Massachusetts’s new data protection law went into effect at the beginning of March. The law applies to all companies that own or license the personal information of Massachusetts residents. According to the new regulations, companies are now required to create a comprehensive security program that details how personal information will be safeguarded. Governor Deval Patrick stated, “Consumers should feel confident that their personal information is protected, and not exposed to loss or theft. These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden.” For more information on privacy and identity theft, see EPIC: Identity Theft.
On March 2, 2010, the German Federal Constitutional Court ruled that a law allowing law enforcement authorities to store telephone and Internet data is inconsistent with the right to privacy under the German Constitution. The law allows data on calls and e-mail exchanges to be retained for six months, and made available for use by criminal authorities. The court found that the law went beyond the original intent of the directive the European Union enacted in March 2006. EPIC has documented the impact of data retention requirements. For more information, see EPIC’s webpage on data retention.
In response to an EPIC Freedom of Information Act lawsuit, the Department of Homeland Security and the Transportation Security Administration (TSA) released more documents about body scanners in US airports. The documents include many complaints from travelers who went through the devices. Travelers reported that they were not told about the pat down alternative or that they were going to be subject to a body scan by TSA officials. Travelers also expressed concern about radiation risks to pregnant women and the image capture of young children without clothes. EPIC has previously obtained whole body imaging vendor contracts, operational requirements, and procurement specifications from TSA. EPIC and Ralph Nader have urged President Obama to suspend the program until an independent review is completed. For more information see EPIC: Whole Body Imaging Technology.
The FTC has sent a letter to EPIC regarding the February 2010 EPIC complaint about Google’s recently launched social networking tool, Google Buzz. In the letter, the Bureau of Consumer Protection Director states that the complaint “raises interesting issues that relate to consumer expectations about the collection and use of their data.” Further, the FTC Director highlights the importance of having consumers “understand how their data will be used” and allowing consumers the “opportunity to exercise meaningful control over such uses.” EPIC has since filed an amended complaint with the FTC that describes how Google Buzz violated Google’s own privacy policy for Gmail. For more information, see EPIC: In re Google Buzz.
The Judiciary Subcommittee on Human Rights and the Law held a hearing on "Global Internet Freedom and the Rule of Law," which focused on information technology industry business practices in countries that restrict the internet . The Senate hearing came one month after Secretary Clinton delivered a speech on internet freedom. Following the speech, EPIC and 29 experts of technology and privacy wrote a letter to Secretary Clinton, urging the United States to begin the process of ratifying the Council of Europe Convention on Privacy, which seeks to protect fundamental human rights as technology advances. EPIC made the same recommendation in statements for the record for a House hearing on Google and U.S. Cyberspace Policy, and for the Senate hearing on Internet Freedom. For more information, see Letter from State Department regarding Clinton Letter and EPIC’s NSPD-54 complaint.
The Senate confirmed Julie Brill, former Vermont Assistant Attorney General, to fill a vacancy for FTC Commissioner. Brill served for over 20 years as Vermont’s Assistant Attorney General for Consumer Protection and Antitrust, and currently serves as Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust for the North Carolina Department of Justice. Brill has had experience with several important consumer protection issues, including tobacco, food and drug, antitrust, and privacy and identity theft. Senator Leahy (D-VT) expressed support for Brill’s confirmation, proclaiming, “We again have an FTC that is on the side of the consumers. Julie Brill will help revitalize an FTC that has languished while consumers’ interests have given way to special interests.”
EPIC has filed a "friend of the court" brief in the United States Supreme Court, urging the Justices to protect the privacy of those who sign petitions. In Doe v. Reed, the Court has been asked to determine whether the state of Washington may force disclosure of the names of citizens who have signed petitions for ballot initiatives. EPIC's brief argues that revealing the names would subject signatories to the risk of retribution, that signing petitions constitutes anonymous speech, and that signing petitions is similar to casting a vote and should be protected accordingly. For more information, see EPIC Doe v. Reed.
The White House announced today that it has made a description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing litigation regarding a Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and EPIC: EPIC Seeks Records on Google-NSA Relationship.
EPIC has filed a supplement to its earlier complaint with the Federal Trade Commission, urging the FTC to investigate Google Buzz. EPIC's original complaint cited clear harms to service subscribers, and alleges that the change in business practices "violated user expectations, diminished user privacy, contradicted Google's privacy policy, and may have violated federal wiretap laws." EPIC's supplemental complaint elaborates on the specific ways in which Google Buzz constituted a violation of Google's stated Privacy Policy for Gmail. For more information, see EPIC: In re Google Buzz.
Today the Supreme Court of the United States issued an order that will allow a privacy case against the Hustler Magazine to continue in lower courts. In March of 2008, less than a year after she was murdered by her wrestler husband, naked photos of Nancy Benoit were published in the magazine. Nancy Benoit's mother Maureen Toffoloni, sued the magazine, claiming that her daughter had asked immediately after the shoot to have the photos and video destroyed and believed that photographer Mark Samansky had done so. Hustler magazine asked the court to dismiss the action, arguing that publication of the pictures was protected by the First Amendment. The Appeals Court ruled against Hustler magazine in June, allowing the lawsuit to go forward. Hustler appealed the decision and the Supreme Court let stand the lower court's ruling.
The Government Accountability Office (GAO) recently released a report regarding the deployment of body scanners. The GAO cited its 2009 recommendations to the Transportation Security Administration (TSA): that the TSA conduct operational tests to ensure that the whole body imaging machines are reliable, and the that TSA conduct an assessment of the whole body imaging machines' vulnerabilities. In its latest report, the GAO warned TSA of the importance of full operational tests, citing the puffer machine debacle as an example of the government waste that results from insufficient operational testing. The GAO also expressed concern over TSA's lack of complete risk assessments and inability to "provide documentation to show how they have addressed the concerns raised in the 2009 GAO report regarding the susceptibility of the technology to terrorist tactics." Because of this, the GAO concluded that it is unclear whether the body scanners or other technologies would have detected the weapon used in the December 25 attempted attack. For more information, see EPIC: Whole Body Imaging Technology and Body Scanners.
Following a hearing last week, U.S. District Court Judge Seeborg reserved decision about the approval of Facebook’s proposed 9.5 million dollar settlement in a case involving Facebook Beacon. According to the settlement terms, Facebook would contribute about $6 million to the establishment of a privacy organization. Facebook, however, would maintain control over this organization, as Facebook's top lobbyist would become co-President and all significant decisions would require a unanimous vote. EPIC and several other privacy organizations, including the Consumer Federation of America and the Privacy Rights Clearinghouse, have written a letter to Judge Seeborg, ask him to reject the settlement as proposed. For more information, see EPIC: Facebook Privacy.
EPIC FOIA Note #16: 
