EPIC logo

                            E P I C  A l e r t
Volume 14.25                                          December 14, 2007

                             Published by the
                Electronic Privacy Information Center (EPIC)
                             Washington, D.C.

Table of Contents
[1] Recusal of FTC Chairman Sought in Google-DoubleClick Case
[2] Facebook Adopts Some Privacy Measures, Promises Not to Retain Data
[3] FISA Debate Continues as Secret Court Refuses to Reveal Opinions
[4] Ask Eraser Privacy Feature Flawed
[5] Homeland Security to Require 10 Fingerprints from U.S. Visitors
[6] News in Brief
[7] EPIC Bookstore: Holiday Shopping Guide
[8] Upcoming Conferences and Events
    - Subscription Information
    - Privacy Policy
    - About EPIC
    - Donate to EPIC

[1] Recusal of FTC Chairman Sought in Google-DoubleClick Case

In a motion filed this week with the Secretary of the Federal Trade
Commission, EPIC and the Center for Digital Democracy have sought the
disqualification of FTC Chairman Deborah Platt Majoras from the pending
review of the proposed Google-DoubleClick merger. The organizations
recently learned that the law firm Jones Day, at which the FTC
Chairman's husband is a partner, has taken on DoubleClick as a client.

John M. Majoras is a partner who specializes in antitrust at the Jones
Day law firm. Jones Day's Web site said that it is representing
DoubleClick "on the international and U.S. antitrust and competition law
aspects" of the deal. The Web site listed five attorneys involved in the
deal, but doesn't include Majoras. However, Majoras has recused herself
in other antitrust reviews when Jones Day has been involved, and the
relationship between the Chairman and her husband's firm "calls into
question the ability of the commission to render decisions that are fair
and just." Representatives of Jones Day denied that the firm is acting
for DoubleClick in the merger review.

In a subsequent filing the next day, EPIC and the Center for Digital
Democracy provided new information to the Federal Trade Commission
concerning Jones Day's representation of DoubleClick in the pending
merger review. The new filing makes clear that statements denying Jones
Day participation in the matter are flatly contradicted by an earlier
posting on the firm's web site. The EPIC/CDD filing also notes that the
firm has subsequently removed the relevant web pages from its web site.
The groups are filing a Freedom of Information Act request for all
documents at the Commission regarding the matter and notifying
Congressional oversight committees.

Also this week, Rep. Joe Barton, Ranking Member of the House Energy and
Commerce Committee, sent a letter to Google raising 24 questions about
the company's proposed $3.1 billion merger with DoubleClick. Rep.
Barton, co-founder of the House Privacy Caucus, asked Google to detail
definitions of “anonymization” of consumer data, and “behavioral
targeting,” among other things. He also asked Google to explain “the
need to retain collected information for the length of time [Google
retains consumer data]” and “how and why information is combined or
shared across platforms.” A number of Senators and Representatives have
called for more in-depth review of the privacy questions raised by the
proposed merger. The deal is under investigation at both the U.S.
Federal Trade Commission and European Commission Directorate on

EPIC and CDD Motion for Recusal (pdf):


Center for Digital Democracy:


Jones Day:


Second recusal filing (pdf):


Jones Day's Earlier Posting (since removed):


[2] Facebook Adopts Some Privacy Measures, Promises Not to Retain Data

Social networking service Facebook recently introduced new privacy
components to its Beacon advertising system. The Beacon service collects
information from user interactions with third party sites such as Ebay
and Overstock.com. Beacon then broadcasts this information to a Facebook
user's friends, identifying the interaction such as items purchased or
services signed up for. A user on a third party site would have a brief
opportunity to opt-out via a pop-up. Security researchers reported that
information for all Internet users, not just Facebook users, was being
transmitted to Facebook's servers.

