Category Archives: Privacy

NJ Federal Court Issues Notice about Redaction of Private Information from Court Filings

by Christina Frangiosa

I received this notice today from the U.S. District Court for the District of New Jersey, and thought it worthwhile to post in its entirety:

It has come to our attention that electronic filers may be using inappropriate procedures or software to redact documents. We encourage all electronic filers to review their software guides and/or check with your systems’ staff regarding this issue. The redaction techniques below can also be found on the court’s web site at http://www.njd.uscourts.gov/cm-ecf/RedactTips.pdf.

Effective Personal-Identity and Metadata Redaction Techniques for E-Filing

When you e-file a PDF document, you may be providing more information in that document than you can see via your PDF reader software. Some redaction techniques used when e-filing are ineffective, in that the text intended to be hidden or deleted can be read via a variety of techniques. And, because information about the document, called “metadata”, is also stored inside the document, it is often viewable as well. Examples of metadata and hidden data include the name and type of file, the name of the author, the location of the file on your file server, the full-sized version of a cropped picture, and prior revisions of the text.

E-filers must use extra care to make sure that the PDF documents to be submitted to ECF are fully and completely free of any hidden data which may contain redacted information. The protection of sensitive data can be compromised if improper redaction techniques are used. Here are a couple of examples of sensitive-data visibility issues:

* Highlighting text in black or using a black box over the data in MS Word or Adobe Acrobat will not protect the data from being able to be seen. Changing the text color to white so it disappears against the white screen/paper is similarly ineffective.

* Previous revisions and deleted text may be able to be seen by manipulating an Adobe Acrobat file.

Fortunately, there are effective means of eliminating this metadata from electronic documents. Probably the simplest method is to omit the information from the original document and save the redacted version with a new name, for example, “REDACTED”, then convert to PDF.

While the court does not endorse any specific method, and the responsibility for redacting personal identifiers rests solely with the parties, commercially-available software can be used to redact, not just hide, the sensitive information. Redax (http://www.blogger.com/www.appligent.com) and RapidRedact (http://www.blogger.com/www.rapidredact.com) are two examples of commercial products used by some. Adobe Acrobat 8.0 Professional and above and WordPerfect XIV both contain redaction tools. Search the web for references that may be useful to you.

While this notice clearly applies to cases filed in the federal court of New Jersey, electronic court filing is also available in the federal court in the Eastern District of Pennsylvania (Philadelphia, Allentown), which has a local rule requiring that certain personal information of the parties be removed from public filings. E.D. Pa. Local Rule of Civil Procedure 5.1.3 (“Modification or Redaction of Personal Identifiers: As documents in civil cases may be made available for personal inspection in the office of the clerk of court at the United States Courthouse, or, if filed electronically, may be made available on the court’s Electronic Case Filing system, such personal identifiers as Social Security numbers, dates of birth, financial account numbers and names of minor children should be modified or partially redacted in all documents filed either in traditional paper form or electronically.”).

UPDATE: This notice is also available on the Court’s web site. See Personal-Identity and Metadata Redaction Notice, October 23, 2009.

Why You Should Read a Web Site’s Terms of Service Before Posting

by Christina Frangiosa

All Internet users should be aware that many of the sites that they visit on a regular basis provide some guidelines about the use that may be made of the site. These guidelines generally cover copyright notices, whether you can copy or share the site’s original content with others, and what rights you retain when you post comments or contributions to their community resources, such as blogs, chats or photo/video share functions. If the site provides content such as podcasts, video clips or streaming content, the Terms of Use will generally outline the limitations to your use and further dissemination of such materials.

For instance, if you visit an online newspaper, such as The New York Times or The Wall Street Journal, the Terms of Service/Use will remind you that the newspaper retains copyright rights in the materials and that by using the site, you agree not to “modify, publish, transmit, participate in the transfer or sale of, reproduce . . ., create new works from, distribute, perform, display or in any way exploit” the newspaper’s original content. NY Times Terms of Service ¶¶ 2.2; see also WSJ’s Subscriber Agreement ¶ 6(b) (users “may not sell, publish, distribute, retransmit or otherwise provide access to the Content received through the Services to anyone, including, if applicable, your fellow students or employees”).

Most of these policies also expressly prohibit using their information for commercial purposes, stressing that their services may be used for “personal use only.” See The Wall Street Journal ¶ 6(b)(iii) (“you may not use such an archive to develop or operate an automated trading system or for data or text mining”).

