Electronic Privacy Information Center
In re Facebook and the Facial Identification of Users
- Sen. Rockefeller Requests FTC Report on Facial Recognition Technology: Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which “tracks the male/female ratio and age mix of the crowd [in bars]” and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)
- Facebook Makes Some Changes, Privacy Complaints Still Pending: In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about FB’s automated tagging of users, changes in privacy settings, and transfers of personal data, stating that Facebook’s practices were “unfair and deceptive.” Facebook’s recent actions address some but not all of the issues raised by the consumer organizations. The complaints at the FTC are still pending. For more information see EPIC: Facebook Privacy. (Aug. 29, 2011)
Future Attribute Screening Technology (FAST) Project FOIA Request
- According to documents published by the Department of Homeland Security, FAST is a “Minority Report” style initiative that seeks to determine the probability that an individual, who is not suspected of any crime, might commit a future criminal act. Under the FAST program, the DHS will collect and retain a mix of “physiological and behavioral signals” from individuals as they engage in daily activities.
Information Fusion Centers and Privacy
- White House Budget Funds Surveillance, Ignores Public Concerns: The White House Office of Management and Budget has released the federal budget for fiscal year 2012. The stated goal of the budget is to reduce the national deficit by eliminating wasteful programs. However, the budget proposal includes funding for 275 airport body scanners, which EPIC has called “invasive, unlawful, and ineffective.” There is funding for federal “fusion centers,” widely viewed as unregulated government databases that are used to track people suspected of new crime. The White House budget proposes expansion of the “Secure Communities” program, which has been the target of harsh criticism by civil liberties groups.
Investigations of Google Street View
- When Google began the Street View project in 2007, many privacy concerns were raised, but the debates focused almost exclusively on the collection and display of images obtained by the Google Street View digital cameras. It turns out that Google was also obtaining a vast amount of Wi-Fi data from Wi-Fi receivers that were concealed in the Street View vehicles. Following independent investigations, Google now concedes that it gathered MAC addresses (the unique device ID for Wi-Fi hotspots) and network SSIDs (the user-assigned network ID name) tied to location information for private wireless networks. Google also admits that it has intercepted and stored Wi-Fi transmission data, which includes email passwords and email content.
Location Privacy: Apple iPhone / iPad
- Supreme Court to Hear Arguments in GPS Tracking Case: The United States Supreme Court will hear arguments on November 8 to determine whether the warrantless use of a GPS tracking device by the police violates the Fourth Amendment. EPIC filed a “friend of the court” brief in US v. Jones, urging the Supreme Court to uphold robust Fourth Amendment protections. Along with 30 legal and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a “search” under the Fourth Amendment and requires judicial oversight. Arguing in support of a lower court decision, EPIC warned that, “it is critical that police access to GPS tracking be subject to a warrant requirement.” The Supreme Court will consider both whether persistent GPS tracking constitutes a “search” and also whether the installation of a GPS tracking device on a private vehicle is a “seizure.”
- Sen. Schumer Calls for Investigation into “brazen” OnStar Privacy Violation: Senator Charles Schumer (D-NY) wrote a letter to the Federal Trade Commission requesting an investigation into OnStar’s announcement that it would track the location of its customers’ vehicles even after the customers canceled their service. OnStar also reserved the right to sell such locational information to advertisers. In an interview with FOX News last week, EPIC Executive Director Marc Rotenberg warned that the company would make data of former customers available to third parties.
Medical Record Privacy
- Cignet Fined $4.3 Million for Privacy Violations: The Department of Health and Human Services has determined that Cignet Health violated the privacy rule of the Health Insurance Portability and Accountability Act of 1996. The agency fined Cignet $4.3 million for denying patients access to their medical records and for failing to cooperate with the investigation. This is the first time that the agency has used its legal authority to penalize a company for privacy violations.
- Google “Flu Trends” Raises Privacy Concerns. Google announced this week a new web tool that may make it possible to detect flu outbreaks before they might otherwise be reported. Google Flu Trends relies on individual search terms, such as “flu symptoms,” provided by Internet users. Google has said that it will only reveal aggregate data, but there are no clear legal or technological privacy safeguards to prevent the disclosure of individual search histories concerning the flu, or related medical concerns, such as “AIDS symptoms,” “ritalin,” or “Paxil.” Privacy and medical groups have urged Google to be more transparent and publish the algorithm on which Flu Trends data is based so that the public can determine whether the privacy safeguards are adequate.
- U.S. Company Implants Chips Into Two Employees. An Ohio video surveillance company, CityWatcher.com, has embedded silicon chips into two of its employees. The chips are planted in the person’s upper right arm and “read” by a device similar to a card reader. The company says it is testing the technology as a way to limit access to a security area. In 2004, the Food and Drug Administration approved the use of an implantable computer chip for health care information applications. Called the VeriChip, it is a radio frequency identification (RFID) device about the size of a grain of rice. For more information, see EPIC’s radio frequency identification (RFID) and VeriChip pages.