EPIC, the Center for Digital Democracy and advocacy group MoveOn.org
raised complaints. Thousands of Facebook users joined in protest of the
new features and the limited user control. Some advertisers were
reported as pulling back on using Beacon. Also reported were some
prototypes of Beacon which appeared to show that Facebook considered and
rejected a global opt-out of the feature. Legal issues were raised as to
whether Beacon and its companion Social Ads violated the privacy tort of
the right to publicity and the Video Privacy Protection Act.

Facebook CEO Mark Zuckerberg announced the new privacy features, and
apologized for how Beacon was developed and how the company reacted to
the aftermath. The privacy measures combine a limited opt-in and global
opt-out. Before a particular third party site will transmit information,
users must opt-in from their Facebook accounts. Facebook will continue
to ask for opt-ins until it is granted by the user. Once the opt-in is
granted, no more inquiries are made of the user. Facebook also added an
ability to globally opt out of the service. Users are able to change
their privacy settings and check a box entitled "Don't allow any
websites to send stories to my profile." Previously this feature was
only available on a site-by-site basis and only after that particular
site had broadcast Beacon data to users.

None of these privacy features stops the information from being
transmitted to Facebook. Rather, Facebook says that it does not retain
information transmitted to it that concerns non-Facebook members or
those that have opted out.

Mark Zuckerberg, Thoughts on Beacon:


EPIC's page on Social Networking Privacy:


EPIC's page on Facebook:


[3] FISA Debate Continues as Secret Court Refuses to Reveal Opinions

Congress continues to debate changes to the Foreign Intelligence
Surveillance Act as the February deadline for expiration of the Protect
America Act (PAA) looms. The PAA significantly expanded the surveillance
authority of the president by removing certain surveillance from review
by the FISA court. The PAA was requested by the administration following
certain FISA court rulings on its surveillance powers. In  a December 7,
2007 speech, Senator Whitehouse addressed the importance of oversight
over the president's surveillance powers. The FISA court recently
rejected a request to release redacted versions of the rulings outlining
the legal reasoning for the surveillance.

Sen. Whitehouse criticized three legal propositions from Office of Legal
Council opinions as examples of what the executive does "behind our
backs when they think no one is looking." The propositions state that:
the President may violate executive orders without issuing new ones; the
President may determine whether he is properly exercising his Article II
authority; and the Department of Justice is bound by the President's
legal determinations.    Since the Protect America Act removed certain
surveillance from the FISA court review, Sen. Whitehouse points to these
propositions as removing all limits from the President's ability to
wiretap Americans traveling abroad.

Sen. Whitehouse concludes by arguing for FISA reform which maintains
oversight over the president's surveillance authority. "We simply cannot
put the authority to wiretap Americans, whenever they step outside
America's boundaries, under the exclusive control and supervision of the
executive branch.  We do not allow it when Americans are here at home;
we should not allow it when they travel abroad.  The principles of
congressional legislation and oversight, and of judicial approval and
review, are simple and longstanding. Americans deserve this protection
wherever on God's green earth they may travel."

Meanwhile, the FISA court refused to release redacted records of legal
reasoning concerning the extent of  the President's surveillance powers.
The ACLU had sought the release of court orders and government pleadings
regarding warrantless wiretapping by the President. The court responded
by ruling that, though it had jurisdiction to consider the release of
records, there was no common law or First Amendment right to the
opinions. The ACLU had requested that the Court order a review of the
individual records and release the portions which are improperly
classified. The Court refused, stating that there would still be
deleterious effects from the disclosure. Among the deleterious effect
would be a chill on government disclosures to the court and the
potential that sensitive information would be released.  This case was 
the first time that anyone except the U.S. Department of Justice has
argued, even in writing, before the court. It is only the third time in
the history of the court that an opinion has been publicly released.

Transcript of Whitehouse Speech (Dec. 2007)(pdf): 


Foreign Intelligence Surveillance Court Ruling (pdf):


 EPIC's page on FISA: 


[4] Ask Eraser Privacy Feature Flawed

This week the Internet search company Ask announced the release of Ask
Eraser, a privacy "feature." An initial flurry of press reports
indicated that the program would help safeguard online privacy. A more
careful examination by EPIC has now raised questions about AskEraser.

