News release: "The Federal Trade Commission warned marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act. The FTC warned the apps' marketers that, if they have reason to believe the background reports they provide are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Act. According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening."
"EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz."
"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."
EFF: "This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries. As part of International Privacy Day, the EFF asked data protection authorities, politicians, and activists about privacy related issues and concerns for 2012. In addition to the individuals highlighted in our previous posts, EFF heard back from the Council of Europe, the European Data Protection Supervisor (EDPS), and activists from Canada, France and Spain. In various ways, all of the responses focused on government surveillance or data protection laws. For the Council of Europe and European Data Protection Supervisor, the focus was on data protection agreements, while the activists were mindful of the ever-increasing power of government authorities to surveil their citizens."
"In honor of Data Privacy Day, the full ebook of lol...OMG! (regularly $9.99) is being made available for FREE!"
"One policy, one Google experience - We’re getting rid of over 60 different privacy policies across Google and replacing them with one that’s a lot shorter and easier to read. Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google."
News release: "The European Commission has today [January 24, 2012] proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe."
ACLU: "Yesterday evening, Google announced a new privacy policy effective March 1. The new policy is consistent across the vast majority of Google products...the new privacy policy makes clear that Google will, for the first time, combine the personal data you share with any one of its products or sites across almost all of its products and sites (everything but Google Chrome, Google Books, and Google Wallet) in order to obtain a more comprehensive picture of you. And there’s no opting out. This comes on the heels of Google’s new Search, plus Your World, a feature combining search results from the public web with private information and photos you have shared (or that have been shared with you) through Google+ or Picasa...The head of Google’s privacy for product and engineering explained on Google’s blog that integrating an individual’s profiles across Google’s sites will help Google “figure[e] out what you really mean when you type in Apple, Jaguar or Pink,” provide more relevant ads, “provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day” (thanks, Mom), and “ensure that our spelling suggestions, even for your friends’ names, are accurate...this data aggregation is not just about what ads you see, but as ACLU of Massachusetts describes, it creates an even larger treasure chest of personal information ripe for government picking."
Report from the Internet Privacy Workshop - Internet Architecture Board (IAB) - via CDT: "The workshop report provides a useful overview of fundamental privacy design challenges that appear again and again: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs. The report also identifies a number of barriers to successful deployment and analysis of privacy-minded protocols and systems, including the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives."
"Today the Supreme Court unanimously held in U.S. v. Jones that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment. The Court said that a warrant is required "[w]here, as here, the government obtains information by physically intruding on a constitutionally protected area," like a car. Concurring opinions by Justices Sotomayor and Alito urged the court to focus on the reasonableness of the suspect's expectation of privacy because physical intrusion is unnecessary to surveillance in the digital age. EPIC, joined by 30 legal and technical experts, filed a "friend of the court" brief. EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy"
"Google’s Good to Know campaign aims to help people stay safe on the Internet and manage the information they share online. The website and ads provide easy to use tips and advice on online security, help on understanding the data users share and tools they can use to manage their data. Written in clear language and featuring practical examples to illustrate complex security and privacy issues, the website and advertising campaign aim to empower users to tackle their online security concerns and make more informed decisions about their internet use. The U.S. campaign includes adverts in newspapers, on public transport and online. Download all print ads – (PDF)."
"As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly three hundred pages of documents detailing a Department of Homeland Security surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that "reflect adversely" on DHS or the U.S. government. One tracking report -- "Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison-Standish MI" -- summarizes dissent on blogs and social networking sites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring."
EPIC: "Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission."
EPIC: "In a letter to the Federal Trade Commission, EPIC has called for an investigation of recent changes by Google to Google Search, the dominant search algorithm on the Internet. EPIC cited Google's decision to include personal data, such as photos, posts, and contact details, gathered from Google+ in Google Search results. “Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of Google products and services and subjects the company to regular privacy audits. Recently, the Senate held a hearing on Google’s use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google’s acquisition of Youtube, which allowed Google to give preferential treatment to Google's own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade."
"EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship."
News release: "The Federal Trade Commission has approved a biennial report to Congress focusing on the use of the Do Not Call Registry by both consumers and businesses over the past two years, as well as the impact that new technologies have had on the Registry. As detailed in the report, the Do Not Call Registry now has more than 209 million active registrations, and more than eight million new phone numbers were registered in Fiscal Year 2011. During that time, approximately 35,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $13.7 million. The report concludes that since its inception, the Registry has successfully accepted consumer registrations and complaints, allowed businesses to obtain access to Registry data, and provided law enforcement with the tools needed to investigate complaints and bring appropriate actions."
"EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy."
Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices, by Seth Schoen, Marcia Hofmann and Rowan Reynolds, December 2011
News release: "The Office of the Data Protection Commissioner, Ireland 21 December 2011 published the outcome of its audit of Facebook Ireland (FB-I) which was conducted over the last three months including on-site in Facebook Ireland’s Headquarters in Dublin. The report is available in 2 parts: Report of the Audit, including recommendations and the Facebook Technical Analysis Report...It is a comprehensive assessment of Facebook Ireland’s compliance with Irish Data Protection law and by extension EU law in this area...Deputy Commissioner, Gary Davis who led the conduct of the Audit stated that “this Audit was the most comprehensive and detailed ever undertaken by our Office. We set ourselves a very ambitious target for completion and publication as both this Office and Facebook, felt it was important that the outcome be published and opened to public comment and scrutiny...Facebook is constantly evolving and adapting in response to user needs and technical developments. Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances. Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site’s success."
"Have you ever wondered why some online ads you see are targeted to your tastes and interests, or how websites remember your preferences from visit to visit? The answer may be in the “cookies.” A cookie is information saved by your web browser, the software program you use to visit the web. Cookies can be used by companies that collect, store and share bits of information about your online activities to track your behavior across sites. Cookies also can be used to customize your browsing experience, or to deliver ads targeted to you. OnGuardOnline.gov wants you to know how cookies are used and how you can control information about your browsing activities. Here are answers to some commonly asked questions about cookies – what they are, what they do, and how you can control them."
CRS — Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law. Richard M. Thompson, Law Clerk. December 1, 2011
Reading Digits in Natural Images with Unsupervised Feature Learning, Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, Andrew Y. Ng
News release: "The Information Commissioner’s Office (ICO) has today published new guidance making it clear that information concerning official business held in private email accounts is subject to the Freedom of Information Act. Information Commissioner, Christopher Graham said:
News release: "TRUSTe, the leading online privacy solutions provider, released its first privacy index as part of its new "Privacy Pulse" information series tracking changes and trends in online privacy. In the 2011 Website Edition of its Privacy Index, TRUSTe analyzed the privacy policies of the top 100 U.S. websites (as ranked by Alexa Sept. 2011) to evaluate privacy practices by measuring key policy attributes, as well as the type of disclosures contained in them. TRUSTe found that while nearly 100 percent of websites today include a privacy policy, existing policies are highly complex, lengthy and written in language that is confusing for the average person to understand. Additionally, the vast majority of privacy policies are not readily transparent regarding third-party usage of data or consumer choices."
NetworkWorld: "Engineering professor calls smartphone software 'appalling invasion of privacy'"
Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:
News release: "The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2011. The FTC's National Do Not Call Registry provides consumers with an easy way to stop unwanted telemarketing calls...According to the Data Book, at the end of FY 2011 (September 30, 2011), the Do Not Call Registry contained 209,722,924 actively registered phone numbers, up from 201,542,535 at the end of FY 2010. In addition, the number of consumer complaints about unwanted telemarketing calls increased from 1,633,819 at the end of FY 2010 to 2,272,662 at the end of FY 2011. In its third year of publication, the Data Book contains a wealth of information about the Registry for FY 2011, including:
The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world, November 2011
News release: "The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. The FTC's eight-count complaint against Facebook is part of the agency's ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law."
"Consumer Reports' Guide to online security outlines some of the most common Net threats—such as phishing, online scams, and computer viruses. (See: Best ways to stay safe online.) But our latest security report also notes that mobile phones and social media sites can also present a rising amount of ID theft risks since more consumers are using their smart phones to shop and sharing news of online bargains on Facebook. (See: Mobile phones: The new risk and Concerns about Facebook.) The Consumer Federation of America, a non-profit association of almost 300 consumer organizations, has compiled a list of 10 tips for having an ID theft-free holiday season (PDF) on its website, IDTheftInfo.org."
News release: "The loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected. SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes."
The growing impact of full disk encryption on digital forensics - Eoghan Casey, Geoff Fellows, Matthew Geiger, Gerasimos Stellatos
"Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001. The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country. The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month."
"The European Union has adopted strict new guidelines limiting the use of body scanners at EU airports. Under the new guidelines, European Union member states may only deploy airport body scanners if they comply with new regulations that protect health, privacy, and fundamental rights. The European Commission has also prohibited any devices that store, record, or transfer images of travelers as well as devices that display an image of the naked human body. As a result, backscatter x-ray devices are now effectively prohibited in airports in the European Union. The European Commission has also made clear that passengers may not be required to go through body scanners, following the conclusion reached by the federal appellate court in the United States in the EPIC v. DHS case, which held that passengers have a legal right to opt-out of body scanners. The body scanners have not done well during trials in Europe. Most recently a test in Germany found that the devices were ineffective. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program)."
Atlantic Wire - Adam Clark Estes: "When a federal judge ruled that Twitter must reveal the private data of three WikiLeaks associates on Thursday, privacy advocates died a little inside. The two organizations that had defended the three users, American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), immediately filed mournful blog posts that respectively raised doubts about the United States government's secretive handling of the case and highlighted the grave message the ruling sends about the future of privacy on the internet. But Wall Street Journal reporter Jennifer Valentine-DeVries sums up the implications of the case best with a leading question: "Should the government be able to collect information related to your Internet use without a warrant?" We now know that the federal court's answer is, "Yes."
The Socialbot Network: When Bots Socialize for Fame and Money - Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu - University of British Columbia, Vancouver, Canada
"The Berkman Center for Internet & Society is pleased to share a new paper published in First Monday, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act,’ authored by Berkman community members danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey.
CNNMoney: "Your phone company knows where you live, what websites you visit, what apps you download, what videos you like to watch, and even where you are. Now, some have begun selling that valuable information to the highest bidder. In mid-October, Verizon Wireless changed its privacy policy to allow the company to record customers' location data and Web browsing history, combine it with other personal information like age and gender, aggregate it with millions of other customers' data, and sell it on an anonymous basis."
Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared, B.U. J. SCI. & TECH. L., Vol. 17, Winter 2011.
DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011
News release: "The Electronic Frontier Foundation (EFF) sued the Department of Justice (DOJ) today for answers about "secret interpretations" of the USA PATRIOT Act, signed into law ten years ago today. Several senators have warned that the DOJ is using Section 215 of the PATRIOT Act to support what government attorneys call a "sensitive collection program" that may be targeting large numbers of Americans. Section 215 allows for secret court orders to obtain "tangible things" when the FBI certifies they are relevant to a government investigation. The list of possible "tangible things" the government can obtain is seemingly limitless, and could include everything from driver's license records to Internet browsing patterns. Section 215 also limits the court's discretion to deny the order and prevents the recipient of an order from disclosing its existence."
News release: "Following a public comment period, the Federal Trade Commission has accepted as final a settlement with Google, and authorized the staff to provide responses to the commenters of record. The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. The Commission vote approving the final settlement was 4-0.
Official Google Blog: "As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account."
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents, October 13, 2011
News release: "Concerned that the pairing of the new Kindle Fire tablet with its must-use Silk browser means Amazon could track each Web click of Kindle Fire users, Congressman Edward J. Markey (D-Mass.) [October 14, 2011] sent a letter to Amazon’s CEO asking for responses to questions about tablet users’ privacy and security...In May 2011, Reps. Markey and Joe Barton (R-Texas) introduced the Do Not Track Kids Act of 2011, bipartisan legislation that amends the Children’s Online Privacy Protection Act of 1998 to extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information. The legislation also establishes new protections for the personal information of children and teens."
Tracking the Trackers: Where Everybody Knows Your Username by Jonathan Mayer, posted on October 11, 2011
The Economist: "The beauty of Twitter, the popular microblogging service, is that users have to keep it short: messages can only be 140 characters long. But companies that mine the stream of tweets for marketing and other purposes (see article in this week's issue of The Economist) get much more information. [Here is a map] of a tweet including all its metadata. The map was published by Raffi Krikorian, a developer at Twitter. It is 18 months old, but it is safe to say that the amount of metadata attached to a tweet has not decreased since."
Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, Erica Newland, Caroline Nolan, Cynthia Wong, and Jillian York. The Berkman Center for Internet & Society and The Center for Democracy & Technology, September 2011
News release: "In a massive coordinated information-seeking campaign, 35 ACLU affiliates are filing over 381 requests in 32 states across the country with local law enforcement agencies large and small that seek to uncover when, why and how they are using cell phone location data to track Americans. The requests seek information from local law enforcement agencies, including:
News release: "An operator who allegedly sent millions of illegal spam text messages to consumers is banned from sending any unsolicited text messages, under a settlement agreement with the Federal Trade Commission entered by a federal court. According to the FTC complaint filed in February 2011, the marketer sent a “mind-boggling” number of unsolicited commercial text messages pitching mortgage modification services to consumers, and misrepresented that he was affiliated with a government agency. The FTC alleged that many consumers had to pay fees to their mobile carriers to receive the unsolicited text messages. The FTC also alleged that the marketer advertised his text message blasting services by sending consumers illegal spam. The agency charged him with violating the FTC Act and the CAN-SPAM Act."
News release: "A bankruptcy court in New York has approved the sale of customer information, including email addresses, phone numbers, mailing addresses, and birth dates, from Borders to Barnes & Noble, following an earlier determination that the transfer violated Borders' privacy policy. The judge has now required that former Borders customers receive an email notification and that the companies place prominent notices on their web sites and take out ads in USA Today. Customers will have 15 days to opt-out of the transfer."
News release: "What do you think about when choosing a cell phone provider? Their prices? Their coverage area? Whether they have spiffy, high-tech phones? Whether their phones work overseas or in the subway? What about how long they retain information about you and under what circumstances they turn it over to law enforcement? All of the nation's major mobile carriers are retaining their customers' location data for at least a year, according to a chart the Department of Justice (DOJ) developed in 2010 — and that the ACLU of North Carolina received in response to our public records request about local law enforcement's use of cell phone location information. And location info's not all they hang onto. We gave a copy of this document to Wired.com, which has written about it here."
News release: "Representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the Federal Trade Commission (FTC) asking the agency to investigate so-called “supercookies”, files that can be installed on computers without a user's knowledge. Supercookies allow websites to collect detailed personal data about users, including websites previously visited. Even when consumers choose to delete regular cookies from their computers, supercookies persist. According to a report last month in The Wall Street Journal (“Latest in Web Tracking: Stealthy ‘Supercookies’,” August 18, 2011), it was discovered that companies have been installing supercookies on users’ computers without their knowledge. Even technical experts at the websites in the report stated they had no knowledge that the secret files were being installed."
News release: "Buried in President Obama’s deficit reduction plan (see page 28) is a proposal to allow debt collectors “to contact delinquent debtors via their cellular phones” when collecting debts owed to or guaranteed by the federal government. The proposal will not help reduce the deficit and is harmful for consumers, the National Consumer Law Center warned...Currently, debt collection calls to cell phones are limited because collectors must check their phone number lists against a list of known cell phones and cannot call those numbers unless the consumer has provided that number as a way of reaching them. Though the proposal is limited to debts owed or guaranteed by the federal government, millions of consumers will be affected, including graduates who can’t pay their loans due to the terrible job market, homeowners who are behind in mortgages, and people who are in tax disputes with the Internal Revenue Service. Families who have lost their homes to foreclosure could be exposed to cell phone calls for years if the delinquency on their mortgage is sold to debt buyers."
EPIC: "Today Netflix announced that it has launched a DC lobbying campaign against a federal privacy law that protects customer video rental information. The company, which is already under fire for dramatic hikes in the subscription price of its once popular DVD rental program, now claims that the privacy law prevents Facebook users from posting information about Netflix on Facebook. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has ramped up its Washington influence, spending almost $200,000 in 2011, up from $20,000 in 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection." The law always had an exception for user consent, which means that Facebook users are free to disclose information about the videos they rent. But Netflix wants "blanket consent" so that all Netflix use will be posted routinely to Facebook. For more information, see EPIC: Video Privacy Protection Act."
"A report released today by the Center for Democracy & Technology and the Berkman Center for Internet & Society highlights the dilemmas companies and users face when enforcement of a website's Terms of Use policy results in deactivation of user accounts or removal of user-generated content. The report recommends principles, strategies, and tools that both companies and users can adopt to lessen the negative effects of account deactivation and content removal. The report, Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, outlines select examples of good company practices. Such practices feature rules and enforcement policies that are sensitive to users' free expression and privacy rights and to the potential risks faced by human rights activists, who are increasingly using social media tools in their work."
Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports Filed by the Securities and Futures Industries, January 1, 2005 – December 31, 2010. Report released September 2011.
News release: "Want to know more about Internet safety and security? Visit the new and improved OnGuardOnline.gov for practical tips and resources on how to be safe, secure and responsible online. Created through a partnership of 16 federal agencies led by the Federal Trade Commission, it’s a great source of free information for your home, school, community group, or workplace. OnGuardOnline’s new features include a cybersecurity blog and information updates via e-mail. Also, the FTC has partnered with the Department of Homeland Security and other agencies in the Stop.Think.Connect Campaign™ to raise awareness of the need for stronger cybersecurity with new approaches to help increase online safety and security. The new OnGuardOnline blog offers cybersecurity news from around the government, how-to articles and videos, and insights from federal officials. Check back regularly for updates, or sign up to get an e-mail when a new post is up. You can copy information from the site, adapt it, post it, or link to it, and you can share your thoughts on the blog. Updating your website or blog? Link to OnGuardOnline. Editing a newsletter? Use our articles. Need hand-outs for a talk you’re giving? Print publications from the website, or order free materials from the FTC."
News release: "The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs."
"The Tracking Protection Working Group is chartered to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements. The group seeks to standardize the technology and meaning of Do Not Track, and of Tracking Selection Lists." See in Input Documents as follows
News release: "Ever have a medical test done and then had to wait around – sometimes anxiously, depending on the test – to get the lab test results from your doctor? That’s about to change. Yesterday, the Department of Health and Human Services (HHS) proposed regulations that would give patients the ability to access their clinical lab test results directly from the lab, instead of having to wait to receive the results from their health care provider. This change further empowers patients to manage their own health care and organize electronic copies of their own data – a major benefit of the health care system’s transition to digital records...Yesterday’s proposed regulations will change how test results get to patients. The proposed regulations would modify CLIA to permit labs to send results directly to patients, and the proposed regulations would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results. Contrary state laws would be preempted. As with patients’ existing right of access, patients would have the ability to request their lab results in a particular form or format; for example, patients could request a paper copy of their test results, or to have the results sent electronically to the patients’ personal health record. (For more information on patients’ right to access their medical data, see CDT’s page on Getting Your Medical Records.)"
The Library of Congress - THOMAS: "This site was begun in September 2001 as a way of keeping the public readily apprised of legislation related to the terrorist attack on the United States that month. The selection, made by hand, is necessarily subjective, as the September 11th attack had a ripple effect on legislation in the second session of the 107th Congress, making boundaries difficult to draw. The site will not be updated after the conclusion of the 107th. Not included here are appropriations and authorization bills, which may include provisions relevant to our response to terrorism, but included are some bills related to bio-terrorism and not September 11th."
"The Circuit Court for the District of Columbia has ruled that the Department of Justice must release information regarding government surveillance of cell phone location data. The American Civil Liberties Union had filed a Freedom of Information Act request for information regarding current and past cases where the Department of Justice had accessed cell phone location data without a warrant. The agency sought to keep this information secret, claiming that releasing cell phone tracking data could implicate privacy of investigation subjects. The court, however, disagreed, stating, "The disclosure sought by the plaintiffs would inform this ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool." For more information, see EPIC: Wiretapping and EPIC: Electronic Surveillance 1968-2010."
The PII Problem: Privacy and a New Concept of Personally Identifiable Information (July 8, 2011). New York University Law Review, Vol. 86, 2011. Paul M. Schwartz and Daniel J. Solove.
"A Federal judge has ruled that law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York, found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected…In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information see: EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy."
"August 25, 2011 - Facebook is rolling out a series of changes to its privacy controls. We reviewed the changes in detail on Tuesday; now here’s how you can take advantage of these changes.
"Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."
Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011
A Guide to Facebook Security For Young Adults, Parents, and Educators, Linda McCarthy, Keith Watson, and Denise Weldon-Siviy, August 2011. "This online guide explains how you can:
Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."
Haystack: ...and how well hidden is YOUR needle?
Data-Enabled Government: How Well Is Our Personal Information Used and Protected? - HP Business White Paper
"Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."
Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011). Ayenson, Mika; Wambach, Dietrich James; Soltani, Ashkan; Good, Nathan; and Hoofnagle, Chris Jay. Available at SSRN
News release: "The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by encrypting connections to more than 1,000 websites. HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine. The article, entitled US internet providers hijacking users' search queries, documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs' networks. HTTPS can prevent such attacks."
News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."
EPIC: "The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. This retention is a radical contradiction of the core American value that we are innocent until proven guilty, said Representative Jason Chaffetz (R-UT)."
Faces of Facebook: Privacy in the Age of Augmented Reality - FAQ only - See also slides here. Alessandro Acquisti (Heinz College, Carnegie Mellon University), Ralph Gross (Heinz College, Carnegie Mellon University), Fred Stutzman (Heinz College, Carnegie Mellon University), August 2011
"Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."
CNET: "Google's Street View cars collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world, a practice that raises novel privacy concerns, CNET has confirmed. The cars were supposed to collect the locations of Wi-Fi access points. But Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data publicly available through Google.com until a few weeks ago."
Commentary: "Britain is now enmeshed in a gigantic scandal around privacy invasions by the press and police. It began with revelations about reporters for Rupert Murdoch's British tabloid newspaper News of the World hacking into the voicemail of a murdered young girl, and has expanded as other privacy invasions have come to light."
"The Federal Trade Commission today told Congress that protecting consumers’ privacy – through law enforcement, education and policy initiatives – is a top priority at the agency. In delivering Commission testimony before the House Committee on Energy and Commerce Subcommittees on Commerce, Manufacturing, and Trade, and Communications and Technology, Commissioner Edith Ramirez said, “Privacy has been an important part of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace."
Follow up to previous postings on whole body scanning at airports, via EPIC: "The European Parliament has adopted a resolution that sets out strict safeguards for airport body scanners. The resolution requires that Member States only "deploy technology which is the least harmful for human health" and establish substantial privacy protection. The resolution prohibits the use of body scanners that use ionizing radiation. New guidelines also state that airport body scanners "must not have the capabilities to store or save data." EPIC currently is pursuing a lawsuit to suspend the use of body scanners in the United States, citing several federal laws and the US Constitution. EPIC has called the US airport body scanner program "invasive, ineffective, and unlawful." For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology."
News release: "Outside, the global position system allows mobile phone users to pinpoint their location with surprising accuracy. But indoors, those who are lost are out of luck: GPS satellite signals can’t penetrate roofs. Researchers at the McCormick School of Engineering and Applied Science have determined one way of figuring out your location inside: by letting your phone listen. Their new mobile phone app, called Batphone, allows users to record ambient noise in a room and tag it with an acoustic fingerprint, which allows future users to use that database of fingerprints to determine their location." “We have found that the app has been very successful in determining locations,” says app developer Stephen Tarzia, a computer engineering graduate student in the Empathic Systems Project headed by electrical engineering and computer science professors Peter Dinda and Gokhan Memik and adjunct professor Robert Dick."
"Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications increased 34 percent in 2010, compared to the number reported in 2009. The interceptions are reported in the 2010 Wiretap Report, released today by the Administrative Office of the United States Courts (AOUSC). The current report covers intercepts concluded between January 1, 2010 and December 31, 2010. A total of 3,194 intercept applications by federal and state courts were authorized in 2010, with 1,207 applications by federal authorities authorized and 1,987 applications by 25 states authorized. One application was denied. Installed intercepts totaled 2,311."
News release: "The Federal Trade Commission told Congress that consumers must be confident that their privacy will be protected if they are to be willing to take advantage of all the benefits offered by the Internet marketplace. Commission testimony to the Senate Committee on Commerce, Science and Transportation, delivered by Commissioner Julie Brill, states that, “Privacy has been an important component of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"
OECD draft Communiqué on Principles for Internet Policy-Making, June 29, 2011
EPIC: "In a FOIA lawsuit against the Department of Homeland Security, EPIC has just obtained documents concerning the radiation risks of TSA's airport body scanner program. The documents include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of some radiation tests. One document set reveals that even after TSA employees identified cancer clusters possibly linked to radiation exposure, the agency failed to issue employees dosimeters - safety devices that could assess the level of radiation exposure. Another document indicates that the DHS mischaracterized the findings of the National Institute of Standards and Technology, stating that NIST "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that NIST disputed that characterization and stated that the Institute did not, in fact, test the devices. Also, a Johns Hopkins University study revealed that radiation zones around body scanners could exceed the "General Public Dose Limit." For more information, see EPIC: EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC: EPIC v. DHS (Suspension of Body Scanner Program)."
