Previous Top News: 2012
- Senate to Debate Privacy Amendments for Surveillance Law
The Senate is scheduled to debate several proposals that would establish new safeguards for the FISA Amendments Act, a controversial law that allows surveillance of the phone and email communications of US citizens without a warrant. Earlier this year, EPIC testified before the House Judiciary Committee, and recommended increased transparency and new public reporting of the Government's surveillance activities. Currently, the FISA letter to Congress provides little information about Government conduct. "Congress should not reauthorize the FISA Amendments Act until adequate oversight procedures are in place," EPIC Executive Director Marc Rotenberg said at the May hearing. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International. (Dec. 26, 2012)
- EPIC Sues CIA for Details of NYPD Spying
EPIC has filed a Freedom of Information Act lawsuit against the Central Intelligence Agency for details of the agency’s involvement in a New York Police Department surveillance program that targeted Muslims and persons of Arab descent. In August 2011, the New York Police Commissioner acknowledged that the CIA participated in the domestic surveillance. Following an investigation by the CIA Inspector General, the CIA announced that there is "no evidence that any part of the agency's support to the NYPD constituted 'domestic spying.'" In early 2012 EPIC sought the public release of the report prepared by the CIA Inspector General. As the agency failed to comply with statutory deadlines established by the Freedom of Information Act, EPIC has now filed suit for release of the document. For more information see: EPIC: EPIC v. CIA - Domestic Surveillance and EPIC: Open Government. (Dec. 21, 2012)
- Instagram Retreats on Changes to Terms of Service, Cites User Opposition
Instagram announced that it would withdraw proposed changes to its terms of service announced earlier this week. Instagram backed off a plan to use the names, images, and photos of users for advertising purposes, pledging instead to "complete our plans, and then come back to our users and explain how we would like for our advertising business to work." Instagram's parent company, Facebook, is bound by the terms of a settlement with the Federal Trade Commission, initiated in 2009 by EPIC and other consumer privacy organizations, that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. A recent letter to Facebook CEO Mark Zuckerberg from EPIC and the Center for Digital Democracy warned that Facebook's proposed changes would adversely affect Instagram users. For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: FTC. (Dec. 21, 2012)
- EPIC Comments on Federal Cybersecurity Plan
In response to a request for comments, EPIC submitted comments on the Federal Cybersecurity Research and Development Strategic Plan. The cybersecurity strategic plan calls for a coordinated research strategy across federal agencies including the Department of Homeland Security and the National Security Agency. EPIC supported the call for privacy safeguards and anonymous web access, and recommended the further integration of genuine privacy-enhancing techniques. EPIC also emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act as the plan progresses. EPIC previously submitted comments to the Department of Defense regarding Cyber Security and Information Assurance Activities. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA - Cybersecurity Authority. (Dec. 20, 2012)
- FTC Releases Updated Children’s Online Privacy Rule
The Federal Trade Commission has updated the Children's Online Privacy Protection Act. The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or "cookies"), and prevents third-party advertisers from secretly collecting children’s personal information without parental consent for behavioral advertising purposes. EPIC supported the changes and responded to criticisms from industry groups. In 2010, EPIC testified before the United States Senate that the 1998 law was critical to protect the privacy of children but that updates were also essential in light of new business practices, the emergence of social networks, and smartphone apps. A subsequent FTC report found that many child-directed mobile apps lack adequate privacy safeguards. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Dec. 19, 2012)
- FTC Pursues Investigation of Data Brokers
The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker ChoicePoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 19, 2012)
- National Academy of Sciences to Undertake Independent Assessment of Airport Body Scanners
After years of pressure from political leaders, civil liberties and health advocates, including EPIC, there will be an independent review of the health risks posed by backscatter x-ray devices. A National Academy of Sciences committee will assess “whether exposures comply with applicable health and safety standards” for passengers and airport employees. The study is limited to radiation and safety testing, and will not examine the privacy implications or effectiveness of the x-ray machines. In 2012, both the House and the Senate introduced legislation calling for an independent assessment of the controversial devices. Europe has also effectively banned the use of backscatter X-ray devices. EPIC has a FOIA lawsuit against DHS concerning body scanner radiation risks. In response to another EPIC lawsuit, the agency will begin a public comment process on the airport screening program in March 2013. For more information see: EPIC: Whole Body Imaging Technology and Body Scanners. (Dec. 19, 2012)
- Representative Markey Introduces Privacy Legislation for Aerial Drones
Representative Ed Markey (D-MA) has introduced the Drone Aircraft Privacy and Transparency Act. The bill calls for the Federal Aviation Administration to complete a report on the privacy implications of domestic drone use. In addition, the bill will require drone operators to submit a data collection and data minimization statement concerning the collection of personally identifiable information. EPIC has twice asked Congress to protect individual privacy against increased use of domestic drones. EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Dec. 18, 2012)
- Instagram Privacy Change Raises Legal Questions
Instagram recently announced several changes to the terms of service that will allow the company to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and to advertisers. Instagram also proposed that the parents of minors implicitly consent to the use of their children's images for advertising purposes. The changes will take effect January 16, 2013, and will not apply to pictures uploaded before that date. Instagram’s parent company, Facebook, is under a 2011 consent order with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. Using an individual’s name or likeness for commercial purposes without consent is also prohibited in most states. EPIC had recently urged Facebook users to vote for "Existing Documents," warning that under the changed terms of service, Facebook would loosen privacy controls and that would impact Instagram. For more information, see EPIC: Facebook and EPIC: FTC. (Dec. 18, 2012)
- Federal Agency Proposes "Black Box" Mandate for Cars
The National Highway Traffic Safety Administration has proposed that, beginning September 1, 2014, all new cars will be required to have Event Data Recorders. The devices record detailed information about drivers, which can be made available to insurance companies, the police, and others. Currently, there are minimal privacy protections in the draft regulation. The public will have until February 11, 2013 to provide comments to the agency. EPIC recommends that commentators urge the agency to "Strengthen privacy safeguards." For more information see EPIC - Event Data Recorders and Privacy and EPIC - Driver Privacy Protection Act. (Dec. 14, 2012)
- Senate Judiciary Committee Approves Location Privacy Bill
The Location Privacy Act of 2011, sponsored by Senator Al Franken, has been reported favorably by the Senate Judiciary Committee. The bill requires affirmative consent for the collection and disclosure of location information, an important protection for cell phone users and users of location-based services. EPIC previously recommended similar protections for location data and filed comments with the Federal Communications Commission advocating location privacy safeguards under the Communications Act. For more information, see EPIC: Locational Privacy and EPIC: Electronic Communications Privacy Act. (Dec. 14, 2012)
- Appeals Court Upholds Non-Harmful Phone Spoofing
A federal appeals court has ruled that a state law prohibiting all caller ID spoofing is preempted by the federal Truth in Caller ID Act of 2009. Under the federal law, it is only unlawful to transmit misleading caller information with the intent to defraud or cause harm. EPIC urged the Senate in 2007 and House of Representatives in 2006 and 2007 to establish this intent requirement to protect the use of Privacy Enhancing Technologies, which limit the disclosure of actual identity. The appeals court's ruling upholds this important privacy protection. For more information, see EPIC: Illegal Sale of Phone Records and EPIC: Comments to FCC on TCIA Rules. (Dec. 14, 2012)
- Facebook Updates Privacy Controls, Removes Profiles Safeguard
Facebook announced changes to its privacy controls and the privacy settings of its users. The changes include settings that allow users to choose which information apps can access and disclose, and a privacy shortcuts menu. But Facebook also removed an option that allowed users to hide themselves from strangers through Facebook’s search function. The changes follow an election conducted by Facebook in which 88 percent of voters opposed changing the privacy policy and voting rights of users. EPIC previously wrote to the Federal Trade Commission regarding the blanket disclosure features of certain apps and the proposal to end the voting part of Facebook's site governance process. Facebook is currently subject to a settlement with the FTC over privacy violations. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 13, 2012)
- Federal Appeals Court Addresses Email Privacy, Notes EPIC's Amicus Brief
The Court of Appeals for the Fourth Circuit has affirmed the lower court judgement in United States v. Hamilton. At issue in the case was the privacy of workplace e-mails exchanged between a husband and wife. The government argued that Hamilton waived his right to email privacy because he failed to safeguard his email after a change in the workplace computer use policy. EPIC argued, in an amicus curiae brief, that it would be extremely difficult for employees to securely delete all confidential saved e-mails whenever a use policy changed, an issue the court explored during oral argument. The court wrote that "In an era in which email plays a ubiquitous role in daily communications, these arguments caution against lightly finding waiver of marital privilege by email usage," but determined that Hamilton did not take any steps to protect the email and therefore had waived the spousal privilege. For more information, see EPIC: United States v. Hamilton and EPIC: Workplace Privacy. (Dec. 13, 2012)
- 88% of Facebook Users Oppose Changes to Privacy Policy and Voting Rights, EPIC Urges FB to Withdraw Proposal
Preliminary results from the recent Facebook Site Governance Vote indicate that 589,141 Facebook users voted to keep the existing Statement of Rights and Responsibilities and Privacy Policy. Only 79,731 voted for the proposed changes. In the largest vote in Facebook history, approximately 88% of users who voted favored the existing documents. EPIC and the Center for Digital Democracy earlier wrote FB CEO Mark Zuckerberg, recommending that the proposal be withdrawn. In 2009, Facebook withdrew proposed changes to the Terms of Service after 150,000 users formed a group "FB Users Against the New TOS." In 2007, FB backed off "Beacon," a controversial marketing technique, when 50,000 users signed a petition. Facebook is currently under a consent order with the US Federal Trade Commission. For more information, see EPIC: Facebook. (Dec. 10, 2012)
- FTC Report Finds Privacy Problems for Children’s Mobile Apps
A report by the Federal Trade Commission found little progress on transparency for child-directed mobile applications. The FTC surveyed apps from Google Play and Apple App stores and concluded that "many apps included interactive features or shared kids' information with third parties without disclosing these practices to parents." The report commits the FTC to another review of the app marketplace and indicates that the agency has launched "multiple non-public" investigations to determine whether certain apps had engaged in unfair and deceptive trade practices or violated the Children’s Online Privacy Protection Act. The FTC recently proposed revisions to the COPPA Rule, which EPIC supported. For more information, see EPIC: Children’s Online Privacy and EPIC: Federal Trade Commission. (Dec. 10, 2012)
- Aviation Industry to FAA: "Ignore Privacy"
Aviation groups have asked the Federal Aviation Administration to ignore the privacy implications of increased drone use in the United States. The letter follows the FAA statement that domestic drones “raises privacy issues [that] will need to be addressed.” Earlier this year, EPIC warned Congress, "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies." EPIC, joined by over 100 organizations, experts, and members of the public, has petitioned the FAA to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Dec. 7, 2012)
- Senate Committee to Consider Location Privacy Bill
The Senate Judiciary Committee is set to consider S. 1223, the Location Privacy Act of 2011, sponsored by Senator Al Franken. The bill would establish important privacy protections for cellphone users and require affirmative consent for the collection or disclosure of location data by service providers. EPIC previously recommended new protections for location data as part of the update of federal law. EPIC also filed comments with the Federal Communications Commission supporting guidelines for the protection of location data under the federal Communications Act. For more information, see EPIC: Locational Privacy and EPIC: Electronic Communications Privacy Act. (Dec. 6, 2012)
- EPIC to Department of Defense: Maintain Strong Open Government Rules
EPIC has submitted extensive comments to the Defense Logistics Agency, an agency component within the Department of Defense, opposing changes to the Freedom of Information Act (FOIA). The agency's proposals will substantially alter the Defense Logistics Agency FOIA Program, and modify key terms governing FOIA processing, general FOIA policy, exemptions under the FOIA, and fee waivers. EPIC said that several of the proposals are contrary to law, exceed the scope of the agency's authority, and should be withdrawn. EPIC further stated that the proposals contravene statements of the President and Attorney General concerning government transparency. EPIC routinely submits comments on proposed changes to FOIA regulations, warning agencies not to erect new obstacles to those seeking information about government. The statement to the DLA was prepared with the assistance of students at the Georgetown University Law Center studying the law of open government. For more information, see EPIC: Open Government. (Dec. 6, 2012)
- Massachusetts High Court Allows Limited Warrantless Search of Cellphone Call Logs
The Supreme Judicial Court of Massachusetts has ruled that no search warrant is required to check the recent call list of a flip phone seized during a lawful arrest. However, the Court in Commonwealth v. Phifer emphasized that the ruling is narrow and fact-specific. Different facts, a more invasive search, or a more complex phone could result in a different outcome, said the Massachusetts high court. In the case, police witnessed a drug deal, arrested the dealer, and then checked the phone's call log for evidence of recent drug sales. The Massachusetts Court analogized searching the phone in these circumstances to searching a container that could contain contraband. The Supreme Judicial Court issued a similar ruling in a contemporaneous companion case, Commonwealth v. Berry. In a previous Massachusetts case in which EPIC filed a "friend of the court" brief, the Supreme Judicial Court ruled that sensitive data obtained from GPS tracking requires a search warrant. For more information, see EPIC: Locational Privacy and EPIC: Commonwealth v. Connolly. (Dec. 6, 2012)
- EPIC Urges Vote for EXISTING Facebook Documents
Facebook has proposed changes to its policies that would (1) end user voting, (2) remove spam blocking, and (3) share FB user data with affiliates without user consent. EPIC and others are urging Facebook users to participate in the Facebook Governance Vote and to vote for EXISTING documents. Anyone with a Facebook account can VOTE HERE. #existingdocuments (Dec. 4, 2012)
- EPIC: Hearing on FTC Nominee Should Address FTC's Settlement Process for Privacy Violations
In a letter to the Senate Commerce Committee, EPIC has recommended that Congress require the Federal Trade Commission to consider more carefully the public's views on proposed privacy settlements. EPIC also recommended that the FTC require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. The Committee is holding a hearing on the nomination of Joshua Wright to the FTC. The letter states that EPIC takes no position on the nomination of Dr. Wright, but encourages Congress to take the opportunity to explore the Commission's response to growing public concerns about privacy. EPIC routinely submits comments to the FTC on proposed consent orders, most recently on the Compete, Inc. settlement. EPIC has also recommended that the FTC promote the Consumer Privacy Bill of Rights in privacy settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 4, 2012)
- EPIC Urges Congress to Suspend Funding for Body Scanner Program
In a letter to Representatives Mike Rogers and Sheila Jackson Lee, EPIC has asked Congress to suspend funding for the airport body scanner program until the TSA has completed a court-ordered public rulemaking. The letter follows a House oversight hearing where members of Congress learned that the TSA had shipped millions of dollars' worth of backscatter X-ray devices to warehouses. Earlier the TSA stated that it was moving the devices to smaller airports for efficiency reasons. Backscatter X-ray devices are currently prohibited in Europe. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program), EPIC: Whole Body Imaging Technology and Body Scanners ("Backscatter" X-Ray and Millimeter Wave Screening) and EPIC: Body Scanner FAQ. (Nov. 29, 2012)
- Senate Committee Updates ECPA, Modifies Video Privacy Law
The Senate Judiciary Committee approved a bill that updates the Electronic Communications Privacy Act and modifies the Video Privacy Protection Act. The bill generally requires law enforcement to obtain a warrant before accessing email or other electronic communications and allows for blanket consent of video viewing information. An amendment by Senator Feinstein, adopted by the Committee, limited the opt-in to two years or until the user withdraws consent. EPIC previously testified against a proposal that would weaken the consent provision of the Video Privacy Protection Act. EPIC has also favored more extensive updates for ECPA, including coverage of locational information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Video Privacy Protection Act. (Nov. 29, 2012)
- NASA Suffers More Data Breaches
NASA has announced that the theft of an unencrypted laptop has compromised the personal information of a "large number" of NASA employees and contractors. A similar theft earlier this year exposed the data of thousands of Kennedy Space Center employees. The federal agency said that by the end of the year all NASA laptops must have full-disk encryption. The recent developments follow a 2010 United States Supreme Court case, NASA v. Nelson, in which a federal contractor challenged NASA's overly broad collection of personal information. EPIC filed an amicus curiae brief in support of the contractor Robert Nelson, arguing that there were insufficient legal protections and that NASA's systems are vulnerable to data breaches. Robert Nelson is among the employees and contractors who this week received a notice from NASA about the data breach. For more information, see EPIC: NASA v. Nelson and EPIC: Privacy Act. (Nov. 27, 2012)
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive
EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA - Cybersecurity Authority. (Nov. 27, 2012)
- Privacy Groups Ask Facebook to Withdraw Proposed Changes
EPIC, along with the Center for Digital Democracy, has asked Facebook to withdraw proposed changes that will impact the privacy of users and their ability to participate in site governance. Facebook recently proposed to end the voting part of the site governance process, restrict users' ability to prevent unwanted messages, and combine personal information from Facebook with Instagram. In the letter, the groups say "[b]ecause these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes." Facebook users may also comment directly on the proposed changes. Facebook is subject to the terms of a recent settlement with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook. (Nov. 26, 2012)
- Pew Survey Finds Most Parents Concerned About Children's Online Privacy
A new report from the Pew Research Center and the Berkman Center for Internet & Society finds that 81% of parents are concerned about how much information advertisers can learn about their child's online behavior. Also, 69% of parents of online teens are concerned about how their child’s online activity might affect their future academic or employment opportunities. And 63% of parents of teens ages 12-13 say they are "very" concerned about their child's interactions with people they do not know online. Many parents reported taking steps to address these risks, such as talking to their children or helping them configure privacy settings. The Federal Trade Commission is considering new privacy rules to strengthen the Children’s Online Privacy Protection Act. EPIC strongly supports the proposed changes. For more information, see EPIC: Children's Online Privacy and EPIC: Federal Trade Commission. (Nov. 21, 2012)
- NSA Withholds Cybersecurity Directive, EPIC to Appeal
The National Security Agency has responded to a Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA - Cybersecurity Authority. (Nov. 20, 2012)
- FTC Releases 2012 Performance Report
The Federal Trade Commission has released its performance and accountability report for 2012. The report summarizes the agency’s activities, shows how the agency has managed its resources, and explains how it plans to address future changes. Regarding consumer privacy, the agency cites the release of a new privacy report, the adoption of a consent order with Facebook, and a $22.5 million fine against Google as its primary accomplishments. The Commission reported that it acted on 90.6% of all consumer complaints that it received, though it did not indicate how many of these actions concerned consumer privacy. The agency’s goals for the coming year include “promot[ing] stronger privacy protections through policy initiatives on a range of topics such as data brokers, mobile devices, and comprehensive online data collection.” Earlier this year, EPIC brought suit against the Federal Trade Commission for its failure to enforce a 2011 consent order. EPIC has also routinely urged the FTC to take account of public comments when the agency sets out proposed settlements and asks for public comments. For more information, see EPIC: Federal Trade Commission and EPIC: EPIC v. FTC (Enforcement of Google Consent Order). (Nov. 20, 2012)
- EPIC Submits Comments to FTC on Consumer Tracking Settlement
EPIC submitted comments to the Federal Trade Commission on a recent settlement with Compete, Inc. The settlement arises from allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. EPIC expressed support for the settlement, but recommended that the FTC also require Compete to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and develop a best practices guide to de-identification techniques, as anonymization has become more critical for online privacy. For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Nov. 20, 2012)
- EPIC Argues for Privacy of Driver's Records in Supreme Court Case
In a "friend of the court" brief, EPIC has urged the U.S. Supreme Court to limit the disclosure of personal information covered by the Driver's Privacy Protection Act. At issue in Maracich v. Spears is a lower court's decision to allow disclosure of information stored in state departments of motor vehicles. EPIC's amicus brief details the staggering amount of personal information in driver's records, particularly as a consequence of the REAL ID regulations. In Reno v. Condon, the Supreme Court upheld the constitutionality of the federal law. EPIC filed an amicus brief in that case and said "The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest." For more information, see EPIC: Maracich v. Spears and EPIC: The Driver's Privacy Protection Act. (Nov. 16, 2012)
- Senate Reauthorizes SAFE WEB Act
The Senate has approved a House bill to reauthorize the SAFE WEB Act. The SAFE WEB Act gives the Federal Trade Commission additional tools to combat cross-border fraud, spam, and spyware. EPIC previously testified before both the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation on the SAFE WEB Act. EPIC said that it supported legislation that safeguards privacy and ensures government oversight while enabling the FTC to work more closely with consumer protection agencies in other countries. For more information, see EPIC: Federal Trade Commission. (Nov. 15, 2012)
- Congress to Scrutinize TSA's "Scanner Shuffle"
The House Subcommittee on Transportation Security is holding an oversight hearing this week, "TSA's Recent Scanner Shuffle: Real Strategy or Wasteful Smokescreen?" The hearing announcement follows a decision by the TSA to remove the backscatter x-ray devices from major US airports. In a statement for the record, EPIC highlighted public concerns about the use of body scanners, including health and privacy risks, and the failure of the TSA to take public comments on the program. In July 2011, the federal appeals court in Washington, DC ruled that the Department of Homeland Security must "act promptly" to receive public comments. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program), EPIC: Whole Body Imaging Technology and Body Scanners ("Backscatter" X-Ray and Millimeter Wave Screening) and EPIC: Body Scanner FAQ. (Nov. 14, 2012)
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release
Following a Washington Post report of a new cyber security directive, EPIC has filed a Freedom of Information Act request for the release of Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority, and EPIC v. NSA: Google / NSA Relationship. (Nov. 14, 2012)
- EPIC Urges the Interior Department to Preserve Strong Open Government Rules
