Defend Privacy. Support EPIC.

EPIC's Mission
Focusing public attention on emerging privacy and civil liberties issues

EPIC Alert 20.07

========================================================================
E P I C   A l e r t
========================================================================
Volume 20.07                                              April 16, 2013
------------------------------------------------------------------------

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

"Defend Privacy. Support EPIC."

========================================================================
Table of Contents
========================================================================
[1] EPIC Sues FBI to Obtain Details on Massive Biometric ID Database
[2] EPIC Comments on Federal Cybersecurity Framework
[3] EPIC Comments on FTC FOIA Procedures
[4] EU Takes Action Against Google for Privacy Policy Meltdown
[5] President May Veto Controversial Cybersecurity Bill
[6] News in Brief
[7] EPIC in the News
[8] EPIC Book Review: 'SuperVision'
[9] Upcoming Conferences and Events

TAKE ACTION: Comment on the TSA's 'Nude' Airport Body Scanners!

- COMMENT to the TSA:
- LEARN More:
- SUPPORT EPIC:

========================================================================
[1] EPIC Sues FBI to Obtain Details on Massive Biometric ID Database
========================================================================

EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents on "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice-identification profiles, photographs, and other identifying information culled from numerous federal, state, and local law enforcement agencies. The FBI intends to use facial recognition to identify individuals within the database. In addition to data from suspects and convicts, NGI will contain records on millions of US persons with no arrest records or reason for suspicion.
The FBI also plans to collect surveillance camera footage and other publicly accessible images to add to the agency's facial recognition program.

EPIC v. FBI, filed April 8 in the District of Columbia federal court, focuses on the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. After more than six months, the FBI has yet to provide any responsive documents. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." Non-law-enforcement civilian agencies, such as DMVs and other licensing entities, also will be able to submit their records to NGI, and over 18,000 law-enforcement agencies will have access to the database.

EPIC: Complaint filed against FBI re: FOIA Request (Apr. 8, 2013)
FBI: Next Generation Identification
EPIC: Information on EPIC v. FBI
EPIC: Biometric Identifiers
EPIC: Facial Recognition

========================================================================
[2] EPIC Comments on Federal Cybersecurity Framework
========================================================================

In response to the agency's request, EPIC has submitted comments on the National Institute of Standards and Technology's review for developing a national cybersecurity framework. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices.

In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy and Freedom of Information Acts. EPIC also recommended that the cybersecurity framework should clearly define what constitutes "national security threats" and emphasized the need to avoid equating all cybersecurity issues with national security issues.
In order to promote transparency and public engagement, EPIC's comments recommended that "[w]ithin the scope of the Cybersecurity Framework," NIST: (1) with respect to any cybersecurity legislation, urge Congress to include protections for civil liberties and privacy in line with the Cybersecurity Framework; (2) abide by the Obama Administration's commitment to civilian control of cybersecurity; (3) urge the release of documentation concerning purported cybersecurity authority for agencies, including the National Security Agency ("NSA"), involved in the Cybersecurity Framework; (4) distinguish between cybercrimes that fall under law enforcement and cyberterrorism that falls under national security; (5) acknowledge the 1992 OECD Guidelines for the security of information systems; and (6) fully adhere to the Privacy Act of 1974 and the Freedom of Information Act." EPIC's comments also emphasized the need for the National Security Agency to release documentation concerning its own cybersecurity authority.

EPIC has previously submitted comments on the Federal Cybersecurity Research and Development Strategic Plan and on the Defense Department's cybersecurity program. In both instances, EPIC urged robust privacy protections and adherence to both the Privacy Act and the Freedom of Information Act.