Know Your Rights! by Hanni Fakhoury, EFF Staff Attorney, June 2011
EPIC: "The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy."
FCC: "You may be one of many consumers who have received emails saying you’re about to be assaulted by unwanted telemarketing calls to your wireless phone. Rest assured that placing telemarketing calls to wireless phones is -- and always has been -- illegal in most cases. Why the Confusion? The confusion seems to stem from recent discussions in the wireless phone industry about establishing a wireless 411 phone directory, much like your traditional (wired) 411 phone directory. A number of email campaigns seem to suggest that if your wireless telephone number is listed in a wireless 411 directory, it will be available to telemarketers, and you will start to receive sales calls. In addition, some of these email campaigns suggest that there is a separate do-not-call “cell phone registry,” which you must call to have your wireless phone number covered by the do-not-call rules. This information is wrong."
News release: "As explained in the amicus brief, the proposed settlement raises concerns in three areas in which the FTC has significant expertise: FDCPA and debt collection, privacy and data collection, and class action fairness. First, the FTC is the chief federal enforcer of the FDCPA and has conducted comprehensive assessments of debt collection activities, including its 2009 report, Collecting Consumer Debts: The Challenges of Change and its 2010 report, Repairing a Broken System: Protecting Consumers in Debt Collection Litigation and Arbitration. Second, the FTC safeguards consumers’ privacy and the security of their personal information under Section 5 of the FTC Act and the Gramm-Leach-Bliley Act. Finally, in connection with its Class Action Fairness Project, the FTC has studied how best to protect consumer interests and promote fairness in the class action context and has filed amicus briefs commenting on potentially unfair class settlements."
"In a 6-3 decision, the Supreme Court struck down Vermont's prescription privacy law. IMS Health, Inc. v. Sorrell held that the Vermont statute, which bars disclosure of prescription data for marketing purposes, violates data mining firms' free speech rights. Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do." the Court wrote. The Court suggested that a more privacy-protective statute might have withstood Constitutional scrutiny, writing "the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here." EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell."
News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."
NYT: "The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing."
Announcement by Eva Galperin: "Back in December of 2010, Facebook debuted its tag suggestion feature, which works by using facial recognition technology to examine photos in which you’ve already been tagged, and then creating what Facebook calls your “photo summary” or “photo comparison information,” or what we’ll call your “facial fingerprint.” Using this information, FB suggests your name to your friends when they upload a photo of you, and invites them to tag you in that photo. Over the last few months, Facebook has been slowly rolling this feature out to all of its users, which caught the attention of security firm Sophos, The New York Times, and the European Union, which has launched a probe to investigate the new feature."
"EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security in opposition to the proposed expansion of the employment verification system, "E-Verify." The agency announced plans to incorporate state driver license records that could significantly expand the use of the Homeland Security database. The groups said that the DHS proposal is unlawful and looks very similar to the REAL ID scheme that was previously defeated. EPIC has testified before Congress and published a Spotlight on Surveillance report about E-Verify. For more information, see EPIC: Employment Eligibility Verification System and EPIC: National ID."
PricewaterhouseCoopers’ Health Research Institute, Health Reform Prospering in a post-reform world, June 2001
EPIC: "The White House modified its privacy policy for WhiteHouse.gov on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies. The present policy reflects changes the administration made last year to allow for use of tracking cookies by federal websites. For more information, see EPIC: White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.”
News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries” and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, “Little Bird’s Internet Security Adventure.” AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:
Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.
Press Release and Highlights: "The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet. By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online."
Official Google Blog: "...Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.) Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities."
G8 Summit of Deauville - May 26-27, 2011: "We discussed new issues such as the Internet which are essential to our societies, economies and growth. For citizens, the Internet is a unique information and education tool, and thus helps to promote freedom, democracy and human rights. The Internet facilitates new forms of business and promotes efficiency, competitiveness, and economic growth. Governments, the private sector, users, and other stakeholders all have a role to play in creating an environment in which the Internet can flourish in a balanced manner. In Deauville in 2011, for the first time at Leaders' level, we agreed, in the presence of some leaders of the Internet economy, on a number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet. The "e-G8" event held in Paris on 24 and 25 May was a useful contribution to these debates."
RollCall: "After two days of wrangling and last-minute deal-making in the Senate, Congress cleared a reauthorization of the USA PATRIOT Act on Thursday, and the Obama administration announced that the president signed the bill into law before provisions of the anti-terrorism act expired at midnight. A standoff over amendments in the Senate ate into the time needed to fly the enrolled bill to President Barack Obama, who is traveling in Europe. Instead of physically signing the bill, Obama planned to direct the use of an autopen to sign it, White House spokesman Nick Shapiro said in an email shortly after the House cleared the bill. “Failure to sign this legislation poses a significant risk to U.S. national security,” Shapiro said in the email. Autopens generate a facsimile of an individual’s signature and are frequently used by Members of Congress for signing constituent correspondence and other letters. The Justice Department’s Office of Legal Counsel advised in 2005 that the president may sign a bill by autopen."
EPIC: "A draft agreement between the United States and the European Union will allow the U.S. Department of Homeland Security to store passenger data for up to 15 years. The passenger data includes names, addresses, phone numbers, and credit card information, and even ethnic origin, political opinions, and details of health or sex life. The 15 year time period in the proposed agreement is three times that allowed under Europe's existing Passenger Name Record regime. See also EPIC: EU-US Airline Passenger Data Disclosure."
Privacy Protections for Personal Information Online, Gina Stevens, Legislative Attorney, April 6, 2011
PBS Newshour: 'As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed "significant concerns" about security gaps in the system. The Office of the Inspector General found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals." The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as "high impact" - resulting in costly losses, injury or death. According to the report, "outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data."
Catching AuthTokens in the Wild - The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011
Office of the Director of National Intelligence, 2010 Data Mining Report For the Period January 1, 2010 through December 31, 2010 [via FAS, May 10, 2011]
"...the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation. This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy."
The False Tradeoff between Privacy and Security. (May 1, 2011). Daniel J. Solove, Nothing to Hide: The False Tradeoff between Privacy and Security, Chapter 1, Yale University Press, 2011.
"The FSA's Consultation paper CP11/08 is entitled 'Data Collection: Retail Mediation Activities Return and complaints data'. It was published in May 2011. Comments should reach us by July 8 2011.
News release: "The Federal Trade Commission today told Congress that “the Commission is committed to protecting consumers’ privacy in the mobile sphere” by bringing enforcement actions where appropriate and “by working with industry and consumer groups to develop workable solutions that protect consumers while allowing innovation in this growing marketplace.” In Commission testimony before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law, Jessica Rich, Deputy Director in the FTC’s Bureau of Consumer Protection said the FTC has been examining mobile and wireless issues since 2000, when the agency hosted a workshop on emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise. The FTC also hosted a technology forum in 2006 that featured mobile issues, two Town Halls to explore the use of radio frequency identification technology and its integration into mobile devices, and a forum in 2008 examining consumer protection issues in the mobile sphere. In addition, the FTC has taken law enforcement actions against companies that fail to protect the privacy and security of consumer information. The testimony highlighted four recent cases that illustrate how the FTC’s authority applies to the mobile arena. The FTC’s case against Google alleges that the company deceived consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent. As part of the proposed settlement order, Google must protect the privacy of all of its customers – including mobile users."
News release: "Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue. Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day. Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties. Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc."
CRS - Law Enforcement Use of Global Positioning (GPS) Devices to Monitor Motor Vehicles: Fourth Amendment Considerations, February 28, 2011
Better Choices: Better Deals - Consumers Powering Growth. UK Department for Business, Innovations and Skills, April 2011
Larsson, Stefan, The Path Dependence of European Copyright (April 15, 2011). SCRIPT-ed, Vol. 8, No. 1, April 2011. Available at SSRN: http://ssrn.com/abstract=1824228
FISA Annual Reports to Congress 2010 [via FAS]
"Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move their Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising."
The Deciders: Facebook, Google, and the Future of Privacy and Free Speech, Jeffrey Rosen
Via CDT - The Threat of Data Theft to American Consumers: "Two high profile data (Sony's Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005. According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."
"Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices complaint EPIC: In re Google Buzz ..."
Cyrus Nemati, CDT: "If you've been following our Take Back Your Privacy campaign, you've seen our weekly privacy tips. Each week, we offer readers a new way to protect their privacy online through plug-ins, browser tricks, programs, and general privacy best practices. While each tip has merit in its own right, there are a few tips that give you a great amount of control over your online privacy. Without further ado, here are Take Back Your Privacy's Top Five Privacy Tips."
The big four phone carriers spill on their location and customer data collection policies: "The recent uproar over location tracking in smartphones has gotten ugly and fingers are bound to be pointed. But in the spirit of transparency, the four major carriers have outlined and detailed their location tracking applications as well as what exactly that data is being used for. The honesty does come as a response to the revelation that iPhones, Android devices, and Windows Phone 7 units are tracking user location."
A trade group raises concerns about the FTC settlement with Google over Buzz, by Grant Gross
Welcome to the age of data: Watch your back! by Molly Wood
News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."
News release: "[April 19, 2011], the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) has issued several administrative orders against Google for incremental penalty payments. Investigations by the CBP show that Google has, for a period of two years, systematically, and without the data subjects’ knowledge, collected MAC addresses of more than 3,6 million WiFi routers, in combination with the calculated location of those routers. This was done by using the so called ‘Street View cars’. MAC addresses in combination with their calculated locations, qualify, in this context, as personal data, because the collected data provide information about the WiFi router’s owners. The Dutch DPA also concludes that Google, using the same Street View cars, collected so called payload data, the contents of internet communication. This information contains personal data such as e-mail addresses, medical data and information concerning financial transactions.
Google has been ordered to, within three months, inform the data subjects – off line as well as on line – about the collection of data originating from WiFi routers by the Street View cars. Within the same period of three months, Google must also offer an on line possibility to opt-out from the database in order to enable people to object to the processing of the data concerning their WiFi routers. In case Google does not comply with the administrative order within the time period granted, the penalty amount can increase to a maximum of one million euros. Furthermore, Google is obliged to destroy the payload data it has collected in the Netherlands within four weeks. Read the Dutch press release and the relevant documents (only in Dutch)."
Declan McCullagh, Chief political correspondent, CNET: How police have obtained iPhone, iPad tracking logs
Information Security Oversight Office’s (ISOO) Report to the President for Fiscal Year (FY) 2010: "This report provides information on the status of the security classification program as required by Executive Order 13526, “Classified National Security Information” (the Order). It provides statistics and analysis concerning key components of the system, primarily classification and declassification, and coverage of ISOO’s reviews. It also contains information with respect to industrial security in the private sector as required by Executive Order 12829, as amended, “National Industrial Security Program.” FY 2010 was a notable year for the security classification program. The initial implementation of Executive Order 13526 began in earnest and remains ongoing. To comply with your direction that a government-wide implementing directive be issued within 180 days, we led an interagency working group that developed 32 C.F.R. Part 2001 which became effective and binding on all appropriate Executive branch agencies on June 25, 2010. However, we are concerned about delays in the issuance of agency regulations implementing the Order. Despite the preparation of agency drafts and the completion of our review last Fall, many agencies failed to issue their regulations in final form by December 2010 and many have yet to issue them as of the date of this letter [April 15, 2011]."
News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.
"The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate courts about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy."
EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa, SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under 18s users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."
"On 15 April 2011, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal aimed at revising the financial rules applicable to the annual budget of the European Union ("EU Financial Regulation"). The proposal covers several matters which involve the processing of personal data by the EU institutions and by entities at Member State level. One of the most significant new elements introduced by the proposal is the possibility to publish decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision does not meet the requirements of data protection law. To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility of what is in fact naming and shaming of persons, with use of clear criteria to demonstrate the necessity of the disclosure."
