Opening the Privacy Files

The American security contractor turned Russian asylum-seeker, who sported an Electronic Frontier Foundation (EFF) sticker on his laptop in one published photo, has been the source of a constant drip-drip of revelations about U.S. government snooping. And all those headlines mean that more than just wonks and fanatics are pondering things like data brokers and cybersurveillance.

“There's never been a better time for privacy advocates than today,” says Robert Gellman, a Washington, DC-based privacy consultant. “And I suspect I'll be saying the same thing in five years.”

Policing this landscape in the U.S. are dozens of nonprofits with different motivations and tactics. Most have been around for decades, though rarely has their work attracted the attention it does nowadays.

There's the big-name and broad-purposed ACLU, which has proven a well-financed litigation prod against the federal government's efforts to keep its surveillance programs under wraps. There's EFF, the hipster organization of staff activists and technologists that rivals the ACLU with its Freedom of Information Act work and still finds time to dabble in issues like patent reform. And there are smaller, but still potent consumer groups such as the San Diego-based Privacy Rights Clearinghouse.

Segregating the groups by mission is no easy task. There are those that focus on government surveillance. Others challenge corporate privacy policies. Some aid consumers and draft policy. Most do at least a little of all three.

The groups generally work well together and frequently team up on amici briefs and petitions. However, there are also fault lines ' particularly when it comes to whether to accept corporate donations. And with a growing pot of cy pres dollars up for grabs as a result of proliferating privacy suits, at least one public skirmish has already erupted over which groups should be considered worthy recipients.

“It's a very loose network,” says Colin Bennett, author of The Privacy Advocates: Resisting the Spread of Surveillance (available from Amazon at http://amzn.to/1eYtKCZ). “There's no one leader and there are disagreements and arguments that go on. But I think there's no question that big corporations and leaders, including those in Congress, listen to them.”

Privacy Powerhouses

The ACLU, EFF and the Electronic Privacy Information Center (EPIC), are clearly the Big Three in privacy advocacy when measured by size and scope of work. Although privacy is just one area of its enormous civil liberties portfolio, the ACLU is unmatched in terms of staff size, funding and reach across the country.

It's been particularly effective with FOIA litigation, forcing the government to turn over unflattering information about its collecting of so-called suspicious activity reports as well as its controversial interpretations of Patriot Act surveillance provisions.

Even when those legal fights aren't successful, they can attract enough political attention to provoke changes. The ACLU this year sued the FBI for unredacted copies of two Department of Justice legal memos that advise federal prosecutors and investigators in the use of location tracking. See, “ACLU Sues Justice Department to Get Policies and Records on Use of NSA Surveillance in Criminal Cases,” ACLU.org. The matter is still pending in federal court, but two U.S. senators asked Attorney General Eric Holder to release the memos by the end of January.

“There's a growing concern in the U.S. about government power, and the ACLU is a group that's been at the forefront of that issue,” Gellman says.

The ACLU is also active in California legislative politics with a team of lobbyists that work on a host of issues, including criminal justice and privacy. The organization cosponsored legislation that would have expanded Californians' access to information collected about them online. AB 1291. Assemblywoman Bonnie Lowenthal (D-Long Beach) pulled the bill amid intense opposition from the tech lobby.

Like the ACLU, San Francisco-based EFF has also been active, and effective, in public records litigation. This year alone, EFF's 15 lawyers have won the release of documents about government use of the Patriot Act, drones and the Los Angeles County Sheriff's Department's automated license plate recognition program.

EFF rarely jumps into policymaking, however. Staffers will comment on legislation, but EFF doesn't have full-time lobbyists in Washington, DC or Sacramento.

EFF also limits its pursuit of corporate privacy issues. That doesn't mean that the group hasn't criticized Google and Facebook. It has. It's also filed at least one amicus brief challenging Facebook's position in an information aggregation case. See the Facebook v. Power Ventures page on EFF.com.

But “there are other organizations that work on consumer protection, so we don't feel like we have a void to fill there,” EFFG Executive Director, Shari Steele says.

Washington, DC-based EPIC has been more active challenging Google and other online companies. In 2010, EPIC filed a complaint against Google and its social network, Buzz, for invading private Gmail accounts. The complaint resulted in a settlement requiring Google to create a privacy program to protect its consumers. An alleged violation of that settlement the next year led the FTC to fine Google $22.5 million for additional privacy violations.