In comments to the Department of the Interior, EPIC has urged the federal agency not to weaken the Freedom of Information Act (FOIA) as it has proposed. The Interior Department is considering regulations that would place new burdens on FOIA requesters by: (1) terminating FOIA requests, (2) denying FOIA requests without providing justifications as required by law, and (3) withholding the identity of agencies to which the Department refers FOIA requests. EPIC said that the Interior Department's proposal would undermine the open government law and is contrary to law and to the views expressed by the President and the Attorney General about the FOIA. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. In 2011, EPIC submitted extensive comments to the Department of Justice, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Nov. 14, 2012) - Google Transparency Report Reveals Risks of Cloud-based Computing
According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users, when it consolidated privacy policies across its various Internet services. In 2009, EPIC urged the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing". (Nov. 14, 2012) - Supreme Court Limits Remedies for Credit Card Privacy Violations
In U.S. v. Bormes, the U.S. Supreme Court held that the government could not be sued for violating the Fair Credit Reporting Act under an 1887 law that waived governmental immunity for certain claims "premised on other sources of law." The case arose after an attorney paid a federal-court filing fee with his credit card and noticed that the receipt included personal information in violation of the Fair Credit Reporting Act. He then sued the government under the Little Tucker Act, which waives sovereign immunity "for claims premised on other sources of law." Justice Scalia, writing for a unanimous Court, held that the attorney could not sue the government under the Little Tucker Act because the Fair Credit Reporting Act has its own detailed damages provision, and "[w]here . . . a statute contains its own self-executing remedial scheme, we look only to that statute to determine whether Congress intended to subject the United States to damages liability." The Court sent the case back to the Seventh Circuit Court of Appeals to determine whether the government may be sued under the Fair Credit Reporting Act itself. For more information, see EPIC: Fair Credit Reporting Act. (Nov. 13, 2012) - Supreme Court to Review DNA Collection Law
The Supreme Court has agreed to hear Maryland v. King, a challenge to the constitutionality of the State's DNA Collection Act. The Act authorizes law enforcement to collect DNA samples from individuals arrested, but not convicted, for certain crimes. The lower court held that the Act was unconstitutional as applied to the defendant because the warrantless collection of DNA from a mere arrestee was an unlawful search and seizure under the Fourth Amendment. The Maryland court previously upheld the Act as applied to convicted felons in State v. Raines. EPIC filed an amicus brief in Raines and other cases involving compelled DNA collection in California, Louisiana, and the District of Columbia. EPIC has argued that the privacy implications of DNA collection are greater than fingerprint collection. A recent report from the President's Commission on Bioethics recommends limiting law enforcement access to DNA information. For more information, see EPIC: Genetic Privacy and EPIC: DNA Act. (Nov. 13, 2012) - DHS Privacy Review Fails to Address DHS Monitoring of Online Dissent
The Department of Homeland Security released a Privacy Compliance Review which found that the DHS social media monitoring program complied with the DHS's own privacy requirements. Documents obtained by EPIC through a FOIA lawsuit revealed that DHS is monitoring social networks and media organizations for criticism of the agency. Congress held a hearing earlier this year to determine why DHS is tracking political statements on Twitter and social networks. EPIC's lawsuit against DHS is ongoing. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring. (Nov. 9, 2012) - Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices
Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broker legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker ChoicePoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Nov. 8, 2012) - EPIC to Congress: Protect Privacy Against Drone Surveillance
EPIC participated in a Congressional Hearing on the Impact of Domestic Drone Use Technology on Privacy and Constitutional Rights of All Americans, held at Rice University in Houston, Texas. Congressman Ted Poe (R-TX), sponsor of H.R. 6449: Air Travelers' Bill of Rights Act of 2012, convened the hearing. Joining Congressman Poe were Representatives Michael McCaul (R-TX), Hank Johnson (D-GA), and Sandy Adams (R-FL). EPIC's Amie Stepanovich testified on the need for specific laws to limit drone surveillance in the United States. In a prepared statement, EPIC recommended a warrant requirement for drone surveillance by police as well as data use limitations, and transparency obligations for drone operators. In February, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to begin a rule making on the privacy impact of drone use. The Agency has not yet responded to the EPIC Petition. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Nov. 5, 2012) - Privacy and Civil Liberties Oversight Board Holds First Public Meeting
The Privacy and Civil Liberties Oversight Board held its initial meeting to take recommendations from the public regarding the issues the Board should pursue. The Implementing Recommendations of the 9/11 Commission Act of 2007 established the Board as an independent agency to "analyze and review actions the executive branch takes to protect the Nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties." In a prepared statement, EPIC urged the Board to investigate the program activities of the Department of Homeland Security and other federal agencies that have failed to comply with the Privacy Act of 1974. For more information, see EPIC: Spotlight on Surveillance, EPIC: The Privacy Act of 1974, EPIC: The 9/11 Commission Report, and EPIC: “Security and Liberty: Protecting Privacy, Preventing Terrorism” (Testimony Before the 9/11 Commission). (Nov. 1, 2012) - Appeals Court Hears Arguments in E-mail Privacy Case
The Fourth Circuit heard oral arguments this week in United States v. Hamilton, a criminal case involving personal e-mails to a spouse sent from a workplace computer. The court focused on the scope of the marital privilege, the privacy of workplace e-mail, and whether failing to delete e-mail after a change in an email "use policy" can constitute a waiver of privilege. EPIC argued in an amicus brief that the retroactive application of a use policy as well as "a duty to delete" would be unfair to users. For more information, see EPIC: United States v. Hamilton and EPIC: Workplace Privacy. (Oct. 30, 2012) - Justices Hear Arguments in Surveillance Standing Case
The Supreme Court heard oral arguments in Clapper v. Amnesty International, a case concerning the right to challenge illegal surveillance. A federal appeals court ruled in favor of a group of plaintiffs, including human rights advocates, journalists and attorneys, and held that their costs incurred to avoid surveillance were sufficient to establish a live controversy under the Constitution. Solicitor General Donald Verrilli, arguing on behalf of the United States and the Director of National Intelligence, claimed that plaintiffs could not establish a sufficiently concrete injury because they do not know if they had been subject to surveillance. The Justices, including Justice Kennedy, seemed concerned about the possibility of government surveillance of privileged attorney-client communications. EPIC filed an amicus brief, joined by thirty-two legal scholars and technical experts, and six privacy and open government organizations, arguing that the plaintiffs' concerns were well founded considering the surveillance capabilities of the NSA and the failure to establish sufficient public reporting requirements for lawful surveillance. For more information, see: EPIC: Clapper v. Amnesty Int'l USA and EPIC: Foreign Intelligence Surveillance Act. (Oct. 29, 2012) - EPIC Comments on FTC Rent-to-Own Computer Spying Settlement
EPIC has submitted comments on a series of settlements between the Federal Trade Commission and companies that offered computers on a rent-to-own basis, typically to low-income consumers. The companies installed surveillance technology that secretly recorded keystrokes, location information, screenshots, and even took webcam photos. The settlements prohibit the companies from deceptively collecting information from consumers or collecting location information without consent, and require them to destroy the illegally-gathered data. EPIC expressed support for the settlements, and recommended that the FTC also require the companies to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and hold a workshop on privacy and inequality. EPIC routinely comments on the FTC's proposed settlements concerning consumer privacy. For more information, see EPIC: Federal Trade Commission. (Oct. 26, 2012) - FOIA Ombudsman Sides with EPIC, DHS to Revise Fee Procedures
Following a detailed complaint from EPIC, which stated that the DHS "is throwing up roadblocks" by withholding fee waivers that should be granted, the FOIA Ombudsman has announced significant changes that will assist all DHS Freedom of Information Act requesters. Beginning October 1, 2012, the DHS will conditionally grant fee waivers if the request is likely to qualify for a fee waiver. EPIC had objected that previously the agency did not grant waivers even when it knew the requester was likely to qualify. Second, DHS will inform non-commercial requesters that they are entitled to two free hours of search time and 100 free pages of duplication. Previously, the agency did not inform requesters of this legal right. Third, when fees are imposed, the agency will now provide requesters a detailed breakdown of costs. EPIC President Marc Rotenberg praised the work of the FOIA Ombudsman and acknowledged the changes at DHS. "Congress made clear that the fee waiver provision promotes access to public information. These changes are consistent with that important purpose," said Mr. Rotenberg. For more information, see EPIC - Open Government. (Oct. 24, 2012) - Federal Trade Commission Proposes "Best Practices" for Facial Recognition Technology
The Federal Trade Commission has released a report recommending practices that businesses using facial recognition technology should follow in order to protect the privacy and security of consumers. The report noted that facial recognition techniques range from simple face detection to the identification of previously anonymous individuals. The FTC recommended several practices for all businesses, such as privacy by design, data deletion, and security standards. In services involving facial recognition to identify individuals, the FTC recommended that companies obtain the affirmative express consent of consumers, and in certain sensitive locations, such as health care facilities, the FTC said that the technology should not be used at all. In earlier comments to the Commission, EPIC recommended a moratorium on the use of facial recognition until adequate privacy safeguards are developed. A similar recommendation is found in the Madrid Privacy Declaration, which is endorsed by more than 100 civil society organizations worldwide. Facebook has ended the use of facial recognition in the European Union and suspended use in the United States. For more information, see EPIC: Face Recognition and EPIC: Federal Trade Commission. (Oct. 22, 2012) - New Jersey Supreme Court Considers Cellphone Tracking Case
In State v. Earls, the New Jersey Supreme Court is today hearing arguments on whether the police may use cellphone tracking techniques without court approval. Earlier this year, the US Supreme Court ruled that the police must obtain a court order if they attach a GPS tracking device to a vehicle. EPIC filed a "friend of the court" brief in Earls, urging the New Jersey court to uphold Fourth Amendment protections. The cell phone tracking techniques at issue in the New Jersey case, EPIC argued, "is more invasive than the GPS tracking in Jones." Princeton attorney Grayson Barber is arguing for EPIC as amicus before the New Jersey court. (Oct. 22, 2012) - Public Voice Conference Underway in Uruguay
Civil society groups, privacy advocates, tech experts, and others are gathering today in Punta del Este, Uruguay for "Privacy Rights are a Global Challenge." The conference will examine Enforcement of Consumer Privacy Rights Enforcement, Privacy Laws in Latin America, Emerging Trends, and the Implementation of the Madrid Declaration. The Public Voice conference is held in conjunction with the annual meeting of the Privacy and Data Protection Commissioners. Follow at #tpv12. You can also view the meeting webcast. (Oct. 22, 2012) - Verizon Begins Invasive Marketing Program
Verizon has begun selling the personal information of Verizon users, including location information and web browsing activity. The collection of content information implicates federal wiretapping law, although some have suggested that Verizon escapes liability by allowing users to opt-out. EPIC previously filed a complaint with the Federal Trade Commission regarding Verizon’s business practices, which EPIC described as “unfair and deceptive, contrary to the privacy and security interests of Verizon Wireless customers, and actionable by the Federal Trade Commission.” For more information, see EPIC: Federal Trade Commission, and EPIC: Electronic Communications Privacy Act. (Oct. 22, 2012) - TSA Unplugs, Boxes Up Airport Body Scanner X-ray Devices
Earlier this year, the TSA indicated that it would no longer purchase backscatter x-ray devices for deployment in US airports. A news story this week confirms that the TSA has ceased buying the "Whole Body Imaging" devices and is actively replacing them with millimeter wave scanners, a less intrusive but also controversial scanning technology. EPIC sued the Department of Homeland Security to force disclosure of technical documents about the body scanner program. In a subsequent lawsuit, EPIC v. DHS, the DC Circuit Court of Appeals determined that air travellers have a right to opt out of the body scanner screening and that the TSA must undertake a notice and comment rulemaking. In the most recent decision, the Court has ordered the agency to begin the public comment process by March 2013. For more information, see EPIC: Whole Body Imaging Technology and Body Scanners and EPIC: EPIC v. DHS (suspension of airport body scanners). (Oct. 19, 2012) - EPIC FOIA Cases Move Forward in Federal Court
Federal judges have recently issued orders compelling government agencies to produce documents in two open government cases pursued by EPIC. In EPIC v. Office of Director of National Intelligence, 12-1282, EPIC is seeking information about a plan to integrate databases across the federal government, without the legal safeguards typically in place for personal data held by government agencies. (EPIC press release). In response to the EPIC FOIA lawsuit, a federal judge has ordered the agency to disclose the procedures it has established to safeguard privacy rights. In EPIC v. DHS, 12-333, EPIC is seeking documents about the monitoring of the Internet that some Justice Department officials believe may "run afoul of privacy laws forbidding government surveillance of private Internet traffic." The government sought a 16-month extension. The court has ordered the agency to start producing documents in the next month. For more information, see EPIC - Open Government. (Oct. 18, 2012) - FTC Holds "Robocall Summit"
A Federal Trade Commission workshop on automated telephone calls focused on the legal and technical aspects of robocalls, including the current state of telephonic technology, call authentication technology, and call blocking technology. The Federal Communications Commission recently established new penalties for Caller ID "spoofing," the practice of faking caller ID information. In comments to the FCC and testimony before Congress, EPIC recommended, and Congress and the FCC agreed, that intent to do harm is necessary in order to trigger the penalties, because spoofing can also be used to maintain anonymity, and to protect, for example, victims of domestic violence. For more information, see EPIC: FTC and EPIC: Caller ID. (Oct. 18, 2012) - National Do Not Call Registry Tops 217 Million Phone Numbers
According to the 2012 "National Do Not Call Registry Data Book", the number of actively registered phone numbers is up, but so too is the number of consumer complaints about unwanted telemarketing calls. The FTC has continued to receive large numbers of consumer complaints about robocalls even though most telemarketing robocalls have been illegal since September 2009. EPIC supported establishment of the Do Not Call Registry, and recommended to Congress in 2010 that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act and EPIC: Online Tracking and Behavioral Profiling. (Oct. 17, 2012) - European Data Protection Agencies Order Google to Improve Privacy Practices
The French Data Protection Commissioner, acting on behalf of the European Union, has ordered (Appendix) Google to endorse key privacy principles, comply with data protection laws, and give users greater control over their personal information. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed and secret profiles on Internet users. The Commissioner determined that the change violated European data protection laws because Google "does not collect unambiguous consent of the user," and listed 12 steps that Google should implement in order to ensure compliance with the law. Earlier this year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, IT managers in the government and private sectors, and consumer organizations in the United States and Europe. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Oct. 16, 2012) - Appeals Court Hears Arguments in Open Government Case
The DC Circuit Court of Appeals today considered arguments in Citizens for Responsibility and Ethics in Washington v. Federal Election Commission, concerning an agency's failure to comply with statutory obligations to process a Freedom of Information Act request. EPIC joined with Public Citizen and several other prominent open government organizations in an amicus brief supporting CREW's appeal. The open government groups argued that the FEC's practice conflicts with the plain language of the Freedom of Information Act and would wreak havoc on open government. For more information, see EPIC: Open Government. (Oct. 16, 2012) - Federal Court Panel Blocks South Carolina Voter ID Requirement
A special panel of federal judges in Washington, DC has barred the state of South Carolina from enforcing new voter identification requirements in the upcoming November elections. The court was "unable to conclude" that South Carolina could implement its voter identification law in a way that would "suffice under the Voting Rights Act" before the upcoming elections. The court did grant preclearance to implement the law after the November elections citing the "extremely broad interpretation of the reasonable impediment provision," which allows South Carolina voters to still vote if they complete an affidavit affirming their identity and state the reason for not having obtained photo identification. EPIC has previously argued that voter ID requirements impermissibly burden the right to vote. For more information, see EPIC: Voter ID and Privacy and EPIC: Crawford v. Marion County. (Oct. 15, 2012) - GAO Recommends New Safeguards for Locational Data
"Additional Federal Actions Could Help Protect Consumer Privacy," a report from the Government Accountability Office, essentially says that users of mobile devices have no idea what information about them is collected or how it is used. The report explains that the privacy problems are getting worse as industry groups have failed to establish meaningful safeguards and the NTIA's "multistakeholder process" is going nowhere. Several members of Congress have introduced legislation to protect mobile data, much as communications information is routinely protected by law. Senator Al Franken is the sponsor of Location Privacy Protection Act of 2011, which would "close current loopholes in federal law by requiring any company that may obtain a customer's location information from his or her smartphone or other mobile device to get the customer's express consent before" collecting location data or sharing it with third parties. For more information, see EPIC: Locational Privacy and EPIC: Location Privacy: Apple iPhone/iPad. (Oct. 15, 2012) - Presidential Commission Urges Privacy Protections for DNA Data
Noting the rapid advances in the use of genetic data, the report of the Presidential Commission for the Study of Bioethical Issues recommended "a consistent floor of privacy protections covering whole genome sequence data regardless of how they were obtained. These policies should protect individual privacy by prohibiting unauthorized whole genome sequencing without the consent of the individual from whom the sample came." The Commission further said "Only in exceptional circumstances should entities such as law enforcement or defense and security have access to biospecimens or whole genome sequence data for non health-related purposes without consent." The Presidential Commission offered additional recommendations on "Ethical Principles," "Policy and Governance," and "Analysis and Recommendations." Earlier this year, EPIC provided comments to the Commission, and proposed new safeguards for genetic data and limits on law enforcement access. EPIC also recommended that the Commission build upon existing genetic privacy and medical laws to enhance individual control over their genetic information. For more information, see EPIC: Genetic Privacy and EPIC: Medical Record Privacy. (Oct. 15, 2012) - FBI Exempts Massive Database from Privacy Act Protections
The Federal Bureau of Investigation has exempted the FBI Data Warehouse System from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System. (Oct. 10, 2012) - EPIC Urges Support for New European Privacy Framework
In testimony before the European Parliament, in Brussels, EPIC President Marc Rotenberg expressed support for the new Data Protection regulation of the European Union. "Efforts to update European Privacy law will provide benefits to Internet users all around the globe," Rotenberg said. US consumer organizations have also expressed support for the EU initiative. The Madrid Privacy Declaration, endorsed by more than 100 civil society organizations, calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." (Oct. 9, 2012) - Supreme Court to Hear Challenge to Restrictive State FOI Law
The Supreme Court has agreed to hear a case, McBurney v. Young, challenging a Virginia state open government law that restricts access to residents and news media organizations operating within Virginia. Petitioners are out-of-state residents whose requests for state documents under the Virginia Freedom of Information Act were denied. The case presents the important issue of whether states can discriminate against non-residents by denying them access to state records. EPIC filed an amicus brief along with several open government organizations urging the Court to hear this case. For more information, see: EPIC: Open Government. (Oct. 5, 2012) - Senate Report Finds Fusion Centers "Wasteful," Likely Violate Federal Privacy Laws
A Senate Investigations Committee has released a new report on "State and Local Fusion Centers", government data warehouses that store an enormous amount of information on Americans. The Senate report found that Fusion Centers, operated by the Department of Homeland Security, "often produced irrelevant, useless or inappropriate intelligence" and stored records on U.S. persons, "possibly in violation of the Privacy Act." In 2007, EPIC's "Spotlight on Surveillance" warned that Fusion Centers would lead to "abuse and misuse." In subsequent FOIA cases, and comments to the DHS, EPIC helped document the many problems with the federal Fusion Center program, including lack of oversight and ineffective privacy safeguards. For more information, see EPIC: Information Fusion Centers and Privacy and EPIC: EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill. (Oct. 3, 2012) - International Consumer Coalition Selects EPIC's Lillie Coney to Co-chair Information Society Committee
The Trans-Atlantic Consumer Dialogue, a coalition of more than sixty consumer organizations in Europe and North America, has selected officers for 2012. EPIC's Lillie Coney joins NCC's Thomas Nortvedt as co-chair of the Information Society Policy Committee. Former US co-chair Susan Grant with Consumer Federation of America joined the TACD US Steering Committee. Other TACD committees include Food Policy, Intellectual Property, Financial Services, and Nanotechnology. The TACD presents joint consumer policy recommendations to the US government and the European Union to promote the consumer interest in EU and US policy making. (Oct. 3, 2012) - Pennsylvania Judge Blocks Voter ID Requirement
A Pennsylvania district court barred the state from enforcing voter identification requirements in the upcoming November elections. Following guidance from the state Supreme Court, Judge Robert Simpson issued a narrow preliminary injunction. He ordered that Pennsylvania may not require photo IDs to vote in November. Election officials may ask voters for identification, but those without ID may still cast regular ballots. Judge Simpson explained that the state Supreme Court identified "the essential offending activity as voter disenfranchisement, not a request to produce photo ID." EPIC has previously argued that voter ID requirements impermissibly burden the right to vote. For more information, see EPIC: Voter ID and Privacy and EPIC: Crawford v. Marion County. (Oct. 3, 2012) - EPIC FOIA Uncovers Google’s Privacy Assessment
Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government. (Sep. 28, 2012) - Consumer Groups Ask FTC to Investigate Facebook-Datalogix Data-Matching Arrangement
EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix. (Sep. 27, 2012) - EPIC Supports New Children’s Privacy Rule
EPIC submitted comments on the Federal Trade Commission's revisions to the proposed Children’s Online Privacy Protection Act Rule. EPIC said that it supported the new definitions of "operator" and "website or online service directed to children," which hold child-directed websites and third-party services responsible for the collection of children’s personal information, but asked the FTC to monitor age-screening and to clarify the scope of a provision on using persistent identifiers, such as "cookies." EPIC supported the original FTC rule in September 2011, noting that the proposed revisions take "account of the increased use of mobile devices by users and new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Sep. 27, 2012) - Court Responds to EPIC Petition, Expects Body Scanner Rule by March 2013
The Court of Appeals for the DC Circuit has issued a ruling on EPIC's recent petition regarding the controversial body scanner program. EPIC had urged the court to require the Secretary of Homeland Security to begin a public comment process or suspend the program. The agency said it might "finalize documents" by February 2013. The court said it expected the agency to begin the process before the end of March 2013. In July 2011 the court ordered the agency to "promptly" begin the process. For more information, see: EPIC v. DHS (Suspension of Body Scanner Program). (Sep. 25, 2012) - Supreme Court to Hear Drivers' Records Privacy Case
