=======================================================================
E P I C A l e r t
=======================================================================
Volume 20.12 June 27, 2013
-----------------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
"Defend Privacy. Support EPIC."
http://epic.org/donate
========================================================================
Table of Contents
========================================================================
[1] EPIC, Bamford, Diffie, Schneier Call for Suspension of NSA Domestic
Surveillance Program
[2] Supreme Court Upholds Privacy of Driver Records
[3] EPIC Obtains Docs Detailing FBI Collection of DMV Photos
[4] EPIC to FCC: Investigate Disclosure of Consumer Phone Records
[5] NSA Targeting and Minimization Procedures Released
[6] News in Brief
[7] EPIC in the News
[8] EPIC Book Review: 'Big Data'
[9] Upcoming Conferences and Events
TAKE ACTION: Sign EPIC's Petition Against NSA Domestic Surveillance!
- SIGN the Petition: https://epic.org/NSApetition/
- LEARN More: https://epic.org/privacy/terrorism/fisa/
- SUPPORT EPIC: http://www.epic.org/donate/
========================================================================
[1] EPIC, Bamford, Diffie, Schneier Call for Suspension of NSA Domestic
Surveillance Program
========================================================================
EPIC, joined by leading privacy and technology experts including James
Bamford, Whitfield Diffie, and Bruce Schneier, has petitioned the
National Security Agency to suspend domestic surveillance programs
pending public comment. According to recently released classified
documents, the NSA is engaging in programs that monitor US phone calls
and other forms of electronic communication, implicating the First and
Fourth Amendment rights of millions of American citizens.
EPIC's petition states: "NSA's collection of domestic communications
contravenes the First and Fourth Amendments to the United States
Constitution, and violates several federal privacy laws, including the
Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of
1978 as amended." EPIC filed the petition as a request for formal
rulemaking under the Administrative Procedure Act, which states that
agency actions that substantially affect the rights of US citizens
must go through a systematic public notice and comment process before
being enacted.
The EPIC petition to the NSA further states that the NSA's domestic
surveillance "substantively affects the public to a degree sufficient
to implicate the policy interests" that require public comment, and
that "NSA's collection of domestic communications absent the opportunity
for public comment is unlawful." The NSA surveillance programs,
operating under the Foreign Intelligence Surveillance Act and heavily
classified, do not receive any public oversight. The NSA provides
classified briefings to only a handful of members of Congress, and
the agency's surveillance activities are reviewed by a secret court
known as the FISC.
Bamford is a former NSA employee and author of numerous books and
articles on the inner workings of the US intelligence community.
Diffie, a mathematician and technologist, pioneered public key
cryptography in the 1970s and 1980s. Schneier is the Chief
Technology Officer of BT Counterpane and a leading author on computer
security. All are members of the EPIC Advisory Board.
EPIC intends to renew the request each week until the NSA responds, as
the statute requires of all federal agencies. The petition is available
at http://epic.org/NSApetition.
EPIC: Rulemaking Petition to the NSA
http://epic.org/NSApetition
FISC: Order Permitting NSA Phone Surveillance (Apr. 23, 2013)
http://epic.org/priv...Order-to-Verizon.pdf
EPIC: NSA - Verizon Phone Record Monitoring
http://epic.org/priv...verizon/default.html
EPIC: The Administrative Procedure Act (APA)
http://epic.org/open...e-Procedure-Act.html
========================================================================
[2] Supreme Court Upholds Privacy of Driver Records
========================================================================
The US Supreme Court has ruled that the exceptions in a privacy
statute that protects drivers' records should be read narrowly and that
attorneys cannot use DMV records to solicit clients. In Maracich v.
Spears, the Court ruled that solicitation is not a permissible use of
state motor vehicle records under the Driver's Privacy Protection Act
(DPPA). The DPPA says that personal information in DMV records cannot
be obtained and used by individuals except for certain enumerated
purposes.
Justice Anthony Kennedy, writing for the majority, said, "To permit
this highly personal information to be used in solicitation is so
substantial an intrusion on privacy it must not be assumed, without
language more clear and explicit, that Congress intended to exempt
attorneys from DPPA liability in this regard." Justice Kennedy further
said:
"Petitioners and other state residents have no real choice but to
disclose their personal information to the state DMV, including
highly restricted personal information. The use of that information
by private actors to send direct commercial solicitations without
the license holder’s consent is a substantial intrusion on the
individual privacy the Act protects."
