« April 2018 | Main | June 2018 »

May 2018 Archives

May 2, 2018

Congress Considers Federal Database of Food Aid Recipients

A controversial provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. Privacy scholars have explained that government agencies often subject individuals living in poverty to excessive surveillance. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function.

EPIC Advises Safety Commission on Dangers of IoT

EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups preciously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues.

May 3, 2018

EPIC Joins Coalition Urging CFPB To Maintain Public Database of Consumer Complaints

EPIC and a coalition of consumer organizations have sent a letter to Mick Mulvaney urging the Acting Director not to ban public access to the CFPB consumer complaint database. "The public complaint database is a tool that empowers individuals to inform and protect themselves in the marketplace," the groups stated. In recent remarks at a banking industry conference, Mulvaney said that he is considering closing off access to the database. The database has helped expose wrongdoing by numerous financial institutions-including failures by Equifax following its data breach, as detailed in a report just released by three Senators. EPIC has called on the CFPB to more vigorously pursue its investigation of Equifax, and has filed a Freedom of Information Act request to obtain communications about that investigation.

Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers

The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebookby Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.

May 1, 2018

Senators Release Report On Consumer Complaints Following Equifax Breach

Senators Warren (D-MA), Schatz (D-HI) and Menendez (D-NJ) have published a report examining thousands of consumer complaints filed with the Consumer Financial Protection Bureau after Equifax's massive data breach last fall. The report, entitled "Breach of Trust," reveals the extent of Equifax's failure to address significant harms consumers faced as a result of the breach. The Senators sent their report along with a letter to the CFPB demanding the agency hold Equifax accountable. Despite the massive number of complaints, the CFPB has yet to announce any action against Equifax eight months after the breach. The Senators also admonished Director Mulvaney for his recent suggestion that he would end public access to the CFPB's complaint database. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax. A February Reuters story indicated that the CFPB had halted its investigation into Equifax, but Mulvaney since confirmed that an investigation is still ongoing. EPIC submitted a Freedom of Information Act request to obtain information about the CFPB's Equifax investigation.

May 6, 2018

Safety Groups Urge Congress to Regulate "Autonomous Vehicles"

A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data.

May 7, 2018

EPIC Advises Senate on Drone Privacy Issues

In advance of a Senate hearing "Keeping Pace with Innovation - Update on the Safe Integration of Unmanned Aircraft Systems into the Airspace," EPIC submitted a statement to inform the committee of EPIC's ongoing work to establish transparency and oversight for the use of unmanned aircraft in the United States. EPIC believes that strong drone privacy rules are vital for the safe integration of commercial drones in the National Air Space. EPIC is now proceeding in the U.S. Court of Appeals of the D.C. Circuit against the FAA for the agency's failure to establish drone privacy safeguards. EPIC has also filed suit to enforce the transparency obligations of the Drone Advisory Committee, a body created by the FAA to study and make recommendations on U.S. drone policy. EPIC has also pursued several open government matters regarding the FAA's decision making process, which appears intended to purposefully avoid the development of meaningful privacy safeguards.

EPIC Renews Call for FTC to Stop Google's Tracking of Consumer Purchases

EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners.

Annual ODNI Report Reveals Upturn in US Surveillance

According to the Office of Director National Intelligence 2017 report, the number of Foreign Intelligence Surveillance Act orders to collect call records more than tripled last year, from 151 million records in 2016 to 534 million in 2017. In 2012, EPIC testified before Congress on the need for more public reporting concerning the use of FISA authorities. Several of EPIC's recommendations, including better reporting on government surveillance activities, were incorporated in the USA FREEDOM Act.

May 8, 2018

EPIC Tells Congress to Consider Census Privacy Risks

In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau."

Transatlantic Consumer Dialogue Publishes "10 Things to Know About the GDPR"

The Transatlantic Consumer Dialogue, a coalition of more than 70 consumer organizations in Europe and North America, has made available "10 Things to Know About the GDPR." The analysis details key elements of the new European privacy law. TACD wrote, "People's data should be treated with the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it." Last month, TACD sent a letter to Mark Zuckerberg urging Facebook to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD will host a press conference on GDPR with EPIC in Washington DC on May 16. EPIC makes available the complete text of the GDPR and related materials in the Privacy Law Sourcebook.

EPIC Warns of Privacy Act Obligations for Potential Federal Database of Food Aid Recipients

In advance of a hearing on "Program Integrity for the Supplemental Nutrition Assistance Program," EPIC has sent a statement to the House Oversight Committee. A provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. EPIC warned that if Congress decides to create this federal database, then the Department of Agriculture will be subject to Privacy Act obligations, including potential liability for the data breaches that may result. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function.