According to the AskEraser FAQ, Internet users must turn on cookies and
keep the AskEraser cookie on the users computer so that Ask search
histories are not tracked. This procedure conflicts with the privacy
protecting practice of routinely deleting cookies and would require
users to disable other privacy software.

The opt-out cookie is also a "persistent identifier" that will allow
companies such as Ask to track Internet users whether or not the
companies retain search histories. Opt-out cookies were popularized by
the Internet Advertising company DoubleClick, a firm that Google is now
seeking to acquire.

Google has recently signed a multi-year deal with Ask that both extends
and broadens the working relationship of the two companies. According to
a mid-November press release "Google will provide Ask.com and IAC's
other Internet brands with sponsored listings. Additional terms of the
five-year agreement were not disclosed." However, Google is the company
that processes the Ask.com search requests, even with Ask Eraser
enabled, which means that Google could retain search histories.

Jeff Chester, Executive Director of the Center for Digital Democracy
said, "The representations about Ask Eraser are not fair or accurate. In
the absence of user action, Ask will continue to track the search
histories of Internet users. Those users who enable Ask Erase must
disable cookie deletion features. Also, the search deletion policy will
expire. Finally, all of the Ask searches, for users who have selected
Ask Eraser, will be processed by Google which purposefully chooses to
retain search histories."

Marc Rotenberg, EPIC Executive Director said, "If the FTC sanctions
opt-out cookies, Internet users will be required to keep persistent
identifiers on their computers from all the companies they do not want
tracking them. It is a nonsensical approach to privacy protection."

AskEraser FAQ:


"Ask.com Puts You in Control of Your Search Privacy With the Launch of
'AskEraser'" (Dec. 11, 2007):


Ask Press Release, "IAC and Google Sign Multi-year Deal" (Nov. 12,


Doubleclick, "DART Ad-Serving and Search Cookie Opt-Out":


[5] Homeland Security to Require 10 Fingerprints from U.S. Visitors

Under border control system US-VISIT, the Department of Homeland
Security will begin collecting a full set of fingerprints from foreign
visitors to the U.S. Until now, US-VISIT has only required two-print
collection. The database now includes 90 million sets of prints.

The program initially applied only to visitors traveling to the United
States on visas. However, on September 30, 2004, US-VISIT was expanded
to collect biometrics from travelers visiting the United States for
ninety days or less through the Visa Waiver Program, and has been
broadened more in the past three years.

Under US-VISIT, foreign visitors are subject to biometric collection,
biographic data collection, and watch list checks. The information
collected from individuals includes name, date of birth, country of
citizenship, passport number and country of issuance, complete U.S.
destination address, and digital fingerscans.

The Government Accountability Office reported in July that US-VISIT is
plagued with problems. "Weaknesses existed in all control areas and
computing device types reviewed," the GAO said. Security flaws in the
network used at 400 entry points nationwide increase the risk of theft
or manipulation of tens of millions of identity records, which include
passport, visa, Social Security and biometric data.

In 2005, a computer virus crashed the US-VISIT system. According to
documents released to Wired News under the Freedom of Information Act,
DHS knew of the software vulnerability, but deliberately chose to leave
more than 1,300 sensitive US-VISIT workstations vulnerable to attack.

Government Accountability Office, "Information Security: Homeland
Security Needs to Immediately Address Significant Weaknesses in Systems
Supporting the US-VISIT Program GAO-07-870" (July 2007) (pdf):


Department of Homeland Security's Press Release About 10-print


Department of Homeland Security's US-VISIT page:


EPIC's page on US-VISIT:


EPIC's page on Biometrics:


[6] News in Brief

Two Informative CRS Reports on FISA are Released

As Congress continues to debate amendments to the Foreign Intelligence
Surveillance Act, two new CRS reports have been released.  The first
presents a brief overview of selected issues in the FISA debate,
including the tension between national security and civil liberties; the
collection of foreign intelligence from persons based abroad; and
immunity for telecommunications companies that aided the
administration's warrantless surveillance program.  The second report
provides a detailed comparison of he three major proposals before
Congress. The House passed HR 3733, which does not include immunity, is
compared with the Senate Judiciary bill, which also does not contain
immunity, and the Senate Intelligence Committee bill, which does contain
immunity. The Senate has yet to pass a bill. The President has promised
to veto bills which contain immunity.