Follow-up: Personally Identifiable Information Made Available to the Public Via the Death Master File (Limited Distribution), A-06-10-20173, 3/31/11
"The Federal Trade Commission today told a House subcommittee that millions of consumers are victims of identity theft each year at a cost of billions of dollars and countless hours of consumers’ time to repair the damage. In testimony before the House Ways and Means Committee’s Social Security Subcommittee, the agency said helping protect consumers from ID theft and deal with its consequences is a critical part of the FTC’s consumer protection mission. In the testimony, the FTC recommended legislation to help mitigate the identity theft problem by making Social Security numbers less useful to identity thieves and making the numbers harder to access."
Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."
Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011
IDG News Service - "Pandora and possibly other makers of popular smartphone applications are being questioned by a federal grand jury about their privacy practices. In a filing with the U.S. Securities and Exchange Commission on Monday, Pandora said that early this year it was served with a subpoena to produce documents in connection with a federal grand jury "which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms," it said. The company also wrote that it believes similar subpoenas were issued to publishers of numerous other smartphone applications. Pandora was informed that it is not a specific target of the investigation, it said. Pandora has been the subject of class-action lawsuits charging it with violating computer privacy laws."
"Federal Trade Commission Chairman Jon Leibowitz today issued the FTC’s 2011 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC, highlighting the agency’s continued efforts to protect financially distressed consumers and promote competition during the economic downturn.
News release: "Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States."
Via EFF: "Your cell phone company knows everywhere you go, twenty-four hours a day, every day. How concrete is this fact for you? It's very concrete for Malte Spitz, a German politician and privacy advocate. He used German privacy law — which, like the law of many European countries, gives individuals a right to see what private companies know about them — to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months. As the German newspaper website Zeit Online reports:
Privacy Impact Assessment for the Use of Unidirectional Social Media Applications Communications and Outreach, March 8, 2011. Kathleen McShea, Director of New Media and Web Communications, Office of Public Affairs, Department of Homeland Security
"EPIC asked a federal court in Washington, DC to reconsider its earlier decision allowing the Department of Homeland Security to keep secret 2,000 airport body scanner images in EPIC's Freedom of Information Act lawsuit. The Court relied on a legal theory in its decision, "Exemption High b(2)," that was recently struck down by the Supreme Court in Navy v. Milner. In Milner, the Court held that FOIA exemption 2 only applies to records concerning employee relations and human resources issues. Milner overturns previous lower court decisions that applied the exemption to broader categories of records, allowing federal agencies to block disclosure of documents to the public. EPIC argues in its motion that the Department of Homeland Security is unlawfully withholding information about the airport scanners from the public. For more information, see EPIC-Milner v. Dept. of Navy and EPIC v. DHS - Body Scanners."
Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011
EPIC: "Judge Denny Chin struck down a proposed settlement between Google and copyright holders that would have imposed significant privacy risks on e-book consumers. Google's proposal would have entitled the company to collect each user's search queries as well as the titles and page numbers of the books they read. In a February 2010 hearing before the Court, EPIC President Marc Rotenberg explained EPIC Press Release: EPIC Urges Court To Reject Google Books Settlement; EPIC: Google Books Settlement and Privacy."
News release: "In testimony before the Senate Committee on Commerce, Science and Transportation, the Federal Trade Commission discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report. The report proposes a framework to balance consumer privacy with industry innovation by: 1) building privacy protections into everyday business practices (“privacy-by-design”); 2) simplifying privacy choices for consumers; and 3) improving transparency with clearer, shorter privacy notices. The Commission told Congress that industry stakeholders have made important progress in implementing Do Not Track, a mechanism proposed in the staff's preliminary privacy report last December that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”
EPIC: "In a hearing before the House Oversight Subcommittee on National Security, EPIC urged Congress to suspend the use of airport body scanners for primary screening. EPIC said the devices were not effective and were not minimally intrusive, as courts have required for airport searches. EPIC cited TSA documents obtained in EPIC's FOIA lawsuit which showed that the machines are designed to store and transfer images, and not designed to detect powdered explosives. EPIC was joined on the panel by radiation expert Dr. David Brenner, who has frequently pointed out the radiation risks created by these machines. The TSA, which is a federal agency funded by taxpayer dollars and responsible for the body scanner program, originally refused to testify at hearing. Eventually they showed up. Chairman Jason Chaffetz, who had previously sponsored a bill regarding body scanners, grilled the TSA officials and said the hearing would continue with more questions. For more information see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS."
News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."
News release: "The Federal Trade Commission has finalized a proposed settlement that it announced in June 2010 with social networking site Twitter, which resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account. The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private."
News release: "For the first time, industry groups and civil liberties interests have come together to advocate a comprehensive, common approach to cybersecurity. That approach is reflected in today's release of a cybersecurity white paper that rejects government mandates and advocates for a stronger partnership between industry and government. The 20-page white paper is a joint release from CDT, U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, and the Internet Security Alliance."
News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Inspector General of the Department of Homeland Security released a report finding that the agency's contract files did not "contain[] sufficient evidence of justification and approval, market research, and acquisition planning" for the $1.3 billion dollars in noncompetitive contracts the agency entered into in fiscal year 2010. The noncompetitive process raises doubts that the agency secured the "best possible value" for the goods and services and that the contracts were awarded to "eligible and qualified vendors." The IG recommended that the agency’s Chief Procurement Officer pursue corrective action plans. EPIC previously criticized the agency’s contracting practices regarding whole body scanners. For related information see EPIC: EPIC v. DHS: Body Scanners (Suspend the Program) and EPIC: EPIC v. DHS (FOIA)."
News release: AeroVironment Develops World’s First Fully Operational Life-Size Hummingbird-Like Unmanned Aircraft for DARPA
2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011
Privacy and Security in Health Care: A Fresh Look
"EFF just received documents in response to a 2-year old FOIA request for information on the FBI’s "Going Dark" program, an initiative to increase the FBI's authority in response to problems the FBI says it's having implementing wiretap and pen register/trap and trace orders on new communications technologies. The documents detail a fully-formed and well-coordinated plan to expand existing surveillance laws and develop new ones. And although they represent only a small fraction of the documents we expect to receive in response to this and a more recent FOIA request, they were released just in time to provide important background information for the House Judiciary Committee’s hearing [February 17, 2011] on the Going Dark program."
News release: "The Federal Trade Commission, the nation’s consumer protection agency, released tips to help people protect their personal information while they use public wireless networks – Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places. While convenient, public Wi-Fi networks often are not secure. When using wireless networks, it’s best to send only personal information that is encrypted – either by an encrypted website or a secure network. Encryption scrambles information sent over the internet into a code so that it’s not accessed by others. An encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in."
10 Conservative Principles for Cybersecurity Policy, by Paul Rosenzweig, George Washington University School of Law; Posted February 10, 2011
Official Google Blog: "Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples...that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information...2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page."
EPIC: "In Pineda v. William Sonoma, the California Supreme Court has determined that merchants may not require credit card customers to provide ZIP codes. In a unanimous decision, the Court found that ZIP codes are "personal identification information" under the state Credit Card Act of 1971. In the Pineda case, the customer believed that providing an SSN was necessary to complete a credit card transaction. The merchant subsequently used the SSN to determine the customer's home address. The California court said that the Credit Card Act "intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." For more information, see EPIC - Social Security Numbers and EPIC - Reidentification."
"The Digital Signage Federation (DSF), a professional membership association, announced today the release of new industry standards for digital signage privacy. The “Digital Signage Privacy Standards” are a set of voluntary privacy guidelines recommended by DSF for digital signage companies, their partners and the venues that host these systems....The DSF Standards Committee is comprised of eight members from different sectors of the industry, and is chaired by Ken Goldberg, CEO of Real Digital Media. Harley Geiger, a committee member and Policy Counsel at the Center for Democracy & Technology, was instrumental in leading the effort to develop policies that safeguard consumer privacy and preserve the public’s trust in the digital signage industry. Subsequently, the Digital Signage Privacy Standard includes strong principles in the following categories:
EPIC: "Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication," rather than traditional CAPTCHA, to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy."
State Cyberbullying Law - A Brief Review of State Cyberbullying Laws and Policies, Sameer Hinduja, Ph.D. and Justin W. Patchin, Ph.D., Cyberbullying Research Center, updated January 2011
Emerging Legal Issues in Social Media: In Part 1 of his commentary, Ken Strutin discusses how the growth of social media and social networking applications has permeated and extended the range of legal investigation, discovery and litigation. The materials he highlights represent a current sampling of notable developments in law enforcement, law practice, civil and criminal litigation, and technology's influence on human behavior.
News release: "The Center for Democracy & Technology today released a proposal that sketches the parameters of what Do Not Track (DNT) means. The document is intended to identify the types of behaviors that DNT should prohibit, and jumpstart a discussion aimed at developing a common understanding of the terms of this emerging technology. The concept of DNT technology is gaining momentum; however, definitions underlying technology—such as what "tracking" actually means—are still in flux...CDT suggests the following definition for "tracking" in the context of Do Not Track:
"Privacy International, EPIC, and the Center for Media and Communications Studies (CMSC) released European Privacy and Human Rights (EPHR) 2010, a report investigating the scope of privacy and data protection laws in Europe. The study includes 33 individual reports covering issues from privacy enforcement to ID cards, biometrics, and data-sharing and video surveillance. The study ranks privacy protections across the European Union (EU). An interactive map is available. The EPHR is based on EPIC's report Privacy & Human Rights: An International Survey of Privacy Laws and Developments."
Via FAS: China: Student Informant System to Expand, Limiting School Autonomy, Free Expression (U//FOUO - "Unclassified // For Official Use Only")- 23 November 2010, CIA-DI-10-05021 [This report was prepared by the Open Source Works, which was charged by the Director for Intelligence with drawing on language trained analysts to mine open-source information for new or alternative insights on intelligence issues.]
National Journal: "Google and Mozilla both announced that they will be adding "do-not-track" options to their Internet browsers, allowing users to prevent websites from gathering personal information and selling it to advertisers. Mozilla announced its plan Sunday with Google following suit Monday. According to a company statement, Google's "Keep My Opt-Outs" feature will be available as an extension for download on its Chrome browser Monday. "We made available, for all major browsers, a downloadable browser plugin that enables you to permanently opt out of Google's advertising cookie, even if you deleted all your browser's cookies," according to the statement. Mozilla's Firefox version will be an HTTP header that will tell websites that a user wants to opt out of what's called "online behavioral advertising." "The advantages to the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn't rely on users finding and loading lists of ad networks and advertisers to work," Mozilla technology and privacy officer Alex Fowler wrote in a blog post Sunday. Microsoft announced a similar feature for its Internet Explorer in December."
UK Home Office: "The Government began the process of scrapping identity cards by introducing the Identity Documents Bill to Parliament on 26 May 2010. The Bill made provision for the cancellation of the UK National Identity Card, the Identification Card for EEA nationals and the destruction of the National Identity Register. This Bill has completed the parliamentary process and the Identity Documents Act 2010 received Royal Assent on 21 December 2010. In line with the terms of the Act identity cards ceased to be valid legal documents for the purposes of confirming identity, age or for travel in Europe on 21 January 2011. Under the terms of the Act the National Identity Register will be destroyed within two months of the Act coming into force. This means all personal information supplied during the process of applying for an identity card, including photographs and fingerprints, will be destroyed by 21 February 2011. Refunds will not be provided and identity card holders are not required to return the card to IPS. As the card will cease to be a legal document, if you have an identity card you should consider securely destroying it. If you choose to retain your identity card, you should ensure that it is kept in a safe and secure place. The statutory post of Identity Commissioner, set up under the Identity Cards Act 2006 to provide independent oversight of the National Identity Service, is also terminated under the terms of the Act."
Domestic Intelligence: New Powers, New Risks [released 01/18/11], by Emily Berman - Counsel in the Liberty and National Security Program at the Brennan Center for Justice
EPIC: "The Supreme Court has issued a decision in NASA v. Nelson, a case brought by NASA scientists who argued that the government's invasive background checks violated the Constitution. The Supreme Court found amicus brief , cosigned by 27 technical experts and legal scholars, which highlighted problems with the Privacy Act, including the "routine use" exception, security breaches, and the agency's authority to carve out its own exceptions. For more information, see EPIC: NASA v. Nelson."
"Gibson Dunn 2010 Year-End Electronic Discovery and Information Law Update calls for Reform Reach Crescendo. Sanctions Granted Less Frequently. Government's Duties Clarified. No Reasonable Expectation of Privacy In Social Media."
McIntyre, Joshua J., The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011.