The US Supreme Court has decided to review Maracich v. Spears, a case concerning the Drivers' Privacy Protection Act. The federal privacy law prohibits the disclosure of personal information in state motor vehicle records, except under certain narrow circumstances. In 2000, several states challenged the law. EPIC argued in an amicus brief that "the Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest." The Supreme Court upheld the law. More recently, EPIC has argued that resellers of driver records should be strictly liable for violations of the law. At issue in the Maracich case is whether records can be disclosed to facilitate attorney solicitations. The Court of Appeals for the Fourth Circuit ruled that the law permits solicitations under the "litigation" exception. For more information, see EPIC: The Drivers' Privacy Protection Act and EPIC: Gordon v. Softech. (Sep. 25, 2012) - EPIC Urges Supreme Court to Uphold Review of Wiretapping Programs
Today EPIC filed an amicus brief with the US Supreme Court in Clapper v. Amnesty International USA, a case challenging the interception of communications of US persons under foreign intelligence surveillance laws. This case presents the issue of constitutional "standing," whether the journalists and human rights organizations who brought the lawsuit can establish an imminent threat or reasonable fear that their communications will be collected. The federal appeals court found in their favor. In urging affirmance, EPIC argued that the capacity of the National Security Agency to intercept private communications combined with the failure to establish meaningful oversight underscores the concern that the interception of private communications would occur. The EPIC brief is supported by 32 legal scholars and technical experts, and six organizations devoted to privacy and open government. For more information, see EPIC: Clapper v. Amnesty, EPIC: Foreign Intelligence Surveillance Act (FISA). (Sep. 24, 2012) - New Government Report Highlights Privacy Risks
A new report from the Government Accountability Office outlines the risks of increased domestic drone use -- "Unmanned Aircraft Systems" -- following adoption of a recent law. The GAO report -- "Measuring Progress and Addressing Potential Privacy Concerns Would Facilitate Integration into the National Airspace System" -- notes widespread concern about privacy. The GAO report found that privacy "concerns include the potential for increased amounts of government surveillance using technologies placed on UAS, the collection and use of such data, and potential violations of constitutional Fourth Amendment protections against unreasonable search and seizures." The report also notes that "non-military unmanned aircraft system GPS signals are unencrypted, risking potential interruption of command and control . . .." Earlier this year, EPIC warned Congress that "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies." EPIC, joined by over 100 organizations, experts, and members of the public, has petitioned the FAA to begin a rule making to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Sep. 24, 2012) - Facebook Ceases Facial Recognition in European Union
The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and ad targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012, EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Sep. 21, 2012) - Pennsylvania to Reconsider Voter ID Law
The Pennsylvania Supreme Court has ruled that a lower court must determine whether the State's strict voter ID law can lawfully be implemented before the national election on November 6. The Supreme Court said that the "disconnect between what the law prescribes and how it is being implemented" raises questions. EPIC has previously argued that voter ID requirements are an impermissible burden on the right to vote. For more information, see EPIC: Voter Photo ID and Privacy and EPIC: Crawford v. Marion County. (Sep. 21, 2012) - Department of Homeland Security Releases 2012 Privacy Report
The Department of Homeland Security released the 2012 Privacy Office Annual Report to Congress. The report describes a social media monitoring policy, and privacy training for fusion center personnel. According to the report, the TSA has still failed to adopt privacy safeguards for whole body image devices. The report is silent on several new DHS-funded initiatives, including the Future Attribute Screening Technology, a Minority Report-like proposal for "pre-crime" detection. The report also notes the expansion of the National Counterterrorism Center's five-year retention policy for records on U.S. Persons that do not contain terrorism information. The Chief Privacy Officer of the DHS is required by law to ensure that new agency programs do not diminish privacy in the United States. For more information, see EPIC: Privacy Report Held Hostage. (Sep. 20, 2012) - Senate Considers Amendment to Weaken Internet Privacy Law
A Senate committee is today considering changes to the Video Privacy Protection Act, a law which safeguards the video viewing records of Internet users. The amendment would allow companies to obtain blanket consent for the use of customer information in the future, whether or not users knew who would receive the information or why it was being disclosed. In testimony before the Senate in January, EPIC strongly opposed the amendment and recommended instead changes that would update the law to provide greater safeguards for Internet users. A federal court recently held that the video law protects the privacy of Hulu subscribers. As the court explained, "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." The amendment is backed by Netflix and various industry lobbyists. For more information, see EPIC: Video Privacy Protection Act. (Sep. 20, 2012) - EPIC Prevails in Mobile Body Scanner FOIA Case
A federal district court has awarded EPIC attorneys' fees and costs in EPIC v. DHS, No. 11-945, a Freedom of Information Act lawsuit that resulted in the disclosure of information about the agency's plan to deploy body scanners at bus stations, train stations, and elsewhere. The court found that EPIC had "substantially prevailed" in the FOIA lawsuit and that "EPIC has demonstrated a public benefit arising from the disclosed records." EPIC has several related FOIA lawsuits concerning new systems of mass surveillance. For more information, see EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit). (Sep. 16, 2012) - House Renews Foreign Intelligence Surveillance Powers
The House has voted to reauthorize the FISA Amendments Act (301-118). The Act authorizes programs of surveillance intended to target foreign agents, but allows collection of private communications of United States citizens without individualized suspicion. In May 2012, EPIC Executive Director Marc Rotenberg testified before the House Judiciary Committee on the legislation and recommended new oversight procedures. The Senate has yet to consider the measure. Senator Ron Wyden (D-OR) and others have expressed concern about renewal of the Act. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA. (Sep. 12, 2012) - EPIC Pursues Body Scanner Case, Files Reply Brief
EPIC has filed a reply brief with the U.S. Court of Appeals for the D.C. Circuit in the airport body scanner case. The case arises from EPIC's Mandamus Petition, seeking to enforce the Court's July 2011 order requiring the DHS to "promptly" begin notice-and-comment rulemaking. EPIC has argued that the agency's ongoing delay is "unreasonable" and that the Court should require the Secretary to begin the rule making or suspend the program. For more information, see: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Sep. 12, 2012) - Rep. Markey Introduces Mobile Privacy Act
Representative Edward Markey (D-MA) introduced "The Mobile Device Privacy Act," a bill that would require companies to disclose the existence of monitoring software to consumers and obtain consent before using this software to collect personal information. The bill, H.R. 6337, would also direct the Federal Trade Commission and the Federal Communications Commission to develop rules implementing the act’s provisions. Recently, EPIC filed comments with the FCC urging the Commission to require mobile carriers to implement comprehensive fair information practices. For more information, see EPIC: Customer Proprietary Network Information and EPIC: Location Privacy. (Sep. 12, 2012) - FTC Finalizes Settlement with Myspace
The Federal Trade Commission has finalized the terms of a settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC commented on the settlement, recommending that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House’s Consumer Privacy Bill of Rights. In response to EPIC’s comments, the FTC decided to accept the proposed settlement without modification but said that “the privacy program mandated under the consent order will require Myspace to address many of the consumer protections discussed in your comment.” For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Sep. 11, 2012) - New Congressional Report Recommends TSA Address Privacy and Health Concerns with Airport Bodyscanners
"Rebuilding TSA into a Smarter, Leaner Organization," a new House Report critiques the Transportation Security Administration for "failing to meet taxpayers' expectations." The report, prepared by the House Committee on Homeland Security, recommends that the TSA sponsor "an independent analysis" of the health risks of body scanners and install privacy filters on all devices. The Report cites the decision in EPIC v. DHS, pointing out that the TSA has failed to abide by the ruling of a federal appeals court to "act promptly" to receive public comments. For more information, see EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC v. TSA - Body Scanner Modifications (ATR). (Sep. 11, 2012) - New CRS Report Finds Few Protections For Drone Surveillance
"Drones in Domestic Surveillance Operations," a new report from the Congressional Research Service, examines current law, the Fourth Amendment, and recently introduced legislation. The CRS finds that "the prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues." In testimony before a House Subcommittee earlier this year, EPIC's Amie Stepanovich stated, "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies that need to be addressed." EPIC recommended that the FAA develop privacy rules, that DHS conduct a privacy assessment, and that Congress establish new privacy safeguards. EPIC, joined by over 100 organizations, experts, and members of the public, has also petitioned the FAA to begin a rulemaking on the privacy impact of drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Sep. 7, 2012) - CPDP 2013 Calls for Papers in Advance of January Conference
The 6th Annual Computers, Privacy and Data Protection Conference has announced a Call for Papers. The conference will take place January 23-25, 2013, in Brussels. Both experienced and junior researchers, as well as Ph.D. candidates, are invited to submit work. The theme of the 2013 CPDP conference is “Reloading Data Protection.” Organizers are particularly interested in papers focusing on technology’s relationship to privacy, data protection, non-discrimination and surveillance. Deadline for submissions is October 19, 2012. EPIC is a participant in CPDP conferences and presents the “EPIC International Champion of Freedom Awards” at CPDP. For more information, see EPIC Champion of Freedom Press Release, EPIC: EU Law, EPIC: Privacy. (Sep. 7, 2012) - Pew Survey Finds Most Mobile Users Avoid Apps Due to Privacy Concerns
A survey by the Pew Research Center found that the majority of mobile phone users have uninstalled or avoided apps due to privacy concerns. According to the report, 54% of mobile users have decided to not install an app after discovering the amount of information it collects, and 30% of mobile users uninstalled an app after discovering that it was collecting personal information that they didn’t wish to share. Owners of Android and iPhone devices are also equally likely to delete (or avoid entirely) cell phone apps due to concerns over their personal information. Younger cellphone users were also twice as likely as older users to report that "someone has accessed phone in a way that felt like privacy invasion." This poll follows another survey by Pew that found that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 5, 2012) - U.S. Consumer Groups Endorse Proposed European Privacy Law
In a letter to members of the European Parliament, over twenty U.S. consumer organizations expressed support for the new European data protection law. The coalition, including Consumers Union, Consumer Federation of America, and Public Citizen, said that the proposed regulation "provides important new protections for the privacy and security of consumers." The groups also explained that the European effort will raise privacy standards for consumers in other parts of the world. The European Union privacy regulation is a comprehensive update of the 1995 EU Data Protection Directive and adopts innovative new approaches to privacy protection, such as "Privacy by Design." BEUC, the association of European consumer groups, has also expressed support for the new law. For more information, see EPIC: EU Data Protection Directive. (Sep. 5, 2012) - 2012 Democrat Platform Endorses Internet Privacy
The 2012 Democratic National Platform supports the administration’s Internet Privacy Bill of Rights to protect consumer privacy. Separate provisions in the platform call for privacy protections for broadband deployment, intellectual property enforcement, and cybersecurity laws; the Democratic platform opposes voter identification laws. However, the platform is silent on the Fourth Amendment, and retreats from the 2008 Democratic platform that opposed surveillance of individuals that were not suspected of a crime. In 2008, Candidate Obama promised to "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." The 2012 Republican Platform was released last week. The Libertarian and Green Party platforms are also available. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Voter Photo ID and Privacy, EPIC: National Security Letters, and EPIC: Cybersecurity Privacy Practical Implications. (Sep. 4, 2012) - EPIC Airport Body Scanner Case: TSA Defies Court, Seeks More Delay
The TSA has responded to EPIC's recent motion about the airport body scanner program. Citing the agency's extraordinary delay in seeking public comment on the controversial program, EPIC urged the court in Washington, DC to require the TSA to begin the comment process in 60 days or suspend the program. In its response to EPIC, the TSA claims that the earliest possible date it could "finalize documents" before even starting the public comment process would be "the end of February 2013." EPIC filed the motion a year after the federal agency was ordered by the D.C. Circuit Court to "promptly" begin a public rulemaking and more than three years after a coalition of organizations petitioned Secretary Napolitano to begin the rulemaking. A group of organizations, led by the Competitive Enterprise Institute, has filed an amicus brief in support of EPIC. EPIC will file a reply to the TSA on September 10. For more information, see EPIC v. DHS (Suspension of Body Scanner Program). (Aug. 31, 2012) - Federal Appellate Court Strikes Down Texas Voter ID Law
The D.C. Circuit Court of Appeals has invalidated a Texas law that would require voters to present a photo identification in order to vote. Calling the law “the most stringent in the country,” the court held that “record evidence suggests that [the law], if implemented, would in fact have a retrogressive effect on Hispanic and African American voters.” Therefore, the court held, the law violates section 5 of the Voting Rights Act of 1965. Section 5 requires “covered jurisdictions” to show that new voting procedures, such as Voter ID requirements, are nondiscriminatory before those changes can be put into effect. The ruling came after the Department of Justice previously blocked the law through the Section 5 preclearance process. EPIC has argued that unreasonable voter ID requirements are an impermissible burden on the right to vote. For more information, see EPIC: Voter Photo ID and Privacy and EPIC: Crawford v. Marion County. (Aug. 30, 2012) - EPIC Supreme Court Brief: Investigative Techniques are Not Infallible
EPIC has filed an amicus brief with the US Supreme Court, arguing that new "investigative techniques should be subject to close scrutiny by the courts." EPIC submitted the brief in Florida v. Harris, a case involving a car search in response to an "alert" by a drug detection dog. The Florida Supreme Court held that a law enforcement agent relying on such an "alert" must produce evidence to support the reliability of the detection technique. Filing in support of the Florida decision, EPIC argued that new investigative techniques, such as terahertz scanners, airport body scanners, and digital intercept devices, raise similar concerns about reliability. EPIC described a growing consensus among legal scholars and technical experts about the need to improve the reliability of many forensic techniques. "The 'perfect search,'" EPIC wrote, "like the 'infallible dog,' is a null set." For more information, see EPIC: Florida v. Harris and EPIC: Florida v. Jardines. (Aug. 30, 2012) - EPIC and Others Ask Supreme Court to Review Controversial State FOI Law
EPIC, and several other leading open government organizations, have filed an amicus brief in support of a petition for Supreme Court review challenging the Virginia Freedom of Information law, which allows only Virginia residents and news media representatives to access state public records. The amicus brief argues that Virginia's "citizens-only" provision is constitutionally impermissible as it unnecessarily burdens the rights of individuals and organizations outside of Virginia. This case is of particular interest to EPIC because state FOI laws are often necessary for oversight of new surveillance programs. In 2008, EPIC brought a successful FOIA lawsuit in Virginia and obtained documents revealing an agreement to limit oversight of a State Fusion Center. For more information, see EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill. (Aug. 30, 2012) - 2012 Republican Platform Addresses Privacy and Government Surveillance
The 2012 Republican Party Platform calls for strong Constitutional protections for privacy and new safeguards for personal data held by businesses. "We will ensure that personal data receives full constitutional protection from government overreach and that individuals retain the right to control the use of their data by third parties," the platform states. The platform also criticizes TSA screening procedures and calls for warrant requirements for most law enforcement-operated drones. However, other provisions endorse voter identification laws and increased disclosure of personal information to the government for cyber security. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Whole Body Imaging Technology and Body Scanners, EPIC: Unmanned Aerial Vehicles (UAVs) and Drones, EPIC: Voter Photo ID and Privacy, and EPIC: Cybersecurity Privacy Practical Implications. (Aug. 29, 2012) - Republican Party Seeks To Limit Drone Surveillance
The 2012 Republican Party Platform advocates Fourth Amendment limits on government drones. “We support pending legislation to prevent unwarranted or unreasonable governmental intrusion through the use of aerial surveillance or flyovers on U.S. soil, with the exception of patrolling our national borders.” Senator Rand Paul (R-KY) and Representative Austin Scott (R-GA) introduced legislation earlier this year to limit aerial drone surveillance. In March, the House approved an amendment to the National Defense Authorization Act of 2013, introduced by Representative Landry (R-LA), that prohibits information collected without a warrant by drones operated by the Department of Defense from being used in court. Congressman Ed Markey (D-MA) has also proposed comprehensive legislation for drones. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Aug. 28, 2012) - German Consumer Group Says Facebook App Center Violates Privacy
The Federation of German Consumer Organizations has alleged that Facebook’s App Center violates German law. The App Center does not provide a complete disclosure of the purposes for which apps collect data, and therefore does not provide for the informed consent required by law. The group says it will consider legal action if Facebook does not correct the problem by September 4. The allegations follow repeated requests by German data protection officials that Facebook disable its facial recognition software. Recently, the Federal Trade Commission finalized a settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. In response to a dissent by Commissioner Rosch, the FTC clarified that “Facebook will be liable for conduct by apps that contradicts Facebook’s promises about the privacy or security practices of these apps.” For more information, see EPIC: In re Facebook. (Aug. 28, 2012) - Supreme Court Upholds, for the Moment, Controversial State DNA Law
Chief Justice Roberts has granted a preliminary stay of a decision by the Maryland Supreme Court, which would have invalidated that state's new DNA collection law. The Maryland Court ruled in April that the warrantless collection of DNA from an arrestee constituted an unreasonable search. Justice Roberts wrote that there was a "reasonable probability" that the Court would agree to review the case and that the state would suffer irreparable harm if the law is invalidated in the interim. EPIC filed amicus briefs in several DNA privacy cases, including United States v. Pool (2011), Kohler v. Englade (2006), and Maryland v. Raines (2003). For more information, see EPIC: DNA Act and EPIC: Genetic Privacy. (Aug. 22, 2012) - European Consumer Organizations Back New EU Privacy Effort
BEUC, the association of European consumer organizations, has published a Position Paper on Data Protection supporting a new European Union privacy initiative. BEUC states that the proposed Privacy Regulation "addresses the main challenges and the shortcomings of the current framework with the aim of enhancing the rights of data subjects and restoring control over the processing of their own personal data," but BEUC cautions that "several provisions still need to be clarified to ensure the EU framework is effective and becomes the global standard for data protection." The Trans Atlantic Consumer Dialogue, a coalition of US and European consumer groups, has also expressed support for the EU initiative. For more information, see EPIC: EU Data Protection Directive. (Aug. 22, 2012) - EPIC Supports Moratorium on RFID Student Tracking
EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civil liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology "designed to monitor physical objects," such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the "e-Passport," to address privacy and security concerns. For more information, see EPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy. (Aug. 21, 2012) - Judge Rejects Settlement in Facebook "Sponsored Stories" Case
A federal judge has rejected a proposed settlement in a class-action lawsuit about Facebook's unapproved use of user images for advertising purposes. The judge, who had previously expressed skepticism about the terms of the settlement, wrote that the plaintiffs had not justified the lack of direct monetary payments to Facebook users, nor had they explained how users will receive an economic benefit from being able to opt out of future endorsements. EPIC and several consumer privacy organizations opposed the settlement, saying that there was little benefit to Facebook users and that the cy pres allocation was not aligned with the interests of the class. In 2009 and 2010 EPIC and a coalition of consumer privacy organizations brought a successful complaint to the Federal Trade Commission that resulted in a significant consent order. In a letter to the court following the recent court order, EPIC explained that the FTC settlement had produced far greater benefits for Facebook users. For more information, see EPIC: In re Facebook. (Aug. 21, 2012) - Federal Court Applies Video Privacy Law to Streaming Services
A federal court recently held that the Video Privacy Protection Act applied to companies that provide video streaming services over the Internet. The opinion, which is the first to address the issue, relies on the forward-looking nature of the law, reasoning that "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." EPIC previously testified before the Senate Judiciary Committee and recommended several ways that Congress could strengthen the Act, such as by confirming that it applies to streaming services and allowing users to inspect the information that video providers collect about them. The Senate is considering an amendment that would weaken the consent provision of the law by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records. For more information, see EPIC: Video Privacy Protection. (Aug. 20, 2012) - Government Standard for Vehicle "Event Data Recorders" Will Go Forward
The National Highway Traffic Safety Administration has denied a petition for rulemaking that would delay the effective date of national requirements for event data recorders. The government requirements for the devices that are installed in vehicles will be effective on September 1, 2012. Commonly referred to as "black boxes," event data recorders collect and store vehicle operation information before, during, and after a vehicle crash, including vehicle location, driver speed, seat belt use, and number of vehicle occupants. In 2003 and 2004, EPIC urged the agency and the automotive industry to protect privacy interests when deploying event data recorders. For more information on driver privacy, see EPIC: The Drivers Privacy Protection Act. (Aug. 17, 2012) - EPIC FOIA - Documents Shed Further Light on Homeland Security Pursuit of Crowd Surveillance
New documents obtained by EPIC under the Freedom of Information Act provide further details on a DHS plan to use multiple surveillance technologies to search people in public spaces. Previous EPIC FOIA work produced records about a similar DHS program, which the government agency subsequently claimed it had cancelled. However, the new documents obtained by EPIC show that the DHS was still pursuing mobile crowd surveillance as recently as 2011. The technologies include "intelligent video," backscatter x-ray, Millimeter Wave Radar, and Terahertz Wave, and could be deployed at subway platforms, sidewalks, sports arenas, and shopping malls. For more information, see EPIC: EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit) and EPIC: Electronic Frisking. (Aug. 16, 2012) - EPIC: Voters Should Be Wary of 2012 Election Apps
EPIC has released a report, "Smartphones and the 2012 Election," which focuses on the potential risks to voters who download election-related apps to their smartphones and tablets. The report contends that these apps promote greater citizen participation in e-democracy, but also may contain malware, disseminate false information A recent study by the University of Pennsylvania's Annenberg School for Communication revealed that voters are ambivalent about "personalized" political advertising, a practice likely to increase with the number of election and political apps available for download. EPIC's report also examines the role of federal and state regulation in protecting voters and providing guidance to campaigns, and recommends actions that voters, election administrators, and campaigns can take to better protect voter privacy. For more information, see EPIC: Voting Privacy and EPIC: Location Privacy: Apple iPhone / iPad. (Aug. 13, 2012) - FTC Finalizes Settlement with Facebook