In addition, if you visit a medical site, the Terms of Use may disclaim any liability for any injuries that you receive by not getting medical treatment for your issues and for your decision to rely on the educational information provided by the site in lieu of seeking treatment. See WebMD. These sites also will disclaim that they provide any medical advice, and will advise you to always follow your doctor’s instructions and obtain proper medical treatment when you need to.

Many of these sites will typically provide guidelines for what material (text, photos, video) can be posted and what may be deemed “offensive” to the applicable community. If you violate the terms of the particular site with respect to “offensive” or “restricted content,” your ability to access the sites or continue a membership with them may be blocked or discontinued.

These Terms of Service – coupled with the site’s posted Privacy Policies (see the prior post, Recommended Reading: Privacy Policies for Web Sites You Visit) – should inform your choices about the behavior that you should use on each site, as well as giving you advanced warning if the site will re-use your information later, perhaps without your express consent.

What Happens to Information You Post – Can the Site Re-Use It?

This really raises questions about who owns the copyright to content that you write. Under U.S. copyright law, an author automatically obtains copyright rights in his or her “original works of authorship” (books, paintings, drawings, photos, sculptures, songs, portions of web sites, etc.) once they are “fixed in any tangible medium of expression.” 17 U.S.C. § 102(a).

You should read the terms of service for any web site on which you plan to post original content, such as comments to news articles, status updates on social networking sites, tweets on Twitter, photos uploaded to a photo sharing web site, or even videos shared on YouTube. Each of these sites has different policies in place regarding what they do with your original content, and in some respects, may limit what you can do with that content later. Here are some examples:

Facebook, Statement of Rights and Responsbilities, ¶ 2: “You own all of the content and information you post on Facebook, and you can control how we share your content through your privacy and application settings. In order for us to use certain types of content and provide you with Facebook, you agree to the following: . . . 1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account (except to the extent your content has been shared with others, and they have not deleted it).”
— This version of Facebook’s terms (dated May 1, 2009) suggests that once you delete your original content – or cancel your account – their limited rights to use it will expire. They also note, however, that if you have shared information with others and if they have not deleted it, Facebook’s ability to access to this material will not
disappear.

Shutterfly, Terms & Conditions ¶ 3: With respect to content you upload, “you will retain ownership of such Submissions, and you hereby grant us and our designees a worldwide, non-exclusive, sublicenseable (through multiple tiers), assignable, royalty-free, fully paid-up, perpetual, irrevocable right to use, reproduce, distribute (through multiple tiers), create derivative works of, and publicly display and perform (publicly or otherwise) such Submissions, solely in connection with the Service (including without limitation for purposes of promoting the Service).”
Note that you also consent to allow Shutterfly to use your likeness for purposes of (among others) promoting or marketing Shutterfly to others: “(iii) you hereby consent to the use of your likeness, and you have obtained the written consent, release, and/or permission of every identifiable individual who appears in a Submission to use such individual’s likeness, for purposes of using and otherwise exploiting the Submission in the manner contemplated by these Terms (including for purposes of promoting the Service), or, if any such identifiable individual is under the age of eighteen (18), you have obtained such written consent, release and/or permission from such individual’s parent or guardian (and you agree to provide to Shutterfly a copy of any such consents, releases and/or permissions upon Shutterfly’s request).”
— Shutterfly reserves the right to re-use your photos or videos to create derivative works for purposes of promoting or marketing their service – and provides that your use of the service constitutes your consent to use your likeness in their marketing efforts.

Snapfish, Terms & Conditions ¶ VII(A): “In order for Snapfish to make your photos available to you and your invitees, as well as to use images to offer you a special variety of online services, Snapfish needs the rights to make use of all Content on the Service, in accordance with and subject to these Terms. Accordingly, as a condition to your Membership, you hereby grant Snapfish a perpetual, universal, non-exclusive, royalty-free right to copy, display, modify, transmit, make derivative works of, and distribute your Content, solely for providing or improving the Service.”
— Snapfish claims to limit its use of your material to anything required to “provide or improve” their service to you.

