Previous Top News: 2014
- Final Act: Senator Rockefeller Proposes Drone Privacy Bill
Senator Rockefeller, the outgoing Chair of the Senate Commerce Committee and a leading privacy champion, introduced a bill to require privacy safeguards in the commercial operation of drones. The Unmanned Aircraft Systems Privacy Act of 2014 would prohibit surveillance of individuals by companies unless explicit prior consent is obtained and would require the development of remote identification transmission technologies for drones. The bill would also provide a private right of action against invasions of privacy in violation of the act and grant the FTC additional authority to regulate on commercial drone privacy issues. EPIC previously testified before Congress in support of a drone privacy law. EPIC recommended data use and retention limitations as well as additional transparency and accountability measures for drone operators. For more information, see EPIC Spotlight on Surveillance: Drones - Eyes in the Sky and EPIC: Domestic Drones. (Dec. 24, 2014)
- Homeland Security Pushes Forward "Real ID"
Beginning in 2015, many federal facilities will require a "Real ID" for entry where identification is required. Several states have opted out of the Real ID Act, a federal mandate to modify the design of state driver's licenses, raising questions about the ability of people in those states to access federal buildings and board commercial aircraft. EPIC, supported by a broad coalition, opposed the Real ID regulations, arguing that many of the required identification techniques, such as facial recognition and RFID tags, compromise privacy and enable surveillance. EPIC, joined by technical experts and legal scholars, also provided detailed comments to the Department of Homeland Security about the program and later issued a report: "REAL ID Implementation Review: Few Benefits, Staggering Costs" (May 2008). For more information see: EPIC: National ID and the Real ID Act. (Dec. 18, 2014)
- Pew Research: Future of Data Privacy Uncertain
The Pew Research Center's new survey on "The Future of Privacy" found that experts predict that the struggle over privacy protection will continue through the next decade, though experts are divided about the likely outcomes. Among the key threats identified in the Pew study are the Internet of Things, the monetization of personal information, and increasing government surveillance. EPIC president Marc Rotenberg, one of the experts consulted, predicted, "There will be many contentious battles over the control of identity and private life. The appropriation of personal facts for commercial value — an issue that emerged with Google's 'shared endorsements' and Facebook's 'sponsored stories' — are a small glimpse of what lies ahead. The key will be the defaults: either individuals will control their online persona or it will be controlled by others." In May 2015, EPIC will release an anthology on the future of privacy. The book, "Privacy in the Modern Age: The Search for Solutions," will be published by The New Press. For more information, see EPIC: Public Opinion on Privacy. (Dec. 18, 2014)
- EPIC, Coalition Urge Changes for House Procedures on National Security
EPIC and a coalition of civil liberties groups are advocating for changes that would create more oversight and accountability in Congress for national security issues. In a letter to House Speaker John Boehner and Minority Leader Nancy Pelosi, more than 50 organizations recommended that the leadership provide all Members of Congress with access to relevant information and sufficient staff assistance. The groups recommended revising procedures for the House Permanent Select Committee on Oversight so that other Committees are kept informed, unclassified reports are made public with minimal delay, and the Committee operates more openly. The groups proposed a Congressional option for whistleblowers so that information can be communicated to Members of Congress "without fear of reprisal" and a comprehensive review of the activities of the Intelligence Community since 9/11, modeled after the 9-11 Commission. For more information see: EPIC: Open Government and FOIA Rocks. (Dec. 18, 2014)
- New Guidelines on Government Profiling Announced
The Department of Justice has updated federal guidance on the consideration of race and other attributes when performing law enforcement activities. Federal law enforcement agencies are now prohibited from using race, ethnicity, gender, national origin, religion, sexual orientation, or gender identity when making "routine or spontaneous law enforcement decisions, such as ordinary traffic stops." The guidance permits federal law enforcement to consider these factors when engaged in national security, intelligence, immigration law, and organized crime investigation. Federal agencies including the Federal Bureau of Investigation and Customs and Border Protection routinely use immutable characteristics, like race and ethnicity, to assign "risk-assessment" profiles on individuals who are not suspected of any crime. EPIC has previously urged the government to end this practice and to suspend the Automated Targeting System's "risk assessment" scoring. EPIC said that the use of factors such as race and nationality to profile individuals is unconstitutional. For more information, see EPIC: Automated Targeting System, EPIC: Passenger Profiling, and EPIC: EPIC v. Customs and Border Protection (Analytical Framework for Intelligence). (Dec. 18, 2014)
- Senator Franken Questions Uber About Use of Passenger Data
Senator Franken has received a response from Uber about the ride-sharing company's privacy practices. Last month, Franken asked Uber to answer ten questions about how the company treats passenger data. Specifically, Franken questioned Uber's use of the "God view" tool, which allows the company to track individual customers in real time. Uber failed to answer several of the Senator's questions and provided "a surprising lack of detail." EPIC recently proposed "Privacy Rules for Uber," as part of the "Rideshare Privacy Act of 2015." EPIC wrote that "there should be clear legal limits on the use of 'God view,'" explaining, "any use of that feature to track or stalk passengers should be prohibited by law. And all of these legal rights should be backed with meaningful fines if the company crosses the line." EPIC concluded, "the collection of detailed information on Uber passengers is a real problem that can no longer be ignored." For more information, see EPIC: Drivers Privacy Protection Act and EPIC: Automobile Event Data Recorders (Black Boxes) and Privacy. (Dec. 17, 2014)
- Strossen Joins EPIC Board of Directors
Former ACLU President Nadine Strossen has been elected to the Board of Directors of EPIC. Professor Strossen, who was recently named the John Marshall Harlan II Professor of Law at the New York Law School, is one of the world's leading experts on constitutional law, civil liberties, and international human rights. She joins a distinguished group of Internet pioneers, security experts, privacy advocates, Supreme Court advocates and policy experts on the EPIC Board and the EPIC Advisory Board. For more information, see EPIC Board of Directors and EPIC Advisory Board. (Dec. 17, 2014)
- Schneier: Over 700 Million People Taking Steps to Avoid NSA Surveillance
Famed technologist and EPIC Advisory Board member Bruce Schneier pushed back against media claims that Edward Snowden's revelations about the NSA have had little impact on Internet users. A recent global survey found that 39% of Internet users who have heard of Snowden have taken steps to protect their online privacy. Some news articles have characterized these users as "merely 39%" and "only 39%." But Schneier did the math and found that Snowden’s impact has been far from insignificant: "706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing." A recent Pew survey also indicates that the NSA revelations have had a dramatic impact on Internet users. Last year, EPIC filed a petition to the U.S. Supreme Court to stop the NSA's collection of domestic telephone records, following the release of the "Verizon Order." For more information, see EPIC: In re EPIC, EPIC: Smith v. Obama, and EPIC: Foreign Intelligence Surveillance Act Reform. (Dec. 17, 2014)
- "Eyes Over DC" - Department of Defense Launches Surveillance Blimps
On Friday, December 19, 2014, the US Army will deploy surveillance blimps just north of the nation's capital. The surveillance blimp system, known as "JLENS," is comprised of two 250' blimps. One blimp contains aerial and ground surveillance technology that covers a 340-mile range, while the other has targeting capability. The JLENS was originally deployed in Iraq. Earlier this year, EPIC filed a Freedom of Information Act lawsuit to gain more information about the JLENS system. Preliminary documents obtained by EPIC suggested that the blimps would be equipped with video surveillance, though the Army has since claimed that video surveillance will not be deployed. However, documents obtained by EPIC in another FOIA case indicate that Customs and Border Protection is operating surveillance blimps with video surveillance. And the contractor Raytheon has demoed a video surveillance upgrade for the JLENS system. For more information see: EPIC v. Dept. of Army - Surveillance Blimps, EPIC: Unmanned Aerial Vehicles, and EPIC Spotlight on Surveillance (2005) - "Unmanned Planes Offer New Opportunities for Clandestine Government Tracking." (Dec. 17, 2014)
- Dutch Privacy Officials Find Google Violates National Privacy Law
The Dutch Data Protection Authority has found that Google's 2012 privacy policy change violates Dutch data protection law. Google's policy change, which EPIC also opposed, consolidated user data across more than 60 separate services and gave Google the ability to track and profile users in extraordinary detail. The Dutch DPA has ordered Google to: (1) obtain "unambiguous consent of users for the combining of personal data" from different Google services; (2) describe in detail how the personal data are used by each Google service; and (3) clearly explain to consumers that YouTube is a Google service. Google must comply with the Dutch officials' order by February 2015 or face $19 million in fines. In issuing the decision, Jacob Kohnstamm, chairman of the Dutch DPA, stated, "Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested." In 2012, EPIC sued the Federal Trade Commission to block Google's 2012 policy change, which violated a 2011 FTC Consent Order. That Consent Order followed an extensive EPIC FTC Complaint and findings by the FTC concerning Google's business practices. For more information, see EPIC: EPIC v. FTC (Enforcement of the Google Consent Order), EPIC: In re Google Buzz, and EPIC: Federal Trade Commission. (Dec. 16, 2014)
- EPIC Backs Comments on Location Privacy
EPIC has joined a coalition of consumer privacy groups in comments to the Federal Communications Commission on the "Roadmap for Improving E911 Location Accuracy." EPIC and the groups explained that collecting location information without privacy protections puts customers at risk. EPIC filed similar comments with the FCC in 2007. EPIC urged the Commission to recognize that "(1) the FCC has an obligation to protect the privacy of consumer information generated by the provision of communication services; (2) current regulations do not adequately location-based information, (3) legal frameworks, notably in the European Union, provide safeguards for location data, and (4) the Commission should establish rules that limit the use of customer location-based information." EPIC has frequently advocated for express authorization prior to disclosure of "call location information." The "Roadmap" raises concerns that the location of telephone users will be routinely known to federal agencies, whether or not there is an emergency. EPIC has also filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking by the government is a search under the Fourth Amendment and should only be conducted with a judicial warrant. For more information, see EPIC: Locational Privacy. (Dec. 16, 2014)
- EPIC to Argue Before DC Circuit for Release of Cell Phone Shutdown Policy
This week EPIC President Marc Rotenberg will argue EPIC v. DHS, No. 14-5013 before the US Court of Appeals for the DC Circuit. At issue is the public release of the policy - "SOP 303" - to shut down cell phone service in the United States. EPIC filed a Freedom of Information Act request for the policy after government officials shut down cell phone service during a peaceful protest at BART subway stations in San Francisco. The government first contended it could not find the document, then located the document, then claimed it was exempt from disclosure. EPIC filed suit against the agency and a federal court ruled in EPIC's favor. On appeal, the government argued the decision should be reversed. EPIC responded that the decision was correct and SOP 303 should be released. The DC Circuit will hear arguments Thursday morning. For more information, see EPIC v. DHS - SOP 303. (Dec. 9, 2014)
- Leahy FOIA Reform Bill Passes in Senate
The Senate has unanimously passed the Freedom of Information Improvement Act of 2014. (Outline of bill.) The bill, cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX), requires Federal agencies to operate under a "presumption of openness." "The FOIA Improvement Act will help open the government to all Americans by placing an emphasis on openness and transparency, rather than allowing agencies simply to hide behind exemptions," Leahy and Cornyn said in a joint statement. The FOIA Improvement Act will also close a loophole that agencies have used to make requesters pay excessive fees, even when the agency takes years to process the request. EPIC has recommended many of these reforms, including changes to the "(b)(5)" exemption for agency memos. The bill goes next to the House for consideration. For more information, see EPIC: FOIA and FOIA.ROCKS. (Dec. 9, 2014)
- EPIC Asks New Mexico Supreme Court to Limit Aerial Surveillance
EPIC filed an amicus brief in a New Mexico Supreme Court case considering the warrantless search of private property. State v. Davis concerns law enforcement surveillance in a low-flying helicopter. EPIC argued that warrantless surveillance around a person's home violates both property interests and an individual's reasonable expectation of privacy. EPIC also warned the New Mexico high court that "Drones will enable broader use of aerial surveillance by law enforcement" agencies. EPIC explained that "it will be necessary to establish privacy rights to protect against constant monitoring." EPIC previously testified before Congress in support of a drone privacy law and petitioned the FAA to establish privacy safeguards for drone use. For more information, see EPIC: State v. Davis and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Dec. 8, 2014)
- British Court Upholds Mass Surveillance by UK Spy Agency
The Investigatory Powers Tribunal, which reviews complaints of unlawful surveillance by Britain's intelligence agencies, ruled that mass collection of online communications is legal. The complaint was brought by several privacy rights groups in the UK and focused on GCHQ's electronic surveillance program, TEMPORA, and information the UK spy agency obtained through NSA's PRISM and Upstream programs. The privacy rights groups plan to appeal the decision to the European Court of Human Rights. EPIC previously challenged the NSA's mass surveillance of U.S. phone records in a 2013 petition to the Supreme Court. EPIC's petition argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered Verizon to turn over records on all of its customers to the NSA. The EPIC petition was supported by legal scholars and former members of the Church Committee. For more information, see In re EPIC and EPIC: Foreign Intelligence Surveillance Act Reform. (Dec. 8, 2014)
- U.N. Urges All Countries to Protect Digital Privacy
The United Nations has adopted a resolution on "The Right to Privacy in the Digital Age" that reaffirms the rights and freedoms embodied in the Universal Declaration of Human Rights. The UN resolution highlights the risks of mass surveillance and warns that metadata "can reveal personal information and can give an insight into an individual's behavior, social relationships, private preferences and identity." Earlier this year, in a joint submission to the United Nations, the Brennan Center, EPIC, and other public interest organizations urged the Human Rights Council to review U.S. surveillance programs. The letter stated that U.S. "surveillance activities also violate the rights to privacy, freedom of expression, and the freedom of peaceful assembly and association..." guaranteed by the Universal Declaration of Human Rights. For more information, see EPIC: Council of Europe Privacy Convention and Public Voice - Madrid Declaration. (Dec. 8, 2014)
- Congress Considers Bill to Strengthen Privacy Act
Congressman Gerry Connolly (D-VA-11) has introduced legislation to update the federal Privacy Act. The "Safeguarding Individual Privacy Against Government Invasion Act of 2014" would compensate individuals for non-pecuniary harms after Privacy Act violations. The proposal is a response to FAA v. Cooper, a Supreme Court case holding that the Privacy Act does not cover mental and emotional damages. EPIC filed a "friend of the court" brief in that case, explaining that privacy laws routinely provide recovery for mental and emotional harm, that such damages are the most common consequence of privacy violations, and that civil remedies are necessary to ensure enforcement of the Privacy Act. Following the decision in FAA v. Cooper, EPIC set out proposals to strengthen the Privacy Act. EPIC has recently recommended that the Privacy and Civil Liberties Oversight Board prioritize Privacy Act enforcement. For more information, see EPIC: FAA v. Cooper, EPIC: Doe v. Chao, and EPIC: The Privacy Act of 1974. (Dec. 8, 2014)
- Facebook Revises Privacy Policy
Facebook has again revised its privacy policy. Despite the new graphics, Facebook continues to collect and disclose enormous amounts of user data without meaningful consent. The use of location data has expanded dramatically. "We collect information from or about the computers, phones, or other devices where you install or access our Services," states Facebook. These include "device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals." Facebook is currently under a 20-year consent decree with the Federal Trade Commission as a consequence of a complaint brought by EPIC and a coalition of consumer privacy organizations when the company changed the privacy settings of users. More recently, consumer organizations in the US and Europe have objected to Facebook's decision to track the web activities of users and to profile offline purchases. Privacy groups have also objected to Facebook's manipulation of user news feeds. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 5, 2014)
- Pew Survey: Americans Wrongly Believe Privacy Policies Protect Privacy
According to a Pew Survey, over 50% of internet users in the U.S. believe privacy policies protect their information. The survey posed the following true/false statement, "When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users." 52% of users incorrectly answered "true." The question was based on a similar 2003 survey - which found that 57% of users believed privacy policies protected their information. In the 1999 survey on online privacy, "Surfer Beware III: Personal Privacy and the Internet", EPIC "found that the privacy policies available at many websites are typically confusing, incomplete, and inconsistent." The original EPIC survey "Surfer Beware: Personal Privacy and the Internet (1997)" was the first survey ever undertaken of Internet privacy practices. EPIC wrote at the time, "it is matter of basic fairness to inform web users when personal information is being collected and how it will be used." For more information, see EPIC: Public Opinion on Privacy. (Dec. 5, 2014)
- Senator Leahy Calls on the President to End Bulk Collection of Phone Records
Today Senator Patrick Leahy (D-VT) urged President Obama to end the dragnet collection of U.S. telephone records under Section 215 of the Patriot Act. The current authorization for the NSA's bulk collection program expires on Friday, December 5, 2014. Senator Leahy's comments follow the recent efforts to pass the USA FREEDOM Act of 2014, which would end the NSA's surveillance program. Senator Leahy said that ending the reauthorization of the program "would not be a substitute for comprehensive surveillance reform legislation - but it would be an important first step." In June EPIC, joined by many organizations, urged the President and Attorney General to end the bulk collection program. And in 2013 EPIC petitioned the Supreme Court, arguing that a special surveillance court exceeded its authority when it ordered Verizon to turn over records on all of its customers to the NSA. For more information, see In re EPIC and EPIC: Foreign Intelligence Surveillance Act Reform. (Dec. 4, 2014)
- California Court Strikes Down DNA Collection Law
A state appeals court in California has struck down a state law that requires collection of DNA from people arrested on felony charges. The California court ruled that DNA collection by a cheek swab is an unreasonable search and seizure prohibited by the state's constitution. "The California DNA Act intrudes too quickly and too deeply into the privacy interests of arrestees," wrote the court. The appeals court also said that the U.S. Supreme Court's ruling in Maryland v. King, which upheld a similar law in Maryland, did not apply in this case because of significant differences between each state's DNA collection laws. EPIC has participated as amicus in several cases concerning the collection of DNA. In Maryland v. King, EPIC argued that the government collection of DNA opens the door to misuse and threatens personal privacy. For more information, see EPIC: Maryland v. King, EPIC: Maryland v. Raines, EPIC: Kohler v Englade, EPIC: US v. Kincade, EPIC: Herring v. US, EPIC: Comments on TSA Biometric Systems, and EPIC: Genetic Privacy. (Dec. 4, 2014)
- EPIC Pursues Information About "Hemisphere," Massive Phone Record Database
EPIC has filed a motion for summary judgment in a Freedom of Information Act lawsuit against the Drug Enforcement Administration. More than a year ago, EPIC sought documents from the agency concerning "Hemisphere," a massive AT&T call records database available to government agents. EPIC asked for the legal basis and privacy impact of the program. After the agency failed to respond to the request, EPIC filed a lawsuit. The DEA then produced several hundred pages of records. However, almost all were entirely redacted. EPIC now contends that the agency has failed to comply with the law. For more information, see EPIC: EPIC v. DEA - Hemisphere and EPIC: Freedom of Information Act. (Dec. 3, 2014)
- EU Officials: Court Ruling on "Right to be Forgotten" Applies Worldwide
Privacy regulators in the European Union have issued guidelines calling for the recent "Right to be Forgotten" ruling to apply worldwide. In May, the European Union Court of Justice ruled that a European Union citizen can ask search engines to remove links in search results based on the citizen's name. However, Google chose to remove the links for only certain domains, leaving the private information subject to the ruling accessible to most users. The new report makes clear that the ruling should apply across all search engine services. The EU officials explain, "limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling." For more information, see Fact Sheet on the Right to Be Forgotten, EPIC: Right to Be Forgotten, EPIC: International Privacy Law, EPIC: Expungement. (Dec. 1, 2014)
- FAA Grounds Drone Privacy Safeguards
In a letter to EPIC, the Federal Aviation Administration denied a petition to initiate a public rulemaking to address privacy and civil liberties issues posed by domestic drones. The agency stated it was not required to solicit public comments on the privacy implications of drones because privacy was "not an immediate safety concern." In March 2012, EPIC, joined by over 100 other organizations, experts, and members of the public, petitioned the FAA to "conduct a notice and comment rulemaking on the impact of privacy and civil liberties related to the use of drones in the United States." The agency published a notice with proposed privacy requirements for drone operators at FAA designated drone test sites. EPIC submitted comments in response to the notice, urging the agency to mandate minimum privacy standards for drone operators. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed that test site operators develop privacy policies but did not require any specific baseline privacy standards for drone operators. For more information, see EPIC: Domestic Drones and EPIC Spotlight on Surveillance: Drones - Eyes in the Sky. (Dec. 1, 2014)
- EPIC Uncovers DOD Student Data Collection Procedures
The Department of Defense has released to EPIC documents on the "Joint Advertising and Market Research Studies" Recruiting Database. The database includes sensitive student information, including home address and grade point average. DOD obtains this information from high schools offering military aptitude tests, state DMVs, and commercial data brokers. The documents sought by EPIC shed light on how DOD collects, retains, uses, and safeguards student information within the database. The documents provided to EPIC also reveal that many parents demanded that DOD remove their children's records from the system. In 2005, EPIC, joined by more than 100 organizations, urged former Secretary of Defense Donald Rumsfeld to end the database because it collected unnecessary information, did not permit individuals to opt-out, and was housed at a private-sector direct marketing company. The agency now permits individuals to opt-out. For more information, see EPIC: Student Privacy and EPIC: DOD Recruiting Database. (Nov. 26, 2014)
- WhatsApp Implements End-to-End Encryption
The messaging service WhatsApp has announced plans to implement end-to-end encryption for Android phones. WhatsApp gained popularity as a pro-privacy alternative to text messaging. However, privacy concerns were raised after Facebook's proposed acquisition of the company. EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to WhatsApp users. Now, WhatsApp has adopted the Open Whisper Systems protocols to ensure that users' messages are encrypted from sender to receiver and not simply between the user and the service provider. For more information, see EPIC: In re: WhatsApp. (Nov. 25, 2014)
- EPIC Seeks Reports on FISA Court Decisions