- VeriChip RFID Implant Is Cloned. Programmer Jonathan Westhues has recently proved that the VeriChip implantable RFID chip can be easily copied. Anybody capable of purchasing off-the-shelf electronics equipment and reading the description below can now impersonate the bearer of the chip and gain access to their medical records, among other things. As VeriChip has marketed its chip as a means of managing access control to buildings and medical records, this represents a significant threat to the bearer’s privacy and security.
National ID and the REAL ID Act
- Worker Biometric ID Under Consideration in US: Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that “all U.S. citizens and legal immigrants who want jobs” obtain a “high-tech, fraud-proof Social Security card” with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers.
National Strategy for Trusted Identities in Cyberspace (NSTIC)
- EPIC, Joined by 13 Organizations, Sends Statement on NSTIC: EPIC, joined by the American Library Association, Liberty Coalition, Bill of Rights Defense Committee, and the Center for Media and Democracy, among others, sent a statement to the Department of Homeland Security responding to the Administration’s call for comments regarding its National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition’s comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance.
USA Patriot Act
- EPIC: USA PATRIOT Act. (May 24, 2011)
Re-identification is the process by which anonymized personal data is matched with its true owner.
- Netflix Cancels Contest over Privacy Concerns: Netflix canceled its second $1 million Netflix Prize after privacy concerns from the FTC and a federal lawsuit alleging invasion of privacy and violations of the Video Privacy Protection Act. The Netflix contest challenged contestants to find a superior movie-recommendation algorithm from “anonymized” datasets that included movie ratings, date of ratings, unique ID numbers for Netflix subscribers, and movie information. In 2006, during the first Netflix Prize contest, researchers conducted a study that revealed that if a person has information about when and how a user rated six movies, that person can identify 99% of people in the Netflix database. After productive discussions with the FTC over reidentification concerns that stemmed from this study, Netflix and the federal agency reached an understanding on how Netflix would use user data in the future. Netflix also settled the VPPA lawsuit.
Search Engine Privacy
- Congress Pursues Investigation of Google and Facebook’s Business Practices: Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google’s collection of user data “may be the subject of federal and state investigations” and asked Google to retain the data until “such time as review of this matter is complete.” Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year.
- Microsoft to Delete Search Data after Six Months, Following Recommendation by European Privacy Officials: In order to comply with European privacy law, Microsoft announced that it will delete user search data, including IP addresses, after six months. In 2008 the Article 29 Working Group, which includes data protection officials across the European Union, met with Microsoft, Google, and Yahoo to discuss their data retention practices. Following a determination that records are subject to European privacy law, the Article 29 Working Group asked the search engine companies to eliminate online user data, including IP addresses and search queries, after six months. Microsoft will redesign its new Bing search engine to comply with the request. It is unclear at this point what Google and Yahoo will do. In early 2008, EPIC urged the European Parliament to protect the privacy of search histories.
- Change in Yahoo Search Retention Leaves Privacy Questions Unresolved. Yahoo announced that, after 90 days, it will obscure some elements in the records that it keeps about all Internet users who use the company’s services. The search company will continue to keep modified record locators, time/date stamps, web pages viewed, and a persistent user identifier, known as a “cookie,” for an indefinite period. Yahoo is also retaining much of the IP address, which typically identifies a user’s device, such as a laptop or a mobile phone. Privacy rules classify IP addresses as “personal data.” Experts have criticized the partial deletion of IP address data as insufficient to protect consumers, and called for complete deletion.
Secure Communities and Privacy
- EPIC, Coalition Seeks Investigation of New FBI ID Program and “Secure Communities”: A coalition of civil liberties and civil rights organizations has asked the Inspector General of the Department of Justice to investigate the FBI’s Next Generation Identification program, a “billion-dollar initiative to create the world’s largest biometric database.” The 70 organizations, including EPIC, have also urged an assessment of “Secure Communities,” the mismanaged federal deportation effort. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program.
- Department of Homeland Security Terminates Biometric Collection Agreements With States, Intends to Continue Program Without Safeguards: The Department of Homeland Security wrote to State Governors, stating that the agency intends to terminate agreements with state and local governments concerning the Secure Communities program. The agency states that it intends to unilaterally pursue the program despite the termination, though it fails to cite any legal authority in support of the tactic. The statement follows lawmakers’ recent criticism of Secure Communities. The program collects and discloses biometric information obtained from individuals who come into contact with police. In June, California legislators urged Governor Jerry Brown to suspend the state’s participation in Secure Communities, citing a “crisis of confidence” in the program. The lawmakers identified numerous risks raised by the program and noted that “victims of domestic violence have been [wrongfully] placed into deportation proceedings as the result of Secure Communities when they simply called the police for help.”