Twitter, Terms of Service, General Conditions: “The Twitter service makes it possible to post images and text hosted on Twitter to outside websites. This use is accepted (and even encouraged!). However, pages on other websites which display data hosted on Twitter.com must provide a link back to Twitter. . . . We claim no intellectual property rights over the material you provide to the Twitter service. Your profile and materials uploaded remain yours.”
— Twitter appears to claim no rights in any of your original content.

The Wall Street Journal, Subscriber Agreement ¶ 7(b)(iii): “You agree that upon uploading, posting or submitting information on the Services, you grant Dow Jones, and our respective affiliates and successors a non-exclusive, transferable, worldwide, fully paid-up, royalty-free, perpetual, irrevocable right and license to use, distribute, publicly perform, display, reproduce, and create derivative works from your User Content in any and all media, in any manner, in whole or part, without any duty to compensate you.”
— This means that they can re-use what you post, (sometimes) authorize others to re-use it and they are not required to pay you anything for it, or obtain your prior permission.

WebMD, Terms & Conditions, User Submissions: “If you submit any business information, idea, concept or invention to WebMD by email, you agree such submission is non-confidential for all purposes. . . . If you make any submission to a Public Area or if you submit any business information, idea, concept or invention to WebMD by email, you automatically grant-or warrant that the owner of such content or intellectual property has expressly granted-WebMD a royalty-free, perpetual, irrevocable, world-wide nonexclusive license to use, reproduce, create derivative works from, modify, publish, edit, translate, distribute, perform, and display the communication or content in any media or medium, or any form, format, or forum now known or hereafter developed. WebMD may sublicense its rights through multiple tiers of sublicenses. If you wish to keep any business information, ideas, concepts or inventions private or proprietary, do not submit them to the Public Areas or to WebMD by email.” (Emphasis in original).
— Essentially, WebMD acknowledges that they plan to commercialize any good idea that you provide to them without your permission if you ignore this warning.

YouTube, Terms of Service ¶ 6(C): “For clarity, you retain all of your ownership rights in your User Submissions. However, by submitting User Submissions to YouTube, you hereby grant YouTube a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the User Submissions in connection with the YouTube Website and YouTube’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the YouTube Website (and derivative works thereof) in any media formats and through any media channels.”
— YouTube acknowledges that it might use your content to promote their services.

When Can You Forward the Web Site’s Original Content to Your Friends?

In addition to being concerned about a site’s proposed use of your original writings (whether through comments, posts, blogs, updates on social networking sites, etc.), you should be aware that the Terms of Use policies will govern your ability to forward their original content to others.

As explained above, you should assume that as an initial matter, the web site on which you find an interesting article is probably the owner of the copyright in that material. Under copyright law, copyright owners have the exclusive right to create derivative works (which your comment forwarding their content might be) and to publish or distribute their works as they see fit. 17 U.S.C. § 106. Anyone who engages in this conduct without their consent or approval could engaging in copyright infringement, which carries statutory damages (per instance) of between $750 and $30,000. Id. § 504 (c). In addition, if a court determines that your actions were “willful” justifying an enhanced damages award, this amount per instance can increase up to $150,000. Id. As a result, you should always review the site’s terms of service to see what the limits are to your use of their original content.

Many sites will provide guidelines for downloading from their service or sharing their original content. They may provide limited licenses to permit downloading as long as you include all copyright notices, a reference to the original source of the material and/or use the material for personal use only. See NY Times Terms of Service ¶¶ 2.2, 2.3.

If they provide tools to share their materials on certain social networking sites (like Facebook, Yahoo Buzz, LinkedIn and others), the sites might give more leeway to the number of times that you can share their materials. See The Wall Street Journal ¶ 6(b)(iii) (“While you may download, store and create an archive of articles from the Service for your personal use, you may not otherwise provide access to such an archive to more than a few individuals on an occasional basis. The foregoing does not apply to any sharing functionality we provide through the Service that expressly allows you to share articles or links to articles with others.”)

Forwarding original content without the consent of the owner can be copyright infringement if you don’t fit into a defense to the allegation, such as fair use or parody. The case law that defines when conduct is “fair use” or that the resulting communication is a “parody” is detailed and voluminous – too large to try to summarize here. Suffice it to say that it’s a very fact-intensive analysis and one cannot assume that just because someone believes their own conduct is “fair” does not mean that the law will recognize it as qualifying for the “fair use” defense.

** Note: By linking the terms of use provided by the web sites identified above, I am not endorsing them or making any representations about the value of the goods or services provided by them. They were chosen somewhat randomly and are intended to serve as examples to show various terms of service about which Internet users should be aware.

