore: Zero Day Threat
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC
    - Support Privacy '08

[1] EPIC Urges Senate to Crack Down on Spyware

On June 11, 2008, EPIC Executive Director Marc Rotenberg testified 
on spyware in a hearing before the Senate Commerce Committee.
EPIC said that spyware, adware, and other information collection
techniques are growing threats to the privacy of Internet users. EPIC
warned that spyware could cause significant degradation in system
performance, result in loss of Internet access, and impose substantial
costs on consumers and businesses. Furthermore, spyware creates numerous
privacy threats, including theft of personal information, monitoring of
communications and tracking of an individual's online activity.

The Committee is presently considering anti-spyware legislation, the
Counter Spy Act.  EPIC generally supported the Committee's efforts.
However, EPIC cautioned that a federal spyware law should not pre-empt
state laws that provide stronger consumer protections. EPIC commended
existing and innovative state spyware laws, including the Washington
State Computer Spyware Act. The Washington State law recently led to a
$1,000,000 settlement with software company Secure Computer.

EPIC also urged the Committee to address new spyware-like surveillance
techniques that do not involve the installation of software on users'
computers. Non-traditional computer surveillance technologies present
additional privacy threats. These technologies include deep packet
inspection, data collection through social networking platforms,
third-party and opt-out cookies, and mobile device surveillance.
Non-traditional spyware-like technologies are not directly addressed by
the present draft of the Counter Spy Act.

EPIC also briefed the Committee on privacy threats arising from “stalker
spyware,” over-the-counter surveillance technologies sold for
individuals to spy on other individuals. On March 6, 2008, EPIC filed a
complaint with the FTC against “stalker spyware” vendors. EPIC
highlighted the unfair and deceptive practices used to market this
software. These practices include the promotion of illegal surveillance
targets, the promotion of “Trojan Horse” email attacks, and the failure
to warn purchasers of the legal consequences of unlawful use.

The proposed Counter Spy Act:


EPIC's Testimony before the Senate Commerce Committee (pdf):


EPIC's Personal Surveillance Technologies Page:


EPIC's Complaint to the FTC regarding Spyware (pdf):


[2] Privacy Groups: "Google.com Should Link to a Privacy Policy"

This week, California Assembly member Joel Anderson said that Google is
in violation of California law. In a letter to Eric Schmidt, CEO of
Google, Mr. Anderson wrote "All Google must do to bring itself into 
compliance with the law is to place the word 'privacy' on its homepage
to link to its privacy policy."

Last week, consumer privacy groups requested that Google.com follow
California law and place a prominent link to its privacy policy on its
home page, calling the failure to do so "alarming." The groups also
argue that it is widespread industry practice to display such a link.
Currently it requires clicking three hyperlinks to reach Google's
privacy policy, and the link on the homepage does not mention privacy.

The California Online Privacy Protection Act requires that operators of
commercial websites that collect personally identifiable information
"conspicuously post" a link to their privacy policy. The link should be
on the "homepage" or the "first significant page after entering the
website" or in a functional hyperlink such that any reasonable person
would notice it. In the letter, the groups argue that the
"straightforward reading of that law is that Google must place the word
'privacy' on the Google.com web page linked to its privacy policy."

The law also requires that the policy meet certain standards. The policy
must identify the categories of personal information collected and the
categories of third parties that personal information is shared with.
The policy must also describe any process by which users can request or
review their personal information which has been collected, and describe
how users will be notified of material changes to the privacy policy.

The groups further argue that while privacy policies are "no guarantee
of privacy protection," the posting of one represents a commitment to
inform consumers about privacy practices. The prominent posting of a
privacy policy reflects the principle of openness about information
collection practices.

EPIC is a signatory to the letter, joined by the California-based World
Privacy Forum and the Privacy Rights Clearinghouse.

Press Release From Consumer and Privacy Groups (pdf):


Letter to Eric Schmidt, CEO of Google (pdf):


EPIC Google Privacy Page:


[3] Canadian Law Students File Privacy Complaint Against Facebook

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic
(CIPPIC) filed a complaint with the Canadian Privacy Commissioner
regarding unnecessary and non-consensual collection and use of personal
information by Facebook. CIPPIC is a legal clinic affiliated with the
University of Ottawa and focuses on technology law issues. CIPPIC
accuses Facebook of violating the Canadian privacy laws set by the
Personal Information Protection and Electronic Documents Act (PIPEDA).
The complaint alleges that Facebook conditions access to its services
on consent to information collection that is unnecessary for those
services, collects information by deceptive practices, gives third
parties more access to users' information than necessary and has lax
security measures.

PIPEDA states that an organization shall not condition the supply of a
service by requiring an individual to consent to the collection, use and
disclosure of information beyond that required to fulfill the specified
purposes.  CIPPIC argues that requiring users to provide their date of
birth does not comply with this provision. Furthermore, in order to add
third-party applications, users have to grant access to far more
information than the applications require for their purposes.

The University of Virginia's Adrienne Felt and CNET's Chris Soghoian
previously noted the practices with regards to third-party applications.
According to them, 90% of the applications get access to more
information than they need, including access to the information of the
friends of the user who installed the application. The complaint
specifically mentions that while Facebook is clear to developers about
which information they can collect from users, there is little to no
disclosure to the users themselves.

Facebook claims to offer granular control over its privacy settings.
CIPPIC finds this deceptive: "Facebook purports to provide users with a
high level of control over their data," said Harley Finkelstein, one of
the law students who lodged the complaint. "But our investigation found
that this is not entirely true." CIPPIC also finds Facebook's narrow
representation of itself as a social networking site misleading, because
it also engages in advertising and disseminates information to third
parties beyond the function of its applications.

A technical analysis of Mobile Facebook, the Facebook website for mobile
phones, showed that it deployed sub-par security measures. A cookie that
provides login credentials for the Facebook website has an indefinite
expiration time, so anyone who obtains a copy of that cookie gains
indefinite access to the user's profile. It is common practice in web
engineering to give such cookies a limited lifetime to reduce this risk.
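One way to check a site for the cookie problem described above is to
audit its Set-Cookie headers for credential-bearing cookies whose
lifetime is excessive. The Python script below is an added example; it
is not part of the EPIC Alert, the CIPPIC complaint or Facebook's code.
The sample headers, the cookie name "login_session", the audit date and
the 30-day threshold are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for credential cookies with excessive lifetimes.

Added example (not from the EPIC Alert or from Facebook). The constructed
headers below imitate the pattern described in the CIPPIC complaint: a
login cookie whose expiry is effectively indefinite, beside a short-lived
one and a plain session cookie. Names, dates and threshold are assumptions.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers (not real server responses).
SAMPLE_HEADERS = [
    "Set-Cookie: login_session=abc123; Path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT",
    "Set-Cookie: login_session=def456; Path=/; Max-Age=1800",
    "Set-Cookie: login_session=ghi789; Path=/",
    "Set-Cookie: locale=en_US; Path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT",
]

NOW = datetime(2008, 6, 13, tzinfo=timezone.utc)   # assumed audit time
MAX_CREDENTIAL_LIFETIME = timedelta(days=30)      # assumed policy threshold
CREDENTIAL_NAMES = {"login_session"}              # assumed credential cookie names


def cookie_lifetime(header, now=NOW):
    """Return (name, lifetime) for one Set-Cookie header.

    lifetime is a timedelta, or None for a session cookie (no Expires and
    no Max-Age), which the browser discards when it closes. Max-Age takes
    precedence over Expires, as RFC 6265 specifies.
    """
    value = header.split(":", 1)[1].strip()   # drop the "Set-Cookie:" prefix
    jar = SimpleCookie()
    jar.load(value)
    (name, morsel), = jar.items()
    if morsel["max-age"]:
        return name, timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        # Cookie dates carry an explicit GMT zone, so the result is tz-aware.
        return name, parsedate_to_datetime(morsel["expires"]) - now
    return name, None


def audit(headers, now=NOW, limit=MAX_CREDENTIAL_LIFETIME):
    """Return (name, days) for credential cookies that outlive the limit.

    Non-credential cookies (a locale preference, say) are ignored even when
    they are long-lived: the risk is replay of a stolen login token.
    """
    findings = []
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if name in CREDENTIAL_NAMES and lifetime is not None and lifetime > limit:
            findings.append((name, lifetime.days))
    return findings


if __name__ == "__main__":
    for name, days in audit(SAMPLE_HEADERS):
        print(f"credential cookie {name!r} lives {days} days (limit "
              f"{MAX_CREDENTIAL_LIFETIME.days})")
```

Run against the constructed headers, only the first login_session cookie
is reported: its lifetime is roughly thirty years, while the Max-Age
variant expires in half an hour and the bare session cookie dies with the
browser.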

CIPPIC's director, Philippa Lawson, told the BBC that they are planning
to scrutinize other Social Networking Sites: "They are all suspect.
Facebook is the most popular site in Canada and so that is why we looked
at it in particular, but I am hoping to be able to do an analysis of
MySpace later this year."

CIPPIC's PIPEDA Complaint Regarding Facebook (pdf):




EPIC Page on Facebook:


Washington Post: A Flashy Facebook Page, at a Cost to Privacy


[4] Coalition of Privacy Advocates Urges Privacy in E-Prescribing

A coalition of 25 privacy and civil liberty organizations sent a letter
to the key Congressional Committees on Capitol Hill regarding the
importance of patient prescription privacy. The coalition asked that
patient privacy should be a key consideration as Congress considers the
adoption of electronic prescribing policy.

As a solution for medical errors and to make health care administration
more efficient, technology to support the sharing of prescription
information across databases is being advanced. However, the data
transfer capability of e-prescribing services may also be used for data
mining and research purposes. E-prescribing may also allow the sale and
reuse of prescription information without the consent or knowledge of

The letter outlined basic principles in the adoption of e-prescribing
such as a right to health information privacy; use of data only for
medical purposes; prompt notification of privacy breaches; meaningful
penalties; opt-out option for physicians; annual reports on patient
access to their data; no preemption of state privacy laws; and greater
transparency from the Centers for Medicare and Medicaid Services.

EPIC Medical Privacy Page:


EPIC Amicus Brief, IMS v. State of New Hampshire (pdf):


Link to Privacy Letter on E-Prescribing:


[5] EPIC Urges DC Council to Suspend Video Surveillance Program

On June 2, 2008, EPIC Executive Director Marc Rotenberg appeared before
the District of Columbia Council to support the suspension of the
District's Video Interoperability for Public Safety ("VIPS") video
surveillance system. The VIPS system, supported by DC mayor Adrian
Fenty, would consolidate about 5,200 surveillance cameras into a single
network. The system does not have privacy regulations. Citing privacy
concerns, the DC Council Public Safety and Judiciary Committee recently
cut $886,000 from Mayor Fenty's proposed homeland security budget, money
that was designated for the VIPS system.

Mr. Rotenberg urged the Council to suspend the VIPS system, noting that 
EPIC uncovered evidence of previous DC video surveillance of political
protestors. This practice implicates Constitutional rights, and raises
questions about the widespread, regular use of surveillance cameras.
Through Freedom of Information Act litigation, EPIC obtained individual
logs of aerial video surveillance conducted by the DC Metropolitan
Police Department and the FBI of protesters at the Million Family March,
pro-Life demonstrations at the Supreme Court, and the various World Bank
protests. These images were obtained by helicopter and downloaded to
police on the ground. They were also provided to the MPD Command Center.

EPIC also urged the City Council to investigate the role of the firm L-1
Identity Solutions, the leading vendor of camera surveillance equipment.
EPIC believes that L-1 would become a primary contractor for the VIPS
system.  L-1 has been the focus of several important studies, including
“No Place to Hide” by Washington Post reporter Robert O'Harrow and
“China's All-Seeing Eye” by Rolling Stone's Naomi Klein.  Klein
describes L-1 as a company that is helping China “build the prototype
for a high-tech police state.”

EPIC has previously supported strong privacy safeguards for video
surveillance. In May, EPIC urged the DC Council to carefully evaluate
the cost and effectiveness of camera surveillance systems.  Council
members were debating a bill that would have required all gas station
owners in the District to purchase and install camera systems. In 2002,
EPIC testified before the City Council regarding the problems with video
surveillance, and recommended strong privacy safeguards.

EPIC's Testimony Regarding VIPS (pdf):


DC VIPS System:


EPIC Video Surveillance Page: 


EPIC - Observing Surveillance: 


EPIC's Statement Regarding Mandatory Gas Station Camera in DC (pdf):


[6] News in Brief

Leaked Report Shows ISP spied on Web Surfers, Crashing Their Browsers.

A report leaked from British Telecom shows some of the results of its
use of the Phorm monitoring service. The ISP routed users' web surfing
traffic to Phorm, which then replaced parts of the websites they were
viewing with targeted ads. Phorm profiled users based on the users'
browsing history. The report details that users had no notice of the
system, and no choice to opt out. Additionally, the technology sometimes
crashed browsers or actually caused users to post on interactive online
forums. In the United States, Charter Communications has announced that
it plans on joining with NebuAd to perform similar monitoring and

Leaked BT-Phorm Report (pdf):


EPIC Page on Deep Packet Inspection:


Study Secretly Tracks Cell Phone Users Outside US

Nature magazine recently published a study by researchers that tracked
the location of 100,000 cell phone users outside of the United States
for a six-month period. Researchers report using anonymous data, but
also report that individual travel patterns show temporal and spatial
regularity. Individuals could be re-identified since they are likely to
be at home in the evenings and at work during the day. In the United
States, the Communications Act protects cell phone location information
as Customer Proprietary Network Information (CPNI). Carriers have a duty
to protect the privacy of CPNI.

Study 'Understanding Human Mobility Patterns':




TSA Changes ID Policy

The Transportation Security Administration announced a change in the
agency's air travelers ID policy. Beginning June 21, 2008, passengers
who are suspected of willfully refusing to provide identification at a
security checkpoint will be denied access to the secure area of the
airport. However, there is no change in the agency's policy of allowing
travelers who have lost or forgotten their ID, or had it stolen, to
travel. Passengers suspected of lying about why they have no ID are the
ones affected by this change in ID policy.

EPIC Air Travel Privacy:


TSA Press Release:


Fusion Centers Face “Insufficient” Terrorist Activity

A recent study of fusion centers determined that “[t]here is, more often
than not, insufficient purely 'terrorist' activity to support a
multi-jurisdictional and multi-governmental level fusion center that
exclusively processes terrorist activity.”  Fusion centers are
intelligence databases that collect information on ordinary citizens.
These state entities were established after 9-11, and were originally
intended to compile information regarding terrorist activity.  Privacy
advocates have identified privacy threats created by fusion centers, and
criticized fusion centers' involvement in domestic spying that is
unrelated to terrorism.  The Department of Homeland Security has awarded
over $380 million in grants to fund fusion centers. Information in the
recent study, authored by Milton Nenneman of the Naval Postgraduate
School, suggests that fusion centers lack enough terrorism-related work
to justify their present staffing levels and budgets.

“An Examination of State and Local Fusion Centers and Data Collection
Methods” (pdf):


EPIC's Fusion Center page:


Privacy In the Clouds: White Paper on Privacy and Digital Identity

The Information and Privacy Commissioner (IPC) of Ontario published a
white paper, 'Privacy in the Clouds', on identity management with
Privacy Enhancing Technologies (PETs) on the Internet. The paper's
central position is informational self-determination, the ability of an
individual to control the collection, use and disclosure of their
personal information. IPC calls for a user-centric identity management
infrastructure, both online (Web 2.0) and offline (for example, medical
records). Such an infrastructure lets users determine what information
will be revealed to which parties and for what purposes, and gives them
insight into how trustworthy those parties are, how they will handle the
information and what the consequences of sharing it will be. IPC sees a
large role for open standards, such as OpenID, and community-driven
interoperability in developing this infrastructure.

Information and Privacy Commissioner of Ontario:


EPIC Page on Internet Privacy:


EPIC Page on Medical Record Privacy:


Bush Orders Contractors to Check Legal Status of Employees

President Bush signed Executive Order 12989, which gives the Department
of Homeland Security authority to review employment eligibility for all
federal employees and federal contractors. The decision to expand
"E-Verify" comes after Congress rejected the President's verification
proposal and a federal court struck down the agency's attempt to
establish similar authority by regulation. EPIC testified in Congress in
2007 against the "Employment Eligibility Verification System." The
Government Accountability Office, in a June 10 report, stated that
"challenges remain" in the path to implementation of full employment
verification. The GAO is concerned with the ability of DHS and the
Social Security Administration to handle the increased workload, the
inability of E-Verify to catch certain types of fraud, and the
vulnerability of E-Verify to employer fraud and misuse.

Executive Order 12989:


GAO: Employment Verification: Challenges Exist in Implementing a
Mandatory Electronic Employment Verification System (pdf):


EPIC Spotlight on Surveillance - Electronic Employment Verification:


[7] EPIC Bookstore: Zero Day Threat

Zero Day Threat


The book is a walk through the world of computer crime from the
perspective of security or law enforcement professionals.  The view from
the perspective of the authors is that these criminals are young male
loners looking for attention or money to support drug habits. Or they
are the tools of global organized criminal networks.

I did not like this book, but it might be just the read for a computer
security professional or law enforcement person. The underlying problems
attributed to computer related crimes are software engineering, inferior
data management practices by private companies, and the dysfunctional
rules for granting credit.  The book did not focus on these issues, but
cataloged the disreputable nature of offenders.

The first decade of the digital communication age did belong to the
young, and that was not a bad thing.  Young men with an interest in
computers are not all bad, and yes, the worms and viruses spread over the
Internet under the names "I Love You," "Melissa", "Anna Kournikova", and
"SoBig" were costly headaches attributed in many cases to young males.
The authors of the book document the history of these incidents and
connect the motivations to attention seekers, vandals, methamphetamine
addicts, and finally international crime syndicates.  The latter is
the scariest of them all because the Internet is global and the
resources are focused solely on theft in a grand way.

Stronger physical locks result from lock manufacturers reacting to
threats to their customers. Unfortunately there is a disconnect between
the real world problems of consumers and the poor data management
practices of data holders who are often hidden from view. The quote
"Right now it isn't painful enough for customers," reveals a disconnect
from consumers because it is painful to deal with the problems of
identity theft, but they are not getting the right information on the
real source of the problem.

There is one maxim that may be helpful to summarize my view on the
situation: "If you build it, thieves will come--so build it well."  If
the "it" happens to be an identification system such as REAL ID, or
credit granting system like the one used by the financial services
industry: do not use bad practices because they will be exploited.

- Lillie Coney


EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.


This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.


This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. 


This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23rd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.


This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:


The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.


A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore 


"EPIC Bookshelf" at Powell's Books



EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:


[8] Upcoming Conferences and Events

Making the Future of the Internet Economy Work for Citizens, Consumers
and Workers, The Public Voice Conference. June 16, 2008. Seoul, Korea.
For more information: 

Future of the Internet Economy - OECD Ministerial Meeting. June 17-18,
2008. Seoul, Korea. For more information:

Second Annual National Institute on Cyberlaw: Expanding the Horizons.
June 18-20, 2008. Washington DC. For more information:

Conference on Ethics, Technology and Identity. The Hague. June 18-20,
2008. For more information:

National Conference on DNA Databanks and Race. June 19-20, 2008, New
York University (NYU) Department of Sociology. For more information:
http://www.gene-watch.org/

International workshop on "Global Internet Governance: An
Interdisciplinary Research Field in Construction". June 23, 2008, Paris,
France. For more information:
http://www.epic.org/redirect/glob_internet_gov.html

Personal Democracy Forum 2008: Rebooting the System. June 23-24, 2008,
New York City. For more information:
http://www.personaldemocracy.com/

Homeland Security, Privacy and Civil Liberties: A Five Year Review. June
26, 2008. The Heritage Foundation's Allison Auditorium. For more
information:
http://www.heritage.org/press/events/ev062608a.cfm

Privacy Laws & Business 21st Annual International Conference: Value
Privacy, Secure Your Reputation, Reduce Risk. July 7-9, 2008, St. John’s
College, Cambridge. For more information:
http://www.privacylaws.com/

The Privacy Symposium - Summer 2008: An Executive Education Program on
Privacy and Data Security Policy and Practice. August 18-21, 2008,
Harvard University, Cambridge, MA. For more information:
http://www.privacysummersymposium.com/

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:
https://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under
"subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and expanding wiretapping powers.

Thank you for your support.

========================================================================
Support Privacy '08
========================================================================

If you would like more information on Privacy '08, go online and search
for "Privacy 08". You'll find a Privacy08 Cause at Facebook, Privacy08
at Twitter, a Privacy08 Channel on YouTube to come soon, and much more.
You can also order caps and t-shirts at CafePress Privacy08. Start a
discussion. Hold a meeting. Be creative. Spread the word. You can donate
online at epic.org. Support the campaign.

Facebook Cause: http://www.epic.org/redirect/fbprivacy08.html
Twitter: http://twitter.com/privacy08
CafePress: http://www.cafepress.com/epicorg

------------------------- END EPIC Alert 15.12 -------------------------