Focusing public attention on emerging privacy and civil liberties issues

Previous Top News 2008

  • EPIC, Experts Urge Supreme Court: Protect Identity Management Techniques. EPIC filed a "friend of the court" brief in the United States Supreme Court, urging the Justices to protect techniques that allow individuals to safeguard privacy. The brief was filed on behalf of 17 legal scholars and technical experts. In Flores-Figueroa v. United States, the Court will be asked to determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsh criminal punishments for "identity theft." EPIC explained that the crime of identity theft should require an intent to impersonate another as Congress made clear in the federal laws under review. The brief urges the Court to not "set a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful." For more information, see EPIC's Flores-Figueroa page. (Dec. 22)
  • Coalition Letter to President-elect Obama on the Future of Privacy. Thirty Privacy Coalition members sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president's expressed position on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that "[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information." For more information visit EPIC's A-Z Privacy Page. (Dec. 19)
  • Change in Yahoo Search Retention Leaves Privacy Questions Unresolved. Yahoo announced that, after 90 days, it will obscure some elements in the records that it keeps about all Internet users who use the company's services. The search company will continue to keep modified record locators, time/date stamps, web pages viewed, and a persistent user identifier, known as a "cookie" for an indefinite period. Yahoo is also retaining much of the IP address, which typically identifies a user's device, such as a laptop or a mobile phone. Privacy rules classify IP addresses as "personal data." Experts have criticized the partial deletion of IP address data as insufficient to protect consumers, and called for complete deletion. For more information, see EPIC's Search Engine Privacy page. (Dec. 18)
  • Department of Homeland Security releases Fusion Center Privacy Impact Assessment. The Department of Homeland Security has released the Privacy Impact Assessment for the State, Local, and Regional Fusion Center Initiative. The assessment examines the privacy implications of the State, Local and Regional Fusion Centers and the DHS' State and Local Program Management Office. In May, EPIC prevailed in its freedom of information request to disclose documents describing the federal government's involvement in efforts to limit Virginia's transparency and privacy laws and uncovered a secret contract between the State Police and the FBI that limits the rights of Virginia citizens to learn what information the State Police collect about them. For more information, see EPIC's page on Information Fusion Centers and Privacy. (Dec. 17)
  • Supreme Court Backs State Consumer Protection Law. Today, America's highest court affirmed the authority of states to establish safeguards that provide stronger consumer protections than federal laws. Cigarette companies challenged a Maine consumer protection law that prohibits unfair or deceptive trade practices, claiming that a weaker federal law "pre-empted" the Maine measure. However, the Supreme Court upheld the state protections, holding that the Maine law was not pre-empted by the Federal Cigarette Labeling and Advertising Act or federal regulators' authority. Many states have passed strong consumer privacy laws that private companies hope to preempt with weaker federal laws. The decision also follows President-elect Barack Obama's statement that "a single courageous state may, if its citizens choose, serve as a laboratory." Obama's statement echoes Supreme Court Justice Louis Brandeis, who advocated for state lawmakers' broad freedom to create innovative consumer protections as "laboratories of democracy." For more information, see EPIC's "Privacy Preemption Watch" page. (Dec. 15)
  • International Human Rights Day - Privacy is a Fundamental Right. December 10, International Human Rights Day, commemorates the 1948 adoption of the Universal Declaration of Human Rights. Human Rights Day 2008 marks the start of a year-long commemoration of the 61st anniversary of the Declaration. The document is the foundation of international human rights law, the first universal statement on the basic principles of inalienable human rights, and a common standard of achievement for all peoples and all nations. Article 12 of the Declaration includes privacy as a fundamental human right. The EPIC Privacy Law Sourcebook contains the complete Universal Declaration of Human Rights. For more information, watch this video. (Dec. 10)
  • European Court Rules UK DNA Retention Illegal. Today, the European Court of Human Rights ruled that the world largest DNA database, based in the United Kingdom, violated Article 8 of the European Convention on Human Rights which protects the right to privacy. Privacy International filed an amicus brief in this case. The European court considered several issues including familial searching, social stigmatization, and the protection of children's rights. The court, sitting as a Grand Chamber, ruled that applicants who have not been convicted of a crime are presumed innocent and that retaining indefinitely their genetic samples, fingerprints and DNA profiles interfered with the right to respect for private life. For more information on DNA database laws, see EPIC's Genetic Privacy page. (Dec. 4)
  • EPIC Calls For Disclosure of Federal Domestic Surveillance Guidelines. Today, EPIC filed a Freedom of Information Act request to force disclosure of new guidelines governing domestic surveillance. The Attorney General's Guidelines for Domestic FBI Operations became effective today, despite warnings from Congressional leaders that "these guidelines would permit FBI surveillance of innocent Americans with no suspicion and on the basis of their race, religion or national origin." Administration officials failed to make public the final, complete policies, which govern the conduct of field operatives while performing domestic investigations. "The guidelines grant the FBI broad authority to conduct domestic surveillance of many individuals suspected of no crime. Therefore it is necessary that the legal authority is made available to the public," EPIC said. For more information, See EPIC Attorney General's Guidelines. (Dec. 1)
  • EPIC, Media, Civil Liberties and Immigration Groups Urge NPR to Drop Promotion for E-Verify. In a letter to National Public Radio, EPIC, the ACLU, the National Immigration Law Center and Free Press have urged the NPR Ombudsman to discontinue a promotion for the controversial "E-Verify" program. The ad is running as a result of underwriting support from the Department of Homeland Security, but NPR guidelines allow only identification and not promotion for underwriters. See EPIC "Spotlight on Surveillance: E-Verify System - DHS Changes Name, But Problems Remain for U.S. Workers." (Dec. 1)
  • Senator Leahy Presses Justice Department on Telephone Privacy. Senator Patrick Leahy has asked the Department of Justice to provide information about investigations and prosecutions under the federal law that prohibits viewing confidential phone records information, following reports that Verizon employees improperly accessed President-elect Obama's cell phone records. The employees were dismissed but no criminal investigation was pursued. In 2007, EPIC testified before Congress on fraudulent access to phone records and urged Congress to establish stronger safeguards. For more information, see EPIC's illegal sale of phone records page. (Nov. 25)
  • Court Upholds New Hampshire Prescription Privacy Law. Today, the First Circuit Court of Appeals upheld a New Hampshire law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. In August, EPIC and 16 experts in privacy and technology filed a "friend of the court" brief urging the federal appellate court to reverse a lower court ruling that delayed enforcement of the New Hampshire Prescription Confidentiality Act. The experts said the lower court should be reversed because there is a substantial privacy interest in patient data that the lower court failed to consider. The New Hampshire Attorney General also defended the law, calling pharmaceutical representatives "invisible intruder[s] in the physician's examination room." Data mining companies challenged the law, claiming that the privacy measure violated their free speech rights. For more information, see EPIC's IMS Health v. Ayotte page. (Nov. 18)
  • EPIC Complaint Leads to Halt of Stalker Spyware Distribution. Following an EPIC complaint, a federal court has ordered CyberSpy Software to stop selling malicious computer software. In March, EPIC filed a complaint with the Federal Trade Commission alleging that the spyware purveyor engages in unfair and deceptive practices by: (1) promoting illegal surveillance; (2) encouraging "Trojan Horse" email attacks; and (3) failing to warn customers of the legal dangers arising from misuse of the software. The federal regulators agreed, and asked the court for a permanent injunction barring sales of CyberSpy's "stalker spyware," over the counter surveillance technology sold for individuals to spy on other individuals. The court entered a temporary restraining order on November 6, 2008. Further litigation is expected before the court rules on the government's request for a permanent ban. For more information, see EPIC's Personal Surveillance Technologies page and Domestic Violence and Privacy page. (Nov. 17)
  • Google "Flu Trends" Raises Privacy Concerns. Google announced this week a new web tool that may make it possible to detect flu outbreaks before they might otherwise be reported. Google Flu Trends relies on individual search terms, such as "flu symptoms," provided by Internet users. Google has said that it will only reveal aggregate data, but there are no clear legal or technological privacy safeguards to prevent the disclosure of individual search histories concerning the flu, or related medical concerns, such as "AIDS symptoms," "ritalin," or "Paxil." Privacy and medical groups have urged Google to be more transparent and publish the algorithm on which Flu Trends data is based so that the public can determine whether the privacy safeguards are adequate. For more information, see EPIC's Google Flu Trends page. (Nov. 12)
  • Google, Yahoo Drop Deal After Antitrust Review. Today, Google, the internet's largest search engine, abandoned its planned advertising arrangement with Yahoo, a Google competitor. In June, the two internet search companies announced plans to coordinate the sale of online advertisements. The US Department of Justice scrutinized the deal, and expressed concern that the arrangement would eliminate competition for Internet-based advertising. Government lawyers said that,"if implemented, the agreement between these two companies accounting for 90 percent or more of each relevant market would likely harm competition" and threatened to file a lawsuit to scuttle the deal. In 2007, EPIC urged the Federal Trade to impose conditions in a similar merger review, involving Google and Doubleclick. The FTC failed to do so, raising concerns about the independence of the Commission. (Nov. 5)
  • In EPIC Case for Wiretap Memos, Federal Judge to Review Justice Department Documents. In EPIC v. DOJ, EPIC, the ACLU, and the National Security Archive are seeking government documents regarding the President's warrantless wiretapping program. Today, a federal court ordered the Department of Justice to provide for inspection copies of legal memos authored by government lawyers. The opinions, prepared by the Office of Legal Counsel, provided the legal basis for the President to wiretap US citizens in the United States without court approval. EPIC began the Freedom of Information Act lawsuit in December 2005, after the New York Times first reported the details of the wiretap program. For more information, see EPIC's EPIC v. DOJ page. (Oct. 31)
  • Senators Seek Details of Terrorism Interrogations, Domestic Surveillance Activities. Senator Patrick Leahy issued a subpoena requiring Attorney General Michael Mukasey to disclose information regarding the federal government's terrorism-related activities, including its warrantless surveillance program. The Senate Judiciary Committee Chairman's subpoena requires the Attorney General to make public documents regarding the spy scheme. Lawmakers have sought this information for more than five years, but state that their efforts have been stonewalled by Bush administration officials. "There is no legitimate argument for withholding the requested materials from this Committee," Senator Leahy wrote. In December 2005, EPIC demanded the release of memos regarding the program. Some of those documents were disclosed in response to an EPIC lawsuit. Others remain secret pending the resolution of the case. Documents obtained by EPIC reveal that a former top official doubted that the spy program was legal. For more, see EPIC's National Security Agency's Warrantless Surveillance Program page. (Oct. 27)
  • International Privacy Conference Draws Attendees from 68 Countries. More than 600 participants attended the 30th annual International Conference of Data Protection and Privacy Commissioners in Strasbourg, France. The conference explored "Protecting privacy in a borderless world" through high-level panels with government officials, business leaders, technical experts, and privacy advocates. Delegates called for increased international co-operation and emphasized that data protection must play a more prominent role in public and private institutions. The conference said, "in light of recent scandals all over the world, a strong independent supervision with tangible sanction powers is more necessary than ever." Privacy commissioners issued resolutions on several topics, including Children's Online Privacy, International Privacy Standards, and Privacy in Social Network Services. For a comprehensive survey of privacy developments around the globe, purchase EPIC's Privacy and Human Rights report. (Oct. 24).