The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Aug. 10, 2012) - White House Pulls Down TSA Petition
At approximately 11:30 am EDT, the White House removed a petition about the TSA airport screening procedures from the White House "We the People" website. About 22,500 of the 25,000 signatures necessary for a response from the Administration were obtained when the White House unexpectedly cut short the time period for the petition. The site also went down for "maintenance" following an article in Wired that sought support for the campaign. (Aug. 9, 2012) - Federal Appeals Court Holds that Driver's Privacy Law Applies to Parking Tickets
The Seventh Circuit Court of Appeals held that a federal driver’s privacy law prevented a Chicago suburb from issuing tickets that contained the driver's name, address, driver's license number, date of birth, height and weight. The Driver's Privacy Protection Act is a federal law passed after a California actress was murdered by a stalker who obtained personal information from the state department of motor vehicles. EPIC recently filed a "friend of the court" brief arguing that resellers of state driver records should be strictly liable under the Act. For more information, see EPIC: Driver’s Privacy. (Aug. 9, 2012) - FTC Fines Google $22.5 Million for Privacy Violations
The Federal Trade Commission fined Google $22.5 million for violating the terms of a settlement reached with the company last year. Google violated the settlement by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The settlement prohibits Google from misrepresenting the extent to which it maintains the privacy and security of personal information, and requires the company to submit to independent privacy audits for the next 20 years. The settlement follows from a complaint filed by EPIC over Google Buzz, the social network service launched in early 2010. Google recently consolidated user data across its products and services, prompting objections from European data protection authorities, state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Aug. 9, 2012) - Department of Homeland Security Limits E-Verify Data and Disclosures
The Department of Homeland Security has issued a Privacy Act system of records notice for the E-Verify Program. E-Verify is a government records system that informs employers about the citizenship status of current and prospective employees. The database contains detailed personal information including names, dates of birth, Social Security numbers, and citizenship status for all individuals subject to review. This Privacy Act notice minimizes the information that the agency will collect, and also limits the agency's ability to disclose personal information to outside entities. Last year EPIC, along with a coalition of privacy, consumer rights, and civil rights organizations, encouraged DHS to strengthen privacy and security safeguards for E-Verify. For more information, see EPIC: E-Verify and Privacy. (Aug. 9, 2012) - Government Accountability Office Recommends Updating Federal Privacy Laws
The Government Accountability Office issued a report finding that technological changes since the passage of the Privacy Act in 1974 require changing the law in order to adequately protect the privacy and security of personal information. Specifically, the report recommended applying Privacy Act protections to all federal collection of information, strengthening limitations on the use of information, and establishing more effective methods of notifying the public about data collection practices. Recently, EPIC recommended that the Privacy Act explicitly define “actual damages” to include provable mental and emotional distress. EPIC also pointed out that the proposed circumstances under which agencies can disclose personal information should be narrowly tailored, and that individuals should have sufficient warning of government security breaches affecting personal information. EPIC's letters follow a request from Senator Daniel Akaka (D-HI) for comment on S.1732, the Privacy Act Modernization for the Information Age Act of 2011. For more information, see EPIC: Privacy Act and EPIC: FAA v. Cooper. (Aug. 8, 2012) - White House TSA Petition Passes 20,000 Signatures
A petition, posted at the White House website "We The People," urging the Transportation Security Agency to "Follow the Law!" has received more than 20,000 signatures. If 25,000 people sign the petition before August 9, 2012, the White House will respond. The petition asks President Obama to force the Transportation Security Administration to begin the public comment process on the controversial airport body scanner program, as the agency was ordered to do by a federal court more than a year ago. For more information see EPIC v. DHS (Suspension of Body Scanners). (Aug. 7, 2012) - Senate Confirms Four Members of the Privacy Civil Liberties Oversight Board
The Senate voted late Thursday to confirm four nominees to the Privacy and Civil Liberties Oversight Board before its summer recess. The Board was created by Congress in 2004, at the recommendation of the 9/11 Commission, to advise the President and other senior executive branch officials and ensure that privacy and civil liberties are protected as laws, regulations, and executive branch policies are implemented. It was reconstituted as an independent agency in 2007, but since then Congress has failed to confirm all five members of the board. After yesterday's confirmations the Board can "do work," but it cannot hire staff until the Senate confirms its Chairman. For more information, see EPIC: Privacy Oversight and EPIC: The Sui Generis Privacy Agency. (Aug. 3, 2012) - Federal Court to Hear Arguments in Cell Phone Tracking Case
The Court of Appeals for the Fifth Circuit has tentatively scheduled oral argument in the first week of October for a current case, In re US Application for Historic Cell-Site Location Information, addressing whether the Fourth Amendment allows the Government to force disclosure of historical cell phone location records without a warrant. EPIC filed an amicus brief in this case, arguing that cell phone location records reveal private information and should be protected even if they are held by third party cell phone companies. For more information, see EPIC: In re Historic Cell-Site Location Information and EPIC: Location Privacy. (Aug. 3, 2012) - Judge Skeptical of Facebook Settlement
At a preliminary hearing on a proposed settlement involving Facebook "sponsored stories," Judge Seeborg expressed skepticism about the deal, wondering if there was any actual benefit to Facebook users. The deal, which had been endorsed by some groups funded by Facebook, was opposed by EPIC and several consumer privacy organizations. In 2009, EPIC and a coalition of consumer privacy organizations brought a successful complaint to the FTC that resulted in a significant consent order. For more information, see In re Facebook. (Aug. 3, 2012) - Illinois Becomes Third State to Prohibit Employers from Demanding Facebook Information
Illinois Governor Pat Quinn has signed a bill that will prohibit employers from seeking the social network usernames and passwords of others. The Right to Privacy in the Workplace Act takes effect on January 1, 2013, and will result in Illinois joining Maryland and Delaware as the third state that protects the social network privacy of employees and job applicants. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy. (Aug. 2, 2012) - EPIC Files Lawsuit for Details of ODNI Plan to Amass Data on Americans
EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence for details of the agency’s plan to gather personal data from across the federal government. The ODNI is the top intelligence agency in the United States, coordinating the activities of the CIA, the FBI, the DHS, and others. Under revised guidelines, the ODNI plans to obtain and integrate databases containing detailed personal information from across the federal government. The data will be kept for up to five years without the legal safeguards typically in place for personal data held by government agencies. EPIC's lawsuit asks the agency to disclose the procedures it has established to safeguard privacy rights. For more information see: EPIC: Open Government. (Aug. 2, 2012) - Markey Bill Would Limit Drone Surveillance
Representative Ed Markey (D-MA) has announced a bill aimed at protecting individual privacy from drone surveillance. Rep. Markey said, "When it comes to privacy protections for the American people, drones are flying blind." The draft bill requires the FAA to establish privacy safeguards for drone operators and creates new limits on data collection by law enforcement agencies. Earlier this year, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned FAA to begin a rulemaking on the privacy impact of drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Aug. 1, 2012) - FTC Proposes Additional Changes to Children’s Online Privacy Rule
The Federal Trade Commission proposed additional changes to the Children's Online Privacy Protection Act Rule. The revised rule would clarify that operators of websites who choose to use advertising services and plug-ins that collect data about children would have to comply with COPPA. The rule would also allow mixed-audience websites to age-screen visitors, and would clarify the circumstances in which persistent identifiers such as cookies or IP addresses are considered "personal information." The revisions modify an earlier rule that was proposed by the FTC in September 2011. EPIC commented on the September 2011 rule, noting that "the proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Aug. 1, 2012) - Court Orders Homeland Security to Answer EPIC's Petition
The US Court of Appeals for the DC Circuit has ordered the DHS to respond to EPIC's mandamus petition to "enforce the court's mandate" by August 30. EPIC filed the "extraordinary writ" after a year had passed since the federal agency was ordered to begin a public rulemaking on the controversial airport body scanner program. A coalition of organizations, led by the Competitive Enterprise Institute, has filed an amicus brief in support of the EPIC petition and a separate petition to the White House has gathered more than 16,000 signatures. For more information, see EPIC v. DHS (suspension of airport body scanners). (Aug. 1, 2012) - Senate Committee Considers Updates to Federal Privacy Act
The Senate Oversight of Government Management Subcommittee held a hearing today on "The State of Federal Privacy and Data Security Law: Lagging Behind the Times?" The hearing focused on S.1732, the Privacy Act Modernization for the Information Age Act of 2011, and S.3414, an amendment to the Cybersecurity Act of 2012, introduced by Senator Daniel Akaka (D-HI). Both measures would strengthen privacy protections for personal information collected by government agencies. Senate witnesses agreed that after the Supreme Court decision in FAA v. Cooper, the Privacy Act should be amended to compensate individuals for provable, nonpecuniary harms. EPIC has made several recommendations to update the federal privacy law and also warned about the deployment of new agency profiling systems. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System. (Jul. 31, 2012) - EPIC Urges Education Department to Protect Student Privacy
EPIC has submitted comments to the Education Department, recommending the agency collect only "relevant and necessary" student information when it undertakes educational studies. The agency's Institute of Education Sciences has proposed a "Study of Promising Features of Teacher Preparation Programs" to help assess teacher effectiveness. The new database will contain records on "approximately 5,000 students and 360 teachers." EPIC urged the agency to only collect student data germane to teacher effectiveness, such as test scores, and opposed the agency's collection of detailed student information such as actual name and "disciplinary incidences." Earlier this year, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 31, 2012) - Senate Amendment Would Weaken Video Privacy Act
The Senate is considering an amendment that would weaken the consent provision of the Video Privacy Protection Act by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records. EPIC previously testified before the Senate Judiciary Committee and recommended that Congress strengthen the consumer privacy law by giving users access to the information collected about them, by extending the scope of coverage, and by increasing the penalties for violations of the law. For more information, see EPIC: Video Privacy Protection. (Jul. 30, 2012) - Franken Amendment Seeks to Protect Cybersecurity Privacy
The Senate is expected to consider the Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitor Internet users and turn information over to the government. An amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC recommended to the Senate that the Freedom of Information Act limitation be removed. For more information, see EPIC: Cybersecurity Privacy Practical Implications. (Jul. 30, 2012) - US Pushes Forward Flawed International Privacy Framework
The United States is the lone signatory for the Asia-Pacific Economic Cooperation’s Cross Border Privacy Rules. The APEC Cross Border Privacy Rules set out a self-regulatory framework for the transfer of personal data across national borders. APEC is an inter-governmental organization with 21 member economies that promotes business and trade in the Asia-Pacific region. APEC established a Privacy Framework in 2004 that is generally considered among the weakest privacy frameworks in the world. In 2006, EPIC and a coalition of consumer groups submitted comments to the Department of Commerce detailing the shortcomings of the APEC framework and recommending stronger safeguards for consumers. For more information, see EPIC: International Privacy Standards and EPIC: APEC Privacy Framework. (Jul. 30, 2012) - London Olympics Underway, Privacy Issues Loom
Olympic organizers have stepped up the use of surveillance and identification technologies at the London 2012 games. Body scanners have been installed at entrances to Hyde Park and Victoria Park. IOC members, VIP guests, and staff will carry RFID-enabled identity documents. One commentator has noted that even the Olympic Mascot has "A Huge Camera Eye That 'Records Everything.'" For more information, see EPIC, Privacy and the 2008 Olympic Summer Games and London 2012, Privacy Policy. (Jul. 27, 2012) - In UK, Google Admits It Retains Street View Data
In a letter to the UK Information Commissioner, Google has admitted it retained payload data improperly collected by Street View vehicles. Google had promised earlier it would delete the data. The UK privacy agency has now demanded that Google turn over the payload data for examination and forensic analysis. EPIC recently filed an amicus brief in a US federal appeals court, arguing that Google Street View violated federal wiretap law. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (Jul. 27, 2012) - Voters Wary of Individually-Tailored Political Ads
A report by the Annenberg School for Communication at the University of Pennsylvania found that 86 percent of voters did not want political campaigns to tailor advertisements based on their interests. This percentage is higher than the percentage of respondents who reject other tailored advertisements (61%) or tailored news (56%). Significantly, a majority of respondents also reported that they would be less likely to vote for candidates that targeted them with tailored ads. For more information, see EPIC: Voter Privacy and EPIC: Public Opinion and Privacy. (Jul. 24, 2012) - White House TSA Petition Passes 15,000
A petition posted at the White House website "We the People" urging the Transportation Security Agency to "Follow the Law!" has received more than 15,000 signatures. If 25,000 people sign the petition before August 9, 2012, the White House will respond. The petition asks President Obama to force the TSA to begin the public comment process on the controversial airport body scanner program, as the agency was ordered to do by a federal court more than a year ago. For more information see EPIC v. DHS (suspension of airport body scanners). (Jul. 23, 2012) - Second Wisconsin Judge Strikes Down State Voter ID Law
In a second challenge to Wisconsin's voter ID requirement, Judge David Flanagan has held that the ID law imposes an unconstitutional burden on the right to vote. The law "tells more than 300,000 Wisconsin voters who do not now have an acceptable form of photo identification that they cannot vote unless they first obtain a photo ID card," wrote Judge Flanagan. The opinion follows a similar ruling earlier this year by Wisconsin judge Richard Niess. For more information, see EPIC: Voter Photo ID and Privacy and EPIC: Crawford v. Marion County. (Jul. 23, 2012) - FISA Reform Proposal Moves Forward in Senate
The Senate Judiciary Committee has approved a bill that would establish new safeguards for the Foreign Intelligence Surveillance Amendments Act. The Act provides for court approval of 'programs of surveillance' that allow for the collection of communications of US citizens. The bill, sponsored by Senator Patrick Leahy (D-VT), would renew the Act but also establish new reporting requirements to improve government accountability. In May 2012, EPIC Executive Director Marc Rotenberg testified before the House Judiciary Committee, and recommended increased oversight and reporting. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA. (Jul. 20, 2012) - EPIC Demands Evidence of TSA Body Scanner Rulemaking
EPIC has submitted a Freedom of Information Act request to the TSA, seeking documents about whether the agency actually intends to give the public the opportunity to comment on the controversial body scanner program. One year has passed since the D.C. Circuit Court of Appeals ordered the agency to "act promptly" and undertake a public notice-and-comment rulemaking. The agency has not done so but claims to be working on it. In a separate Petition for Mandamus EPIC asked the Court to require the agency to issue a proposed rule within 60 days or suspend the program. For more information, see EPIC v. DHS (airport body scanners). (Jul. 19, 2012) - EPIC Asks Congress to Adopt Privacy Safeguards for Drones
Today's House Homeland Security Oversight Subcommittee hearing, "Using Unmanned Aerial Systems Within the Homeland: Security Game Changer?" examined federal use of drones in the United States. University of Texas Professor Todd Humphreys testified about how he gained full flight control of a drone operated by someone else. On the second panel, EPIC's Amie Stepanovich testified on the privacy implications of domestic drone use, alongside Gerald Dillingham and Chief Deputy William McDaniel. In February, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned FAA to begin a rulemaking on the privacy impact of drone use. The Agency has not yet responded to the EPIC Petition or addressed privacy concerns. EPIC recommended that the FAA develop privacy rules, that DHS conduct a privacy assessment, and that Congress establish new privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Jul. 19, 2012) - EPIC Recommends Protections for Use of Commercial Facial Recognition Technology
In a statement for the record, EPIC called on the Senate Subcommittee on Privacy, Technology, and the Law to protect the ability of individuals to control the disclosure of their identity. The hearing on "What Facial Recognition Technology Means for Privacy and Civil Liberties" will feature witnesses from the government, private companies, and academia. EPIC recommended that Fair Information Practices ("FIP") be enforced against companies that collect facial recognition data. These legal obligations would include limitations on collection, use, and retention of the data, informed consent, security, accessibility, and accountability. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques." For more information, see EPIC: Facial Recognition. (Jul. 18, 2012) - EPIC Files Mandamus Petition to Compel Action on the Airport Body Scanner Program
EPIC has filed a mandamus petition with the Federal Court of Appeals in Washington, DC to require the beginning of a public comment process on the controversial airport body scanner program. One year has passed since the Court ordered the Department of Homeland Security to "act promptly" to undertake the action demanded by EPIC, but the agency has taken no action. In the petition, EPIC said that the agency's delay poses risks to travelers, defies the Court's authority, and is unlawful. EPIC asked the court to require that the federal agency receive public comments within 60 days or that it suspend the program. (Mandamus Appendix). For more information, see EPIC v. DHS (airport body scanners). (Jul. 17, 2012) - EPIC Calls on FCC to Require Mobile Phone Carriers to Protect Privacy
EPIC, joined by Consumer Watchdog, submitted comments to the Federal Communications Commission on the privacy and security of information stored on mobile phones. The comments discussed the various privacy risks created by the business practices of many carriers, and recommended that the FCC require mobile carriers to implement comprehensive privacy and security protections based on Fair Information Practices. EPIC previously wrote to the FCC in 2007 to call for increased protections for customers' Customer Proprietary Network Information, and in 2001 to urge the FCC to establish fair location information practices. For more information, see EPIC: Customer Proprietary Network Information and EPIC: Location Privacy. (Jul. 17, 2012) - EPIC Objects to Facebook Settlement, Cites Failure to Benefit Class Members
EPIC has asked a federal judge to reject a pending class action settlement concerning Facebook, stating that it does not actually benefit Facebook users. In one letter to the court, EPIC explained that the settlement does not fix the problem with "Sponsored Stories." In a second letter, joined by consumer, privacy, and academic organizations, EPIC said that "cy pres" funds should be distributed according to objective criteria, as courts have done in other similar cases. (Cy pres allows courts to allocate funds in class action settlements.) In 2009, EPIC led a coalition of consumer and privacy organizations that was responsible for the FTC's privacy settlement with Facebook. And EPIC has routinely represented the interests of Facebook users. For more information, see EPIC: Facebook Privacy. (Jul. 13, 2012) - EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services
EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (Jul. 11, 2012) - EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program
EPIC has submitted comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats." This is similar to a controversial provision in the Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remains voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conducts annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship). (Jul. 11, 2012) - Law Enforcement Requests to Wireless Carriers Topped 1.3 Million in 2011
In response to recent letters from Congressman Ed Markey (D-MA), nine mobile wireless carriers have provided detailed reports of law enforcement requests for user cell phone records. These requests come from agencies - across all levels of government - seeking text messages, caller locations, and other information in the course of investigations. The reports show that companies turn over thousands of records a day in response to subpoenas, court orders, police emergencies, and other requests. The volume of requests has increased as much as 16 percent for some companies over the last five years, and some carriers have rejected as many as 15 percent of all requests that they found legally questionable or unjustified. EPIC recently filed amicus briefs in the Fifth Circuit and New Jersey Supreme Court arguing that disclosure of historical and real-time cell phone location information violates a reasonable expectation of privacy and thus requires a warrant under the Fourth Amendment. For more information, see EPIC: In re Historic Cell-Site Location Information, EPIC: State v. Earls. (Jul. 9, 2012) - Executive Order Grants Authority to Seize Private Communications Facilities
The White House has released a new Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, Congress abandoned the proposal. For more information, see EPIC: Cybersecurity Privacy Practical Implications. (Jul. 9, 2012) - Industry Association Publishes Guidelines for Drone Operators
The Association for Unmanned Vehicle Systems International, the organization representing drone manufacturers and operators, has released an Industry "Code of Conduct". Compliance with the guidelines is both voluntary and not enforceable. The association acknowledges that invasive drone surveillance technology poses a risk to the public, and specifically tasked users to "respect the privacy of individuals." In February, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in U.S. airspace. The Agency has not yet responded or addressed these concerns. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Jul. 6, 2012) - Court Orders Twitter to Disclose User Records, Denies User's Ability to Challenge Order
A New York judge has ordered Twitter to turn over user data for an Occupy Wall Street protester. The user challenged the order under the Twitter terms of service, but the court ruled that the user had no standing. EPIC recently filed a "friend of the court" brief arguing that users of cell phone services have a reasonable expectation of privacy in their location records, which are subject to the same disclosure rules as Twitter data. For more information, see EPIC: In re Twitter Order Pursuant to 2703(d), EPIC: In re Historic Cell-Site Location Information. (Jul. 3, 2012) - 2011 Report: Wiretap Authorizations Decrease
According to the 2011 Wiretap Report, released by the Administrative Office of the US Courts, federal and state applications for wiretap orders dropped 14 percent in 2011, compared to the number reported in 2010. The reduction in wiretaps resulted primarily from a drop in applications for intercepts in narcotics offenses. In 2011, a total of 2,732 intercept applications were authorized by federal and state courts, with 792 applications by federal authorities and 1,940 by the states. In 2011, 98 percent, or 2,674, of all authorized wiretaps were designated as portable devices. The Wiretap Report does not include interceptions pursuant to the Foreign Intelligence Surveillance Act of 1978. For more information see: EPIC: Wiretapping and Administrative Office of the US Courts: Wiretap Reports. (Jul. 3, 2012) - European Expert Group Affirms Privacy Rules for Cloud Service Providers
The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing. (Jul. 3, 2012) - Administration Releases More Details on Privacy Multistakeholder Meeting
The National Telecommunications and Information Administration published a notice with new information about the privacy multistakeholder process. The purpose of the initiative is to implement the White House Consumer Privacy Bill of Rights; the first meeting will focus on mobile applications. The meeting will be held on Thursday, July 12 at the Department of Commerce. However, there will be limited opportunity for those outside of Washington, DC to participate in the "multistakeholder" meeting. In previous comments to the agency, EPIC said that the Administrative Procedure Act, a well established legal framework for soliciting public comment, is a better and more transparent way to produce a meaningful outcome. For more information, see EPIC: NTIA Multistakeholder Process. (Jun. 28, 2012) - Homeland Security Seeking Applicants to Join Privacy Board