May 9, 2018

EPIC Advises FTC on Children's Privacy

In response to an industry proposal to diminish safeguards for children's privacy, EPIC reminded the FTC that industry guidelines must comply with the Children's Online Privacy Protection Act. EPIC also highlighted recent updates in the COPPA regulations that minimize data collection concerning children. EPIC wrote, "COPPA has evolved to address changes in technology and business practices." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA.

May 10, 2018

Appeals Court: Border Searches of Cell Phones Require 'Reasonable Suspicion'

A federal appeals court has ruled that U.S. border officials may not conduct a forensic search of a mobile device without a "reasonable suspicion" that the device contains evidence of a crime. The court's decision followed Riley v. California, a 2014 Supreme Court case holding that the Fourth Amendment requires police to obtain a warrant to search a cell phone. EPIC filed an amicus brief in the Riley case, cited by the Supreme Court, about the detailed personal data stored in cell phones. EPIC's Alan Butler predicted that the Riley decision would lead courts to require "reasonable suspicion" for border searches. EPIC recently filed a FOIA suit against against a federal agency for information about the warrantless searches of cell phones. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border.

White House Establishes AI Advisory Committee

The White House has established the "Select Committee on Artificial Intelligence" to advise the President and coordinate AI policies among executive branch agencies. The Office of Science and Technology Policy, NSF, and DARPA will lead the interagency committee. According to the White House, the goals of the Committee are (1) prioritize funding for AI research and development; (2) remove barriers to AI innovation; (3) train the future American workforce; (4) achieve strategic military advantage; (5) leverage AI for government services; and (6) lead international AI negotiations. The Committee will also coordinate efforts across federal agencies to research and adopt technologies such as autonomous systems, biometric identification, computerized image and video analysis, machine learning and robotics. It is unclear whether the Committee will include public perspectives in its work. In 2014, EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the OSTP to accept public comments on a White House project concerning Big Data. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." In 2015 EPIC launched an international campaign for Algorithmic Transparency and recently urged Congress to establish oversight mechanisms for the use of AI by federal agencies.

May 11, 2018

EPIC Seeks Records from FTC Regarding Irish Audits of Facebook

EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner's inquiries regarding Facebook’s compliance with the FTC's Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish on Commissioner found a "satisfactory response" from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a "satisfactory response" from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica.

Senators Urge DHS to Address Concerns Over Facial Recognition at Airports; Conduct Public Rule-Making

In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports.

May 14, 2018

Supreme Court: Fourth Amendment for Lawful Driver of Vehicle Regardless of Rental Agreement

The U.S. Supreme Court ruled today that a driver in lawful possession of a rental car has a reasonable expectation of privacy regardless of a rental car agreement. The Court held in Byrd v. United States that, "the mere fact that a driver in lawful possession or control of a rental car is not listed on the rental agreement will not defeat his or her otherwise reasonable expectation of privacy." EPIC filed an amicus brief in the case, joined by 23 technical experts and legal scholars members of the EPIC Advisory Board, which stated that "relying on rental contracts to negate Fourth Amendment standing would undermine legitimate expectations of privacy." EPIC also urged the Court to recognize that a modern car collects vast troves of personal data and "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Microsoft Corp., Dahda v. United States, and United States v. Jones.

Supreme Court: Government's Reading of Wiretap Act 'Makes Little Sense'

The Supreme Court has ruled in Dahda v. United States, a case about the federal Wiretap Act and the suppression of evidence obtained under an overly broad wiretap order. A lower court permitted the evidence, relying on a novel interpretation of the Act. EPIC filed an amicus brief in the case, arguing that "it is not for the courts to create textual exceptions" to federal privacy laws. The Supreme Court agreed with EPIC that it "makes little sense" for the court to rewrite the statute. However, the Court declined to suppress the evidence, finding that it was a lawful search under a narrow interpretation of the Wiretap Act. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, including Byrd v. United States (a case in which the Court rejected suspicionless searches of rental cars) and Carpenter v. United States (a case about warrantless searches of cellphone location records).

FTC Commissioner Chopra: "FTC orders are not suggestions"

Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook."