  • European Parliament Challenges Body Scanners. European Union lawmakers have voted overwhelmingly to oppose the adoption of "body scanners," devices that produce images of people as if they were naked. The sponsors specifically identified the risk that the images of naked travelers would be retained by private vendors and government agencies. The European Parliament instructed the European Commission to carry out a fundament rights impact assessment, consult with European privacy authorities, assess the health impact of the technology, and conduct a cost-benefit impact assessment. For more information, see EPIC Backscatter X-Ray Screening Technology and EPIC Spotlight on Surveillance: Transportation Agency's Plan to X-Ray Travelers Should Be Stripped of Funding. (Oct. 23)
  • E-Deceptive Campaign Practices Technology Report Released. EPIC's voting project releases the first report on the technology of deceptive campaign practices. Deceptive campaigns are attempts to misdirect voters regarding the voting process for public elections. Deceptive campaign activity can be false statements about polling times, date of the election, or voter identification rules. The EPIC report reviews the potential for abuse of Internet technology in an election context, and makes recommendations on steps that could be taken by Election Protection, Election Administrators, and voters to protect the integrity of the upcoming election. A legal and policy companion of the report was simultaneously released by Common Cause and the Lawyers Committee for Civil Rights Under Law. For more information, see EPIC's Voting Privacy page and Voting Project . (Oct 20)
  • National Academy Calls for Comprehensive Review of Counterterrorism Programs for Effectiveness, Privacy Impacts. According to a new report from the National Research Council, all U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. The report -- "Protecting Individual Privacy in the Struggle Against Terrorism: A Framework for Program Assessment -- sets out a program checklist agencies should follow, and urges Congress to establish new restrictions on how agencies can collect and use personal data. Press Release. Podcast. Webcast. Report (pdf). EPIC has written extensively on the problems with data mining and opposed the establishment of Total Information Awareness. (Oct. 7)
  • UPDATED - Supreme Court Hears Argument in Police Database Errors Case. Today, the U.S. Supreme Court heard arguments in Herring v. United States. The case will determine whether an arrest based on inaccurate information in a criminal justice database should be upheld. EPIC filed a "friend of the court" brief (pdf) in the case, urging the Justices to ensure the accuracy of police databases. The EPIC brief was filed on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. EPIC explained how government databases are becoming increasingly unreliable, according to the government's own studies and urged the Court to "ensure an accuracy obligation on law enforcement agents who rely on criminal justice information systems." The amici warned that, "to permit a good faith reliance on data that is inaccurate, incomplete, or out of date will actually exacerbate the problem and increase the likelihood of unfair treatment in the criminal justice system." Transcript. For more, see EPIC's Herring v. U.S. page. (Oct. 7)
  • EPIC Publishes Open Government Litigation Manual. Today, EPIC published the 2008 edition of "Litigation Under the Federal Open Government Laws." It is the most comprehensive, authoritative discussion of the federal open access laws. The 24th edition of this standard reference work features updated content and a foreword by Senator Patrick Leahy, co-sponsor of the OPEN Government Act of 2007. The book contains the texts of the US open government laws, including the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. Today's publication date celebrates International Right to Know Day, which was established to raise awareness of every individual's right of access to government-held information. For more, see EPIC's 2008 FOIA Litigation Manual. (Sept. 26)
  • EPIC Urges FTC to Establish Privacy Safeguards for RFID Tags. In comments to the Federal Trade Commission, EPIC reiterated recommendations (pdf) it made in 2004 to the consumer protection agency to address the risks to consumer safety of the unregulated use of RFID tags that reveal personal data. The FTC is hosting a "Transatlantic RFID Workshop on Consumer Privacy and Data Security" to discuss consumer concerns. The workshop follows an event, organized by the US Department of Commerce, promoting the benefits of RFID. Comments on RFID may be submitted to the FTC until October 23. For more, see EPIC's RFID Privacy page. (Sept. 22).
  • Senate Begins Hearings on FBI Attorney General Guidelines. The Senate Judiciary Committee is holding an oversight hearing on the FBI. The FBI is proposing to adopt new guidelines for domestic operations that would permit "assessments" of individuals without any suspicion of criminal wrongdoing that could then lead to full investigations. The proposed Guidelines also appear to rescind 2003 principles that limit the use of racial factors to national security investigations. Several Senators have expressed concern about the proposal. See EPIC Attorney General's Guidelines. (Sept. 17)
  • Identity Theft Legislation Passes Congress.The House of Representatives has approved the Identity Theft Enforcement and Restitution Act, legislation introduced by Senator Patrick Leahy that passed the Senate in 2007. The bill contains new provisions to provide restitution to victims of identity theft and expands the computer crime law to address the problem of spyware. The President is expected to sign the measure. Senator Leahy and Senator Specter are also pressing for passage of the Personal Data Privacy and Security Act, which addresses consumer concerns such as security breaches and the misuse of the Social Security Number. The bill is currently pending in the Senate. For more, see EPIC Identity Theft: Its Causes and Solutions. (Sept. 16).
  • Privacy08 - Third Party Candidates Issue Strong Statement on Privacy. Charging that the Republican and Democratic parties have ignored the "most important issues facing our nation," Presidential candidates Chuck Baldwin, Bob Barr, Cynthia McKinney, and Ralph Nader issued a strong statement on four key issues, including privacy. The Privacy Principle begins "We must protect the privacy and civil liberties of all persons under US jurisdiction." The candidates said the principles "should be key in the considerations of every voter this November and in every election." The announcement was made at a National Press Club event organized by Ron Paul's Campaign for Liberty. For more information on privacy and the 2008 presidential elections, visit Privacy08 and Friend the Cause. (Sept. 15).