Recommended Reading: Privacy Policies for Web Sites You Visit

by Christina Frangiosa

Most web sites have privacy policies that generally identify what the site does with your personal information once it is submitted to them. Depending on the purpose of the web site, these policies can be very involved (on sites that collect and retain your credit card information and/or Social Security Numbers) to very simple (on sites that collect very little of your personal data).

There are no hard-and-fast rules for what must be included in a privacy policy, and there is no minimum list of terms that must be included. In certain industries, however, federal law imposes disclosure requirements that require certain types of businesses to identify what they do with your personal information. For instance, financial institutions may be governed by the Gramm-Leach-Bliley Act (GLB), which generally places restrictions on the use of personal financial information, such as credit cards. Similarly, health care providers may be governed by Health Insurance Portability Accountability Act (HIPAA), which provides very detailed rules about the use of personal medical information. Web sites that are directed to children or could reasonably foresee a younger audience are required to comply with the Childrens’ Online Privacy Protection Act (COPPA), which significantly limits what personal information web site operators are permitted to collect and/or retain.

If an organization covered by federal laws such as these also provides a web site, their treatment of your personal information should be described in the privacy policy associated with the web site (or in the case of health care providers, they may hand you a hard-copy Notice of Privacy Practices when you visit their offices for treatment, which has a different purpose than online privacy policies).

In addition, the Federal Trade Commission (FTC) recently updated its guidelines identifying best practices for online advertising – which includes statements made in online privacy policies. FTC Staff Revises Online Behavioral Advertising Principles (2/2/09). It also provides a summary of best practices to be considered by web site operators. Privacy Policies: Say What You Mean and Mean What You Say (2/08). Among these guidelines is a simple instruction: if a web site posts a privacy policy, it must not violate the terms.

Violations of privacy policies have resulted in investigations initiated by the FTC, sometimes resulting in fines against the company for saying one thing in its privacy policy and then doing something completely different. See, for example, these summaries about FTC investigations and settlements: Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children’s Online Privacy Protection Act (12/11/08); Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information, in Violation of Federal Law (1/17/08). In essence, privacy policies are considered to be a form of advertising, and therefore, must be truthful.

Evaluating Privacy Policies

You should understand that in some circumstances, the moment you visit a web site information about you (although perhaps not personally identifiable) can be collected automatically by the web site, including your computer’s IP address, the date and time of your visit, the number of times you have visited this particular site, and (sometimes) where else on the Internet you have visited. Then, you may be in a position to submit personal information to the site – perhaps your credit card in order to complete an online purchase, a home phone number, a mailing address, a birth date, updates to a wishlist or baby gift registry, etc.

At the very least, when you are faced with sending personal information about yourself to a web site, take a few minutes to find the privacy policy associated with that site and read it to find out what they will be doing with the information that you are about to give them. If you cannot understand the policy, or if you do not like what you are reading, perhaps reconsider whether you should give them your personal information. In an age where identity theft is common, it pays to be careful with such information.

You can also check to see whether the privacy policy has an “opt out” procedure that you can invoke if you do not want to permit that particular use of your information.

Selected Privacy Policies for Comparison*

BANKING SITES
Citibank; Republic First Bank; TD Bank; Wachovia Bank; WellsFargo

DRUG STORES (Prescriptions, Rebates)
CVS; Duane Reade; Rite Aid; Safeway

GOVERNMENT
Federal Trade Commission (FTC); Internal Revenue System (IRS); The White House; US Department of Commerce; US Department of Justice; US Patent & Trademark Office

MEDICAL SITES
Johns Hopkins Medicine; LabCorp; Mayo Clinic; Quest Diagnostics; WebMD

NEWS ORGANIZATIONS
ABC News; CNN; Fox News; MSNBC; NY Times; Wall Street Journal; Washington Post

SEARCH ENGINES
Ask.com; Bing; Google; Yahoo

SHOPPING SITES
Amazon; Barnes & Noble; LL Bean; Sears; Starbucks; Target; Wal-mart (a new policy will go into effect Aug. 23, 2009 – the link points to a series of privacy policies available through Wal-mart)

SOCIAL NETWORKING SITES
Facebook; LinkedIn; MySpace; Twitter

USER-GENERATED CONTENT (Photos, Videos)
Kodak EasyShare; Shutterfly; Snapfish; YouTube; Zazzle

FOREIGN SITES (with different legal requirements)
Agence-France Presse; BBC (see also Targeted Advertising Update (for users outside the UK only); The Economist; The Financial Times; World Intellectual Property Organization

* Note: By posting links to the privacy policies of the web sites identified above, I am not making any representations or endorsements about the value of the products or services provided by these sites or about the validity or enforceability of their privacy policies. These links were chosen somewhat randomly and are intended to serve as examples to show various ways to explain a site’s treatment of data collected from its visitors.