In a Freedom of Information Act lawsuit against the Department of Justice, EPIC filed a Motion for Summary Judgment on Friday arguing that the agency improperly withheld surveillance reports sought by EPIC. The semiannual reports, prepared for Congressional oversight committees, summarize significant FISA Court decisions and include the total number of FISA applications filed by the government and the number of U.S. persons targeted for surveillance. They are similar to reports that are routinely disclosed to the public. EPIC argued that the "FISA Pen Register" reports should also be disclosed because they describe topics of "utmost importance to the public and are necessary to inform the ongoing debate over current surveillance authorities." EPIC maintains a summary of all the annual FISA statistics published by the Attorney General. For more information, see EPIC v. DOJ: FISA Pen Register Reports and EPIC: FISA Court Orders. (Nov. 24, 2014)
- White House to End Controversial "Secure Communities" Program
President Obama's executive action on immigration will end the "Secure Communities" program. Secure Communities is a controversial deportation program that relies on extensive data collection and biometric identification. Many states, including Illinois, New York, and Massachusetts, withdrew from the Homeland Security program, warning that it undermined public safety and encouraged racial profiling. Secure Communities will be replaced by the Priority Enforcement Program, a targeted program that will focus on removing convicted criminals. EPIC, joined by a coalition of 70 organizations, previously urged the Inspector General of the Department of Justice to review the Secure Communities program. For more information, see EPIC: Secure Communities and Privacy; See also TRAC: Immigration. (Nov. 24, 2014)
- EPIC Joins Call for Stronger Encryption Standards
EPIC, joined by several organizations, today urged the National Institute of Standards and Technology to adopt "secure and resilient encryption standards, free from back doors or other known vulnerabilities." The groups raised concerns that the National Security Agency would influence the standard-setting process to enable surveillance of private communications. EPIC previously advised NIST to remove its support for a random number generator algorithm that the NSA compromised. EPIC also recommended that NIST inform the public of the full extent of the NSA's involvement in the Cybersecurity Framework. EPIC President Marc Rotenberg first warned of the risk that the NSA would influence NIST encryption standards in testimony before Congress in 1989. For more information, see EPIC: Cryptography Policy. (Nov. 20, 2014)
- Senate Committee Endorses FOIA Improvements Act
A bill cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX) to improve the Freedom of Information Act has passed unanimously out of the Senate Judiciary Committee. The bill will strengthen the Office of Government Information Services, and will require new reporting on the use of exemptions and audits of agency FOIA processes. The FOIA Improvement Act codifies the presumption of openness and requires that agencies must demonstrate a foreseeable harm in order to withhold information. It will also close a loophole that allows agencies to still charge fees to requesters no matter how long the agency delays processing a request. The House of Representatives has already passed similar legislation. For more information see: EPIC: Open Government and FOIA.ROCKS. (Nov. 20, 2014)
- Senate Republicans Block US Surveillance Reform
An effort led by Senator Patrick Leahy (D-VT) to pass the USA FREEDOM Act failed on a narrow procedural vote last night. The FREEDOM Act would have ended the NSA's bulk collection of US telephone records. The bill would also improve oversight and accountability of the Foreign Intelligence Surveillance Act. Last year, EPIC petitioned the Supreme Court to suspend the bulk collection of Americans' telephone records. EPIC's petition was supported by dozens of legal scholars and former members of the Church Committee. EPIC also testified in Congress in support of improved reporting for domestic surveillance activities. For more information, see EPIC: Foreign Intelligence Surveillance Act Reform and In re EPIC. (Nov. 19, 2014)
- FTC Fines TRUSTe, Privacy Certification Company
The Federal Trade Commission settled charges today that TRUSTe, a company that provides privacy certifications for online businesses including children's privacy and the US-EU Safe Harbor program, deceived consumers through its privacy seal program. The FTC charged TRUSTe with failure to conduct re-certifications for companies that displayed privacy seals, even though TRUSTe stated on its website that it conducted annual re-certifications. "TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge," said FTC Chairwoman Edith Ramirez. Under the consent agreement, TRUSTe is prohibited from misrepresenting its business practices to consumers. TRUSTe must also submit a detailed filing to the FTC every year, describing its COPPA recertification process and must pay a fine of $200K. In February, EPIC submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions, citing weaknesses in current Safe Harbor oversight. And just this month, EPIC filed a lengthy amicus brief in federal appeals court in support of the FTC's "Section 5" authority. For more information, see EPIC: FTC. (Nov. 17, 2014) - Senator Markey Asks Justice Department About Cell Phone Tracking Program
Senator Edward J. Markey (D-MA) has sent detailed questions to Attorney General Holder about recent reports that law enforcement agencies have deployed aircraft equipped with cell tower simulators to capture mobile phone communication. The devices, known as "IMSI catchers" or "Stingray," identify and track cell phone users. Senator Markey wrote "the sweeping nature of this program and likely collection of sensitive records...raise important questions about how the Department protects the privacy of Americans" with no connection to unlawful activities. EPIC successfully sued the FBI to obtain documents about the agency's use of Stingray devices. EPIC has also filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking is a search under the Fourth Amendment and should only be conducted with a judicial warrant. For more information, see EPIC: Locational Privacy and EPIC v. FBI (Stingray). (Nov. 17, 2014) - EPIC Urges Federal Court to Uphold FTC Authority to Protect Data Security
EPIC, joined by thirty-three technical experts and legal scholars, has filed an amicus brief in support of the Federal Trade Commission's authority to establish data security standards. EPIC described the extent of the data security risks in the United States, the important role of the FTC, and the danger of removing FTC authority to safeguard consumer data. EPIC said, "The FTC's authority to regulate business practices impacting consumer privacy is well established, the problem is obvious, and the agency has a clear record of success." EPIC cited 50 successful enforcement actions against companies that failed to safeguard customer data. EPIC also detailed the ongoing risks of identity theft and financial fraud facing American consumers. EPIC warned, "Removing the FTC's authority to regulate data security would be to bring dynamite to the dam." For more information, see EPIC: FTC v. Wyndham, EPIC: EPIC Amicus Curiae Briefs. (Nov. 13, 2014) - Senator Leahy Urges Swift Passage of USA Freedom Act
Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has urged swift passage of the USA FREEDOM Act, which would end the government's dragnet collection of telephone records. The bipartisan bill, which Senator Leahy introduced in July, would also improve oversight accountability for domestic surveillance activities. It has broad bipartisan support among the Intelligence Community, the technology industry, and privacy advocates. Senator Leahy said "Congress should pass the bipartisan USA FREEDOM Act without delay." Last year EPIC petitioned the US Supreme Court to end the NSA bulk record collection program. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Nov. 13, 2014) - EPIC Backs Internet Bill of Rights
Speaking at a conference in Brussels, "Toward a European Marco Civil," EPIC President Marc Rotenberg expressed support for The Declaration of Human Rights, an initiative of the Italian government led by Constitutional scholar Stefano Rodotà. Rotenberg said, "We must protect the political rights of Internet users, not simply the business models of Internet companies." The event was organized by the Fundamental Rights European Experts ("FREE") Group with the support of the Friedrich Ebert Stiftung. For more information, see Civil Society Seoul Declaration and Madrid Privacy Declaration. (Nov. 13, 2014) - Post-Snowden, Social Media Users Concerned About Access to Personal Data
According to the Pew Research Report "Public Perceptions of Privacy and Security in the Post-Snowden Era," most users of social media are very concerned about businesses and government accessing their personal data. 80% of adults "agree" or "strongly agree" that Americans should be concerned about the government's monitoring of phone calls and internet communications. 64% believe there should be more regulation of advertisers. Almost all users rank their social security number as the most sensitive piece of personal data. EPIC has asked the House Committee on Homeland Security to suspend a DHS program that is monitoring social networks and media organizations. EPIC has recommended that the FTC establish privacy protections for online advertising. EPIC has also urged the US Congress over many years to limit the use of the Social Security Number for commercial purposes. For more information, see EPIC: Public Opinion on Privacy, EPIC: Facebook Privacy, EPIC: Social Media Monitoring, and EPIC: Social Security Numbers. (Nov. 13, 2014) - NSA Vows to Disclose Zero-Day Vulnerabilities
In a speech delivered at Stanford University, National Security Agency director Michael Rogers announced that the NSA will no longer stockpile "zero-day exploits", software glitches that could facilitate cyber espionage. In the past, the NSA has kept these vulnerabilities secret for use in counterintelligence. Admiral Rogers announced, "the default setting is if we become aware of a vulnerability, we share it." By disclosing vulnerabilities, the NSA allows software developers to fix the glitches and keep the internet more secure. Admiral Rogers recognized that "'a fundamentally strong Internet is in the best interest of the U.S.'" In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended that "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The Review Group report contains 45 other similar recommendations that EPIC generally supports and the White House has pledged to adopt. Earlier this year, the NSA's policies on zero-day exploits came under scrutiny when a glitch known as the "Heartbleed bug" threatened to undermine SSL encryption across the entire internet. For more information, see EPIC: In re EPIC and EPIC: NSPD-54 Appeal. (Nov. 13, 2014) - EPIC Urges Privacy Board to Focus on Privacy Act Enforcement
EPIC has recommended that the Privacy and Civil Liberties Oversight Board prioritize Privacy Act enforcement. The Board is planning to host a conference "Defining Privacy." EPIC stated "The Privacy Act provides a sound framework for privacy protection in the United States. Government agencies within the PCLOB's purview contravene the Privacy Act's intent and pose substantial privacy risks by claiming broad exemptions from coverage under the Act. The Board must improve agency accountability by auditing programs for Privacy Act compliance and recommending expanded authorities under the Privacy Act." EPIC recently provided expert commentary at a Georgetown University Law Center conference celebrating the 40th anniversary of the Privacy Act. For more information, see EPIC: FAA v. Cooper, EPIC: Doe v. Chao, and EPIC: The Privacy Act of 1974. (Nov. 12, 2014) - EPIC Prevails in Case Against FBI About Next Generation Identification
A Federal Court has ruled that EPIC "substantially prevailed" in its open government lawsuit against the FBI for information about the agency's massive biometric database. The Court has also awarded attorneys fees to EPIC. EPIC's lawsuit led to the disclosure of hundreds of pages about "Next Generation Identification", a vast FBI database program with fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, and photographs, on millions of Americans suspected of no crime. The Court found that "There can be little dispute that the general public has a genuine, tangible interest in a system designed to store and manipulate significant quantities of its own biometric data, particularly given the great numbers of people from whom such data will be gathered." EPIC has recommended new privacy safeguards and greater Congressional oversight of the NGI program and other identification techniques. For more information, see EPIC: EPIC v. FBI - Next Generation ID and EPIC: Spotlight on Surveillance on FBI's Next Generation Identification Program. (Nov. 6, 2014) - Court Dismisses Video Privacy Case Against Redbox
A federal court of appeals has ruled that a lawsuit against Redbox will not continue. The plaintiffs argued that Redbox's disclosure of personal information to a customer service center violated the Video Privacy Protection Act of 1988. The Seventh Circuit ruled that since customer service is part of Redbox's "ordinary course of business," the disclosure is permissible under the Act. The Court also determined that the statute created standing and that it was unnecessary to show additional harm. Earlier this year, a federal court ruled that a privacy class action lawsuit against Hulu, the video streaming service, could continue. In that case, Hulu shared user data with Facebook for advertising purposes, in violation of the VPPA. EPIC has supported the Video Privacy law since its inception and has defended the statute in Congressional testimony and amicus briefs. For more information, see EPIC: Harris v. Blockbuster; EPIC: Lane v. Facebook; and EPIC: Video Privacy Protection Act. (Nov. 5, 2014) - European Privacy Groups Boycott Google Roadshow
Leading European privacy organizations have turned down invitations from Google to participate in a series of events organized by the Internet giant, designed to raise questions about a decision of the European Court of Justice regarding the right to privacy. The European Consumer Organization (BEUC), the European Digital Rights Initiative (EDRi), and Privacy International are among several of the groups that are not participating in the Google meetings. EU policymakers have also challenged the company for attacking a judicial decision of the high court of the European Union, describing the tour as a "publicity stunt." For more information, see Fact Sheet on the Right to Be Forgotten, EPIC: Right to Be Forgotten, EPIC: International Privacy Law, EPIC: Expungement, and Rotenberg, "EU Court Strikes Blow for Privacy" (USA Today). (Nov. 5, 2014) - EPIC to Oppose Changes to Judicial Rules that Would Allow Police Hacking
EPIC Senior Counsel Alan Butler will testify this week before the Judicial Conference Advisory Committee on Rules of Criminal Procedure regarding a proposed amendment to Rule 41, which governs the issuance of warrants by federal judges. The proposed amendment to Rule 41 would authorize judges to issue warrants permitting a law enforcement officer to use "remote access" to search digital files. Under the amended rule, these remote access or "computer hacking" warrants could be issued (1) in any case where the target device uses an Internet anonymizing service such as Tor, or (2) to search computers that are part of a botnet. In a written statement, EPIC's Butler argued that the proposed changes are not consistent with the Fourth Amendment because (1) there would be no notice prior to the search and (2) officers would not be required to show that delayed notice is necessary. EPIC previously filed an amicus brief in a federal appeals court, arguing that service of a warrant by fax violated a core procedural protection of the Fourth Amendment. For more information, see EPIC: United States v. Bach. (Nov. 5, 2014) - EPIC Urges Department of Defense to Adopt Strong Open Government Rules
EPIC has submitted extensive comments to the Department of Defense, opposing several of the agency's proposals to amend its Freedom of Information Act program. The agency plans to modify key terms and agency practices that would disadvantage FOIA requesters and are not consistent with the purpose of the open government law. EPIC recommended model FOIA regulations, drafted by transparency and accountability groups that promote agency accountability. EPIC did support proposed changes by the agency that favor FOIA requesters and open government. EPIC routinely submits comments on FOIA regulations, warning agencies not to erect new obstacles for those seeking information about government. The Defense Logistics Agency, Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see FOIA.ROCKS and EPIC: Open Government. (Nov. 4, 2014) - Federal Appeals Court to Hear Challenge to NSA Surveillance Program
The U.S. Court of Appeals for the D.C. Circuit is scheduled to hear arguments tomorrow (November 4, 2014) in Klayman v. Obama, a challenge to the NSA's domestic surveillance program. Klayman is one of several cases challenging the NSA's ongoing collection of domestic telephone records. In the Klayman case, Judge Richard Leon ruled that the NSA likely violated the Fourth Amendment. The government has appealed that decision. In a related case before the Ninth Circuit, EPIC filed an amicus curiae brief, arguing that communications data should be protected under the Fourth Amendment and that the 1979 decision Smith v. Maryland no longer applies, given the evolution of modern communications technology. Last year EPIC petitioned the US Supreme Court to end the NSA program, arguing that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered Verizon to turn over all domestic call records to the NSA. The EPIC Petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see EPIC: Klayman v. Obama, EPIC: Smith v. Obama, In re EPIC. (Nov. 3, 2014) - EPIC, Coalition Urge Investigation of Closure of Open Government Requests
EPIC and 13 other transparency organizations have asked the Office of Government Information Services to launch an investigation of impermissible closures of FOIA requests. Several federal agencies have notified FOIA requesters that unprocessed requests will simply be closed by the agency if there is no further communication. There is nothing in the FOIA law or agency regulations that allows for this practice. EPIC and the coalition have asked the FOIA ombudsman to investigate and to advise agencies to end the practice. For more information see: FOIA.ROCKS and EPIC: Open Government. (Nov. 2, 2014) - EPIC Launches FOIA.ROCKS
EPIC has launched a new web site - FOIA.ROCKS - to celebrate Open Government and the Freedom of Information Act. The site includes links to several current FOIA initiatives, including a coalition letter to President Obama on FOIA reform, recommendation for model FOIA regulations and a new recommendation from EPIC to the FOIA ombudsman on the problem for FOIA requesters of "Administrative closure." For more information, see EPIC: Open Government. (Oct. 29, 2014) - FCC Levies $10 Million Fine Against Carriers for Breach of Consumer Privacy
The Federal Communications Commission announced today its largest privacy fines to date. The agency's first data security case stems from an investigation of TerraCom and YourTel America, who "stored Social Security numbers, names, addresses, driver's licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access." The carriers will be fined $10 million for their breach of consumer privacy. Last month, the FCC reached a $7.4 million settlement with Verizon over privacy violations. EPIC previously urged the FCC to determine whether Verizon violated the Communications Act when it released consumer call detail information to the National Security Agency. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: NCTA v. FCC (Concerning privacy of CPNI) and In re EPIC (NSA Telephone Records Surveillance). (Oct. 24, 2014) - Senator Rockefeller Questions Whisper About Privacy Practices
Senator Rockefeller has asked Whisper to answer several questions about the company's practices and policies. Whisper said that it does not track users and that it respects users' decisions to opt out of geolocational tracking. But the Guardian revealed that Whisper tracks "the precise time and approximate location of all messages" and specifically tracks certain users the company deems "newsworthy." Senator Rockefeller, chair of the Senate Committee on Commerce, has asked Whisper to explain its tracking, data retention, and disclosure practices. EPIC has several similar matters pending before the Federal Trade Commission. For more information, see EPIC: WhatsApp, EPIC: Snapchat, and EPIC: FTC. (Oct. 24, 2014) - 50 Organizations Urge Obama to Update Freedom of Information Act
EPIC has joined a coalition of more than 50 organizations that has asked President Obama to strengthen the Freedom of Information Act. "Only statutory reform and your public commitment to that reform will ensure the commitments you have made last beyond your presidency," the groups wrote. President Obama signed a memorandum in support of Open Government the day after he was inaugurated in 2009, but open government groups say he has not done enough to promote government transparency. The groups are now urging the President to commit to a "presumption of openness" and to endorse the "foreseeable harm" standard mandated by the Attorney General. The groups would also like to see the President support a narrowing of the communication privilege and end the withholding of documents more than 25 years old. Finally, the groups said that agencies that miss statutory deadlines should not charge fees and that the FOIA ombudsman should be strengthened. For more information, see EPIC: Open Government. (Oct. 24, 2014) - EPIC Spotlight: Domestic Drones, Surveillance, and the Privacy Risks
EPIC's Spotlight on Surveillance Project returns to focus attention on domestic drone surveillance. Congress recently mandated that the Federal Aviation Administration integrate drones into the National Airspace, raising concerns about both safety and privacy. The FAA has begun granting limited exemptions to the current ban on commercial drones. EPIC's Spotlight "Eyes in the Sky" examines the surveillance capabilities of drone technology and recommends comprehensive privacy legislation. EPIC has also testified in Congress in support of drone privacy law, urged the FAA to mandate minimum privacy standards, and pursued several significant FOIA cases. For more information, see EPIC's Spotlight on Surveillance on Drones and EPIC: EPIC v. Army (Surveillance Blimps). (Oct. 23, 2014) - EPIC Recommends Research on "Privacy Enhancing Technologies"
In comments to a federal agency developing a privacy research agenda, EPIC expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights. EPIC also recommended research on Privacy Enhancing Technologies ("PETs") that "minimize or eliminate the collection of personally identifiable information." EPIC highlighted current privacy issues including identity theft, security breaches, financial fraud, and the increasing use of predictive analytics in big data analysis. Earlier this year, EPIC submitted comments on "Big Data and the Future of Privacy" and called for the end of opaque algorithmic profiling. The White House's subsequent report on Big Data and the Future of Privacy incorporated several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy. (Oct. 23, 2014) - New Report Reviews Progress on Signals Intelligence Reform
The Office of the Director of National Intelligence has released the first report on the implementation of Presidential Policy Directive 28. In January, the President proposed a revised policy for foreign signals intelligence. Under the revised directive, PPD-28, intelligence agencies are required to "review and update" their policies and "establish new ones as necessary" to safeguard personal information collected through signals intelligence. Signals intelligence activities must also be "as tailored as feasible," and there must be limitations on the querying, use, dissemination, and retention of personal information. The report states that all intelligence agencies in place by January 17, 2015, one year after the President's speech. EPIC previously challenged the NSA's bulk collection of domestic and international call detail records. EPIC has also filed Freedom of Information Act requests with the NSA and other intelligence agencies seeking disclosure of current procedures regarding surveillance conducted under Executive Order 12333. For more information, see EPIC: EO 12333 and In re EPIC. (Oct. 23, 2014) - EPIC Urges Department of Transportation to Protect Driver Privacy
EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things. (Oct. 21, 2014) - Supreme Court to Rule on Privacy of Hotel Records
Today the Supreme Court agreed to hear Los Angeles v. Patel, a challenge to a local ordinance that allows police to inspect hotel guest registries without a warrant or judicial supervision. A federal appeals court ruled that the LA law was "facially" unconstitutional because the authority could violate the Fourth Amendment. The Supreme Court will consider both the scope of privacy protections for hotel guests and also whether the Fourth Amendment prohibits laws that allow unlawful searches. The second issue has far-reaching consequences because many recent laws authorize police searches without judicial review. Thus far, courts have only considered "as applied" challenges on a case-by-case basis. EPIC will likely file an amicus brief in the Supreme Court case in support of the decision of the federal appeals court. For more information, see EPIC: Los Angeles v. Patel and EPIC: Amicus Briefs. (Oct. 20, 2014) - Obama Issues Executive Order to Strengthen Consumer Privacy
President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft. (Oct. 17, 2014) - Data Protection Commissioners Urge Limits on "Big Data"
The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC, joined by 24 organizations, petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things. (Oct. 17, 2014) - EPIC Obtains New Documents About Lack of Student Privacy Enforcement