  • Cloud Computing Raises Privacy Concerns. A new report from Pew Internet and American Life Project indicates that "cloud computing" applications, such as web-based email and other web apps, are raising new privacy concerns. The report Use of Cloud Computing: Applications and Services found that 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. At the same time, "users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware." For example, 90% of respondents said that they "would be very concerned if the company at which their data were stored sold it to another party," 80% say "they would be very concerned if companies used their photos or other data in marketing campaigns," and 68% of "users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions." For more information on public attitudes on privacy, see EPIC Public Opinion and Privacy Page. (Sept. 12)
  • Federal Appeals Court Hears Telephone Privacy Case. On September 10, 2008, a federal court in the District of Columbia heard arguments in a challenge to telephone privacy regulations. At issue is a federal rule (pdf) requiring telephone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. An industry group challenged the privacy rule. In May, EPIC filed a "friend of the court" brief (pdf) urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC pages on NCTA v. FCC and CPNI (Customer Proprietary Network Information). (Sept. 11)
  • EPIC Testifies Before the Homeland Security Committee. EPIC Associate Director Lillie Coney testified (pdf) at a Congressional hearing on "Ensuring America's Security: Cleaning Up the Nation's Watchlists". Ms. Coney said that there are several problems with the watchlist program: it is not subject to the Privacy Act, the watchlists are full of errors, the secure flight program may become a textbook case of "security theater," and the traveler redress program is not designed to do what it claims. For more information, see EPIC Spotlight on Surveillance: Secure Flight, EPIC Spotlight on Surveillance: Travel Redress Program, and EPIC Air Travel Privacy Page. (Sept. 9)
  • Presidential Candidate Bob Barr Speaks at Privacy 08 Event in Washington, DC. The Libertarian candidate for President Bob Barr spoke today at the National Press Club. The former Congressman urged the Republican and Democratic candidates to address the growing concerns in the United States about the protection of privacy. Mr. Barr is an outspoken critic of the REAL ID plan and the President's warrantless wiretapping program. The Privacy '08 Campaign is planning other forums for the candidates as the election approaches. (Sept. 5)
  • Conventions Begin, Privacy 08 Campaign Underway. With the Presidential Conventions beginning this week, EPIC has launched the Privacy 08 Campaign, a nonpartisan effort to promote privacy discussions during the 2008 Presidential campaign. After the political conventions are over, EPIC will host an event at the National Press Club on September 5, 2008 for one of the Presidential candidates who will speak about the privacy and civil liberties challenges facing the country. Join the Cause! Buy cool stuff! Support Privacy 08! (Aug. 25)
  • Appellate Court Holds that Watch List Decisions Subject to Court Review. A federal court has ruled that airline passengers who are on no-fly lists can sue to clear their names. The watch lists are filled with errors and generate many false positives, but adverse determinations are virtually impossible to challenge. Homeland Security Secretary Michael Chertoff has objected to court oversight, but refuses to disclose the details behind the lists. EPIC previously documented numerous errors and complaints regarding air travel watch lists. For more information, see EPIC's "Air Travel Privacy" page. (Aug. 21)
  • Warrantless Wiretapping Case Returns to Trial Court. Today, a lawsuit challenging AT&T's participation in President Bush's warrantless wiretapping program was sent back to trial court. The lawsuit arises from the government's surveillance of Americans' telephone and Internet communications in apparent violation of the Constitution and federal privacy laws. Telecom companies, including AT&T, helped the government spy on Americans. The trial court will apply recently-passed federal law to the case, which provides immunity for corporations' participation in the spy scheme under certain circumstances. In 2007, EPIC filed a "friend-of-the-court" brief in collaboration with the Stanford Constitutional Law Center, supporting judicial review of the domestic spy program. For more information, see EPIC's "Hepting v. AT&T" and "FISA" pages. (Aug. 21)
  • EPIC Protects Worker Privacy. In comments to the General Services Administration (GSA), EPIC argued for privacy protections for federal contractor employees. The GSA sought comments on implementing an executive order mandating that federal contractors use the E-Verify system. The GSA proposed rule would require that new hires and current employees be verified against databases known to contain millions of errors, with failures to verify leading to eventual termination. EPIC recommended fixing database errors, applying Privacy Act protections, and exempting current employees before implementing the rule. For more see EPIC's Spotlight on Surveillance: National Employment Database Could Prevent Millions of Citizens From Obtaining Jobs. (Aug. 11)
  • EPIC Argues for High Privacy Standard in Email Interception Case. EPIC submitted a brief in Bunnell v. MPAA, a case that could substantially impact email privacy. EPIC's "friend of the court" brief supported the application of the federal Wiretap Act's protections to email messages in circumstances when the messages are briefly stored while they pass through mail servers. In Bunnell, a former employee hacked his ex-employer's corporate email server to secretly swipe private emails as they were transmitted. EPIC argued that the Wiretap Act applies to these sorts of circumstances by barring "interception" of electronic communications. EPIC has long advocated for application of the "interception" standard to email, and filed an amicus brief on this issue in 2004 in U.S. v. Councilman. For more information see EPIC's Bunnell v. MPAA page. (Aug. 7)
  • Registered Traveler Program Halted After Data Breach. The Clear registered traveler program suffered a security breach when a laptop was stolen. The laptop contains unencrypted personal information regarding approximately 33,000 travelers, including names and addresses, as well as passport and driver's license numbers. Government officials suspended new applications to the registered traveler scheme in the wake of the data theft. The Clear program permits users to bypass normal airport security lines after they enroll and undergo a background check. EPIC has warned of the privacy and security risks posed by registered traveler programs. For more information, See EPIC's Passenger Profiling page. (Aug. 5)
  • President Consolidates Surveillance Authority. President Bush has revised a key Executive Order that sets out the authorities of the US intelligence agencies. Executive Order 12333 establishes the "Goals, Directions, Duties, and Responsibilities with Respect to United States Intelligence Efforts" as well as the "Conduct of Intelligence Activities." The Order was drafted by the Director of National Intelligence and grants the top Intelligence office new powers to coordinate domestic surveillance. EPIC previously warned the 9-11 Commission that new surveillance authorities require new forms of oversight. (Aug. 4).
  • Trade Commission Approves Data Breach Settlements, But Fails to Impose Monetary Penalties. The Federal Trade Commission has finalized settlements with TJX, Reed Elsevier, and Seisint. The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements impose security and audit responsibilities, but no financial penalties. For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions page. (Aug. 4)
  • Congressional Privacy Leaders Call for Internet Companies to Come Clean On Behavioral Profiling. Senior members of Congress have requested details of Internet companies' efforts to spy on their customers. The 33 targeted Internet companies, including AT&T, Time Warner, Microsoft, and Google, may be tracking the activities of Internet users. Congressman Edward J. Markey warned that "new technologies, such as 'deep packet inspection' technologies, have the ability to track every single website that a consumer visits while surfing the Web." Charter Communications and Embarq previously came under fire for monitoring Internet users and suspended their activities. Members of Congress have now turned their attention to the leading telcos and Internet firms. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (Aug. 4).
  • China to Spy on Olympic Visitors' Internet Activity. A Chinese intelligence agency has ordered foreign-owned hotels to install invasive snooping equipment that monitors Olympic visitors' Internet activity. Senator Sam Brownback announced that he has obtained an order from the Chinese Public Security Bureau that directs hotels to intercept and record the Internet activities of all guests, including "journalists, athletes' families, and other visitors." Senator Brownback observed that this directive contradicts China's pledge to the International Olympic Committee that the country would "maintain an environment free of government censorship during the Games." The spying plan also contravenes longstanding international privacy and human rights norms, including Article 12 of the Universal Declaration of Human Rights, which prohibits "arbitrary interference with privacy, family, home or correspondence." For more information, see EPIC's Privacy and Human Rights report and EPIC's page on Olympic Privacy. (July 30)
  • Health IT Bill Moves Forward in House with Some Privacy Safeguards. The House Commerce Committee today approved H.R. 6357, the Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008. The PRO(TECH)T Act will promote the adoption of health information technology that is intended to improve the delivery of healthcare services. The bill includes some security and privacy safeguards, such as data breach notification, though Patient Privacy Rights believes that stronger protections are necessary. EPIC made several suggestions to strengthen the privacy provisions. For more information see EPIC Medical Privacy. (July 23)
  • European Court of Human Rights Rules that Medical Data Breach Violates Fundamental Privacy Rights. The Finnish government will be required to pay a fine because it failed to protect the privacy of patient data against unauthorized access, according to a ruling from the European Court of Human Rights. The European Court held that Article 8 of the European Convention on Human Rights, which protects private life, includes an affirmative obligation to ensure the security of personal data. The Court also held that it was unreasonable to expect the petitioner to prove that the record had been misused. For more information on international privacy, see EPIC's Privacy and Human Rights report. (July 22)
  • In ACLU, EPIC Case, Federal Court Strikes Down Internet Censorship Law. Today, the Third Circuit Court of Appeals struck down the Child Online Protection Act, a federal law that sought to prohibit the publication of information on the Internet that could be considered "harmful to minors." The Court held that the law violated the First and Fifth Amendments because it is "impermissibly overbroad and vague." The Court also criticized the law's encroachment on the right of Internet users to receive information anonymously, a claim that EPIC raised early in the litigation. The lawsuit challenging the Child Online Protection Act began nearly ten years ago, following the Supreme Court's invalidation of Congress' first attempt to censor the Internet, the Communications Decency Act. For more information, see EPIC's page on The Legal Challenge to the Child Online Protection Act. (July 22)
  • Congressional Privacy Leaders Criticize Embarq's Secret Internet Spying, Call on Internet Company to Divulge Details. Senior members of Congress criticized Embarq's recent test of Internet snooping technology. The Internet company, in partnership with NebuAd, intercepted customers' Internet activity "to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits." The Congressmen observed that Embarq's secret Internet surveillance raises substantial questions of compliance with federal law. Congressmen Edward Markey (D-MA) and Joe Barton (R-TX) previously urged Charter Communications, the nation's fourth-largest cable company, to back off on a similar venture with NebuAd. The cable giant scrapped the controversial plan in June. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (July 15)
  • First European Union Privacy Seal Awarded to Search Company. The European Data Protection Supervisor presented the first EuroPriSe Seal to the search company Ixquick. EuroPri is a European initiative to determine whether information technology products and services comply with European regulation on privacy and data security. Ixquick is a meta-search engine that forwards search requests to several search engines, gathers and combines the results and presents the results to the requesting users. Ixquick serves as a proxy -- IP addresses of users are not disclosed to other search engines. Ixquick also incorporates data minimization techniques. For more information on search engine privacy, see EPIC page on Search Engine Privacy. (July 14)
  • EPIC Urges Protection of Passport Privacy. EPIC testified before the Senate Judiciary Committee, urging new protections for passport information privacy. The hearing, held at a time of increased information collection and dissemination by the government, addressed an Inspector General report on data breaches at the State Department. EPIC's testimony recommended implementing the privacy protections of S. 495, the Personal Data Privacy and Security Act of 2007; limiting employee and contractor disclosures; increasing accounting requirements; and creating an independent privacy agency. In a FOIA request filed today, EPIC demanded the release of the complete Inspector General report, substantial portions of which have been withheld from the public. For more, see EPIC's page on Passport Privacy. (July 10)
  • EPIC v. FTC: EPIC Obtains Documents Detailing Conflict of Interest in Google-Doubleclick Merger Review. Pursuant to a settlement in a Freedom of Information Act lawsuit against the Federal Trade Commission, EPIC has obtained documents detailing former FTC Chairman Deborah Platt Majoras' conflict of interest in the Google-Doubleclick merger review. Majoras headed the Commission's review of the proposed $3.1 billion Google acquisition while her spouse's law firm represented Doubleclick. A July 17, 2007 memorandum obtained by EPIC flatly contradicts Majoras' claim that "no one at the FTC" knew of the conflict "until the afternoon of Tuesday, December 11, 2007." In 2007 EPIC and the Center for Digital Democracy urged the FTC to establish privacy safeguards as a condition of the merger. One week prior to the Commission's decision to approve the merger without conditions, EPIC learned that the Jones Day law firm represented Doubleclick. EPIC then submitted Freedom of Information requests to determine the role of the Jones Day firm in the merger review. For more, see EPIC's page EPIC v. FTC (July 8)
  • Senate Debates Warrantless Surveillance Bill, Telecom Immunity. Today the Senate will begin debate on the FISA Amendments Act. Votes are scheduled for tomorrow. The Act expands the President's warrantless surveillance powers, provides immunity for telecom companies that participated in warrantless surveillance, and requires review of warrantless surveillance by the executive branch Inspectors General. Senators Dodd, Leahy, and Feingold oppose the bill and will offer amendments to to strip the immunity provisions. Supporters of Presidential Candidate Barack Obama have urged him to oppose the legislation. The debate will be on C-SPAN 2 beginning 10 am EDT. For more, see EPIC's page on FISA. (July 8)
  • Google Adds Link to Privacy Policy. Following a public request by EPIC and other privacy organizations, Google posted a link from its homepage to its privacy policy. Under California law, Google was required to post the link within 30 days and, on day 30, the word "privacy" appeared on the Google homepage. Google's posting brings the site in line with the widespread practice of commercial web sites. For more information on Google and Privacy, see EPIC's page Privacy? (July 7).