The Department of Homeland Security has announced that it is seeking applicants for the Data Privacy and Integrity Advisory Committee. The Committee was established to advise the agency on issues related to personally identifiable information, data integrity, and other privacy-related matters. The agency has a mandate from Congress to ensure that its programs "do not erode privacy protections" and to ensure that personal information is "handled in full compliance with fair information practices as set out in the Privacy Act of 1974." For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy and EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 28, 2012) - Supreme Court Dismisses Challenge to Congress's Ability to Define Harm
The Supreme Court today dismissed First American v. Edwards, a challenge to the ability of plaintiffs to sue for a violation of statutory rights established by Congress. The lower court ruled that the plaintiffs had standing because "[t]he injury required by Article III can exist solely by virtue of statutes creating legal rights, . . .." The Supreme Court held that its decision to review the case was "improvidently granted," which means that the lower court opinion stands. EPIC filed a "friend of the court" brief, responding to briefs from several prominent Internet companies that supported the challenge. EPIC argued that Congress must maintain the power to define injuries and provide remedies, and that this was particularly important for privacy protection. For more information, see EPIC: First American v. Edwards. (Jun. 28, 2012) - EPIC Calls On FTC to Investigate Facebook Email Changes
EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently replaced email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Jun. 27, 2012) - Senate Judiciary Holds Hearing on Voter Suppressions
The Senate Judiciary Committee held a hearing on “Prohibiting the Use of Deceptive Practices and Voter Intimidation Tactics in Federal Elections." The Senate is considering new legislation to address the problem of deceptive practices and voter intimidation. Committee Chairman Patrick Leahy cited "burdensome identification laws" as one of the obstacles to public participation in federal elections. A new report highlights similar problems in the recent Canadian national election. EPIC has published reports on deceptive campaign practices and filed briefs in opposition to unnecessary voter ID requirements. For more information see EPIC Voting Privacy and EPIC - Crawford v. Marion County. (Jun. 27, 2012) - Supreme Court Says Federal Immigration Law Trumps Arizona Law, But Upholds Narrow Application of "Papers Please" Provision
In Arizona v. United States, the Supreme Court invalidated much of SB 1070, the controversial Arizona state law. However, the Court upheld a new identification requirement though cautioned that it could be subject to preemption and constitutional challenges after it goes into effect. The provision allows state officers to make a "reasonable attempt" to determine immigration status during the course of "an authorized, lawful detention." Justice Kennedy, writing for the Court, cautioned that the provision might "raise constitutional concerns" as applied, but said that the law "could be read to avoid these concerns." EPIC argued in Hiibel v. Sixth Judicial District Court of Nevada that "stop and identify" statutes are unconstitutional. The Supreme Court upheld the state law in that case in a 5-4 opinion by Justice Kennedy. For more information, see: EPIC: Hiibel v. Sixth Judicial District Court of Nevada and EPIC: Your Papers, Please. (Jun. 25, 2012) - National Association of Attorneys General to Focus on "Privacy in Digital Age"
The National Association of Attorneys General has elected Maryland Attorney General Doug Gansler president during its summer meeting. Gansler announced a new initiative for the organization -- "Privacy in the Digital Age" -- that will “bring the energy and legal weight of this organization to investigate, educate and take necessary steps to ensure that the Internet’s major players protect the privacy of online consumers while balancing their legitimate business interest.” Recently AG Gansler met with consumer and privacy advocates at a meeting hosted by the Privacy Coalition. And earlier this year, the organization sent a letter asking Google for a meeting to discuss the company’s plans to consolidate the personal information of users of Google’s products and services. For more information, see EPIC: Google Consent Order and EPIC: Privacy Preemption Watch. (Jun. 22, 2012) - EPIC Calls for Suspension of Homeland Security's "Risk-based" Profiling System
EPIC submitted comments to Customs and Border Protection, a component of the Department of Homeland Security, urging the agency to suspend the Automated Targeting System. Although the System was initially created to screen shipping cargo, the agency now monitors individuals, and creates "risk-assessment" profiles on Americans who are not suspected of any crime. The agency makes determinations about individuals based on such factors as race, ethnicity, and gender. The agency even collects information on political opinions and religious beliefs. An unfavorable "risk-based" evaluation by ATS can subject individuals to investigation, government surveillance, and denial of the right to travel. For more information, see EPIC: Automated Targeting System, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Jun. 22, 2012) - House Panel Votes to Renew Surveillance Law Without New Safeguards
The House Judiciary Committee voted to reauthorize the FISA Amendments Act, HR 5949, through Dec. 31, 2017 without any changes. The Act authorizes "programs of surveillance" intended to target foreign agents, but also allows collection of private communications of United States citizens without individualized suspicion. EPIC Executive Director Marc Rotenberg recently testified before the Committee and recommended that Congress strengthen oversight procedures to protect privacy and limit possible misuses of the legal authority. But amendments to improve accountability introduced by Rep. John Conyers (D-MI), Rep. Jerrold Nadler (D-NY), Rep. Bobby Scott (D-VA), and Rep. Sheila Jackson-Lee (D-Texas), were all defeated. In the Senate, Senator Ron Wyden (D-OR) and others have expressed concern about renewal of the Act. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA. (Jun. 21, 2012) - Facebook Acquires Facial Recognition Company Face.com
Facebook announced the acquisition of Face.com, a facial recognition technology company and long-time business partner of Facebook. Facebook uses an automatic facial recognition system, called "tag suggestions," to create a database of users' biometric information. Last year, EPIC filed a complaint with the Federal Trade Commission, stating that Facebook created biometric profiles of users without their explicit consent, failed to provide a clear mechanism for the deletion of these profiles, and failed to take adequate safeguards to ensure that users' biometric information would not be accessible to government agents and other third parties. In recent comments to the FTC, EPIC recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. For more information, see EPIC: Facial Recognition and EPIC: Facebook and Facial Recognition. (Jun. 20, 2012) - Senator Schumer: High Resolution Mapping Must Respect Privacy
Senator Charles Schumer (D-NY) has sent a letter to Apple and Google after the companies announced high-definition, 3-D aerial mapping products. Apple’s Flyover displays detailed images of metropolitan areas, while Google will collect 3-D images for its mapping service. Neither company has indicated if aerial drones will be used to collect imagery. Senator Schumer expressed concern about the privacy implications of the new services. He asked the companies to provide advanced notification when the aerial surveillance was to occur, allow individuals to opt-out of having their property displayed, and ensure blurring of individuals and sensitive infrastructure. The full-scope of Apple and Google's aerial surveillance program is not known. In 2010, it was revealed that Google’s "Street View" vehicles were also collecting vast amounts of personal communications from private wi-fi networks. For more information, see EPIC: Investigations of Google Street View and EPIC: Unmanned Aerial Vehicles and Drones. (Jun. 20, 2012) - EPIC Argues That Resellers of State Driver Records Should Be Strictly Liable Under Privacy Law
EPIC filed a "friend of the court" brief in Gordon v. Softech Int'l, Inc., a case concerning privacy protections for driver records. The Driver’s Privacy Protection Act is intended to prevent the misuse of personal information disclosed by state departments of motor vehicles. The Act allows the disclosure of driver record information only for "permissible uses." Some companies resell this information to others. EPIC argued in its brief that when the buyer uses this information for an impermissible purpose, the seller should be liable under the law. Strict liability, EPIC said, is necessary to incentivize resellers to limit the sale of personal information and prevent abuse. For more information, see EPIC: Gordon v. Softech International, Inc. and EPIC: Driver's Privacy. (Jun. 20, 2012) - EPIC Joins Open Government Groups in Freedom of Information Act Case
EPIC has joined five other prominent open government groups in a friend of the court brief in support of Citizens for Responsibility and Ethics in Washington. The organization is seeking to reverse a federal court which held that federal agencies do not have to say whether they will comply with a FOIA request. In the friend of the court brief, the open government groups said that the ruling conflicts with the plain language of the Freedom of Information Act and would produce unnecessary confusion in FOIA cases. For more information, see EPIC: Open Government. (Jun. 20, 2012) - EPIC Honors Sen. Al Franken, the Honorable Judge Kozinski, Dana Priest, Whitfield Diffie, and Willis Ware
At the 2012 EPIC Champion of Freedom Dinner, Senator Al Franken, Chief Judge Alex Kozinski, and Washington Post reporter Dana Priest received the EPIC awards for the defense of civil liberties and human rights, and for raising public awareness of new challenges to privacy. Senator Franken pursued meaningful legislation on emerging privacy issues, including a bill to protect location privacy. Chief Judge Kozinski of the United States Ninth Circuit Court of Appeals has worked to defend liberty in an era of rapidly changing technology. Dana Priest's investigative series "Top Secret America," with William Arkin, exposed the exponential post-9/11 growth of the United States intelligence community. Whitfield Diffie and Willis Ware were presented with EPIC lifetime achievement awards. Slate's Dahlia Lithwick hosted the event in Washington, D.C., and technologist Bruce Schneier and Supreme Court litigator Paul Wolfson made guest appearances. For more information, see 2012 EPIC Champion of Freedom Awards Dinner. (Jun. 18, 2012) - House to Consider Bill to Reauthorize Expansive Surveillance Law
The House Committee on the Judiciary will markup the FISA Amendments Act Reauthorization Act of 2012 on Tuesday, June 19, 2012. The Act authorizes government surveillance of international communications, including the private communications of United States citizens. Currently, the law provides little information to Congress or the public about these surveillance activities. EPIC Executive Director Marc Rotenberg recently testified at an oversight hearing, and called on Congress to strengthen oversight procedures and increase transparency before the Act is renewed. In a recent report by the Senate Intelligence Committee, Senators Mark Udall and Ron Wyden also said that the FISA contains a loophole that allows the government "to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens." For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International. (Jun. 18, 2012) - Administration Announces First Privacy "Multistakeholder" Meeting
The National Telecommunications and Information Administration will hold the first meeting of the privacy "multistakeholder process" on July 12. The meeting will address privacy and mobile applications, but many questions about the process remain unanswered. In comments to the agency, EPIC said that the Administrative Procedure Act, a well established legal framework for soliciting public comment, is a better and more transparent way to produce a meaningful outcome on new privacy policies. For more information, see EPIC: NTIA Multistakeholder Process. (Jun. 15, 2012) - New Report Finds Border Surveillance Drone Program Inefficient and Ineffective
A new Report highlights problems with the drone program operated by Bureau of Customs and Border Protection. The Bureau has purchased 10 drones, costing approximately $18 million each, and has expended an additional $55.3 million for maintenance and operations. But according to the Office of Inspector General, the Bureau "needs to improve planning of its unmanned aircraft systems program to address its level of operation, program funding, and resource requirements, along with stakeholder needs." Also, despite the Bureau’s limited mission to safeguard the borders, the Bureau often flies missions for the FBI, the DOD, NOAA, local law enforcement, and other agencies. This practice made headlines last year when police in North Dakota used a Bureau drone to arrest a U.S. citizen. This week Sen. Rand Paul (R-KY) and Rep. Austin Scott (R-GA) introduced bills in the Senate and the House to limit the use of drones for surveillance in the United States. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Jun. 12, 2012) - FCC Issues Stronger Telemarketing Rules to Protect Consumers
The Federal Communications Commission's final rule amending the Telephone Consumer Protection Act of 1991 (TCPA) regulations is now in effect. The rule requires "(1) prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines; (2) allow[s] consumers to opt out of future robocalls during a robocall; (3) limit[s] permissible abandoned calls on a per-calling campaign basis, in order to discourage intrusive calling campaigns; and (4) exempts prerecorded calls to residential lines made by health care-related entities governed by the Health Insurance Portability and Accountability Act of 1996." EPIC has previously urged the Commission to require express consumer consent for telemarketing calls and to protect wireless subscribers from telemarketing. For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act (TCPA). (Jun. 12, 2012) - Spokeo to Pay $800,000 to Trade Commission to Settle Privacy Violations
The data broker Spokeo agreed to pay $800,000 to settle a complaint filed by the Federal Trade Commission that the company marketed its data profiles to employers in violation of federal privacy law. The FTC alleges that Spokeo violated the Fair Credit Reporting Act by failing to ensure that its information was accurate, failing to ensure that it would be used only for legally permissible purposes, and failing to tell users if adverse decisions were made based on the information. The FTC also alleged that Spokeo created its own endorsements on news and technology websites and represented them as independent endorsements. The FTC's settlement bans Spokeo from future FCRA violations and misrepresentations. In 2004, EPIC successfully urged the FTC to investigate the compilation and sale of personal dossiers by the data broker ChoicePoint. That investigation produced a $10 m settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: Federal Trade Commission and EPIC: Choicepoint. (Jun. 12, 2012) - EPIC Urges FTC to Protect Privacy of Myspace Users
EPIC submitted comments to the Federal Trade Commission on a proposed settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC expressed support for the settlement in general, but recommended that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House's Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (Jun. 8, 2012) - Department of Homeland Security Exempts Massive Database from Privacy Act
The Department of Homeland Security issued a final rule exempting its Operations System from various Privacy Act safeguards, including provisions that permit individuals to access information about them held by the agency. The system "fuses" information from many sources which the agency uses for investigatory purposes. There are over twenty categories of data, including social security numbers, citizenship, medical records, and even information gathered from social media in the database. In 2010, EPIC urged the agency not to reduce the privacy protections for the Operations System, citing the substantial risks. Despite EPIC's recommendations, DHS went forward. For more information, see EPIC: Total Information Awareness and EPIC: EPIC v. DHS: Media Monitoring. (Jun. 8, 2012) - Swiss Court Sets Out Requirements for Google Street View in Switzerland
The Swiss Federal Supreme Court has allowed Google to continue operating its Street View service in Switzerland, subject to certain privacy protections. Google must completely obscure faces and license plates near "sensitive facilities" such as schools and prisons, and must not publish pictures of courtyards or lawns not visible to pedestrians unless the company obtains the owners' consent. Google must also honor requests from people who want to anonymize images of themselves. Recently, the unredacted version of an FCC report revealed that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC is pursuing FOIA requests with the FCC and the Department of Justice regarding the agencies' investigations into Google Street View. For more information, see EPIC: Investigations of Google Street View and EPIC: FCC Investigation of Google Street View. (Jun. 8, 2012) - IPv6, New Internet Protocol, Launches with Privacy Questions
The Internet Society has announced the world launch of IPv6, which will dramatically expand the number of Internet addresses. IPv6 creates fixed IP addresses, allowing routine tracking of Internet-connected devices, such as laptops, cellphones, and soon many consumer appliances. This will make it easier for law enforcement agencies and advertisers to track users of Internet-based services. A Privacy Extension allows the use of IPv6 without persistent identifiers, though it is not clear how widely it will be adopted. In 2008, EPIC testified before the European Parliament on IP addresses and privacy, and said that companies that use IPv6 linked to identifiable users should be subject to data privacy requirements. The EU classifies IP addresses as personal information. For more information: See EPIC: Search Engine Privacy. (Jun. 7, 2012) - LinkedIn Breach Leads to 6.5 Million Stolen Passwords
The professional social network LinkedIn suffered a security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the House Financial Services Committee and the Senate Banking Committee. For more information, see EPIC: Cybersecurity and Privacy. (Jun. 7, 2012) - Homeland Security Seeks to Expand "Risk-Based" Profiles
The Department of Homeland Security has proposed to exempt its "Automated Targeting System" from certain Privacy Act provisions. The Automated Targeting System creates "risk-based" profiles of individuals traveling to, from, and throughout the United States. The profile contains a plethora of personal data, including nationality, race, occupation, and biometrics. The System accesses and "ingests" this information from many sources, including government databases and commercial data aggregators. The DHS issued a Privacy Impact Assessment, which describes some of the privacy risks, including unauthorized access. In detailed comments to DHS in 2007, EPIC opposed the use of "risk-based" profiles. For more information, see EPIC: Automated Targeting System. (Jun. 6, 2012) - EPIC Asks Ombudsman to Investigate DHS FOIA Practices
EPIC has submitted a letter to the Office of Government Information Services, asking for an investigation into FOIA practices at the Department of Homeland Security. EPIC explained that the federal agency, which includes the TSA and the Bureau of Customs and Border Protection, routinely denies fee waivers in circumstances where the agency knows that the requester properly qualifies. By way of example, EPIC cited a recent FOIA appeal in which the agency wrongly denied a fee waiver request. EPIC said that the practice creates additional work for sophisticated FOIA requesters and may, as a practical matter, prevent other requesters from pursuing important FOIA requests. For more information, see EPIC: DHS Privacy Office and EPIC: Litigation Under the Federal Open Government Laws. (Jun. 4, 2012) - EPIC to Congress: "Strengthen FISA Oversight"
EPIC Executive Director Marc Rotenberg will testify before the House Judiciary Subcommittee on the FISA Amendments Act of 2008. The Act authorizes Government surveillance of international communications, including the private communications of U.S. citizens. EPIC will recommend increased transparency and new public reporting of the Government's surveillance activities. Currently, the FISA letter to Congress provides little to no information about Government conduct. "Congress should not reauthorize the FISA Act until adequate oversight procedures are in place," Rotenberg said. The hearing will be webcast. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International. (Jun. 1, 2012) - EPIC Calls for Genetic Privacy Protections
EPIC submitted comments to the Presidential Commission for the Study of Bioethical Issues, urging the advisory panel to protect genetic privacy in large-scale human genome sequence data. The Commission requested comments pertaining to the "privacy of individuals, research subjects, patients, and their families" as the government moves closer to large-scale human genome sequencing. EPIC Advisory Board member, Professor Anita L. Allen serves as a Commissioner for the Presidential advisory panel. EPIC recommended that the Commission build upon genetic privacy and medical laws such as the Genetic Information Nondiscrimination Act ("GINA") and the Health Insurance Portability and Accountability Act Privacy Rule to protect genetic data. EPIC also recommended that individuals should be given property rights over their genetic data. For more information, see EPIC: Genetic Privacy and EPIC: Medical Record Privacy. (May. 29, 2012) - EPIC to Testify on Foreign Intelligence Surveillance Act
EPIC Executive Director Marc Rotenberg is scheduled to testify before the House Judiciary Committee at a hearing on May 31, 2012 regarding the FISA Amendments Act of 2008. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Foreign Intelligence Surveillance Court. (May. 25, 2012) - French Data Protection Authority Sends New Questions to Google
The CNIL, the French data protection authority, has sent Google new questions regarding its privacy practices after finding the company's previous response was “often incomplete or approximate." The French agency is acting on behalf of governments across Europe that have raised questions about recent changes in Google's business practices. "The fact that Google's position on personal data processings is still unclear on many points after an in-depth exchange with the CNIL raises additional concerns about Google's adequate information of its users," the letter says. Google executives met with the CNIL on Wednesday, but the data protection authority said that many of its concerns had still not been addressed. Google’s decision to consolidate user data from over 60 products and services has also been criticized in the US by Members of Congress, state Attorneys General, and IT managers in government and the private sector. EPIC brought an enforcement action to block the March 1, 2012 changes. For more information, see EPIC: Enforcement of Google Consent Order. (May. 25, 2012) - Senate Approves FDA Transparency Amendment
The Senate has approved a pro-transparency amendment sponsored by Senator Patrick Leahy (D-VT) to the Food and Drug Administration Safety and Innovation Act. Senator Leahy's amendment will preserve public access to information in the agency's possession related to drugs and pharmaceuticals. The Act originally would have allowed the agency to deny public access to information relating to drugs obtained from a federal, state, local, or foreign government agency if that agency had requested that the information be kept confidential. Many members of the government transparency and accountability community objected in a letter to Congress, highlighting the importance of transparency regarding drug information and the potential health and safety risks created by the original language. For more information, see Openthegovernment.org and EPIC: Open Government. (May. 24, 2012) - Facebook Users Force Vote on Privacy Changes
Facebook users have registered enough comments on Facebook's proposed privacy changes to force a vote on the issue. A provision in Facebook’s Statement of Rights and Responsibilities states that Facebook will allow users to vote on proposed alternatives if more than 7,000 users comment on a proposed change. The vote is binding if "more than 30 percent of all active registered users as of the date of the notice vote." Facebook's Data Use Policy accumulated 10,500 comments in English. The group Europe v. Facebook generated 30,000 comments on the German version of the page. The FTC recently issued a proposed settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (May. 22, 2012) - Supreme Court Set to Review Wiretap Case
The Supreme Court has agreed to hear Clapper v. Amnesty International USA, a challenge to the FISA Amendments Act of 2008. The Act expanded the Government's authority to engage in warrantless surveillance, and followed news of the Bush administration's program to wiretap international communications. A group of lawyers, journalists, and public interest organizations, who regularly engage in international communications, challenged the new law saying they feared that their private communications would be intercepted. The US Court of Appeals for the Second Circuit ruled that the case could proceed even though the plaintiffs had not established that they were subject to surveillance. The Government filed a petition for the Supreme Court to hear the case, which was granted today. EPIC recently filed an amicus brief in a Supreme Court case, First American v. Edwards, raising similar Article III standing issues in the context of a consumer protection statute. EPIC also filed an amicus brief along with the Stanford Constitutional Law Center and other interested groups, in Hepting v. AT&T, a case challenging AT&T's involvement in the FISA warrantless wiretapping program. For more information, see EPIC: Foreign Intelligence Surveillance Act (FISA). (May. 21, 2012) - EPIC Urges the Drug Enforcement Administration to Uphold Privacy Act Protections
In response to a notice of proposed rulemaking, EPIC has submitted comments to the Drug Enforcement Administration of the Department of Justice, urging the agency to uphold Privacy Act protections, and to not claim broad exemptions from the Privacy Act. The proposed rule would exempt the agency from complying with crucial Privacy Act provisions, including the rights of record access and correction, and the duty to only collect relevant and necessary personal information. The proposed rule would even excuse the agency from any civil liability arising from willful Privacy Act violations. Following the Supreme Court decision in FAA v. Cooper, EPIC has set out proposed changes to the Privacy Act that would compensate individuals for provable nonpecuniary harms caused by willful violations of the Privacy Act. For more information, see EPIC: FAA v. Cooper and EPIC: The Privacy Act of 1974. (May. 21, 2012) - Federal Appeals Court Backs Justice Department in Voting Rights Dispute