As Justice Kennedy explained, "Congress chose to protect individual
privacy by requiring a state DMV to obtain the license holder’s
express consent before permitting the disclosure, acquisition, and
use of personal information for bulk solicitation," adding, "Direct
marketing and solicitation present a particular concern not only
because these activities are of the ordinary commercial sort but also
because contacting an individual is an affront to privacy even beyond
the fact that a large number of persons have access to the personal
information."
Writing in dissent, Justice Ruth Bader Ginsburg expressed concern that
the Court's opinion would make it more difficult for attorneys to
contact clients.
Congress passed the DPPA in 1994 in order to prevent stalking and
solicitation using the personal information contained within motor
vehicle records. The statute contains a blanket prohibition on the use
of personal information contained within DMV records, unless the user
can meet one of the enumerated exceptions, a common formula for privacy
protection statutes. The Court ruled that Congress' formulation of
these statutes deserves deference. Justice Kennedy said that when
Congress wishes to create an exception to a privacy protection, it
uses "explicit terms." Consequently, said Kennedy, exceptions should be
interpreted "narrowly in order to preserve the primary operation of the
provision," rather than to the outer limits of the text.
State DMV records contain a huge amount of sensitive personal
information, including Social Security Numbers, biometric identifiers,
and medical information. EPIC filed a "friend of the court" brief
discussing the wide range of personal information contained in DMV
records and the risks of identity theft. Following the enactment of
the Department of Homeland Security's REAL ID rules, state DMVs will
be required to collect and retain substantially more detailed personal
information.
In 1999, EPIC submitted a "friend of the court" brief defending the
DPPA in the case Reno v. Condon. The Supreme Court, in a unanimous
opinion by Chief Justice Rehnquist, upheld the constitutionality of
the law.
US Supreme Court: Decision in Maracich v. Spears (Jun. 17, 2013)
http://www.supremeco...12pdf/12-25_4314.pdf
EPIC: "Friend of the Court" Brief in Maracich v. Spears (Nov. 16, 2012)
http://epic.org/redi...marchich-amicus.html
EPIC: Driver's Privacy Protection Act
http://epic.org/privacy/drivers/
EPIC: Maracich v. Spears
http://epic.org/amicus/dppa/maracich/
EPIC: Reno v. Condon
http://www.epic.org/.../epic_dppa_brief.pdf
========================================================================
[3] EPIC Obtains Docs Detailing FBI Collection of DMV Photos
========================================================================
EPIC has obtained, via a Freedom of Information Act request, a number
of agreements between the FBI and state DMVs. The agreements allow the
FBI to use facial recognition to compare subjects of FBI investigations
with the millions of license and identification photos retained by
participating state DMVs.
According to the documents obtained by EPIC, this facial recognition
program is run by the FBI's Facial Analysis, Comparison, and Evaluation
Services (FACES) Unit. According to a Standard Operating Procedure for
FACES, the "service will be expanded to include a larger customer base
as the operation evolves." Currently, the FACES team provides a photo
to state DMVs, which then return up to 25 results per DMV for
evaluation. FACES also has access to photos from other federal
databases, including the Departments of State and Defense.
A Privacy Threshold Analysis obtained by EPIC indicates that a Privacy
Impact Assessment is required of FACES, but to date EPIC has not
received any documentation to indicate that a Privacy Impact Assessment
had been performed.
In addition to facial recognition programs, the FBI is developing a
biometric database program called "Next Generation Identification;"
photographs used for facial recognition will be part of this database.
EPIC is suing the FBI to learn more about the development of Next
Generation Identification, which will include iris scans, DNA profiles,
voice identification profiles, and palm prints.