  • 50th Anniversary of Landmark Ruling in NAACP v Alabama. Today marks the 50th anniversary of the Supreme Court's decision in NAACP v. Alabama, one of the most important privacy cases of the last century. Professor Anita L. Allen, a leading privacy scholar, author of many books and articles, and a member of the EPIC Board of Directors, wrote an essay to celebrate the anniversary of the decision. (June 30)
  • Under Pressure, Charter Cable Drops Internet Snooping Plan. Today, Charter announced that it will scrap its plan to intercept internet traffic for marketing purposes. The fourth-largest American cable company's plan recently came under fire from Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX). Congressman Markey welcomed today's news, and urged other companies to delay any similar plans until "important privacy concerns can be addressed." In May, Charter announced its intention to partner with NebuAd and spy on its customers' internet activities. Legal experts questioned the legality Charter's snooping program, citing federal laws, including the Wiretap Act and the Communications Act, which prohibit interception and disclosure of wire and electronic communications. For more information, see EPIC's page on Deep Packet Inspection and Privacy. (June 24)
  • OECD Secretary General Seeks to Formalize Civil Society Participation, Expresses Support for International Privacy Standards. At the OECD Ministerial conference on the Future of the Internet Economy, the Secretary General of the Paris-based research and policy-making organization recommended that the OECD "begin the process of formalising the participation of civil society and the technical community in the work of the OECD on the Internet economy." The OECD also reaffirmed support for the 1980 Privacy Guidelines, which are "the foundation for most countries privacy standards." Civil Society groups gathered in Seoul for a Public Voice Forum and to participate in the Ministerial conference. More than 70 organizations endorsed the "Civil Society-TUAC Seoul Declaration." (Jun. 20)
  • Supreme Court Rejects Limits on FOIA Requests. In a unanimous decision, the US Supreme Court upheld the right of individuals to request documents under the Freedom of Information Act, even if similar documents were previously requested by others. The Court rejected the Federal Aviation Administration's contention that it may ignore requests if the agency previously received identical requests from different requesters. The Court also rejected the agency's "virtual representation" claim, that a FOIA requester can be "virtually represented" by a previous requester who sought similar records. The Court based its decision on America's "deep-rooted historic tradition that everyone should have his own day in court." For more information, see EPIC's FOIA Litigation Manual and FOIA Litigation Docket. (June 13)
  • EPIC Urges Congress to Safeguard Medical Privacy. In response to a request from Congressman Edward Markey, EPIC recommended strong medical privacy safeguards in a bill that would establish a national framework for electronic health records. EPIC commended Congress for raising the vital issues implicated by digital health records, and recommended effective and meaningful privacy safeguards for consumers' personal medical information. EPIC detailed the privacy threats posed by electronic medical records, and recommended that Congress: recognize Americans' right to the privacy of their personal health information; provide enhanced protections for especially sensitive medical information; give patients the right to sue if their medical privacy is beached; and require commonsense security measures. For more, see EPIC's page on medical privacy. (June 13)
  • EPIC Urges Senate to Crack Down on Spyware. Today EPIC Executive Director Marc Rotenberg presented testimony on Spyware in a hearing before the Senate Commerce Committee. EPIC said Internet users face ongoing threats from Spyware and similar techniques. EPIC supported the Counter Spy Act but cautioned that a federal spyware law should not replace stronger state laws. EPIC also urged the Senate to address new surveillance techniques, such as deep packet inspection and Social Networking advertising. For more, see EPIC's page on personal surveillance technologies. (June 11)
  • Homeland Security Extends Control Over Workers, Travelers. President Bush has signed Executive Order 12989 which gives the Department of Homeland Security authority to review employment eligibility for all federal employees and federal contractors. The decision to expand "E-Verify" comes after Congress rejected the President's verification proposal and a federal court struck down the agency's attempt to establish similar authority by regulation. EPIC testified in Congress in 2007 against the "Employment Eligibility Verification System." Meanwhile, the Transportation Security Administration, a division of Homeland Security, will now require travelers to present identity documents or to be"cooperative." See EPIC Spotlight on Surveillance: "National Employment Database Could Prevent Millions of Citizens From Obtaining Jobs" and EPIC Amicus in Gilmore v. Ashcroft. (June 10)
  • Privacy Groups - "Google.com Should Link to a Privacy Policy." EPIC and a coalition of a dozen organizations, many based in California, have urged Google to include a link from its homepage to its privacy policy. In a letter to Google CEO Eric Schmidt, the groups say that the Internet giant is required by California privacy law to post the link. They also point out that posting it is the"widespread practice of commmercial web sites." Press release. For more infomation on Google and Privacy, see EPIC's page Privacy? (June 3)
  • EPIC Speaks at DC City Council on Video Surveillance. EPIC Executive Director Marc Rotenberg appeared before the DC City Council today to support the efforts of Council Members to suspend the "VIPS" Surveillance System and to urge the City Council to investigate the role of the firm L-1 Identity Solutions, the leading vendor of camera surveillance equipment. See EPIC's page Video Surveillance and Observing Surveillance. (June 2)
  • Canadian Law Students File Privacy Complaint Against Facebook. The Canadian Internet Policy and Public Interest Clinic today filed a 35-page complaint under the Personal Information Protection and Electronic Documents Act against Facebook, alleging 22 separate violations of Canadian privacy law. CIPPIC Press Release. See EPIC Facebook Privacy page. (May 30)
  • EPIC Supports New Internet Privacy Standard. EPIC has expressed support for the DNSSEC proposal now under consideration at ICANN. The DNS security extension should help protect users from attempts by hackers to spoof, masquerade and hijack websites. The Public Interest Registry proposed to implement DNSSEC for the .ORG domain. DNSSEC is already in use by the top-level country code domains of Sweden, Bulgaria, Brazil and Puerto Rico. See EPIC Page on DNSSEC. (May 26)
  • President Signs Genetic Nondiscrimination Act. President Bush has signed in law the Genetic Information Nondiscrimination Act of 2008. The Act prohibits discrimination on the basis of genetic information with respect to health insurance and employment. However, the Act does not address the privacy risks associated with the collection and storage of electronic health records. See EPIC page on Genetic Privacy. (May 21.)