The Court of Appeals for the District of Columbia Circuit issued an opinion rejecting Shelby County, Alabama's constitutional challenge to the preclearance requirements of the Voting Rights Act of 1965. The Court held that Section 5 of the Act, which requires "covered jurisdictions" to show that new voting procedures, such as Voter ID requirements, are nondiscriminatory before those changes can be put into effect, is constitutional. Shelby County challenged the preclearance requirements after Congress reauthorized Section 5 in 2006. The Department of Justice recently blocked Voter ID laws in South Carolina and Texas through the Section 5 preclearance process. EPIC has argued that unreasonable voter ID requirements are an impermissible burden on the right to vote. For more information, see EPIC: Voter Photo ID and Privacy and EPIC: Crawford v. Marion County. (May. 18, 2012) - House Approves Amendment to Defense Spending Bill to Limit Defense Drones Surveillance
The House of Representatives has approved an amendment, introduced by Congressman Landry (R-LA), to the National Defense Authorization Act to prohibit information collected by Department of Defense drones without a warrant from being used as evidence in court. New legislation requires the Federal Aviation Administration to develop rules governing the operation of drones in the U.S. National Airspace. Shortly after passage, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in US airspace. The petition is still pending with the agency. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (May. 17, 2012) - Privacy Board Approved by Judiciary Committee, Vote Moves to Senate
The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11." (May. 17, 2012) - EPIC Supports Geolocation Privacy Act, Suggests Improvement
In a Statement for the Record, EPIC has expressed support for H.R. 2168, the "Geolocational Privacy and Surveillance Act," which prohibits the interception of location information by private parties and government agents acting without a search warrant. The bill will be considered at a hearing before the House Subcommittee on Crime, Terrorism, and Homeland Security. EPIC said "as communications technologies evolve, new forms of personal information are generated that require new legal safeguards." EPIC also recommended that Congress adopt purpose-specification and data limitation requirements for data stored by private companies, require affirmative consent prior to the collection of location data, and clarify an exception that permits the interception of location data made available through publicly accessible systems. For more information, see EPIC: Location Privacy. (May. 16, 2012) - FAA Revises Drone License Procedures, Privacy Petition Still Pending
The Federal Aviation Administration has announced new procedures for government agencies that operate drones in the United States. The procedures will streamline the process through which government agencies, including local law enforcement, receive drone licenses. However, the FAA has so far failed to establish privacy safeguards for drone use. On February 24, 2012, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in US airspace. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (May. 15, 2012) - EPIC Proposes Update to Privacy Act to Address Recent Supreme Court Decision
Following the recent decision of the Supreme Court in FAA v. Cooper, EPIC has set out proposed changes to the Privacy Act that would compensate individuals for provable nonpecuniary harms caused by willful violations of the Privacy Act. In Cooper, the Supreme Court held that the Privacy Act "does not unequivocally authorize" compensatory damages for mental or emotional distress. Justice Sotomayor, joined by Justices Ginsburg and Breyer, wrote in dissent that "the primary, and often only, damages sustained as a result of an invasion of privacy are . . . mental or emotional distress." EPIC recommended that the Privacy Act explicitly define "actual damages" to include provable mental and emotional distress. EPIC's letter follows an earlier request from Senator Daniel Akaka (D-HI) for comment on S.1732, the Privacy Act Modernization for the Information Age Act of 2011. For more information, see EPIC: FAA v. Cooper and EPIC: The Privacy Act of 1974. (May. 14, 2012) - EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising
EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (May. 11, 2012) - On Google Spy-Fi, Senator Durbin Calls for Update to Wiretap Law, FCC Chair Agrees Law Should Protect Unencrypted Communications
In a hearing with Federal Communications Commission Chairman Julius Genachowski, Senator Dick Durbin (D-IL) criticized the agency's decision to issue a mere $25,000 fine against Google following the investigation of Street View data collection. (Hearing video beginning at 64:20) Senator Durbin said that Google's interception and collection of private wi-fi communication was a clear violation of privacy. Chairman Genachowski defended the agency's decision but agreed with the committee chairman that "the law should protect people even if they have unencrypted wi-fi." Senator Durbin said that he would consider changes to the law if that is necessary. Senator Durbin also asked the FCC to provide the legal memoranda supporting the FCC's decision not to find Google guilty of violating the Communications Act. EPIC has a similar FOIA request pending with the agency. For more information, see EPIC: FCC Investigation of Google Street View and EPIC: Electronic Communications Privacy Act. (May. 11, 2012) - Federal Appeals Court Sides with NSA, Rejects EPIC's Arguments that Agency Should Provide Information About Collaboration with Google
The DC Circuit Court of Appeals ruled today the National Security Agency need neither "confirm nor deny" the existence of any records about the agency's relationship with Google, even after such a collaboration was widely reported in the national media. EPIC filed a Freedom of Information Act (FOIA) request with the NSA following a cyber attack in January 2010 that led Google to contact the NSA. The NSA refused to either confirm or deny the existence of responsive records, claiming that such information is exempt from disclosure under the NSA Act. EPIC challenged this "Glomar" response and argued that the agency had a responsibility to locate records that could be disclosed, but a lower court ruled in favor of the NSA and the appellate court affirmed. EPIC has several other pending FOIA matters concerning the NSA, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. For more information, see EPIC v. NSA: Google / NSA Relationship. (May. 11, 2012) - EPIC Stresses Need For Privacy Evaluation in Drone Testing
In comments to the Federal Aviation Administration (FAA), EPIC emphasized the need for transparency and accountability in drone operations, and recommended the development of privacy protections before drones are more widely deployed in the US. The FAA Notice of Proposed Rulemaking set out proposed criteria for drone testing. Congress has tasked the FAA with facilitating the use of drones in the domestic airspace. In February, EPIC, joined by a coalition of more than 100 organizations, experts, and members of the public, petitioned the FAA to conduct a rulemaking on the privacy implications of domestic drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (May. 9, 2012) - Myspace Settles With FTC Over Deceptive Practices Complaint
The Federal Trade Commission has reached a settlement with the social networking service Myspace over charges that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. Advertisers were able to access the unique "Friend ID" of users and link this identifier to other personal information. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy. (May. 8, 2012) - 2011 FISA Orders Up, National Security Letters Down, No Surveillance Request Denied
According to the 2011 Foreign Intelligence Surveillance Act (FISA) Report, the Justice Department submitted 1,745 applications to the Foreign Intelligence Surveillance Court, a 10.5% increase over 2010. Of the 1,745 FISA search applications, 1,676 concerned electronic surveillance. The FISA court did not deny any applications, though it did modify 30 applications. Also in 2011, the FBI made 16,511 National Security Letter requests for information pertaining to 7,201 different U.S. persons. This is a substantial decrease from the 24,287 national security letter requests concerning 14,212 U.S. persons in 2010. The annual report on FISA, released by the Department of Justice, is far less extensive than the annual wiretap report, produced by the Administrative Office of the US Courts. EPIC has recommended greater accountability for the FISA Court. For more information, see: EPIC: Foreign Intelligence Surveillance Act Court Orders 1979-2011 and EPIC: Foreign Intelligence Surveillance Act. (May. 4, 2012) - Classified Report Finds Vulnerabilities in Body Scanner Program
The Department of Homeland Security Office of Inspector General has completed an investigation into the effectiveness of the body scanner program as deployed in airports as a primary passenger screening system. The unclassified summary of the report notes that several vulnerabilities were found in the program, which has already cost more than $87 million. The full report consists of "Sensitive Security Information" (SSI) and will not be released to the public, according to the Inspector General. EPIC has challenged the SSI designation, arguing that it is an improper standard for classification. The Government Accountability Office, technical experts, Members of Congress, and bloggers have also questioned the effectiveness of the devices. In a federal lawsuit, EPIC challenged the body scanner program, calling it "invasive, unlawful, and ineffective." For more information, see EPIC v. DHS (Suspension of body scanners). (May. 4, 2012) - Following Maryland, Congress and California Consider Bills Banning Employers From Asking for Facebook Passwords
Reps. Eliot Engel (D-NY) and Jan Schakowsky (D-IL) introduced the Social Networking Online Protection Act, a bill that would prohibit employers, colleges, universities, and K-12 schools from seeking usernames or passwords for the social media accounts of employees or students. Similar legislation was introduced in California. Maryland became the first state to ban employers from asking employees or applicants for social networking passwords. Senators Blumenthal and Schumer have asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy. (May. 1, 2012) - FOIA "Ombudsman" Releases Open Government Report
In response to several demands from Congress, the Office of Government Information Services (OGIS) has released a long-delayed report with recommendations to improve the administration of the Freedom of Information Act. The report addresses several FOIA processing issues, but doesn't examine the significant issue of delays in FOIA processing and efforts by agencies - such as the Department of Justice - to create new obstacles for FOIA requestors. And OGIS did not address EPIC's pending request to determine whether DHS's practice of vetting FOIA requests by political appointees is permissible. For more information, see EPIC: Open Government. (May. 1, 2012) - Following EPIC FOIA Request to FCC, Google Releases "Spy-Fi" Report
Shortly after EPIC filed a Freedom of Information Act request with the Federal Communications Commission for the unredacted version of its report on Google Spy-Fi, Google has released a mostly unredacted version of the report. The FCC Report undercuts the company's prior statements that a rogue engineer was responsible for the payload data collection. Instead, it indicates that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC will continue to press for more details on the investigation through FOIA requests to the Federal Communications Commission and the Department of Justice. For more information see EPIC: Investigations of Google Street View. (Apr. 30, 2012) - EPIC Appeals Denial in Surveillance Export FOIA Request; Files Follow-Up Request
EPIC has appealed a denial of a Freedom of Information Act request that sought records concerning the sale of surveillance technology by U.S. companies to repressive regimes like Syria and Yemen. "The failure to adequately justify the claim that no segregable portions of records exist violates FOIA, especially given the past practice of releasing aggregate data in response to substantially similar requests," the appeal states. EPIC also filed a follow-up request to the Department of Commerce seeking records related to the agency's investigation of companies like Blue Coat Systems, which sold surveillance devices to Syria. Recently, President Obama signed an executive order authorizing U.S. officials to impose sanctions against persons involved in the use of information and communications technology to facilitate human rights abuses in Syria and Iran. For more information, see EPIC: Freedom of Information Act. (Apr. 27, 2012) - EPIC Pursues Justice Dept. Records of Google Street View Investigation
EPIC has submitted a FOIA request to the Department of Justice for documents related to the agency's investigation of Google Street View and possible violations of federal wiretap laws. In an April 26, 2012 letter to the FCC in a related matter, Google claimed that the Department of Justice had "conducted and long ago completed its own thorough examination of the facts" related to the Google Street View matter. EPIC had asked the Justice Department to pursue the matter. EPIC also has a pending FOIA request for the FCC's heavily redacted report on the Google Street View investigation. For more information see EPIC: Investigations of Google Street View. (Apr. 27, 2012) - Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards
The House of Representatives passed the Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a statement to the Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC: Cybersecurity, EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship). (Apr. 27, 2012) - EPIC Files Suit for FBI "Sting Ray" Cell Phone Tracking Documents
EPIC has filed a FOIA lawsuit against the FBI for documents related to the Government's use of cell phone tracking technology, known as "Sting Ray." For more than 15 years the FBI has used cell-site simulator technology to track the location of cell phones and other communications devices. Cell-site simulators act like fake cell towers and can be used to monitor and track cell phone users even when the device is not in use. The technique also tracks all individuals in a region, regardless of whether they are the suspect in an investigation. Government attorneys have recently fought against the discovery of documents related to the use of these devices. In February 2012, EPIC filed a Freedom of Information Act request with the FBI, but so far the agency has not responded or disclosed any documents as required by law. EPIC has recently filed amicus curiae briefs in Supreme Court and federal court cases related to Government location tracking. For more information see: EPIC: Locational Privacy, EPIC: US v. Jones and EPIC: In re US Application for Historic Cell-Site Location Information. (Apr. 27, 2012) - District Court Panel Admonishes South Carolina in Voter ID Case
A three-judge panel overseeing a critical voter ID case, State of South Carolina v. United States of America, set out unusually detailed requirements in a Scheduling and Procedures Order issued today. According to the concurring statement of Judge Bates, joined by Judge Kollar-Kotelly, the state has engaged in delaying tactics even as it has urged a swift resolution of the matter, concerning new voting ID procedures adopted by the state. The court cited South Carolina's lack of responsiveness to the Department of Justice, "despite repeated requests" for the "final versions of the implementing procedures" for provisions of the law. The court expects to issue a final ruling in early September 2012, prior to the fall Presidential election. For more information, see EPIC: Voter Photo ID and Privacy. (Apr. 26, 2012) - Google Terms of Service Grant Company Broad Rights over Data of Google Drive Users
Google’s Terms of Service--which govern Google’s cloud-based file storage, Google Drive--give the company the right to “reproduce, modify, create derivative works” using uploaded content, as well as to “publicly perform, [and] publicly display” files. In 2009, EPIC asked the FTC to require privacy safeguards for Google's cloud-based services. EPIC cited previously-discovered privacy and security flaws, including one that disclosed user-generated documents saved on Google Docs to users of the service who lacked permission to view the files, and another that permitted unauthorized individuals to access user-generated Google Docs content. For more information, see EPIC: Cloud Computing and Privacy. (Apr. 26, 2012) - White House Targets Use of Technology by Human Rights Abusers
President Obama signed an executive order authorizing U.S. officials to impose sanctions against persons involved in the use of information and communications technology to facilitate human rights abuses in Syria and Iran. EPIC previously filed a Freedom of Information Act request seeking information regarding the export of surveillance technology by U.S. companies. In 2006, EPIC urged the Commerce Department to reexamine policies that allow for the export of surveillance technology to China. For more information, see EPIC: Freedom of Information Act. (Apr. 24, 2012) - Facebook Asks for Feedback after Policy Changes
Facebook has re-opened its Statement of Rights and Responsibilities for comment after making changes to the original document. Although users’ personal data can still be accessed by the apps of their friends, Facebook clarified that users could prevent this by changing the “Apps and Websites” settings. Facebook also deleted a provision reserving the right to “exclude or limit the provision of any service or feature in our sole discretion” in certain geographic areas after users raised concerns about censorship. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended that Facebook restore the privacy settings that users had in place when the violations occurred. In response to Facebook's prior policy change, EPIC noted that the data-disclosure practices of applications implicated issues that led to the creation of the consent order. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Apr. 23, 2012) - Department of Homeland Security Expands Use of Watch Lists for "Known Traveler" Program
The Department of Homeland Security has published a Privacy Impact Assessment Update for Secure Flight, a DHS program that compares airline passenger records with various watch lists. The assessment describes the agency's plans to expand the Known Traveler program so as to expedite airline screening for certain categories of individuals. The DHS also intends to incorporate into Secure Flight the Automated Targeting System, a controversial program that allows the government to assign a risk assessment number to individual travelers. That number provides the basis for further screening. In 2007, EPIC urged DHS to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. In 2010, EPIC advocated for stronger privacy protections of DHS trusted traveler programs that compare passenger names against watch lists. For more information, see EPIC: Secure Flight and EPIC: Automated Targeting Systems. (Apr. 23, 2012) - Bi-Partisan Privacy Caucus Demands Answers on Drones and Privacy
Congressman Markey (D-Mass) and Congressman Barton (R-TX) sent a letter to the Federal Aviation Administration (FAA), raising concerns about the increased use of drones in the United States. The Congressmen noted, "there is...potential for drone technology to enable invasive and pervasive surveillance without adequate privacy protections." The letter called on the FAA's Acting Administrator to supply key information about the drone program, including plans to ensure that the drone licensing process includes privacy protections and public transparency. In February, EPIC, joined by a coalition of more than 100 organizations, experts, and members of the public, petitioned the FAA to conduct a rulemaking on the privacy implications of domestic drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Apr. 19, 2012) - EPIC Demands Details of Federal Communications Commission's Google Investigation
EPIC has filed a FOIA request for the unredacted version of the FCC's Google Street View report. The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. A heavily redacted report released this week revealed that the Commission found that Google impeded the investigation by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." But the redacted report also raised questions about the scope of the FCC's Street View investigation. Surprisingly, the FCC concluded that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View. (Apr. 19, 2012) - Coalition Urges Congress to Remove Cybersecurity FOIA Limitations
An open government coalition has asked House lawmakers to oppose provisions in "CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see EPIC: Cybersecurity, EPIC: EPIC v. NSA, Litigation Under the Federal Open Government Laws 2010. (Apr. 18, 2012) - EPIC Urges Justice Department to Investigate Google for Unlawful Wiretapping
EPIC wrote a letter to Attorney General Eric Holder asking the Department of Justice to investigate Google’s collection of Wi-Fi data from residential networks by means of "Street View" vehicles. The Federal Communications Commission recently fined Google $25,000 for obstructing an investigation concerning Street View and federal wiretap law. But as EPIC noted "by the agency’s own admission, the investigation conducted was inadequate and did not address the applicability of federal wiretapping law to Google's interception of emails, usernames, passwords, browsing histories, and other personal information." Members of Congress have expressed support for EPIC's recommendation to the Justice Department. Senator Richard Blumenthal said that "Google's interception and collection of private wireless data potentially violates the Wiretap Act or other federal statutes, and I believe the Justice Department and state attorneys general should fully investigate this matter." Congressman Ed Markey said that "[t]his fine is a mere slap on the wrist for Google," and called for a more comprehensive investigation. Many countries have found Google guilty of violating national privacy laws, and a US federal court recently held that unencrypted wireless network communications are not exempt from the protections of the Wiretap Act. For more information, see EPIC: Investigation of Google Street View and EPIC: Ben Joffe v. Google. (Apr. 17, 2012) - FCC Fines Google $25,000 for Failure to Cooperate with Street View Investigation
The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. The Commission found that Google impeded by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." In May 2010, EPIC wrote to the FCC and urged the agency to undertake an investigation after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. Shortly afterward, the head of the FCC Bureau of Consumer and Governmental Affairs wrote that Google's behavior "clearly infringes on consumer privacy." Many countries around the world have found Google guilty of violating national privacy laws. Surprisingly, the FCC said that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View and EPIC: Ben Joffe v. Google. (Apr. 16, 2012) - Facebook Offers Revised “Download Your Information” Option
The New York Times reported that Facebook would provide users with a downloadable archive containing many types of data that the company stores about users. Although the new archive contains more user information than Facebook first offered in 2010, Max Schrems, the German law student and founder of Europe v. Facebook, said that Facebook is still only providing 39 of 84 data categories. EPIC called on Facebook to give users full access to all of the data that the company keeps about them through EPIC’s Know What They Know campaign. In comments on a settlement between Facebook and the Federal Trade Commission, EPIC recommended that the FTC require Facebook to give users full access to their data. For more information, see EPIC: Facebook Privacy and EPIC: Know What They Know. (Apr. 12, 2012) - Maryland Passes Bill Banning Employers from Demanding Facebook Information
The Maryland legislature passed the first bill banning employers from asking employees or applicants for social networking passwords. The bill was introduced after Robert Collins, an employee at the Department of Public Safety and Correctional Services, was asked to turn over his Facebook password as part of the process of being reinstated as a corrections officer. Recently, Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice of employers asking job applicants to surrender user names and passwords for social networking sites like Facebook. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy. (Apr. 11, 2012) - Bennett, Calo, Donohue, Dwork, Kerr, and Pasquale Join EPIC Advisory Board
EPIC has announced the 2012 members of the EPIC Advisory Board. They are Colin Bennett, Professor of Political Science at University of Victoria; Ryan Calo, Director of Privacy and Robotics, Center for Internet and Society at Stanford Law School; Laura Donohue, Associate Professor at Georgetown University Law Center; Cynthia Dwork, Distinguished Scientist, Microsoft Research; Orin Kerr, Professor of Law at George Washington University; and Frank A. Pasquale, Professor of Law at Seton Hall University. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Joining the EPIC Board of Directors in 2012 are Grayson Barber, Pamela Jones Harbour and Ray Ozzie. Press Release. For more information, see EPIC: EPIC Advisory Board. (Apr. 10, 2012) - EPIC Urges Federal Appeals Court to Uphold Workplace Privacy
EPIC has filed an amicus brief in United States v. Hamilton, urging the Fourth Circuit Court of Appeals to uphold employee privacy interests in personal e-mails. The Government contends that it may obtain private emails from an employer even when they are privileged communications between spouses and there is no use policy in place, explaining that communications are subject to disclosure. The district court agreed. EPIC argued that employees in the modern workplace routinely communicate about private matters with spouses and that an employee's privacy interest cannot be retroactively waived by a use policy implemented a year later, as the lower court suggested. For more information, see EPIC: Workplace Privacy and EPIC: United States v. Hamilton. (Apr. 9, 2012) - EPIC Obtains New Details on PATRIOT Act
As the result of a Freedom of Information Act request, EPIC has obtained more than 650 pages of documents related to the PATRIOT Act. EPIC had requested information related to the FBI's abuse of PATRIOT Act authorities and documents concerning the 2009 sunset of the PATRIOT Act. The documents disclosed by the FBI include training presentations, answers to questions from Senators Leahy and Specter, and a list of reporting requirements. In an answer to Senator Leahy, the FBI stated that while it would discontinue the use of exigent letters, which the Inspector General had previously noted as a frequent source of abuse, the agency planned to continue its use of the emergency disclosures provision of the Electronic Communications Privacy Act. For more information, see EPIC: USA PATRIOT Act. (Apr. 4, 2012) - Survey Finds Widespread Consumer Concerns about Online Privacy