Proposal to Restrict Use of Whole Body Image Scanners as Primary Screening Tool in Airport Security

by Christina Frangiosa

On June 4, 2009, the House passed H.R. 2200, the Transportation Security Administration Authorization Act, which authorized various programs of the TSA. There are at least two House Reports that analyzed the impact and scope of the bill, but the minute details of each are largely beyond the scope of this post. See H.R. Rep. No. 111-123 (May 19, 2009); H.R. Rep. No. 111-127 (May 21, 2009).

Instead, of particular importance was Amendment No. 10 (H. AMDT. 172), introduced on June 4, 2009, by Rep. Jason Chaffetz (R-UT). Cong. Rec. H6206 (daily ed. June 4, 2009); see also id. H6208 (Rep. Chaffetz’s arguments in further support of the Amendment). The Amendment proposed limitations on the use of Whole Body Image (WBI) scanners at airport security checkpoints as a primary screening method, and recommended that travelers be given the option to have a pat-down search instead, unless other primary screening methods identify the person as a potential security risk.

Key Provisions (from a Privacy Perspective) of the Amendment

The key sections of this Amendment are:

(2) PROHIBITION ON USE FOR ROUTINE SCREENING.—Whole-body imaging technology may not be used as the sole or primary method of screening a passenger under this section. Whole-body imaging technology may not be used to screen a passenger under this section unless another method of screening, such as metal detection, demonstrates cause for preventing such passenger from boarding an
aircraft.

(3) PROVISION OF INFORMATION.—A passenger for whom screening by whole-body imaging technology is permissible under paragraph (2) shall be provided information on the operation of such technology, on the image generated by such technology, on privacy policies relating to such technology, and on the right to request a pat-down search under paragraph (4) prior to the utilization of such technology with respect to such passenger.

(4) PAT-DOWN SEARCH OPTION.—A passenger for whom screening by whole-body imaging technology is permissible under paragraph (2) shall be offered a pat-down search in lieu of such screening.

(5) PROHIBITION ON USE OF IMAGES.—An image of a passenger generated by whole-body imaging technology may not be stored, transferred, shared, or copied in any form after the boarding determination with respect to such passenger is made.

Cong. Rec. H6207 (daily ed. June 4, 2009). These amendments were proposed as modifications to 49 U.S.C. § 44901.

House Reports Analyzing Proposed Legislation & Amendments

House Report 111-127 discusses the various amendments to the Bill, and provides another source of the text of the amendment. H.R. Rep. No. 111-127 (May 21, 2009). House Report 111-123 is also available and worth reading for its concise summary of the purpose of the bill. H.R. Rep. No. 111-123 (May 19, 2009).

Arguments in Support of the Amendment

Rep. Carol Shea-Porter (D- NH) co-sponsored the amendment and spoke in support of its adoption:

“When this full-body imaging technology was first introduced, the TSA said that it would only be used as a secondary screening method for those people who set off the metal detectors. Now it has become very clear that the TSA intends for this technology to replace metal detectors at airports all over the country. The New York Times reported as much in an April 7, 2009, article.

“The Chaffetz/Shea-Porter amendment would ensure that full-body imaging remains a secondary screening method. It would also ensure that the people who do go through it are well informed and are given the option of a pat-down.

“Mr. Chair, we do not take this amendment lightly. As a member of the Armed Services Committee, I am very aware of the security threats that are facing our country. We, too, want to ensure that the Department of Homeland Security and the TSA have the tools they need to prevent future terrorist attacks. However, the steps that we take to ensure our safety should not be so intrusive that they infringe upon the very freedom that we aim to protect.