  • Congressman Barton Urges Scrutiny of Google's Privacy Practices.In a letter (pdf) to Google's Eric Schmidt, the top Republican of a powerful Congressional committee has asked the Google CEO to explain its privacy practices since the acquisition of Internet advertiser Doubleclick. Rep. Joe Barton (R-TX) also pressed Google about the retention of persistent identifiers, such as IP addresses and User IDs. Last year, EPIC, CDD and US PIRG urged (pdf) the Federal Trade Commission to impose privacy safeguards as a condition of the Google Doubleclick merger. Earlier this year, EPIC recommended (pdf) to the European Parliament that IP addresses be considered personally identifiable information. A subsequent report (pdf) from the Article 29 Working Group endorsed this approach. See EPIC's Privacy? Proposed Google-Doubleclick Merger page. (May 21)
  • CFP 2008 Launches Today. The 18th Annual Computers Freedom and Privacy Conference: CFP: Technology Policy '08, starts today in New Haven Connecticut. This year's panels include E-Deceptive Campaign Practices; Social Networks and User Generated Content; and New Challenges for Spyware Policy. CFP 2008 is focused on technology policy, noting "This election year will be the first to address US technology policy in the information age as part of our national debate." For the election year, EPIC has launched the Privacy '08 campaign. (May 20)
  • Senate Explores Role of US Firms in China. A hearing in the Senate Judiciary Committee today examined "Global Internet Freedom: Corporate Responsibility and the Rule of Law." Representatives from Google, Yahoo, and Cisco answered questions about corporate practices. The surveillance firm L-1, which was the focus of a recent Rolling Stone article did not not participate. EPIC and Privacy International publish Privacy and Human Rights, a detailed report on the state of privacy around the world which discusses new systems of surveillance in China. (May 20)
  • Congressional Privacy Leaders Call for Charter Cable to Halt Internet Snooping Plan. Rep. Edward J. Markey (D-MA) and Rep. Joe Barton (R-TX), senior members of Congress and leading privacy champions, challenged the legality of Charter Communications' plan to intercept and inspect their customers' Internet activity. The Congressmen stated that provisions of the federal Communications Act prohibit companies that provide cable services from disclosing subscribers' personally identifiable information without "prior written or electronic consent of the subscriber." Charter plans to intercept its customers' Internet activity without obtaining prior written consent. Congressmen Markey and Baton requested that Charter Communication hold off on the proposed venture with NebuAd. See EPIC's page on Deep Packet Inspection and Privacy (May 20)
  • EPIC, Technical Experts, Legal Scholars, and Civil Liberties Organizations Urge Accuracy In Police Databases. EPIC today filed a "friend of the court" brief (pdf) in the United States Supreme Court, urging the Justices to ensure the accuracy of police databases. The brief was filed on behalf of 27 legal scholars and technical experts and 13 privacy and civil liberty groups. In Herring v. US, the Court will be asked to determine whether an arrest based on inaccurate information in a criminal justice database should be upheld. EPIC explained how government databases are becoming increasingly unreliable, according to the government's own studies and urged the Court to "ensure an accuracy obligation on law enforcement agents who rely on criminal justice information systems." The amici warned that, "to permit a good faith reliance on data that is inaccurate, incomplete, or out of date will actually exacerbate the problem and increase the likelihood of unfair treatment in the criminal justice system." See EPIC page on Herring v. US. (May 16)
  • D.C. Council Cuts Funding for Video Surveillance System. The D.C. City Council has removed $886,000 from the Mayor's proposed homeland security budget for a system of 5,200 surveillance cameras in the nation's capital. D.C. Council members and others criticized the "Video Interoperability for Public Safety" system, which lacks privacy safeguards. The Council required the Mayor to develop rules for video surveillance cameras and technology that must be approved by the Council before future funding is authorized. See EPIC's page on Video Surveillance and Observing Surveillance. (May 14)
  • FTC Issues Additional CAN-SPAM Rules, Fails to Regulate Third-Party List Brokers This week, the Federal Trade Commission approved new rules for CAN-SPAM, the federal anti-spam law. The Commission stated that consumers cannot be charged a fee to opt out of spam. The FTC also determined that third-party list brokers (companies that sell email lists to spammers) are not subject to CAN-SPAM's opt-out requirements. In 2005, EPIC urged the FTC to impose opt-out requirements on third-party list brokers. EPIC stated that this requirement was consistent with CAN-SPAM's goal and was more effective than the present system, which requires consumers to opt out with individual companies. For more information, see EPIC's web page: "SPAM - Unsolicited Commercial E-Mai" (May 15)
  • EPIC Report: "REAL ID Implementation Review: Few Benefits, Staggering Costs". At a REAL ID Workshop at the Berkman Center, EPIC today released a new report on the Department of Homeland Security's national identification proposal, the REAL ID system. "May 11, 2008 is the statutory deadline for implementation of the REAL ID system. Yet on this date, not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017." See EPIC page on National ID Cards and the REAL ID Act, and EPIC Comments on the Draft Regulations. (May 13)
  • Coalition for Patient Privacy Urges Privacy Controls In Electronic Prescriptions. The Coalition for Patient Privacy (25 privacy and civil liberty groups) today sent a letter (pdf) to Congress urging members "to include privacy protections in any measures supporting or mandating electronic prescribing." The coalition also recommended members "prohibit the use of prescription data for purposes other than prescription filling." EPIC previously detailed the substantial privacy interest in prescription information and the harm caused by corporations who mined the data for marketing purposes in a "friend of the court" brief (pdf) in a New Hampshire case. See EPIC pages on IMS Health v. Ayotte and Medical Privacy. (May 11)
  • EPIC Prevails in Virginia Fusion Center FOIA Case. Yesterday, Richmond General District Court held that EPIC "substantially prevailed" on the merits of its freedom of information lawsuit against the Virginia State Police. EPIC filed the case after the State Police refused to disclose documents describing the federal government's involvement in efforts to limit Virginia's transparency and privacy laws. Through the litigation, EPIC uncovered a secret contract between the State Police and the FBI that limits the rights of Virginia citizens to learn what information the State Police collect about them. The court's letter opinion requires the State Police to pay EPIC's litigation costs, but not its attorneys' fees. For more information, see EPIC's web page EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill. For more information about fusion centers, see EPIC's Fusion Center Page (May 9)
  • EPIC Commends D.C. Council Committee for Blocking Funding for New Surveillance System. In a letter (pdf) to the D.C. Council, EPIC, ACLU-NCA and the Constitution Project commended the Public Safety and Judiciary Committee for cutting $886,000 from the proposed homeland security budget for a system of 5,200 surveillance cameras. D.C. Council members and others have criticized the "Video Interoperability for Public Safety" system, which lacks privacy safeguards. The groups urged the full Council to examine "the VIPS program and explore whether a centralized network of thousands of cameras throughout the District is a cost effective and appropriate strategy." See EPIC's page on Video Surveillance. (May 9)
  • EPIC Recommends Privacy Safeguards for Voting System Standards. EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC proposed new guidance on privacy protection in the casting of ballots. EPIC alo recommended more transparency for the privacy protections provided by federally certified voting systems. For more information on EPIC's voting project visit Voting Privacy and the National Committee for Voting Integrity. (May 8)
  • EPIC, Privacy Groups, Technical Experts, and Legal Scholars Support Opt-In for Telephone Services. EPIC filed a "friend of the court" brief (pdf) today in federal appellate court urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. At issue is the Federal Communications Commission's Order (pdf) that protects consumers' telephone record information, which the National Cable and Telecommunications Association has challenged. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC's pages on NCTA v. FCC and CPNI (Customer Proprietary Network Information). (May 6)
  • D.C. Council Committee Refuses to Fund Mayor's Massive Camera Surveillance Network. The Public Safety and Judiciary Committee of the D.C. Council has cut $886,000 from Mayor Fenty's proposed homeland security budget, money designated for the consolidation of about 5,200 surveillance cameras into a single network. D.C. Council members and others have criticized the Video Interoperability for Public Safety, which does not yet have regulations to protect individual privacy. The budget will go to the full Council, which could choose to reinstate the funding. The Department of Homeland Security will provide approximately 90% of the funding for the D.C. camera system. In March, in a statement to the DC Council, EPIC urged (pdf) a careful evaluation of the cost and effectiveness of camera surveillance systems. No studies have shown a significant drop in violent crime when camera systems are used. See EPIC's page on Video Surveillance. (May 2)
  • FISA Orders Up, Government Reporting on National Security Letters Begins. According to the 2007 FISA report, the Foreign Intelligence Surveillance Court approved 2,370 application to conduct electronic surveillance and physical searches in the United States in 2007, up from 2,176 applications approved in 2006. For the first time, the report includes information regarding the total number of requests made by the Department of Justice with National Security Letter authority for information concerning U.S. persons. in 2006, the government made approximately 12,583 NSL requests for information concerning 4,790 U.S. persons. The 2007 NSL statistics are expected later this year. For more information on FISA, see EPIC FISA Orders page and EPIC FISA page. (May 1)
  • Wiretaps Up by 20 Percent in 2007.According to the 2007 Wiretap report, federal and state courts issued 2,208 orders for the interception of wire, oral or electronic communications in 2007, compared to 1,839 in 2006. (Press release.) As in 2006, no applications for wiretap authorizations were denied by either state or federal courts. The total number of authorized wiretaps has grown in each of the five past calendar years, beginning in 2003. The 2007 Wiretap Report does not include interceptions regulated by the Foreign Intelligence Surveillance Act of 1978 or interceptions initiated by the President outside the exclusive authority of the federal wiretap law and the FISA. See EPIC Wiretapping page. (Apr. 30).
  • EPIC Urges Commission to Impose Civil Penalties in Data Breach Settlements. Today, EPIC filed comments with the Federal Trade Commission urging the FTC to include civil penalties in settlements with TJX, Reed Elsevier, and Seisint. The FTC recently concluded investigations of the companies' weak security policies, and reached preliminary settlements that would impose security and audit responsibilities, but no financial penalties. The FTC's investigations arose from the companies' unrelated 2004-2005 data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in alleged financial fraud. EPIC noted that civil penalties were necessary to provide incentives for companies to better safeguard personal consumer data in the future, and observed that the FTC imposed $10 million in civil penalties in the Choicepoint case. For more on data breaches and ID theft, see EPIC's Identity Theft: Its Causes and Solutions page. (Apr. 28)
  • Supreme Court Upholds Voter ID Law. The U.S. Supreme Court today struck down a challenge to a voter ID law in Indiana. In 6-3 opinion (pdf), the majority said the state interests "are both neutral and sufficiently strong to require us to reject petitioners' facial attack on the statute," and the burden imposed on v oters was "minimal and justified." Justice Souter wrote in dissent, "this statute imposes a disproportionate burden upon those without" government-issued photo IDs. EPIC had submitted a brief (pdf) detailing problems with the law. "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system." See EPIC pages on Crawford v. Marion County and Voter Privacy. (Apr. 28)
  • EPIC Testifies Before the Election Commission on New Voting Guidelines. EPIC Associate Director Lillie Coney testified before the Election Assistance Commission on the 2007 Voting System Guidelines. EPIC urged the Commission to "offer clear and effective guidance to states on issues of functional capability, hardware, software, telecommunication, security, quality assurance, and configuration of voting systems." The Commission is nearing the end of the second voting guidelines drafting process. For more information on the voting project, see EPIC's Voting Privacy page and the National Committee for Voting Integrity. (Apr. 24).