Follow up to previous postings on government implementation of whole body scanning technology at airports, this News release: "A federal district court has granted the Department of Homeland Security's motion to conclude one of EPIC's Freedom of Information Act lawsuits. EPIC was seeking more than 2,000 images generated by airport body scanners held by the TSA. The DHS objected to the disclosure and the court sided with the government. The court relied on a legal theory, "Exemption High (b)(2)" that is currently under review by the Supreme Court in Milner v. Dept. of Navy. As a result of this lawsuit, EPIC obtained many documents concerning the airport screening program, including Procurement Specifications, Operational Requirements, traveler complaints, and vendor contracts with L3 and Rapiscan, that were subsequently made available to the public. EPIC may appeal the district court's decision as to the release of the body scanner images. For more information see EPIC: EPIC v. DHS and EPIC: Body Scanners."
DHS Privacy Office 2010 Data Mining Report to Congress, December 2010
"On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."
News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."
News release: "National Taxpayer Advocate Nina E. Olson today released her annual report to Congress, identifying the need for tax reform as the number one priority in tax administration. The Advocate expressed continuing concern that the IRS’s increasing use of hard-core enforcement actions, particularly tax liens, is inflicting unnecessary harm on financially struggling taxpayers. The report also examines challenges the IRS is facing in implementing the new health care law."
PEOPLE v. DIAZ, Criminal Appeal, Start Date: 09/09/2008. Opinion issued - Petition for review after the Court of Appeal affirmed a judgment of conviction of a criminal offense. This case presents the following issues: (1) Was defendant's cell phone an item "immediately associated with the person of the arrestee" within the meaning of United States v. Edwards (1974) 415 U.S. 800, and thus subject to search incident to his arrest? (2) Was the warrantless search of the cell phone an hour and a half after the arrest, while defendant was being interrogated, invalid under United States v. Chadwick (1977) 433 U.S. 1? The court ordered briefing deferred pending the decision of the United States Supreme Court in Arizona v. Gant, No. 07-542, cert. granted Feb. 25, 2008, __ U.S. __ [128 S.Ct. 1443, 170 L.Ed.2d 274], or further order of this court.
Top Issues Facing Social Security Administration Management - Fiscal Year 2011, December 2010
WaPo: As outrage over screenings rises, sites consider replacing TSA - "For airports, the change isn't about money. At issue, airport managers and security experts say, is the unwieldy size and bureaucracy of the federal aviation security system. Private firms may be able to do the job more efficiently and with a personal touch, they say. Airports that choose private screeners must submit the request to the TSA. There are no specific criteria for approval, but federal officials can decide whether to grant the request "based on the airport's record of compliance on security regulations and requirements." The TSA pays for the cost of the screening and has the final say on which company gets the contract. Rep. John L. Mica (R-Fla.), the incoming chairman of the House Transportation and Infrastructure Committee, has written to 200 of the nation's largest airports, urging them to consider switching to private companies. The TSA was "never intended to be an army of 67,000 employees," he said."
WikiLeaks And The New Corporate Disclosure Crisis - Stephanie Nora White and Rebecca Theim: "If the scandals that have plagued corporate America in the past two years haven't gotten you thinking about your own company's vulnerabilities, then the latest revelations out of WikiLeaks certainly should. In an interview with Forbes' Andy Greenberg, WikiLeaks founder Julian Assange declared that half the documents that have been fed to the organization are from corporations, and that sometime early next year his organization plans what presumably will be the first of many corporate disclosures. It will begin with information about one of the nation's leading banks. The target is rumored to be Bank of America, and the bank's stock tumbled 3% shortly after the rumors were publicized. Got your attention now? WikiLeaks is promising to give a voice to the disenfranchised, disgusted and disillusioned within Corporate America, those who have knowledge of company behavior ranging from distasteful to criminal. "Companies turn people into leakers by their failure to listen, look and respond," says business consultant and author Margaret Heffernan, whose forthcoming book, Willful Blindness: Why We Ignore the Obvious at Our Peril, will tackle the issue. In other words, it will no longer be a company's general counsel who will decide if and when something is disclosed to the public. Now, it's any insider with a flash drive who's troubled or disgruntled by an organization's conduct. And the types of information WikiLeaks is disclosing can be more damaging--and memorable--than a traditional corporate crisis."
Washington Post: Auditors question TSA's use of and spending on technology: "The massive push to fix airport security in the United States after the attacks of Sept. 11, 2001, led to a gold rush in technology contracts for an industry that mushroomed almost overnight. Since it was founded in 2001, the TSA has spent roughly $14 billion in more than 20,900 transactions with dozens of contractors. In addition to beefing up the fleets of X-ray machines and traditional security systems at airports nationwide, about $8 billion also paid for ambitious new technologies. The agency has spent about $800 million on devices to screen bags and passenger items, including shoes, bottled liquids, casts and prostheses. For next year, it wants more than $1.3 billion for airport screening technologies. But lawmakers, auditors and national security experts question whether the government is too quick to embrace technology as a solution for basic security problems and whether the TSA has been too eager to write checks for unproven products."
Follow up to FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers, this news from Gallup: "U.S. Internet users would likely welcome a "Do Not Track" measure like the one the Federal Trade Commission is currently considering to keep advertisers from tracking their movements online. Gallup finds Internet users largely aware that advertisers use their online browsing history to target ads to their interests, but largely opposed to such tactics -- even if they help to keep websites free...The results, from a USA Today/Gallup poll conducted Dec. 10-12, 2010, come as the Federal Trade Commission considers a measure that would allow Internet users to essentially opt out of online tracking, as they do with the telemarketing "Do Not Call" list. AdWeek in a recent editorial said such a measure would amount to an "apocalypse" for online advertisers, particularly for the fast-growing $1.1 billion industry that relies on these tactics to target content to users."
"The United States Court of Appeals for the District of Columbia Circuit has scheduled oral argument in EPIC's case, No. 10-1157, against the Department of Homeland Security. The court set a March 10, 2011 date for the parties to present oral argument before the Court. EPIC filed suit against the Department of Homeland Security to suspend the body scanner program because it is "unlawful, invasive, and ineffective." In its opening brief, EPIC argued that the federal agency has violated the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, the Video Voyeurism Prevention Act, and the Fourth Amendment. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology.
WSJ: "More than half the smartphone apps tested by The Wall Street Journal sent a serial-number-like identifier for the phone to tracking companies. Some tracking companies use these IDs to create profiles of cellphone users for marketing purposes. The use of these identifiers poses a greater risk than tracking technologies typically used on PC Web browsers, said Heng Xu, an assistant professor of information sciences and technology at Pennsylvania State University. This is because the numbers are difficult or impossible to delete and can be tied to other data, like a person’s location at a given moment, she said."
"Few devices know more personal details about people than the smartphones in their pockets: phone numbers, current location, often the owner's real name—even a unique ID number that can never be changed or turned off. These phones don't keep secrets. They are sharing this personal data widely and regularly, a Wall Street Journal investigation has found. An examination of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."
News release: "The Department of Commerce today issued a report detailing initial policy recommendations aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth. The report outlines a dynamic framework to increase protection of consumers’ commercial data and support innovation and evolving technology. The Department is seeking additional public comment on the plan to further the policy discussion and ensure the framework benefits all stakeholders in the Internet economy."
News release: "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."
Follow up to postings on Wikileaks, news of a Hearing on the Espionage Act and the Legal and Constitutional Issues Raised by WikiLeaks, Thursday 12/16/2010.
EPIC: "December 10 marks the United Nations' annual International Human Rights Day, which celebrates the signing of the Universal Declaration of Human Rights. The Declaration sets forth universal privacy rights in Article 12 and rights to freedom of expression in Article 19. The Declaration's importance and influence is recognized in the U.S. State Department's annual Human Rights Reports. In 2009, the Public Voice published the Madrid Privacy Declaration, which affirmed these international rights to privacy and free and open expression. You can find more information and resources through the U.N. Dag Hammarskjöld Library's Human Rights Day page."
Changes in Airport Passenger Screening Technologies and Procedures: Frequently Asked Questions, Bart Elias, Specialist in Aviation Policy, November 23, 2010
Follow up to Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale, news that FTC Offers Businesses Tips for Securing Data on Digital Copiers.
News release: "The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities....The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses."
Holiday Shopping Tips: "This holiday season the FBI reminds shoppers that cyber criminals aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including conducting fraudulent auction sales, reshipping merchandise purchased with stolen credit cards, and selling fraudulent or stolen gift cards through auction sites at discounted prices...If you have received a scam email, please notify the IC3 by filing a complaint at http://www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm."
Follow up to previous postings on government implementation of whole body scanning technology at airports via CNET, Your risks and rights with TSA's 'enhanced' screening (FAQ).
Google: "..we’re releasing a white paper, Enabling Trade in the Era of Information Technologies: Breaking Down Barriers to the Free Flow of Information, that explores the ways that governments impose limits on the free flow of information online. It’s pretty wonky stuff, but the premise is simple: In addition to infringing human rights, governments that block the free flow of information on the Internet are also blocking trade and economic growth. Over the last two decades, the Internet has delivered tremendous economic and trade benefits. It has driven record increases in productivity, spurred innovation, created new economies, and fueled international trade. In part this is because the Internet makes geographically distant markets easy to reach. But this engine of economic growth is increasingly coming under attack. According to one study, more than forty governments now engage in broad-scale restriction of online information. Governments are blocking online services, imposing non-transparent regulation, and seeking to incorporate surveillance tools into their Internet infrastructure. These are the trade barriers of the 21st century economy...we urge policymakers in the United States, European Union and elsewhere to take steps to break down barriers to free trade and Internet commerce. These issues present challenges, but also an opportunity for governments to align 21st century trade policy with the 21st century economy."
EPIC: "A new poll by Zogby International finds that 61% of Americans polled between Nov. 19 and Nov. 22 oppose the use of full body scans and TSA pat downs. Of those polled, 52% believe the enhanced security measures will not prevent terrorist activity, almost half (48%) say it is a violation of privacy rights, 33% say they should not have to go through enhanced security methods to get on an airplane, and 32% believe the full body scans and TSA pat downs to be sexual harassment. The Zogby Poll is the most recent survey of American opinion on the new airport screening procedures. Combined with earlier polls by USA Today and the Washington Post-ABC News, the Zogby Poll reflects declining support for the TSA program."
News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "The Air Line Pilots Association, Int’l (ALPA), welcomed the Transportation Security Administration (TSA) announcement of expedited screening for airline pilots as important action to move the nation toward a threat-based strategy that focuses security resources where the risk is highest and away from a one-size-fits-all approach...ALPA proposed the creation of a highly secure and effective security screening system that would quickly and accurately verify the identity and employment status of active airline pilots. As a result, ALPA’s Crew Personnel Advanced Screening System (CrewPASS) program would identify individual pilots as trusted and, as a result, enhance the overall security of air travel and reduce passenger delays. In [the November 19, 2010] announcement, the TSA acknowledged ALPA for developing the CrewPASS concept and committed to phasing in CrewPASS nationally. The CrewPASS system is currently operating at Baltimore-Washington Thurgood Marshall International, Pittsburgh International, and Columbia Metropolitan airports."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via National Journal, "The Transportation Security Administration is working to create an alternative screening process for pilots, the agency's chief said this morning, amid mounting protests by airline pilots over new airport scanners criticized as invasive and hazardous to health due to radiation exposure."
"The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." Snipped from November 3, 2010 letter from ICO to Global Privacy Counsel, Google France: "My office now understands that GSV (Google Street View) cars driving in the UK before May 2010 were equipped with the same equipment as the GSV cars in countries where regulators found some instances where entire emails and URLs were captured, as well as passwords. As such, my office believes that while most of the payload data gathered from the UK is fragmentary, in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle..."
2010 HIMSS Security Survey Sponsored by Intel, Final Report, November 3, 2010
News release: "Federal Trade Commission Chairman Jon Leibowitz [November 4, 2010] announced the appointment of Edward W. Felten as the agency’s first Chief Technologist. In his new position, Dr. Felten will advise the agency on evolving technology and policy issues. Dr. Felten is a professor of computer science and public affairs and founding director of the Center for Information Technology Policy at Princeton University. He has served as a consultant to federal agencies, including the FTC, and departments of Justice and Defense, and has testified before Congress on a range of technology, computer security, and privacy issues. He is a fellow of the Association of Computing Machinery and recipient of the Scientific American 50 Award. Felten holds a Ph.D. in computer science and engineering from the University of Washington. Dr. Felten’s research has focused on areas including computer security and privacy, especially relating to consumer products; technology law and policy; Internet software; intellectual property policy; and using technology to improve government."