NIST: Request for Comments on Cybersecurity Standards (Feb. 26, 2013)
EPIC: Comments to NIST on Cybersecurity (Apr. 8, 2013)
The White House: Executive Order 13636 (Feb. 19, 2013)
EPIC: EPIC v. NSA - Cybersecurity Authority
EPIC: Comments on Federal Cybersecurity Strategic Plan (Dec. 19, 2012)
EPIC: Comments on DoD Cybersecurity (July 10, 2012)

========================================================================
[3] EPIC Comments on FTC FOIA Procedures
========================================================================

EPIC has submitted comments to the Federal Trade Commission pursuant to the agency's February 2013 notice to revise Freedom of Information Act fee regulations. EPIC generally supports many of the agency's changes, and applauded the FTC for reducing request fees, explaining, "The proposed revisions impact various agency practices concerning FOIA fee processing, and on the whole, the agency's proposals benefit FOIA requesters." For example, the Commission proposes increasing the threshold for small charge fee waivers "from those that do not exceed $14 to those under $25."

However, EPIC's comments also noted that several of the Commission's fee proposals create barriers for FOIA requesters or otherwise frustrate the spirit of the law. Specifically, EPIC urged the FTC to "(1) update its definition for news media representative; (2) clarify which documents are public information and ensure that hyperlinks to those records work properly; (3) disclose private sector contract rates for FOIA processing; (4) refrain from prematurely closing FOIA requests; and (5) adopt alternative dispute resolution or arbitration when resolving delinquent FOIA fees."

EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. In 2012, EPIC submitted extensive comments to the Department of Defense, noting that the DoD's proposals would substantially alter FOIA requirements and modify key terms governing FOIA processing, general FOIA policy, exemptions under the FOIA, and fee waivers. EPIC's comments argued that several of the proposals are contrary to law, exceed the scope of the agency's authority, and should be withdrawn.
EPIC further stated that the proposals contravene "the express statements" of the President and Attorney General concerning government transparency, and warned the agency not to erect new obstacles for FOIA requesters.

EPIC also filed comments with the Department of the Interior in 2012, pursuant to the agency's notice of a change to FOIA regulations. EPIC's comments observed that the Interior Department's proposed revisions and adoptions would impact not only the requirements for making requests under the agency's FOIA rules, but also the processing fees and agency consultations and referrals. EPIC further objected to several of the proposed changes, and similarly cautioned that those changes undermined the FOIA, were contrary to law, and exceeded the agency's rulemaking authority.

EPIC: Comments to FTC on Fee Schedule Rulemaking (Mar. 29, 2013)
Federal Register: FTC Request for Comments on FOIA (Feb. 28, 2013)
EPIC: Comments to Interior Dept. on FOIA Regulations (Nov. 13, 2012)
EPIC: Comments to DLA on FOIA (Dec. 5, 2012)
EPIC: Open Government

========================================================================
[4] EU Takes Action Against Google for Privacy Policy Meltdown
========================================================================

Data protection agencies in six European countries have announced enforcement actions against Google. These agencies, representing France, Germany, Italy, the Netherlands, Spain, and the United Kingdom, form part of a data protection coalition called the Article 29 Working Party, headed by the French data protection bureau CNIL.

In March 2012 the Article 29 Working Party launched an investigation into Google's new privacy policies in order to ensure that the policies met the requirements of the European Data Protection Directive. At the October 2012 conclusion of the investigation, Working Party agencies "asked Google to comply with their recommendations within 4 months."
As of March 2013, the Working Party reports, "Google ha[d] not implemented any significant compliance measures."

According to an April 2 CNIL report, Google has ignored recommendations to comply with European data protection law, and "[i]t is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation. Each agency represented in the working group will launch individual investigations based on their independent enforcement authority," and all member agencies have done so.

The enforcement action follows Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles of Google users - resulting in, for example, a Google user's YouTube login information being combined into one user profile with his or her Gmail account, Google Docs account, and browsing history.

This switch in privacy policies prompted objections from US state attorneys general, members of Congress, and IT managers in both the government and private sectors, as well as EPIC and other consumer and privacy groups. The National Association of Attorneys General sent a letter to Google founder Larry Page to express "strong concerns." NAAG noted particularly that "Google has not only failed to provide an 'opt-in' option, but has failed to provide meaningful 'opt-out' options as well."