  • U.S. Senate Approves Genetic Privacy Legislation. The U.S. Senate today passed Genetic Information Nondiscrimination Act. The bill, which passed the Senate in 2003 but died in the House, was reintroduced on January 16. The genetic privacy bill addresses the risk that advances in genetics open new opportunities for medical progress and will also give rise to the potential misuse of genetic data to discriminate. The bill seeks to establish a national standard to prohibit genetic discrimination by health insurance providers and employers. Under the bill, these entities cannot require genetic testing, cannot determine premiums or eligibility for insurance or employment based on genetic information, and are limited in their collection and use of genetic data. The bill now goes back to the House; President Bush has said he supports the legislation. See EPIC's page on Genetic Privacy. (Apr. 24)
  • NJ Supreme Court: Subscribers Have Privacy Right In Their Internet Data. In a 7-0 ruling (pdf) today, the New Jersey Supreme Court upheld a lower court ruling (pdf) and found that Internet service providers must protect user information and a valid subpoena is needed before the providers can disclose private data about subscribers. "We now hold that citizens have a reasonable expectation of privacy, protected by Article I, Paragraph 7, of the New Jersey Constitution, in the subscriber information they provide to Internet service providers - just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies," the court ruled. Last year, EPIC joined five groups in filing a "friend of the court" brief (pdf) to the NJ Supreme Court in New Jersey v. Reid. In their brief, the groups explained, "This case raises far-reaching questions about the scope of privacy protection in the electronic environment," especially because subscriber information "can reveal substantially more about an individual than, for example, the phone numbers she dials." (Apr. 21)
  • EPIC Seeks Documents About Federal Influence on Fusion Center Transparency and Privacy.EPIC filed an open government request (pdf) with the Texas Department of Public Safety today. EPIC's request seeks documents about the federal government's role in the Texas Fusion Center's transparency and privacy policies. The White House's official position (pdf) requires fusion centers to respect state open government and privacy laws. However, EPIC recently obtained documents (pdf), through FOI litigation, that reveal federal involvement in limiting Virginia's open government and privacy protections. For more information, see EPIC's Fusion Center page and EPIC's EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill page. (Apr. 18)
  • International Privacy Officials Recommend Social Networking Privacy Safeguards. The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public. For more information, see EPIC pages on Social Networking and Facebook Privacy. (Apr. 17)
  • Senate Subcommittee Questions Officials Regarding Fusion Centers.Today, the Senate Subcommittee on State, Local, and Private Sector Preparedness and Integration held a hearing on "fusion centers" - intelligence databases that collect information on ordinary citizens. The Subcommittee questioned federal and state officials about fusion center progress, and witnesses testified regarding fusion center funding, development, and civil liberties issues. EPIC previously wrote to the Subcommittee about the impact of fusion centers on state open government and privacy laws. Through Freedom of Information Act litigation, EPIC is investigating the role of federal agencies in exempting fusion centers from state open government and privacy laws. For more information, see EPIC's Fusion Center page and EPIC's EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill page. (Apr. 17)
  • EPIC Urges Strong Consumer Protections in RFID Legislation in New Hampshire. In response to a request from the New Hampshire Senate, EPIC today expressed support (pdf) for HB 686, concerning radio frequency identification (RFID) technology. "The legislation would establish important safeguards for New Hampshire residents including: (1) penalties for illegal use of RFID technology; (2) a private right of action for individuals; (3) restrictions on the use of RFID technology by the State of New Hampshire with few exceptions; (4) prohibitions on electronic tracking of individuals without a valid court order or consent; and (5) prohibitions against forced implantation of RFID devices in humans." EPIC also recommended the NH Senate "also (1) address unique identifiers linked to databases containing personally identifiable information, and (2) label RFID readers and interrogators, as well as RFID tags and products containing tags." See EPIC's page on RFID. (Apr. 14)
  • Alaska Joins Other States in Rejecting REAL ID System. Just two weeks after DHS granted all 56 states and territories extensions that would allow state licenses and ID cards to remain "valid for federal purposes" past May 11, 2008, Alaska has passed legislation against the REAL ID national identification scheme. SB 202 (pdf) states, "A state agency may not expend funds solely for the purpose of implementing or aiding in the implementation of, the requirements of the federal Real ID Act of 2005." DHS has said it "made extensions available for states that needed additional time to come into compliance, or to complete ongoing security measures," implying that states that received extensions had agreed to implement the national identification system. However, Alaska is one of several states that has declared unequivocally that it will not implement the REAL ID scheme. See EPIC's page on National ID Cards and the REAL ID Act. (Apr. 11)
  • EPIC Obtains Documents Revealing Federal Role In State Fusion Center Secrecy. Pursuant to a Freedom of Information Act lawsuit, EPIC has obtained a Memorandum of Understanding between the FBI and the Virginia State Police that limits the state's open government law. The agreement requires the state agency to comply with federal regulations that restrict the disclosure of public records about the Virginia Fusion Center that would otherwise be available to the public. But many other documents that EPIC is seeking about the fusion center and communications between the State Police and federal agencies have not yet been disclosed. At a hearing today in Richmond, a District Court judge required the State Police to produce all records that EPIC has sought by Monday, April 14. The Virginia Governor is currently considering a bill that would limit the state's open government and privacy laws for the Virginia Fusion Center. For more information, see EPIC v. Virginia Department of State Police. (Apr. 9)
  • European Privacy Officials: Privacy Rules Apply to Search Engines. European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page. (Apr. 7)
  • EPIC Urges Senate Committee to Press FTC on Consumer Privacy and FOIA Obligations, Proposes Budget Cut for Agency.Today, EPIC asked the Senate Commerce Committee to press the Federal Trade Commission on the Commission's failure to adequately protect consumer privacy and failure to operate transparently. EPIC highlighted the Commission's failure to require privacy safeguards as a condition of the recent Google-Doubleclick merger. EPIC also detailed the FTC's handling of FTC Chairman Deborah Platt Majoras' apparent conflict of interest in the merger review, and noted that the FTC has failed to disclose records relating to Jones Day's involvement in the merger review. The Senate Commerce Committee will hold hearings regarding the Commission's reauthorization on April 8, 2008. EPIC urged the Committee to cut the Commission's budget by 5% based on the Commission's lack of commitment to consumer privacy and open government. For more information, see EPIC's page on Privacy? Proposed Google/Doubleclick Deal. (Apr.7)
  • Congress Holds First Hearing on Online Virtual Worlds, Simulcast in Second Life. The House Commerce Committee held a hearing today on "Online Virtual Worlds: Applications and Avatars in a User-Generated Medium." It was the first simulcast of a Congressional hearing in a virtual world. In the Chairman's Opening Statement, Rep. Ed Markey (D-MA) described the hearing as "both a glimpse into the future and a window into the current reality of millions of people across the world." The most recent edition of the EPIC Privacy and Human Rights report contains a "country report" on Second Life. (Apr. 1)
  • DHS Hits Roadblocks In Demanding State Implementation of REAL ID System. Several states are rejecting the Department of Homeland Security's REAL ID program, which would create a national identification system. States have until March 31 to ask the agency for an extension that would allow state licenses and ID cards to remain "valid for federal purposes." Four states (Maine, Montana, New Hampshire and South Carolina) have expressly rejected the system and none asked for an extension. DHS has given Montana an extension, though the governor said (pdf) the state would never implement REAL ID. California (pdf) is among the states that requested an extension but said it did not agree to implement the national identification system. The REAL ID proposal has drawn sharp criticism from state governments, members of Congress, civil liberties advocates, and security experts (pdf). EPIC has called the scheme "a real danger to security and civil rights." See EPIC's page on National ID Cards and the REAL ID Act. (Mar. 24)
  • EPIC Sues to Compel Disclosure of Documents About Federal Role in Virginia Secrecy Bill. Today, EPIC filed a Virginia Freedom of Information Act lawsuit (pdf) challenging the Virginia State Police's failure to make public documents relating to the role of federal agencies in recent legislative efforts to limit the state's open government and privacy laws for "fusion centers." These intelligence databases collect information on ordinary citizens and have raised substantial privacy concerns. Press reports and statements from Virginia officials have raised questions about federal involvement in the Virginia legislation. The lawsuit follows EPIC's original requests (pdf). For more information, see EPIC's page Information Fusion Centers and Privacy. (Mar. 21)
  • UPDATE - Clinton, McCain, Obama Privacy Breached - Contractors Accessed Passport Files. The State Department has determined that three private contractors accessed the confidential passport file of Presidential candidates Hillary Clinton, John McCain, and Barack Obama. The FBI has opened an investigation. Government records are protected under the Privacy Act of 1974. Additional safeguards are in place for prominent persons, but Privacy Act enforcement across the federal government remains low and agencies frequently claim exemptions. Senator Clinton has also proposed a Privacy Bill of Rights to update the law and improve enforcement. (Mar. 21)
  • EPIC Urges Alaska Senate to Protect Consumers From RFID Misuse In testimony (pdf) to the Alaska Senate Judiciary Committee today, EPIC Senior Counsel Melissa Ngo supported Alaska's SB 293, which included prohibitions against unauthorized scanning and reading of RFID tags and against allowing RFID technology users' to require continued activation of RFID tags in order for consumers "to exchange, return, repair, or service an item that" contain RFID tags. However, EPIC recommended four changes to the bill: "(1) including regulations on the use of unique identifiers and the profiles that can be created; (2) including an enforcement provision with a private right of action; (3) stronger provisions on deactivation of tags, including the possibility of permanent deactivation; and (4) clearly and prominently labeling RFID readers or transponders." These additions would strengthen protections for consumers against misuse or abuse of data collected through RFID tags. See EPIC's page on RFID Systems. (Mar. 17)