Sharing Data While Protecting Privacy, November 3, 2010 - The judicious use of accurate and reliable data plays a critical role in initiatives designed to increase the transparency and efficiency of Federal programs and to enhance our capacity to gauge program effectiveness. Sharing data among agencies also allows us to achieve better outcomes for the American public through more accurate evaluation of policy options, improved stewardship of taxpayer dollars, reduced paperwork burdens, and more coordinated delivery of public services. As advances in technology enhance tools for data sharing, Federal agencies can and should seek new approaches for identifying and sharing high-value data responsibly and appropriately. This Memorandum strongly encourages Federal agencies to engage in coordinated efforts to share high-value data for purposes of supporting important Administration initiatives, informing public policy decisions, and improving program implementation while simultaneously embracing responsible stewardship."
News release: "The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces. The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics. A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information."
Email I received Tuesday evening, 9:49pm ET: "Google rarely contacts Gmail users via email, but we are making an exception to let you know that we've reached a settlement in a lawsuit regarding Google Buzz, a service we launched within Gmail in February of this year. Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case. The settlement acknowledges that we quickly changed the service to address users' concerns. In addition, Google has committed $8.5 million to an independent fund, most of which will support organizations promoting privacy education and policy on the web. We will also do more to educate people about privacy controls specific to Buzz. The more people know about privacy online, the better their online experience will be. Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation. Everyone in the U.S. who uses Gmail is included in the settlement, unless you personally decide to opt out before December 6, 2010. The Court will consider final approval of the agreement on January 31, 2011. This email is a summary of the settlement, and more detailed information and instructions approved by the court, including instructions about how to opt out, object, or comment, are available at http://www.BuzzClassAction.com."
News release: "The Electronic Frontier Foundation (EFF) filed suit against three agencies of the Department of Justice (DOJ) today, demanding records about problems or limitations that hamper electronic surveillance and potentially justify or undermine the Administration's new calls for expanded surveillance powers. The issue has been in the headlines for more than a month, kicked off by a New York Times report that the government was seeking to require "back doors" in all communications systems -- from email and webmail to Skype, Facebook and even Xboxes -- to ease its ability to spy on Americans. The head of the FBI publicly claimed that these "back doors" are needed because advances in technology are eroding agents' ability to intercept information. EFF filed a Freedom of Information Act (FOIA) request with the Federal Bureau of Investigation (FBI), the Drug Enforcement Agency (DEA), and the DOJ Criminal Division to see if that claim is backed up by specific incidents where these agencies encountered obstacles in conducting electronic surveillance."
Geotag, You're It! What Your Smartphone Might Be Saying Behind Your Back, Privacy Rights Clearinghouse, October 18, 2010
Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network
EPIC: "Following numerous protests around the world, Google has ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that the practice has been ongoing for three years in more than thirty countries, following an independent investigation initiated by European privacy officials. Investigations are still underway to determine the extent of Google's liability. EPIC wrote to the FCC earlier this year, pointing out that the practice violated US wiretap laws."
News release: "The Federal Trade Commission today told the Equal Employment Opportunity Commission that the Fair Credit Reporting Act (FCRA) imposes requirements on Consumer Reporting Agencies (CRAs) - which include the three major credit bureaus - and on employers that use the information “to ensure that sensitive consumer report information is used with fairness, impartiality, and respect for consumers’ privacy.” Commission testimony given by Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, states that FCRA requirements placed on CRAs and employers are designed to promote privacy, accuracy, and fairness in the use of consumer reports. For example, before giving a consumer report to an employer, the CRA must take reasonable steps to ensure that the employer has a legitimate basis to obtain the report; must inform the employer of his or her obligation to provide certain notices to consumers; and must obtain the employer’s certification that he or she is complying with the FCRA and will not use consumer report information in violation of equal opportunity laws."
News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes."
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010
WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."
EFF: "As noted in our first post, EFF recently received new documents via our FOIA lawsuit on social network surveillance, filed with the help of UC Berkeley’s Samuelson Clinic, that reveal two ways the government has been tracking people online: Citizenship and Immigration’s surveillance of social networks to investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the second of two posts describing these documents and some of their implications. In addition to learning about surveillance of citizenship petitioners, EFF also learned that leading up to President Obama’s January 2009 inauguration, DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for “items of interest.” In a set of slides [PDF] outlining the effort, DHS discusses both the massive collection and use of social network information as well as the privacy principles it sought to employ when doing so."
Follow up to posting, WSJ Tracks how marketers are spying on Internet users, this news release: "Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), Co-Chairman of the House Bi-Partisan Privacy Caucus, released responses to the letters they had sent to companies identified in a Wall Street Journal investigation as reportedly installing intrusive consumer-tracking technologies to track and/or target consumers visiting these company Web sites. “The responses [links to which are included in this news release] raise a number of concerns, including whether consumers are able to effectively shield their personal Internet habits and private information from the prying eyes of online data gatherers,” Rep. Markey said. “Consumers may be unaware that the sites they visit, coordinating with a cadre of analytics firms, advertising networks and offline data companies, may be tracking their activities around the Internet. While the responses that Rep. Barton and I received cite privacy policies and opt-out choices to enable consumers to preserve their privacy, these policies can be complicated and laborious to navigate. For example, a single website may have business relationships with a dozen or more third-party data firms that display advertisements on its site. A consumer may have to visit each of these sites, consulting its privacy policy and clicking through to opt-out, if such an option is provided. In some cases, a list of all third party affiliates is not readily accessible, keeping consumers in the dark.”
Escaping the ‘Scrapers’: "The Internet has given rise to a dizzying array of people-search sites and data brokers that gather and compile public information and social-networking profiles. The sites gather information from public sources such as property records and telephone listings, and other information is harvested by “scraping” — or copying — websites where people post information about themselves. The fact that the information is from public records or posted on the Internet generally means that the companies have a right to use it. And many of the firms emphasize that the data will still be available in public records or elsewhere online, even if the information is removed from specific sites. As long as the source of the information remains available, it can simply be scraped again. But determined consumers willing to navigate the maze of companies have some options for requesting that their data be removed from certain sites."
What They Know - interactive graphic: "Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."
WSJ: "A former Federal Trade Commission employee has filed a complaint with the agency accusing Google Inc. of not adequately protecting the privacy of consumers’ search queries. The complaint was filed September 6 by Christopher Soghoian, who worked until August as a technologist with the FTC’s Division of Privacy and Identity Protection. It calls on the agency to investigate Google and to “compel Google to take proactive steps to protect the privacy of individual users’ search terms.” The complaint alleges Google shares with third parties users’ search queries, including those that contain personal information. In an emailed statement, Google said its passing of search-query data to third parties “is a standard practice across all search engines” and that “webmasters use this to see what searches bring visitors to their websites.” The statement added, “Google does not pass any personal information about the source of the query to the destination website.”
News release: "The Federal Trade Commission today unveiled a community outreach kit with new resources to help parents and communities keep kids safe online and on their mobile phones. With more than five million copies of the Net Cetera: Chatting with Kids About Being Online guide already in the hands of families across the country, FTC Chairman Jon Leibowitz announced the expanded campaign."
"EPIC and 14 other privacy and consumer protection groups (including the American Library Association) sent a letter to Google CEO Eric Schmidt about Google's revised privacy policy. Under this new policy, twelve specific Google privacy policies will be replaced by a single policy that will enable greater data sharing within the corporation. EPIC previously raised similar concerns about Google Buzz in a complaint to the Federal Trade Commission. In the complaint, EPIC argued that Google's Gmail-specific privacy policy was more protective of users than their general privacy policy. For more information, see EPIC: In re Google Buzz."
"Biometric recognition--the automated recognition of individuals based on their behavioral and biological characteristics--is promoted as a way to help identify terrorists, provide better control of access to physical facilities and financial accounts, and increase the efficiency of access to services and their utilization. Biometric recognition has been applied to identification of criminals, patient tracking in medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition, as well as the appropriateness and societal impact of their use. Moreover, the general public has been exposed to biometrics largely as high-technology gadgets in spy thrillers or as fear-instilling instruments of state or corporate surveillance in speculative fiction. Now, as biometric technologies appear poised for broader use, increased concerns about national security and the tracking of individuals as they cross borders have caused passports, visas, and border-crossing records to be linked to biometric data. A focus on fighting insurgencies and terrorism has led to the military deployment of biometric tools to enable recognition of individuals as friend or foe. Commercially, finger-imaging sensors, whose cost and physical size have been reduced, now appear on many laptop personal computers, handheld devices, mobile phones, and other consumer devices. Biometric Recognition: Challenges and Opportunities addresses the issues surrounding broader implementation of this technology, making two main points: first, biometric recognition systems are incredibly complex, and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. Consequently, even when the technology and the system in which it is embedded are behaving as designed, there is inevitable uncertainty and risk of error.
This book elaborates on these themes in detail to provide policy makers, developers, and researchers a comprehensive assessment of biometric recognition that examines current capabilities, future possibilities, and the role of government in technology and system development."
News release: "[On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."
Transparency Report: "Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. We’ve created an interactive map of Government Requests that shows the number of government inquiries for information about users and requests for Google to take down or censor content. We hope this step toward greater transparency will help in ongoing discussions about the appropriate scope and authority of government requests. Our interactive Traffic graphs provide information about traffic to Google services around the world. Each graph shows historic traffic patterns for a given country/region and service. By illustrating outages, this tool visualizes disruptions in the free flow of information, whether it's a government blocking information or a cable being cut. We hope this raw data will help facilitate studies about service outages and disruptions."
EU Passenger Name Record (PNR) External Strategy (9/21/10): "The European Commission adopted today a package of proposals on the exchange of Passenger Name Record (PNR) data with third countries (countries outside the EU), consisting of an EU external PNR strategy and recommendations for negotiating directives for new PNR agreements with the United States, Australia and Canada."
A Review of the FBI's Investigations of Certain Domestic Advocacy Groups, September 2010
Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. The Smart Grid Interoperability Panel – Cyber Security Working Group, August 2010
"A Wall Street Journal investigation into online privacy has found that popular children's websites install more tracking technologies on personal computers than do the top websites aimed at adults."
"The Foreign Intelligence Surveillance Act (FISA) authorizes a special court, the Foreign Intelligence Surveillance Court (FISC), to undertake electronic surveillance in the United States for foreign intelligence information. The FISC is now seeking public comments concerning its procedures. Comments must be received by Monday, October 4, 2010. EPIC previously submitted an amicus brief regarding FISA authority and national security. EPIC will be submitting comments to the FISC and endorse changes that improve accountability and transparency for FISA orders."
Views on Genetic Testing: An AARP Bulletin Survey, by: Helen W. Brown, Ph.D., Research & Strategic Analysis: "A large majority of Americans have never been tested for their genetic makeup, according to a recent AARP Bulletin survey. Moreover, most would not consider undergoing genetic testing to find out if they are susceptible to a disease such as Alzheimer’s, cancer, or diabetes. The top reasons why respondents have not had genetic testing include never having given it any thought (63%), the cost (32%), not wanting to know the results (21%), concerned someone else may get the results (20%), and being skeptical of science (12%)."
Official Google Blog: "Long, complicated and lawyerly — that's what most people think about privacy policies, and for good reason. Even taking into account that they’re legal documents, most privacy policies are still too hard to understand. So we’re simplifying and updating Google’s privacy policies. To be clear, we aren’t changing any of our privacy practices; we want to make our policies more transparent and understandable. As a first step, we’re making two types of improvements:
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The United States Court of Appeals for the District of Columbia Circuit has set a briefing schedule for EPIC v. DHS, No. 10-1157, EPIC's challenge to the airport body scanner program. EPIC has alleged that the Department of Homeland Security has violated three federal laws (the Administrative Procedures Act, the Privacy Act, and the Religious Freedom Restoration Act) and that the body scanner search itself is unconstitutional, given what the courts have said about the permissible scope of airport screening procedures. EPIC's initial brief will be due November 1, 2010. Subsequent briefs from DHS and EPIC will be due by December 15, 2010. In earlier open government litigation against DHS, EPIC obtained evidence that the devices are designed to store and record images."
Follow up to previous postings on government implementation of whole body scanning technology at airports, "EPIC has filed an appeal with the Transportation Security Administration, challenging the agency's denial of expedited processing and fee waivers for an EPIC Freedom of Information Act request. EPIC is seeking documents from the TSA concerning full body scanner radiation risks and testing. EPIC challenged the TSA's denial of expedited processing, arguing that by delaying the release of the records, the agency was risking the health of travelers and its own employees. EPIC also argued that the record request was particularly timely, as three US Senators recently wrote to the Department of Homeland Security about the safety of the airport body scanners and the risk to air travelers. Separately, EPIC has urged a federal court to suspend the program, pending an independent review of the health risks and privacy impact."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via Forbes news that "American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents...While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and Iraq...law enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S."