EPIC: FOIA Request to FBI re: FACES (Mar. 29, 2013)
http://epic.org/foia...est-FBI-DMV-MOUs.pdf
EPIC: FBI Agreements with State DMVs (Mar. 2013)
http://epic.org/foia...-MOUs-FACES-Unit.pdf
EPIC: FBI FACES Unit Standard Operating Procedure (Apr. 9, 2013)
http://epic.org/foia...I-SOP-FACES-Unit.pdf
EPIC: FBI FACES Privacy Threshold Analysis (Apr. 1, 2011)
http://epic.org/foia...I-PTA-FACES-Unit.pdf
EPIC: EPIC v. FBI – Next Generation Identification
http://epic.org/foia/fbi/ngi/
EPIC: Facial Recognition
http://epic.org/privacy/facerecognition/
========================================================================
[4] EPIC to FCC: Investigate Disclosure of Consumer Phone Records
========================================================================
In a letter to Federal Communications Commission Chair Mignon Clyburn,
EPIC has urged the agency to determine whether Verizon violated the
Communications Act when it released consumer call detail information to
the National Security Agency (NSA). In early June, UK newspaper The
Guardian reported that, in response to a Foreign Intelligence
Surveillance Court order, Verizon had released identifying call
metadata to the NSA, including telephone numbers, time of call, and
call duration. The Guardian also published a copy of the classified
order.
EPIC's letter argues that, by "surrendering protected information of
its consumers in response to a facially invalid order, Verizon has
violated the legal protections surrounding consumer proprietary
network information ('CPNI')," which includes the time, date,
duration, destination number, and location of telephone calls, and any
other information that appears on the subscriber's telephone bill.
According to the letter, a key provision of the Telecommunications Act
"places strict limits on telecommunications carriers' ability to
disclose CPNI. Disclosure is only permitted as required by law, with
the customer's consent, or pursuant to four narrowly drawn exceptions
related to the facilitation of telecommunications or emergency
services."
"Verizon's disclosure of CPNI to the NSA was not authorized under the
Telecommunications Act because it did not fall under any of the Act's
permissible disclosures. Verizon customers did not authorize these
disclosures," EPIC's letter maintains. The letter also refers the FCC
to EPIC's June 7 letter to Congress, detailing the illegality of the
FISC order that presumably formed the basis for Verizon's disclosures
of CPNI.
"The role of carriers like Verizon is particularly important because
the structure of the Foreign Intelligence Surveillance Act does not
allow for meaningful public oversight or accountability," EPIC
argues. Thus, "millions of consumers had no way of knowing that their
personal information had been illegally provided to the NSA by Verizon"
– yet at the same time, "these consumers are completely dependent on
Verizon for the protection of their personal phone records."
Congress explicitly charged the Commission with investigating
unauthorized disclosures of consumer call detail information. Over 20
years ago, the FCC ruled that CPNI "belongs to the customers," not
carriers, and restricted carriers' use of CPNI. Since then, the
Commission has exercised authority numerous times to protect the
privacy of consumers' phone records. EPIC's letter therefore urged the
FCC to "investigate Verizon's violations of the Telecommunications Act,
and its consumers' privacy, by surrendering protected information in
response to a plainly unlawful order."
EPIC: Letter to FCC re: NSA Surveillance (Jun. 11, 2013)
http://epic.org/priv...C-FCC-re-Verizon.pdf
FISA: Verizon Order (Apr. 23, 2013)
http://epic.org/priv...Order-to-Verizon.pdf
EPIC: Foreign Intelligence Surveillance Act
http://epic.org/privacy/terrorism/fisa/
EPIC: Clapper v. Amnesty Int'l
http://epic.org/amicus/fisa/clapper/
EPIC: USA PATRIOT Act
http://epic.org/priv...errorism/usapatriot/
========================================================================
[5] NSA Targeting and Minimization Procedures Released
========================================================================
Top Secret documents recently published by the UK's Guardian newspaper
reveal the National Security Agency's procedures for targeting non-US
citizens under the Foreign Intelligence Surveillance Act, as well as
the minimization procedures for information collected about US
citizens. The documents indicate that "[a] person whose location is not
known will be presumed to be a non-United States person." The
minimization procedures also contain a number of exceptions that allow
for the NSA to collect domestic communications.
According to the documents, the NSA may collect any communications
based on the fact that the communications are encrypted, and retain the
encrypted information for as long as needed to exploit it. The
documents also indicate the NSA maintains databases of the telephone
numbers, email accounts, and other identifiers of US citizens.