A national survey by Consumer Reports found that most consumers had serious concerns about their online privacy and about the collection and use of their personal data. 71 percent of respondents said they were very concerned about companies disclosing their information without their permission; 65 percent of smartphone owners were very concerned that apps could access their contacts, photos, and location data without their permission; and 53 percent were concerned about data about their online activities and purchases being used to deny employment or loans. For more information, see EPIC: Public Opinion on Privacy. (Apr. 4, 2012) - EPIC to Commerce Department: Establish Privacy Rights
EPIC submitted comments to the National Telecommunications and Information Administration of the Department of Commerce, urging the agency to implement the principles set out in the White House Consumer Privacy Bill of Rights. The Department of Commerce announced it would convene a multistakeholder process to develop enforceable codes of conduct for consumer privacy protection. EPIC wrote that the Administrative Procedure Act is a more effective and transparent way to solicit public comment and produce a meaningful outcome. For more information, see EPIC: White House - Consumer Privacy Bill of Rights and EPIC: Administrative Procedure Act Comments. (Apr. 4, 2012) - Divided Supreme Court Upholds Strip Search of those Arrested for Minor Offenses
In a 5-4 opinion by Justice Kennedy, the Supreme Court held that the suspicionless strip search of a prison detainee does not violate the Fourth Amendment. The case, Florence v. Board of Chosen Freeholders, involved a wrongful arrest based on an invalid warrant. Justices Roberts and Alito filed concurring opinions noting potential exceptions to the Court's general rule, such as when a detainee will be kept separate from the general prison population. Justice Breyer's dissenting opinion argued that strip searches are an "affront to human dignity and to individual privacy," and questioned whether they are necessary given other, less intrusive, screening methods available. EPIC has opposed the use of airport body scanners, which collect images of naked air travelers, and filed an amicus brief challenging a wrongful arrest based on errors in a Government database. For more information, see: EPIC: Herring v. US. (Apr. 4, 2012) - EPIC Urges Court to Affirm Privacy Protections for Home Wi-Fi Networks
EPIC has filed an amicus brief in the Ninth Circuit urging the court to affirm legal protections for users of home Wi-Fi networks. In Joffe v. Google, the plaintiffs sued Google for the interception and capture of private communications transferred over residential Wi-Fi networks. Google argued that it should be exempt from liability under the federal Wiretap Act because Wi-Fi communications are "readily accessible to the general public." However, a lower court held that saying "that a network is unencrypted does not render that network readily accessible to the general public and serve to remove the intentional interception of electronic communications from that network from liability under the ECPA." EPIC's brief for the Court of Appeals, which contains a detailed technical discussion of Wi-Fi technology, explains that residential Wi-Fi networks are unlike traditional radio broadcasts and should be protected under the Electronic Communications Privacy Act. EPIC also said that consumers should not bear the burden of securing their networks against sophisticated eavesdroppers when the purpose of the ECPA is to protect communications from such interception. For more information, see EPIC: Investigation of Google Street View, EPIC: Ben Joffe v. Google. (Apr. 2, 2012) - FTC Announces $30 Million Penalty Against Deceptive Robocallers
The Federal Trade Commission announced that a federal judge has ordered the defendants behind a deceptive robocall scheme to pay a $30 million civil penalty and surrender more than $1.1 million in ill-gotten gains. The scheme promised "cash grants" to individuals, many of whom were on the Do Not Call Registry, but merely referred them to grant-related websites that charged a fee for providing general information about obtaining grants from private sources. The FTC determined that the robocalls violated the FTC Act and the Telemarketing Sales Rule. For more information, see EPIC: Federal Trade Commission and EPIC: Telephone Consumer Protection Act. (Apr. 2, 2012) - Supreme Court Limits Privacy Act Remedies
In a 5-3 opinion, the Supreme Court held today that the Privacy Act does not allow recovery of mental and emotional damages suffered as a result of the Government's "willful and intentional violation" of the Act. Justice Alito, writing for the Court in FAA v. Cooper, said that the key term "actual damages" was ambiguous, and should be narrowly construed to limit Government liability. In a dissenting opinion, joined by two other Justices, Justice Sotomayor argued that the purpose of the Privacy Act is unambiguous: to protect individuals from "substantial harm, embarrassment, inconvenience, or unfairness" that result from Government privacy violations. EPIC filed an amicus curiae brief in the case, stating that privacy laws routinely provide recovery for mental and emotional harm, that such damages are the most common result of privacy violations, and that civil remedies are necessary to ensure enforcement of the Privacy Act. Congress is currently considering amendments to the Privacy Act. For more information, see EPIC: FAA v. Cooper and EPIC to Congress: Privacy Act Modernization Bill Should be Stronger. (Mar. 28, 2012) - FTC Announces Settlement with RockYou Over Security Flaws, COPPA Violations
The Federal Trade Commission announced a settlement with the social game site RockYou over charges that the site's poor security allowed hackers to access the personal information of 32 million users. The FTC also alleged that RockYou violated the Children's Online Privacy Protection Act Rule by knowingly collecting approximately 179,000 children's email addresses and associated passwords without the consent of their parents. The settlement prohibits future deceptive claims by the company regarding privacy and data security and future violations of the COPPA Rule, and requires the company to implement a data security program and to pay a $250,000 civil penalty. Last year, the FTC proposed new COPPA rules to better protect children, about which EPIC submitted comments. For more information, see EPIC: Children’s Online Privacy and EPIC: FTC. (Mar. 27, 2012) - EPIC to Congress: Privacy Act Modernization Bill Should be Stronger
In response to a request from Senator Daniel Akaka (D-HI), EPIC sent a letter explaining that S.1732, the Privacy Act Modernization for the Information Age Act of 2011, should be strengthened to ensure better privacy protection. The Privacy Act of 1974 governs federal agencies' collection, retention, and use of personally identifiable information. In October 2011, Senator Akaka proposed the Privacy Act Modernization bill, which would update the Privacy Act of 1974. EPIC's letter points out that the proposed circumstances under which agencies can disclose personal information should be narrowly tailored. EPIC also noted that certain proposed amendments in the bill insufficiently warn individuals of government security breaches affecting individuals' personal information. For more information, see EPIC: The Privacy Act of 1974. (Mar. 27, 2012) - DHS Privacy Office Issues Quarterly Report to Congress
The DHS Privacy Office has issued its First Quarter Fiscal Year 2012 Report to Congress. The report details DHS programs and functions that affect privacy, such as privacy impact assessments and system of records notices. The report also summarizes the 295 privacy compliance complaints that DHS has received between September 1, 2011 and November 30, 2011. EPIC has closely followed DHS Privacy Office activities, and has worked to ensure timely release of DHS privacy reports. For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy. (Mar. 26, 2012) - Federal Trade Commission Calls for Privacy Legislation
Today the Federal Trade Commission released Protecting Consumer Privacy in an Era of Rapid Change. The FTC report called for the enactment of baseline privacy legislation and for legislation that gives consumers the right to access personal information held by data brokers. However, the framework is not as extensive as the White House Consumer Privacy Bill of Rights and depends on industry self-regulation. EPIC previously commented on an earlier draft of the framework, pointing out that the FTC "mistakenly endorses self-regulation and 'notice and choice,' and fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers." For more information, see EPIC: Federal Trade Commission. (Mar. 26, 2012) - Senators Call for Investigation into Employer Demands for Facebook Passwords
Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the Department of Justice to investigate the practice of employers asking job applicants to surrender Facebook user names and passwords. The Senators pointed out that accessing an applicant's profile could reveal sensitive information that employers are not permitted to ask about or base hiring decisions on. Thus, employers could be violating the Civil Rights Act and other federal laws, including the Stored Communications Act and the Computer Fraud and Abuse Act, which prohibit "unauthorized access" to electronic information. "Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both [Acts]," the letter states. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy. (Mar. 26, 2012) - Director of National Intelligence Gains New Powers, Expands Datamining of US Citizens
Under revised guidelines for the National Counterterrorism Center, intelligence agency officials will be able to profile and track American citizens, suspected of no crime, for up to five years. The change represents a dramatic expansion of government surveillance and appears to violate the Privacy Act of 1974, which limits data exchanges across federal agencies and establishes legal rights for US citizens. In 2003, Congress put an end to a similar program. For more information, see EPIC - Total Information Awareness. (Mar. 23, 2012) - Department of Homeland Security Releases Revised Privacy Impact Assessments
The Privacy Office of DHS has released several revised Privacy Impact Assessments for various DHS programs. These reports analyze the privacy risks of federal government systems. Last year, EPIC FOIA requests regarding a Minority Report-like program called "FAST" found that the DHS had failed to adequately assess privacy risks. According to the agency, the "Future Attribute Screening Technology" program assesses "physiological and behavioral signals" to determine the probability that an individual might commit a crime. For more information, see: EPIC: Future Attribute Screening Technology (FAST) Project FOIA Request. (Mar. 23, 2012) - Facebook Policy Changes Raise Questions About Compliance with 2011 Consent Order
Facebook has begun to review comments on changes to its Statement of Rights and Responsibilities. Among other changes, Facebook now states that a user's information is disclosed to apps used by his or her friends, that Facebook software or plugins that users download may automatically download updates, upgrades, and additional features, and that users may not tag others who do not wish to be tagged. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to apps used by their friends. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Mar. 23, 2012) - House of Representatives Issues FOIA Request Management Report Card
The U.S. House of Representatives Committee on Oversight and Government Reform issued a "Report Card on Federal Government's Efforts to Track and Manage FOIA Requests." The Report Card assigned letter grades to agencies based upon their "ability and willingness . . . to submit information" to the House Committee about the agencies’ FOIA tracking systems. This information included the requester's name, the date of the request, a description of the records sought by requesters, the date the request was closed, and whether the agency provided responsive records to the request. The Federal Trade Commission was one of the highest scoring agencies, earning an "A+" for its FOIA management. The Department of Justice, the Department of Defense, and the Department of Homeland Security each received a "D" letter grade for their FOIA tracking systems. For more information, see: EPIC: Open Government. (Mar. 20, 2012) - EPIC to Argue for Disclosure of Google-NSA Agreement before Federal Appeals Court
EPIC will pursue its Freedom of Information Act request with the National Security Agency in scheduled arguments before the Court of Appeals for the DC Circuit this Tuesday morning. EPIC submitted the FOIA request in February 2010, following a widely reported collaboration between Google and the NSA after the China hack. The agency replied that it could "neither confirm nor deny" the existence of records responsive to EPIC's request. A lower court ruled in favor of the NSA, but EPIC has challenged that opinion, and the federal appeals court will hear the case on March 20, 2012. The case is EPIC v. NSA, No. 11-5233. (Mar. 19, 2012) - EU and US Privacy Officials Convene
Policymakers from the United States and the European Union are participating in a joint conference today on Privacy and Protection of Personal Data. EU Vice President Viviane Reding and US Commerce Secretary John Bryson issued a common statement reaffirming a commitment to privacy protection. US and EU consumer and privacy organizations also issued a statement commending the new US Consumer Privacy Bill of Rights but cautioning that the US has far more to do to safeguard the interests of users of new Internet-based services. For more information, see Public Voice - The Madrid Declaration. (Mar. 19, 2012) - EPIC Urges Court to Uphold Location Privacy in Cell Phone Tracking Case
EPIC filed a "Friend of the Court" brief in the Fifth Circuit urging the court to uphold Fourth Amendment protections for cell phone users. In the case, In re US for Historical Cell-Site Data, the lower court held that the disclosure of historical cell phone location records without a warrant would violate the Fourth Amendment. EPIC argued that this opinion should be upheld in light of the Supreme Court's recent decision in United States v. Jones, because cell phone location records are collected without the knowledge or consent of users. The records in this case, EPIC argued, create a "comprehensive map of an individual’s movements, activities, and relationships, . . . precisely the type of information that individuals reasonably and justifiably believe will remain private." For more information, see In re Historical Cell-Site Location Information, EPIC: State v. Earls, and EPIC: US v. Jones. (Mar. 19, 2012) - House and Senate Call for Investigation on Airport Body Scanner Radiation Risks
Both the House and the Senate introduced bills last month that would require the Department of Homeland Security "to contract with an independent laboratory to study the health effects of backscatter x-ray machines used at airline checkpoints operated by the Transportation Security Administration," and to provide improved notice of the health effects to airline passengers. The bills focus on the health effects of those screened by the backscatter x-ray machines, including frequent air travelers, flight crews, and individuals with greater sensitivity to radiation, such as children, pregnant women, the elderly, and cancer patients. In 2010, EPIC filed a Freedom of Information Act lawsuit asking a court to force the Department of Homeland Security to disclose documents about radiation testing results and agency fact sheets on radiation risks. For more information, see EPIC: EPIC v. DHS - Full Body Scanner Radiation Risks. (Mar. 15, 2012) - Open Government Groups Oppose Cyber Security FOIA Exemption
Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity. (Mar. 14, 2012) - Federal Agency Settles Health Privacy Case with Blue Cross for $1.5 Million
The Department of Health and Human Services announced a settlement with Blue Cross Blue Shield after the company’s inadequate security measures allowed 57 unencrypted hard drives containing private health information to be stolen from a facility in Tennessee. The agency cannot issue a fine greater than $1.5 million, but it could have filed criminal charges or required Blue Cross to mitigate future patient harms. For more information, see EPIC: Medical Privacy. (Mar. 14, 2012) - EPIC Urges Senate to Safeguard FOIA for Cybersecurity
In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity. (Mar. 12, 2012) - Justice Department Strikes Down Texas Voter ID Law
The Department of Justice has determined that a Texas voter ID law that requires photo identification violates the Voting Rights Act of 1965. The Texas law requires voters to present a driver's license or ID card issued by the state. The law also permits a voter to use military photo ID, a US citizenship certificate that contains the person's photograph, a US passport, or a license to carry a concealed handgun. The Department of Justice found that the Texas voter ID law disproportionately affects Hispanic voters because Hispanic voters are between 47% and 120% more likely than non-Hispanic registered voters to lack acceptable photo identification. The Department of Justice found that Texas "has not met its burden of proving that . . . the proposed [voter ID law] will not have a retrogressive effect, or that any specific features of the proposed law will prevent or mitigate that retrogression." In the voting context, "retrogression" refers to the disenfranchisement of eligible voters. For more information, see EPIC: Voter Photo ID and Privacy. (Mar. 12, 2012) - EPIC Publishes 2012 FOIA Gallery
In celebration of Sunshine Week, EPIC published the EPIC FOIA Gallery: 2012. The gallery highlights key documents obtained by EPIC in the past year, including the Federal Bureau of Investigation's watch list guidelines, records of the Department of Homeland Security's social media monitoring program, Google's first Privacy Compliance Report, records detailing the government's FAST scanning program, records of the FBI's surveillance of Wikileaks supporters, and DHS records detailing the use of body scanners at the U.S. border. EPIC regularly files Freedom of Information Act requests and pursues lawsuits to force disclosure of critical documents that impact privacy. EPIC also publishes the authoritative FOIA litigation manual. For more, see EPIC Open Government and EPIC Bookstore: FOIA. (Mar. 12, 2012) - Pew Study: Search Engine Users Anxious About Collection of Personal Information
A Pew study found that users of search engines were pleased with the quality of search results but opposed targeted advertising and search results, and were generally anxious about the collection of personal information by search engines. Specifically, 73 percent of those surveyed were opposed to search engines tracking their searches, and 68 percent opposed behavioral advertising. 83 percent of respondents reported using Google to conduct searches. Recently, Google began combining user data gathered from more than sixty Google products and services, including Google search, to create a single, comprehensive profile for each user. For more information, see EPIC: Search Engine Privacy and EPIC: EPIC v. FTC. (Mar. 9, 2012) - Video, Blog Post Raise New Questions About Airport Body Scanners
A popular video "How To Get Anything Through TSA Nude Body Scanners" shows that it is easy to bypass airport body scanners by hiding materials perpendicular to the plane of the scanning devices. The video also notes that traditional metal detectors, now being removed from US airports, would routinely alert to the presence of metallic objects. Still more interesting may be the recent blog post by a 25-year FBI agent, expert in aviation security, who writes that the "TSA has never foiled a terrorist plot or stopped an attack on an airliner" and that "the entire TSA paradigm is flawed." In a federal lawsuit, EPIC challenged the TSA airport scanner program, calling it "invasive, unlawful, and ineffective." For more information, see EPIC v. DHS (Suspension of body scanners). (Mar. 9, 2012) - Court Blocks Wisconsin Voter ID Law
A Wisconsin state court has granted a temporary order blocking the state from enforcing a new voter ID requirement. Wisconsin is one of eight states that now require voters to present a government-issued photo ID. Voter ID laws typically discourage voter turnout, particularly among poor and minority communities. In NAACP v. Walker, the Wisconsin court said that the "scope of impairment has been shown to be serious, extremely broad and largely needless." For more information, see EPIC: Voter Photo ID and Privacy. (Mar. 6, 2012) - DHS Privacy Office Releases 2011 Data Mining Report
The Department of Homeland Security has released the 2011 Annual Data Mining Report. The report must include all of the Agency's current activities that fall within the legislative definition of "data mining." Among other things, this year's report references the Agency's programs to profile individuals entering or leaving the country to determine who should be subject to "additional screening." A FOIA request by EPIC in 2011 revealed that the FBI's standard for inclusion on the list is "particularized derogatory information," which has never been recognized by a court of law. The report also provides information on Secure Flight and Air Cargo Advanced Screening. For more information, see EPIC: FBI Watch List FOIA and EPIC: DHS Privacy Office. (Mar. 5, 2012) - Twitter to Sell Two Years' Worth of Old Tweets
Twitter recently announced a deal with the analytics firm DataSift that authorizes DataSift to sell the content of public tweets posted over the last two years. Companies who buy the data from DataSift will be able to market to users based on the topic or location of the tweets. DataSift will be required to regularly remove tweets that users delete. Previously, Twitter gave the Library of Congress access to every public tweet since the company’s inception in 2006. In 2011, the Federal Trade Commission reached a settlement with Twitter over charges that inadequate security measures allowed computer criminals to gain administrative access to the company. For more information, see EPIC: Federal Trade Commission. (Mar. 2, 2012) - EPIC Urges DHS to Abide by Privacy Laws When Conducting Technology Research
Earlier this week, EPIC submitted comments to the DHS on "The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research." DHS sought public views on the privacy implications of ethical human subject research in information and communication technology research. EPIC said that many federal privacy laws, such as the Privacy Act of 1974, set out legal standards for how government agencies should protect personal data. EPIC strongly urged DHS to abide by federal privacy laws rather than adopt non-binding principles, which are not enforceable and provide few rights for individuals. For more information, see EPIC: Privacy and The Common Rule. (Mar. 1, 2012) - European Justice Minister Says Google Now in Violation of EU Law
European Justice Minister Viviane Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order). (Mar. 1, 2012) - EPIC Urges Court to Uphold Location Privacy in Cell Phone Tracking Case
EPIC filed a "friend of the court" brief in the New Jersey Supreme Court urging the court to uphold Fourth Amendment protections for cell phone users. In State of New Jersey v. Thomas W. Earls, the lower court held that an individual has no legitimate expectation of privacy in the location of their cell phone. EPIC argued that the lower court opinion should be overturned in light of the Supreme Court's recent decision in United States v. Jones. The cell phone tracking technique in this case, EPIC argued, "is more invasive than the GPS tracking in Jones." For more information, see EPIC: State v. Earls, and EPIC: US v. Jones. (Feb. 29, 2012) - EPIC Sues to Block Changes to Education Privacy Rules
EPIC has filed a lawsuit under the Administrative Procedure Act against the Department of Education. EPIC's lawsuit argues that the agency's December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency's statutory authority, and are contrary to law. In 2011, the Education Department requested public comments regarding the proposed changes. In response, EPIC submitted extensive comments, addressing the student privacy risks and the agency's lack of legal authority to make changes to the privacy law without explicit Congressional intent. The agency issued the revised regulations despite the fact that "numerous commenters . . . believe the Department lacks the statutory authority to promulgate the proposed regulations." EPIC is joined in the lawsuit by co-plaintiffs Grayson Barber, Pablo Molina, Peter G. Neumann, and Dr. Deborah Peel. The case is EPIC v. US Department of Education, No. 12-00327. For more information, see EPIC: Student Privacy. (Feb. 29, 2012) - Senators Seek Study on Voter ID Laws
A group of U.S. senators have asked the Government Accountability Office to study the “alarming number” of new state laws that will make it “significantly harder” for millions of eligible voters to cast ballots this November. New state identification laws, by one estimate, will have a direct impact on 21 million American citizens who do not have a government-issued photo ID. The majority of those people are young would-be voters, the elderly, African Americans, Hispanics, and those earning $35,000 per year or less. For more information, see EPIC: Voting Privacy and Voter Photo ID and Privacy. (Feb. 29, 2012) - Identity Theft Remains Top Concern of US Consumers
According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011 comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft. (Feb. 29, 2012) - EU and US Consumer Groups to Google: "This plan is a mistake"
The Transatlantic Consumer Dialogue, a coalition of leading consumer organizations in North America and Europe, today urged Google CEO Larry Page to drop the plan to combine user data on March 1. Citing the pending changes to Google's terms of service, the groups said "It is both unfair and unwise for you to 'change the terms of the bargain' as you propose to do." TACD said "consumers have relied on your policies and your terms of service in choosing your products." Late Friday, EPIC filed an emergency appeal with the DC Circuit of Appeals in an attempt to force the Federal Trade Commission to take action prior to March 1. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 29, 2012) - Virginia Senate Narrowly Approves Voter ID Law
The Virginia Senate passed a controversial voter photo ID law by one vote. The bill now goes to the Virginia House for consideration. Voter ID laws implicate the privacy rights of voters and also discourage voter turnout, particularly among poorer voters who may not have necessary credentials, such as a driver's license. In 2007, EPIC challenged the Indiana voter photo ID law. For more information, see EPIC: Voting Privacy and EPIC: Crawford v. Marion County. (Feb. 28, 2012) - FTC Chairman: Google Users Face a "brutal choice" -- Europeans: "Google's new policy does not meet the requirements of the European Directive on Data Protection."