Cleveland.com: "..the city will roll out next year with new trash and recycling carts embedded with radio frequency identification chips and bar codes. The chips will allow city workers to monitor how often residents roll carts to the curb for collection. If a chip shows a recyclable cart hasn't been brought to the curb in weeks, a trash supervisor will sort through the trash for recyclables. Trash carts containing more than 10 percent recyclable material could lead to a $100 fine, according to Waste Collection Commissioner Ronnie Owens. Recyclables include glass, metal cans, plastic bottles, paper and cardboard."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Chairman and Ranking Member of the Homeland Security Committee, along with four other Senators, have sent a letter to the head of the US Marshal Service to ask why the federal agency stored more than 35,000 images from whole body imaging scans taken at the Orlando federal courthouse. The letter follows a Freedom of Information Act lawsuit, filed by EPIC, in which the Marshal Service was forced to disclose the fact that it had stored body scanner images. EPIC has also filed an emergency motion in federal court to suspend the program, pending a thorough review of the airport body scanner program. For more information, see EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program)."
An Analysis of Private Browsing Modes in Modern Browsers, by Gaurav Aggarwal and Elie Bursztein, Stanford University; Collin Jackson, CMU; Dan Boneh, Stanford University
Follow up to previous postings on National Security Letters, this news release: "The FBI has partially lifted a gag it imposed on American Civil Liberties Union client Nicholas Merrill in 2004 that prevented him from disclosing to anyone that he received a national security letter (NSL) demanding private customer records. Merrill, who received the NSL as the president of an Internet service provider (ISP), can now reveal his identity and speak about his experience for the first time since receiving the NSL. The ACLU and New York Civil Liberties Union filed a lawsuit challenging the NSL statute and the gag order on behalf of Merrill (then called John Doe) in April 2004, which resulted in numerous court rulings finding the NSL statute unconstitutional. Merrill was the first person ever to challenge an NSL in court...NSLs are secret record demands the FBI issues to obtain access to personal customer records from ISPs, libraries, financial institutions and credit reporting agencies without court approval or even suspicion of wrongdoing. Because the FBI can gag NSL recipients to prohibit them from disclosing anything about the record demands they receive, the FBI's use and potential abuse of the NSL power has been shrouded in excessive secrecy. While the NSL served on Merrill stated that he was prohibited from telling anyone about it, he decided to challenge the demand in court because he believed that the FBI was ordering him to turn over constitutionally protected information about one of his clients. Because of the FBI-imposed gag, Merrill was prohibited from talking about the NSL or revealing his identity and role in the lawsuit until today, even though the FBI abandoned its demand for records from Merrill more than three years ago."
"Google, a company with vast pools of data about us, is moving into the world of highly targeted ads." See this graphic for details covering 1998 to present.
Official Google Blog: "The original architects of the Internet got the big things right. By making the network open, they enabled the greatest exchange of ideas in history. By making the Internet scalable, they enabled explosive innovation in the infrastructure. It is imperative that we find ways to protect the future openness of the Internet and encourage the rapid deployment of broadband. Verizon and Google are pleased to discuss the principled compromise, Verizon-Google Legislative Framework Proposal, our companies have developed over the last year concerning the thorny issue of “network neutrality.”"
"CDT submits the following chart as an addendum to the written testimony of Leslie Harris, President and Chief Executive Officer of the Center for Democracy and Technology before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection on The BEST PRACTICES Act of 2010 and Other Federal Privacy Legislation on July 22, 2010. The chart compares some of the key provisions in both bills, and issues CDT’s recommendations about the approach we believe privacy legislation should take."
Follow up to previous postings on government implementation of whole body scanning technology at airports, "In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 at issue in the EPIC lawsuit. EPIC has pursued a but the DHS refuses to release the images it has obtained. EPIC has also filed suit to stop the deployment of the machines in US airports. For more information, see EPIC Body Scanners and EPIC - EPIC v. DOJ (Marshall Service FOIA)."
2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service
The Web's New Gold Mine: Your Secrets - A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series, by Julia Angwin: "The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry."
Pew Internet: Reputation Management and Social Media - How people monitor their identity and search for others online, by Mary Madden, Aaron Smith, May 26, 2010
News release: "The National Cyber Security Alliance (NCSA), a public-private partnership focused on educating a digital citizenry to stay safe and secure online, today launched its National Cyber Security Awareness Month Web portal with information on events, activities, promotions and educational materials to be used in preparation for the online safety month to be held in October. Anyone – family, employers, consumers, teachers, and students – interested in online safety is encouraged to access the portal, and all materials are free to use."
[Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."
Exclusive - Google, CIA Invest in ‘Future’ of Web Monitoring, By Noah Shachtman, July 28, 2010: "The investment arms of the CIA and Google are both backing a company that monitors the web in real time — and says it uses that information to predict the future. The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents — both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.” The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event."
News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, this news release: "Attorney General Richard Blumenthal today on behalf of the executive committee of a 38-state coalition asked Google whether it tested its Street View software before use -- which should have revealed that the program collected data transmitted over wireless computer networks. Google has acknowledged unauthorized collection of data -- possibly including emails, passwords, web browsing and other confidential information – but called it a mistake. In a letter to Google, Blumenthal also asks whether the company’s program was designed to collect random bits of information broadcast over wireless networks or download specific types of data and whether it has sold or otherwise used technical network information also collected."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "On July 20, 2010, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to the DHS Secretary, the devices, which had once been part of a pilot program for secondary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC has filed an emergency motion in federal court, urging the suspension of the program and citing violations of several federal statutes and the Fourth Amendment. Public opposition to the program is also growing."
Follow up to previous postings on government implementation of whole body scanning technology at airports, today, EPIC filed a reply in its case against the Department of Homeland Security, EPIC v. DHS, 10-1157. EPIC had previously filed a petition and motion for emergency stay, asking the court to suspend the use of the machines. EPIC argued that the use of body scanners for primary screening in U.S. airports violates several federal laws and the Fourth Amendment. In its reply to the government's motion, EPIC also cited the growing public opposition to the program, the decision of major airports not to use body scanners, as well as the agency's failure to adequately address Constitutional concerns.
"Metro today announced an enhanced Web site on which customers can check the balance of their SmarTrip card, monitor any SmartBenefits activity through their employers, and review their usage over time, including on their iPhones and Blackberrys. Users can also report cards online as stolen, lost, cracked or malfunctioning, though they can't add to their balance from a credit card. The immediate reaction from normally-skeptical Metro riders seemed positive for the long-anticipated move. In April, Metro's board approved changes to its privacy policy to allow card owners to monitor activity on their cards - pieces of plastic that hold up to $300 in fares at a time, with many employers, including the federal government, reloading the cards with money each month. It's clear why privacy considerations were important: When I registered my own card with the site and logged on, it became apparent that the timestamped information linked to my SmarTrip was enough to reconstruct nearly all my movements around the region, since I rely almost entirely on Metrobus and Metrorail to get around, and even illustrate habits and routines."
"EPIC Executive Director Marc Rotenberg testified [July 15, 2010] before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."
Millennials will make online sharing in networks a lifelong habit
Unleashing the Wireless Broadband Revolution: "Expanded wireless broadband access will trigger the creation of innovative new businesses, provide cost-effective connections in rural areas, increase productivity, improve public safety, and allow for the development of mobile telemedicine, telework, distance learning, and other new applications that will transform Americans' lives. Spectrum and the new technologies it enables also are essential to the Federal Government, which relies on spectrum for important activities, such as emergency communications, national security, law enforcement, aviation, maritime, space communications, and numerous other Federal functions. Spectrum is also critical for many State, local, and tribal government functions. As the wireless broadband revolution unfolds, innovation can enable efficient and imaginative uses of spectrum to maintain and enhance the Government's capabilities. In order to achieve mobile wireless broadband's full potential, we need an environment where innovation thrives, and where new capabilities also are secure, trustworthy, and provide appropriate safeguards for users' privacy. These characteristics will continue to be important to the adoption of mobile wireless broadband."
EPIC: "The White House has announced a new "Clear Notice and Personal Choice" policy for the use of Web Measurement and Customization Technologies for government web sites. The policy is remarkable in that there does not appear to be any legal basis to allow federal agencies to routinely disclose personal information of citizens to private companies. The policy is accompanied by new Guidance for Agency Use of Third-Party Websites and Applications. The White House also announced a National Strategy for Trusted Identities in Cyberspace. EPIC had urged the White House to uphold Privacy Act obligations in use of web 2.0 services. For more information, see EPIC - Privacy and Government Contracts with Social Media Companies."
Follow up to Google Launches Encrypted Search in Beta, via the Official Google Enterprise Blog, the announcement that the company moved encrypted search from https://www.google.com to https://encrypted.google.com. "The site functions in the same way. However, if school network administrators decide to block encrypted searches on https://encrypted.google.com, the blocking will no longer affect Google authenticated services like Google Apps for Education."
Legislating Consumer Privacy Online & Off: "Last month, Congressmen Rick Boucher and Cliff Stearns, respectively Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, released a discussion draft of legislation "to assure the privacy of information about individuals both on the Internet and offline." This is the most significant movement in over half a decade to craft privacy rules for consumers in the digital age."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."
Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program: "Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service. The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via Privacy International, "Crime reference number 2318672/10 was today issued by London's Metropolitan Police, marking the commencement of investigations into Google for alleged criminal interception of Wireless communications content. Privacy International, which brought the complaint, has been briefed by police on the likely path the investigation will take. In the first instance police will conduct initial inquiries into the essential facts of the case before deciding which (if any) law may have been breached. In this case PI has brought the action under two laws - the Regulation of Investigatory Powers Act and the Wireless Telegraphy Act. The police will need to seek advice on which legislation to focus on, as each involves a different prosecution process."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via EPIC: "The French National Commission on Computing and Liberty (CNIL) has released preliminary results (French) (English) of the Google Street View investigation in France. According to the CNIL, Google "saved passwords for access to mailboxes" and obtained content of electronic messages. The CNIL is pursuing the investigation to determine whether Google engaged in "unfair and unlawful collection of data" as well as "invasion of privacy and individual liberties." Investigations are now underway in at least 18 countries and five states in the US. EPIC has prepared a preliminary survey of Investigations of Google Street View."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, an update via EPIC: "Several state attorneys general have opened investigations of Google, following disclosures that the company captured and stored Wi-Fi data in addition to digital images. These states include Connecticut, Illinois, Massachusetts, Michigan, and Missouri. Maryland and New York are also reported to be pursuing investigations. Connecticut AG Richard Blumenthal described the "driveby data sweeps" of WiFi networks as "deeply disturbing, a potentially impermissible, pernicious invasion of privacy." In a subsequent statement, the Connecticut Attorney General said he will determine the legality of Google's WiFi collection practices. Earlier, EPIC sent a letter to the Federal Communications Commission urging the FCC to determine whether Google may have violated the Wiretap Act and the Communications Act. Google has since grounded its entire Street View fleet and ceased all WiFi data collection. For more information, see EPIC - Investigations of Google Street View."
EPIC: "The Supreme Court has issued a ruling in City of Ontario v. Quon, a case concerning the reasonableness of a search of a public employee's pager. EPIC filed a "friend of the court" brief in the case, arguing that data minimization practices should be followed for electronic searches, and that the search, which uncovered personal texts unrelated to the purpose of the search, was therefore unreasonable. EPIC urged the Supreme Court to apply the approach set out in Comprehensive Drug Testing v. United States, which allows a government agency to undertake appropriate searches without unnecessarily violating privacy interests. The Court ruled that the search was reasonable, reversing the Ninth Circuit's decision that such a search be conducted through the least intrusive means possible. For more information, see EPIC: City of Ontario v. Quon."
EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."
"In formal comments to the California Public Utility Commission, EPIC said that utility customers should control the use of personal information generated by Smart Grid services. EPIC warned that companies will otherwise use the data for purposes not related to electricity delivery, consumption management, or payment. EPIC urged the California Commission to include a requirement that limits the use of personal data by third party providers offering energy management services. The Commission acknowledged EPIC's March 2010 comments and EPIC's April 2010 comments in the proposed California Smart Grid plan. For more information, see EPIC Smart Grid."
Official Google Blog: "When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns."