In response to the recent revelations about NSA domestic surveillance,
Senator Patrick Leahy (D-VT), joined by several other US senators, has
introduced a bill amending certain provisions of the USA PATRIOT Act
and the FISA Amendments Act. The bill would increase the NSA's
threshold for obtaining domestic metadata, require court-approved
minimization procedures, and move up expiration dates on surveillance
authorities to June 2015.
EPIC recently petitioned the NSA to suspend domestic surveillance
pending public comment. In May 2012, EPIC testified before Congress on
the FISA Amendments Act of 2008 and made recommendations on improving
public accountability and oversight for FISA. EPIC urged Congress
not to reauthorize the FISA Amendments Act until adequate oversight
procedures were in place. "Where the government is given new
authorities to conduct electronic surveillance, there should be new
means of oversight and accountability," EPIC stated.
NSA: Minimization Procedures in Foreign Intelligence (Jul. 28, 2009)
http://epic.org/redi...sa-minimization.html
NSA: Procedures for Targeting Non-US Persons (July 28, 2009)
http://epic.org/redi...3-nsa-targeting.html
Sen. Patrick Leahy (D-VT): Text of FISA Bill (Jun. 2013)
http://www.leahy.sen...ov/download/sch13282
EPIC: NSA Petition (Jun. 17, 2013)
http://epic.org/NSApetition/
EPIC: Testimony on the FISA Amendments Act of 2008 (May 31, 2012)
http://epic.org/redi...-fisa-testimony.html
EPIC: Foreign Intelligence Surveillance Act (FISA)
http://epic.org/privacy/terrorism/fisa/
========================================================================
[6] News in Brief
========================================================================
EU Commissioner Asks Attorney General to Explain US Spying
European Justice Commissioner Viviane Reding has demanded that US
Attorney General Eric Holder explain the scope of US data collection on
EU citizens. "Direct access of US law enforcement to the data of EU
citizens on servers of US companies should be excluded unless in
clearly defined, exceptional and judicially reviewable situations," the
Commissioner wrote. The Commissioner's request is similar to that made
by other European officials, including German Justice Minister Sabine
Leutheusser-Schnarrenberger, who also stated that "all facts must be
put on the table." Recent reports indicate that the US lobbied the European
Commission to weaken a comprehensive data protection law now pending in
the European Parliament. Earlier in 2013, EPIC joined a coalition of
leading US consumer and civil liberties organizations expressing concern
about the role of US officials in the development of European privacy
law. The coalition's letter stated that "without exception," members of
the European Parliament reported that the US government was "mounting
an unprecedented lobbying campaign to limit the protections that
European law would provide."
EU Justice Commissioner: Letter to USAG re: NSA (Jun. 13, 2013)
http://www.statewatc...reding-ag.letter.pdf
German Justice Ministry: Statement on NSA (Jun. 12, 2013)
http://epic.org/redi...n-nsa-statement.html
EU: Draft of Data Protection Law (Jan. 25, 2013)
http://epic.org/redi...-data-law-draft.html
EPIC et al.: Letter to US Officials re: EU Privacy Law (Feb. 4, 2013)
http://epic.org/priv...re-EU-US-Privacy.pdf
EPIC: EU Data Protection Regulation
http://epic.org/priv...ction_directive.html
EPIC, Coalition Demand Congress Investigate NSA Surveillance
EPIC and a coalition of over 100 civil liberties organizations and
Internet companies have sent a letter to the US Congress, demanding a
full-scale investigation into the National Security Agency's domestic
surveillance activities. The coalition's letter emphasized the need
for public transparency and an end to dragnet surveillance: "This type
of blanket data collection by the government strikes at bedrock
American values of freedom and privacy," the letter states. EPIC is
also spearheading a petition to the NSA that requires the agency to
suspend programs that collect information on all US persons. EPIC
intends to renew the request to the agency every week until the NSA
responds.