The Foreign Intelligence Surveillance Act: A Brief Overview of Selected
Issues (pdf):


The Foreign Intelligence Surveillance Act: Comparison of House-Passed
H.R. 3773, S. 2248 as Reported By the Senate Select Committee on
Intelligence, and S. 2248 as Reported Out of the Senate Judiciary
Committee (pdf):


EPIC's page on FISA:


International Human Rights Day

December 10, International Human Rights Day, commemorated the 1948
adoption of the Universal Declaration of Human Rights. Human Rights Day
2007 marked the start of a year-long commemoration of the 60th
anniversary of the Declaration. The Declaration is the foundation of
international human rights law, the first universal statement on the
basic principles of inalienable human rights, and a common standard of
achievement for all peoples and all nations. Article 12 of the
Declaration includes privacy as a fundamental human right.

UN International Human Rights Day:


Universal Declaration of Human Rights:


Privacy and Human Rights 2006:


Privacy Law Sourcebook:


Privacy Protections Lacking in US Healthcare Bill

Senators Kennedy and Enzi proposed the Wired for Healthcare Quality Act,
S. 1693, in an effort to advance health information technology. However,
members of the Coalition for Patient Privacy claim that the Wired Act
does not contain meaningful protections to keep individuals' health
information private, and have asked that the bill go no further until
privacy protections are added. According to advocacy group Patient
Privacy Rights, “passage of the Wired Act as written will further erode
Americans' right to keep their health records private and cost the
taxpayers millions.” Senator Leahy has drafted an amendment adding
privacy protections, and the Coalition for Patient Privacy sent a letter
to the Senate this week urging the Wired Act's sponsors to include all
of the privacy protections proposed in Senator Leahy's amendment.

Wired for Health Care Quality Act, S.1693:


Senator Leahy amendment (pdf):


Coalition for Patient Privacy letter to Senators Kennedy and Enzi (Dec.
10, 2007) (pdf):


DOJ Support Voter Photo ID Requirements

The Department of Justice submitted a brief in support of the state of
Indiana's voter identification law awaiting a hearing before the United
States Supreme Court scheduled for January 9, 2008.  The brief asserts
that the Indiana Voter ID law is an administrative rule that furthers
the State's interest in combating voter fraud.  The Department of
Justice states that the state has broad authority to establish the new
photo voter ID requirement and that it is neither discriminatory nor a
severe burden.  EPIC filed a brief in the same case, Crawford v. Marion
County, in opposition to the State's position. because of privacy and
the claim by that the identification requirement protected the election
process from fraud.  Indiana has recent case history of absentee voter
fraud that resulted in overturning a local judicial race.

The Justice Department's record of enforcing laws that protect the
voting rights of minority voters has seen a shift toward voter fraud,
which has little documented evidence, and away from ballot access
problems that have a long history.

DOJ Brief (pdf):


EPIC's page on Crawford case:


EPIC Crawford Brief (pdf):


EPIC's page on Voting Privacy:


Samuelson Clinic Releases New Security Breach Notification Report

A new report released by the Samuelson Clinic, entitled “Security Breach
Notification Laws: Views from Chief Security Officers” found that 36
states have enacted breach notification legislation, which requires
notice to individuals in the event of a loss of their personal data. The
report chronicled the literature on data security breaches and surveyed
information security chiefs on the subject. However, the report noted
that security of personal information held by companies is still not a
marketable feature to consumers.