No Secrets, by Raffi Khatchadourian: "[Julian Paul] Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account. The catalogue is especially remarkable because WikiLeaks is not quite an organization; it is better described as a media insurgency. It has no paid staff, no copiers, no desks, no office. Assange does not even have a home. He travels from country to country, staying with supporters, or friends of friends—as he once put it to me, “I’m living in airports these days.” He is the operation’s prime mover, and it is fair to say that WikiLeaks exists wherever he does. At the same time, hundreds of volunteers from around the world help maintain the Web site’s complicated infrastructure; many participate in small ways, and between three and five people dedicate themselves to it full time. Key members are known only by initials—M, for instance—even deep within WikiLeaks, where communications are conducted by encrypted online chat services. The secretiveness stems from the belief that a populist intelligence operation with virtually no resources, designed to publicize information that powerful institutions do not want public, will have serious adversaries."
Article 29 Data Protection Working Party Press Release, Brussels, 26 May 2010: EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules
News release: "Today, Chairman Henry A. Waxman, Subcommittee Chairman Ed Markey, and Ranking Member Joe Barton sent a letter to Eric Schmidt, Chairman & CEO of Google, regarding recent reports of data collection over private Wi-Fi networks in conjunction with Google's Street View product. The Committee is concerned about the accuracy and completeness of Google's public explanations and requests information regarding the nature and use of the private data collected, the underlying technology of the Street View vehicle fleet, and the impact on consumer privacy."
"With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience. To use search over SSL, visit https://www.google.com each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you're searching over SSL, these properties may not appear in the left panel."
Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale
EPIC: "The Senate unanimously passed the Faster FOIA Act of 2010, introduced by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), that will establish a 16-member commission to determine methods for reducing delays in processing FOIA requests. Government reports reveal substantial delays in disclosing records subject to the open government law. The legislation seeks to improve the processing of FOIA requests. EPIC frequently uses the FOIA to obtain information about government programs that impact privacy rights."
BusinessWire: "A new study of 90 organizations actively engaged in online marketing concludes that in spite of an acknowledged return on investment, hundreds of millions of dollars are being held back from online behavioral advertising (OBA) over concerns that a lack of consumer trust in the practice could damage brand reputation. The study, Economic Impact of Privacy on Online Behavioral Advertising, conducted independently by the Ponemon Institute, found that although 70 percent of companies agreed that behaviorally targeted advertising substantially increases marketing and sales performance, and in spite of an overall favorable return, most companies surveyed have limited their online advertising budgets over privacy concerns. In fact, extrapolated results suggest that budgets would be as much as four times higher if not for these concerns. Among the study’s noteworthy results:
News release: "A total of 2,376 federal and state applications for orders authorizing the interception of wire, oral or electronic communications, known as wiretaps, was reported in 2009. The number of applications for orders by federal authorities was 663; the number of applications reported by state prosecuting officials was 1,713. No applications were denied. The Omnibus Crime Control and Safe Streets Act of 1968 requires the Administrative Office of the U.S. Courts to report to Congress the number and nature of federal and state applications for wiretap orders. The 2009 Wiretap Report covers intercepts concluded between January 1, 2009 and December 31, 2009."
EPIC: "A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance."
Generalized ‘satisfaction of search’: Adverse influences on dual-target search accuracy - Mathias S. Fleck, Ehsan Samei, and Stephen R. Mitroff, Department of Psychology & Neuroscience, Center for Cognitive Neuroscience, Duke University, Carl E. Ravin Advanced Imaging Laboratories, Department of Radiology, Duke University Medical Center
"The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between privacy policy and innovation in the Internet economy. The Department seeks public comment from all Internet stakeholders, including the commercial, academic and civil society sectors, on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy...The Department has launched the Privacy and Innovation Initiative to identify policies that will enhance: (1) The clarity, transparency, scalability and flexibility needed to foster innovation in the information economy; (2) the public confidence necessary for full citizen participation with the Internet; and (3) uphold fundamental democratic values essential to the functioning of a free market and a free society."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "EPIC and a broad coalition of organizations sent a formal petition to the Department of Homeland Security to demand that the agency suspend the airport body scanner program. The petition states that the "uniquely intrusive search" is unreasonable and violates the Constitution. The petition further states the program fails to comply with several federal laws, including the Religious Freedom Restoration Act, the Privacy Act of 1974, and the Administrative Procedures Act. The petitioners also argue that the machines are ineffective and that there are better, less costly security technologies. The petitioners contend that the TSA has routinely misled the public about the ability of the devices to store and transmit detailed images of travelers' naked bodies. In a Freedom of Information Act lawsuit, EPIC has already obtained technical documents, vendor contracts, and hundreds of traveler complaints."
Teens and Mobile Phones - Text messaging explodes as teens embrace it as the centerpiece of their communication strategies with friends, April 20, 2010
Follow up to Google Announces "A new approach to China", from the New York Times: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including e-mail and business applications."
News release: "Eight federal regulators released an Online Form Builder today that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. The Online Form Builder, based on the model form regulation published in the Federal Register on December 1, 2009, under the Gramm-Leach-Bliley Act, is available with several options. Easy-to-follow instructions for the form builder will guide an institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers. To obtain a legal "safe harbor" and so satisfy the law's disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder."
Hoofnagle, Chris Jay, King, Jennifer, Li, Su and Turow, Joseph, How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies? (April 14, 2010). Available at SSRN: http://ssrn.com/abstract=1589864
News release: "The Electronic Frontier Foundation (EFF) along with Google and numerous other public interest organizations and Internet industry associations joined with Yahoo! in asking a federal court Tuesday to block a government attempt to access the contents of a Yahoo! email account without a search warrant based on probable cause. The Department of Justice is seeking the emails as part of a case that is under seal, and the account holder has apparently not been notified of the request. Government investigators maintain that because the Yahoo! email has been accessed by the user, it is no longer in "electronic storage" under the Stored Communications Act (SCA) and therefore does not require a warrant, even though that same legal theory has been flatly rejected by the one Circuit Court to address it. Yahoo! is challenging the government request before a federal magistrate judge in Denver, arguing that the SCA and Fourth Amendment require the government to get a search warrant before compelling Yahoo! to disclose the email. In an amicus brief filed in support of Yahoo! Tuesday, EFF says that the company is simply following the law and protecting the constitutional privacy rights of its customers."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "Ninety-three percent of Americans said they are willing to sacrifice some level of privacy to increase safety when traveling by air, according to research conducted in January and February by Unisys Corporation (NYSE: UIS). Nearly two-thirds of Americans (65%) said they are willing to cooperate with full electronic body scans at the airport, and more than half (57%) would be willing to submit to identity checks using biometric data such as iris scans or fingerprints. Nearly three quarters of Americans (72%) said they are willing to provide personal data in advance of air travel to increase security. The findings, part of the latest bi-annual Unisys Security Index, illustrate that recent events such as the attempted Christmas Day airline bombing may have made security a priority for air travelers. A clear majority of citizens in nearly every country surveyed said they would be willing to forgo privacy to increase air travel security. For example, 90% of citizens in the United Kingdom and 70% of Australians said they would submit to electronic body scans."
NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "A meeting between top United States counter-terrorism officials and European counterparts ended in Madrid today with no agreement to restart a program that gave the US access to European financial data. The Terrorist Finance Tracking Program operated in secret from 2001 to 2006. European legislators objected to the program as a violation of EU privacy law. There also appeared to be no EU support for the further deployment of body scanners in European airports. EPIC has raised several objections to the body scanner program, including a letter with Ralph Nader to the administration, Congressional Testimony, and open government litigation, which revealed that the devices store and record images."
"Smart Grid policies that maximize the benefits to consumers need to encompass more than just the electric or telecom sectors policies. The purpose of the Summit is to create a forum to align policies for energy, telecommunication, the environment and the economy, and fulfill the promises of smart grid deployments. The Summit brings together dozens of representatives from a wide variety of policy communities including: state and federal legislative, regulatory and administrative agencies, labor, consumers, and representatives from the major energy and smart grid associations. In this first of its kind multiple-policy, multiple-community Summit, the UTC intends to provide a forum for this next level of policy development..."
News release: "Three consumer protection organizations on Thursday filed a complaint with the Federal Trade Commission (FTC), demanding the commission investigate growing privacy threats in the “Wild West” online. The U.S. Public Interest Research Group, the Center for Digital Democracy and the World Privacy Forum challenged the commission to investigate the growing privacy threats to consumers from the practices conducted by the real-time data-targeting auction and exchange online marketplace. Increasingly and largely unknown to the public, technologies enabling the real-time profiling, targeting, and auctioning of consumers are becoming commonplace. Adding to the privacy threat, explains the new complaint, is the incorporation and expanding role of an array of outside data sources for sale online that provide detailed information on a consumer."
Follow up to postings on security issues and erasing hard drives, from Gizmodo, a detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."
News release: "Department of Homeland Security (DHS) Secretary Janet Napolitano today announced that the Transportation Security Administration (TSA) will begin implementing new enhanced security measures for all air carriers with international flights to the United States to strengthen the safety and security of all passengers—superseding the emergency measures put in place immediately following the attempted terrorist attack on Dec. 25, 2009...Secretary Napolitano also commended today’s release of the Surface Transportation Security Priority Assessment as another important step in efforts to protect the nation’s traveling public from acts of terrorism—conducted by the Obama administration in its first year as a thorough review of the nation’s surface transportation security efforts, which cover mass transit, commuter and long-distance passenger rail, freight rail, commercial vehicles and pipelines."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In response to a Congressional inquiry, led by Congressman Bennie Thompson, the Transportation Security Agency acknowledged that images on body scanner machines would be recorded for "testing, training, and evaluation purposes." The TSA also did not dispute that test mode could be activated in airports, but said this "would" not happen. As part of an ongoing lawsuit, EPIC had previously obtained TSA documents describing the machines' capabilities to store and transmit detailed images of travelers' naked bodies."
News release: "The Federal Trade Commission today reported to Congress that it is getting the word out about Internet safety for children by aggressively promoting a new booklet, Net Cetera: Chatting with Kids About Being Online, to schools, police and sheriff’s departments, and PTAs nationwide. Net Cetera explains to parents and their children how to deal with issues such as social networking, cyberbullying, using mobile phones safely, and protecting the family computer from badware. The booklet is practical, plain-language, and value-neutral, so all parents – regardless of whether they are technologically savvy – can use it to help their kids make better decisions about online behavior. It is the most recent addition to the OnGuardOnline.gov consumer education campaign, which helps people guard against Internet fraud, secure their computers, and protect their privacy."
Follow up to previous postings on the Domestic Surveillance Program, via EFF, Kevin Bankston: "Today, Chief Judge Vaughn Walker of the federal district court in San Francisco found that the government illegally wiretapped an Islamic charity's phone calls in 2004, granting summary judgment for the plaintiffs in Al-Haramain Islamic Foundation v. Obama. The court held the government liable for violating the Foreign Intelligence Surveillance Act (FISA). Today's order is the first decision since ACLU v. NSA to hold that warrantless wiretapping by the National Security Agency was illegal. The decision in ACLU v. NSA was overturned on other grounds in 2007, and the focus of the government's litigation strategy since then has been to avoid having any court rule on the merits of the issue. The court's thorough decision is a strong rebuke to the government's argument that only the Executive Branch may determine if a case against the government can proceed in the courts, by invoking state secrets. The Obama Administration adopted this "state secrets privilege" theory from the Bush Administration's legal positions in this and other warrantless wiretapping cases."
World Privacy Forum: "New forms of sophisticated digital signage networks are being deployed widely by retailers and others in both public and private spaces. From simple people-counting sensors mounted on doorways to sophisticated facial recognition cameras mounted in flat video screens and end-cap displays, digital signage technologies are gathering increasing amounts of detailed information about consumers, their behaviors, and their characteristics, like age, gender, and ethnicity. These technologies are quickly becoming ubiquitous in the offline world, and there is little if any disclosure to consumers that information about behavioral and personal characteristics is being collected and analyzed to create highly targeted advertisements, among other things. Few if any consumers expect that the video screen they are watching, the kiosk they are typing on, or the game billboard they are interacting with is watching them back while gathering images of them and behavioral information. This is creating a one-way-mirror society with no notice or opportunity for consumers to consent to being monitored in retail, public, and other spaces or to consent to having their behavior analyzed for marketing and profit. The privacy problems inherent in digital networks are profound, and to date these issues have not been adequately addressed by anyone. This report by the World Privacy Forum seeks to shed light in a dark area and to start a more robust public debate. In addition to the report, the WPF has released with a group of the nation's leading consumer groups a set of privacy principles to be used in digital s