EPIC has obtained new documents from the Department of Education detailing parent and student complaints about the misuse of education records. The Department released the documents in response to an EPIC Freedom of Information Act request. EPIC is expecting to receive more documents about the agency's enforcement of the Family Educational Rights and Privacy Act. Other documents that EPIC has uncovered reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the federal student privacy law. The documents also reveal that the Department failed to investigate many FERPA complaints. For more information, see EPIC: Department of Education's FERPA Enforcement, EPIC: Student Privacy, and EPIC: Open Government. (Oct. 15, 2014) - Italy Launches Internet Bill of Rights
The Italian Parliament has proposed a Declaration of Internet Rights. The Declaration addresses a wide range of issues including Internet Access, Protection of Personal Data, Anonymity, the Right to be Forgotten, and Internet Governance. Italy, currently chair of the European Council, plays a leading role in European Union policy in 2014 and has made progress on data protection a top priority. EPIC spoke earlier this year to the Italian Parliament about the need for a strong framework to protect the rights of Internet users. For more information, see Civil Society Seoul Declaration and Madrid Privacy Declaration. (Oct. 14, 2014) - Japan Adopts "Right to Be Forgotten"
A Japanese court has ordered Google to delete about half of the search results for a man linked to a crime he didn't commit. Judge Nobuyuki Seki of the Tokyo District Court said that the search results "infringe personal rights," and had harmed the plaintiff. A recent poll also found that 61 percent of Americans favor the EU Court of Justice decision regarding the right to be forgotten. And Canada is now debating the establishment of a similar legal right. For more information, see EPIC: Right to Be Forgotten, EPIC: Public Opinions and Privacy, and EPIC: Expungement. (Oct. 14, 2014) - Supreme Court Strikes Down Voter ID Law
The US Supreme Court has ruled that officials in Wisconsin may not require voters to present photo ID before voting in an upcoming election. A federal court in Texas also struck down a state voter ID requirement saying it disproportionately burdened minority voters. In 2007 EPIC raised similar arguments in an amicus brief for the US Supreme Court in Crawford v. Marion County. EPIC said of the Indiana ID law, “Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state’s voter ID system is imperfect, and relies on a flawed federal identification system.” The Supreme Court upheld the law. Justice Souter dissented, saying “this statute imposes a disproportionate burden upon those without” government-issued photo IDs. For more information, see EPIC: Voter Photo ID and Privacy and EPIC: Voting Privacy. (Oct. 10, 2014) - NSA Releases "12333" Report, Fails to Address Bulk Collection
The NSA released a privacy report on its surveillance activities under 12333, an Executive Order that provides broad authority for data collection. But the report only addresses a narrow aspect of the EO 12333 collection - protections for U.S. persons in the context of targeted signal intelligence activities. The report fails to address bulk collection or privacy protections for non-U.S. persons. A previously disclosed internal audit revealed that the NSA violated both legal rules and privacy restrictions thousands of times each year since 2008. Another document shows how NSA analysts are trained to avoid giving "extraneous information" to their "FAA overseers" when they want to target an individual. The NSA privacy report did not address these previous violations. Earlier this year, EPIC urged the Privacy and Civil Liberties Oversight Board to review the surveillance activities conducted under EO 12333. EPIC is also pursuing several FOIA matters to learn more about the use of 12333 authorities. For more information, see EPIC: Executive Order 12333. (Oct. 7, 2014) - At OECD Global Forum, EPIC Urges "Algorithmic Transparency"
Speaking to delegates at the OECD Global Forum for the Knowledge Economy in Tokyo, EPIC President Marc Rotenberg urged OECD member countries to endorse "algorithmic transparency," the principle that data processes that impact individuals be made public. Mr. Rotenberg explained that companies are too secretive about what they collect and how they use personal data. Mr. Rotenberg also spoke about the growing risk of identity theft and cited the recent data breaches at Target, Home Depot, and JP Morgan, and urged OECD countries to update privacy laws. Earlier this year, EPIC submitted extensive comments on the White House's review of "Big Data and the Future of Privacy." EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC - Big Data, The Public Voice, CSISAC. (Oct. 3, 2014) - Department of Homeland Security Releases 2014 Privacy Report
The Department of Homeland Security released the 2014 Privacy Office Annual Report to Congress. The report describes a joint review conducted with the European Commission regarding the transfer of EU Passenger Name Records to the US. The European Commission found the redress mechanisms were lacking for passengers denied boarding. The Commission also found that DHS would often review passenger records without a legal reason. The Annual Report describes the sixth Compliance Review of the department’s social media monitoring program. The review found that the DHS began collecting GPS and geo-location of Internet users without assessing or mitigating the privacy risks. In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. For more information, see EPIC: EU-US Airline Passenger Data Disclosure and EPIC: EPIC v. DHS - media monitoring. (Oct. 2, 2014) - Facebook Responds to EPIC Complaint About "Emotions Study"
Facebook has announced revised guidelines concerning user data the company discloses to researchers. In 2012, Facebook subjected 700,000 users to an "emotional" test by manipulating their News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In response, EPIC filed a formal complaint to the Federal Trade Commission. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has also asked the FTC to require that Facebook make public the News Feed algorithm. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy, as a result of complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. The new guidelines have improved Facebook's research process, but they still raise questions about human subject testing by advertising companies. EPIC still believes the NewsFeed algorithm should be made public. For more information, see EPIC: In re: Facebook (Psychological Study) and EPIC: Federal Trade Commission. (Oct. 2, 2014) - EPIC v. CIA: EPIC Seeks Details of CIA Surveillance of Congress
EPIC has filed a Freedom of Information Act lawsuit against the Central Intelligence Agency for the Inspector General's report on the CIA's spying on a key Congressional oversight committee. The EPIC lawsuit follows from reports that the CIA infiltrated a computer network used by Senate staff to investigate the agency's detention and interrogation program. Senator Dianne Feinstein, Chair of the Senate Intelligence Committee, stated that the CIA's conduct raised far-reaching concerns about Constitutional separation of powers, and violations of computer crime and wiretapping laws. The CIA subsequently confirmed that the CIA's Inspector General had conducted an investigation and concluded the agency had "improperly" accessed Senate computers. EPIC sent a FOIA request to the CIA for the Inspector General's report but received no response. EPIC has sued for public release of the report. For more information, see: EPIC: EPIC v. CIA - CIA Spying on Congress. (Oct. 2, 2014) - California Enacts Comprehensive Student Privacy Law
California has passed the "Student Online Personal Information Protection Act," a comprehensive student privacy law. Among other provisions, the new law: (1) prohibits K-12 mobile and online service operators from using student information to target advertisements to students; (2) prohibits online service providers from creating K-12 student profiles for commercial purposes; and (3) forbids companies from selling student information. The law also requires K-12 mobile and online service operators to establish security measures and to delete student information at the request of a school or district. California also passed a law requiring schools that outsource student records to include privacy in contracts, and a law governing school social media monitoring programs. The Student Online Personal Information Protection Act incorporates many proposals EPIC outlined in the Student Privacy Bill of Rights. For more information, see EPIC: Student Privacy, EPIC: EPIC v. Education Dept., and EPIC: Echometrix. (Oct. 2, 2014) - EPIC Urges FTC to Investigate Maricopa Data Breach
EPIC has filed a complaint with the Federal Trade Commission concerning the loss of personal information of almost 2.5 m current and former students, employees, and vendors in Maricopa County. According to EPIC, the District's failure to maintain a comprehensive information security program led to a "massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information." EPIC further alleges the District violated the Federal Trade Commission's Safeguards Rule by failing to protect students' financial information. EPIC's complaint follows a similar complaint by DataBreaches.net. EPIC said that, "many education institutions in the United States are subject to the Safeguards Rule. The District's case is a particularly egregious example of the risk of failing to safeguard sensitive personal information." For more information, see EPIC: Student Privacy. (Sep. 29, 2014) - EPIC Files Comments on Financial Privacy
EPIC has filed extensive comments in response to a request from the Consumer Financial Protection Bureau. EPIC urged the Bureau to limit the information debt collectors gather on consumers. EPIC advised the Bureau to prohibit debt collectors from contacting employers and others about consumer debt. EPIC also advised the Bureau to require debt collectors to protect the information they acquire and to allow consumers to see the information about them that is collected. EPIC routinely submits comments to federal agencies, urging them to uphold the Privacy Act and protect individuals from telephone and Internet misuse. In 2004, EPIC submitted comments regarding the "CAN-SPAM" Act and the proposed National "Do Not Email" Registry. In 2006, EPIC testified before Congress regarding the Truth in Caller ID Act of 2006. And in 2009, EPIC submitted comments on the Truth in Caller ID Act of 2009, recommending a prohibition against overriding calling parties' privacy choices. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 29, 2014) - Appeals Court Limits Military Surveillance of Civilian Internet Use
The U.S. Court of Appeals for the Ninth Circuit ruled in United States v. Dreyer that an agent for the Naval Criminal Investigative Service violated Defense Department regulations and the Posse Comitatus Act when he conducted a surveillance operation in Washington state to identify civilians who might be sharing illegal files. The 1878 Act prevents the U.S. military from enforcing laws against civilians. The appeals court ruled that the NCIS intrusion into civilian networks showed “a profound lack of regard for the important limitations on the role of the military in our civilian society.” The court also ruled that the evidence obtained by NCIS should be suppressed to “deter future violations.” In a petition to the Supreme Court, EPIC challenged the NSA’s surveillance of domestic communications. The NSA is a component of the Department of Defense. For more information, see In re EPIC and EPIC v. DOJ: Warrantless Wiretapping Program. (Sep. 26, 2014) - “Eyes Over Washington” - EPIC Obtains New Documents About Surveillance Blimps
EPIC has obtained new documents detailing the Department of Army’s use of surveillance blimps over the nation’s capital. The documents include thirty heavily redacted pages of equipment descriptions and data. In May EPIC filed suit against the Department of the Army to obtain details about a sophisticated tracking and targeting system that will be deployed over Washington, DC during the next three years. JLENS is comprised of two 250' blimps. One blimp conducts aerial and ground surveillance over a 340-mile range, while the other has targeting capability, including HELLFIRE missile capability. The JLENS was originally deployed in Iraq. In the FOIA Request, EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. An Army spokesperson said recently that JLENS will “absolutely not” include video surveillance gear. Similar blimps have been deployed by the DHS for border security. They include video surveillance. For more information, see EPIC: EPIC v. Army - Surveillance Blimps and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Sep. 26, 2014) - FAA Okays Hollywood Drone Use, But Privacy Safeguards Remain Grounded
The Federal Aviation Administration granted six exemptions for the commercial use of drones to companies in the film and television industry this week. The agency found that the proposed operations do not “pose a threat to national airspace users or national security.” Safety requirements include: line of sight tracking, restricting flights to the “sterile area” on the set, inspection after each flight, and prohibiting operation at night. The agency is currently considering another 40 requests from various commercial entities. Currently, no privacy protections are in place to address the commercial use of drones. EPIC has testified in Congress in support of a comprehensive drone privacy law—calling for use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration to develop drone privacy guidelines after an EPIC-led coalition petition. EPIC also urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Sep. 26, 2014) - Apple Announces New Privacy Enhancing Techniques
The most recent product announcement from Apple includes several privacy enhancing techniques that EPIC has favored, including randomized MAC addresses, end-to-end encryption, robust screen lock, and implementation of secure electronic payment systems. Still, EPIC has raised questions about HealthKit, which enables the collection and transfer of sensitive medical information, and the enforcement of developer guidelines. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Sep. 23, 2014) - EPIC FOIA - FBI Extends "Rap Back" Biometric Collection
EPIC has just received documents about the FBI's Rap Back program. The FBI now routinely collects biometric data for ongoing background checks on nongovernment employees. In response to EPIC's FOIA request, the FBI is currently reviewing thousands of pages about the "Rap Back" program. Rap Back is part of the FBI's Next Generation Identification initiative, one of the largest biometric databases in the world, tied to data centers managed by the Department of Homeland Security, Department of Defense, and other government agencies. EPIC previously sued the FBI for documents about the NGI database and uncovered agency acceptance of high error rates. For more information, see Spotlight on Surveillance: Next Generation Identification. (Sep. 23, 2014) - EPIC, Coalition Call for Transparency in Public Consumer Database
In comments to the Consumer Financial Protection Bureau, EPIC and other public interest organizations urged the Bureau to publish consumer complaint narratives. The Bureau currently publishes limited complaint information on financial products and services, including debt collection and credit reports. The Bureau is now considering a plan to provide consumer perspectives on experiences with the financial industry. The consumer groups support this effort and also recommend obtaining consumer consent and removing personally identifiable information before posting the complaints. Last year, EPIC uncovered documents revealing that many student debt collection companies fail to meet legal privacy obligations. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 22, 2014) - EPIC, Coalition Urge UN Human Rights Council to Review U.S. Spy Programs
In a joint submission to the United Nations, the Brennan Center, EPIC, and other public interest organizations urged the Human Rights Council to review U.S. surveillance programs. The Council regularly performs a Universal Periodic Review of the human rights record of UN Member States. As a result of the Council's last review, the U.S. Government committed to protect individual privacy and stop spying on citizens without judicial authorization. The coalition letter argues that the U.S. has not honored this commitment and that U.S. "surveillance activities also violate the rights to privacy, freedom of expression, and the freedom of peaceful assembly and association..." guaranteed by the Universal Declaration of Human Rights. In January 2010, twenty-nine experts in privacy and technology affiliated with EPIC wrote to then U.S. Secretary of State Hillary Clinton to urge that the United States ratify the Council of Europe Convention on Privacy. For more information, see EPIC: Council of Europe Privacy Convention. (Sep. 18, 2014) - FBI Says Biometric Database has Reached "Full Operational Capability"
The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached "full operational capability." In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to "Rap Back," the FBI's ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC's recent Spotlight on Surveillance concluded that NGI has "far-reaching implications for personal privacy and the risks of mass surveillance." For more information, see EPIC: EPIC v. FBI - Next Generation Identification. (Sep. 15, 2014) - EPIC Files FOIA Lawsuit For Reports on Electronic Voting Reliability
EPIC has filed a Freedom of Information Act lawsuit to obtain test reports about an online voting program promoted by the Department of Defense. The records sought relate to the functionality and security of electronic voting systems. The California Secretary of State, Members of Congress, and voting rights advocates have tried to obtain these documents, but DOD has kept them secret even after promising public disclosure in 2012. Computer scientists have long warned about the risks of electronic voting systems. In the complaint, EPIC states that "it is absolutely critical for the documents sought in this matter be disclosed prior to further deployment of e-voting systems in the United States." The case is EPIC v. Department of Defense, No 14-1555 (D.D.C. filed 9/11/2014). For more information, see EPIC: EPIC v. DOD - E-voting Security Tests. (Sep. 11, 2014) - EPIC, Legal Scholars, Technical Experts Urge Federal Appeals Court to Safeguard Telephone "Metadata"
EPIC has filed an amicus curiae brief, joined by 33 technical experts and legal scholars, in support of a challenge to the NSA telephone record collection program. The case Smith v. Obama will be heard by the Court of Appeals for the Ninth Circuit this fall. Earlier this year, a lower court ruled that the Fourth Amendment does not protect telephone call record information because of a 1979 case Smith v. Maryland. In the brief for the federal appeals court, EPIC wrote that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." EPIC routinely participates as a friend of the court in cases raising novel privacy and civil liberties issues. For more information, see EPIC: Smith v. Obama, EPIC: Riley v. California, and EPIC Amicus Briefs. (Sep. 10, 2014) - FTC To Explore "Big Data" and Discrimination
The Federal Trade Commission will host a workshop entitled "Big Data: A Tool for Inclusion or Exclusion?" The FTC will explore the effects of "big data" analytics on low-income and other underserved communities. Several members of the EPIC Advisory Board will be participating. Earlier this year, the FTC published a report on data brokers, warning that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." The White House also convened a task force and published a report on "big data" this year. At EPIC's urging, the White House included public participation in the review process. EPIC submitted extensive comments, warning about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: FTC. (Sep. 10, 2014) - Pew Survey: Users Online Self-Censor Discussion of Government Surveillance
According to the Pew Research Report "Social Media and the 'Spiral of Silence,'" most users of social media are afraid to talk about government surveillance on Facebook, Twitter, and other social platforms. Users were more willing to share their views on government surveillance if they thought others shared the same view. Those who thought they held minority views were more likely to self-censor—an effect known as the "spiral of silence." In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. A subsequent Congressional hearing led the DHS to cancel the program. For more information, see EPIC v. DHS: Media Monitoring and EPIC: Public Opinion on Privacy. (Sep. 9, 2014) - Education New York Urges Parents to Protect Student Privacy
Education New York, a leading student privacy rights organization, is urging students and parents to opt out of the use of educational records for marketing purposes. The data typically includes name, address, telephone number, birth date, and other personal information in student records. Education New York’s founder Sheila Kaplan stated, "I'm thrilled that with greater awareness of the issues, more parents have been joining the fight for students’ privacy rights." EPIC has long supported stronger privacy protections for student records. In 2012, EPIC sued the Education Department concerning changes to the student privacy law. Earlier this year, EPIC hosted a panel in Washington DC with Senator Ed Markey, "Failing Grade: Education Records and Student Privacy." For more information, see EPIC v. the Department of Education and EPIC: Student Privacy. (Sep. 8, 2014) - EPIC (Finally) Obtains Memos on Warrantless Wiretapping Program
More than eight years after filing a Freedom of Information Act request for the legal justification behind the "Warrantless Wiretapping" program of President Bush, EPIC has now obtained a mostly unredacted version of two key memos (OLC54) and (OLC85) by former Justice Department official Jack Goldsmith. EPIC requested these memos just four hours after the New York Times broke the story about the program in December 2005. When the agency failed to release the documents, EPIC filed a lawsuit. The ACLU and the National Security Archive later joined the case. These two Office of Legal Counsel memos offer the fullest justification of the warrantless wiretapping program available to date, arguing that the president has inherent constitutional power to monitor Americans' communications without a warrant in a time of war. But some parts of the legal analysis, including possibly contrary authority, are still being withheld. The warrantless wiretapping program was part of "Stellar Wind," a broad program of email interception, phone record collection, and data collection undertaken by the NSA without the approval of Congress. For more information see EPIC: EPIC v. DOJ: Warrantless Wiretapping Program. (Sep. 8, 2014) - UPDATE-Army Backs Off Plan for DC Surveillance Blimp
According to the Washington Post, the Department of Army will not deploy video surveillance cameras over the nation's capital. The announcement follows the release of documents to EPIC in a Freedom of Information Act lawsuit. The blimps provide radar-based aerial surveillance and targeting capabilities. A recent video by the contractor Raytheon revealed that a 24/7 video surveillance feed is easily incorporated. An Army Spokesperson told the Post that the blimps will "absolutely, 100 percent" not include video capacity. A similar EPIC FOIA case against the Bureau of Customs and Border Protection revealed that drones are designed to incorporate advanced video surveillance gear even when not initially deployed. For more information, see EPIC: EPIC v. Army - Surveillance Blimps, EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones, and EPIC: Freedom of Information Act Litigation. (Sep. 8, 2014) - Federal Trade Commission Orders Google to Refund Parents $19 Million for Unauthorized Charges
The Federal Trade Commission has reached a settlement with Google over allegations that the company unfairly charged parents millions of dollars for their children's in-app purchases. The settlement mandates that Google provide full refunds for unauthorized purchases. The FTC agreement will be subject to public comments. Comments are due October 6, 2014. The Commission has previously settled charges with Apple and sued Amazon for charging parents for their kids' unauthorized in-app purchases. Previously EPIC has urged the FTC to require companies subject to privacy consent orders to adhere to the Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Search Engine Privacy. (Sep. 5, 2014) - Federal Communications Commission Fines Verizon $7.4 Million for Violating Consumer Privacy
Verizon will pay the Federal Communications Commission $7.4 million to settle claims that the company violated the privacy rights of nearly two million consumers. The FCC found that Verizon failed to inform consumers of their privacy rights, including how to prevent their personal information from being used for marketing purposes. The Verizon payment is the largest consumer privacy settlement in FCC history. In 2013, EPIC urged the FCC to investigate Verizon's disclosure of customer record information to the NSA. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: Customer Proprietary Network Information, EPIC: NCTA v. FCC (Concerning privacy of CPNI), EPIC: US West v. FCC (Privacy of Telephone Records), and In re EPIC (NSA Telephone Records Surveillance). (Sep. 4, 2014) - Home Depot Data Breach Exposes Millions of Credit Card Records
A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft. (Sep. 4, 2014) - EU Launches Investigation Into Facebook Acquisition of WhatsApp
Antitrust officials in the European Union have begun an investigation into Facebook's acquisition of the messaging service WhatsApp. WhatsApp gained popularity based on its pro-privacy approach to user data. Following the announcement of Facebook's plan to acquire the company, EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to users but questions remain about future business practices. Now European antitrust regulators have served Facebook with a questionnaire of more than 70 pages to determine whether the merger violates European antitrust laws. For more information, see EPIC: In re WhatsApp, and EPIC: FTC. (Sep. 2, 2014) - Federal Judge - Google Privacy Settlement "Fails Smell Test"