Civil Liberties/Internet Coalition: Letter to Congress (Jun. 2013)
http://epic.org/priv...Coal-NSA-Spy-Ltr.pdf
EPIC: Petition to NSA to Stop Data Collection on US Persons
http://epic.org/NSApetition
EPIC: NSA: Verizon Phone Record Monitoring
http://epic.org/priv...verizon/default.html
EPIC: USA PATRIOT Act
http://epic.org/priv...errorism/usapatriot/
EPIC: Domestic Surveillance
http://epic.org/feat...es/surveillance.html
EPIC Opposes DHS Biometric Collection
EPIC has submitted comments to the Department of Homeland Security,
staunchly opposing the agency's border biometric collection,
facilitated through the Office of Biometric Identity Management
program. Since at least 2004, DHS has collected fingerprints and facial
photos from individuals entering the US, which are then disseminated to
DHS agency components, other federal agencies, "federal, state, and
local law enforcement agencies," and the "federal intelligence
community." Currently, at least 30,000 individuals from federal, state,
and local governments can access the DHS biometric data, which DHS also
shares with foreign governments, including Canada, Australia, and the
United Kingdom. EPIC's comments urge the agency to cease collecting
biometric information without proper privacy safeguards in place.
Should the agency continue to collect this sensitive information, EPIC
recommends that DHS: (1) impose strict information security safeguards
on biometric information collection and limit dissemination of
biometric information; (2) conduct a comprehensive privacy impact
assessment on the biometric collection program; (3) grant individuals
Privacy Act rights before collecting additional biometric information;
and (4) adhere to international privacy standards.
EPIC: Comments to DHS re: US Border Biometric Collection (Jun. 14, 2013)
http://epic.org/priv...s/EPIC-OBIM-Cmts.pdf
DHS: RFC on US Border Biometric Collection (Apr. 15, 2013)
http://www.gpo.gov/f...5/pdf/2013-08718.pdf
DHS: Government Agencies Using US-VISIT
http://www.dhs.gov/g...ncies-using-us-visit
EPIC: US-VISIT
http://epic.org/privacy/us-visit/
EPIC: Biometrics
http://epic.org/privacy/biometrics/
EPIC Recommends Privacy Protections for Natural Disaster Survivors
In comments to the National Institutes of Health, an agency component
of the US Department of Health and Human Services, EPIC urged the
agency to safeguard personally identifiable information following
natural disasters. The agency proposes to use the "People Locator"
system and related mobile app ReUnite to reunite "family and friends
who are separated during a disaster." The People Locator system allows
third parties to enter highly sensitive information about each missing
or located individual, which in turn is accessed by the public,
including an individual's name, location, date of birth, race,
religion, health status, address, and photographs. EPIC recommended
that the agency: (1) limit data collection to relevant information;
(2) protect the system's security by implementing data access control
and establishing data quality standards; (3) define a record retention
and disposal schedule; (4) establish guidelines, which adhere to the
Fair Information Practices, for disclosures to third parties.
EPIC: Comments to NIH re: Disaster People Locator (Jun. 14, 2013)
http://epic.org/redi...ic-nih-comments.html
NIH: Request for Comments on People Locator System (Apr. 15, 2013)
http://www.gpo.gov/f...5/pdf/2013-08788.pdf
NIH: Lost Person Finder
https://lpf.nlm.nih.gov/
EPIC: Locational Privacy
http://epic.org/priv...cy/location_privacy/
Senator Paul Seeks Answers about FBI's Domestic Drone Use
Senator Rand Paul (R-KY) has sent a letter to FBI Director Robert
Mueller seeking answers about the FBI's domestic use of drones. In a
recent US Senate Judiciary Committee hearing on FBI oversight,
Director Mueller admitted that the FBI uses drones for domestic
surveillance. Mueller also stated there were no guidelines in place
to regulate the FBI's use of drones or protect the privacy of
Americans. In 2012, EPIC petitioned the Federal Aviation
Administration to conduct a public rulemaking addressing domestic
drones' threat to privacy and civil liberties. Earlier in 2013, EPIC
petitioned the Bureau of Customs and Border Protection to establish
privacy regulations for CBP's drone use, and testified before the US
Congress on domestic drones and privacy.