May 15, 2018

EPIC Obtains Comey's Memos Detailing Conversations with Trump

Through a Freedom of Information Act request, EPIC obtained declassified memorandums from former FBI Director James Comey detailing his conversations with President Trump from January to April 2017. The conversations include President Trump asking about the possibility of imprisoning journalists, dropping the investigation of former advisor Michael Flynn, and the need to "lift the cloud" of the Russia investigation. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election including: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

EPIC Urges FTC To Strengthen Revised Settlement with Uber

In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a revised settlement with Uber. The FTC reached a settlement with Uber back in August of 2017 for its numerous privacy abuses, including secretly tracking riders and using software to evade authorities. But shortly after announcing the settlement, the FTC discovered that Uber had hid a massive data breach and used its bug bounty program to pay off the hackers. As a result, the FTC required Uber to submit all of its privacy assessments to the Commission. While EPIC supported the FTC’s action, EPC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber's in 2015.

EPIC To Senate Judiciary: Privacy Is Integral to Democracy

In advance of a hearing on Cambridge Analytica and the Future of Data Privacy, EPIC has sent a statement to the Seante Judiciary Committee. EPIC said that "It has become increasingly clear that even as we are asked to give up our privacy, companies have become ever more secretive about how they profile and target voters." In 2014, EPIC challenged Facebook's manipulation of users' News Feeds for psychological research. "If Facebook used data manipulation to shape users' emotions, it can use data manipulation to shape voters' practices," EPIC told the Committee.

May 17, 2018

In Congressional Testimony, EPIC Calls For Privacy Safeguards for Social Security Number

EPIC Consumer Privacy Counsel Sam Lester testified before the House Ways and Means Committee at a hearing on "Securing Americans' Identities: The Future of the Social Security Number." EPIC's Lester emphasized that "the SSN was never meant to be an all-purpose identifier," and its widespread use has contributed to the epidemic of data breaches, identity theft and financial fraud. Lester called on Congress to prohibit the use of the SSN in the private sector without explicit legal authorization. Lester also warned Congress against creating a national biometric identifier that would raise serious privacy and civil liberties risks. EPIC frequently testifies before Congress. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee and the House Financial Services Committee on the need to update U.S. privacy law. EPIC also maintains an archive of information about the SSN online.

EPIC Testifies Before Safety Commission on IoT Privacy Hazards

EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations.

May 18, 2018

ICE Abandons "Extreme Vetting" Software to Screen Visa Applicants

Immigration and Customs Enforcement has dropped a plan to use machine learning software to determine if a visa applicant might commit a crime or terrorist act. Last year, EPIC joined over 50 privacy, civil liberties, and civil rights groups to oppose the plan, stating that the "initiative was tailor-made for discrimination." EPIC has pursued several FOIA cases to uncover the use of secret algorithms by government agencies to score people, including EPIC v. CBP about the "Analytical Framework for Intelligence" that generated secret "risk assessments" on US travelers. In testimony for the 9-11 Commission, EPIC warned that "the use of information technology to identify individuals that may pose a specific threat to the United States" is a "complex problem [that] necessarily involves subjective judgments."

EPIC Renews Call For FTC To Stop Samsung's Surveillance of the Home

EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Samsung's "always on" SmartTV, which surreptitiously records consumers' private conversations and transmits their unencrypted voice recordings to third parties. EPIC also warned the FTC that "Samsung is now collecting viewing data from consumers," a practice the FTC found unlawful in a recent settlement with VIZIO. EPIC originally filed this complaint with the FTC on February 24, 2015, but the Commission took no action. EPIC routinely files complaints with the FTC. EPIC's complaints against Uber, Facebook and Google all led to FTC settlements with the companies. Last week, EPIC renewed its complaint against Google for tracking consumers' in-store purchases.

Council of Europe Modernizes International Privacy Convention

The Council of Europe has updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including algorithmic transparency. EPIC and consumer coalitions have urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore.

EPIC to DC Circuit: Informational Privacy is a Constitutional Right

EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.

May 22, 2018

EPIC Urges Congress to Regulate the Internet of Things

In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars."

May 23, 2018

After EPIC Obtains FBI Victim Notification Procedures, Court Rules for Bureau

After EPIC obtained the FBI cyberattack victim notification procedures in Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity).

EPIC Renews Call For FTC To Stop Secret Scoring of Young Athletes

EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the FTC about the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating," a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. According to EPIC, "the UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens." EPIC pointed to objective, provable, and transparent rating systems such as ELO as far preferable. EPIC has championed "Algorithmic Transparency" as a fundamental human right. Earlier this month, the Council of Europe adopted the modernized Privacy Convention that establishes a legal right for individuals to obtain "knowledge of the reasoning" for the processing of personal data.