A federal judge reviewing a proposed class action settlement in a case concerning Google's disclosure of user data to third parties has said "it doesn't pass the smell test." A coalition of consumer privacy organizations, including EPIC, urged the judge to reject the settlement because it required no substantial change in Google's business practices and provided no benefit to class members. The consumer privacy organizations wrote to the judge when the settlement was first proposed and again last week, before the final fairness hearing. The groups cited the skepticism expressed by Supreme Court Chief Justice John Roberts about a similar privacy settlement. The consumer privacy groups also alerted the FTC Class Action Fairness Project and the California Attorney General about the pending settlement. For more information, see EPIC: Search Engine Privacy. (Sep. 2, 2014) - EPIC FOIA Case - Army Blimps over Washington Loaded with Surveillance Gear, Cost $1.6 Billion
EPIC has received substantial new information about the surveillance blimps, now deployed over Washington, DC. The documents were released to EPIC in a Freedom of Information Act lawsuit against the Department of the Army. The documents also reveal that the Army paid Raytheon $1.6 billion. EPIC will receive more documents about the controversial program in October. For more information, see EPIC: EPIC v. Army - Surveillance Blimps and EPIC: Freedom of Information Act Litigation. (Aug. 29, 2014) - Consumer Privacy Organizations Urge Judge to Reject "Privacy Settlement"
EPIC, joined by leading consumer protection organizations, has asked a federal judge to reject a proposed class action settlement in In re Google Referrer Header Litigation. The settlement requires no substantial change in Google's business practices and provides no benefit to class members. EPIC wrote to the same judge last year when the settlement was first proposed, urging him not to approve. The Federal Trade Commission and the California Attorney General have opposed a similar settlement. And the Chief Justice of the US Supreme Court has expressed deep skepticism about settlements that provide no benefits to class members. The judge in the Google case will rule on the settlement August 29. For more information, see EPIC: Search Engine Privacy, and EPIC: FTC. (Aug. 27, 2014) - European Facebook Users Privacy Lawsuit Moves Forward
A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook. (Aug. 26, 2014) - Security Experts: EPIC Correct About Body Scanners-Invasive and Ineffective
The first independent analysis of backscatter x-ray body scanners corroborates the claims EPIC and others have made for several years: The scanners are invasive and ineffective. In a detailed report published in 2005, EPIC warned that the x-ray body scanners amounted to a virtual strip search and were an ineffective means of airport security. Freedom of Information Act documents later obtained by EPIC revealed that TSA could disable the body scanner's privacy settings, the nude images could be stored on the machines, and the scanners ran on a standard operating system making them vulnerable to outside security threats. EPIC and a coalition of civil liberties organizations then petitioned DHS Secretary Napolitano to suspend the program. When the DHS failed to do so, EPIC sued the agency. The D.C. Circuit Court of Appeals ruled in EPIC v. DHS that the agency must begin a public rulemaking. The backscatter X-ray scanners were subsequently removed from US airports. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Aug. 22, 2014) - Department of Transportation Seeks Public Comment on Connected Cars
The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things. (Aug. 21, 2014) - Congress Investigates Airline Privacy Practices
Senator John Rockefeller (D-WV) is currently seeking information from ten U.S. airlines concerning how airlines safeguard consumer traveler data. Senator Rockefeller has requested information regarding: (1) the type of information airlines collect; (2) airlines' data retention periods; (3) airline privacy and security safeguards governing consumer information; (4) whether consumers may access and amend their information; (5) whether airlines sell or disclose consumer information and if so, to whom do they disclose the consumer data; and (6) how airlines inform consumers about airline privacy policies governing consumer information. EPIC routinely urges the Department of Homeland Security to provide privacy protections for air travelers and end the agency's secret "risk-based" passenger profiling. For more information, see EPIC: Air Travel Privacy, EPIC: Passenger Profiling, EPIC: Secure Flight, and EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Aug. 20, 2014) - Senator Schumer Calls On Regulators to Make Fitness Data Private
Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools. (Aug. 14, 2014) - Documents Obtained by EPIC Lawsuit Show NSA’s Internet Metadata Program Was Sharply Criticized By FISA Judges While Congressional Oversight Lagged for Years
In a FOIA lawsuit against the Department of Justice, EPIC has obtained many documents about the NSA's Internet Metadata program. These include the Government's original FISA application seeking authorization to collect data from millions of e-mails, as well as declarations from NSA officials describing the program. The documents show that FISA Court Judge John Bates chastised the agency for "long-standing and pervasive violations of the prior [court] orders in this matter.'' The FISA Court first authorized the program in 2004, but the documents obtained by EPIC show that the legal justification was not provided to Congress until 2009. The documents also reveal that the DOJ withheld information about the program in testimony for the Senate Intelligence hearing prior to the reauthorization of the legal authority. The program was shut down in 2011 after a detailed review. For more information, see EPIC v. DOJ (FISA Pen Register) and EPIC: Foreign Intelligence Surveillance Court. (Aug. 12, 2014) - Federal Trade Commission Responds to EPIC Regarding Google Settlement
The Federal Trade Commission has responded to EPIC's letter urging the agency to oppose a collusive Google class action settlement. The agency stated that it "systematically monitors compliance" with its consumer protection orders and that it "takes alleged violation[s] of an order seriously," but that it cannot publicly disclose details of its investigations until a formal complaint is issued. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations urged the Commission to formally object because the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution." The agency has a history of filing objections - it filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 7, 2014) - EPIC Demands Report Detailing CIA's Surveillance of Congress
EPIC has filed a Freedom of Information Act request for the Central Intelligence Agency Inspector General's report detailing the agency's surveillance of the Congressional Intelligence Committee. In March 2014, Senator Dianne Feinstein (D-CA), head of the Senate Intelligence Committee, publicly accused the CIA of secretly removing documents from the Committee, searching computers used by the Committee, and attempting to intimidate congressional investigators by requesting a Federal Bureau of Investigation inquiry of their conduct. The Committee had been investigating the CIA's torture program. After Senator Feinstein publicly accused the agency of spying, the CIA's Inspector General conducted an investigation and concluded that the agency's actions had been improper. However, the Inspector General has failed to make the actual report public. EPIC has demanded a copy of the full report, as well as associated documents. For more information see: EPIC: FOIA Cases and EPIC v. CIA (Domestic Surveillance). (Aug. 7, 2014) - Consumer Privacy Organizations Oppose Farcical Class Action Settlement
EPIC, along with a group of consumer privacy organizations, has asked the Federal Trade Commission to object to an unfair class action settlement in California federal court. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations have argued that the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution" to organizations that are "not aligned with the interests of class members and do not further the purpose of the litigation." The consumer groups, who have already written to the court opposing the settlement, urged the Federal Trade Commission to object as well. The agency filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information, see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 5, 2014) - EPIC Sues FBI for Missing Privacy Reports
EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Federal Bureau of Investigation's surveillance programs. The agency is required to conduct privacy impact assessments when it collects and uses personal data. However, the Bureau has failed to publicly release privacy impact assessments for many of its programs, including facial recognition, drones, and license plate readers. According to the E-Government Act and Justice Department guidelines, all privacy assessments should be made public if practicable. EPIC, joined by a coalition of organizations, recently urged the Attorney General to immediately conduct a privacy assessment of the FBI's Next Generation Identification (NGI) program. The NGI program collects massive amounts of biometric data on U.S. citizens. For more information, see EPIC: EPIC v. FBI - Privacy Assessments. (Aug. 1, 2014) - EPIC Seeks Information About Secret Surveillance Authority
EPIC has filed a series of Freedom of Information Act requests for documents related to the Government's collection of private communications data under Executive Order 12333. EPIC is seeking secret policies that govern the collection of Internet data by U.S. intelligence agencies outside of the United States. Former government officials have warned that these procedures allow the government to spy on Americans in violation of the Fourth Amendment. The Washington Post also reported last year that the NSA had infiltrated private communications held on servers abroad. EPIC's requests to the Attorney General, the Director of National Intelligence, the NSA and other intelligence agencies will help to shed light on these invasive programs. For more information, see EPIC: Executive Order 12333. (Aug. 1, 2014) - DC Circuit Rules for EPIC in Case Against NSA, Vacates Lower Court Ruling That Secret Order Is Not Subject to FOIA
The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases. (Jul. 31, 2014) - Senators Markey and Hatch Introduce Student Privacy Legislation
Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (Jul. 30, 2014) - Senator Leahy Introduces Bill to End NSA Bulk Record Collection
Today Senator Patrick Leahy (D-VT), joined by Democratic and Republican Senators, introduced legislation to end the NSA's practice of collecting telephone records of Americans. Leahy described the bill as "the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago." The USA Freedom Act would require the government to specify specific "search terms" to obtain telephone record information. The government would have to demonstrate that it has a "reasonable, articulable suspicion" that the search term is associated with a foreign terrorist organization. The bill also requires a comprehensive transparency report for the use of FISA surveillance authorities. However, the bill exempts the FBI from certain reporting requirements. Civil liberties organizations support the bill. EPIC previously filed a Petition for Mandamus with the U.S. Supreme Court, seeking to end the bulk collection of Americans' phone records. EPIC's petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see In re EPIC and EPIC: FISA Reform. (Jul. 29, 2014) - Federal and State Wiretaps Up 5% in 2013 According to Annual Report, But Stats Don't Support FBI Claims of "Going Dark"
The Administrative Office of the U.S. Courts has issued the 2013 Wiretap Report, detailing the use of surveillance authorities by law enforcement agencies. This annual report, one of the most comprehensive issued by any agency, provides an insight into the debate over surveillance authorities and the use of privacy-enhancing technologies. In 2013, wiretap applications increased 5%, from 3,576 to 3,395. Authorities encountered encryption during 41 investigations, but encryption prevented the government from deciphering messages in only 9 cases. This statistic contradicts claims that law enforcement agencies are "going dark" as new technologies emerge. Of the 3,074 individuals arrested based on wiretaps in 2013, only 709 individuals were convicted based on wiretap evidence. EPIC has repeatedly called for greater transparency of FISA surveillance, citing the Wiretap Report as a model for other agencies. EPIC also maintains a comprehensive index of the annual wiretap reports and FISA reports. For more information, see EPIC: Title III Wiretap Orders, EPIC: Wiretapping, and EPIC: Foreign Intelligence Surveillance Act. (Jul. 29, 2014) - EPIC, Consumer Groups Challenge Facebook on Web Snooping
EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC. (Jul. 29, 2014) - Obama Drone Order Fails to Safeguard Privacy
According to reports, President Obama is set to issue an executive order on drone privacy. The order would call for the development of voluntary best practices for the commercial use of drones. Senator Markey and Representative Welch immediately responded to the reports with a letter to the President urging "strong, enforceable rules - not voluntary best practices...." EPIC has testified in Congress in support of a comprehensive drone privacy law. EPIC called for drone legislation to include use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration agreed to address drone privacy issues after an EPIC-led coalition petitioned the agency two years ago. Last year, EPIC urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Jul. 25, 2014) - EPIC Tells Congress FTC Does Not Enforce Consent Orders
EPIC has sent a letter to the House Committee on Oversight and Government Regulation stating that the Federal Trade Commission rarely enforces "Section 5" consent orders. EPIC also said that the Commission has never modified a consent order in response to public comments or required companies to implement the Consumer Privacy Bill of Rights. The Committee believed the Commission has gone too far to protect the privacy of American consumers. EPIC wrote "the opposite is true." Senator Rockefeller also wrote a letter, urging the Committee not to interfere in the FTC's "well-established legal authority." For more information, see EPIC: Wyndham Hotels and EPIC: FTC. (Jul. 25, 2014) - EPIC Urges Privacy Board to Address Concerns About 12333 Surveillance Authority
EPIC National Security Counsel Jeramie Scott has urged the Privacy and Civil Liberties Oversight Board to focus on surveillance conducted under Executive Order 12333. The Executive Order, signed in 1981, granted broad surveillance authority to the Intelligence Community with little oversight. The Order has enabled vast surveillance of Americans, but has received little attention. EPIC previously urged the Privacy Board to establish greater legal protection for metadata, increase safeguards for personal data, and minimize data collection. At the Board's first public meeting in 2012, EPIC recommended that the Board ensure Privacy Act adherence and investigate privacy concerns with the Fusion Center program, closed-circuit television surveillance, body scanners, surveillance drones, and Suspicious Activity Reporting. So far, the Privacy Board has focused almost entirely on "section 215" and "section 702" surveillance programs. For more information, see EPIC: Executive Order 12333. (Jul. 22, 2014) - Privacy Lawsuit Against Google for Policy Change Moves Forward
A federal court in California has ruled that a class action privacy lawsuit against Google can continue. The plaintiffs are Android users who sued Google in 2012 after the company consolidated user data across many separate services, including Gmail, Google+, and YouTube. They allege that Google concealed a plan to modify its privacy policies and also that Google violated the privacy policy for Google Play. After dismissing similar claims, the court held that the case may now go forward. In 2012, EPIC objected to the same change in Google's policy and urged the Federal Trade Commission to block the change because of a 2011 consent order in which Google agreed not to combine user data without user consent. After the FTC failed to act, EPIC sued the agency. Members of Congress, state Attorneys General, European Justice Officials, technical experts, and IT managers in government and the private sector also expressed concern about the 2012 Google policy change. For more information, see EPIC: EPIC v. FTC (Google Consent Order) and EPIC: FTC. (Jul. 22, 2014) - EPIC Files Lawsuit For Details of Government Profiling System
EPIC has filed a Freedom of Information Act lawsuit about a controversial government data mining program, operated by the Department of Homeland Security. The "Analytical Framework for Intelligence" contains a vast amount of sensitive personal information obtained from government agencies and the private sector. The system is used by the DHS for link analysis, anomaly detection, pattern analysis, and predictive modeling. The system also incorporates "risk assessment" scores from the Automated Targeting System also operated by the DHS. EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional. The case is EPIC v. Customs and Border Protection, No 14-1217 (D.D.C. filed 7/18/2014). For more information see: EPIC: Automated Targeting System, EPIC: Open Government and EPIC: EPIC v. Customs and Border Protection (Analytical Framework for Intelligence). (Jul. 18, 2014) - EPIC Uncovers Complaints from Education Department about Misuse of Education Records
EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government. (Jul. 18, 2014) - EPIC Seeks Government Report about Security of Internet Voting
EPIC has filed a Freedom of Information Act request with the Department of Defense for records detailing the security of online voting. The agency administers the Federal Voting Assistance Program, which has promoted online voting and provided funding to states for internet voting technology. Computer scientists have expressed concern about the reliability of these systems and privacy risks for voters. At a Congressional hearing in 2012, the agency promised to release the results of security tests it had conducted on voting software by December 2012. Because the agency has failed to make the test results public, EPIC has demanded these results, as well as related documents, be disclosed. For more information see: EPIC: Open Government and EPIC: Voting Privacy. (Jul. 18, 2014) - Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study
Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 17, 2014) - Global Survey: Widespread Opposition to US Communications Surveillance, Drones
A new survey from Pew Research finds overwhelming opposition to the US monitoring of emails and phone calls. There appears to be little variation by region or culture, with high levels of opposition found in countries in Europe, South America, Asia, and the Middle East. According to the survey "Global Opinions of U.S. Surveillance," the four countries that believe US surveillance is acceptable are the United States, the Philippines, India, and Nigeria. A related Pew Survey found widespread opposition to drone strikes. For more information, see EPIC: Public Opinion on Privacy. (Jul. 16, 2014) - Pew Research Publishes "Net Threats" Report
The Pew Research Internet Project has released a "Canvassing of Experts" that finds growing concerns about the future of the Internet. According to the report, current trends could "sharply disrupt the way the Internet works for many users." Among the threats identified: state censorship, surveillance, diminished user trust, commercialization and centralization. EPIC President Marc Rotenberg pointed to the growing concentration of the Internet industry and said "There should be many information sources, more distributed, and with less concentration of control....We need many more small and mid-size firms that are stable and enduring." For more information, see EPIC: Public Opinion on Privacy. (Jul. 16, 2014) - FTC Sues Amazon Over Billing for Children's In-App Purchases
The FTC has filed a lawsuit alleging that "Amazon.com, Inc. has billed parents and other account holders for millions of dollars in unauthorized in-app charges incurred by children." FTC Chairwoman Edith Ramirez said, "Amazon's in-app system allowed children to incur unlimited charges on their parents' accounts without permission. Even Amazon's own employees recognized the serious problem its process created." The FTC recently settled similar charges with Apple. In that case, the FTC charged Apple with "billing consumers for millions of dollars of charges incurred by children in kids' mobile apps without their parents' consent." Under the terms of the settlement, Apple must provide a refund for affected consumers and must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for items sold in mobile apps. Previously, EPIC filed a complaint with the FTC over Amazon's collection of children's data. EPIC explained that Amazon was violating the Children's Online Privacy Protection Act by allowing children to post content, including personally identifiable information, without their parents' permission. EPIC currently has several complaints pending with the FTC. For more information, see EPIC: FTC. (Jul. 11, 2014) - EPIC Defends FOIA Victory in Federal Appeals Court
EPIC has filed a brief in response to an appeal by the Department of Justice in EPIC v. DHS, concerning the government policy to disrupt cellular networks. EPIC won a major FOIA victory when a federal district court ruled that the DHS could not withhold "SOP 303," a government procedure to shut down cellular phone service. EPIC sought the policy after authorities shut down cell phone service at a peaceful protest in San Francisco. The government argued it did not need to release the document to EPIC because it was a "law enforcement technique" and because it would endanger the physical safety of an individual. The federal court rejected those arguments and ordered that the document be disclosed to EPIC, pending a decision on the appeal. For more details, see EPIC v. DHS—SOP 303. (Jul. 8, 2014) - EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint
EPIC has filed a formal complaint to the Federal Trade Commission concerning Facebook's manipulation of users' News Feeds for psychological research. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has charged that the study violates a privacy consent order and is a deceptive trade practice. In 2012, Facebook subjected 700,000 users to an "emotional" test with the manipulation of News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In the complaint, EPIC explained that Facebook's misuse of data is a deceptive practice subject to FTC enforcement. Facebook is also currently under a 20-year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 3, 2014) - Congress May Cut Funding For Surveillance Blimps Over DC
The Department of the Army is seeking $54 million to fund the Joint Land Attack Cruise Missile Defense Elevated Netted Sensor System, or JLENS. The request is part of the Fiscal Year 2015 Defense Budget that Congress is currently considering. The system consists of long-range surveillance technologies and targeting capabilities including HELLFIRE missiles. JLENS was originally deployed in war zones in Iraq and Afghanistan. The Army wants to test the system in Washington, DC, but the program has come under scrutiny by Congress because of cost overruns. EPIC recently filed a Freedom of Information lawsuit against the Army, seeking more information about the JLENS program. For more information, see EPIC: EPIC v. Army - Surveillance Blimps. (Jul. 3, 2014) - Privacy Panel Backs PRISM Program
In a surprising report, the US Privacy and Civil Liberties Oversight Board has endorsed the US government's routine collection of the Internet activities of non-US persons, broadly referred to as the "PRISM Program." The NSA obtains this information from Internet companies located in the United States. The Board cited the value of the program and compliance with the law, but said little about the impact on non-US persons. EPIC opposed a similar program concerning the collection of domestic telephone records in a petition to the US Supreme Court last year. EPIC has also said that the collection of communications by the US should be subject to international privacy law, such as the International Covenant on Civil and Political Rights. It is anticipated that foreign countries will continue to transfer cloud-based services away from US firms because of the lax privacy safeguards in the United States. For more information, see EPIC: In re EPIC and EPIC: International Privacy Standards. (Jul. 3, 2014) - FTC Releases 2014 Data Security Update, But Enforcement Questions Remain
The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz. (Jul. 1, 2014) - Attorney General Supports Privacy Act Protections for E.U. Citizens
Speaking in Athens at a meeting between US and EU officials, Attorney General Eric Holder announced that the Obama Administration will work with Congress to extend Privacy Act protections to E.U. citizens. Mr. Holder stated, "the Obama Administration is committed to seeking legislation that would ensure that...EU citizens would have the same right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information, as would a U.S. citizen under the Privacy Act." EPIC has previously recommended that Privacy Act safeguards be extended to non-US persons. In 2012, EPIC also urged Congress to update the Privacy Act. In 2011, EPIC filed a "friend of the court" brief in the Supreme Court, arguing that the Privacy Act provides damages for mental and emotional harm. EPIC routinely submits comments to federal agencies, urging enforcement of Privacy Act protections. For more information, see EPIC: The Privacy Act of 1974 and EPIC: FAA v. Cooper. (Jul. 1, 2014) - FAA, Park Service Ground Drones, Cite Safety Concerns
The Federal Aviation Administration released a proposed Special Rule for Model Aircraft which will prohibit the use of drones for the delivery of packages and other commercial services. At the end of last year, Amazon had raised the prospect of delivering packages via drones. The agency has requested comments on the proposal. A recent Washington Post series highlighted numerous close encounters between commercial aircraft and small drones, as well as many incidents where drones fell from the sky. The National Park Service has prohibited the use of drones in national parks, citing safety concerns. Last year, EPIC urged the Federal Aviation Administration to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Jun. 30, 2014) - Supreme Court Rejects Google's Street View Appeal