Sen. Rand Paul (R-KY): Letter re: Domestic Drone Use (Jun. 20, 2013)
http://www.paul.sena...ts/MuellerDrones.pdf
US Senate Judiciary Comm.: Hearing on Domestic Drones (Jun. 19, 2013)
http://epic.org/redi...3-senate-drones.html
EPIC et al.: Petition to FAA re: Drone Privacy (Feb. 24, 2012)
http://epic.org/priv...etition-03-08-12.pdf
EPIC: Petition to CBP re: Domestic Drone Privacy (Mar. 2013)
http://epic.org/drones_petition/
EPIC: Testimony Before US Congress on Domestic Drones (Mar. 13, 2013)
http://epic.org/redi...drone-testimony.html
EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones
http://epic.org/privacy/drones/
Privacy Officials Seek Answers on Google Glass
More than 30 international privacy officials, including the Privacy
Commissioner of Canada and the Chairman of the EU's Article 29 Working
Party, have written to Google demanding information on Google Glass.
"[W]e would strongly urge Google to engage in a real dialogue with data
protection authorities about Glass," the letter states. The coalition
also lists eight specific questions for Google to answer, including how
Glass complies with privacy laws and how Google intends to use the
information collected by Glass. Recently, members of the US
Congressional Bi-Partisan Privacy Caucus wrote to Google with similar
questions about Glass; following the letter, Google announced that it
would not approve any facial recognition apps for Glass.
Canadian Privacy Commissioner: Letter to Google (Jun. 18, 2013)
http://www.priv.gc.c...13/nr-c_130618_e.asp
US Congress: Bi-Partisan Privacy Caucus Letter to Google (May 16, 2013)
http://joebarton.hou...eGlassLtr_051613.pdf
Google: Press Release on Glass and Facial Recognition (May 31, 2013)
https://plus.google....ss/posts/fAe5vo4ZEcE
EPIC: Google Glass and Privacy
http://epic.org/priv...e/glass/default.html
European Privacy Authorities Give Google 3 Months to Comply with Law
European data protection authorities have ordered Google to comply with
EU data protection law or face fines. The French Data Protection
Authority (CNIL), which led the investigation into Google's
consolidation of user data, stated that "Google has not implemented any
significant compliance measures", and gave the company three months to
comply with CNIL requirements. The decision follows an investigation
triggered by the collapse of the Google privacy policy in March 2012,
which allowed the company to combine user data across 60 Internet
services to create detailed profiles on Internet users. In response,
EPIC sued the Federal Trade Commission to enforce the terms of a
settlement with Google that would have prohibited changes in Google's
business practices. Google's consolidation also prompted objections
from state attorneys general, members of Congress, and IT managers in
the government and private sectors.
CNIL: Press Release on Google Order (Jun. 20, 2013)
http://epic.org/redi...e-press-release.html
NAAG: Letter to Google re: Privacy Policy Changes (Feb. 22, 2012)
http://epic.org/redi...g-google-letter.html
US Congress: Bi-Partisan Privacy Caucus Letter to FTC (Feb. 17, 2012)
http://epic.org/redi...s-letter-google.html
SafeGov: Blog Post on Google Privacy Changes (Jan. 25, 2012)
http://epic.org/redi...gov-google-post.html
EPIC: In re: Google Buzz
http://epic.org/privacy/ftc/googlebuzz/
EPIC: EPIC v. FTC (Enforcement of the Google Consent Order)
http://epic.org/priv...e/consent-order.html
EPIC's Rotenberg: "Time to Restore Oversight of Domestic Surveillance"
Writing in The Washington Post, EPIC President Marc Rotenberg said
that there is a clear problem that needs to be addressed following the
news report of the NSA's domestic surveillance program: "the Foreign
Intelligence Surveillance Court (FISC) is an inadequate check on the
government’s demands for personal information." Rotenberg pointed
to the routine approval of all surveillance orders presented to the
surveillance court. He also wrote that the court has exceeded its
statutory purpose. "No longer tethered to the mission of enabling the
monitoring of foreign agents or the collection of foreign intelligence,
the FISC’s enormous surveillance authorities are now directed to the
daily activities of Americans." EPIC's President concluded, "It may be
the case that the government needs access to vast amounts of telephone
records and the user data held by Internet firms. But that argument can
no longer be made to a court where there is no meaningful review and
too little public accountability."
Marc Rotenberg in The Washington Post: "It Is Time to Return to
Oversight of Surveillance Authority" (Jun. 12, 2013)
http://www.washingto...s-time-to-return-to-oversight-of-surveillance-authority/2013/06/12/522fe660-d217-11e2-9577-df9f1c3348f5_story.html