Pressure is building as the March 1 deadline for Google's planned changes in user privacy approaches. In an interview with C-Span, the Chairman of the Federal Trade Commission said that users of Google services face a "brutal choice." The head of the French Data Protection Agency, on behalf of European privacy agencies, has warned that Google's proposed change violates European Union privacy law. She reiterated the recommendation of Europe's Justice Minister that Google suspend the change. In Washington, DC, EPIC has filed an emergency appeal with the DC Circuit Court of Appeals to force the FTC to enforce the 2011 consent order against Google. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 28, 2012) - Pew Study: Social Media Users Active in Protecting Privacy
A Pew study found that users are becoming more active in managing their social media accounts. Compared to 2009, a higher percentage of users reported deleting people from their “friends” lists, deleting comments made by others on their profile, and removing their names from photos in which they were tagged. The report also found that women and young users were the most active in protecting their privacy. The Federal Trade Commission is currently finalizing a consent order with Facebook over charges that the company changed users' privacy settings to make personal information more available to the public and to Facebook's business partners. For more information, see EPIC: Social Networking Privacy, EPIC: Facebook Privacy, and EPIC: Public Opinion and Privacy. (Feb. 27, 2012) - EPIC Appeals Court Ruling in Google Privacy Case
Within hours after a federal court in Washington, DC ruled that it could not require the Federal Trade Commission to enforce a consent order against Google, EPIC filed an emergency appeal with the Court of Appeals for the DC Circuit. EPIC has asked the appellate court to overturn the lower court decision before March 1, when Google will change its terms of service and consolidate user data without consent. For more information, see EPIC - EPIC v. FTC (Google Consent Order). (Feb. 27, 2012) - EPIC Petition Demands that FAA Protect Privacy and Regulate Drones
EPIC, joined by more than 100 organizations, experts, and members of the public, has sent a petition to the Federal Aviation Administration, urging the agency to address the privacy threats associated with the increased use of drones in the United States. Congress recently passed legislation requiring the Agency to assess the safety of drones used by commercial and government operators. The petition asserts that "The privacy threat posed by the deployment of drone aircraft in the United States is great. The public should be given the opportunity to comment on this development." For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 24, 2012) - Privacy Groups to Rep. Bono-Mack: "Hold *Public* Hearings on Google Privacy Changes"
Five privacy organizations, including EPIC, wrote today to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1. Rep. Bono-Mack has held closed-door meetings with the Internet giant, but so far has scheduled no public hearings on the plan to consolidate user data, which EPIC alleges violates a 2011 Consent Order with the Federal Trade Commission. The consumer groups also asked the Congresswoman to urge Google to suspend its plan pending an investigation. They said there would be "overwhelming public support for this action" and cited recent statements from Members of Congress, Attorneys General, European Justice Officials, the President, technical experts, and IT managers in government and the private sector. For more information see EPIC: EPIC v. FTC. (Feb. 24, 2012) - Judge Rules that Courts Lack Jurisdiction over FTC, Acknowledges "Serious Concerns" with Google Privacy Changes
A federal court today dismissed EPIC's lawsuit against the FTC, because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC will appeal the decision on judicial review, asking the DC federal appeals court to rule that courts can require federal agencies to enforce final orders. For more, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 24, 2012) - White House Sets Out Consumer Privacy Bill of Rights
The Obama Administration put forward a comprehensive privacy framework with principles designed to establish new safeguards for consumers and new responsibilities for companies that collect and use personal information. The principles include (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability. President Obama stated that "even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever." EPIC praised the framework and the President's support for privacy, and said that the challenge ahead would be implementation and enforcement. For more information, see EPIC: Commerce Department and EPIC: Federal Trade Commission, and EPIC: White House - Consumer Privacy Bill of Rights. (Feb. 23, 2012) - EPIC Obtains New Documents on DHS Media Monitoring, Urges Congress to Suspend Program
EPIC has submitted a letter to Congress following a hearing on DHS monitoring of social networks and media organizations. In the letter, EPIC highlights new documents obtained as a result of a FOIA lawsuit and points to inconsistencies in DHS' testimony about the program. Though DHS testified that it does not monitor for public reaction to government proposals, the documents obtained by EPIC indicate that the DHS analysts are specifically instructed to look for criticism of the agency and then to redirect reports that would otherwise be circulated to other agencies. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity. For more information, see EPIC: EPIC v. DHS: Media Monitoring. (Feb. 23, 2012) - State Attorneys General Cite Privacy Risks to Android Users, Demand Meeting with Google
Attorneys general from 36 states and territories sent a letter to Google raising new questions about the plan to consolidate user data on March 1. "The new policy forces consumers to allow information across all of these products to be shared, without giving them the ability to opt out," the letter says. The state AGs also say "this invasion of privacy is virtually impossible to escape for the nation's Android-powered smartphone users, who comprise nearly 50% of the national smartphone market. For these consumers, avoiding Google's privacy policy change may mean buying an entirely new phone at great personal expense." The AGs point out that Google told Android users "We will not reduce your rights under this Privacy Policy without your explicit consent." Last week, EPIC filed a lawsuit to force the Federal Trade Commission to require Google to honor its previous commitments to Google users. EPIC has alleged that the proposed changes in the company's practices violate a 2011 Consent Order. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 22, 2012) - Support EPIC's Petition: Tell the FAA to Begin a Rulemaking on Drones and Privacy
The Federal Aviation Administration is about to begin a public rulemaking on public safety related to drone use. EPIC would like the FAA to also undertake a rulemaking on privacy. The use of drones in US airspace poses a real threat to important privacy interests, and the Agency has the authority to regulate the use of drones. If you would like to sign EPIC's petition, please send an e-mail with the subject line "I support the EPIC Drone Privacy Petition to the FAA," your full name, and email address or twitter handle to drones@epic.org. Your name will be added as a signatory. All emails must be received by midnight on Friday, February 24, 2012. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 22, 2012) - EPIC Urges Federal Court To Hold FTC Accountable for Failure to Enforce Google Consent Order
In a reply brief filed today in Washington, DC, EPIC said that the Federal Trade Commission's failure to enforce the Consent Order against Google prior to March 1 would cause "irreparable injury." EPIC cited Google's plans to combine user data without consent, and pointed to numerous cases that establish the need for the Court to assess the FTC's failure to act. Dismissing arguments asserted by the government that "FTC enforcement decisions are not subject to judicial review," EPIC said that Congress has clearly told the Federal Trade Commission to enforce its final orders. And in response to a claim that EPIC's request for action by March 1 is "arbitrary," EPIC wrote "If the government is unaware that Google plans to make a substantial change in its business practices on March 1, 2012, it should turn on a computer connected to the Internet." For more information, see EPIC, EPIC v. FTC (Google Consent Order). (Feb. 21, 2012) - 2013 Federal Budget Limits Body Scanners, But Expands Domestic Surveillance
According to White House budget documents and the Congressional Testimony of Secretary Napolitano, DHS will not purchase any new airport body scanners in 2013. However, the agency will expand a wide range of programs for monitoring and tracking individuals within the United States. This includes the development of biometric identification techniques for programs such as Secure Communities. DHS will also seek funding for "Einstein 3," a network intrusion detection program that enables surveillance of private networks. EPIC has urged the DHS to comply with the requirements of the federal Privacy Act, and is currently pursuing several Freedom of Information Act lawsuits against the agency. For more information, see EPIC - Body Scanners and Radiation Risks, EPIC - E-Verify, EPIC - Secure Communities, EPIC - Fusion Centers, EPIC - Drones, EPIC - Cybersecurity, EPIC - Secure Flight. (Feb. 20, 2012) - FTC Files Opposition / Motion to Dismiss in EPIC v FTC
The Federal Trade Commission today filed an opposition and a motion to dismiss in response to EPIC's complaint to compel the agency to enforce the October 2011 Consent Order against Google. The government stated that EPIC would "deprive the Commission of the discretion to exercise its enforcement authority." The government also charged that EPIC's lawsuit is "completely baseless." The papers were filed in federal District Court on the same day that the Wall Street Journal reported that Google had subverted the privacy settings of millions of users of the Internet browser software Safari. For more information see: EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012) - "FOIA Matters" - EPIC Obtains Google Privacy Compliance Report
As the result of a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained a full copy of Google's first Privacy Compliance Report. Last year, spurred by a complaint pursued by EPIC, the FTC reached a settlement with Google and required the company to file regular reports with the Commission detailing its steps to comply with the Consent order. However, the report obtained by EPIC raises new questions about the company's efforts to safeguard user privacy. EPIC has recently filed a lawsuit against the FTC to compel the agency to enforce the Consent Order. For more information see: EPIC: EPIC v. FTC (Google Consent Order) and EPIC: In re Google Buzz. (Feb. 17, 2012) - EPIC to FTC: Enforce the Google Consent Order
Today EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google in light of a recent Wall Street Journal article based on research from Stanford's Jonathan Mayer that described how Google had been circumventing the privacy settings of Safari users despite Google's promise to respect such settings. EPIC said that Google "took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained." EPIC has filed a lawsuit to force the FTC to require Google to comply with the Consent Order to protect the privacy interests of Google users. The FTC's Response to the EPIC motion is due February 17; EPIC's reply is due February 21, 2012. For more information, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 17, 2012) - Congress Grills Department of Homeland Security
Members of a House Committee today questioned DHS officials about the agency's monitoring of social networks and media organizations for information that "reflects adversely" on the agency or the federal government. Several members expressed support for EPIC's proposal that DHS suspend the program, warning that this activity violates First Amendment rights. New questions also arose when the DHS witnesses claimed that no other federal agencies were engaged in similar practices. According to many news sources, the FBI wants to monitor social media. The House hearing was called after EPIC obtained nearly 300 pages of documents detailing the Department of Homeland Security's activities. For more information see: EPIC v. Department of Homeland Security: Media Monitoring. (Feb. 16, 2012) - FTC Report Shows Privacy Problems with Mobile Apps
The Federal Trade Commission issued a report today that found widespread failure among app stores and app developers to provide information to parents about the collection and use of children's data. The report noted that there are currently more than 500,000 apps in the Apple App Store and 380,000 in the Android Market, and that young children and teens are increasingly using smartphones for entertainment and educational purposes. The FTC report recommends that apps provide simple, short disclosures about their information collection and use practices, and that app stores assume a greater role in providing information about the apps that they sell. EPIC previously submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Feb. 16, 2012) - FCC Issues Tougher RoboCall Rules
The Federal Communications Commission has issued new rules that strengthen consumer protections against telemarketing calls. The rules require telemarketers to obtain written consent of consumers before placing a robocall, require telemarketers to allow consumers to revoke consent to a robocall during the call itself, and close a loophole that allowed telemarketers to place calls to customers with whom they had an established business relationship. EPIC was one of the consumer and privacy groups that advocated for the original Do Not Call registry. EPIC has also urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. For more information, see EPIC: EPIC Telemarketing and Telephone Consumer Protection Act. (Feb. 16, 2012) - EPIC Asks Congress to Suspend DHS Social Network Monitoring Program
In a Statement for the Record, EPIC has asked the House Committee on Homeland Security to suspend a DHS program that has permitted the agency to gather comments critical of the agency and the government by monitoring social networks and media organizations. The hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy" was called after EPIC obtained nearly 300 pages of documents detailing the Department of Homeland Security's activities. The documents, obtained as a result of EPIC's Freedom of Information Act lawsuit, include instructions from the DHS to General Dynamics to monitor media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring. (Feb. 15, 2012) - EPIC FOIA - New Details About Automated License Plate Readers Obtained
In response to an EPIC Freedom of Information Act request, Customs and Border Protection has disclosed nearly 1,000 pages of documents on automated license plate readers and border body scanners. The documents include contracts with several companies, such as Rapiscan and L3, for vehicle and cargo screening x-ray devices. Previous documents obtained by EPIC revealed that the agency is developing integrated vehicle scanners, with backscatter x-ray, Closed Circuit Television, and automated license plate readers, that would be used with human subjects. Radiation experts have questioned the safety of these systems, which produce ionizing radiation. For more information see EPIC FOIA: Automated License Plate Readers and Border Checkpoint Body Scanners. (Feb. 14, 2012) - Google Report Raises New Questions About Compliance with Consent Order
The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 10, 2012) - NIST Proposes Governance Structure for Internet Identity
The National Institute of Standards and Technology has released a report detailing the governance structure for the White House’s National Strategy for Trusted Identities in Cyberspace. EPIC, joined by the Liberty Coalition, submitted comments on the original proposal, emphasizing the need for transparency and balanced representation. NIST adopted many of EPIC’s suggestions, including the establishment of a Privacy Coordination Committee. However, the final document ignored EPIC’s recommendation that legislation be enacted to safeguard privacy. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Feb. 10, 2012) - Federal Court Grants Accelerated Briefing Schedule in EPIC v. FTC
In response to EPIC's complaint and motion to compel the Federal Trade Commission to enforce a consent order against Google, a federal district court judge has ordered an accelerated briefing schedule. The FTC's Response to the EPIC briefs is due February 17; EPIC's reply is due February 21, 2012. The Court's deadlines reflect Google's imminent, substantial changes to the company's business practices. Google intends to consolidate the personal data of Google users across 60 services on March 1. EPIC contends that these changes constitute a violation of the consent order with the Federal Trade Commission. For more information, see EPIC v. FTC (Google Consent Order). (Feb. 9, 2012) - Department of Homeland Security Disregards Public Comments and Issues Final Rule that Undermines Traveler Privacy Rights
The U.S. Customs and Border Protection, a component within the Department of Homeland Security, issued a final rule approving Global Entry, a traveler screening program, despite the substantial privacy and security risks brought to the agency's attention. Under the Global Entry program, the CBP collects detailed personal information, including social security numbers and biometric information, that should be subject to Privacy Act safeguards. However, the agency rejected EPIC's recommendations that it comply with the Privacy Act by limiting the distribution of information to only those that need the information for screening purposes. In EPIC's comments, EPIC also noted that CBP violated federal law by not conducting a Privacy Impact Assessment before implementing the new Global Entry program. For more information, see: EPIC: Global Entry. (Feb. 8, 2012) - FAA Legislation Prompts Agency to Assess Safety of Drones in US Airspace
In the Re-Authorization Bill for the Federal Aviation Administration, Congress has required the agency to develop rules governing the operation of drones within U.S. National Airspace. Currently, the only barriers to operation of unmanned aircraft are procedural requirements that oblige drone operators to obtain operation certificates. The FAA Modernization and Reform Act of 2012 requires the agency to conduct a public rule-making that will assess public safety concerns, licensing requirements, flight standards, and air traffic requirements. The FAA Secretary will also undertake safety studies and develop standards for "Safe Operation" in US airspace. However, the legislation does not consider the need to assess the privacy risks of the deployment of drones in US airspace. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 8, 2012) - EPIC Sues Federal Trade Commission to Enforce Google Consent Order
EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network." (Feb. 8, 2012) - Congress to Hold Hearing on Department of Homeland Security Social Network Monitoring
On February 16, 2012, the House Committee on Homeland Security will hold a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." The hearing was called after EPIC obtained nearly 300 pages of documents, as a result of a Freedom of Information Act lawsuit, detailing the Department of Homeland Security's monitoring of social networks and media organizations. The documents included guidelines from DHS instructing General Dynamics to monitor for media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring. (Feb. 6, 2012) - Google Backs Off Privacy Policy Change for Federal Government
In response to growing concern about the impact of Google's proposed policy change on user privacy and cloud-computing services, the company said that its planned privacy changes will not apply to US federal agencies. A report from Safegov.org "Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud" recommended that "Google immediately suspend the application of its new privacy policy to Google Apps For Government users." Google told POLITICO's Morning Tech "cloud contracts are crafted with 'narrow, specific obligations' on how data can be used and stored. And those data requirements in the cloud contracts trump the company's standard privacy policy." (Feb. 3, 2012) - Google Policy Change Triggers EU Privacy Revolt
Leading privacy officials in Europe have asked Google "for a pause" in the company's planned consolidation of user data "in the interests of ensuring that there can be no misunderstanding about Google's commitments to the information rights of their users and EU citizens. . ." EU Commissioner Viviane Reding (@VivianeRedingEU) has expressed support, tweeting "Good that Europe's data protection authorities are ensuring @Google's new privacy policy complies with EU law." EPIC has urged the United States to begin the process of ratification of the Council of Europe Privacy Convention, which would establish global standards for privacy protection. (Feb. 3, 2012) - EPIC Seeks Public Release of Google's Privacy Report
EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz. (Feb. 1, 2012) - EPIC Calls for Moratorium on Facial Recognition Technology
In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised by facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition. (Feb. 1, 2012) - EPIC to Recommend Changes to Video Privacy Law
At a hearing before the Senate Judiciary Committee, EPIC Executive Director Marc Rotenberg is expected to make several recommendations to Congress about how to update and modernize the Video Privacy Protection Act, a law passed by Congress in 1988. Among the changes recommended, EPIC will propose that Congress make clear that the law covers all video service providers (including Netflix), allow users to inspect the information that video providers collect about them as well as the algorithms that are used to recommend selections, treat IP addresses and user IDs as "personally identifiable information," inflation-adjust the damages provision, and require companies to encrypt the data collected on users. For more information, see EPIC Video Privacy Protection. Read EPIC's testimony. (Jan. 30, 2012) - EPIC Expresses Support for International Privacy Convention
Speaking this week at the Computers, Privacy and Data Protection conference, EPIC President Marc Rotenberg expressed support for the Council of Europe Privacy Convention. Two years ago, twenty-nine members of the EPIC Advisory Board, experts in privacy law and technology, sent a letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. They wrote, "privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." Speaking in Brussels, Mr. Rotenberg reiterated EPIC's support for the Convention and also called attention to recent changes that modernize and update the international privacy framework. (Jan. 27, 2012) - Congress Seeks Answers on Google's Plans for Data Consolidation
Eight members of Congress wrote to Google asking the company to explain the "steps [that] are being taken to ensure the protection of consumers' privacy rights." The letter follows Google's announcement that it would begin combining data gathered on consumers of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. The members' letter includes 11 specific questions ranging from the ways in which Google collects information to the specific consequences for Android phone users. In 2010, EPIC, along with other privacy groups, wrote a letter to Google about the company's decision to combine user data among 12 Google services. The groups warned that the practical effect would be to reduce privacy protection for users of Google services. For more information, see EPIC: In re: Google Buzz and EPIC: Google search. (Jan. 27, 2012) - EPIC Gives 2012 Privacy Champion Awards to Canadian Privacy Commissioner, Privacy Technologist
EPIC has given the 2012 Privacy Champion Awards to Canadian Privacy Commissioner Jennifer Stoddart and privacy technologist Christopher Soghoian. EPIC called Stoddart a "steadfast defender of privacy" and cited her work to strengthen international collaboration among privacy officials. Of Soghoian, EPIC said he is "an expert technologist dedicated to privacy," and cited his ability to combine technical know-how, legal expertise, and clever campaign tactics. EPIC Champion of Freedom press release. Stoddart acceptance speech. (Jan. 26, 2012) - EPIC Files Suit for Documents Detailing Surveillance of WikiLeaks Supporters
EPIC has filed suit against the Department of Justice and Federal Bureau of Investigation under the Freedom of Information Act for documents detailing surveillance of WikiLeaks supporters. After WikiLeaks' November 2010 publication of diplomatic cables, the U.S. government opened investigations into WikiLeaks supporters and pressured many online donation systems, including Amazon and Paypal, to cease processing donations to WikiLeaks. In June 2011, EPIC filed Freedom of Information Act requests with the Department of Justice and the Federal Bureau of Investigation. EPIC is seeking documents that detail government requests for information about users of Facebook, Twitter, Paypal and Visa. For more information see: EPIC: Open Government. (Jan. 25, 2012) - Comprehensive Revision of European Privacy Law Announced
The European Commission has proposed modernized Data Protection rules that will simplify business compliance and establish new privacy rights for individuals. EC Justice Commissioner Viviane Reding explained, "The proposal will help build trust in online services because people will be better informed about their rights and in more control of their information." In 2009, EPIC joined 110 other civil society groups and 106 experts in endorsing the Madrid Privacy Declaration, which called for the establishment of "a new international framework for privacy protection . . . . based on the rule of law, respect for fundamental human rights, and support for democratic institutions." For more information, see EPIC: EU Data Protection Directive. (Jan. 25, 2012) - Google Changes Privacy Practices, Consolidates User Data
Google announced that it would begin combining data gathered on users of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. Previously, users could use one Google service, such as Google+, without having their information combined with that gathered from other services, such as Youtube. Users cannot opt out of having their data combined unless they avoid signing into their user accounts or stop using Google’s services altogether. Google’s changes come after the company began surfacing personal information from Google+ in Google search results, a move that EPIC said raised privacy and antitrust issues. In 2010, EPIC, along with other privacy groups, wrote a letter to Google over the company's decision to combine user data among 12 Google services. Google is subject to a settlement with the Federal Trade Commission that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. For more information, see EPIC: Federal Trade Commission and EPIC: Google Search. (Jan. 25, 2012) - EPIC Launches "Good to Really Know" Education Campaign
Following the announcement of the "Good to Know" advertising campaign by a major Internet firm, EPIC has launched "Good to Really Know," a brief YouTube video that offers practical advice about Internet privacy and tips for Internet users. The EPIC video covers Internet tracking and profiling. It also reminds users "It's Your Data," and offers suggestions for how Internet companies could help protect Internet privacy. (Jan. 25, 2012) - Senator Leahy Expresses Support for International Privacy Day
Senator Patrick Leahy, the Chairman of the Senate Judiciary Committee, offered a statement commemorating Data Privacy Day, which takes place on January 28. Senator Leahy urged the Congress to adopt comprehensive data privacy legislation to "better protect Americans' sensitive personal data and reduce the risk of data security breaches." He also recommended changes to the Electronic Privacy Communications Act to "reflect the realities of our time" and to "keep us safe from cyber threats." EPIC will be participating in the annual Computers, Privacy, and Data Protection conference, taking place this week in Brussels. EPIC will also be announcing the recipients of the 2012 International Champion of Freedom Award and the 2012 US Privacy Champion Award. Join International Privacy Day on Facebook. (Jan. 24, 2012) - Supreme Court Upholds Fourth Amendment in GPS Tracking Case
Today the Supreme Court unanimously held in U.S. v. Jones that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment. The Court said that a warrant is required "[w]here, as here, the government obtains information by physically intruding on a constitutionally protected area," like a car. Concurring opinions by Justices Sotomayor and Alito urged the court to focus on the reasonableness of the suspect's expectation of privacy because physical intrusion is unnecessary to surveillance in the digital age. EPIC, joined by 30 legal and technical experts, filed a "friend of the court" brief. EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy. (Jan. 23, 2012) - FTC Adds Google+ to Antitrust Investigation
Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jan. 13, 2012) - EPIC - FOIA Documents Reveal Homeland Security is Monitoring Political Dissent
As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly three hundred pages of documents detailing a Department of Homeland Security surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that "reflect adversely" on DHS or the U.S. government. One tracking report -- "Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison-Standish MI" -- summarizes dissent on blogs and social networking sites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring. (Jan. 13, 2012) - EPIC Urges Trade Commission to Investigate Google Search
In a letter to the Federal Trade Commission, EPIC has called for an investigation of recent changes by Google to Google Search, the dominant search algorithm on the Internet. EPIC cited Google's decision to include personal data, such as photos, posts, and contact details, gathered from Google+ in Google Search results. “Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of Google products and services and subjects the company to regular privacy audits. Recently, the Senate held a hearing on Google’s use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google’s acquisition of Youtube, which allowed Google to give preferential treatment to Google's own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission. (Jan. 12, 2012) - Google Changes Search Results, Preferences Google+ Results
Google is changing the results displayed by its search engine to include data from its social network, such as photos or blog posts made by Google+ users, as well as the public Internet. Although data from a user’s Google+ contacts is not displayed publicly, Google’s changes make the personal data of users more accessible. Users can opt out of seeing personalized search results, but cannot opt out of having their information found through Google search. Also, Google's changes come at a time when the company is facing increased scrutiny over whether it distorts search results by giving preference to its own content. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. Google has also acknowledged that the FTC is investigating whether Google uses its dominance in the search field to inhibit competition in other areas. For more information, see EPIC: Google/DoubleClick. (Jan. 10, 2012) - DHS Memo Reveals Plan to Impose "Secure Communities" on All States
According to a draft memo, the Department of Homeland Security intends to require that all states comply with the agency's "Secure Communities" program by 2013. Secure Communities is a controversial deportation program that relies on extensive data collection and biometric identification. Several states, including Illinois, New York and Massachusetts, objected to the federal program, citing mismanagement, and refused to participate. Previously, the DHS maintained that the program would be voluntary. For more, see EPIC: Secure Communities. (Jan. 10, 2012) - Supreme Court to Hear Case About Enhanced Search Techniques
The US Supreme Court has decided to review Florida v. Jardines, a case that addresses whether a dog sniff at the front door of a home is a search that requires probable cause. This case follows Illinois v. Caballes, a 2005 case in which the Court held that a dog sniff around a car during a routine traffic stop was not a search. The Florida Supreme Court ruled that Caballes was inapplicable in the case, and that a dog sniff in front of a home is a Fourth Amendment search. This case also implicates the government's use of "enhanced" investigative techniques that are designed to detect contraband. Because these techniques are imperfect and also allow the government to search for material that is not illegal, EPIC has argued that a Fourth Amendment probable cause standard should apply. For more information, see EPIC: EPIC v. DHS (Airport Body Scanners). (Jan. 6, 2012) - Federal Court Revives Suit Over NSA Dragnet Surveillance
A federal appeals court recently revived a lawsuit, Jewel v. NSA, challenging the NSA's use of the nation's largest telecommunication providers to conduct suspicionless surveillance of Americans. The three-judge panel reversed a lower court decision that rejected claims based on lack of standing. The case will now return to the district court for a decision on the merits. The same three-judge panel also rejected a related suit against the telecommunications providers, Hepting v. AT&T, based on the "retroactive immunity" provided by Congress in 2008. EPIC, in cooperation with the Stanford Constitutional Law Center, filed a "Friend of the Court" brief in support of the plaintiffs in these cases, arguing that statutory and constitutional privacy violations are sufficient to establish standing, and that the state secrets doctrine should not bar adjudication. For more information, see EPIC: Hepting v. AT&T and EPIC: NSA Warrantless Surveillance. (Jan. 5, 2012) - EPIC Urges Appeals Court to Shed Light on Google-NSA Agreement
EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship. (Jan. 4, 2012)