The U.S. Supreme Court has denied a petition from Google to reverse the decision in the Google Street View case. In Joffe v. Google, Internet users sued Google for intercepting private communications, including passwords, medical records, and financial information, of millions of users across the country. EPIC filed a friend of the court brief in support of Internet users, arguing that Wi-Fi communications are not "readily accessible to the general public," and that companies should not intercept communications of private residential networks. The Ninth Circuit agreed and found that the wiretap exception for access to "radio communications" does not apply to Wi-Fi networks. More than twelve countries have investigated Google for its collection of private Wi-Fi data, and at least nine countries have found that Google violated their national wiretap laws. For more information, see EPIC: Joffe v. Google and EPIC: Investigations of Google Street View. (Jun. 30, 2014) - FTC Ignores Public Comments on Safe Harbor Settlements
The Federal Trade Commission has settled charges against fourteen companies that misrepresented compliance with the EU-US Safe Harbor privacy arrangement. In response to the FTC's request for public comment on the pending settlements, EPIC recommended that the Commission: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations put genetic information at risk. However, the FTC declined to make any changes. EPIC has previously stated that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." An Irish Court has recently asked the European Court of Justice to determine whether the Safe Harbor Arrangement still provides adequate protection for EU consumers. For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Jun. 27, 2014) - Unanimous Supreme Court Upholds Privacy Rights of Cell Phone Users
The Supreme Court ruled today that a warrantless search of a cell phone violates the Fourth Amendment, even when it occurs during a lawful arrest. The Court's decision in Riley v. California makes clear that "a search of the information on a cell phone bears little resemblance to the type of brief physical search" allowed in the past. The Court said "Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee's person." EPIC, joined by 24 legal scholars and technical experts on the EPIC Advisory Board, filed a friend of the court brief, arguing that cell phones contain a wealth of sensitive personal data, and that officers can reasonably secure phones while they apply for a warrant to search them. EPIC wrote, "Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." The EPIC brief was cited by the Supreme Court in its decision. For more information, see EPIC: Riley v. California. (Jun. 25, 2014) - Defense Agency Adopts Favorable Open Government Rules After EPIC Comments
The Defense Logistics Agency, an agency component within the Department of Defense, has amended its Freedom of Information Act rules. EPIC submitted extensive comments on the initial proposal. EPIC said that several of the proposals are contrary to law, exceed the scope of the agency's authority, and should be withdrawn. The final rule incorporates many of EPIC's recommendations. For example, DLA revised several key definitions, including "administrative appeal," "adverse determination," and "consultation," and modified its general FOIA policy to promote agency transparency. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Jun. 25, 2014) - Coalition to Attorney General: Review FBI's Massive Biometric Database
EPIC, EFF, ACLU, Defending Dissent, and a coalition of over 30 organizations have urged Attorney General Holder to immediately conduct a privacy assessment of the FBI's proposed "Next Generation Identification" system. NGI is a massive database that includes biometric identifiers, such as digitized fingerprints and facial images, of millions of Americans. The system is set to go fully operational despite a required privacy assessment. EPIC previously sued the FBI to obtain details about the system. According to a FOIA document obtained by EPIC, the FBI accepts a 20% error rate for facial recognition searches of the Next Generation Identification database. Last year, EPIC also obtained documents from the FBI regarding the use of facial recognition on state DMV photos. For more information, see EPIC's Spotlight on Surveillance on FBI's Next Generation Identification Program. (Jun. 25, 2014) - Senators Leahy and Cornyn Introduce FOIA Reform Bill
A bipartisan Freedom of Information Act reform bill was introduced today by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX). The FOIA Improvement Act of 2014 addresses chronic problems with overuse of exemptions by federal agencies, excessive fee assessments, and the culture of secrecy. The bill will codify a "presumption of openness" in the processing of FOIA requests. The bill will require agencies to weigh the public interest in disclosure against the agency’s interest in secrecy before withholding documents such as Office of Legal Counsel memos. The FOIA Improvement Act will also close a loophole that agencies have used to make requesters pay excessive fees, even when the agency takes years to process the request. EPIC has recommended many of these reforms. EPIC specifically recommended proposed changes to the "(b)(5)" exemption. For more information see: EPIC: FOIA Cases. (Jun. 25, 2014) - Federal Appeals Court Releases "Drone Killing" Memo, EPIC Filed Amicus
The Court of Appeals for the Second Circuit today made public the legal analysis justifying the Administration's controversial "targeted killing" drone program. The action follows an earlier ruling by the federal appeals court in New York Times v. Department of Justice. The government had argued that this memo could not be disclosed under the Freedom of Information Act because it was a privileged "deliberative" document. But the plaintiffs explained that the government relied on the analysis to defend the program and that it operated as secret law. EPIC filed an amicus brief, supported by seven open government organizations, arguing that under the FOIA such a legal opinion by the Justice Department cannot be a deliberative document. The federal appeals court agreed, and has now released the opinion to the public. Last week, in EPIC v. NSA the Department of Justice released to EPIC NSPD-54, the Presidential Directive concerning cybersecurity. For more information, see EPIC: New York Times v. DOJ and EPIC v. DOJ - Warrantless Wiretapping Program. (Jun. 23, 2014) - EPIC with Civil Society Urge OECD to Examine "Dominant Internet Firms"
Speaking at a high level meeting on Internet Policy Making, EPIC President Marc Rotenberg urged the OECD to examine the impact dominant Internet firms may have on the future of innovation and freedom. Citing the Charter of the OECD Civil Society Council, Rotenberg said "dominant Internet firms are moving to consolidate their control over the Internet. It is vitally important for the OECD to develop a better understanding of the challenge industry consolidations pose to the open Internet." The OECD is well known for the International Privacy Guidelines and is currently updating the Security Guidelines, which establish a global framework for managing cyber risks. A Ministerial meeting will be held in Mexico in 2016. For more information, see CSISAC, EPIC - OECD Privacy Guidelines, OECD Security Guidelines. (Jun. 23, 2014) - Obama Renews Unlawful NSA Bulk Record Collection Program
Today the Attorney General and the Director of National Intelligence announced that the President will seek a renewal of the court order authorizing the NSA's bulk collection of American telephone records through September 12, 2014. The President has chosen to renew this order despite his promise in March 2014 to end the bulk collection program, the widespread opposition from members of Congress, and the recommendations of expert panels. The Attorney General's statement suggests that "legislation would be required" to end the program, but it was the President's decision to seek renewal of the Foreign Intelligence Surveillance Court order. EPIC, along with 25 other privacy organizations, wrote a letter to the President last week urging him not to renew the order. Last summer, EPIC petitioned the Supreme Court to end the NSA's telephone record collection program. EPIC argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC. (Jun. 20, 2014) - EPIC Seeks Records on FTC "Sign-off" for Facebook Changes
EPIC has filed a FOIA request with the Federal Trade Commission, seeking records related to Facebook's decision to collect users' internet browsing history for advertising purposes. Previously, Facebook collected user data from facebook.com and mobile apps. Now, Facebook plans to collect user data from sites all over the web. Facebook claims that the FTC was briefed about the change beforehand. However, the plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. Through the FOIA request, EPIC seeks information about the FTC's review of Facebook's plans to monitor users. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: Practical Privacy Tools. (Jun. 20, 2014) - US Federal Court Upholds "Right to be Forgotten" for Seized Data
A federal appeals court ruled that the government violated the Fourth Amendment when investigators searched computer files that had been seized in an unrelated investigation more than two and a half years earlier. The Second Circuit found that the government has a duty to delete all files not responsive to the original warrant and cannot indefinitely retain data "for use in future criminal investigations." This rule imposes a data minimization requirement on law enforcement investigators and is similar also to the much discussed "right to be forgotten." EPIC argued in favor of the data minimization principles adopted by the Ninth Circuit in US v. Comprehensive Drug Testing. For more information, see United States v. Ganias, EPIC: Quon v. City of Ontario, CA and EPIC: Code of Fair Information Practices. (Jun. 20, 2014) - Senate Cybersecurity Information Sharing Bill Proposed
Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity. (Jun. 20, 2014) - Coalition to President: End NSA's Bulk Collection Program Now
EPIC and a coalition of 25 organizations urged the President and the Attorney General to end the NSA's bulk record collection program when the current authority expires on June 20. In January, the President committed to "end the Section 215 bulk metadata program as it currently exists." The coalition letter states, "[t]he NSA's Bulk Metadata program is simply not effective." Both the Privacy and Civil Liberties Oversight Board report and the President's Review Group report found the NSA's bulk collection to be ineffective. EPIC petitioned the Supreme Court to end the NSA's bulk collection of telephone records after the program was revealed last summer. EPIC's petition argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC. (Jun. 17, 2014) - On Privacy, New Survey Places US Attitudes Among EU Countries
One of the most comprehensive surveys of privacy ever undertaken finds US attitudes toward privacy remarkably similar to those of Europeans. The survey of 15 countries on privacy, and tradeoffs consumers are prepared to make, placed the US squarely in the middle of European countries, roughly between France and Italy on one side and Germany and the Netherlands on the other. The survey looked at current concerns and support for new laws in countries around the globe. According to EMC, "only 27% say they are willing to trade some privacy for greater convenience." A large majority of respondents (81%) expect privacy will decrease in the next five years. But 9 out of 10 respondents want new laws to limit the sale of personal data. Concerns about privacy and support for new laws are somewhat greater in the US than in other countries. For more information, see EPIC - Public Opinion on Privacy. (Jun. 16, 2014) - Canadian High Court Holds Internet Use Protected by Constitutional Privacy Right
The Supreme Court of Canada has ruled that police conducted an unconstitutional search when they used an IP address to obtain subscriber information from an Internet Service Provider without legal authorization. The Court also found Canada’s personal information protection law does not require ISPs to disclose subscriber information to law enforcement. In its analysis, the Court described information privacy as "control over, access to and use of information." The Court stressed that "anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable searches and seizures." Two recent opinions from the European Court of Justice have firmly established the right of information privacy in EU law. EPIC has urged the US Supreme Court to recognize the right of information privacy and also to safeguard the right of anonymity. For more information, see EPIC: NASA v. Nelson, EPIC: Watchtower Bible v. Stratton, EPIC: Internet Anonymity and EPIC: Search Engine Privacy. (Jun. 13, 2014) - Facebook to Profile User Browsing, May Violate FTC Consent Order
Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014) - Senate to Hold Homeland Security Oversight Hearing
The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act cases pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 10, 2014) - Apple Announces New Privacy-Enhancing Techniques in iOS 8
Apple has announced new privacy-enhancing techniques that will limit the ability of third parties to track Apple mobile devices. Specifically, iOS 8 will use "random, locally administered MAC addresses," instead of unique device IDs, to connect to the Internet. Mobile phones can now be tracked by law enforcement and private companies because of the unique MAC address associated with the device. In 2004 when the adoption of IPv6 raised privacy concerns, EPIC recommended that MAC addresses be randomized to avoid tracking. The change in the Apple iOS implements this proposal. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Jun. 10, 2014) - EPIC Urges FTC to Protect Snapchat Users' Privacy
EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendations for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014) - EU Progress on Data Protection
Speaking in Luxembourg this week, EU Commissioner Viviane Reding said that the EU Council moved forward two key data protection goals in 2014. First, there is "agreement on the rules that govern data transfers to third countries." Second, "Ministers agreed on the territorial scope of the data protection regulation. In simple words: EU data protection law will apply to non-European companies if they do business on our territory." Ms. Reding said the EU is on track to ensure "the completion of the Digital Single Market by 2015." For more information, see EPIC - EU Data Protection Directive, EPIC - Council of Europe Privacy Convention and EPIC - "23 US NGOs Support EU Data Protection Regulation." (Jun. 9, 2014) - Senate Holds Hearing on Consumer Location Privacy Protection
The Senate recently held a hearing on the Location Privacy Protection Act of 2014 authored by Senator Franken. In an opening statement, Senator Franken said his "bill makes sure that if a company wants to get your location...they need to get your permission first." FTC Director, Jessica Rich, testified that location data is "sensitive information" that "raises privacy concerns." The FTC recently signed a 20-year consent order with Snapchat after finding the app was collecting location information in contradiction to its stated privacy policy. The FTC investigated Snapchat after EPIC filed a complaint with the agency detailing the company's deceptive practices. EPIC also filed an amicus brief in a location privacy case in which the New Jersey Supreme Court announced a landmark decision, holding that individuals have an expectation of privacy in their cell phone data. For more information, see EPIC: Location Privacy. (Jun. 6, 2014) - EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity
After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority). (Jun. 6, 2014) - EPIC Urges Extended Relief for Driver Privacy Claims
EPIC has filed a "friend of the court" brief in McDonough v. Anoka County, a case involving the Driver's Privacy Protection Act. That law protects the privacy of driver record information held by state Departments of Motor Vehicles. EPIC argued that a court was wrong to dismiss legal claims before people knew that their information was improperly disclosed by the DMVs. EPIC said that courts should follow the "discovery rule" so that victims can bring cases after they learn their personal information has been impermissibly accessed. EPIC has frequently defended this important federal privacy law. For more information, see EPIC - Reno v. Condon, EPIC - DPPA, EPIC - Maracich v. Spears, and EPIC - Gordon v. Softech Int'l. (Jun. 6, 2014) - EPIC Open Government Director Appointed to FOIA Advisory Committee
EPIC Open Government Project Director Ginger McCall has been appointed to the federal government's Freedom of Information Act (FOIA) Modernization Committee. The Committee's goal is to advise on ways to improve the administration of FOIA. It will have 20 members - 10 from within government and 10 from outside of government - and will be chaired by Office of Government Information Services director Miriam Nisbet. The first meeting of the Committee will be held at the National Archives and Records Administration in Washington, DC on June 24, from 10:00AM to 1:00PM. For more information see: NARA: Modernizing FOIA and EPIC: FOIA Cases. (Jun. 6, 2014) - EPIC, Partners Draft Model FOIA Regulations
EPIC, together with Citizens for Responsibility and Ethics in Government, the National Security Archive, and Openthegovernment.org, has drafted model Freedom of Information Act regulations. Under the National Action Plan, the Department of Justice has been tasked with creating a uniform set of FOIA regulations that would apply across the government. EPIC’s model FOIA regulations are designed to make it easier for FOIA requesters to obtain agency documents, favorable fee status, and expedited processing. They would also create a balancing test that agencies would need to satisfy before asserting Exemption 5 for internal agency memos. The model FOIA regulations have received the endorsement of more than 25 transparency and accountability groups. For more information, see ModelFOIAregs.org and EPIC: Open Government. (Jun. 6, 2014) - EPIC Celebrates 20 Years, Gives Awards to Anita Allen, Justin Amash, The Guardian, and Edward Snowden
On June 2, 2014, EPIC celebrated 20 years of privacy advocacy with an awards dinner in Washington, DC. EPIC gave the 2014 EPIC Champions of Freedom Awards to Congressman Justin Amash, The Guardian, and Edward Snowden. Anita Allen received the EPIC Lifetime Achievement Award. Bruce Schneier hosted the event. EPIC President Marc Rotenberg delivered remarks. For more information, see Announcement of EPIC creation in 1994. (Jun. 5, 2014) - Report - Half of American Adults Data Hacked So far This Year
A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint. (May. 29, 2014) - Federal Trade Commission Urges Court to Protect Student Privacy
The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company's privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014) - DHS Privacy Complaints Increase in 2013, Many Databases Kept Secret
The Department of Homeland Security Quarterly Report to Congress details programs and databases affecting privacy. According to the agency, DHS received 964 privacy complaints between September 1, 2013 and November 30, 2013. By contrast, DHS received 295 privacy complaints during the same period in 2011. According to the report, most DHS systems comply with Privacy Act notice requirements. However, the report also indicates that the DHS maintains many databases with personally identifiable information that lack required Privacy Act notices. For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy. (May. 27, 2014) - FTC Report on Data Brokers Fails to Address Consumer Privacy Concerns
The Federal Trade Commission has published "Data Brokers: A Call for Transparency and Accountability." The report follows from an FTC investigation of the data broker industry. The report describes the unbounded collection of personal information about American consumers that is then widely sold in the private sector. The Commission recommended modest legislative changes and failed to address many of consumers' privacy concerns, including profiling and "scoring" of consumers. Commissioner Julie Brill issued a statement, calling for more substantial consumer safeguards. Senators Rockefeller and Markey have also introduced The Data Broker Accountability and Transparency Act of 2014 (DATA Act), which would regulate data brokers and other companies that profit from the sale of consumer information. In 2005, EPIC testified before the House Commerce Committee on "Identity Theft and Data Broker Services" and urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (May. 27, 2014) - EPIC Defends Commercial Driver Privacy
EPIC has submitted comments on a proposed Commercial Driver's License Drug and Alcohol Clearinghouse. Under a new law, employers of commercial drivers will be required to report drug and alcohol test results to the Clearinghouse. Employers will also be required to check the database for test results on drivers. EPIC's comments urged the Transportation Department to: (1) require anyone reporting test results to immediately correct errors and notify employers and potential employers of the inaccurate data; (2) revoke Clearinghouse registration and access for those who fail to comply with Clearinghouse rules; (3) clarify that in addition to the administration petition process, individuals may still amend their records pursuant to the Privacy Act; and (4) implement privacy enhancing techniques like data deletion and anonymization. For more information, see EPIC: Workplace Privacy. (May. 27, 2014) - House Adopts Weakened NSA Reform Bill, Senators Now Look to Improve Privacy and Transparency Protections
The U.S. House of Representatives has voted to adopt a modified USA "FREEDOM" Act. The bill no longer prohibits bulk collection of communications records. Other key provisions were also removed. Senator Leahy said that the bill is "an important step towards reforming" surveillance authorities, but expressed disappointment that the current version "does not include some of the meaningful reforms contained in the original" bill. In 2013 EPIC filed a Petition to the Supreme Court seeking to end bulk collection of telephone call records. EPIC also testified before the House in 2012 that the FISA should not be renewed without adoption of new reporting requirements. For more information, see EPIC: FISA and EPIC: FISA Reform. (May. 23, 2014) - Google Plans Advertising on Appliances, Including Nest Thermostat
In a letter to the Securities and Exchange Commission, Google announced plans to place targeted ads on Google-controlled appliances. Google wrote that "a few years from now, we and other companies could be serving ads and other content on refrigerators, car dashboards, thermostats, glasses, and watches, to name just a few possibilities." The proposal raises significant privacy concerns for the "Internet of Things." Earlier this year, EPIC warned the FTC about Google's acquisition of Nest Labs, maker of a smart thermostat, that "Google regularly collapses the privacy policies of the companies it acquires." Nonetheless, the Commission approved Google's acquisition without further review. For more information, see EPIC: In re: WhatsApp, EPIC: Google/Doubleclick and EPIC: FTC. (May. 22, 2014) - Consumer Reports: 85% of Shoppers Oppose Internet Ad Tracking
According to a recent study by Consumer Reports, consumers overwhelmingly object to having their online activities tracked for advertising purposes. The report found that 85% of consumers would not trade even anonymized personal data for targeted ads. Additionally, 76% of consumers said that targeted advertising adds "little or no value" to their shopping activities. For more information, see EPIC: Public Opinion on Privacy, EPIC: Privacy and Consumer Profiling, EPIC: Online Tracking and Behavioral Profiling, EPIC: Practical Privacy Tools. (May. 20, 2014) - Senate Judiciary Committee Hearing on FBI to Consider Drones, Facial Recognition
The Senate Judiciary Committee's oversight hearing of the FBI will take place on Wednesday, May 21. This is the first FBI oversight hearing since James Comey took over as Director. At the last oversight hearing, Director Mueller admitted that the FBI uses drones for domestic surveillance. The FBI promised to establish privacy guidelines but has failed to do so. The FBI has also failed to address the privacy implications of license plate readers and facial recognition technology. The FBI's Next Generation Identification program, a massive biometric system, is set to go fully operational this year; yet the agency has not established civil liberties safeguards. The database will employ facial recognition, iris recognition, and voice recognition. Documents obtained by EPIC under the FOIA indicate the agency is prepared to accept a 20% error rate for recognition techniques. For more information, see EPIC v. FBI - Next Generation Identification. (May. 20, 2014) - Sprint Pays FCC A Record $7.5M For Violating Do Not Call
Sprint has reached a $7.5 million settlement with the Federal Communications Commission for violations of the Do Not Call national registry. It is the FCC's largest Do Not Call settlement ever. The settlement follows a 2011 consent decree between Sprint and the FCC which also arose out of complaints from Do Not Call registrants. Under the terms of the current settlement, Sprint must develop a compliance plan, and file two years of compliance reports with the Commission. Additionally, Sprint must designate a Do Not Call Compliance Officer and retrain all employees. EPIC has spent 20 years helping to establish and enforce the Telephone Consumer Protection Act. In 2002, EPIC and ten leading advocacy groups filed comments to both the FCC and the Federal Trade Commission, advocating the creation of the Do-Not-Call Registry. EPIC has also recommended that Congress establish a National Do Not Track registry for online consumers. For more information, see EPIC: Do Not Call Registry Timeline, EPIC: Illegal Sale of Phone Records, and EPIC: Federal Trade Commission. (May. 20, 2014) - EPIC Testifies on Student Privacy before California State Assembly