EPIC sued the Federal Trade Commission in 2012 to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. That consent order, issued in October 2011, established privacy safeguards for users of all Google products and services and subjected the company to regular privacy audits.
The order bars Google from misrepresenting the company's privacy practices, requires the company to obtain user consent before disclosing personal data, and mandates the development of and compliance with a comprehensive privacy program.

CNIL: Press Release on Actions Against Google (Apr. 2, 2013)
CNIL: Letter to Google (Oct. 16, 2012)
NAAG: Letter to Google (Feb. 22, 2012)
US House: Letter to the FTC re: Google (Feb. 17, 2012)
EPIC: Google Buzz
EPIC: Enforcement of Google Consent Order

========================================================================
[5] President May Veto Controversial Cybersecurity Bill
========================================================================

The White House has announced that the President's senior advisors will recommend a veto if improvements are not made to the controversial Cyber Intelligence Sharing and Protection Act (CISPA). The action follows a recent closed door hearing by a House Committee over the objections of EPIC and other groups.

An April 1 letter jointly signed by EPIC and a coalition of privacy and civil liberty organizations urged the House Intelligence Committee to make public CISPA's markup process. The Committee had considered the bill behind closed doors, removing opportunities for accountability and oversight, despite the current prominence of cybersecurity issues both with the public and in Congress.

CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." The coalition's letter explained that CISPA's threats to privacy and civil liberties require fundamental changes: "The public has a right to know how Congress is conducting the people's business, particularly when such important wide-ranging policies are at stake.
There have been many public calls by Members of Congress and administration officials about the importance of adopting cybersecurity legislation. Yet, many of our organizations have raised serious concerns about the threats to privacy and civil liberties and to the public's right to know posed by CISPA, and the need for fundamental changes to this bill to protect those rights. Although the base bill, HR 624, has been made public, it is also critical that the public be aware of any amendments under consideration, and the debate over such amendments," the letter stated.

"All congressional committee hearings and votes should be conducted in accordance with our country's highest principles of transparency and openness and made accessible to the public," the letter continued. "Certainly, there are special exceptions when a committee can and should move to closed session to consider properly classified information, but this step should be taken only in specific instances where needed. The general rule should be open government…. By keeping the proceedings secret the Committee obscures any potential amendments to the bill and the process by which they are adopted or rejected. This prevents constituents from holding their individual representatives accountable on this issue."

EPIC is an advocate for government transparency and currently is pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States.

EPIC: Letter from Coalition of Civil Liberties Groups (Apr. 1, 2013)
US House: Text of HR 624 (CISPA) (Feb. 12, 2013)
EPIC: FOIA request to NSA re: NSPD54 (Jun. 25, 2009)
EPIC: EPIC v. NSA - Cybersecurity Authority

========================================================================
[6] News in Brief
========================================================================

EPIC's Rotenberg Urges State AGs to Safeguard Consumer Privacy

Speaking at the annual conference of the National Association of Attorneys General, EPIC President Marc Rotenberg said that state AGs cannot sit on the sidelines as consumers face increasing risks of identity theft, security breaches, and secretive profiling. Rotenberg stated that the onus should not be on consumers to keep up with ever-changing policy practices: "There is no reason that a customer should have to go back and check their privacy settings when a company changes its business practice," he said. State Attorneys General recently fined Google $7 million for violating state consumer protection laws when the company's "Street View" vehicles, loaded with Internet packet sniffers, intercepted private residential communications. EPIC has also created a promotional video, "Good to Really Know," with consumer information about online privacy.