EPIC, though it doesn't have the resources of the ACLU or EFF, is also a frequent FOIA filer. Its executives, too, are effective at building mini-coalitions of privacy groups. They were the ones, for instance, who rallied advocates in September to ask the FTC to block planned Facebook privacy policy changes, according to John Simpson, the privacy project director at Consumer Watchdog.

“EPIC is in the forefront of privacy matters,” Simpson says. “They do great work and they don't take corporate money.”

Follow the Money

The issue of funding is one that always lurks beneath the surface of privacy groups. No nonprofit knows that better than the Center for Democracy & Technology (CDT). The Washington, DC-based organization was born in 1994 when members of EFF split in a disagreement over how closely the privacy advocates worked with telecommunications companies on a federal surveillance bill. Those who supported a “practical” policy approach of working with corporations and lawmakers on solutions stayed in DC and became CDT.

“That group has been historically distrusted by other groups because it takes money from the private sector,” Bennett says.

But it's far from the only group that accepts corporate cash. Google provides funding to a number of privacy groups, including EFF, Consumer Action and the Consumer Federation of America.

“All of our donors, it's made very, very clear to them that EFF will not limit anything we do based on their donations,” Steele says.

Even the ones who don't accept industry money often find themselves in a scramble for cy pres awards. Leaders of five consumer groups, including EPIC, wrote to U.S. District Judge Edward Davila of the Northern District of California in August, complaining that the proposed cy pres recipients in In re Google Referrer Header settlement were simply allies of the litigants. See, “Privacy Groups Wrestle Over Cy Pres Funds,” The Recorder. Several had accepted funding from Google, the defendant, the letter pointed out.

Plaintiff's counsel suggested the signatories were merely miffed that they weren't selected.

“These groups are all in need of funds and they spend a fair amount of time grubbing for it,” Gellman says.

Creeping Influence

Besides EFF, California is home to a number of smaller privacy advocacy organizations with niche interests.

The Privacy Rights Clearinghouse (PRC) in San Diego is a go-to, how-to information Sherpa for consumers eager to stop junk mail or to respond to a retailer's data breach report. Founder and director Beth Givens is influential in the privacy policymaking world too, making frequent appearances before lawmakers and the media. The PRC does not take industry money.

The World Privacy Forum, also in San Diego, is frequently mentioned by other privacy advocates as an organization with clout. Founder Pam Dixon, a former newspaper columnist, leads a small research machine that produces meaty investigative reports on everything from data brokers to medical record privacy.

Like Givens, Dixon testifies regularly before regulatory agencies and at conferences. Neither group is highly active on the litigation front.

And then there's Consumer Watchdog (CW). The Santa Monica organization has its hands in a seemingly endless array of consumer issues, including two measures on the 2014 ballot. But Google leaders know CW well for its Privacy Project, a campaign that pursues the Mountain View company's data-handling bobbles with media-attracting aplomb. See, http://bit.ly/KRjkvu.

Simpson and colleague Carmen Balber in 2011 hired professional mimes to “track” Google CEO Eric Schmidt after he testified before Congress.

“Our point was that if you tracked customers in a brick-and-mortar store like they do online it would be kind of creepy,” he says.

CW is co-counsel in the Google Street View litigation, challenging the company's collection of personal data over unprotected Wi-Fi networks. The nonprofit also complained to the FTC about Google's alleged circumvention of privacy settings on Apple's Safari browser. And Simpson says his group is seriously considering pursuing another 2014 ballot initiative, this one to create do-not-track online standards in California.

“These groups are very valuable,” says Gene Stonebarger, the Folsom plaintiffs attorney who successfully argued against the collection of consumer information in Pineda v. Williams-Sonoma. “Without them, consumers would be in a very difficult situation, particularly with the sausage-making in the Legislature.”

Privacy groups' success has been mixed. Efforts to pass do-not-track legislation have been watered down or blocked. Attempts to restrict the collection of personally identifying information have also been rejected frequently.

“These privacy issues are really hard to address,” says Goldberg, the PRC lobbyist. “We've had more success in killing bad privacy bills than moving the ball on privacy forward.”

Cheryl Miller writes for The Recorder, the San Francisco-based ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected].

For privacy advocates, these are heady days.

