EPIC Alert 20.03

========================================================================
E P I C   A l e r t
========================================================================
Volume 20.03                                           February 15, 2013
------------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

========================================================================
Table of Contents
========================================================================
[1] EPIC Petitions FAA on Drone Privacy; Agency Responds
[2] White House Issues New Cybersecurity Executive Order, Directive
[3] EPIC, Coalition Seek Privacy Safeguards for Car Data
[4] EPIC to Supreme Court: Protect Genetic Privacy
[5] US NGOs Press Federal Government to Support EU Privacy Proposals
[6] News in Brief
[7] EPIC in the News
[8] EPIC Bookstore
[9] Upcoming Conferences and Events

TAKE ACTION: Support Europe v. Facebook!

- LEARN about the Project:
- DEMAND Your Facebook Data:
- JOIN Forces with Europe v. Facebook:
- SUPPORT EPIC:

========================================================================
[1] EPIC Petitions FAA on Drone Privacy; Agency Responds
========================================================================

In response to an extensive petition submitted by EPIC in February 2012, the Federal Aviation Administration (FAA) has announced it will begin a public rulemaking on the privacy impact of aerial drones. The EPIC petition, joined by over 100 organizations, experts, and members of the public, urged the FAA to develop privacy standards for drone operators.

In a February 14 letter to EPIC Executive Director Marc Rotenberg, the FAA Chief Counsel stated, "the FAA recognizes that increasing the use of [drones] raises privacy concerns. The agency intends to address these issues through engagement and collaboration with the public."

The FAA's announcement comes exactly one year after President Obama signed the FAA Modernization and Reform Act of 2012, which directed the FAA to loosen restrictions on government and commercial drone flights in the United States.

A recent report published by the Congressional Research Service outlines the scope of the Federal Aviation Administration's power to regulate unmanned aerial vehicles in US airspace. The report further investigates Fourth Amendment and privacy implications of domestic drone use, stating, "Perhaps the most contentious issue concerning the introduction of drones into U.S. airspace is the threat that this technology will be used to spy on American citizens."

Drones' potential threats to privacy rights have spurred many states to consider legislation limiting drone surveillance. Oregon has become the most recent state to consider limits on the deployment of drones within the US. A new bill sets out licensing requirements for drone use in Oregon and fines those who use unlicensed drones to conduct surveillance. New limitations are also being proposed for federal evidence collected by drone use in a state court. The Florida State Senate is considering a bill that would flatly prohibit law enforcement from using drones "to gather evidence or other information." North Dakota and Missouri are among the other states considering drone privacy legislation.

In July 2012, EPIC testified before the US House Committee on Homeland Security on the use of domestic drones. EPIC's testimony explained that "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies," some of which pose truly unique threats to citizens' privacy.
EPIC cautioned Congress that current privacy safeguards are inadequate to protect against these threats, and that Congress should pass drone legislation that would require retention and use limits for data gathered by drones, as well as transparency measures to ensure that the public understands domestic drone policies.

EPIC: Letter from FAA Chief Counsel to EPIC (Feb. 14, 2013)
FAA: Unmanned Aircraft Systems Test Site Selection
Congressional Research Service: Drone Report (Jan. 30, 2013)
State of Oregon: Senate Bill 71 (2013)
State of Missouri: House Bill 46 (2013)
State of North Dakota: Bill 13.0664.01000 (2013)
EPIC: Testimony before US House on Drones (July 19, 2012)
EPIC: Petition to FAA on Drones (Feb. 24, 2012)
EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones

========================================================================
[2] White House Issues New Cybersecurity Executive Order, Directive
========================================================================

During his 2013 State of the Union address, President Obama announced an Executive Order on cybersecurity and "critical infrastructure." Executive Order 21213 grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will assess the privacy and civil liberties impact of their actions under the Executive Order on an annual basis. The assessments include self-evaluation against the Fair Information Practice Principles - a set of eight principles that safeguard privacy when implemented correctly.

President Obama further urged Congress to pass "legislation to give our government a greater capacity to secure our networks and deter attacks." The new Congress has reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA) - a bill scuttled in 2012 because of sustained opposition from Internet activists outraged by the bill's privacy ramifications.
CISPA's provisions include allowing the private sector to share detailed information about Internet users with the government.

In addition to Executive Order 21213, the President also issued Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions on cybersecurity practices. The Directive requires DHS to set up national centers that can analyze the information shared between the government and private sector quickly enough to provide near real-time situational awareness. The information analyzed by DHS will include intelligence from the Intelligence Community (e.g. National Security Agency), the Department of Defense, and other agencies with "relevant intelligence or information."

EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency.

The White House: State of the Union Address (Feb. 12, 2013)
The White House: Executive Order 21213 (Feb. 12, 2013)
The White House: Presidential Policy Directive 21 (Feb. 12, 2013)
EPIC: "Flawed Cybersecurity Bill Passes House" (Apr. 27, 2012)
US House: Text of CISPA
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC: Cybersecurity Privacy Practical Implications

========================================================================
[3] EPIC, Coalition Seek Privacy Safeguards for Car Data
========================================================================

EPIC, joined by a coalition of privacy, consumer rights, and civil rights organizations, as well as members of the public, has urged the National Highway Traffic Safety Administration to protect driver privacy and establish privacy safeguards for "event data recorders" (EDRs).
Event data recorders are often referred to as "black boxes" because they record a number of data points that can be examined in the event of an automobile crash. These data points include speed of the automobile, the status of the brake and accelerator pedals, and the use or non-use of seatbelts. Data stored in EDRs may be accessed by third parties such as vehicle manufacturers, law enforcement for post-crash investigations, or repair shops for diagnostic purposes.

The agency's proposed rule would mandate the installation of EDRs in all cars and small trucks sold in the US by 2014; currently most vehicles already come equipped with EDRs, but they are not mandated. In the proposal, the NHTSA conceded that data collected by EDRs raise significant privacy issues. Nevertheless, the proposal has no new privacy safeguards, although the agency maintains that it treats the vehicle owner as the owner of the EDR data, adheres to applicable Privacy Act and FOIA provisions, and that EDR data does not contain Personally Identifiable Information.

In recent comments to the NHTSA, EPIC recommended that the agency: (1) restrict the amount of data collected by EDRs; (2) conduct a comprehensive privacy impact assessment; (3) uphold Privacy Act protections; (4) require security standards for EDR data; and (5) establish best practices to fully protect the privacy rights of vehicle owners and operators. EPIC argued that "[i]t is contrary to reasoned decisionmaking for the agency to mandate massive data collection and not fully amend its current regulations to protect individual privacy."

EPIC has previously commented on proposed rules put forth by the National Highway Traffic Safety Administration. When the agency proposed a rule in 2002 expanding its role in the development of event data recorders and another in 2004 standardizing EDR data formats, EPIC urged it to adhere to the Fair Information Practices and the Privacy Act of 1974 in order to protect driver privacy.
EPIC also has supported the privacy of information collected by the Department of Motor Vehicles.

Federal Register: Request for Comments on EDRs (Dec. 13, 2012)
EPIC: Comments on EDR Privacy (Feb. 11, 2013)
EPIC: Comments to NHTSA on Event Data Recorder Privacy (Feb. 2003)
EPIC: Comments to NHTSA on Event Data Recorder Privacy (Aug. 2004)
EPIC: Automobile Event Data Recorders and Privacy
EPIC: The Drivers Privacy Protection Act

========================================================================
[4] EPIC to Supreme Court: Protect Genetic Privacy
========================================================================

EPIC has filed a "friend of the court" brief in the US Supreme Court case Maryland v. King, arguing that law enforcement's warrantless collection of DNA is unconstitutional because such collection "constitutes an unreasonable search and seizure under the Fourth Amendment [and] poses unnecessary and ongoing risks to privacy without serving any legitimate government interest."

Maryland v. King centers on whether the Fourth Amendment permits law enforcement to systematically collect DNA samples from every arrestee. This DNA is searched, without any probable cause or reasonable suspicion, against a central database to investigate unrelated cases. In King, the defendant was arrested for assault and his DNA was used to convict him in an unrelated cold case.

EPIC's brief describes the government's "dramatic and unpredictable" expansion of DNA collection over the past decade. The FBI's national DNA database, CODIS, accessible by every law enforcement agency in the country, was created in 1994 for the limited purpose of linking sex offenders with crime scene evidence. However, in the past 20 years, "the government has continuously and incrementally broadened CODIS' reach, allowing law enforcement to collect and retain DNA samples from many new categories of individuals.
When a program like CODIS develops in this statutory step-by-step fashion, it is difficult to divine a limiting principle."

EPIC's brief also states that the Fourth Amendment limits "the otherwise unbounded collection and use of the individual's DNA sample by the government." An individual's DNA contains sensitive data about physical traits, predisposition to diseases, and familial relations. An entire genome does not have to be sampled or retained to identify a criminal; however, the government permanently retains complete DNA samples and uses those DNA databases to search not only those arrested, but their family members as well. The brief maintains that the most privacy-protecting means of handling criminal DNA samples is to destroy them immediately after analysis, as was recommended by the National Academy of Sciences nearly 20 years ago.