NAAG: Annual Conference (Apr. 15, 2013)
NAAG: Settlement with Google re: Street View Violations (Mar. 12, 2013)
EPIC: "Good to Really Know" Video
EPIC: Google Street View
EPIC: Consumer Privacy Bill of Rights
EPIC: Consumer Privacy

Supreme Court Will Not Review Email Privacy Case

The US Supreme Court has declined to review a lower court's decision on email privacy. In the case Jennings v. Broome, the South Carolina Supreme Court held in 2012 that the federal Electronic Communications Privacy Act (ECPA) does not protect emails stored on remote computer servers. As a result of this case, users in South Carolina have fewer privacy protections than users in California, where a federal court has reached the opposite conclusion.
EPIC, joined by 18 national organizations, filed an amicus brief in favor of petitioner Jennings, urging the US Supreme Court to clarify the scope of email privacy protections.

US Supreme Court: Decision Not to Review Jennings (Apr. 15, 2013)
Jennings et al.: Petition for Supreme Court Review (Jan. 2013)
EPIC: "Friend of the Court" Brief in Jennings v. Broome (Feb. 17, 2013)
EPIC: Jennings v. Broome
EPIC: Electronic Privacy Communications Act

Appeals Court: Fed Agencies Must Make "Determinations" in FOIA Requests

The DC Circuit Court has reversed a lower court's decision and sided with the group Citizens for Responsibility and Ethics in Washington (CREW) in a case surrounding a federal agency's obligation to respond to a Freedom of Information Act request. CREW argued that the Federal Election Commission's response to a FOIA request did not meet the statutory obligations of a "determination" under the Act. The federal appeals court held that an agency must make and communicate a determination whether or not to comply with a FOIA request, as well as specific exemptions claimed on any withheld documents, within 20 working days of receiving the request, or within 30 days in exceptional circumstances. EPIC joined five other prominent open government groups in a "friend of the court" brief in support of CREW.

DC Circuit Court: Decision in CREW FOIA Case (Apr. 2, 2013)
EPIC: "Friend of the Court Brief" in CREW v. FEC (Jun. 18, 2012)
EPIC: Open Government

FTC Releases 2013 Annual Report

The Federal Trade Commission has released its annual report for the period from April 2012-2013. The report begins with a description of the FTC's accomplishments on consumer privacy, and lists the data-breach lawsuit against Wyndham, Google's $22.5 million fine for tracking Safari users, settlements with credit agency Equifax and data broker Spokeo, and a survey of the credit reporting industry.
EPIC has previously recommended that the FTC enforce existing consent orders with Google and Facebook, require adoption of the Consumer Privacy Bill of Rights, and modify proposed settlements in response to public comment.

FTC: Annual Highlights Report for 2012-2013 (Apr. 2013)
EPIC: Letter to Congress re: FTC Legal Enforcement (Dec. 4, 2012)
EPIC: EPIC v. FTC (Enforcement of Google Consent Order)
EPIC: Federal Trade Commission

========================================================================
[7] EPIC in the News
========================================================================

"Privacy group urges rules distinguish between Cyber crime and Cyber terror." Government Security News, Apr. 15, 2013.

"Facebook Partners with Attorneys General in Teen Online Safety Campaign." Pew Stateline, Apr. 15, 2013.

"Trying Passenger Patience." The New York Times, Apr. 15, 2013.

"FBI Sued for Info on Supersnooping Program." Courthouse News, Apr. 10, 2013.

"House Intelligence panel OKs CISPA after closed door meeting." ComputerWorld, Apr. 10, 2013.

"EPIC presses FBI for access to biometric database." The Inquirer, Apr. 9, 2013.

"EPIC files FOIA lawsuit against FBI for details on biometric database.", Apr. 9, 2013.

"EPIC presses FBI in lawsuit for details on biometric database." NetworkWorld, Apr. 8, 2013.

"The 5 biggest online privacy threats of 2013." PC World, Apr. 8, 2013.

"Domestic drones gain ground." Politico, Apr. 4, 2013.

"Facebook's New Mobile Software Raises Privacy Questions." MediaPost, Apr. 4, 2013.

"Border Drones Fall Short of Target." The Wall Street Journal, Apr. 2, 2013.

"More Privacy Troubles for Google in Europe." CIO Today, Apr. 2, 2013.

