=======================================================================
                              E P I C   A l e r t
=======================================================================
Volume 16.16                                            August 28, 2009
-----------------------------------------------------------------------

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.

                 http://www.epic.org/alert/EPIC_Alert_16.16.html

                        "Defend Privacy. Support EPIC."
                             http://epic.org/donate


=======================================================================
Table of Contents
=======================================================================
[1] EPIC Forces Disclosure of Government Contracts with
     Social Media Companies, Privacy Terms Missing
[2] FTC Issues Final Breach Notification Rule for Medical Data
[3] Privacy Compliance for Facebook, Some Changes Made
[4] DHS Proposes to Rescind SSN No-Match Rule
[5] Court Enjoins Transfer of "Clear" Data
[6] News in Brief
[7] EPIC Bookstore: "OECD Communications Outlook 2009"
[8] Upcoming Conferences and Events
        - Join EPIC on Facebook http://facebook.com/epicprivacy
        - Privacy Policy
        - About EPIC
        - Donate to EPIC http://epic.org/donate
        - Subscription Information

=======================================================================
[1] EPIC Forces Disclosure of Government Contracts with
     Social Media Companies, Privacy Terms Missing
=======================================================================

In response to an EPIC Freedom of Information Act Request, the
Government Services Administration released several contracts
between the federal government and web 2.0 companies, including
agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr),
and MySpace.

On April 30, 2009, EPIC filed a FOIA request with the GSA
requesting (1) all agreements between federal agencies and social
networking services, cloud computing services, and/or vendors of
other similar services; (2) all records, including memoranda and
legal opinions, concerning the application of the Privacy Act of
1974 and the Freedom of Information Act to social networking
services, cloud computing services, and/or other similar services,
and (3) all instructions, policies and/or procedures concerning
the collection, storage, transmission, and use of information
about users of social networking or cloud computing services by
federal agencies.

The EPIC FOIA request was made after a news article stated that the
GSA had signed agreements with social networking and cloud computing
service providers concerning federal agencies' use of Web 2.0
services. The GSA often enters into contracts on behalf of
multiple federal agencies in an effort to promote efficiency in
government contracting. The news report also stated that a coalition
of agencies has been working with private corporations to develop
terms of service for federal agencies' use of social media companies'
services. The article cited a GSA official as stating that some of the
areas of concern involved liability limits, endorsements and freedom
of information.

Generally, the nine agreements obtained by EPIC state the Government's
obligation to comply with federal law, and explicitly note obligations
to comply with privacy or freedom of information laws. These contracts
include companies like MySpace, SlideShare.net, Flickr, Vimeo.com,
AddThis.com, Blip.tv, and BLIST. However, Facebook and Google (YouTube)
contracts do not affirmatively express the Agency's obligations to
comply with these laws. Further, the Google/YouTube contract explicitly
authorizes the use of persistent cookies when it states that
"[p]rovider acknowledges that, except as expressly set forth in this
Agreement, Google uses persistent cookies in connection with that
YouTube Video Player. To the extent that any rules or guidelines exist
prohibiting the use of persistent cookies in connection with the
Provider Content applies to Google, Provider expressly waives those
rules or guidelines as they may apply to Google."

EPIC also discovered that contracts with the GSA consistently omit
statements concerning Web 2.0 service providers' obligations to protect
privacy. Although a privacy policy describes how a website processes
information, it is in practice intended as a disclaimer of liability and
does not provide any protection in and of itself. Given that the data
collection practices of federal agencies and their contractors are
routinely subject to the federal Privacy Act, this omission is
significant.


Privacy and Government Contracts with Social Media Companies:
     http://epic.org/privacy/socialnet/gsa/

EPIC's FOIA Request to GSA:
     http://www.epic.org/privacy/socialnet/gsa_foia_4-30-09.pdf

GSA's Contract with Google (YouTube):
     http://www.epic.org/foia/gov2.0/GSA_Google_Contract.pdf

GSA's Contract with Blip.tv:
     http://www.epic.org/foia/gov2.0/GSA_Blip_Contract.pdf

GSA's Contract with Blist:
     http://www.epic.org/foia/gov2.0/GSA_Blist_Contract.pdf

GSA's Contract with Yahoo (Flickr):
     http://www.epic.org/foia/gov2.0/GSA_Yahoo_Contract.pdf

GSA's Contract with MySpace:
     http://www.epic.org/foia/gov2.0/GSA_MySpace_Contract.pdf

GSA's Amended Contract with Facebook:
     http://www.epic.org/foia/gov2.0/GSA_Facebook_Amendment.pdf

GSA's Amended Contract with SlideShare.net:
     http://www.epic.org/foia/gov2.0/GSA_Slideshare_Amendment.pdf

GSA's Amended Contract with Vimeo.com:
     http://www.epic.org/foia/gov2.0/GSA_Vimeo_Amendment.pdf

GSA's Amended Contract with AddThis.com
     http://www.epic.org/foia/gov2.0/GSA_Addthis_Amendment.pdf

GSA Training Slides:
     http://www.epic.org/foia/gov2.0/GSA_Slides.pdf

GSA's Letter to EPIC:
     http://www.epic.org/foia/gov2.0/GSA_EPIC_Letter.pdf

EPIC - Social Network Privacy:
     http://www.epic.org/privacy/socialnet/default.html

EPIC - Facebook:
     http://epic.org/privacy/facebook/

EPIC - Cloud Computing:
     http://epic.org/privacy/cloudcomputing/



=======================================================================
[2] FTC Issues Final Health Breach Notification Rule
=======================================================================

The Federal Trade Commission issued a final rule requiring breach
notification by vendors of medical records and related entities.
The American Recovery and Reinvestment Act of 2009 establishes
provisions for advancing health information technology while
strengthening privacy and security protections for medical data.
Recognizing that some web-based entities that collect consumers'
health information are not subject to the existing Health
Insurance Portability and Accountability Act, the Recovery Act
required the Department of Health and Human Services to study,
in consultation with the Federal Trade Commission, potential
privacy, security and breach notification requirements and submit a
report to Congress. Until Congress enacts new legislation
implementing the recommendations, the FTC final rule will govern
these requirements. The proposed rule, published in April, called for
public comments.

In June, EPIC submitted comments to the FTC on the rule. EPIC commented
that the proposed regulation was not broad enough, and should be
modified to ensure that all entities handling electronic health records
are subject to the regulation so that the privacy interests of citizens
are protected. EPIC also advised that entities report all breaches to
the FTC through a centralized channel so that redundant breach notices
would be less likely. The FTC modified the rule in line with EPIC's
advice, but exempted all federal agencies.

EPIC had also suggested that the FTC establish comprehensive privacy
and security standards, and create a private right of action for
violation of the rule. EPIC further recommended that information
"accessed" be treated as "acquired" and that substitute media notices
such as text messaging and social networking be used to notify
individuals of breaches. Other suggestions included verification of
data breach notices, creation of minimum security standards, and
assessment of penalties for violations. EPIC opposed the creation of
"safe harbors" for de-identified data due to the uncertainties and
privacy risks associated with such information.

The final rule, 16 CFR Part 318, defines "breach of security" as
acquisition of unsecured electronic health information without
authorization. The rule also defines other terms such as "business
associate," "HIPAA-covered entity," "personal health record," "PHR
identifiable health information," "PHR related entity," "state," "third
party service provider," "unsecured" PHR and "vendor of personal health
records."

The rule requires each vendor of personal health records to notify both
the individual affected by the breach and the FTC following the
discovery of a "breach of security" of unsecured PHR. Third party
service providers are required to notify designated officials or a
senior official at the vendor of personal health records, and obtain an
acknowledgement from such official that the notice was received. The
rule requires that breach notifications be sent without unreasonable
delay and no later than 60 calendar days after the discovery of the
breach. However, a law enforcement official may determine that a
notification would impede a criminal investigation and delay the
notice.

The Health Breach rule also prescribes methods for individual notices,
media notices, and notice to the FTC. The notice must contain a brief
description of what happened, including the date of the breach and the
date of discovery; a description of the types of unsecured health
information involved in the breach; steps that should be taken by the
individual; a brief statement of the action taken by the entity
following the breach; and contact procedures for affected individuals
who want to ask questions or learn additional information.

The rule becomes effective 30 days after the publication in the Federal
Register and sunsets on the effective date of legislation, if enacted,
establishing requirements for notification for health data breaches.
The FTC Health Breach notification rule does not apply to HIPAA-covered
entities or to any entity's activities as a business associate of a
HIPAA-covered entity.


FTC Health Breach Notification Rule:
     http://www.ftc.gov/os/2009/08/R911002hbn.pdf

EPIC's Comments to the FTC on the Health Breach Notification Rule:
     http://epic.org/privacy/medical/Comments_on_FTC_EHR-EPIC.pdf

FTC Issues Final Breach Notification Rule for Electronic Health
Information:
     http://www.ftc.gov/opa/2009/08/hbn.shtm

FTC Page on Health Data Breach:
     http://www.ftc.gov/healthbreach/

FTC Page - Privacy Initiative (Health Breach Notification Rule):
     http://www.ftc.gov/healthbreach/

FTC Health Breach Notification Form:
     http://www.ftc.gov/os/2009/08/R911002hbnform.pdf

The American Recovery and Reinvestment Act of 2009:
     http://epic.org/redirect/022309_Stimulus_Act.html

EPIC - Identity Theft:
     http://epic.org/privacy/idtheft

EPIC - Medical Privacy:
     http://epic.org/privacy/medical



=======================================================================
[3] Privacy Compliance for Facebook, Some Changes Made
=======================================================================

In mid-July, the Office of the Privacy Commissioner of Canada released
a Report of "Findings into the Complaint Filed by the Canadian Internet
Policy and Public Interest Clinic" against Facebook, Inc. The complaint
was filed by the CIPPIC under the Personal Information Protection and
Electronic Documents Act and comprised 24 allegations ranging over 12
distinct subjects. These included default privacy settings, collection
and use of users' personal information for advertising purposes,
disclosure of users' personal information to third-party application
developers, and collection and use of non-users' personal information.

Although several of the Commissioner's Office's recommendations were
resolved, the Assistant Privacy Commissioner of Canada found Facebook
to be in contravention of PIPEDA in the areas of third-party
applications, account deactivation and deletion, accounts of deceased
users, and non-users' personal information. The Assistant Commissioner
determined that Facebook did not have adequate safeguards in place to
prevent unauthorized access by application developers to users'
personal information, and furthermore was not doing enough to ensure
that meaningful consent was obtained from individuals for the
disclosure of their personal information to application developers.

The Commissioner's Office made several suggestions to Facebook. The
Office advised the social networking firm to limit application
developers' access to user information, inform users specifically about
the nature and use of shared information, and share information only
with the consent of the users who add an application. The Office also
said that deactivated account information should be deleted after a
reasonable length of time, and that the privacy policy should be amended
to include all intended uses of personal information. Facebook was given
30 days to respond. Facebook updated its privacy policy on August 11,
2009 to include "clarifying changes and minor updates."

The updated policy asks developers, operators of platform applications,
and websites to respect user privacy settings. The modified policy
directs developers to use the data received only to operate their
specific applications, and to inform users what data is being collected,
how it will be used, and whether it will be shared. The policy also
states that developers must delete user data if their application is
deleted by the user. The updated policy also clarified the terms
regulating advertisements and the special provisions applicable to
advertisers.

Facebook is complying with the Commissioner's Office and revising
its Privacy Policy to better describe a number of practices, including
the reasons for the collection of date of birth, account
memorialization for deceased users, the distinction between account
deactivation and deletion, and how its advertising programs work.
It will also educate users about reviewing their privacy settings to
make sure the defaults and selections reflect the user's preferences.
The social networking firm has also undertaken the task of increasing
the understanding and control a user has over the information accessed
by third-party applications. Facebook plans to introduce a new
permissions model that will require applications to specify the
categories of information they wish to access and obtain express
consent from the user before any data is shared. Further, users would
also have to specifically approve any access to their friends'
information, which would still be subject to the friend's privacy and
application settings.

In June, the Article 29 Working Party warned about the dissemination
and use of information available on Social Networking Sites for other
secondary, unintended purposes. The officials issued an opinion
calling for robust security and privacy-friendly default settings. The
European Privacy Commissioners recommended that controllers take
"appropriate technical and organizational measures, 'both at the time
of the design of the processing system and at the time of the
processing itself' to maintain security and prevent unauthorized
processing, taking into account the risks represented by the processing
and the nature of the data." Earlier, in January, EPIC had suggested
the regulation of Social Network Service partners, including
advertisers and application developers.

Office of the Privacy Commissioner of Canada:
     http://www.priv.gc.ca/index_e.cfm

Report of Findings into the Complaint Filed by the CIPPIC against
Facebook, Inc. under PIPEDA:
     http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Personal Information Protection and Electronic Documents Act (PIPEDA):
     http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm#appendixB

Remarks at a Media Briefing - Jennifer Stoddart (July 16, 2009):
     http://www.priv.gc.ca/speech/2009/sp-d_20090716_e.cfm

Redlined Version of Proposed Changes to Facebook's SRR:
     http://www.box.net/shared/hi66nsrhss

Facebook Announces Privacy Improvements in Response to Recommendations
by Canadian Privacy Commissioner:
     http://www.facebook.com/press/releases.php?p=118816

Facebook agrees to address Privacy Commissioner's concerns:
     http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.cfm

Delivering More Control and Transparency, Facebook Blog, August 27, 2009:
     http://blog.facebook.com/blog.php?post=126129882130

Article 29 Working Party Opinion on Social Networking Sites:
     http://epic.org/privacy/socialnet/Opinion_SNS_090316_Adopted.pdf

Article 29 Working Party:
     http://epic.org/redirect/040109_A29WP.html

Facebook Privacy Policy:
     http://www.facebook.com/policy.php

Facebook Statement of Rights and Responsibilities:
     http://www.facebook.com/terms.php

EPIC's Suggestion on Social Networking Privacy:
     http://www.cpdpconferences.org/L-Z/rotenberg.html

EPIC - Facebook Privacy:
     http://epic.org/privacy/facebook/

EPIC - Social Networking Privacy:
     http://epic.org/privacy/socialnet/



=======================================================================
[4] DHS Proposes to Rescind SSN No-Match Rule
=======================================================================

The Department of Homeland Security is proposing to rescind its
SSN No-Match Rule and the 2008 Supplemental Final Rule. In August
2007, DHS issued a rule describing the legal obligations of an employer
that receives a no-match letter from the Social Security Administration
or a letter from DHS regarding employment verification forms. The
final rule also described "safe-harbor" procedures that the employer
could follow in response to such a letter and thereby be certain that
DHS would not use the letter as any part of an allegation that the
employer had constructive knowledge that the employee referred to in
the letter was an alien not authorized to work in the United States.
Failure to correct discrepancies resulted in liability under US
immigration laws. However, because of the cumbersome process involved
in correcting errors, employers instead chose to fire workers, both
citizens and non-citizens.

A federal court granted a preliminary injunction against the
implementation of the rule. The court raised a few issues regarding
DHS's rulemaking action, including whether DHS had supplied a reasoned
analysis to justify what the court viewed as a change in the
Department's position that a no-match letter may be sufficient, by
itself, to put an employer on notice, and thus impart constructive
knowledge, that employees referenced in the letter may not be
work-authorized; and whether DHS had exceeded its authority (and
encroached on the authority of the Department of Justice) by
interpreting the antidiscrimination provisions of an immigration
statute.

DHS subsequently published a supplemental notice of proposed rulemaking
and supplemental final rule to clarify certain aspects of the 2007
No-Match final rule and to respond to the findings underlying the
court's injunction. Neither the SNPRM nor the final rule, however, changed
the safe-harbor procedures or applicable regulatory text. In October
2008, the same court declined to vacate the injunction on the SSN
No-Match Rule.

The DHS conducted a review of existing programs and regulation under
the incumbent Secretary and determined that the U.S. Citizenship and
Immigration Services' program, E-Verify, along with other DHS programs
"provide better tools for employers to reduce incidences of
unauthorized employment" and "better detect and deter" the use of
fraudulent identity documents by employees. Consequently, DHS has
decided to rescind both the August 2007 No-Match rule as well as the
2008 Supplemental Final Rule.

DHS has also decided to focus resources on promoting E-Verify,
U.S. Immigration and Customs Enforcement's Mutual Agreement
Between Government and Employers, and other similar programs. In
May 2008, E-Verify also added real-time arrival and departure
information on non-citizens from the Integrated Border Inspection
System to its databases, and in February 2009, USCIS added Department
of State passport data to E-Verify. In 2010, DHS plans to incorporate
the Student and Exchange Visitors Information System into E-Verify.

EPIC, the Government Accountability Office, the Social Security
Administration's Inspector General, and the CATO Institute have
detailed many shortcomings of E-Verify, and have highlighted several
issues with the program, including high levels of inaccuracy in the
databases on which the program is based, employer misuse resulting in
discrimination and unlawful termination, the lack of privacy
protections, and the program's high costs. Last year, EPIC also
filed a Freedom of Information Act request with DHS asking for all
records, including contracts and related documents, between DHS and
NPR concerning the E-Verify promotion that began earlier. The request
also demanded records involving contracts and related documents
between DHS and other media outlets. Despite EPIC's FOIA appeal, the
agency has failed to produce the relevant documents.

The agency has called for comments, which must be submitted no later
than September 18, 2009. Comments should be identified by
DHS Docket No. ICEB-2006-0004.


Federal Register, Vol. 74, No. 159, Wednesday, August 19, 2009 -
(Proposed Rule Rescinding SSN No-Match Rule):
     http://edocket.access.gpo.gov/2009/pdf/E9-19826.pdf

Federal Register, Vol. 72, No. 157, Wednesday, August 15, 2007 -
(Final Rule - Safe-Harbor Procedures for Employers Who Receive
a No-Match Letter):
     http://edocket.access.gpo.gov/2007/E7-16066.htm

Department of Homeland Security,
Safe Harbor Procedures for Employers, October 28:
     http://edocket.access.gpo.gov/2008/pdf/E8-25544.pdf

EPIC's letter to NPR Ombudsman:
     http://epic.org/DHS_NPR_ltr_12-08.pdf

EPIC's FOIA request to DHS:
     http://epic.org/privacy/e-verify/dhs_foia_120408.pdf

"Employment Verification - Challenges Exist in Implementing a Mandatory
Electronic Employment Verification System", United States Government
Accountability Office, June 10, 2008:
     http://www.gao.gov/new.items/d08895t.pdf

"Inspector General's Statement on SSA's Major Management and
Performance Challenges", Nov. 5, 2008:
     http://epic.org/redirect/120808_IG_SSA_statement.html

E-Verify Debunking Exposes Debunking Errors,
The Cato Institute, May 21, 2008:
     http://epic.org/redirect/120808_CATO_EVerify_error.html

EPIC, "Spotlight on Surveillance: E-Verify System - DHS Changes Name,
But Problems Remain for U.S. Workers.":
     http://epic.org/privacy/surveillance/spotlight/0707/default.html



=======================================================================
[5] Court Enjoins Transfer of "Clear" Data
=======================================================================

A federal court has passed an order prohibiting Verified Identity Pass,
Inc., the company behind the Registered Traveler program "CLEAR," from
"selling or otherwise transferring, disclosing to third parties or
maintaining in an unsecure manner any personal biographic or biometric
information that was provided to it by members of the putative class in
connection with or as a condition to their membership in the CLEAR
program...."

The federal court for the Southern District of New York found that
there was "an immediate need for preliminary injunctive relief
preventing the transfer or disclosure of such information" and "there
is a risk of disclosure of such confidential private information
resulting from the lack of accountability or oversight concerning the
manner in which that information is maintained or stored." The court's
order directs VIP to "forthwith take all steps necessary to preserve,
through the conclusion of this litigation, all documents, data and
other materials relevant to the allegations," which includes biographic
information collected by VIP, all communications with CLEAR members,
all documents archiving and/or storing websites containing CLEAR
marketing materials, promotional membership information, payment and
membership history, and financial records.

VIP ceased operations on June 22, 2009 after declaring bankruptcy. At
that time, VIP was the largest RT program in the nation, operating out
of 20 airports with about 250,000 members. The CLEAR RT application
process collected a vast amount of personal information from members,
such as proof of legal name, date of birth, citizenship status, home
address, place of birth, and gender. The information was used to
pre-screen travelers for express service through airport security
checkpoints.

After its shutdown in June, the company's statements on the fate of
customer information changed several times. On July 1, 2009, the
company stated that "Applicant and Member data is currently secured by
Lockheed Martin," and that Lockheed Martin was working with Verified
Identity Pass on securing the data. According to Steve Brill, Clear's
founder, who had left the company in February, TSA could quickly reclaim
the data under Registered Traveler rules. Brill also warned that the
rules might have been altered since he left the company. Clear had
"reserve[d] the right to change [its] policies [from time to time]" by
informing its "customers by email."

On June 25, 2009, leaders of the House Homeland Security Committee sent
a letter to the TSA regarding the bankruptcy of VIP. The committee is
investigating among other things: when the TSA became aware of the
bankruptcy; whether they have asked the company for its plan regarding
its RT data; if the agency is seeking a privacy impact assessment on
the bankruptcy; and whether the agency has a contingency plan for
safeguarding the data now that the company has gone out of business.

Eight lawsuits have been filed against VIP by former CLEAR customers,
raising claims of breach of contract, fraud and deceptive trade
practices under New York law, where the company was registered.
One case also highlighted the wrongful retention of highly
personalized and sensitive personal data.


Perkins v. Verified Identity Pass Inc., S.D.N.Y., No. 09-5951, 08/18/09:
Complaint:
     http://epic.org/privacy/airtravel/clear/CLEAR_complaint.pdf

Court Order:
     http://epic.org/privacy/airtravel/clear/sdny_clear_injunction.pdf

EPIC - Bankruptcy of Verified Identity Pass and the Privacy of Clear
Registered Traveler Data:
     http://epic.org/privacy/airtravel/clear

TSA - Registered Traveler:
     http://www.tsa.gov/approach/rt/index.shtm

TSA - Minimum Required RT Security Standards and Procedures for
Assessing Compliance with RT Security Standards:
     http://www.tsa.gov/assets/pdf/rt_appendix_c.pdf

TSA - Registered Traveler Security, Privacy, and Compliance Standards
for Sponsoring Entities and Service Providers:
     http://www.tsa.gov/assets/pdf/rt_standards.pdf

House Homeland Security Committee Letter:
     http://epic.org/dhs-committee_tsa-ltr.pdf

Clear's Privacy Policy:
     http://www.flyclear.com/clear_privacy.pdf

Clear's Online Privacy Policy:
     http://www.flyclear.com/clear_online.pdf

CBP - Trusted Traveler Programs:
     http://www.cbp.gov/xp/cgov/travel/trusted_traveler/

Airports Accepting the Clear Card (Archived):
     http://epic.org/privacy/airtravel/clear/clear-airports.pdf

EPIC Spotlight on Surveillance - Registered Traveler Card:
     http://epic.org/privacy/surveillance/spotlight/1005/

EPIC - Air Travel Privacy:
     http://epic.org/privacy/airtravel/

EPIC - Secure Flight:
     http://epic.org/privacy/airtravel/secureflight.html

EPIC - Passenger Profiling:
     http://epic.org/privacy/airtravel/profiling.html

EPIC's testimony before Congress: "The Future of Registered Traveler,"
November 3, 2005:
     http://epic.org/privacy/airtravel/rt_test_110305.pdf

EPIC's testimony before Congress: "Ensuring America's Security:
Cleaning Up the Nation's Watchlists", September 9, 2008:
     http://epic.org/privacy/airtravel/watchlist_test_090908.pdf



=======================================================================
[6] News in Brief
=======================================================================


Massachusetts Lowers Privacy Protection in Data Privacy Rule

In November 2008, the Commonwealth of Massachusetts became the first
state in the United States to enact comprehensive data privacy and
security standards and regulations in order to ensure that businesses
are taking steps to safeguard personal information. The purpose of the
new regulation is to protect against unauthorized access or use in a
way that creates a risk of identity theft or fraud. Although it was
initially announced that the rules would come into effect on
January 1, 2009, the effective date has now been postponed to March 1,
2010, and the rules have been modified. The amended rules change
several definitions, and affect employers with regard to the personal
data of Massachusetts employees even if those employees do not reside
in Massachusetts. The amended rules no longer impose an obligation to
limit the amount of personal information collected, or the time period
for which such information is retained, and no longer restrict access
to those persons who need to know the information. Further, the new
rules remove the obligation to identify records that contain personal
information as well as the obligation to implement a written procedure
for how physical access to records is restricted.

Standards for The Protection of Personal Information of Residents of
the Commonwealth (201 CMR 17.00):
     http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

FAQs regarding 201 CMR 17.00:
     http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

EPIC - Identity Theft:
     http://epic.org/privacy/idtheft



New Hampshire Enacts Electronic Health Privacy Law

New Hampshire signed into law a statute that is aimed at protecting
health information privacy in electronic medical records and allows
individuals to opt out of sharing their names, addresses, and protected
health care information with electronic health data exchanges. A
companion statute restricts the use of health data for marketing and
fundraising and sets out breach notification requirements for health
care providers and their business associates. The new statute is
scheduled to take effect on January 1, 2010. Earlier this year, the
U.S. Supreme Court refused to hear the challenge to another New
Hampshire law, the Prescription Confidentiality Act, which prevents
data brokers from collecting information on which individual physicians
were prescribing which drugs and selling such information to
pharmaceutical companies to influence physicians' prescribing habits.
The First Circuit had upheld the constitutionality of the statute. EPIC
and 16 other experts in privacy and technology submitted a friend of
the Court brief highlighting the substantial privacy interests present
in de-identified patient data. In IMS Health v. Sorrell, the Second
Circuit is now considering the constitutionality of a similar statute
arising from Vermont.

HB 542 – Final version:
     http://www.gencourt.state.nh.us/legislation/2009/HB0542.html

HB 619 – Final version:
     http://www.gencourt.state.nh.us/legislation/2009/HB0619.html

EPIC - IMS Health v. Sorrell:
     http://epic.org/privacy/ims_sorrell/

IMS Health's Notice of Appeal:
     http://epic.org/privacy/ims_sorrell/IMS_appeal.pdf

PhRMA's 2nd Circuit Brief:
     http://epic.org/redirect/082809_PhRMA_2dCir_Brief.html

IMS Health's 2nd Circuit Brief:
     http://epic.org/redirect/082809_IMS_2dCir_Brief.html

Supreme Court Docket: IMS Health v. Ayotte:
     http://origin.www.supremecourtus.gov/docket/08-1202.htm

First Circuit Opinion:
     http://epic.org/privacy/imshealth/11_18_08_order.pdf

Prescription Confidentiality Act:
     http://www.gencourt.state.nh.us/legislation/2006/HB1346.html

EPIC's Brief - IMS Health v. Ayotte:
     http://epic.org/privacy/imshealth/epic_ims.pdf

EPIC - IMS Health v. Ayotte:
     http://epic.org/privacy/imshealth/



Health Department Issues Final Rule on Breach Notification

The Department of Health and Human Services published an interim final
rule requiring that individuals be notified by health care providers,
health plans, and other entities covered under the Health Insurance
Portability and Accountability Act when their health information is breached.
The rules require health care providers and other HIPAA covered
entities to promptly notify affected individuals of a breach, as well as
the HHS Secretary and the media in cases where a breach affects more
than 500 individuals. The regulations also require business associates
of covered entities to notify the covered entity of breaches at or by
the business associate. The FTC Health Breach notification rule does
not apply to HIPAA-covered entities or to any entity's activities as
a business associate of a HIPAA-covered entity. The creation of this
rule was mandated under the American Recovery and Reinvestment Act of
2009.


HHS - Health Information Privacy:
     http://hhs.gov/ocr/privacy/

HHS - HITECH Breach Notification Interim Final Rule:
     http://epic.org/redirect/082809_HHS_BreachNotifRule.html

Breach Notification Interim Final Regulation (74 FR 42740)-August 2009:
     http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

Press Release:
     http://www.hhs.gov/news/press/2009pres/08/20090819f.html

HITECH Breach Notification Guidance and RFI (74 FR 19006)-April 2009:
     http://epic.org/redirect/082809_HHS_BreachNotifGuide.html

The American Recovery and Reinvestment Act of 2009:
     http://epic.org/redirect/022309_Stimulus_Act.html

EPIC - Medical Privacy:
     http://epic.org/privacy/medical

EPIC - Identity Theft:
     http://epic.org/privacy/idtheft




DHS Issues PIA for Border Searches of Electronic Devices

The Department of Homeland Security released a Privacy Impact
Assessment for the searches of electronic devices conducted at U.S.
borders. The legality of searching and examining persons and property
crossing into the U.S. has been recognized for centuries. A court has
also upheld the searching of electronic devices at the border. Privacy
concerns have been raised by members of Congress. Senators Russ
Feingold (D-Wi) and Patrick Leahy (D-Vt) had urged the Customs and
Border Patrol to reconsider the policy of searching laptops, digital
cameras, and handheld devices at borders. The PIA analyzes how CBP and
Immigration and Customs Enforcement handle the examination, detention,
retention, and seizure of electronic devices and information. The two
federal agencies identified several privacy risks associated with the
examination, detention, retention, and/or seizure of a traveler's
electronic device or information during a border search which include
the traveler being unaware of the viewing or detention of his personal
information; detention of PII when not required; disclosure of PII to
other agencies that may misuse or mishandle it; and new privacy risks
that may arise due to ever-changing technology.

DHS Border Searches of Electronic Devices PIA:
     http://epic.org/redirect/082809_DHS_Border_ElecDevice_PIA.html

Senator Patrick Leahy (D-Vt.), Chairman, Senate Judiciary Committee,
"Laptop Searches And Other Violations Of Privacy Faced By Americans
Returning From Overseas Travel" (June 25, 2008):
     http://leahy.senate.gov/press/200806/062508.html

CRS - The Department of Homeland Security Intelligence Enterprise:
Operational Overview and Oversight Challenges for Congress:
     http://epic.org/crs-rept_dhs-oversight.pdf

"TIME CHANGE -- Laptop Searches and Other Violations of Privacy Faced
by Americans Returning from Overseas Travel":
     http://judiciary.senate.gov/hearings/hearing.cfm?id=3420



Congress Urges Department of Commerce to Oversee ICANN

Members of the House Committee on Energy and Commerce wrote a letter
to the Secretary for the United States Department of Commerce urging
that the oversight of Internet Corporation for Assigned Names and
Numbers be made permanent. The letter asked for a "permanent instrument
to which ICANN and the Department of Commerce are co-signatories." The
representatives asked that the new instrument provide for periodic
reviews of ICANN's performance with respect to transparency and
accountability, the security and stability of the Internet, management
of generic top-level domains and implementation of any new gTLDs. The
members also asked that the instrument outline the steps ICANN would take
to maintain and improve its accountability, and that it create a mechanism
for ICANN's implementation of any new gTLDs and internationalized domain
names that ensured appropriate consultation with stakeholders. Further,
the representatives asked that ICANN adopt measures to maintain timely
and public access to accurate and complete WHOIS information, including
registrant, technical, billing and administrative contact information
that is critical to the tracking of malicious websites and domain
names. The committee members also asked that the new instrument
include commitments that ICANN will remain a not-for-profit corporation
headquartered in the United States.

Congress Letter to Gary Locke, Department of Commerce:
     http://epic.org/linkedfiles/sen_icann.pdf

House Committee Energy & Commerce:
     http://energycommerce.house.gov/

U.S. Department of Commerce:
     http://www.commerce.gov/

The Public Voice:
     http://www.thepublicvoice.org



Privacy Advocate Joins FTC

Chris Soghoian, a member of the EPIC Advisory Board, is joining the
Federal Trade Commission as technical consultant in the Division of
Privacy and Identity Protection in the Bureau of Consumer Protection.
As a Ph.D. candidate at Indiana University's School of Informatics,
Chris's research interests included data security and privacy, cyber
law and policy. As a security researcher, he has discovered and
disclosed vulnerabilities in software applications made by Google,
Yahoo, Facebook and Apple. In the policy sphere, his activism has
resulted in the successful passage of an amendment to Indiana's
data breach laws and a Congressional investigation into security 
flaws at the Transportation Security Administration. Earlier this
year, Chris raised the issue of using cookies on the White House
website within embedded YouTube videos for the President's weekly
address. Such cookies could also be used to track individuals who
played the President's weekly address on their computer.

"Going Fed:"
     http://paranoia.dubfire.net/2009/08/going-fed.html

White House exempts YouTube from privacy rules:
     http://news.cnet.com/8301-13739_3-10147726-46.html

White House acts to limit YouTube cookie tracking:
     http://news.cnet.com/8301-13739_3-10148844-46.html

Chris Soghoian, EPIC Advisory Board:
     http://epic.org/epic/advisory_board.html#soghoian



Report Finds "Leakage" of PII from Social Networks

A paper by two researchers from AT&T Labs and Worcester Polytechnic
Institute has established that it is possible for personally
identifiable information to "leak" from Social Networking Sites to
third-party aggregators. The research found that the penetration of the
top-10 third-party servers across a large set of popular web sites had
grown from 40% in October 2005 to 70% in September 2008. The study found
that leakage of PII could occur via a combination of HTTP header
information (notably the Referer header) and cookies being sent to
third-party aggregators. The report also stated that while it was not
known whether aggregators were recording PII, it was undeniable that the
information was available to them. The researchers stated that online
Social Network Sites were in the best position to prevent such leakage
by eliminating social network identifiers from request URLs and,
consequently, from the Referer header.
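
The mechanism described above, as an added example that is not part of
the report or of the EPIC Alert: a page URL that carries a user
identifier is copied by the browser into the Referer header of every
embedded third-party request, so the aggregator hosting the beacon learns
the identifier. The audit function flags such requests, and the
mitigation function illustrates the paper's recommendation by taking the
identifier out of the request URL (here it is moved into the URL
fragment, which browsers do not transmit; that specific technique, the
hostnames, and the parameter names are constructed for this example).

```python
"""Referer-based leakage of a social-network identifier to third parties.

Added illustration, not code from the Krishnamurthy/Wills paper. All
hostnames, URLs and parameter names below are constructed sample data.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample: a profile page on a hypothetical social network and
# the resources that page embeds (two third-party trackers, one first-party).
PAGE_URL = "http://social.example/profile.php?uid=48213&tab=photos"
EMBEDDED_RESOURCES = [
    "http://tracker.example/beacon.gif",
    "http://ads.example/pixel.js",
    "http://social.example/static/style.css",   # first-party, not a leak
]
# Query parameter names assumed to carry a user identifier (assumption).
ID_PARAMS = {"uid", "id", "user", "profile"}


def referer_for(page_url):
    """Browsers send the page URL minus its fragment as the Referer header."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def build_requests(page_url, resources):
    """Simulate the browser fetching each embedded resource from the page."""
    ref = referer_for(page_url)
    return [{"url": r, "headers": {"Referer": ref}} for r in resources]


def is_third_party(resource_url, page_url):
    """A request is third-party when its host differs from the page's host."""
    return urlsplit(resource_url).netloc != urlsplit(page_url).netloc


def leaked_identifiers(requests, page_url):
    """Audit: list (third-party host, identifiers) pairs leaked via Referer."""
    leaks = []
    for req in requests:
        if not is_third_party(req["url"], page_url):
            continue
        ref = req["headers"].get("Referer", "")
        qs = parse_qs(urlsplit(ref).query)
        found = {k: v[0] for k, v in qs.items() if k in ID_PARAMS}
        if found:
            leaks.append((urlsplit(req["url"]).netloc, found))
    return leaks


def strip_identifier(page_url):
    """Mitigation: remove identifier parameters from the request URL.

    The identifier is moved into the URL fragment, which is never sent in
    the request line or the Referer header; the page's own script would
    read it from location.hash. This placement is one constructed way of
    applying the paper's advice, not the paper's own design.
    """
    p = urlsplit(page_url)
    qs = parse_qs(p.query)
    ids = {k: v[0] for k, v in qs.items() if k in ID_PARAMS}
    rest = {k: v[0] for k, v in qs.items() if k not in ID_PARAMS}
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(rest), urlencode(ids)))


if __name__ == "__main__":
    before = leaked_identifiers(build_requests(PAGE_URL, EMBEDDED_RESOURCES), PAGE_URL)
    print("leaks with identifier in URL:", before)
    safe = strip_identifier(PAGE_URL)
    after = leaked_identifiers(build_requests(safe, EMBEDDED_RESOURCES), safe)
    print("leaks after stripping:", after)
```

Running the audit against the original page URL reports both third-party
hosts receiving `uid=48213`; after `strip_identifier` the Referer carries
only `tab=photos` and the audit reports nothing. Cookies set by the
third-party hosts themselves are a separate channel the report mentions
and are not modelled here.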

Krishnamurthy and Wills, "On the Leakage of Personally Identifiable
Information Via Online Social Networks:"
     http://epic.org/redirect/082809_PII_SNS_Leak_Report.html

EPIC - Social Network Privacy:
     http://epic.org/privacy/socialnet



NIST Publishes Revised Security Controls for Federal Information
Systems and Organizations

The Computer Security Division Information Technology Laboratory of the
National Institute of Standards and Technology revised and published
security controls for federal information systems. The published
guideline is a mandatory federal standard developed by NIST in response
to the Federal Information Security Management Act. The new guideline
is more detailed than its predecessor and advises agencies to write
cybersecurity policy and includes several controls to defend against
computer threats. The new guidelines would apply not only to
civilian agencies, but also to the Defense Department and other
intelligence agencies. A companion document, "Special Publication
800-53A," includes procedures for testing and evaluating each security
control.

Recommended Security Controls for Federal Information Systems and
Organizations:
     http://epic.org/redirect/082809_NIST_Sec_Control.html

Markup Version:
     http://epic.org/redirect/082809_NIST_Sec_Control_Markup.html

Guide for Assessing the Security Controls in Federal Information Systems:
     http://epic.org/redirect/082809_NIST_Sec_Control_Guide.html



=======================================================================
[7] EPIC Bookstore: "OECD Communications Outlook 2009"
=======================================================================

     "OECD Communications Outlook 2009"

     http://www.amazon.com/gp/product/9264059830?tag=e03a6-20

Although the advent of telecommunications technology has crossed many
miles in the last few centuries, the human desire to connect and
communicate has always pushed mankind into developing novel ways to
communicate. The OECD Communications Outlook provides a bird's-eye
perspective over not only the development of telecommunications and
technology, but also the market forces that shape, hammer and thrust
it forward.

Drafted by the staff working in the OECD Directorate for Science,
Technology and Industry, the book is divided into chapters examining
recent changes in communication policy, market size, network dimensions
and development, internet infrastructure, broadcasting, and pricing
trends. The report confirms the perception that the telecommunications
market has expanded and goes on to emphasize how the ability to
communicate has seven pathways now as compared to one in 1980. The
report uses statistical data analyses to show striking trends in the
medium of communication technologies and identifies both the
bottlenecks as well as the impetus for future growth.

The publication studies the rise of broadband on fixed lines and the
increase in demand for bundled services against the specter of abysmal
investment in communications infrastructure. The report notes that,
although governments' ownership of public telecommunication operators
has declined, the current financial situation makes it likely that
major reductions in state ownership would be deferred. The OECD book
also notes the changing audio-visual landscape, with both audio and
video being delivered over a range of different networks and devices,
and the money being poured into new, high-speed broadband networks that
allow for a much richer audio-visual experience.

This book is not meant as advice or a guide, but rather as a
compilation of statistics that would help policy makers comprehend a
plethora of simultaneous evolutions in data interchange. The publication
gives a technical and informational overview of the digital evolution
against the backdrop of ever-changing, dynamic technologies mapped onto
competing market forces and leaves the readers to best judge how to
realize and apply the learning in their respective fields.

-- Anirban Sen

================================
EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

http://epic.org/bookstore/foia2008/
	
Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under Freedom
of Information Act, Privacy Act, Federal Advisory Committee Act,
Government in the Sunshine Act. The fully updated 2008 volume is the
24th edition of the manual that lawyers, journalists and researchers
have relied on for more than 25 years. 

================================

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

http://www.epic.org/redirect/aspen_ipl_casebook.html

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.

================================

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
http://www.epic.org/phr06/

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

================================

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

http://www.epic.org/bookstore/pvsourcebook

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.

================================

"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
$40.

http://www.epic.org/bookstore/pls2004/

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as
well as an up-to-date section on recent developments. New materials
include the APEC Privacy Framework, the Video Voyeurism Prevention Act,
and the CAN-SPAM Act.

================================

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

http://www.epic.org/bookstore/filters2.0

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

================================

EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore
http://www.epic.org/bookstore


================================

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:
https://mailman.epic.org/mailman/listinfo/foia_notes


=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

EPIC, Privacy Scorecard for the Obama Administration, National Press
Club, Washington DC, September 9, 2009. For more information,
http://www.theprivacycoalition.org/

Section: Protest Politics | Panel: The Contentious Politics of
Intellectual Property, 5th ECPR General Conference, Potsdam, Germany,
September 10-12, 2009. For more information,
http://www.ecpr.org.uk/potsdam/default.asp

2nd International Action Day "Freedom not Fear - Stop the Surveillance
Mania" Demonstrations, Events, Privacy Parties, etc., in many
countries. Worldwide, September 12, 2009. For more information,
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

Pan-European Dialogue on Internet Governance (EuroDIG),
Geneva, Switzerland, September 14-15, 2009. For more information,
http://www.eurodig.org/

World Summit on the Knowledge Society WSKS 2009,
Crete, Greece, September 16-18, 2009. For more information,
http://www.open-knowledge-society.org/

Gikii, A Workshop on Law, Technology and Popular Culture,
Institute for Information Law (IViR), University of Amsterdam,
September 17-18, 2009.
For more information, http://www.law.ed.ac.uk/ahrc/gikii/2009.asp

"The Net will not forget,"
European conference on ICT and Privacy,
Copenhagen, Denmark, September 23-24, 2009.
For more information, http://www.ict-privacy.dk/

3rd International Conference "Keeping Children and Young People Safe
Online," Warsaw, Poland, September 29-30, 2009.
For more information,
http://tinyurl.com/KCYPSO

"6th Communia Workshop: Memory Institutions and Public Domain"
Barcelona, Spain, October 1-2, 2009. For more information,
http://www.communia-project.eu/ws06

10th German Big Brother Awards,
Bielefeld, Germany, October 16, 2009.
For more information, http://www.bigbrotherawards.de

eChallenges 2009, Istanbul, Turkey, October 21-23, 2009.
For more information, http://www.echallenges.org/e2009/default.asp

Big Brother Awards Switzerland,
Zurich, Switzerland, October 24, 2009.
Deadline for nominations: August 31, 2009.
For more information, http://www.bigbrotherawards.ch/2009/

3rd European Privacy Open Space, Vienna, Austria, October 24-25, 2009.
For more information, http://www.privacyos.eu

Austrian Big Brother Awards,
Vienna, Austria, October 25, 2009.
Deadline for nominations: September 21, 2009.
For more information, http://www.bigbrotherawards.at

Free Culture Forum: Organization and Action,
Barcelona, Spain, October 29 - November 1, 2009.
For more information, http://fcforum.net

Free Society Conference and Nordic Summit,
Gothenburg, Sweden, November 13-15, 2009.
For more information, http://www.fscons.org

Global Privacy Standards in a Global World, The Public Voice,
Madrid, Spain, November 3, 2009. For more information,
http://thepublicvoice.org/events/madrid09/

31st International Conference of Data Protection and Privacy
Commissioners, Madrid, Spain, November 4-6, 2009.
For more information,
http://epic.org/redirect/072009_31Conf_IntlDPA.html

UN Internet Governance Forum,
Sharm El Sheikh, Egypt, November 15-18, 2009.
For more information, http://www.intgovforum.org/


=======================================================================
Join EPIC on Facebook
=======================================================================

Join the Electronic Privacy Information Center on Facebook

http://facebook.com/epicprivacy

http://epic.org/facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.


=======================================================================
Privacy Policy
=======================================================================

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."


=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:

http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.


=======================================================================
Subscription Information
=======================================================================

Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert


The EPIC Alert displays best in a fixed-width font, such as Courier.


------------------------- END EPIC Alert 16.16 ------------------------