epic.org

EPIC and the Center for Democracy & Technology have filed an amicus brief supporting Los Angeles residents' court fight against a city initiative to collect detailed location information on all individual e-scooter trips taken in Los Angeles. The lawsuit is currently on appeal after the trial court dismissed the case because it found no privacy interest in the data. EPIC and CDT's amicus brief describes how Los Angeles spearheaded a new data collection pipeline called the Mobility Data Specification (or MDS) to standardize the location data that ride share providers collect so that the data can easily be disclosed to governments for analysis—and, potentially, surveillance. EPIC and CDT wrote that MDS has the "power to turn a so-called 'smart city' into a surveillance state that is inimical to the Fourth Amendment." The amicus brief describes how MDS was developed to track any shared mobility vehicle, and that Los Angeles already had plans to expand the program to rideshare data from Uber and Lyft. EPIC and CDT also argued that the city's policy goals could be achieved without collecting individual trip data, and described how aggregation, differential privacy, and sampling are widely used to analyze mobility data and protect privacy more than bulk disclosure of individualized trip data. EPIC routinely files amicus briefs in cases applying the Fourth Amendment to novel technologies.

The Massachusetts Supreme Judicial Court issued an opinion in Commonwealth v. Zachary finding that when Boston Police accessed two days of rider history from a metro pass they did not perform a search under the Fourth Amendment. The court first followed an argument from EPIC's amicus brief urging the court to reject the third-party doctrine for electronic data collected by a third party from an individual for the purpose of obtaining a service. The court decided, "we reject the doctrine as applied to this case, where the data at issue has no connection to the limited purpose for which an individual uses a CharlieCard." The court then applied the mosaic theory of the Fourth Amendment which looks at the whole sweep of a government action and the insights derived when individual data points are aggregated to determine whether a search occurred under the Constitution. The court held that while "an extensive record of an individual's MBTA activity could constitute a search under the mosaic theory, the minimal amount of data obtained in this case does not constitute a violation of art. 14 or the Fourth Amendment." EPIC previously filed an amicus brief in the landmark location privacy case Carpenter v. United States, in which the Supreme Court held that collecting seven days of cell phone location data, considered in aggregate, constituted a search.

EPIC submitted comments identifying gaps and proposing privacy and fundamental rights-preserving updates to the European Commission's Proposal for Harmonized Rules on Artificial Intelligence (the Artificial Intelligence Act or "AIA"). The AIA is intended as a step forward in proactive regulation of AI system use. However, EPIC's comment describes how unaddressed privacy and human rights concerns may allow AI systems to be used in ways that cause serious harm to individuals interacting, knowingly or unknowingly, with those systems. EPIC recommends that the Commission (i) remove the broad exemptions on regulatory requirements for AI systems and expand prohibitions where necessary, (ii) mandate prior notification to individuals subject to AI system decision-making, (iii) fully ban emotion recognition and biometric categorization systems, and (iv) mandate review and approval of AI system conformity assessments by data protection authorities prior to use. EPIC advocates for algorithmic justice, transparency, and accountability, and recently submitted comments on the OECD Framework for Classifying AI Systems, recommending changes to more robustly address privacy concerns.

EPIC and the National Consumer Law Center have filed an amicus brief in a case that highlights the privacy-invading behavior of the online lead generator industry. The plaintiffs in the case, McCurley v. Royal Seas Cruises, are trying to hold a cruise company accountable for tens of thousands of illegal robocalls made on its behalf by a foreign telemarketing company using leads from two unscrupulous online lead generators. The trial court dismissed the case against Royal Seas Cruises because a provision in their contract with the telemarketer that said the telemarketer would comply with the federal anti-robocall law, the Telephone Consumer Protection Act. EPIC and NCLC argue in their brief that a simple contract provision cannot absolve Royal Seas Cruises from responsibility for these illegal robocalls. The amicus brief highlights the unscrupulous practices of the lead generator industry, including recent lawsuits accounting for millions of illegal calls and FTC enforcement actions against deceptive lead generator practices. EPIC and NCLC also argue that failure to hold Royal Seas Cruises accountable would "dramatically weaken TCPA enforcement, denying consumers any remedy for their privacy injuries, and leaving consumers unprotected from future harms." EPIC routinely files amicus briefs in TCPA cases.

The World Health Organization (WHO) has issued guidance on documentation of COVID-19 vaccination certificates. Among other items, the guidance outlines ethical and data protection considerations, different use scenarios, and procedures for use and verification. Critically, the guidelines emphasize that emergency circumstances do not permit authorities to ignore legal obligations relating to privacy and human rights. The guidelines also mandate data protection safeguards and warn against normalizing surveillance of health information. EPIC has previously recommended that public health responses to the pandemic be consistent with privacy and human rights standards and urged authorities to limit unnecessary collection and use of vaccine-related personal data by third parties, including pharmacies.