"How Data Brokers Profit Off You Without Your (or the Law's) Knowledge." Digital Trends, Apr. 1, 2013.
For More EPIC in the News:

========================================================================
[8] Book Review: 'SuperVision'
========================================================================

"SuperVision: An Introduction to the Surveillance Society," John Gilliom and Torin Monahan

John Gilliom and Torin Monahan's engrossing overview of modern surveillance society steers clear of the conventional paradigms usually rehashed around surveillance. Instead of invoking privacy and Big Brother, Gilliom and Monahan explore how deeply surveillance has been integrated into modern life, and the complex relationship we have with it; the end result is an engaging, practical, and insightful book.

"SuperVision" begins by describing what encompasses surveillance, which, in their words, is the "monitoring [of] people in order to regulate or govern behavior," then covers a number of important ideas to shape readers' critical thinking as they read the book: examples include how the private sector, not the government, is the main innovator of surveillance technology; how surveillance perpetuates existing inequalities; how we desire surveillance in some contexts; and how more surveillance does not necessarily mean more security. These concepts lay the groundwork for the different forms of and reasons for the surveillance described in the rest of the book.

Professors Gilliom and Monahan are excellent guides of a very large topic, and their examples are relevant and thought-provoking. SuperVision describes surveillance in different settings, including school, the workplace, and on the Web, and our everyday use of cell phones, ID cards, loyalty cards, and credit cards; in fact, they call the cell phone the "perfect symbol of the surveillance society."

"SuperVision"'s use of common technological items to demonstrate the depth and pervasiveness of modern surveillance destroys the prevailing notion that only malefactors should be concerned about surveillance.
As the authors correctly point out, technologies shape human behavior and adaptations and thus increased use of surveillance technology should concern us all. "SuperVision" provides an important perspective on the current state of our surveillance society and reminds us of the importance of critically thinking about surveillance's ubiquity and complexity; in Gilliom's and Monahan's words, "technologies are never neutral."

- Jeramie D. Scott

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2010," edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall, and Mark S. Zaid (EPIC 2010). Price: $75.

Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding President Obama's 2009 memo on Open Government, Attorney General Holder's March 2009 memo on FOIA Guidance, and the new executive order on declassification. The standard reference work includes in-depth analysis of litigation under: the Freedom of Information Act, the Privacy Act, the Federal Advisory Committee Act, and the Government in the Sunshine Act. The fully updated 2010 volume is the 25th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies.
The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world.
It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

================================

EPIC publications and other books on privacy, open government, free expression, and constitutional values can be ordered at:

EPIC Bookstore

================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

========================================================================
[9] Upcoming Conferences and Events
========================================================================

"FCBA Young Lawyers Committee - Apps: The Legal and Business Landscape." Speaker: Alan Butler, Appellate Advocacy Counsel, 16 April 2013, Washington, DC. For More Information: uploads/2013/02/FINAL-April-Newsletter-2013.pdf.

"ASAP 6th Annual National Training Conference." Speaker: Ginger McCall, Director, EPIC Open Government Project. 15 May 2013, Arlington, VA. For More Information: 2013/index.cfm.

EPIC Champion of Freedom Awards Dinner. 3 June 2013, Washington, DC. For More Information:

2013 Health Privacy Summit, 5-6 June 2013, Washington, DC. For More Information: privacy-summit/event-summary-1bfa9be80d364092aeed1a8803377fa8.aspx.

22nd Annual Computers, Freedom, & Privacy Conference. 25-26 June 2013, Washington, DC.
For More Information: Contact Chris Calabrese at

========================================================================
Join EPIC on Facebook and Twitter
========================================================================

Join the Electronic Privacy Information Center on Facebook and Twitter:

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

========================================================================
Privacy Policy
========================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

========================================================================
About EPIC
========================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
========================================================================
Donate to EPIC
========================================================================

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

========================================================================
Subscription Information
========================================================================

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 20.07 -------------------------