  • Inspector General Finds Continuing Abuses of Patriot Act Powers For the fourth consecutive year, the Inspector General found (pdf) privacy breaches by FBI agents using National Security Letters, which permit the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. A second report (pdf) found abuses of Patriot Act Section 215 orders that allow the FBI to demand business records and other "tangible things" from any company or individual. "[W]e found that the FBI had issued [NSLs] for information about [redacted] after the FISA court, citing First Amendment concerns, had twice declined to sign Section 215 orders in the same investigation," the Inspector General said. Sen. Patrick Leahy, Chairman of the Judiciary Committee, plans an oversight hearing. "Legislative action may be necessary to correct these abuses. I intend to seek accountability and advertence to the rule of law," he said. EPIC has recommended (pdf) reforms to the NSL authority. See EPIC's page on National Security Letters. (Mar. 14)
  • EPIC Sues Trade Commission to Compel Disclosure of Documents Concerning Jones Day's Role in US Doubleclick Merger Review. Today, EPIC filed a Freedom of Information Act lawsuit (pdf) challenging the Federal Trade Commission's failure to make public documents relating to the role of the Jones Day law firm in the Google-Doubleclick merger review. The lawsuit follows EPIC's original request (pdf) and subsequent administrative appeal (pdf). During the FTC merger review, Jones Day publicly stated that it represented Doubleclick (pdf). After EPIC learned that Chairman Majoras' spouse is a Jones Day partner, EPIC moved for the recusal of the FTC Chairman, and emphasized that recusal had occurred in other similar matters involving conflicts of interest with the Jones Day firm. However, Chairman Majoras participated in the Google-Doubleclick review and voted to approve the merger without conditions, despite privacy groups' warnings that the merger would threaten consumer privacy. (Mar. 14)
  • EPIC Opposes Expanded Camera Surveillance of DC Residents. In a statement to the DC Council, EPIC urged (pdf) a careful evaluation of the cost and effectiveness of camera surveillance systems. Council members are debating a bill that would require all gas station owners in the District to purchase and install camera systems. However, no studies have shown a significant drop in violent crime when camera systems are used. The Metropolitan Police Department has suggested a drop in crime in some parts of the city, but Council member Mary Cheh noted that MPD did not analyze whether the crimes were merely displaced to other areas of the city. As for helping to solve crimes, in the MPD's annual report (pdf) on cameras, police showed no convictions and a handful of arrests based on evidence from the 73 cameras throughout the District. For more information, see EPIC's page on Video Surveillance. (Mar. 11)
  • European Commission Approves Google-Doubleclick Merger, But European Privacy Laws Will Apply. The European Commission today approved the proposed Google-Doubleclick merger under its competition authority. Though the Commission did not consider privacy in the merger review, it did reaffirm the obligation of Google-Doubleclick to comply with European privacy laws. "The Commission's decision to clear the proposed merger is based exclusively on its appraisal under the EU Merger Regulation. It is without prejudice to the merged entity's obligations under EU legislation in relation to the protection of individuals and the protection of privacy with regard to the processing of personal data and the Member States' implementing legislation." Last year, EPIC filed a complaint (pdf) with the US Federal Trade Commission, urging the FTC to open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users. In January testimony (pdf) before the European Parliament, EPIC urged the European Commission to establish privacy safeguards as a condition of the merger. See EPIC's page on Privacy? Proposed Google/Doubleclick Deal. (Mar. 11)
  • EPIC Urges Investigation of "Stalker Spyware". EPIC filed a complaint with the Federal Trade Commission against several purveyors of stalker spyware. Stalker spyware products are over the counter surveillance technologies sold for individuals to spy on other individuals -- and can be used by abusers to spy on their victims. The complaint alleges that these companies engage in unfair and deceptive practices by: (1) promoting illegal surveillance by abusers of their victims; (2) promoting "Trojan Horse" email attacks; and (3) failing to warn their customers of legal dangers of misuse of stalker spyware. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and investigate other harms that stalker spyware may cause. For more information see EPIC's pages on Personal Surveillance Technologies, and Domestic Violence and Privacy. (Mar. 7)
  • Virginia Lawmakers Consider Fusion Center Secrecy Bill as Role of Federal Agencies Remains Unknown. Today the Virginia Senate is considering legislation that would limit the state's open government and privacy laws for "fusion centers." These intelligence databases collect information on ordinary citizens and have raised substantial privacy concerns. Press reports and statements from Virginia officials have also raised questions about federal involvement in the Virginia legislation. EPIC filed Freedom of Information Act requests with two Virginia agencies on February 12, 2008 to determine whether the Dept. of Justice or the Dept. of Homeland Security participated in the development of the legislation. Despite the expiration of the statutory deadline and the pending vote in the Virginia Assembly, the state agencies have not released a single public record in response to EPIC's requests. For more information, see EPIC's page Information Fusion Centers and Privacy. (Feb. 26)
  • EC Opens Public Consultation on RFID Recommendations. The European Commission has published draft guidelines on the use radio frequency identification (RFID) technology in member countries. Among other proposals, the commission recommends RFID operators conduct privacy impact assessments before deploying the technology and immediate deactivation of RFID tags containing personal data when goods are purchased. The public is encouraged to submit comments; the deadline is April 25. A final version of the recommendations is expected in Summer 2008. EPIC has experience detailing (pdf) the privacy and security problems that can accompany use of RFID technology. See EPIC's page on RFID. (Feb. 25)
  • Search Histories Subject to European Privacy Rules. European privacy officials determined this week that companies operating search engines will be subject to European privacy rules that limit the collection, use, and disclosure of personal information. The privacy officials who make up the Article 29 Working Group stated that "The protection of the users' privacy and the guaranteeing of their rights, such as the right to access to their data and the right to information as provided for by the applicable data protection regulations, remain the core issues of the ongoing debate." Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. A report from the Article 29 Working Group on Search Engines and Privacy is expected in April. (Feb. 22)
  • Data Broker Merger Threatens Privacy. Reed-Elsevier, corporate parents of Lexis-Nexis, has made a move to acquire Choicepoint, the databroker. Consumer privacy will be seriously affected if the merger is approved without any privacy safeguards. The previous Google-Doubleclick merger involving two large databases of personal information similarly raised privacy as well as antitrust issues. Choicepoint is a large player in the commercial databroker market and has been the target of an EPIC privacy complaint and an FTC investigation and fine for the privacy harms its business practices cause. For more see EPIC's page on Choicepoint. (Feb. 21)
  • Facebook Eases Account Deletion, Default Third Party Information Sharing Remains. After recent criticisms, concerning the practical impossibility of deleting account information, Facebook has changed its help page on deletion. Users may now contact Facebook to request permanent deletion of their information. However, Facebook's default sharing of excess personal information with thousands of third party application developers remains. User information travels to these third parties when they or their friends add an application to their profiles. Facebook disclaims all liability from what happens to that information. For more, see EPIC's page on Facebook. (Feb. 19)
  • Supreme Court To Review Decision on Faulty Arrest. The US Supreme Court today agreed to consider Herring v. United States (pdf), a challenge to an arrest based on inaccurate information in a government database. The Court will decide whether to suppress the evidence obtained. In a 1995 opinion, Justice O'Connor wrote, "In recent years, we have witnessed the advent of powerful, computer-based recordkeeping systems that facilitate arrests in ways that have never before been possible. The police, of course, are entitled to enjoy the substantial advantages this technology confers. They may not, however, rely on it blindly. With the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities." EPIC has also highlighted problems with inaccurate government databases in formal comments to federal agencies, as well as a 2003 online campaign urging the reestablishment of accuracy requirements for the FBI's National Crime Information Center, the nation's largest criminal justice database. For more information, see EPIC's page on Herring v. US (Feb. 19)
  • House Holds Fast on Privacy Law Enforcement, President's Unconstitutional Warrantless Surveillance Powers to Expire. The House of Representatives recessed yesterday, allowing the Protect America Act to expire on Saturday. That law, passed in August, expanded the warrantless surveillance powers of the President. The White House also wants legal immunity for telephone companies that participated in the warrantless surveillance program. The House last year passed the RESTORE Act, which rejected the effort to gut the federal wiretap law. After extensive White House lobbying, the Senate this week passed S. 2248 with the immunity provision, but the House said no to the White House effort to adopt the Senate bill. EPIC and other groups are suing the Department of Justice for documents on the legal justification for the warrantless surveillance program. For more, see EPIC's page on FISA. (Feb. 15)