EPIC has filed a lawsuit against the U.S. Postal Service to block the use of facial recognition and social media monitoring tools under the Internet Covert Operations Program (iCOP). EPIC’s case challenges the Postal Service’s failure to conduct and publish the Privacy Impact Assessment mandated by the E-Government Act before procuring and using advanced surveillance systems under iCOP. EPIC is seeking a court order to block iCOP from using these tools at least until the Postal Service has conducted the required assessment. EPIC brought suit after the Postal Service failed to locate a PIA in response to EPIC’s Freedom of Information Act request. Under iCOP, law enforcement officials the U.S. Postal Inspection Service monitored protests in the summer of 2020 and spring of 2021 and used Clearview AI’s controversial facial recognition product to identify individuals. The iCOP’s surveillance of protests and tracking of “inflammatory” content goes far beyond the program’s mandate to investigate fraud and other crimes perpetuated through the mail or USPS’s website. EPIC has previously used the E-Government Act to block the deployment of a media surveillance platform by the Department of Homeland Security and to halt the collection of voter data by the Presidential Advisory Commission on Election Integrity.

The Federal Trade Commission has refiled its antitrust complaint against Facebook after a federal court dismissed its original complaint in June. In the new complaint, the FTC alleges that Facebook used illegal anticompetitive methods to thwart competition and maintain a monopoly, including by buying competitors like Instagram and WhatsApp. The complaint details how Facebook’s practices enabled the social media giant to maintain its dominance at the expense of competition and consumers. For example, before Facebook’s acquisition of WhatsApp, the messaging platform “embraced privacy-focused offerings and design, including the principle ‘of knowing as little about you as possible’ and an ads-free subscription model” which provided “an important form of product differentiation for WhatsApp as an independent competitive threat in personal social networking.” The FTC also highlights the importance of meaningful competition, without which “Facebook has been able to provide lower levels of service quality on privacy and data protection than it would have to provide in a competitive market.” This complaint is the highest profile challenge that the Commission has brought against any tech company in decades. EPIC has long urged the FTC to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.

EPIC has submitted feedback to NIST to inform the development of an AI Risk Management Framework that will assist developers, users, and evaluators of AI systems in assessing and improving those systems. EPIC's feedback includes background on the proliferation of AI system use and the many potential and already-occurring harms stemming from that use, noting that this framework must take into account and meaningfully act to prevent those harms. EPIC recommends that the framework prioritize (i) protection of individuals affected by AI systems, (ii) accountability for AI system development and use, and (iii) interoperability with emerging and current AI and privacy regulations. EPIC frequently advocates for algorithmic justice, transparency, and accountability and has recently submitted comments on the European Commission's proposes Artificial Intelligence Act and the OECD Framework for Classifying AI Systems.

EPIC, through a freedom of information request, has obtained new records about the D.C. Department of Human Services’ use of automated systems to track and assign “risk score[s]” to recipients of public benefits. The documents show that DCDHS has contracted with Pondera, a Thomson Reuters subsidiary, for case management software and a tool known as “Fraudcaster.” Fraudcaster tracks location history and other information about people receiving public benefits, combining this information with “DHS data and pre-integrated third-party data sets” to yield supposed risk scores. Factors that may cause the system to label someone as riskier include “travel[ing] long distances to retailers” and “display[ing] suspect activity.” Thomson Reuters also offered a free trial of its CLEAR service to the DCDHS as an incentive to sign the Pondera contract quickly. CLEAR is “powered by billions of data points” and claims to “identif[y] potential concerns associated with people.” The system is used by Immigration & Customs Enforcement and other law enforcement agencies in the U.S. EPIC is pursuing more information about DCDHS’s use of Pondera systems and mapping out automated decision-making tools used in D.C. through the EPIC Scoring and Screening Project. EPIC advocates for algorithmic transparency and accountability, particularly for systems used to make high-impact decisions like public benefit determinations.

In a new report, the Government Accountability Office (GAO) surveyed 24 federal agencies on their use of facial recognition technology. The report reveals that 18 of those agencies are using facial recognition for purposes including law enforcement, physical security/surveillance, and digital access. Ten of those agencies, including the Department of Homeland Security, the Department of Justice, and the State Department plan to expand their use of facial recognition in the near future by acquiring new systems. According to the GAO, 27 states and 6 municipalities currently allow federal agencies to access non-federal facial recognition systems. The GAO's report follows the office's June report that 42 federal law enforcement agencies are using facial recognition technology with little to no oversight. According to the report, many agencies were unaware that employees were using the technology. The report also reveals that the Department of the Interior accessed the DC-area NCR-FRILS facial recognition system. EPIC organized a coalition opposing the system, leading to its shutdown in July of this year. EPIC recently filed suit against the U.S. Postal Service for using of facial recognition and social media monitoring technology without completing statutorily required Privacy Impact Assessments.

EPIC has joined with several international privacy and human rights advocacy groups in a statement calling for privacy reform in the wake of allegations that the Indian government used Pegasus to surveil activists, journalists, and opponents. The statement highlights the fundamental right to privacy established under both the Indian Constitution and international human rights law, condemns the illegal use of spyware, and calls for (i) an independent investigation into allegations of Pegasus use; (ii) surveillance reform ensuring independent judicial oversight and providing for judicial remedy; and (iii) establishing a data protection framework that will respect privacy rights. EPIC has previously filed suit against the U.S. Department of Homeland Security to obtain records of a system designed to surveil journalists⁠—the surveillance effort was subsequently suspended. In addition, EPIC has previously joined coalition letters calling for surveillance reform within the U.S. and has testified before Congress regarding the risks of commercial spyware.