The findings of the report are that breach notification laws raise
awareness of the importance of information security; facilitate better
cooperation among departments within organizations; and that as a result
companies are requiring better security practices of their own suppliers
or contractors. The study recommends the establishment of uniform
standards for: public notice of security breaches; notification to a
centralized organization in addition to customers; clarification and
broadening technology safe harbor provisions; create a safe harbor
period for notifications; and collection of more information on the type
of notification trigger language that should be used. The Federal
government has failed to enact legislation related to breach

Samuelson Clinic report:


One World Trust Releases 2007 Global Accountability Study

One World Trust, a leading expert in the field of global governance and
accountability, has released a report at the British Parliament
measuring and ranking the accountability of 30 of the world's most
powerful intergovernmental, corporate, and non-governmental
organizations. The Report analyses each organization's capabilities
according to the four dimensions of accountability as defined by the
Global Accountability Framework: transparency, participation,
evaluation, and complaint and response mechanisms. This year's report
shows that intergovernmental organizations showed excellent transparency
and evaluation systems, while NGOs showed the best participation
capabilities and corporations showed the best complaint and response

2007 Global Accountability Study:


The Public Voice:


[7] EPIC Bookstore: Holiday Shopping Guide

Shopping for the holidays? Consider an EPIC book!

Titles from the EPIC Bookstore 2007

Litigation Under the Federal Open Government Laws (FOIA) 2006


Privacy and Human Rights 2006


Information Privacy Law 2005


The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments


The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society


Filters and Freedom 2.0: Free Speech Perspectives on Internet Content


Cryptography and Liberty 2000: An International Survey of Encryption


The Consumer Law Sourcebook 2000: Electronic Commerce and the Global


Privacy on the Line, The Politics of Wiretapping and Encryption, Updated
and Expanded Edition by Whitfield Diffie and Susan Landau


"The Future of Reputation: Gossip, Rumor, and Privacy on the Internet”
by Daniel J. Solove


"Privacy Law and Society" by Anita Allen 


"Takeover: The Return of the Imperial Presidency and the Subversion of
American Democracy" by Charlie Savage


"Digital Destiny: New Media and the Future of Democracy" by Jeff Chester


"Generation Digital: Politics, Commerce and Childhood in the Age of the
Internet" by Kathryn C. Montgomery



EPIC Publications:

"Information Privacy Law: Cases and Materials, Second Edition" Daniel J.
Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.


"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.


"FOIA 2006: Litigation Under the Federal Open Government Laws," Harry
A. Hammitt, Marc Rotenberg, Melissa Ngo, and Mark S. Zaid, editors
(EPIC 2007). Price: $50. http://www.epic.org/bookstore/foia2006

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act.  The 23nd edition fully updates
the manual that lawyers, journalists and researchers have relied on for
more than 25 years.  For those who litigate open government cases (or
need to learn how to litigate them), this is an essential reference


"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).  This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.


"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the


"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.


EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore http://www.epic.org/bookstore

"EPIC Bookshelf" at Powell's Books


EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

US Department of Homeland Security Privacy Office Public Workshop: CCTV
- Developing Privacy Best Practices. Arlington, VA. December 17-18,
2007. For more information, email privacyworkshop@dhs.gov

ACI’s 7th National Symposium on Privacy & Security of Consumer and
Employee Information.  January 23-24, 2008.  Philadelphia, PA.  For more
information: http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime
Conference. January 26, 2008. Stanford University. For more
information: http://cpsr.org/news/compiler/2007/Compiler200707#twc

Mobility, Data Mining And Privacy: Preserving Anonymity in
Geographically Referenced Data. February 14, 2007. Rome, Italy. For more

Future of the Internet Economy - OECD Ministerial Meeting. June 14-18,
2008. Seoul, Korea. For more information:

Subscription Information

Subscribe/unsubscribe via web interface:


Back issues are available at:


The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research.  For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009.  Or you can contribute online at:


Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 14.22 -------------------------