European leaders are weighing tough new online data protection rules ' and costly penalties for violators ' for their 500 million residents. The courts and Congress have placed a bullseye on U.S. National Security Agency surveillance programs. Even dictionary.com declared “privacy” the word of 2013 because this “was the year that the desire to be seen and heard was turned on its head.”

Then, of course, there is Edward Snowden.

The American security contractor turned Russian asylum-seeker, who sported an Electronic Frontier Foundation (EFF) sticker on his laptop in one published photo, has been the source of a constant drip-drip of revelations about U.S. government snooping. And all those headlines mean that more than just wonks and fanatics are pondering things like data brokers and cybersurveillance.

“There's never been a better time for privacy advocates than today,” says Robert Gellman, a Washington, DC-based privacy consultant. “And I suspect I'll be saying the same thing in five years.”

Policing this landscape in the U.S. are dozens of nonprofits with different motivations and tactics. Most have been around for decades, though rarely has their work attracted the attention it does nowadays.

There's the big-name and broad-purposed ACLU, which has proven a well-financed litigation prod against the federal government's efforts to keep its surveillance programs under wraps. There's EFF, the hipster organization of staff activists and technologists that rivals the ACLU with its Freedom of Information Act work and still finds time to dabble in issues like patent reform. And there are smaller, but still potent consumer groups such as the San Diego-based Privacy Rights Clearinghouse.

Segregating the groups by mission is no easy task. There are those that focus on government surveillance. Others challenge corporate privacy policies. Some aid consumers and draft policy. Most do at least a little of all three.

The groups generally work well together and frequently team up on amici briefs and petitions. However, there are also fault lines ' particularly when it comes to whether to accept corporate donations. And with a growing pot of cy pres dollars up for grabs as a result of proliferating privacy suits, at least one public skirmish has already erupted over which groups should be considered worthy recipients.

“It's a very loose network,” says Colin Bennett, author of The Privacy Advocates: Resisting the Spread of Surveillance (available from Amazon at http://amzn.to/1eYtKCZ). “There's no one leader and there are disagreements and arguments that go on. But I think there's no question that big corporations and leaders, including those in Congress, listen to them.”

Privacy Powerhouses

The ACLU, EFF and the Electronic Privacy Information Center (EPIC), are clearly the Big Three in privacy advocacy when measured by size and scope of work. Although privacy is just one area of its enormous civil liberties portfolio, the ACLU is unmatched in terms of staff size, funding and reach across the country.

It's been particularly effective with FOIA litigation, forcing the government to turn over unflattering information about its collecting of so-called suspicious activity reports as well as its controversial interpretations of Patriot Act surveillance provisions.

Even when those legal fights aren't successful, they can attract enough political attention to provoke changes. The ACLU this year sued the FBI for unredacted copies of two Department of Justice legal memos that advise federal prosecutors and investigators in the use of location tracking. See, “ACLU Sues Justice Department to Get Policies and Records on Use of NSA Surveillance in Criminal Cases,” ACLU.org. The matter is still pending in federal court, but two U.S. senators asked Attorney General Eric Holder to release the memos by the end of January.

“There's a growing concern in the U.S. about government power, and the ACLU is a group that's been at the forefront of that issue,” Gellman says.

The ACLU is also active in California legislative politics with a team of lobbyists that work on a host of issues, including criminal justice and privacy. The organization cosponsored legislation that would have expanded Californians' access to information collected about them online. AB 1291. Assemblywoman Bonnie Lowenthal (D-Long Beach) pulled the bill amid intense opposition from the tech lobby.

Like the ACLU, San Francisco-based EFF has also been active, and effective, in public records litigation. This year alone, EFF's 15 lawyers have won the release of documents about government use of the Patriot Act, drones and the Los Angeles County Sheriff's Department's automated license plate recognition program.

EFF rarely jumps into policymaking, however. Staffers will comment on legislation, but EFF doesn't have full-time lobbyists in Washington, DC or Sacramento.

EFF also limits its pursuit of corporate privacy issues. That doesn't mean that the group hasn't criticized Google and Facebook. It has. It's also filed at least one amicus brief challenging Facebook's position in an information aggregation case. See the Facebook v. Power Ventures page on EFF.com.

But “there are other organizations that work on consumer protection, so we don't feel like we have a void to fill there,” EFFG Executive Director, Shari Steele says.