CPDP 2019 Conference "Data Protection and Democracy" - Call for Panels

The 12th international conference on Computers, Privacy and Data Protection will take place in Brussels, January 30 to February 1, 2019. The theme of the conference is "Data Protection and Democracy." CPDP is seeking panel proposals from academic consortia, research projects, think tanks and other research organizations. The deadline is June 21, 2018. CPDP2018 offered 85 panel sessions with 420 international speakers from academia, public and private sectors and civil society. More than 1,000 people from from 55 countries attended CPDP2018. EPIC is an event sponsor of CPDP and will present the 2019 International Champion of Freedom Award on January 30, 2019.

Congressional Leaders Reintroduce Bipartisan Bill To Protect Children's Online Privacy

Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy".

FBI Overstated Number of Encrypted Devices it Could Not Access Last Year

According to the Washington Post, the FBI "provided grossly inflated statistics to Congress and the public" about the number of encrypted cellphones inaccessible to law enforcement. The FBI stated it was locked out of 7,800 devices, but a subsequent review suggested the actual number is about 1,200. EPIC President Marc Rotenberg told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." According to the federal wiretap reports, in 2016 a total of 68 federal wiretaps were reported as being encrypted, of which 53 could not be decrypted. In a 2016 debate before the American Bar Association, former FBI Director James Comey said the FBI was locked out of about 650 phones. Rotenberg countered that 3.1 million phones were stolen or lost in a year and subject to misuse without strong encryption.

May 24, 2018

US and European Consumer Groups Urge Global Compliance with GDPR

Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, has written to ninety-five major internet companies, including Amazon and Google, seeking compliance with the EU General Data Protection Regulation (GDPR) as a baseline standard for all users worldwide. TACD wrote, "Strong privacy standards should apply to everyone who uses online platforms and services no matter where they live." The letter states that "European regulation provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for people whose data is gathered." Following an earlier TACD letter and questions from Congress, Marc Zuckerberg said Facebook would apply GDPR protections in all jurisdictions. The TransAtlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making.

EPIC Calls on FEC to Pass Stronger Transparency Rules for Political Ads

EPIC submitted comments on the Federal Election Commission's (FEC) proposed rules for political ads on the internet. The FEC proposed two alternative rules, one which would hold internet companies to the same standard as traditional media companies and one which would make exceptions for online ads. EPIC stated: "FEC rules should be technology-neutral and consistent across media platforms." EPIC also recommended that the FEC adopt algorithmic transparency rules, which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack.

Amazon Echo Secretly Recorded And Disclosed User's Private Conversation

"Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.

May 30, 2018

EPIC, Coalition Oppose State Department's Plan to Collect Social Media Identifiers of Visa Applicants

EPIC, the Brennan Center and 55 privacy, civil liberties, and civil rights organizations submitted comments opposing the State Department's plan to collect social media identifiers from individuals applying for visas. The coalition warned that the proposal would "undermine First Amendment rights of speech, expression, and association." Social media monitoring raises serious privacy and civil liberties issues. EPIC previously opposed the State Department's expansion of social media collection as well as a similar proposal by the Department of Homeland Security. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media.

May 31, 2018

EPIC FOIA: DHS Collaborated With Presidential Election Commission on Voter Data Collection

EPIC has obtained records under the Freedom of Information Act showing that the Department of Homeland Security communicated frequently with the Presidential Election Commission after EPIC filed a lawsuit to block the Commission's efforts to obtain state voter data. The documents show that DHS officials had numerous communications with Commission staff beginning in June 2017. The records obtained by EPIC also reveal that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission's voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. After EPIC brought suit in July, the Commission suspended the data collection program, discontinued the use of an unsafe computer server, and deleted voter information that was illegally obtained. The Commission was ultimately shut down in January 2018.

EPIC Sues to Obtain Privacy Impact Assessment for DHS Journalist Database

EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for Assessment but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data.

EPIC, Coalition Urge Compliance With Freedom Act Transparency Requirements

EPIC and a coalition of privacy and civil liberties groups urged the Office of the Director of National Intelligence to abide by the transparency requirements of the USA FREEDOM Act. The Act ended the NSA's bulk collection of domestic call detail information. The Act also requires the public reporting of the number of unique identifiers gathered under the Foreign Intelligence Surveillance Act. A related letter to the House Judiciary Committee urged the Committee to oversee the reporting requirement. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. Several of EPIC's recommendations were incorporated in the USA FREEDOM Act.

About May 2018

This page contains all entries posted to epic.org in May 2018. They are listed from oldest to newest.

April 2018 is the previous archive.

June 2018 is the next archive.

Many more can be found on the main index page or by looking through the archives.