"As our knowledge of genetics and its capabilities continues to expand," EPIC's brief concludes, "it brings with it new challenges to privacy. Once an individual's DNA sample is in a government database, protecting that information from future exploitation becomes more difficult."

Twenty-six technical experts and legal scholars also signed onto the EPIC brief. The US Supreme Court will hear the case sometime this spring.

EPIC: "Friend of the Court" Brief in Maryland v. King (Feb. 1, 2013)
US Supreme Court: Maryland v. King Docket
Maryland Court of Appeals: Opinion in King v. State (2011)
EPIC: Maryland v. King
EPIC: Genetic Privacy

========================================================================
[5] US NGOs Press Federal Government to Support EU Privacy Proposals
========================================================================

EPIC has joined a coalition of leading US consumer and civil liberties organizations expressing concern about the role of US officials in the development of European privacy law.
In a letter to the US Secretaries of State, Justice, and Commerce, the coalition sought a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the President." The letter states that, "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide."

As the President explained last year, "Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones. In just the last decade, the Internet has enabled a renewal of direct political engagement by citizens around the globe and an explosion of commerce and innovation creating jobs of the future."

The Consumer Bill of Rights sets out the principles of individual control over personal data; transparency of privacy practices and data use policies; data use consistent with the context in which consumers supply their data; information security; ensuring that users can access their data and have a means to correct inaccuracies; the right to reasonable limits on companies' collection and retention of the personal data; and corporate accountability for data breach. The President also said that the Consumer Privacy Bill of Rights is "a blueprint for privacy in the information age. . . . My Administration will work to advance these principles and work with Congress to put them into law."

EPIC has been a consistent advocate of EU data privacy reform. In October 2012, EPIC Executive Director Marc Rotenberg testified before the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs. Mr. Rotenberg's testimony expressed support of a proposed EU privacy reform, which would accomplish five important goals. "First," Mr. Rotenberg explained, "it simplifies the existing framework of European privacy laws. Second, it strengthens rights for consumers.
Third, it clarifies legal authority for data privacy agencies. Fourth, it updates privacy protections in light of new data collection practices. Fifth, it reaffirms a fundamental right of great importance."

Also in 2012, EPIC co-authored a letter, along with a group of transatlantic consumer organizations, expressing support for the EU's effort to update and modernize privacy law. The letter explains that promotion of stronger privacy standards in Europe will benefit consumers worldwide, as businesses improve their privacy practices and security standards. "We believe that this approach, which sets out rights and responsibility for the collection and use of personal data, is the cornerstone of data protection in the modern era," the letter states.

EPIC et al.: Letter to US Government on EU Data Privacy (Feb. 4, 2013)
EPIC: Testimony Before EU Parliament on Data Privacy (Oct. 10, 2012)
EPIC: Letter re: EU General Data Protection Regulation (Sept. 5, 2012)
The White House: Consumer Privacy Bill of Rights (Feb. 2012)
EPIC: EU Data Protection Directive

========================================================================
[6] News in Brief
========================================================================

EPIC Obtains New Documents on FBI Cellphone Tracking Technology

In the fifth interim release of documents in the Freedom of Information Act lawsuit EPIC v. FBI, the agency has turned over nearly 300 pages on a surveillance technique directed toward users of mobile phones. The documents obtained by EPIC reveal that FBI agents have been using "cell site simulator" technologies, also known as "StingRay," "Triggerfish," or "Digital Analyzers," to monitor cell phones since 1995. Internal FBI emails also obtained by EPIC reveal that agents went through extensive training on these devices in 2007.
In addition, a presentation from the agency's Wireless Intercept and Tracking Team argues that cell site simulators qualify for a low legal standard as a "pen register device," an interpretation that was recently rejected by a Texas federal court.

EPIC: FBI Documents on Mobile Surveillance Technologies (Feb. 7, 2013)
EPIC: EPIC v. FBI - Stingray / Cell Site Simulator
US District Court/TX: Decision on Cell Site Simulators (Jun. 2, 2012)
EPIC: Locational Privacy

Congress Challenges Justice Department Commitment to Open Government

In a recent letter to the director of the US Office of Information Policy, a Congressional oversight committee has asked a series of questions challenging the federal government's compliance with the FOIA. The Office of Information Policy is tasked with "encouraging agency compliance with the Freedom of Information Act (FOIA) and for ensuring that the President's FOIA Memorandum and the Attorney General's FOIA Guidelines are fully implemented across the government."

The letter from Committee Chair Rep. Darrell Issa (R-CA) and Ranking Member Rep. Elijah Cummings (D-MD) called on the Justice Department to address concerns about "outdated FOIA regulations, exorbitant and possibly illegal fee assessments, FOIA backlogs, the excessive use and abuse of exemptions, and dispute resolution services."

EPIC makes frequent use of the FOIA to obtain information from the government about surveillance and privacy policy. EPIC has also raised concerns in comments to federal agencies and to the Office of Government Information Services about systemic problems with FOIA compliance.

US House: Letter to OIP re: FOIA Compliance (Feb. 4, 2013)
US Office of Information Policy
Federal Register: President's 2009 FOIA Memorandum (Jan. 26, 2009)
US AG Office: Attorney General's 2009 FOIA Memorandum (Mar. 19, 2009)
EPIC: Open Government
EPIC: FOIA Litigation Docket

FTC Reaches Settlement with Mobile App Path over Privacy Violations

The Federal Trade Commission has announced a settlement and consent order with the social networking app Path over charges that Path secretly collected information from mobile users' address books without their consent. The FTC also fined the company $800,000 for violating the Children's Online Privacy Protection Act, which prohibits the collection of personal information from children without obtaining parental consent. The consent order requires Path to implement a comprehensive privacy program and to submit to independent privacy assessments for the next 20 years.

Over the last year, the FTC has released a series of reports documenting privacy problems with mobile apps that collect the personal information of children. In September 2012 EPIC submitted comments supporting the FTC's proposed improvements to the COPPA rule, which the agency ultimately adopted.

FTC: Press Release on Path Settlement (Feb. 1, 2013)
FTC: Text of Path Settlement (Feb. 8, 2013)
FTC: Press Release on Kids' Mobile Apps Report (Feb. 16, 2012)
FTC: Text of Mobile Kids' Apps Report (Dec. 2012)
EPIC: Comments on FTC Improvements to COPPA (Sept. 24, 2012)
EPIC: Children's Online Privacy
EPIC: FTC

========================================================================
[7] EPIC in the News
========================================================================

"Genetic Privacy for Suspects?" The Scientist, Feb. 12, 2013.

"Push to Gauge Bang for Buck from College Gains Steam." The Wall Street Journal, Feb. 11, 2013.

"States and Cities Step Up and Resist Drone Surveillance." The New American, Feb. 11, 2013.

"Lots of buzz about domestic drones; concerns rise with possibilities." The Washington Times, Feb. 11, 2013.

"Is Christopher Dorner 'The First Human Target' of Drones on U.S. Soil?" In These Times, Feb. 11, 2013.

"Software that tracks people on social media created by defence firm." The Guardian UK, Feb. 10, 2013.

"Tracking Privacy and Ownership In An On-Line World." NPR's "Talk of the Nation," Feb. 8, 2013.

"Privacy issues may dominate in 2013." Consumer Affairs, Feb. 7, 2013.

"Genetic Privacy Front and Center at Supreme Court." Wired, Feb. 6, 2013.

"Basic Privacy Themes Reviewed in Dialogue on Diversity Colloquium." CapitalWire PR, Feb. 5, 2013.

"Privacy groups call on U.S. government to stop lobbying against EU data law changes." ZDNet, Feb. 4, 2013.

"Privacy battle against U.S. drone surveillance ramps up." CSO, Feb. 1, 2013.

"Data Protection Laws, an Ocean Apart." The New York Times, Feb. 2, 2013.

For More EPIC in the News:

========================================================================
[8] EPIC Bookstore
========================================================================

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

========================================================================
[9] Upcoming Conferences and Events
========================================================================

"The New Frontier: Policy & Politics in the Age of the Internet." 22 February, Washington, DC. For More Information:

"IDP13 in OKC." 23 February 2013, Oklahoma City, OK. For More Information:

"Hands on the Future in the Classroom." SXSW, 6 March 2013, Austin, TX. For More Information:

"Online Privacy: Consenting to your Future." 21-22 March 2013, Portomaso, Malta. For More Information:

EPIC Champion of Freedom Awards Dinner. 3 June 2013, Washington, DC. For More Information:

22nd Annual Computers, Freedom, & Privacy Conference.
25-26 June 2013, Washington, DC. For More Information: Contact Chris Calabrese at

========================================================================
Join EPIC on Facebook and Twitter
========================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 20.03 -------------------------