  • EPIC Challenges Trade Commission's Failure to Produce Documents Concerning Jones Day's Role in US Doubleclick Merger Review. In a Freedom of Information Act appeal(pdf), EPIC challenged the Federal Trade Commission's failure to make public documents relating to the role of the Jones Day law firm in the Google-Doubleclick merger review. The appeal follows EPIC's original request. During the FTC review, Jones Day publicly stated that it represented Doubleclick but later denied representing Doubleclick, after EPIC learned that Chairman Majoras' husband, John M. Majoras, is a Jones Day partner. EPIC moved for the recusal of the Chairman, and noted that recusal had occurred in other matters involving apparent conflicts of interest with the Jones Day firm. However, Chairman Majoras participated in the review and voted to approve the merger without conditions, despite privacy groups' warnings that the merger would threaten consumer privacy. For more information, see EPIC's page Privacy? Proposed Google/Doubleclick Deal. (Feb. 13)
  • EPIC Seeks Documents About Federal Role in Effort to Limit Accountability of State "Fusion Centers". EPIC filed a Freedom of Information Act request (pdf) with the Virginia State Police today. EPIC's request seeks documents about a plan that would shroud the Virginia Fusion Center, a database that collects detailed information on ordinary citizens, in secrecy. The Virginia legislature is considering a bill that would limit Virginia's open government and privacy statutes, as well as Virginia's common law right of privacy, for Virginia agencies connected to the Fusion Center. Press Groups have criticized the proposed law, and warned that, if passed, Virginia citizens can "say hello to Big Brother." EPIC's FOIA request focuses on the possible role of the US Department of Justice and the US Department of Homeland Security in the development of the Virginia legislation. For more information, see EPIC's page Information Fusion Centers and Privacy. (Feb. 12)
  • EPIC, Privacy Groups Renew Call for Investigation of Ask Eraser. EPIC filed a supplemental complaint (pdf) with the Federal Trade Commission today highlighting the ongoing consumer privacy threats posed by Ask.com's AskEraser product. The new complaint restates that Ask.com is engaging in an unfair and deceptive trade practice. Ask.com corrected one substantial problem with AskEraser following an earlier letter from EPIC, but EPIC makes clear in the new filing that Ask.com has failed to resolve the substantial threats to consumer privacy, and urges the FTC to move forward with an investigation. For more information, see the EPIC "Does Ask Eraser Really Erase?" page. (Feb. 8)
  • EPIC Urges Court to Assess Government Secrecy Claims in Domestic Surveillance Case. EPIC, in a joint brief (pdf) with the American Civil Liberties Union and the National Security Archive, asked a federal court to order the Department of Justice to produce legal opinions that were prepared to justify the President's domestic surveillance program. The brief renews EPIC's request that a federal judge review the documents held by the agency and determine whether they should be kept from the public. In December 2005, immediately after press reports uncovered the President's surveillance program, EPIC requested the legal opinions that were prepared to justify the program. The government refused to produce many key documents, and EPIC sued under the Freedom of Information Act. (Feb. 6)
  • Homeland Security Agency Finally Releases Annual Privacy Report. The Department of Homeland Security has just published the 2007 Annual Privacy Report, several months after it was due. Under the Homeland Security Act of 2002, the Chief Privacy Officer must prepare "a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters." The first report (April 2003 to June 2004), was published in February 2005. The second report (July 2004 to July 2006) was published in December 2006. EPIC has urged the timely publication of the Annual Reports so that the Congress and the public can meaningfully evaluate the impact of the Department's programs on privacy. For more information, see EPIC's letter on the Homeland Security Privacy Report. (Feb. 4)
  • Security Experts Warn that Pending Surveillance Law Will Weaken US National Security. In a report that will appear in IEEE Security & Privacy, leading experts in computer security warn that legislation now under consideration in the Senate could make the United States vulnerable to attack. The paper "Risking Communications security: Potential hazards of the Protect America Act" warns that warrantless wiretapping creates creates serious security risks, including "danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents." (Jan. 30)
  • European High Court Protects Internet Privacy. In response to a request from the Spanish national court, the European Court of Justice ruled today that European community law does not require European countries to disclose user information in civil cases involving copyright. The high court for the European Union also ruled that European countries have no obligation to require ISPs to retain data for civil lawsuits. The case is Promusicae, C-275/06. For more on international privacy law, see EPIC's Privacy and Human Rights report. (Jan. 29)
  • Europe Celebrates Privacy Day, US Intends New Internet Surveillance. The Council of Europe has designated January 28 Data Protection Day, a day to "to inform and educate the public at large as to their day-to-day rights." The Wall Street Journal reported today that US Homeland Security Secretary Michael Chertoff is seeking $6 b to expand secret surveillance of Internet communications, which would include government sensors on private, company networks. EPIC's Privacy and Human Rights reports surveys privacy developments around the globe. Privacy International recently published International Privacy Rankings for 2007. (Jan. 28)
  • EPIC Urges European Parliament to Act on Google-Doubleclick Merger. In testimony before the European Parliament in Brussels, EPIC President Marc Rotenberg said that the European Commission must establish privacy safeguards because the US Federal Trade Commission failed to do so (pdf) during the US merger review. Mr. Rotenberg also said that Google was beginning to reveal the characteristics of an "information monopolist" and that it was important for governments to act to preserve the rights of citizens and to safeguard competition and innovation in the information economy. For more information, see page on Privacy? Proposed Google-DoubleClick Merger. (Jan. 21)
  • Montana Governor Urges REAL ID Rebellion. In a letter (pdf) to the governors of 17 states, Montana Governor Brian Schweitzer asked them to band together to reject the REAL ID national identification system. "Today, I am asking you to join with me in resisting the DHS coercion to comply with the provisions of REAL ID," Gov. Schweitzer wrote. "I would like us to speak with one, unified voice and demand the Congress step in and fix this mess." On January 11, Homeland Security Secretary Michael Chertoff released the agency's final regulations for REAL ID. The proposal has drawn sharp criticism from state governments, members of Congress, civil liberties advocates, and security experts (pdf). EPIC has called the scheme "a real danger to security and civil rights." See EPIC's National ID Cards and REAL ID Act page. (Jan. 21)
  • Consumer Privacy Coalition Files FTC Complaint Against Ask.com. EPIC and five other groups filed a complaint (pdf) with the Federal Trade Commission alleging that Ask.com is engaging in unfair and deceptive trade practices with the representations concerning AskEraser, a search service that purports to protect privacy. Among the critical points highlighted by the consumer privacy coalition: (1) users must accept an AskEraser cookie and disable a genuine privacy feature in browsers that block cookies; (2) the AskEraser cookie is a unique persistent identifier that makes it easy for Ask.com, its business partners, and the government to track the activities of AskEraser users; and (3) Ask.com will disable the search delete feature -- the central purpose of the Ask Eraser service -- without notice to the user. The complaint follows a December letter (pdf) to Ask.com describing these security and privacy problems. (Jan. 19)
  • EPIC Proposes Privacy Conditions for Video Surveillance. In comments (pdf) filed today with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices must govern any use of video surveillance; (5) there must be a privacy and civil liberties assessment; and (6) there needs to be room to create enhanced safeguards for any enhanced surveillance. EPIC's framework is based on Fair Information Practices, the Privacy Act of 1974, the 1980 OECD Privacy Guidelines, and the Video Voyeurism Act. See EPIC's page on Video Surveillance. (Jan. 15)
  • National Identification Plan Announced. Department of Homeland Security Secretary Michael Chertoff today released the agency's final regulations for REAL ID, the national identification system. The proposal has drawn sharp criticism from state governments, members of Congress, civil liberties advocates, and security experts (pdf). The Secretary scaled back some of the requirements, reduced the cost, and extended the deadline for state compliance. However, Secretary Chertoff also indicated that the REAL ID card would be used for a wide variety of purposes, unrelated to the law that authorized the system, including employment verification and immigration determination. He also indicated that the agency would not prevent the use of the card by private parties for non-government purposes. As part of the cost-saving effort, Homeland Security has decided not to encrypt the data that will be stored on the card. Congress is considering legislation to repeal the Act. View EPIC's press release: Homeland Security Department Announces Deeply Flawed Regulations For National ID System. For more information, see EPIC's National ID Cards and REAL ID Act page. (Jan. 11)
  • Homeland Security Expected To Release REAL ID Regulations on Friday. EPIC has learned that the Department of Homeland Security will release the final regulations for REAL ID tomorrow at noon ET. The proposal for a federally mandated national identification system has been widely criticized. EPIC and others (pdf) have detailed security and privacy problems (pdf) with the plan. A coalition of organizations urged the Homeland Security agency to withdraw the proposal. Seventeen states formally opposed REAL ID, and Congress is considering legislation that would repeal the plan. The original deadline for implementation was 2008, but DHS has pushed it back to 2013, in part, because of public opposition. See EPIC's National ID Cards and REAL ID Act page. (Jan. 10)
  • Federal Appellate Court Hears Case on Prescription Data and Privacy. Today, the First Circuit Court of Appeals heard oral arguments in a case concerning a New Hampshire state law banning the sale of prescribe-identifiable prescription drug data for marketing purposes. In August, EPIC and 16 experts in privacy and technology filed a "friend of the court" brief (pdf) urging the First Circuit Court of Appeals to reverse the ruling (pdf) of the lower court, which held that the NH Prescription Confidentiality Act violated the free speech rights of data mining companies. The experts said the lower court should be reversed because there is a substantial privacy interest in de-identified patient data that the lower court failed to consider. This privacy interest, in part flows from the reality that data may not be, in fact, truly de-identified, and also because de-identified data does impact actual individuals. See EPIC's IMS Health v. Ayotte page. (Jan. 9)