EPIC's Student Privacy Project Director Khaliah Barnes testified before the California State Assembly Education Committee and Select Committee on Privacy, on "Ensuring Student Privacy in the Digital Age." EPIC's testimony: (1) explained how the U.S. Education Department’s regulations encourage mass collection of student data; (2) described the privacy risks that students today face; (3) underscored the need for data security safeguards for states, schools, and private companies accessing student information; and (4) recommended that California adopt EPIC's Student Privacy Bill of Rights. Earlier this week, Senators Markey and Hatch proposed bipartisan student privacy legislation. For more information, see EPIC: Student Privacy. (May. 16, 2014) - Senators Markey and Hatch Propose Student Privacy Legislation
Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have proposed a "Protecting Student Privacy Act." The draft bill would "(1) requires that data security safeguards be put in place to protect sensitive student data that is held by private companies; (2) prohibits the use of students' personally identifiable information to advertise or market a product or service; (3) provides parents with the right to access the personal information about their children - and amend that information if it's incorrect — that is held by private companies just as they would if the data were held by the school itself; (4) makes transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts; (5) minimizes the amount of personally identifiable information that is transferred from schools to private companies; [and] (6) ensures private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information." The legislation highlights many of the protections EPIC endorsed in its Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (May. 15, 2014) - Press Groups Challenge Ban on Commercial Drones
Over a dozen news media organizations filed an amicus brief opposing the Federal Aviation Administration's ban on commercial drones. The ban was suspended earlier this year by an administrative judge. The news organizations argue that the ban violates the media’s First Amendment right of the press; however, the rule concerns public safety, not the content of speech or the identity of the speaker. EPIC, joined by over 100 organizations, previously petitioned the Federal Administration Agency to address the privacy issues raised by drones and the Agency agreed to do so. In response to a request for public comments last year, EPIC urged the Federal Aviation Administration to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (May. 13, 2014) - EPIC Obtains Letter Concerning Justice Department Non-Investigation of Google Street View
Pursuant to the Freedom of Information Act, EPIC has obtained the closing letter from the Department of Justice to Google attorneys in the Street View matter. The letter briefly mentions Google's interception and collection of private Wi-Fi communications across the United States over several years. The disclosure of the activity occurred after a European data protection authority discovered that Google's "Street View" vehicles also captured private Wi-Fi data. More than 12 countries subsequently investigated Google's programs, and at least 9 countries found Google guilty of violating their laws. The letter from the DOJ states that US officials were aware that Google's "equipment collected 'payload' data, including contents of e-mail and Internet addresses typed by users," but the Department "decided not to seek charges" against Google for violating the Wiretap Act. The Ninth Circuit recently affirmed a federal court's decision to allow a class action lawsuit against Google to move forward for wiretap violations stemming from the Street View program. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (May. 13, 2014) - EU Court Rules Google Must Respect Right to Delete Links
The European Court of Justice has upheld the "right to be forgotten" and ruled that Google must delete links upon request concerning private life. The Court also determined that companies are subject to the EU Data Protection Directive and that jurisdiction extends to companies that set up a branch in an EU state. The Court said that since privacy is a fundamental right, it overrules the economic interests of the company and the public interest in access to the information. However, this is not the case concerning one's activity in public life. EPIC has broadly supported the privacy rights of Internet users and the specific right to "expunge" information held by commercial firms. For more information, see EPIC - In re Facebook, EPIC - Expungement, and EPIC - G.D. v. Kenny. (May. 13, 2014) - New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air
New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity. (May. 12, 2014) - Privacy Case Moves Forward Against Facebook and Zynga
The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy. (May. 9, 2014) - EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order
Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involving false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (May. 8, 2014) - EPIC Sues Army for Information About DC Surveillance Blimps
EPIC has filed a Freedom of Information Act lawsuit against the Department of the Army for documents about JLENS, a sophisticated surveillance system that will be deployed over Washington, DC during the next three years. JLENS is comprised of two 250' blimps. One blimp conducts aerial and ground surveillance over a 340-mile range, while the other has targeting capability including HELLFIRE missiles. The JLENS was originally deployed in Iraq. In the FOIA request, EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. EPIC has urged Congress to establish privacy safeguards for aerial drones. For more information, see EPIC: EPIC v. Army - Surveillance Blimps, EPIC: Drones - Unmanned Aerial Vehicles, and EPIC Spotlight on Surveillance (2005) - "Unmanned Planes Offer New Opportunities for Clandestine Government Tracking." (May. 7, 2014) - House Judiciary Committee to Consider Bill to End Bulk Surveillance, Improve NSA Oversight
The House Judiciary Committee has scheduled a markup of the USA Freedom Act. The proposed "Manager's Amendment", sponsored by James Sensenbrenner (R-WI), would prevent bulk collection of phone records and other business records, and would limit the scope of phone record searches. The bill would also (1) limit the collection of US persons' communications by the NSA's PRISM program, (2) require public reports on the use of FISA surveillance, (3) require declassification of significant FISA Court opinions, and (4) create a public advocate at the FISA Court. In 2012, EPIC testified before the House Judiciary Committee on the need for public reports and the declassification of significant FISC opinions. In 2013, EPIC filed a petition with the Supreme Court, alleging that the bulk collection of telephone records was unlawful. For more information, see EPIC: FISA Reform and In re EPIC. (May. 5, 2014) - Annual FISA Report Shows Decrease in Surveillance Orders, Questions About Scope Remain
The Department of Justice has published the 2013 FISA Report. The brief report provides summary information about the government's use of the Foreign Intelligence Surveillance Act. In 2012 the Foreign Intelligence Surveillance Court granted 1,789 FISA orders and 212 "Section 215" orders. In 2013, there were 1,588 requests to conduct FISA surveillance, with 34 modifications. The FISC also granted 178 business record orders under Section 215, with 141 modified by the court. The significant number of modified orders indicates that the government's initial applications are too broad. For example, the controversial NSA Metadata program was authorized by the surveillance court under a modified order. It is possible that in 2013 the court authorized other bulk collection programs. For more information, see EPIC: FISC Orders 1979-2014 and EPIC: FISA Graphs. (May. 1, 2014) - White House Publishes Report on "Big Data and Future of Privacy"
The White House has released a report on big data and the future of privacy. The report "Big Data: Seizing Opportunities, Preserving Values" makes several recommendations to the President: "(1) advance the Consumer Privacy Bill of Rights; (2) pass national data breach legislation; (3) extend privacy protections to non-U.S. persons; (4) ensure data collected on students in schools is used for educational purposes; (5) expand technical expertise to stop discrimination; and (6) amend the Electronic Communications Privacy Act." The report identifies discrimination as a key concern, stating "A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace." The report also recommends the adoption of Privacy Enhancing Technologies. EPIC urged public participation in the review process. The White House report incorporates several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: "Privacy in the Commercial World." (May. 1, 2014) - Facebook Introduces New Privacy Features
Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously - without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organizations, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC. (May. 1, 2014) - Court Denies Hulu's Motion to Dismiss Privacy Case
A federal court has ruled that a privacy class action lawsuit against Hulu, the video streaming service, may continue. Hulu users allege that the company violated the Video Privacy Protection Act by transferring personally identifiable information to both Facebook and the advertising company comScore. The Judge ruled that Hulu's transfer to Facebook of unique IDs, including the user's IP address and Facebook ID, as well as specific video titles would violate the video privacy law. However, the judge determined that Hulu only transmitted anonymized user IDs to comScore and that therefore there could be no legal violation. In 2009, EPIC filed an amicus brief in a similar case in which a company disclosed consumers' identities and video rental histories to Facebook. For more information, see Harris v. Blockbuster and EPIC: Video Privacy Protection Act. (May. 1, 2014) - Google Stops Scanning Student Emails, Ends Data Collection for Advertising
Google has announced it will stop scanning student emails for advertising purposes. Google has also stated that it will no longer display new advertisements in its Apps for Education. Google's announcement follows the demise of inBloom, a private company that acquired student data from school districts across the country. Amid public backlash, inBloom announced it was shutting down. Google and inBloom gained access to student data pursuant to the Education Department's revised regulations that significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. EPIC had previously sued the Education Department for weakening the privacy law that protects student data. Earlier this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 30, 2014) - Supreme Court Considers Privacy of Cell Phones
Today the U.S. Supreme Court heard two cases presenting the question of whether the warrantless search of a cell phone following an arrest violates the Fourth Amendment. A transcript of arguments in the first case, Riley v. California, is here and the second case, United States v. Wurie, is here. The Justices acknowledged that the search of a cell phone is unlike the search of a physical object. Justice Kagan stated "People carry their entire lives on cell phones." EPIC argued in its "friend of the court" brief, signed by twenty-four prominent legal and technical scholars, that "Allowing police officers to search a person’s cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." According to the Pew Research Group, 90% of American adults have smart phones. Approximately 12 million Americans are arrested each year. For more information, see EPIC: Riley v. California and EPIC Blog - Argument Recap: Justices Look to Limit Warrantless Cell Phone Searches. (Apr. 29, 2014) - DHS Releases Cybersecurity Report, NSA Role Remains Murky
The Department of Homeland Security has published the first Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC recommended civilian control of domestic cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see EPIC: Cybersecurity Privacy Practical Implications. (Apr. 25, 2014) - Patent to Block Facial Recognition Follows Sale of Google Glass
A patent for a technology that shields users from nearby video cameras has emerged. The patent describes a detector that would blur the images of people on portable camera displays, preventing video surveillance. The patent surfaced following Google's release of Google Glass for sale by the general public. Google is seeking a patent for a contact lens style for Glass that would escape public detection. Google is also seeking to trademark the word "glass," which the US Patent and Trademark Office opposes. EPIC previously submitted comments to the Federal Trade Commission recommending the suspension of facial recognition techniques pending the establishment of privacy safeguards. For more information, see EPIC: Google Glass and Privacy, EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Apr. 25, 2014) - Report Reveals Rise in Teens' Desire for Online Privacy
A report released by the Intelligence Group, a "youth-focused, research-based consumer insights company," reveals that teens want more online privacy than ever before. According to the report, only 11% of teens currently share "a lot about themselves online" - a 7% decrease from the same age group last year. By contrast, 17% of young adults aged 19 to 24 and 27% of adults aged 25 to 34 currently share "a lot about themselves online." The report also indicates that "about 18% of teens share content on social media at least once a day, including status updates, photos, pins, or articles, compared with 28% of 19- to 24-year-olds and 35% of 25- to 34-year-olds." Recently, EPIC objected to a settlement agreement that would allow Facebook to use images of teens in online advertising. EPIC has also filed comments with the FTC supporting stronger regulations to protect children's data online. For more information, see EPIC: Fraley v. Facebook, EPIC: COPPA and EPIC: FTC. (Apr. 25, 2014) - Tech Standard Dropped Because of Suspected NSA Influence
Following an extensive public comment process, the National Institute of Standards and Technology has removed a cryptographic algorithm from its guidance for random number generators deployed by government vendors. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible. NIST cited its own evaluation and "a lack of public confidence in the algorithm." Last year the NY Times reported that the NSA had intentionally weakened cryptographic standards to enable surveillance, raising concerns about the reliability of key Internet standards. In February, NIST released new guidelines for the development of cryptographic standards. EPIC, joined by several organizations, urged the agency to explain the extent of NSA's role in the standards development process. EPIC previously recommended that NIST inform the public of the full extent of the NSA's involvement in the Cybersecurity Framework. The Computer Security Act of 1987 was passed explicitly to prevent NSA involvement in domestic computer security. For more information, see EPIC: Computer Security Act of 1987. (Apr. 24, 2014) - Supreme Court to Hear Cell Phone Privacy Cases
The Supreme Court is set to hear oral arguments next week in two cases concerning the warrantless search of a cell phone following an arrest. EPIC filed a "friend of the court" brief, signed by twenty-four technical experts and legal scholars, arguing that the Fourth Amendment requires a warrant because of the vast amount of personal information available on a cellphone. EPIC wrote, "Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." Also the Supreme Court this week agreed to review a case considering whether the police may detain a person based on a mistaken interpretation of the law. In Heien v. North Carolina, the person was detained by the police because of a broken taillight. EPIC routinely files amicus briefs in cases raising novel privacy issues. For more information, see EPIC: Riley v. California and EPIC: Amicus Curiae Briefs. (Apr. 24, 2014) - Amid Privacy Backlash, Student Data Firm Dissolves
inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 21, 2014) - Pew Survey Finds Opposition to Drones, Robots, and Google Glass
A national survey conducted by Pew Research Center and Smithsonian Magazine finds the American public optimistic about revolutions in health science and transportation, and concerned about technologies of surveillance. According to the survey, 63% of Americans think it would be a change for the worse if "personal and commercial drones are given permission to fly through most U.S. airspace," while 22% think it would be a change for the better. And 65% expressed concern about increased dependence on robots. Similarly, 53% of Americans think it would be a change for the worse if most people wear implants or other devices that constantly show them information about the world around them. Women are especially wary of a future in which these devices are widespread. Google Glass, an example of such technology, has come under scrutiny from Data Protection authorities as well as Congress. EPIC, joined by 100 other organizations and experts, petitioned the Federal Aviation Administration to address public concerns about privacy and drones. For more information, see EPIC: Google Glass and Privacy and EPIC: Domestic Drones. (Apr. 21, 2014) - Appeals Court Orders Release of Classified Legal Analysis, EPIC Filed Amicus Brief
A federal court of appeals has ruled that the Department of Justice must release the legal analysis justifying the controversial "targeted killing" drone program. The government argued in New York Times v. Department of Justice that the analysis should be exempt from release as a privileged communication. But the ACLU and the New York Times, supported by EPIC and other open government organizations, argued that because the government relied on the legal reasoning to justify the drone program it cannot be kept secret. The Second Circuit agreed, ruling that after "senior Government officials have assured the public" that the program is "lawful and that . . . advice establishes the legal boundaries," it can no longer claim that the document is exempt from FOIA. EPIC has pursued a similar case for more than seven years, seeking the disclosure of the OLC's legal analysis of the Warrantless Wiretapping program. And earlier this year EPIC wrote in the New York Times that if "the Justice Department expects others to follow its advice, the analysis that supports its conclusions should be made public." For more information, see EPIC: New York Times v. DOJ and EPIC: EPIC v. DOJ - Warrantless Wiretapping Program. (Apr. 21, 2014) - EPIC Obtains Documents About FTC's Facebook Investigation
As the result of a Freedom of Information Act request, EPIC has received several hundred pages of documents related to the Federal Trade Commission's investigation of Facebook business practices. The documents include assessments by the FTC of Facebook's privacy changes and communications with the company. EPIC has repeatedly pressed the Commission to enforce the 2012 Consent Order which barred the company from future changes to privacy settings without user consent and committed Facebook to develop a "comprehensive privacy program." EPIC also recently filed a complaint with the FTC about Facebook's acquisition of WhatsApp, an instant messaging service. The EPIC complaint resulted in a stern warning from the FTC not to violate WhatsApp user privacy. For more information see: EPIC: Facebook Privacy. (Apr. 16, 2014) - Coalition Urges White House to Recognize EU Opinion; End NSA Telephone Records Program
In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy. (Apr. 16, 2014) - EPIC v. DOJ: No Analysis of PRISM Legality
In a recently concluded Freedom of Information Act lawsuit, EPIC tried to obtain legal analysis concerning the controversial PRISM surveillance program. The Justice Department responded that "no responsive records" exist. An earlier FOIA case brought by EPIC revealed that the Office of Legal Counsel provided advice on the warrantless wiretapping program of President Bush. But apparently no similar memos exist on the legality of the mass collection of Internet traffic by the NSA. For more information, see EPIC v. DOJ (PRISM). (Apr. 11, 2014) - Court Upholds FTC Authority to Safeguard Data Privacy
A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy. (Apr. 11, 2014) - Car Data Privacy Bill Moves Forward in Senate
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy. (Apr. 10, 2014) - FTC Responds to EPIC Complaint on WhatsApp and Privacy
The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission. (Apr. 10, 2014) - Federal Agencies Fail to Safeguard "Big Data," Breaches Doubled in Just a Few Years
The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administration to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 10, 2014) - FTC Commissioner Wright Meets with Industry Lobbyists, Not Consumer Representatives
Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate representatives but no meetings with public interest organizations representing consumers. One of the FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After the Commissioner repeatedly declined a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission. (Apr. 8, 2014) - FOIA Groups Support EPIC in Case Against NSA
Several open government organizations, including Public Citizen, the Sunlight Foundation, the Project on Government Oversight, Citizens for Responsibility and Ethics in Washington, the Center for Effective Government and Openthegovernment.org have filed an amicus brief supporting EPIC in EPIC v. NSA. EPIC is seeking to obtain a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. After the agency refused to disclose the Directive, EPIC sued the NSA under the Freedom of Information Act. The NSA then disclosed several documents but argued it could withhold NSPD-54 under a narrow legal exemption. Surprisingly, a federal court ruled sua sponte that NSPD-54 was not an "agency record" and simply dismissed the case. The FOIA groups argued that the judge's decision was contrary to FOIA law because NSPD-54 is an agency record and also because courts cannot dismiss such cases, particularly when the agency itself thought it was subject to the law. For more information see: EPIC v. NSA. (Apr. 8, 2014) - European High Court Strikes Down Data Retention Law
In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said that, to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC. (Apr. 8, 2014) - EPIC Warns White House About Privacy Risks of "Big Data"
In response to a request from the White House, EPIC has submitted extensive comments on "Big Data and the Future of Privacy." EPIC warned the White House about the enormous risk to Americans of current "big data" practices but also made clear that the problems are not new, citing the Privacy Act of 1974, which responded to the challenges of "data banks." EPIC noted the dramatic increases in identity theft and security breaches. EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. EPIC wrote, "It is vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics." EPIC and more than 20 organizations previously urged the White House to establish privacy protections for user data that is being gathered by large companies and government agencies. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 7, 2014) - After Public Outcry, Microsoft Reverses Course on Email Search
After criticism by bloggers, consumers, and privacy advocates - including EPIC - Microsoft will change a troubling provision in its privacy policy. In March, Microsoft searched a blogger's private Hotmail account to determine whether the subscriber to the Microsoft service received leaked versions of Windows 8. At the time, Microsoft claimed that the search was permissible under the Microsoft Online terms of service. This week, Microsoft announced it would no longer search customers' accounts itself if it suspected wrongdoing and would instead refer such matters to law enforcement. According to Microsoft, Hotmail has 170 million active users. For more information see: EPIC: Consumer Privacy Bill of Rights. (Apr. 5, 2014) - NGO Coalition Tells President "Establish Privacy Protections for Big Data"
EPIC, along with more than 20 other organizations, sent comments to the White House on "Big Data and the Future of Privacy." The organizations urged the President to establish new safeguards for organizations collecting "big data" including transparency, accountability, robust privacy techniques, and meaningful evaluation. The groups also urged the President to enact the Consumer Privacy Bill of Rights. The incidents of security breaches and identity theft continue to increase in the United States. Meanwhile a new report reveals that consumers are secretly scored by businesses. And the President recently decided to renew the NSA's ineffective telephone record collection program. The White House agreed to accept public comments after EPIC and two dozen organizations petitioned the Office of Science and Technology Policy. The White House has sponsored several conferences on Big Data and the Future of Privacy, though some of the meetings have been closed to the public. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 2, 2014) - EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive
EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document, but a court ruled sua sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014) - Judge Approves Controversial Settlement Over Objection of Consumer Privacy Organizations
A federal judge in California has approved a settlement agreement in a lawsuit against Google that will allow the company to continue to sell data about users' browsing history to advertisers. EPIC and several other consumer privacy organizations objected to the settlement, stating that it requires no change in Google's business practices and provides no benefit to those on whose behalf the case was brought. EPIC and the groups also recommended that the court adopt an objective basis for distributing cy pres funds, noting that the awards are often made for the benefit of the lawyers settling the case and not the class members. Class action settlements have come under increasing scrutiny in recent years, with courts increasingly concerned about collusion between attorneys and faux settlements that do not reflect the purpose of the initial lawsuit. In a case that reached the Supreme Court, Chief Justice Roberts said that courts will need to look more closely at these settlements to determine whether they are fair, whether organizations designated to receive funds reflect the interests of class members, and also the obligation of judges to carefully review these proposals. For more information, see EPIC: Search Engine Privacy and EPIC: Google Buzz. (Apr. 1, 2014) - EPIC to Commerce Department: Uphold the Public's Right to Know
In comments to the Commerce Department about proposed changes to the agency's Freedom of Information Act regulations, EPIC urged the agency not to prematurely close requests. EPIC supported several changes that will make it easier for the public to obtain information from the government agency, but objected to a specific proposal that would allow the agency to terminate pending FOIA requests if requesters do not "reasonably describe the records sought." EPIC said the change was contrary to the purpose of the open government law. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Apr. 1, 2014) - EPIC Supports Challenge to National Security Letter "Gag Orders"
EPIC has filed an amicus curiae brief in In re National Security Letter, a case challenging the government's bulk collection of customer records without judicial approval. Under the current law, companies are not even allowed to discuss these subpoenas or reveal information about the number of NSLs they receive each year. EPIC argued in its friend of the court brief that this "gag order" provision frustrates the public's right to know about a far-reaching government surveillance program. EPIC routinely provides information to the public about government surveillance programs, but is unable to inform the public about NSL surveillance because of the provision now under review by a federal appeals court. For more information, see EPIC: In re NSL and EPIC: National Security Letters. (Apr. 1, 2014) - President Obama Renews Unlawful, Ineffective Surveillance Authority
According to the Attorney General and the Director of National Intelligence, President Obama has renewed the NSA's authority to collect all of the telephone records of all American telephone customers. The "Section 215" program exceeded Congressional authority and was found to be ineffective by two expert panels. At a speech on January 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists. However, according to DNI Clapper, the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and the FISC issued an order approving the government's application. The order issued expires on June 20, 2014. EPIC and others have strongly objected to the renewal of the 215 program. For more information, see EPIC In re EPIC. (Mar. 29, 2014) - Fandango and Credit Karma Settle FTC Charges for Weak App Security
Two companies have settled Federal Trade Commission charges that they misrepresented the security of their mobile apps. Fandango and Credit Karma failed to enable SSL encryption, leaving user data vulnerable on mobile apps. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps," FTC Chairwoman Edith Ramirez said in a statement. The settlements require the companies to establish data security programs, and to undergo security assessments by the Commission for the next 20 years. EPIC recently brought a complaint to the FTC concerning Scholarship.com, a company that failed to establish adequate security safeguards. Not long after the complaint from EPIC, the company implemented SSL. EPIC had earlier recommended that the Commission require encryption for all cloud-based services. For more information, see EPIC: Federal Trade Commission, and EPIC: EPIC Online Guide to Practical Privacy Tools. (Mar. 28, 2014) - Senator Leahy Urges President to End NSA Record Collection Program on Friday
In remarks published this week, Senator Patrick Leahy, Chairman of the Senate Judiciary Committee and co-sponsor of the USA FREEDOM Act, said "I welcome the President's statement that he plans to end the bulk collection of American’s phone records. That is a key element of what I and others have outlined in the USA FREEDOM Act, and that is what the American people have been demanding." Senator Leahy added, "the President could end bulk collection once and for all on Friday by not seeking reauthorization of this program. Rather than postponing action any longer, I hope he chooses this path." EPIC and others have urged the President not to renew the NSA telephone record collection authority when it expires this week. For more information, see In re EPIC. (Mar. 27, 2014) - Deadline Approaches for End of NSA's Telephone Record Collection Program
March 28 marks the deadline set by President Obama to end the NSA's bulk collection of Americans' telephone records. Last week, Attorney General Eric Holder confirmed that the Justice Department is ready to meet the deadline that the President has set. After extensive meetings with leaders of the Intelligence Community, both the President's Review Group and the Privacy and Civil Liberties Oversight Board found the program was ineffective and likely exceeded current legal authority. Senator Leahy, who held extensive public hearings, has stated "This program is not effective. It has to end." EPIC, supported by dozens of legal scholars and former members of the Church Committee, petitioned the US Supreme Court in July 2013 to end the "215" program. For more information, see In re EPIC and EPIC: NSA Verizon Phone Record Monitoring. (Mar. 24, 2014) - White House Updates Privacy Policy, Maintains Anonymous Access But Also Data Retention
A revised privacy policy for the White House will go into effect on April 18, 2014. Users will continue to be able to access information posted on the White House web site anonymously, though personal information will be required for some services. The data retention practice has not changed nor has the policy for the disclosure of personal data to other entities. According to the White House privacy policy, "Information you choose to share with the White House (directly and via third party sites) may be treated as public information." The White House had previously proposed a "Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights", though the policy does not reflect this approach. In the first report ever published on online privacy, "Surfer Beware: Personal Privacy and the Internet," EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." EPIC had also urged the White House to establish Privacy Act safeguards for the use of social media services. For more information, see EPIC: Privacy and Government Contracts with Social Media Companies. (Mar. 24, 2014) - Federal Trade Commission Backs Users in Facebook Privacy Case
The FTC has filed an amicus brief in a case before a federal appeals court concerning Facebook users. If a controversial settlement is approved, Facebook will display the images of users, including young children, in Facebook advertising without consent. Several Facebook users formally objected to the plan, arguing that it would violate state laws. A children's advocacy organization also objected, stating that the "settlement is actually worse than no settlement." The FTC brief explains that state privacy laws do prevent the display of children's images without consent. EPIC also filed an amicus brief in support of the users, explaining that the settlement is unfair and should be rejected. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Mar. 21, 2014) - FTC Adopts EPIC's Recommendations on Improved FOIA Processing
The Federal Trade Commission has issued a final rule updating its Freedom of Information Act fee provisions. EPIC submitted extensive comments to the agency, supporting proposed fee reductions but also recommending changes to strengthen open government. The FTC adopted nearly all of EPIC's proposals. The FTC announced that all "Commission decisions, orders, and other public materials" will be electronically available to all requesters without charge. The FTC also said it would grant requesters additional time to assess fees associated with FOIA requests rather than simply terminate processing. The FTC agreed to be more lenient in resolving unpaid FOIA fees. The Commission also adopted EPIC's recommendation to disclose private sector contract rates for FOIA processing. EPIC routinely comments on agency proposals that impact FOIA requesters' rights. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Mar. 21, 2014) - EPIC Updates Facebook Complaint, Urges Careful Review of WhatsApp Acquisition
EPIC has filed a supplemental complaint regarding Facebook's $19 billion purchase of WhatsApp. WhatsApp users had relied on the messaging app's pro-privacy practices to protect their personal information, while Facebook regularly incorporates user data from the companies it acquires. In the initial complaint, EPIC urged the Federal Trade Commission to block the sale unless adequate privacy safeguards for WhatsApp user data were established. In the supplemental complaint, EPIC provided more evidence that WhatsApp users object to the acquisition. EPIC also highlighted the importance of the FTC's pre-merger review process. Recently, the Commission approved Google's purchase of Nest Labs without considering the privacy implications for consumers. For more information, see EPIC: In re WhatsApp and EPIC: Federal Trade Commission. (Mar. 21, 2014) - Google Admits to Data-Mining Student Emails
In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education. (Mar. 19, 2014) - EPIC Obtains Secret Attorney General Reports on Electronic Surveillance
As a result of an FOIA lawsuit, EPIC has obtained copies of the Attorney General Reports on the government's electronic surveillance activities. These reports have been submitted to Congress every six months since 2001 but have never before been disclosed to the public. These reports include new details about government collection of telephone and Internet records. The reports include the number of US persons targeted for "Pen Register" surveillance under the Foreign Intelligence Surveillance Act. The reports also contain noncompliance incidents and significant foreign intelligence court opinions, but those details have been withheld by the Justice Department. The documents obtained by EPIC also show that the Justice Department told Congress that the collection of telephone subscriber information would decrease, even after the section 215 bulk collection program began. The case is EPIC v. Dept. of Justice, No. 13-961. For more information, see EPIC v. DOJ - FISA Pen Registers and EPIC: FISA Stats. (Mar. 19, 2014) - WhatsApp Founder Responds to EPIC Privacy Complaint
Following Facebook's announced plan to purchase WhatsApp, a popular pro-privacy messaging service, EPIC urged the FTC to block the acquisition. EPIC explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. WhatsApp founder Jan Koum has now published a blog post in response to the EPIC Complaint. Koum wrote, "Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal." He added, "Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point." For more information, see EPIC: In re WhatsApp, EPIC: Federal Trade Commission, and EPIC: In re Facebook. (Mar. 18, 2014) - EPIC Publishes 2014 FOIA Gallery, Highlights Documents Obtained Under Open Government Law
In celebration of Sunshine Week, EPIC has published the 2014 EPIC FOIA Gallery. The gallery highlights documents obtained by EPIC in the past year, such as previously secret records about government surveillance of telephone calls, FBI facial recognition technologies, DHS drones that identify human targets on the ground, the CIA's collaboration with the New York Police Department, and student debt-collectors' lax data security systems. In many of these cases, EPIC "substantially prevailed" and obtained attorneys' fees. EPIC routinely pursues Freedom of Information Act matters to promote government accountability. EPIC published the first FOIA Gallery in 2001. EPIC also publishes an authoritative FOIA litigation manual. For more information, see EPIC: Open Government and EPIC Bookstore: FOIA. (Mar. 17, 2014) - European Parliament: Suspend Safe Harbor, Data Transfers to United States
The European Parliament has voted to halt the Safe Harbor program, which allowed US companies to process data on EU citizens outside of European legal protections. The resolution also recommends that Europe exclude EU-US data transfers from trade negotiations and establish legal remedies for EU citizens who face privacy violations. The resolution would protect whistleblowers, and proposes an independent European data cloud. The resolution follows a six-month investigation, led by MEP Claude Moraes, on the Mass Surveillance of EU Citizens. The report condemned programs of the US and the EU member states. EPIC had urged the Federal Trade Commission to enforce the Safe Harbor, and has recommended the US and EU exclude data transfers in trade negotiations. For more information, see EPIC: EU Data Protection Directive. (Mar. 12, 2014) - With Overwhelming Support, European Parliament Backs New Data Protection Law
In a near-unanimous vote, the European Parliament has voted in favor of a comprehensive data protection regulation. The new law will make several changes to European data privacy law, give citizens better access to their data, restrict the ways it can be used outside the European Union, and punish companies that breach the regulation with significant fines. The regulation will be the first update to European privacy legislation since the EU passed the 1995 Data Protection Directive. EU Justice Commissioner Viviane Reding stated, "The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible." In 2012 and 2013, EPIC and over twenty other US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of this reform. The European Consumer Organization (BEUC) supports the regulation. EPIC has also spoken before the European Parliament in support of the regulation. For more information, see EPIC: EU Data Protection Directive. (Mar. 12, 2014) - Pew Internet Report Identifies Privacy Concerns, New Challenges
According to the Pew Research Report "Digital Life in 2025", experts predict the Internet will become 'like electricity' - less visible, yet more deeply embedded in people's lives for good and ill. Several respondents identified the loss of privacy, and the stratification of privacy rights, as a key concern. The Pew report, conducted with Elon University, asked experts to make predictions about the state of digital life in 2025. EPIC President Marc Rotenberg posed the question - "will the Internet of 2025 be a network of freedom and opportunity or the infrastructure of social control?" For more, see EPIC - Public Opinions on Privacy. (Mar. 12, 2014) - Federal Judge Rules Commercial Drones Legal
A federal judge has ruled that commercial drones are legal, stating that the Federal Aviation Administration has not issued an enforceable regulatory rule that governs commercial drone operation. The FAA plans to appeal the decision. In 2012, Congress told the Agency to implement a plan to integrate drones into the National Airspace by 2015. Shortly after, EPIC, joined by over 100 other organizations, experts, and members of the public, petitioned the FAA to address privacy as part of the integration. As a result, the Agency published a notice with proposed privacy requirements for drone operators. EPIC submitted comments in response to the notice, urging the Agency to mandate minimum privacy standards for drone operators. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. Several states have passed drone privacy laws and bills are also pending in Congress. For more information, see EPIC: Domestic Drones. (Mar. 10, 2014) - EPIC Asks Supreme Court to Protect Cellphone Privacy
EPIC, joined by twenty-four technical experts and legal scholars, has filed a "friend of the court" brief in a Supreme Court case concerning the warrantless search of a cell phone. In Riley v. California, the Court will determine whether the search of a phone following an arrest violates the Fourth Amendment if no warrant is obtained. Lower courts are currently divided on this issue. EPIC's amicus brief explains that "modern cell phone technology provides access to an extraordinary amount of personal data . . . Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." EPIC's brief describes the vast amount of personal information available on the phone and from the phone. "From a cellphone," EPIC explains "users can even see into their homes and control devices and appliances." EPIC points out that "there is no need to allow warrantless searches when currently available techniques allow law enforcement to secure the cell phone data pending a judicial determination of probable cause." EPIC routinely participates in privacy cases before the US Supreme Court. For more information, see EPIC: Riley v. California, EPIC: EPIC Amicus Curiae Briefs. (Mar. 7, 2014) - After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data
The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education. (Mar. 7, 2014) - EPIC Urges FTC Investigation of WhatsApp Sale to Facebook
EPIC has filed a complaint with the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired. The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger. (Mar. 6, 2014) - EPIC Presents 2014 Domestic Privacy Champion Award to Evan Hendricks
EPIC has presented the 2014 Domestic Privacy Champion Award to Evan Hendricks, the publisher of Privacy Times. Hendricks received the award in recognition of his work in consumer privacy protection and for his work in publishing Privacy Times, a significant resource in the privacy world. In 2013, EPIC presented the Domestic Privacy Champion Award to Susan Grant. On January 28, EPIC awarded Jan Philipp Albrecht with the International Privacy Champion Award as part of International Privacy Day. (Mar. 5, 2014) - Citron, Felten, Lewis, Lysyanskaya, Marwick, McDonald, Moglen, and Vladeck Join EPIC Advisory Board
EPIC has announced the 2014 members of the EPIC Advisory Board. They are Danielle Citron, Professor at University of Maryland School of Law, Edward Felten, Professor of Computer Science and Public Affairs at Princeton University, Harry R. Lewis, Professor of Computer Science at Harvard University, Anna Lysyanskaya, Professor of Computer Science at Brown University, Alice E. Marwick, Assistant Professor of Media Studies at Fordham University, Aleecia M. McDonald, Director of Privacy at the Stanford Center for Internet & Society, Eben Moglen, Professor of Law and Legal History at Columbia Law School, and David Vladeck, Professor of Law at Georgetown University Law Center. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Press Release For more information, see EPIC: EPIC Advisory Board. (Mar. 5, 2014) - White House to Accept Public Comments on Big Data and Privacy Review
The White House is requesting public comments on the Obama Administration's "Big Data and the Future of Privacy" review. EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations, petitioned the Office of Science and Technology Policy last month to accept public comments. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." The letter sets out several important questions, including whether current laws are adequate and whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. Comments are due by March 31, 2014. For more information, see EPIC: Big Data and the Future of Privacy. (Mar. 5, 2014) - In FOIA Lawsuit, EPIC Obtains Secret Reports on Data Collection
In a Freedom of Information Act lawsuit, EPIC has obtained reports that detail the number of times the Surveillance Court authorized the use of techniques that gather the telephone numbers and metadata of phone customers and Internet users. The previously secret reports obtained by EPIC cover the period between 2000 and 2013. The reports reveal a dramatic increase in the use of these techniques in 2004 and then a significant reduction in 2008, likely the consequence of a shift to other investigative techniques. The documents show that nearly all applications to the Surveillance Court were approved without modifications. In 2013, EPIC petitioned the Supreme Court to end the bulk telephone record collection program. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information see: EPIC v. Department of Justice - Pen Register Reports, EPIC: Foreign Intelligence Surveillance Court Orders 1979-2012, and In re EPIC. (Mar. 3, 2014) - House Passes FOIA Reform Bill
The House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA's exemptions demonstrate that there would be a "specific identifiable harm," tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. For more information see: EPIC: Open Government. (Feb. 28, 2014) - EPIC Files FOIA Lawsuit for Information About Massive Telco Database "Hemisphere"
EPIC has filed a Freedom of Information Act lawsuit for records about "Hemisphere," a massive telephone record collection program operated by the Drug Enforcement Agency in cooperation with AT&T. Under the program, law enforcement agencies access billions of detailed customer phone records, including location data, dating back to 1987 in routine criminal matters unrelated to national security. EPIC filed the complaint after the federal agency failed to respond to EPIC's FOIA request for information about the operation and legal authority for the program. EPIC has previously challenged the NSA's bulk collection of telephone records in a petition to the US Supreme Court. For more information, see EPIC: In re EPIC (NSA Telephone Record Surveillance), EPIC: Hemisphere and EPIC v. DEA (Hemisphere FOIA). (Feb. 28, 2014) - Supreme Court Allows Warrantless Search of Home
In a case that narrows the warrant requirement for searches of homes, the Supreme Court upheld the warrantless search of a suspect's home by the LAPD after the person objected. In Fernandez v. California, the officers returned to the apartment of the resident after he had been arrested, and obtained consent from a roommate to conduct a search. Justice Alito, writing for the 6-3 majority, found that the roommate's consent was sufficient once the defendant was no longer present. Justice Ginsburg, writing in a dissent joined by Justices Sotomayor and Kagan, argued that the decision "tells the police they may dodge" the warrant requirement and is contrary to a prior decision of the Court. In Georgia v. Randolph, the Supreme Court previously ruled that when one occupant refuses to consent to a search, the other's consent is not sufficient to permit a search. EPIC has previously filed amicus briefs in a number of important Supreme Court Fourth Amendment cases. For more information, see EPIC: United States v. Jones, EPIC: Maryland v. King, EPIC: Amicus Curiae Briefs. (Feb. 26, 2014) - White House and MIT to Host Conference on Big Data and Privacy
On March 3, 2014, the White House and MIT will cohost "Big Data Privacy: Advancing the State of the Art in Technology and Practice." The conference is part of the White House's Big Data and the Future of Privacy initiative and will feature keynotes from Counselor to the President John Podesta and Secretary of Commerce Penny Pritzker. Scholars, privacy advocates, government representatives and private sector leaders will explore the opportunities and challenges of big data and examine the use of Privacy Enhancing Techniques. President Obama has called for a "comprehensive review of big data and the future of privacy." In response, EPIC and a coalition of consumer and scientific organizations outlined key questions for the White House to explore, and also asked the Office of Science and Technology Policy to encourage public participation. For more information see EPIC: Big Data and the Future of Privacy, EPIC: Privacy and Consumer Profiling, and EPIC: Privacy Tools. (Feb. 24, 2014) - EPIC, Coalition Urge President Obama to Advance Privacy Bill of Rights
EPIC, along with a coalition of over 40 public interest organizations, has urged the President to implement the Consumer Privacy Bill of Rights, a comprehensive framework for privacy protection. The letter comes on the two-year anniversary of the Administration's introduction of the Privacy Bill of Rights, which includes baseline privacy principles, such as individual control and transparency, respect for context and focused collection, and better access, accuracy, and accountability. The President called the Privacy Bill of Rights a "blueprint for privacy in the information age" and said his Administration "will work to advance these principles and work with Congress to put them into the law." The letter from the organizations states, "We urge you to work with those in Congress who favor the privacy rights of Americans, who support updates to privacy law, and who understand why this issue is so critical to so many Americans. And let those who stand in the way explain to their constituents why they believe that it is not necessary for Congress to do anything further to protect the fundamental rights of Americans." For more information, see EPIC: White House: Consumer Privacy Bill of Rights. (Feb. 24, 2014) - EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement
EPIC has filed an amicus brief urging a federal appeals court to overturn a controversial consumer privacy settlement. If the Fraley v. Facebook settlement is approved, Facebook will display the images of Facebook users, including young children, for commercial endorsement without consent. Facebook users opposed "Sponsored Stories" and several have formally objected to the settlement, including a children's advocacy organization which said that the "settlement is actually worse than no settlement." The MacArthur Foundation also withdrew, stating it should not have been designated to receive funds. EPIC's amicus brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected. EPIC also notes that Chief Justice Roberts expressed concerns about a similar privacy settlement involving Facebook. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Feb. 21, 2014) - EPIC Urges FTC to Strengthen Safe Harbor Settlements
EPIC has submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions. According to the FTC, twelve companies misrepresented compliance with the EU-US privacy arrangement. EPIC recommended that the Commission revise the proposed orders to: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations put genetic information at risk. EPIC also noted that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Feb. 21, 2014) - DHS Open Government Report Reveals Increased Backlog and Use of Law Enforcement Exemptions
The Department of Homeland Security has released the 2013 Freedom of Information Act Report detailing the agency's attempts to comply with the federal open government law. The FOIA requires each agency to provide the numbers of requests received and processed, the time taken to respond, the outcome of each request, and other statistics. In 2013, the DHS reported a significant increase in its FOIA backlog, which rose from 28,553 unanswered requests in 2012 to 53,598 unanswered requests in 2013. Of the nine exemptions that an agency can invoke to withhold documents, DHS relied most heavily on exemption 7(C) (law enforcement records that if released would constitute an invasion of personal privacy) and 7(E) (law enforcement records that if released would disclose law enforcement techniques or procedures), which is significant because the DHS is not a law enforcement agency. DHS reported granting about 7% of requests for expedited processing. EPIC has prevailed in several FOIA lawsuits against DHS, and has also worked to reform the agency's FOIA processing practices for other requesters. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal, EPIC v. DHS - Social Media Monitoring, and EPIC v. DHS - SOP 303. (Feb. 21, 2014) - Massachusetts Court Upholds Privacy Protection for Location Records
In Commonwealth v. Augustine, the Massachusetts Supreme Judicial Court ruled that an individual has a reasonable expectation of privacy in cell phone location records held by a company. Article 14 of the Massachusetts Constitution, similar to the Fourth Amendment, provides that individuals should be free from "unreasonable searches, and seizures." The court held that obtaining two weeks of phone location records was a search, requiring a warrant. EPIC filed "friend of the court" briefs in Commonwealth v. Connolly, a similar case in Massachusetts concerning warrantless GPS tracking, and State v. Earls, a case in which the New Jersey Supreme Court held that location data is protected under the state constitution. EPIC also filed a brief in In re U.S. Application for Historical Cell Site Data, where an appeals court held that users have no reasonable expectation of privacy in location records under the Fourth Amendment. The Massachusetts Supreme Court considered all three cases. For more information, see EPIC: Location Privacy. (Feb. 20, 2014) - Children's Advocacy Group Withdraws from Facebook Settlement
The Campaign for Commercial-Free Childhood has turned down $290,000 from a controversial consumer privacy settlement concerning Facebook's Sponsored Stories. The children's advocacy group said, "We now believe that this settlement is actually worse than no settlement. It harms vulnerable teenagers and their families under the guise of helping them...we cannot benefit from a settlement which we now realize is harmful to children and will impede future efforts to protect minors' privacy on Facebook." The MacArthur Foundation withdrew from the Fraley settlement last year, suggesting the funds be redirected to "other non-profit organizations engaged in the underlying issues." And in a related case, Chief Justice Roberts suggested that the Supreme Court will need to address "fundamental concerns surrounding the use of such remedies in class action litigation." EPIC has worked closely with consumer privacy organizations and federal courts to improve class action settlements, arguing that settlements in consumer privacy cases should improve consumer privacy and that awards should be allocated to organizations aligned with the interests of class members. For more information, see EPIC: Fraley v. Facebook. (Feb. 20, 2014) - DHS Cancels Nationwide License Plate Tracking System
The Department of Homeland Security has cancelled a plan to build a national license plate tracking database. The database would have included the license plate records of car owners across the country, obtained from private companies and law enforcement agencies. The request for bids lacked any consideration of privacy protections. EPIC, through various Freedom of Information Act requests, had obtained extensive documents on the current programs operated by the Customs and Border Protection and the Federal Bureau of Investigation. The documents uncovered by EPIC show that both agencies failed to adequately address the privacy implications of license plate readers. For more information, see EPIC: License Plate Recognition Systems. (Feb. 20, 2014) - Senators Rockefeller and Markey Propose Data Broker Legislation
Senators Rockefeller and Markey have introduced the Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint led to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Feb. 13, 2014) - Senate Hears from Privacy Oversight Board, NSA "Metadata" Program is Ineffective
At a Senate Judiciary Committee hearing today, members of the Privacy and Civil Liberties Oversight Board discussed their review of the Section 215 program, concerning the collection of telephone records on US telephone customers. The Privacy and Civil Liberties Oversight Board's 238-page report found that the program was not effective and had not prevented any terrorist incidents. Recent reports also indicate that only 30% of phone records are actually collected, calling into question the value of the "metadata" program. Senate Judiciary Chairman Patrick Leahy stated that "the administration has not demonstrated" that the program "is uniquely valuable to justify the massive intrusion upon American's privacy." The President recently announced that the current bulk collection program would end and announced a transition process, requiring judicial approval of queries, prior to the expiration of the current authority on March 28. For more information, see EPIC: NSA Verizon Phone Record Monitoring. (Feb. 12, 2014) - Court Denies EPIC Injunction in FOIA Case for Surveillance Reports
A federal judge has denied EPIC's motion for a preliminary injunction that would have required the Department of Justice to complete processing of EPIC's Freedom of Information Act Request for FISA "Pen Register" reports within 20 days. In EPIC v. DOJ, EPIC sought public disclosure of the reports that describe the collection of the bulk Internet metadata from 2004 to 2011. The Justice Department granted EPIC's request for expedited processing in November 2013, but has not yet disclosed any responsive records. After EPIC filed suit and moved for a preliminary injunction, the Justice Department notified EPIC that it intends to complete processing of the reports by February 28, 2014. For more information, see EPIC v. DOJ (FISA Pen Register Reports). (Feb. 11, 2014) - EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees
EPIC has accepted the NSA's offer to settle a Freedom of Information Act case EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see EPIC v. NSA - Cybersecurity Authority. (Feb. 11, 2014) - EPIC, Coalition Urge White House to Listen to Public on "Big Data and Privacy"
EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations, petitioned the White House's Office of Science and Technology Policy to accept public comments on the Big Data and The Future of Privacy study now underway. The Office's primary function is to advise the President on scientific and technological issues. The President announced the Big Data review during a recent speech on NSA reform. The petition calls on the Office of Science and Technology Policy to incorporate the concerns and opinions of the public and lays out a number of important questions to consider, including whether current laws are adequate and also whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. For more information, see EPIC: Privacy and Consumer Profiling. (Feb. 10, 2014) - Homeland Security Revised Traveler Screening Violates Federal Privacy Act
The Transportation Security Administration and Customs and Border Protection, components of the Department of Homeland Security, have announced plans for agency record disclosures without Privacy Act notifications. The agencies' Common Operating Picture ("COP") program would permit TSA and CBP to exchange personal information held by the agencies to place travelers on federal watch lists. Although TSA and CBP have proposed new uses for personal data, the agencies have declined to solicit public comments as required by the Privacy Act. Currently, the agencies use the Automated Targeting System to perform "risk assessments." EPIC has called for DHS to suspend "risk-based" passenger profiling and to make public the algorithms that are used to assess travelers. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Feb. 10, 2014) - New Limits on NSA Telephone Record Program Established, Authority Expires March 28
The Foreign Intelligence Surveillance Court has granted the government’s motion to limit access by the NSA to the bulk telephone records provided by US telephone companies. Under the new rules, the government cannot "query" the telephone metadata until after the court finds that there is a "reasonable, articulable suspicion that the selection term is associated with" a terrorist organization. The new rules also limit query results to telephone numbers within "two hops" of the selector. President Obama announced the new legal requirement during his recent speech on surveillance reform, when he committed to end the NSA’s bulk record collection program. The NSA's authority to force US telephone companies to turn over records on all their customers will expire on March 28th. The President has recommended that the Intelligence Community and the Attorney General propose an alternative to the bulk collection program prior to that deadline. For more information, see EPIC: FISC and EPIC: NSA Verizon Phone Record Monitoring. (Feb. 7, 2014) - EPIC Recommends Safeguards For Facial Recognition Technology
In a letter to the Department of Commerce, EPIC called on the agency to develop a facial recognition framework based on the Fair Information Practices ("FIPs"). The National Telecommunications and Information Administration is meeting to address the commercial use of facial recognition, which has seen a backlash. Google banned facial recognition apps and services and Europe required Facebook to discontinue the use of facial recognition for photo tagging. Today Senator Al Franken raised concerns about NameTag. Senator Franken, in a letter to the app developer, called for the delay of the app's release until best practices are established. In comments to the Federal Trade Commission, EPIC previously recommended the suspension of facial recognition technology until adequate safeguards are established. For more information, see EPIC: Face Recognition. (Feb. 5, 2014) - FTC Chair Ramirez Urges Senate to Act on Data Security Legislation
The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission. (Feb. 5, 2014) - EPIC Launches Privacy Rights Blog
EPIC has launched a new Privacy Rights Blog, where staff members and guests will write longer-form posts about current issues, including student privacy, domestic surveillance technology, the Fourth Amendment, FOIA law, national security oversight, and consumer privacy. These posts will provide the EPIC staff with a new way to engage our readers, and we look forward to addressing important emerging issues. If you have comments or suggestions for future blog topics, please contact us at blog [at] epic [dot] org. For more information, see Privacy Rights Blog @ EPIC.org. (Feb. 5, 2014) - "I will reform our surveillance programs," President Obama Tells Nation
Stating that "America must move off a permanent war footing," President Obama announced (video) at the State of the Union that "working with this Congress, I will reform our surveillance programs." (50:30) The President continued, (text) "because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated." Citing the need to close the prison in Guantanamo, the President also said "we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world." EPIC and other consumer privacy organizations have urged the President to move forward the Consumer Privacy Bill of Rights and to support the International Privacy Convention. (Jan. 29, 2014) - EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht
EPIC has given the 2014 International Champion of Freedom Award to European Parliament Member Jan Philipp Albrecht for "modernizing and defending the law of data protection." As a rapporteur for the Committee on Civil Liberties, Justice and Home Affairs, Albrecht has led the effort in the European Parliament to update European privacy law. He is also an outspoken defender of privacy rights and has promoted the investigation of the NSA program of mass surveillance. Albrecht received the award from EPIC at the annual Computers, Privacy, and Data Protection conference in Brussels. Previous award recipients include privacy activist Max Schrems, Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In't Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28, International Privacy Day. (Jan. 27, 2014) - Oversight Board Calls for End of NSA Telephone Records Program
Today the Privacy and Civil Liberties Oversight Board called for the end of the section 215 program that allows the NSA to collect the telephone records of all Americans. In a comprehensive report, the Oversight Board unanimously found that "the NSA's Section 215 program has not proven useful in identifying unknown terrorists or terrorist plots" and that "telephone calling records, when collected in bulk and subjected to powerful analytic tools, can reveal highly sensitive personal information." A majority of the board also concluded that Section 215 did not permit the routine collection of all telephone records on all Americans. The report set out 12 recommendations discussing additional privacy safeguards, greater transparency, and improvements to the Foreign Intelligence Surveillance Court. The members of the Oversight Board unanimously supported almost all of the recommendations. EPIC urged the Board last year at a public workshop to (1) find that section 215 does not permit the collection of all telephone records by the NSA; (2) improve reporting of FISA activities; (3) establish new safeguards for transparency and accountability; and (4) reconsider the Constitutional basis of metadata collection in light of the scope of the government's activities and recent Supreme Court opinions. EPIC had earlier petitioned the Supreme Court to find the 215 program unlawful. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Jan. 23, 2014) - White House Announces Review of "Big Data and the Future of Privacy"
Following the President's speech on reform of the intelligence collection programs, White House counselor John Podesta has announced "a comprehensive review of the way that 'big data' will affect the way we live and work; the relationship between government and citizens; and how public and private sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy." This is the first major privacy initiative announced by the White House since the release of the Consumer Privacy Bill of Rights in 2012. The undertaking will involve key officials across the federal government, including the President’s Science Advisor and the President's Council of Advisors on Science and Technology. EPIC has participated in several workshops and studies concerning the intersection of privacy and "big data." (Jan. 23, 2014) - EPIC, Amnesty International Urge President Obama to Support Privacy in Annual State of the Union
EPIC President Marc Rotenberg, Amnesty International Secretary General Salil Shetty, and members of the EPIC Advisory Board have asked President Obama to support privacy and the international privacy convention in the annual State of the Union speech next week. The State of the Union falls this year on January 28, which is also International Privacy Day. EPIC and Amnesty are urging the President to express support for privacy as a fundamental human right and to begin the process of ratification of the international Privacy Convention, supported by more than forty countries around the world. In 2013, many members of the US Congress, including Senator Patrick Leahy, expressed support for International Privacy Day. Members of the EPIC Advisory Board also wrote to then Secretary of State Hillary Clinton about the Privacy Convention, urging US support. For more information, see EPIC - Council of Europe Privacy Convention and EPIC - Letter to Secretary Clinton (2010). (Jan. 23, 2014) - EPIC Files Appeal, Challenging Secrecy of Presidential Directives
EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority. (Jan. 22, 2014) - Obama Announces End of NSA Telephone Record Collection Program
In a widely anticipated speech (video) on reform of the NSA, President Obama announced he would end the NSA telephone record collection program, first requiring a court order for all queries and then ending the NSA massive record request prior to the next renewal. EPIC, legal scholars, the President’s Review Group, and sponsors of the USA FREEDOM Act, including Senator Patrick Leahy and Senator Ron Wyden, had urged the President to take this step. The President also said that the Administration would move to implement “a majority of the recommendations” made by the Review Group. The President announced several other reform measures, including a public advocate for the Foreign Intelligence Surveillance Court, new privacy rights for non-US citizens, more transparency for data collection, a narrowed focus on foreign data collection, greater oversight of signals intelligence, a new Privacy Coordinator at the White House, and a new panel to look closely at privacy and “Big Data.” Still, the President may not have gone far enough to address the scope of NSA programs, the privacy rights of those outside the US, and the need to ensure stronger technical safeguards for Internet stability and reliability. The President also did not indicate whether the U.S. would move to ratify the Council of Europe Privacy Convention or seek legislation to enact the Consumer Privacy Bill of Rights. For more information, see White House Fact Sheet. (Jan. 18, 2014) - Supreme Court to Rule on Cellphone Privacy
Today the U.S. Supreme Court granted certiorari in Riley v. California and United States v. Wurie, two cases involving the warrantless search of an individual's cell phone incident to arrest. The Court will need to determine whether the Fourth Amendment limits a law enforcement officer from searching through the troves of data that are stored on an individual's cell phone when that individual is arrested. Courts have previously held that officers can search an individual's person and effects when they place them under arrest. But modern cell phones enable access to a wealth of personal data, which is unrelated to the Government’s reason for securing an arrestee. For more information, see EPIC: Riley v. California and EPIC: Amicus Curiae Briefs. (Jan. 17, 2014) - Senate Commerce Committee Considers Rules for Domestic Drones
The Senate Committee on Commerce, Science, and Transportation held a hearing on "the Future of Unmanned Aviation in the U.S. Economy: Safety and Privacy Considerations." Senator Dianne Feinstein noted the threat that drones pose to both privacy and safety, and described how a drone once flew outside her home during a demonstration. Later in the hearing, Senator Ed Markey, who has written legislation to safeguard privacy, held up an AR Parrot Drone. And Senator Cory Booker said that drones put him "between my Star Trek aspirations and my Terminator fears." The Committee heard testimony from FAA Administrator Michael Huerta. The FAA is responsible for integrating drones into the U.S. domestic airspace by 2015. EPIC had petitioned the FAA to implement privacy rules for drones. The FAA responded to EPIC's petition and has required, as an interim step, each of the six selected test sites for drone deployment to establish a public privacy policy. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones. (Jan. 17, 2014) - Supreme Court Lets Stand Fourth Amendment Protections At the Border
This week the Supreme Court declined to review the decision of the Ninth Circuit in United States v. Cotterman, leaving in place expanded Fourth Amendment protections for searches occurring at the U.S. border. In Cotterman, the federal appeals court held that the Fourth Amendment requires a border agent to have reasonable suspicion before using forensic tools to search laptops, cameras, and other digital devices. The court emphasized that the "comprehensive and intrusive nature of the forensic examination" is the key factor in triggering greater Fourth Amendment scrutiny. EPIC has previously argued that advanced traveler screening methods should only be employed subject to privacy protections. For more information, see EPIC: Traveler Privacy, EPIC: Florida v. Jardines, and EPIC: Amicus Curiae briefs. (Jan. 15, 2014) - Review Group to Senate: NSA Program Has Not Prevented Threats
Members of the President's Review Group presented their recommendations for NSA reform at a Senate Judiciary Committee hearing. EPIC participated in the work of the Review Group. The expert panel set out 46 recommendations on a range of issues from reforming intelligence surveillance directed at United States persons to promoting prosperity, security, and openness in the networked world. The Members stated that the NSA's bulk collection of metadata had not prevented threats against the United States and recommended that it be ended. Acknowledging privacy concerns, former CIA Deputy Director Michael Morell also stated that "there is quite a bit of content in metadata." Last year, EPIC filed a petition in the Supreme Court challenging the legality of the NSA's telephone record collection program. Legal scholars and former members of the Church Committee supported the EPIC petition. The Supreme Court dismissed the petition without ruling on the merits. For more information, see In re EPIC.
(Jan. 15, 2014) - Senator Markey Outlines New Student Privacy Legislation at EPIC Event
At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at the EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy. (Jan. 14, 2014) - DHS Appeals Ruling in EPIC's "Internet" Kill Switch Case
The Department of Homeland Security has appealed a ruling for EPIC in a Freedom of Information Case involving Standard Operating Procedure 303, a protocol which describes the government's plan for deactivating wireless communications networks. Seeking information about the First Amendment and public safety implications of the protocol, EPIC filed a FOIA lawsuit against the agency. A federal court ruled that the protocol could not be withheld under the FOIA because it was not an investigative technique and DHS had not established that releasing the document would cause harm to any individual. Therefore, the court concluded, the documents EPIC sought should be turned over. The Department of Justice has now appealed that decision to the D.C. Circuit Court of Appeals. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Jan. 13, 2014) - EPIC Settles FOIA Case, Obtains Body Scanner Radiation Fact Sheets
EPIC has received the documents that were the subject of EPIC's Freedom of Information Act appeal to the D.C. Circuit in EPIC v. DHS (Body Scanner FOIA Appeal). The agency had previously withheld test results, fact sheets, and estimates regarding the radiation risks of body scanners used to screen passengers at airports. EPIC challenged the lower court's determination that the factual material was "deliberative" and therefore exempt from the FOIA. After filing an opening brief to the D.C. Circuit, EPIC participated in a new appellate mediation program. As a result of the mediation, EPIC obtained not only the records sought, but also attorneys' fees. The fact sheets show that the agency did not perform a "quantitative analysis" of risks and benefits before implementing the body scanner program. EPIC addressed that concern in the 2011 lawsuit EPIC v. DHS (Suspension of Body Scanner Program). That EPIC case also had a favorable outcome, and ultimately resulted in the removal of backscatter x-ray scanners from US airports. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal and EPIC v. DHS - Suspension of Body Scanner Program. (Jan. 10, 2014) - French Data Protection Authority Fines Google for Data Consolidation
The CNIL, the French data protection authority, has fined Google 150,000 Euro (approximately $200,000) for consolidating user data. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. In 2012, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Jan. 9, 2014) - Senator Leahy Proposes Consumer Privacy Legislation
Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft. (Jan. 9, 2014) - Federal Communications Commission Seeks Public Comment to Protect Phone Record Privacy
The Federal Communications Commission has invited public comments on a petition requesting the FCC to rule that the sale of consumer phone records to the government is a violation of the federal Communications Act. EPIC joined the petition, which was organized by Public Knowledge. In 2013, EPIC urged the FCC to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. In 2013 EPIC also wrote to the FCC to explain that Verizon had likely violated the Communications Act when it disclosed telephone records to the NSA. Public comments on the petition are due January 17, 2014 and reply comments are due February 3, 2014. For more information, see EPIC: CPNI (Customer Proprietary Network Information), and EPIC: Foreign Intelligence Surveillance Act. (Jan. 7, 2014) - Department of Defense Proposes Autonomous Drones, Expanded Surveillance Mission
A new Department of Defense report "Unmanned Systems Integrated Roadmap" sets out "a technological vision for the next 25 years" of drone deployment. The DOD report suggests that budget cuts are increasing the need for autonomous drones with onboard intelligence. One documentary describes the role of the Department of Defense in developing sophisticated surveillance technologies. The new DOD report states that surveillance is one of the primary purposes for pursuing drone technology, particularly for "surveillance missions that involve prolonged observation." An EPIC FOIA request revealed that domestic drones deployed by the Department of Homeland Security can be deployed with the ability to intercept electronic communications and to recognize individuals on the ground. EPIC has recommended privacy safeguards to limit drone surveillance in the United States. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones. (Jan. 7, 2014) - Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public
The Court of Appeals for the D.C. Circuit has ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier opinion that the memo was privileged advice, and exempt from disclosure under the Freedom of Information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a "friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see EPIC v. NSA: Cybersecurity Authority and EPIC: New York Times v. DOJ. (Jan. 3, 2014) - Snapchat Data Breach Exposes 4.6 Million Usernames
A data breach has exposed the usernames and partial phone numbers of 4.6 million users of Snapchat, a popular photo- and video-sharing app. The breach was accomplished by exploiting a flaw that was previously brought to the company's attention by security researchers. Last year, EPIC filed a complaint with the Federal Trade Commission regarding Snapchat's deceptive claim that photos would "disappear forever" after a set period of time. The Federal Trade Commission has thus far failed to take action on the EPIC complaint. For more information, see EPIC: Federal Trade Commission. (Jan. 2, 2014)