“Two weeks ago, I went to Washington National Airport to view one of these machines. I saw how the technology is being used. I saw the pictures it produces and the inadequate procedures TSA has put into place to protect our privacy. The images are incredibly revealing as I will show you here. This is a gross violation of a person’s right to privacy. It is also illogical because, if we allow this intrusion into our lives, then there should be this same scan at every single train station, at every building that we enter and on every single bus that we board.

So I ask that my fellow Members join me in voting for this resolution and for this amendment.”

Cong. Rec. H6207 (daily ed. June 4, 2009).

In response to the opposition raised during the session (quoted in detail below), Mr. Chaffetz argued in favor of the Amendment:

“Whole-body imaging does exactly what it’s going to do. It takes a 360-degree image of your body. Now, I want to have as much safety and security on the airplanes I’m flying every week, but there comes a point in which in the name and safety and security we overstep that line and we have an invasion of privacy. This happens to be one of those invasions of privacy.

“Now I understand why the gentleman from California expressed his concern. Let me be clear that this amendment on whole-body imaging only limits primary screening. It can be used for secondary screening. You may get people with artificial hips or knees or something else, and they may elect this kind of screening. It’s perfect for them.

“But to suggest that every single American–that my wife, my 8-year-old daughter–needs to be subjected to this, I think, is just absolutely wrong. Now, the technology will actually blur out your face. The reason it does this is because there is such great specificity on their face, that they have to do that for some privacy. But down in other, more limited parts you could see specifics with a degree of certainty that, according to the TSA as quoted in USA Today, ‘You could actually see the sweat on somebody’s back.’ They can tell the difference between a dime and a nickel. If they can do that, they can see things that, quite frankly, I don’t think they should be looking at in order to secure a plane. You don’t need to look at my wife and 8-year-old daughter naked in order to secure that airplane.

“Some people say there is radio communication. There is distance. Well, it’s just as easy to say there is a celebrity or some Member of Congress or some weird-looking person. There is communication.

“You say you can’t record the devices. Many of us have mobile phones or have these little cameras. There is nothing in this technology that would prohibit the recording of these. With 45,000 good, hardworking TSA employees, 450 airports, some two million air traffic travelers a day, there is inevitably going to be a breach of security. And I want our planes to be as safe and secure as we can, but at the same time, we cannot overstep that bound and have this invasion of privacy.

“I urge my colleagues to vote in support of this amendment.”

Cong. Rec. H6208 (daily ed. June 4, 2009).

Arguments in Opposition to the Amendment

Rep. Charles Dent (R-PA) argued in opposition to the amendment, but noted that his opposition was reluctant – favoring the heightened need for security over a slight risk to an individual’s privacy rights:

“Just yesterday, I visited Reagan National Airport and took a look at the whole-body imaging machines over there, and I just have to say a couple of things about this.

“I was impressed by the technology. It seems that we have a great deal of satisfaction from passengers who utilize that type of screening. There are limitations to the magnetometer. A magnetometer can pick up metallic items, like keys, but other prohibited items, like liquids and C4 for potential explosives, will be detected under the whole-body imaging technology but not under a magnetometer. So I do believe that this technology is valid.

“As for the privacy concerns that have been raised, while I understand them, I think they have been overstated. There are strong, strong restrictions in place to make sure that those individuals, the transportation security officers who actually help the passengers go through the whole-body imaging scanning, are not in contact with the person who is actually viewing the image. Those people are in a separate room, so they’re separated. The face of the individual is also blurred, so that’s another protection.

“So I do think that this technology is very valuable. It will help make us safer. Again, I think it is a step in the right direction. So I would reluctantly oppose the amendment. I understand the concerns expressed, but nevertheless, I feel that this technology is valuable and that it enhances security.”

Cong. Rec. H6207 (daily ed. June 4, 2009).

Rep. Daniel E. Lungren (R-CA) opposed the amendment, but without suggesting any reluctance in his opposition:

“I happen to be one of those people who happens to have an artificial hip. Every time I go through, I set off the screener. Every time I go through, I get hand-patted down, and even though they do it in a very nice way, frankly, that’s far more intrusive than going out to the Reagan National Airport and going through that particular system that we’re talking about with those pictures.

“We have been working for many years since 9/11 to try and come up with devices which will allow us to be able to detect those kinds of things that, if brought on airliners, would be a threat to all passengers. The whole-body imaging technology, which this amendment seeks to stop in terms of its application as a primary means of screening, can detect many things such as small IEDs, plastic explosives, ceramic knives, and other objects that traditional metal detection cannot detect. Let me underscore that: this device that this amendment seeks to take off the table as a primary means of screening can detect small IEDs, plastic explosives, ceramic knives, and other objects that traditional metal detection cannot detect. That ought to be enough for us to understand this.

“If you look at the privacy questions, let’s be clear: the person who actually is there, the employee of TSA who is there when you go through this machine, is not the one who reads the picture. That person, he or she, is in another room–isolated. They never see you. They actually talk to one another by way of radio. So this idea that somebody is sitting in this little room, waiting to see what you look like, frankly, is sort of overblown.

“All I can say is this: I have been through many, many pat-downs because I happen to have an artificial hip. Going through this at Reagan National Airport was so much quicker so less intrusive of my privacy than what we go through now. For us to sit here now and to pass an amendment which is going to stop this development and application, frankly, I think, is misguided.

“With all due respect to the gentleman from Utah, who I know is sincere about that, and to the gentlewoman, who is also sincere, I would ask you to rethink this. From my experience, this is far more protective of my privacy than what I have to go through every time I go to the airport, number one; but more importantly, it protects me and every other passenger to a greater extent than any other procedure we have now. We aren’t doing this because we want to do it. We’re doing it because we have people around the world who want to kill us, who want to destroy our way of life, and they have utilized commercial airliners for that purpose in the greatest attack in our Nation’s history since Pearl Harbor.

“This is a device which helps us take advantage of our technological know-how to gain an advance on the enemy. I would hope we would not do this by way of this amendment.”

Cong. Rec. H6207H6208 (daily ed. June 4, 2009).

Current Status of the Bill and Amendment

Initially, the Amendment failed – as recorded by voice vote at 3:00 p.m. on June 4, 2009. (Cong. Rec. H6208). Mr. Chaffetz demanded a record vote, and the vote was postponed until later the same day. Id. Shortly after 4:00 p.m, the amendment passed by a vote of 310 – 118.

The full text of the Amendment can be found in the following places: Cong. Rec. H6206 (daily ed. June 4, 2009); and H.R. Rep. No. 111-127 (May 21, 2009). Text of the bill and the amendments can also be found by checking the current status of either one – they are cross-linked.

The full Bill (H.R. 2200), as amended, passed the House by a record vote of 397 – 25. Cong. Rec. H6216 (daily ed. June 4, 2009). Presumably, this Bill will now travel to the Senate for re-introduction under a new Bill number and further debate.

Anticipated Appointment of “Cyber Czar” on May 29, 2009

by Christina Frangiosa

On May 26, President Obama announced among other things that he was establishing “new directorates and positions within the National Security Staff to deal with new and emerging 21st Century challenges associated with cybersecurity, WMD terrorism, transborder security, information sharing, and resilience policy, including preparedness and response.” Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

These new positions directly result from the completion of an interagency cyber-security study that he commissioned on February 9, 2009, “to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.” President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review, February 9, 2009. The study, lead by Melissa Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, was to be completed within sixty days.

The White House reported that the study was completed and delivered to White House staff on April 17, and is currently being reviewed. Statement by the Press Secretary on Conclusion of the Cyberspace Review, April 17, 2009. Once the review of the conclusions is completed, the White House “will begin discussing the results.” Id.

During a speech delivered at the RSA Conference in San Francisco in April 22, 2009, Hathaway apparently discussed some of the report’s methodologies and promised that once the report was issued to the public, it would be apparent that significant work would be required to remedy identified concerns. Reports of the speech were published in various places, but notable among them were Government Technology and Fusion Authority.

Finally, according to Information Week, the White House is expected to release the study report to the public on May 29, 2009, at the same time the new positions in the National Security Staff are announced.

CDT Recommended Keeping Advisor Position within Department of Homeland Security

On May 1, 2009, Gregory T. Nojeim, Senior Counsel and Director of the Center for Democracy & Technology’s (“CDT”) Project on Freedom, Security and Technology, testified before a subcommittee of the House Committee on Energy and Commerce on May 1, 2009, arguing that the new positions be created within the Department of Homeland Security, instead of within the National Security Agency (“NSA”). See also Reuters, “Experts: Cybersecurity Czar Needs to Be White House-Based,” published by FoxNews on May 2, 2009; Cong. Rec., Daily Digest, May 1, 2009 at D486 (confirms that hearing was held and that testimony was received by “public witnesses,” but does not identify who testified).

In his printed remarks, Nojeim admonished that the White House’s role in cybersecurity should be limited to “set[ting] policy and direction, and to budget[ing] enough resources for the program” through a newly-created White House office – to ensure transparency in the planning and budgeting phase of the process. Testimony at p. 7. He further argued, however, that as far as cybersecurity operations were concerned, “[t]he lead for cybersecurity operations should stay with the Department of Homeland Security, and the NCSC [National Cyber Security Center] should be provided with additional resources and high-level attention.” Id. at p. 8. He explained in detail why these operations should not be controlled by the NSA, including articulating CDT’s concerns that the NSA’s expertise in “spying” does not “necessarily entail superior expertise in cybersecurity.” Id. at p. 7.

The House Committee on Oversight and Government Reform held a hearing on May 5, 2009 to address “Cybersecurity : Emerging Threats, Vulnerabilities, and Challenges in Securing Federal Information Systems.” Cong. Rec., Daily Digest, May 1, 2009 at D489; see also Daily Digest, May 5, 2009, at D503 (identifying testifying witnesses).

The Senate Committee on Energy and Natural Resources also held a hearing on May 7, 2009 “to receive testimony on a Joint Staff draft related to cybersecurity and critical electricity infrastructure” at which witnesses were to testify by invitation only. Cong. Rec., Notice of Hearings, April 30, 2009, at S4994; see also Cong. Rec., Daily Digest, May 7, 2009 at D520 (identifying testifying witnesses who appeared during the hearing).

Expected Mandate of the CyberSecurity Director (“Cyber Czar”)

On May 26, 2009, after the President’s announcement, FoxNews broadcast its analysis (in video format). The analysis addressed a potentially “broad mandate” to be assigned to this new office, but did not provide any particular detail – presumably because the White House has not yet released any detail about these new positions.

Note that thus far, not only does it appear that a director-level position will be created, but also subordinate positions reporting to the director. It also appears that these positions actually may be created within the NSA, and not the Department of Homeland Security, as the CDT recommended. See Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

New Bill Proposed on April 1 Supports Creation of National Cybersecurity Advisor

Several weeks before these announcements, Sen. John D. Rockefeller, IV (D-WV) introduced Senate Bill S. 778 (on April 1, 2009), which proposed certain duties and responsibilities of a “National Cybersecurity Advisor,” including acting as principal advisor to the President on cybersecurity legal issues, reviewing all cybersecurity-related budget requests, directing sponsorship for certain security clearances and employing experts or consultants as needed for “cybersecurity-related work.” S. 778, section 1(b).

An additional proposed duty is particularly troubling from a privacy perspective: “[N]otwithstanding any provision of law, regulation, rule, or policy to the contrary, [the National Cybersecurity Advisor shall] have full access to all Federal cyber-compartmented or special access programs.” While some of the terms in this provision are not defined – notably, “cyber-compartmented . . . programs”– the breadth of this provision and its clear rejection of the authority of other laws seems overreaching, perhaps permitting this Advisor to have unfettered access to certain information that may have been protected from disclosure by these other laws, regulations, rules or policies. Id., section 1(b)(5).

This bill was read twice when it was introduced and referred to the Senate Committee on Homeland Security and Governmental Affairs. Current status of the bill can be found here.

A More Detailed Bill, The Cybersecurity Act of 2009, S. 773

Senator Rockefeller proposed another bill on April 1, 2009: The Cybersecurity Act of 2009, S. 773. This bill identifies a more rigorous cybersecurity plan, including the ability to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” or disconnect these systems or networks in the “interests of national security.” Section 18, paras. 2 and 6.

The breadth of this proposed power to foreclose access to Federal government agency systems is troubling. One hopes that this power to declare an emergency – sufficient to deny access to public services – will not be wielded lightly, especially given the current Administration’s stated interest in providing transparency to government operations. The bill does not provide any guidelines for the identification of such an emergency, or for the determination of how long access should be denied, but it is anticipated that these guidelines will be included in any regulations associated with an act of this nature.

The CDT similarly criticized these powers through Mr. Nojeim’s May 1, 2009 testimony. Testimony at p. 4.

Because S. 773 does not refer to a National Cybersecurity Advisor or the powers intended to be assigned to this Advisor, further discussion of this bill is beyond the scope of this posting.