Current activities at the Electronic Privacy Information Center

When Marc Rotenberg founded the Electronic
Privacy Information Center
in 1994, I doubt he realized how fast
their scope would swell as more and more of our lives became digitized
and networked. Now it seems like everything that happens in society
has an electronic component and a privacy component. I had the chance
to drop in to their office on Monday and heard about the
front-burner items they’re working on.

  • Whole-body imaging in airports, a very hot issue right now. While
    Americans push back against it, the European Union has to vote on it

  • The Smart Grid: a massive upgrade planned for the American system for
    delivering electricity across the nation as well as over the last mile
    to your home. Could the Smart Grid tell marketers your life style?

  • Privacy of text messaging. EPIC is very active on City of Ontario
    v. Quon
    , where the government asserts that using a city-issued
    device allows the city to read all of the employee’s messages.

  • Freedom of Information Act. Why are government agencies (except for a
    few exemplary ones) fulfilling a smaller percentage of
    demands during the Obama administration than they did during the Bush

  • Ballot initiatives. EPIC has argued in Doe v. Reed that
    signing a petition to put a question on a ballot should be private,
    like voting.

And if you visit the EPIC home page this week, or the companion page, you’ll see that
they’re following even more diverse issues: the FCC broadband
proposal, consumer privacy, data retention by ISPs, etc. They were
interested to hear what I’ve been learning recently about privacy in
electronic health records.

EPIC has been remarkably effective over the years as an organization
with about a dozen staff (mostly young and idealistic rather than
canny and seasoned) and no cash-wielding lobbyists. They haven’t
compromised their principles in the dozen years I’ve been following
them, but they not only get to the table most of the time but manage
to bend the decision their way most of the time.

I attribute this success to single-mindedness (they can nail the
privacy chink in any initiative) persistence, coalition-building with
like minded organizations (leading the Privacy Coalition,
collaborating with London’s Privacy International,
among other organizations around the world, and work closely with such
natural allies as the ACLU), but mostly knowing their stuff cold. They
sail into debate with a full understanding of technical details as
well as the legal issues that impinge on their position.

The Smart Grid is an excellent example of how EPIC investigates an
issue early in its existence and hones in on the dark underside. The
Smart Grid is a buzzword covering changes that should save us huge
amounts of electricity lost in old, inefficient switches, as well as
improve the efficiency of energy delivery in neighborhoods. A key part
of the Smart Grid is monitoring and logging our electricity usage,
building by building and even machine by machine.

In this futuristic vision, the electric utility would know when you’ve
started your air conditioner or clothes dryer and could send you
messages suggesting new patterns of behavior that will relieve
pressure on the grid and save you money as well. This is nice, but it
also means the electric utility basically knows how you lead your

Traffic analysis on your device usage could show who stays home during
the day, when kids come home from school, and who plays video games
(heavy electricity usage from a home computer) late at night.

Currently no one has discussed who controls this data. Implicitly, it
is left in the hands of the utility, which is free to sell it like any
other information. There is little doubt that advertisers would love
to get their hands on this information. So would the government, I
bet–remember when police were scanning homes for evidence of
marijuana cultivation? EPIC would like the information to be in the
hands of the consumer.

A bill just introduced by Representative Ed Markey, the “Electric
Consumer Right to Know Act” (H. R. 4860)
, would inform electricity
users of their energy usage in a form they could process on a computer
or other device, typically every 15 minutes. The bill mandates a smart
meter that “provides adequate protections for the security of such
information and the privacy of such electric consumer.” It doesn’t go
into any more detail about what the utility could do with the

The ambiguous ownership of Smart Grid data illustrates why privacy is
such a hard turf to defend, once you have declared your jurisdiction
over it as EPIC has done. Data flows from one place to
another–whether from the electric meter to your cell phone, your
camera to Facebook, or your vendor to your bank–and is therefore
intrinsically shared. Privacy is an umbrella term that encompass
attempts to set limits or impose rules on all these types of sharing.

In trying to protect our privacy EPIC is swimming against the tide, of
course, but what’s really challenging is how data collection and
dissemination has shifted. When EPIC started, most electronic data was
held by large institutions who made ready targets for EPIC’s legal
challenges. Now each person is his or her own worst enemy, freely
sharing personal information, pictures, and videos online–a
phenomenon termed Little Brother.

Cameras and sensors are also creating millions of new sources for
data, while advances in data mining and analysis allow people to learn
more from the data than ever before.

I think EPIC is handling this shift well. They stay focused on policy
rather than pursuing the idealistic but impractical course of training
people to use privacy safeguards and protect themselves. There are
just too many ways to weasel data out of us, some of which will never
be under our control, and most people just can’t learn everything they
need to know to be safe, whether it be about Web proxies, Flash
cookies, or document metadata.

EPIC demands that institutions take responsibility for privacy,
designing it into their systems. A recent, well publicized example of
this doctrine was their complaint to the FTC about Facebook’s changes
to privacy settings in December 2009. EPIC doesn’t believe it’s enough
to boast about flexibility and user control–something that endangers
the 99.9% of users who don’t understand how to change a default is a
violation of users’ rights.

But EPIC is neither rigid nor abstentionist. They may complain about
Facebook, but maintain a Facebook page. They’re totally into the new
electronic age. But they want it to serve its users rather than a few
centralized institutions, and for privacy advocates they’re not shy
about letting us know what they think.

tags: , ,