Washington, DC-based EPIC has been more active challenging Google and other online companies. In 2010, EPIC filed a complaint against Google and its social network, Buzz, for invading private Gmail accounts. The complaint resulted in a settlement requiring Google to create a privacy program to protect its consumers. An alleged violation of that settlement the next year led the FTC to fine Google $22.5 million for additional privacy violations.

EPIC, though it doesn't have the resources of the ACLU or EFF, is also a frequent FOIA filer. Its executives, too, are effective at building mini-coalitions of privacy groups. They were the ones, for instance, who rallied advocates in September to ask the FTC to block planned Facebook privacy policy changes, according to John Simpson, the privacy project director at Consumer Watchdog.

“EPIC is in the forefront of privacy matters,” Simpson says. “They do great work and they don't take corporate money.”

Follow the Money

The issue of funding is one that always lurks beneath the surface of privacy groups. No nonprofit knows that better than the Center for Democracy & Technology (CDT). The Washington, DC-based organization was born in 1994 when members of EFF split in a disagreement over how closely the privacy advocates worked with telecommunications companies on a federal surveillance bill. Those who supported a “practical” policy approach of working with corporations and lawmakers on solutions stayed in DC and became CDT.

“That group has been historically distrusted by other groups because it takes money from the private sector,” Bennett says.

But it's far from the only group that accepts corporate cash. Google provides funding to a number of privacy groups, including EFF, Consumer Action and the Consumer Federation of America.

“All of our donors, it's made very, very clear to them that EFF will not limit anything we do based on their donations,” Steele says.

Even the ones who don't accept industry money often find themselves in a scramble for cy pres awards. Leaders of five consumer groups, including EPIC, wrote to U.S. District Judge Edward Davila of the Northern District of California in August, complaining that the proposed cy pres recipients in In re Google Referrer Header settlement were simply allies of the litigants. See, “Privacy Groups Wrestle Over Cy Pres Funds,” The Recorder. Several had accepted funding from Google, the defendant, the letter pointed out.

Plaintiff's counsel suggested the signatories were merely miffed that they weren't selected.

“These groups are all in need of funds and they spend a fair amount of time grubbing for it,” Gellman says.

Creeping Influence

Besides EFF, California is home to a number of smaller privacy advocacy organizations with niche interests.

The Privacy Rights Clearinghouse (PRC) in San Diego is a go-to, how-to information Sherpa for consumers eager to stop junk mail or to respond to a retailer's data breach report. Founder and director Beth Givens is influential in the privacy policymaking world too, making frequent appearances before lawmakers and the media. The PRC does not take industry money.

The World Privacy Forum, also in San Diego, is frequently mentioned by other privacy advocates as an organization with clout. Founder Pam Dixon, a former newspaper columnist, leads a small research machine that produces meaty investigative reports on everything from data brokers to medical record privacy.

Like Givens, Dixon testifies regularly before regulatory agencies and at conferences. Neither group is highly active on the litigation front.

And then there's Consumer Watchdog (CW). The Santa Monica organization has its hands in a seemingly endless array of consumer issues, including two measures on the 2014 ballot. But Google leaders know CW well for its Privacy Project, a campaign that pursues the Mountain View company's data-handling bobbles with media-attracting aplomb. See, http://bit.ly/KRjkvu.

Simpson and colleague Carmen Balber in 2011 hired professional mimes to “track” Google CEO Eric Schmidt after he testified before Congress.

“Our point was that if you tracked customers in a brick-and-mortar store like they do online it would be kind of creepy,” he says.

CW is co-counsel in the Google Street View litigation, challenging the company's collection of personal data over unprotected Wi-Fi networks. The nonprofit also complained to the FTC about Google's alleged circumvention of privacy settings on Apple's Safari browser. And Simpson says his group is seriously considering pursuing another 2014 ballot initiative, this one to create do-not-track online standards in California.

“These groups are very valuable,” says Gene Stonebarger, the Folsom plaintiffs attorney who successfully argued against the collection of consumer information in Pineda v. Williams-Sonoma. “Without them, consumers would be in a very difficult situation, particularly with the sausage-making in the Legislature.”

Privacy groups' success has been mixed. Efforts to pass do-not-track legislation have been watered down or blocked. Attempts to restrict the collection of personally identifying information have also been rejected frequently.

“These privacy issues are really hard to address,” says Goldberg, the PRC lobbyist. “We've had more success in killing bad privacy bills than moving the ball on privacy forward.”

Cheryl Miller writes for The Recorder, the San Francisco-based ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected].