Previous Top News: 2015
- FTC Issues Enforcement Policy Statement on Deceptive "Native" Advertising
The FTC has issued an enforcement policy statement on the use of "native" advertisements and other deceptive advertising that appear to be non-advertising content. The FTC's statement affirmed that ads must clearly be identifiable to consumers as advertising and not editorial content. EPIC previously filed an amicus brief in Fraley v. Facebook objecting to Facebook's "Sponsored Stories" that implied the user endorsed the brand to their friends. EPIC's prior complaint to the FTC regarding Facebook's privacy practices helped establish privacy rules for the social media network. (Dec. 22, 2015) - EPIC Urges OMB to Update Open Government Plan
EPIC and a coalition of transparency advocates urged the Office of Management and Budget to comply with President Obama's plan to promote open government. The OMB is expected to produce an open government plan, "describ[ing] how it will improve transparency." However, OMB Has failed to act even as the Administration has urged other governments to adopt similar plans. "The failure is particularly troubling," wrote the groups, "because OMB is an agency with a central oversight role on information policy, it has responsibility for implementation of this plan, and it often serves as the right hand of the President." EPIC and others previously called on President Obama to address weaknesses in open government administration and support FOIA reform. (Dec. 21, 2015) - Ignoring Federal Law, TSA Drops Opt-Out Option for Body Scanners
The TSA has used a "Privacy Impact Assessment Update" to announce an unlawful procedure for screening air travelers in the United States. The agency claims that it may "mandate body scanner screening for some passengers." In EPIC v. DHS (Suspension of Body Scanner Program, the D.C. Circuit Court of Appeals ruled that the screening was Constitutional because passengers could always opt out. As Judge Ginsburg explained, "any passenger may opt-out of AIT screening in favor of a patdown, which allows him to decide which of the two options for detecting a concealed, nonmetallic weapon or explosive is least invasive. "The TSA has also failed to "act promptly," as the Court mandated, to finalize the legal authority for the program. (Dec. 19, 2015) - EPIC Urges FTC to Protect Consumers Amid Surge in Cross-Device Tracking
EPIC filed comments with the FTC on a new advertising practice with significant privacy implications. EPIC urged the FTC to limit "cross-device tracking," linking what a person types on their phone with what they see on their laptop or television. EPIC said the FTC should use its enforcement authority to investigate device tracking practices. EPIC also said the FTC should prohibit the cross-device tracking of minors. EPIC has played a leading role in developing the FTC's privacy authority. Several EPIC complaints are currently pending before the FTC, concerning "always on" devices, Uber's privacy policy, and Facebook's Psychological Study. (Dec. 17, 2015) - Senators Blumenthal, Markey Propose Do Not Track Legislation
Sen. Richard Blumenthal and Sen. Edward Markey have introduced the Do Not Track Online Act of 2015, to limit online tracking. The bill directs the FTC to develop a simple Do Not Track mechanism that would allow consumers to stop companies from collecting their personal information. The bill authorizes the FTC and state attorneys general to bring enforcement actions against companies that refuse to honor consumers' requests. EPIC has previously said that an effective mechanism must ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." (Dec. 17, 2015) - EPIC to File "Friend of the Court" Brief in FCC Privacy Case
EPIC today filed a notice of intent in ACA Int'l v. FCC, a case about the consumer protections from unwanted and harassing phone calls. The Telephone Consumer Protection Act prohibits most automated solicitations unless the customer has given consent. Last summer, the Federal Communications Commission issued an order giving consumers more control to limit harassing telemarketing practices. Several marketing companies opposed the FCC order, which EPIC will now defend. EPIC contributed to the establishment of the TCPA and has submitted numerous comments to help ensure the Act's effective implementation. (Dec. 16, 2015) - House Adds Cyber Surveillance to Budget Bill
Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity. (Dec. 16, 2015) - DHS and State Department Pushing for Increased Social Media Monitoring
According to reports and statements from former Homeland Security officials, the DHS has initiated three "pilot programs" to analyze social media posts during the visa review process. Prior to 2014, a DHS policy prohibited social media monitoring by immigration officials. EPIC successfully obtained documents in 2012 detailing the DHS social media monitoring policies, including instructions to analysts to monitor criticism of the agency. EPIC also submitted a letter to congressional leaders, outlining how DHS officials misrepresented their policies in a Homeland Security Committee hearing. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity. (Dec. 16, 2015) - European Institutions Conclude Data Protection Reform
The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a "major step forward for consumer protection and competition," said Jan Philip Albrecht. Sophie In’t Veld said, "The EU will now have the most extensive data protection laws in the world and will set global standards." EPIC, and many consumer privacy organization have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, "The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe." (Dec. 15, 2015) - Obama Administration Gets Failing Grade on Surveillance Reform
EPIC has launched a scorecard for the 46 surveillance reform recommendations made two years ago by the President's Review Group on Intelligence and Communications Technologies. Although some of the recommendations have been fully implemented, the Administration has failed to implement most of them. The recommendations set out to limit NSA surveillance, expand judicial oversight, create new transparency requirements, update federal privacy laws, and create a new privacy agency. During the review process, EPIC met with the review group and submitted extensive comments to the panel, specifically urging the end of the bulk record collection program. (Dec. 15, 2015) - EPIC Named Among Top-Ranked U.S. Think Tanks
EPIC has been ranked among the most influential thinks tanks in the United States. At #16, EPIC placed behind the Council on Foreign Relations and the Brookings Institution, but ahead of CSIS, the Aspen Institute, the Woodrow Wilson Center, and the New America Foundation. Established in 1994 to focus public attention on emerging privacy and human right issues, EPIC works with distinguished experts in law, public policy, and technology. Recent publications include Privacy in the Modern Age: The Search for Solutions and Privacy Law and Society. More at the EPIC Bookstore and EPIC Commentaries. (Dec. 15, 2015) - FAA Requires Drone Registration but Again Fails to Limit Drone Surveillance
The FAA has published an rule requiring drone registration by December 21st. Owners of small drones will be required to pay a small fee and provide their name, physical address, and e-mail address. The agency announced that the registration database will be searchable, but owner e-mail addresses will not be made public. EPIC filed extensive comments on the proposed registration scheme, recommending that drones broadcast registration IDs and include information about surveillance capabilities. The FAA acknowledged EPIC's comments, but failed to adopt the recommendations. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit Court of Appeals. (Dec. 14, 2015) - Congress Calls on Education Department to Protect Student Privacy
Congress has enacted the "Every Child Achieves Act of 2015," a law that provides technology funding for schools but requires extensive student data collection. In recognizing the substantial student privacy risks the law poses, Congress stated that the Education Department "should review all regulations addressing issues of student privacy, including those under this Act, and ensure that students' personally identifiable information is protected." The Act also requires ongoing compliance with L2and other applicable state privacy law. EPIC previously sued the Education Department for weakening federal student privacy protections. EPIC supports establishment of a Student Privacy Bill of Rights. (Dec. 14, 2015) - Senate Postpones Action on Weak EU-US Privacy Measure
The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOS have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted." (Dec. 12, 2015) - EPIC Urges Supreme Court to Review Cellphone Shutdown Case
Today, EPIC filed a brief to the U.S. Supreme Court in a long-running campaign to obtain the government's cellphone shutdown policy. EPIC has sought the secret policy from the DHS since 2012 after government officials disabled cellular service at a BART station during a peaceful protest. In the latest filing, EPIC countered the DHS's opposition to the high court's review of the case. EPIC highlighted the government's inconsistent views on the law, and urged the Court to resolve "a direct conflict between the D.C. Circuit and the Second Circuit" Courts of Appeals. EPIC successfully obtained a redacted version of the procedure, but is fighting to uncover more of the secret document. (Dec. 11, 2015) - Report on "Still Interested?" Letters Delayed Until 2016
The federal FOIA Ombudsman informed EPIC that an investigation into the open government practices of the Department of Homeland Security won't be finished until March 2016. In 2014, EPIC and other open government advocates urged the Office of Government Information Services to investigate "still interested?" letters. The DHS has sent these letters to FOIA requesters to prematurely terminate open government requests. EPIC objected to the practice and explained that "no provision in the FOIA allows for administrative closures." (Dec. 10, 2015) - Senate Judiciary Committee Holds FBI Oversight Hearing
The Senate Judiciary Committee held an oversight hearing with FBI Director James Comey. Following the calls of some political leaders to exclude Muslims from the United States, Senator Leahy warned leaders to not "succumb to the politics of fear and lose sight of our fundamental American values." Director Comey continued to advocate for weakened encryption to enable law enforcement access to private communications. EPIC has championed strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC has also urged oversight of the FBI's Next Generation Identification program, a massive biometric database, that lacks appropriate privacy safeguards. (Dec. 10, 2015) - EPIC Celebrates Human Rights Day
On December 10, EPIC celebrates international Human Rights Day. On December 10, 1948, the United Nations adopted the Universal Declaration of Human Rights. The Declaration sets out civil, political, cultural, economic, and social rights. EPIC pursues the global recognition of privacy, a fundamental right set out in Article 12 of the Universal Declaration. Follow @EPICPrivacy on Twitter! #HumanRightsDay (Dec. 10, 2015) - Wyndham Settles FTC Charges Over Failure to Safeguard Customer Data
Wyndham Hotels has settled charges with the FTC that the company's data security practices unfairly exposed the financial data of hundreds of thousands of customers to hackers. Earlier this year, in FTC v. Wyndham, a federal appeals court upheld the FTC's authority to enforce data security standards. EPIC's amicus brief filed in Wyndham played an important role in defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers. (Dec. 9, 2015) - Massachusetts Court Hears Arguments in Student Privacy Case
The Massachusetts Supreme Judicial Court heard arguments yesterday in Commonwealth v. White, a case concerning both student privacy and cell phone privacy. EPIC filed an amicus brief in the case, arguing that the police should obtain a warrant before seizing a student's cell phone. EPIC explained that "digital is different," and therefore the legal standard for school searches of contraband does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court case on cell phone searches that upheld a warrant requirement. The EPIC State Policy Project is based in Cambridge, Massachusetts. (Dec. 9, 2015) - EPIC to Defend Privacy Statute in Federal Appellate Case
EPIC appears in court today in In re Nickelodeon, a case concerning the Video Privacy Protection Act. The privacy law bars companies from disclosing personally identifiable information about users of Internet video services. Children who watch videos on Nick.com believe that Viacom disclosed their viewing records to Google for adverting purposes. The companies dispute this, claiming that cookies and IP addresses are not personally identifiable. EPIC's "friend of the court" brief argues that the definition of personal information in the privacy law is "purposefully broad to ensure that the underlying intent of the Act--to safeguard personal information against unlawful disclosure--is preserved as technology evolves." EPIC Senior Counsel Alan Butler will represent EPIC before the court. (Dec. 8, 2015) - At UNESCO, EPIC's Rotenberg Argues for Algorithmic Transparency
Speaking at UNESCO headquarters in Paris, EPIC President Marc Rotenberg explained that algorithms, complex mathematical formulas, have an increasing impact on people's lives in such areas as commerce, employment, education, and housing. He warned that processes would continue to become more opaque as more decision making was automated. He said to experts in Freedom of Expression, Communication, and Information at UNESCO that "knowledge of the algorithm is a fundamental right, a human right," EPIC has launched a new program on Algorithmic Transparency, building on the work of several members of the EPIC Advisory Board. (Dec. 8, 2015) - EPIC Promotes Open Access to Law, Criticizes Government Website Tracking
EPIC has submitted comments recommending changes to Circular A-130, the government policy for managing federal information resources. Building on prior comments supporting increased access to public court records, EPIC urged federal agencies to make legislation, statutes, rules, regulations, and other relevant court documents available to the public on agency websites. EPIC also recommended that the federal government refrain from tracking website visitors. EPIC has previously argued against government tracking of people seeking access to public information, and pushed for increased privacy protections on government platforms. EPIC's 2009 Freedom of Information Act request revealed that government contractors providing social media services lacked privacy protections. (Dec. 5, 2015) - Austrian Supreme Court to Consider Schrems' Case against Facebook
The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. "The 'class action' is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook," says Schrems. EPIC frequently works to protect the interests of Internet users in facing common violations of privacy rights. (Dec. 4, 2015) - White House Announces Federal Privacy Council
White House OMB Director Shaun Donovan announced plans to establish a new Federal Privacy Council. The Privacy Council will develop and coordinate privacy strategies and best practices across the federal government. Director Donovan remarked, "Government has a critical role in enforcing and ensuring protections for the privacy of its citizens." Donovan also announced plans to update privacy guidance for federal agencies. Donovan highlighted the White House's efforts to protect privacy and civil liberties, including the White House Consumer Privacy Bill of Rights and Big Data Review. EPIC recently urged Congress to enact the Consumer Privacy Bill of Rights and establish an independent privacy agency. (Dec. 4, 2015) - EPIC, Coalition Criticize Platform for Comments to Government
EPIC and a coalition of open government organizations submitted a letter to the Office of Management and Budget regarding revisions to Circular A-130, a government policy for access to information resources. The groups expressed concern about a poorly designed Internet service -- GitHub -- that created "new barriers to public participation in government decision-making." EPIC and its partners called on the OMB to "ensure meaningful public participation by notifying the public of opportunities to comment and accepting comments in other formats." EPIC frequently submits comments to state and federal agencies. OMB is accepting comments on A-130 through December 5. (Dec. 4, 2015) - Schrems Pursues Legal actions to Block Data Transfers to the US
EU Privacy Advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to to block Facebook data transfers to the United States. Schrems says he wants to "ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance." NGOs in the Europe and the United Stated have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US. (Dec. 2, 2015) - Markey and Barton Pursue VTech Data Breach
Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex) have asked VTech, "How do you protect children's information?" The electronic toy produced,recently exposed the personal profiles of millions of children in a cyber hack. The personal date included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, data the company collects about children, and security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Childrens Online Privacy Protection Act. (Dec. 2, 2015) - Federal Court Lifts Gag Order on National Security Letter Recipient
For the first time, a federal court has lifted a national security letter gag order, allowing an Internet Service Provider to publish the FBI's demands for records of user web browsing history, IP addresses, online purchases, and location information. The FBI issues thousands of NSLs each year, forcing companies to disclose troves of consumer records without probable cause. Recipients are preventing from acknowledging these warrantless searches. EPIC filed an amicus brief in In re National Security Letter, arguing that NSL gag orders frustrate the public's right to know about government surveillance programs. (Dec. 1, 2015) - Freedom Act Goes Into Effect, NSA Bulk Data Collection Ends
The Director of National Intelligence has announced that the NSA's bulk collection of domestic telephone records under "Section 215" ended yesterday when the USA Freedom Act took effect. The Freedom Act ended the NSA's 215 Program and established new transparency and accountability rules for the Foreign Intelligence Surveillance Court. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. (Nov. 30, 2015) - TSA Continues Delay of Legal Authority for Airport Body Scanners
The Transportation Security Administration is expected to issue a final rule on airport body scanners by March 3, 2016, nearly five years after the D.C. Circuit Court of Appeals ordered the agency to "promptly" solicit pubic comments on the controversial scanners. In 2011, EPIC successful challenged the TSA's unlawful deployment of airport body scanners. Following EPIC's lawsuit, backscatter x-ray devices were removed from U.S. airports. Still, the agency continues to ignore public comments that overwhelmingly favor less invasive security screenings. (Nov. 24, 2015) - EPIC to Receive More Documents in Boater Surveillance Case
This morning a federal judge in Washington, D.C. ordered the U.S. Coast Guard to release to EPIC, within sixty days, additional documents on the "National Automated Identification System,' a controversial boater tracking program that EPIC is investigating. According to documents previously obtained by EPIC, the Department of Homeland Security believes that boaters have "no expectation of privacy with regard to any information transmitted" on the Automated Identification System. The documents also reveal that the DHS fuses AIS data with other government data to develop detailed profiles on boaters. EPIC has previously expressed support for AIS to promote maritime safety, but warned that the NAIS system exceeds this purpose. In January, EPIC expects to receive contracts and privacy impact assessments that were previously withheld. (Nov. 24, 2015) - In Court: EPIC Urges Massachusetts to Protect Student Privacy
EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding a student privacy case. EPIC said that the police should obtain a warrant before seizing a student's cell phone. Citing a recent Supreme Court case, EPIC explained "Modern cell phones . . . implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. In Riley v. California, a unanimous Supreme Court held that a search of cell phone required a warrant. EPIC previously filed an amicus brief in Commonwealth v. Connolly, a Massachusetts case concerning GPS tracking. The EPIC State Policy Project is based in Cambridge, Massachusetts. (Nov. 23, 2015) - EPIC to FAA: Proposed Registration Requirements Fall Short
The FAA Drone Task Force Final Report fails to ensure the safe operation of drones in the United States. The committee proposed only that drone operators (1) register online, (2) receive a universal registration number, and (3) mark the number on drones prior to operation. In comments to the agency, EPIC recommended that drones broadcast registration numbers, and that registration include drone surveillance capabilities and contact information for operators, such as phone numbers. The FAA's former top drone official told the Associated Press that drone surveillance capabilities will contribute to safety risks. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. That case is pending before the D.C. Circuit Court of Appeals. (Nov. 23, 2015) - EPIC Opposes NSA Plan to Expand Operations Database, Demands Privacy Act Compliance
EPIC submitted comments to the NSA objecting to the agency's proposal to expand its "Operations Records" database. This database is already largely exempt from Privacy Act safeguards, and the proposal would vastly expand the types of information collected in the database and define new routine uses for this information. EPIC's comments addressed the privacy issues raised by the Operations Records database and NSA's proposed changes, opposed further expansion of NSA's information collection activities, and demanded that NSA narrow the Privacy Act exemptions for the system if the proposal goes forward. EPIC has previously urged NSA to conduct information collection activities in compliance with the Privacy Act. (Nov. 23, 2015) - Administrative Decision Tosses LabMD Data Security Case
An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The admin judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Nov. 21, 2015) - Congress Examines (Lack of) Drone Privacy and Safety
This week a House Committee examined "The Fast-Evolving Uses and Economic Impacts of Drones." Chairman Burgess, echoing comments from other committee members, stated, "there are important questions around privacy laws and safety." The FAA Modernization and Reform Act of 2012 required the FAA to develop a "comprehensive plan" to integrate drones into national airspace by September 30, 2015. Despite missing the deadline, the FAA has granted over 2,220 exemptions for commercial drones even as safety and privacy concerns increase. More than 100 privacy experts and organizations petitioned the FAA to establish privacy safeguards prior to the deployment of drones. EPIC has sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones. (Nov. 20, 2015) - Congress Explores Risk of Student Record Data Breach
A Congressional Committee held a hearing on the Education Department's information security program. In 2014, the Department's Inspector General found that the "information systems continue to be vulnerable to serious security threats." The hearing revealed that the Education Department maintains at least 139 million Social security numbers in one of its databases. The Department has 184 information systems and 120 of those systems are managed by outside parties. For years, EPIC has warned of growing student privacy and security risks. EPIC has urged congress to enact the Student Privacy Bill of Rights to protect student data. (Nov. 19, 2015) - In Court: EPIC Pursues Drone Privacy Safeguards
EPIC has filed an additional brief in EPIC v. FAA. The case follows from an act of Congress requiring a "comprehensive plan" for drone deployment and EPIC's petition, joined by more than 100 hundred experts, that urged the agency to establish drone privacy rules. In the most recent court filing, EPIC challenged the agency's rationale for dismissing the petition. EPIC also argued the FAA improperly ignored privacy concerns in a recent rulemaking on small drones. The FAA conceded that drones, "because of their size and capabilities, may enhance privacy concerns," but still did not propose privacy safeguards. The United States Court of Appeals for the DC Circuit is expected to hear argument in the case early next year. (Nov. 19, 2015) - EPIC Warns ICANN about Lack of Privacy for WHOIS Data
In comments to ICANN, EPIC urged the Internet policy organization to comply with privacy law and privacy standards. ICANN manages the Whois database, a publicly accessible repository of domain name registrants' contact information. EPIC has long criticized ICANN for exposing personal data to spammers, stalkers, and criminal investigators. Internet privacy expert Stephanie Perrin recently stated, "The existing policy and trigger mechanisms reflect at best a basic failure to comprehend the way data protection law works, at worst a determination to be as difficult and intransigent as possible." In the latest comments, EPIC warned ICANN that failure to comply with legal standards could leave the organization subject to enforcement action, following the Schrems decision in Europe. ICANN's final report is due December 1. (Nov. 18, 2015) - EPIC to Testify on Car Privacy and Data Security
EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers. (Nov. 17, 2015) - NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights
Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic. (Nov. 12, 2015) - Federal Appeals Court Revives Google Cookie Tracking Suit
A federal appeals court has reinstated a class action alleging that Google and internet advertising companies unlawfully placed tracking cookies on users' web browsers. A reasonable jury could conclude that Google's "deceitful override of the plaintiffs' cookie blockers" constitutes a "serious invasion of privacy" under California law. The appeals court also held that tracked URLs could constitute "content" under the federal Wiretap Act, though it ultimately upheld the dismissal of all federal law claims for other reasons. EPIC filed an amicus brief in a similar case, arguing that Viacom's disclosure of IP addresses and unique device identifiers to Google violated the Video Privacy Protection Act. (Nov. 12, 2015) - EPIC Supports Drone Registration Proposal
In comments to the FAA, EPIC urged the agency to require all drone operators to register in a federal drone registry. An FAA task force, lacking any privacy experts, is developing a plan for a national registry. EPIC said registration is critical for public safety and privacy protection. EPIC recommended that the FAA require drones to broadcast identification information and that the registration database detail a drone's surveillance capabilities. EPIC also urged the agency to provide privacy protections for the personal information of hobbyists. Earlier this year, EPIC sued the FAA for failing to establish privacy rules for commercial drones as mandated by Congress. (Nov. 11, 2015) - EPIC Obtains Documents on Secret DNA Forensic Source Code
In response to EPIC's state public records requests, Virginia and Pennsylvania have both released documents about "TrueAllele," a proprietary technique used in DNA forensic analysis. Virginia released to EPIC a validation study and validation summary prepared by the Virginia Department of Forensic Science. Pennsylvania produced purchase and service contracts, technical specifications, and user manuals for TrueAllele. Agencies in California, Louisiana, Pennsylvania, and Virginia have stated that they do not have access to the TrueAllele source code that they are using to produce evidence against defendants. EPIC's open government requests cited the importance of algorithmic transparency in the criminal justice system. (Nov. 10, 2015) - Court Suspends NSA Phone Record Collection Program
A federal court in Washington D.C. has ordered the National Security Administration to halt the bulk collection of domestic telephone records, ruling that the indiscriminate collection violates the Fourth Amendment. Following the USA Freedom Act, the telephone records program will expire at the end of the month. The government has moved to stay the judge's order. In 2013, EPIC brought the first challenge to the NSA surveillance program in the Supreme Court. EPIC has also testified before Congress on the need to reform the Foreign Intelligence Surveillance Court, and led a broad coalition urging the President to end the NSA surveillance program. (Nov. 10, 2015) - European Commission Issues Guidance on Data Transfers Post-Schrems
The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic." (Nov. 6, 2015) - Privacy Groups Urge Ninth Circuit to Find NSA Metadata Program Illegal
EPIC and other privacy groups have filed a friend of the court brief in United States v. Moalin, the first criminal case challenging the NSA's warrantless surveillance of Americans' telephone records. The lower court refused to reopen the case after it was revealed that data acquired by the NSA provided the primary evidence for the criminal conviction. EPIC and other groups argued in their brief that metadata is protected under the Fourth Amendment. EPIC previously argued in Smith v. Obama that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." In In re EPIC, EPIC petitioned the Supreme Court to end the NSA's bulk telephone record collection program, which occurred with passage of the USA Freedom Act. (Nov. 5, 2015) - In EPIC Lawsuit, FAA Concedes Drone Privacy Risks
The Federal Aviation Administration has filed a brief in response to EPIC's lawsuit, EPIC v. FAA, charging that the agency failed to establish privacy rules for commercial drones as required by law. EPIC sued the agency after Congress required a "comprehensive plan" for drone deployment and a petition, backed by more than one hundred organizations and privacy experts, called for privacy safeguards. In its response to EPIC, the FAA acknowledged that the comprehensive plan "recognizes the privacy issues that may be heightened" by drone surveillance. The FAA also conceded that drones, "because of their size and capabilities, may enhance privacy concerns," but the agency has still not begun the process of developing regulations to safeguard privacy. (Nov. 5, 2015) - US Releases Updated Open Government Plan
The United States has released its Third Open Government National Action Plan, an initiative pursued by countries and NGOs participating in the Open Government Partnership. In response to recommendations proposed by EPIC and a coalition of civil society groups, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The White House, however, failed to incorporate other recommendations such as publishing FISC opinions and pledging to limit the use of the FOIA's b(5) Exemption. EPIC and others previously called on President Obama to address weaknesses in open government administration and push for meaningful FOIA reform. (Nov. 5, 2015) - EPIC Sues for Release of Secret EU-US "Umbrella Agreement"
EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit. (Nov. 4, 2015) - Tech Funding Bills Could Upgrade Student Privacy
Congress may soon incorporate student privacy safeguards into legislation for digital learning in the classroom. Congress needs to merge two bills that provide technology funding for schools but require extensive student data collection -- the "Every Child Achieves Act of 2015" (S. 1177) and the "Student Success Act" (H.R. 5). Pending student privacy bills include the "Student Privacy Protection Act of 2015" (H.R. 3157)), the "Student Privacy Protection Act of 2015" (S. 1341), the "Student Digital Privacy and Parental Rights Act of 2015'' (H.R. 2092), and the "Protecting Student Privacy Act of 2015'' (S. 1322). EPIC supports establishment of a Student Privacy Bill of Rights. (Nov. 4, 2015) - Rep. Chaffetz Bill Would End Warrantless Stingray Surveillance
Rep. Jason Chaffetz has introduced a bill in the U.S. Congress that would prohibit government agencies from using cell-site simulators (or stingrays) without a warrant in most circumstances. The Cell-Site Simulator Act of 2015 would also explicitly exclude stingrays from the pen register statute currently used by law enforcement to conduct stingray operations with less than probable cause. The government would still be able to conduct warrantless stingray operations under the Foreign Intelligence Surveillance Act or in emergencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant. EPIC has also filed amicus briefs arguing that cell phone location data is protected by the Fourth Amendment. (Nov. 4, 2015) - EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law
In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows, US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic." (Nov. 2, 2015) - As Meetings Begin, Drone Registration Task Force Fails to Include Privacy Groups
The FAA has released the membership list of the Drone Registration Task Force, which is charged with drafting recommendations for a federal drone registry. Notably, the Task Force does not include any privacy organization or privacy experts. EPIC filed an expedited FOIA request for the Task Force membership list and called on the FAA to publicly release the information. Earlier this year, EPIC sued the FAA for failing to establish privacy rules for commercial drones as mandated by Congress. The public may submit comments on the Drone Registration plan however the Task Force meeting location and agenda remains secret. (Nov. 2, 2015) - Not So Picture Perfect: Snapchat Will Store User Content Forever
Snapchat, a popular mobile app that promised "to vanish" user messages, photos, and videos, will now store user content forever, following changes to its terms and conditions. Snapchat now claims the right to "host, store, use, display, reproduce, modify, . . .and publicly display" users' content forever. This change may violate the 2014 consent order with the Federal Trade Commission, which prohibits Snapchat from making false claims about how the company protects user information. The FTC's 2014 consent order resulted from EPIC's complaint which stated that the company violated Section 5 because "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." (Nov. 2, 2015) - EPIC Joins Call for Transparency on Number of Americans Caught in NSA Surveillance
EPIC, joined by over 30 other organizations, urged the Director of National Intelligence, James Clapper, to disclose data on how many Americans are caught up in NSA surveillance of foreign targets. Americans’ communications are incidentally collected under Section 702 of the Foreign Intelligence Surveillance Act, and the FBI searches this data without a warrant or judicial oversight. EPIC, in testimony before Congress and comments to the Privacy and Civil Liberties Oversight Board, has repeatedly called for greater oversight and transparency of surveillance authorities. (Nov. 2, 2015) - EPIC Obtains Documents on Boater Tracking Program
In response to an EPIC FOIA lawsuit, the U.S. Coast Guard has released documents relating to a controversial boater tracking program, NAIS (National Automated Information System). According to the documents obtained by EPIC, boaters have "no expectation of privacy with regard to any information transmitted on AIS." They also reveal that the agency fuses AIS data with other intelligence data to develop detailed profiles on boaters. The agency has transferred AIS data, which is subject to the Privacy Act, to at least 75 federal, state, local, and private entities. EPIC is anticipating the release of additional documents. (Oct. 30, 2015) - Supreme Court to Hear Critical Consumer Privacy Case
On Monday the Court will hear arguments in Spokeo v. Robins, a Fair Credit Reporting Act case brought on behalf of consumers whose rights were violated by the "people search" website. EPIC, technical experts, legal scholars, 15 other groups, and the U.S. Solicitor General, filed "friend of the court" briefs in support of the plaintiff. Citing the national epidemic of data breaches, identity theft, and financial fraud, EPIC argued to the Court this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC brief was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board. (Oct. 29, 2015) - Army Loses Surveillance Blimp; Blimp Roaming the East Coast
One of the military's controversial surveillance blimps has broken free from its tether in Maryland and is now drifting over Pennsylvania. According to a report, the blimp is now floating at 16,000 feet and dragging a 6,700 foot cable. Through a FOIA lawsuit filed earlier this year, EPIC uncovered details about the Army's plan to fly two "JLENS" blimps over the Washington, DC area. The several thousand documents uncovered by EPIC describe the use of JLENS, as well as the Army's relationship with the contractor Raytheon, which has proposed a video surveillance capability. (Oct. 28, 2015) - Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights
Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration "Fundamental Rights are Fundamental." Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the "Bridges" report is "remarkably out of touch with the current legal reality and what we need to do to address it." The NGO leaders also criticized the organizers of the Amsterdam conference for "the failure to engage" many new challenges to data protection, including "Big Data" and drone surveillance. Privacy campaigner Simon Davies wrote, "There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust." (Oct. 28, 2015) - Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill
Senator Patrick Leahy (D-VT) urged fellow Senators to remove a proposed open government exemption in a pending cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. EPIC has also set out recommendations for FOIA reform. (Oct. 27, 2015) - EPIC Seeks Disclosure of Drone Task Force Participants
In a letter today, EPIC called on the FAA and Department of Transportation to make public the members of a new drone task force. The task force, announced last week, will make recommendations for a federal drone registry. The Transportation Secretary said that the task force will be composed of 25 to 30 individuals, but it is unknown whether privacy and safety advocates will be included. EPIC also filed an expedited FOIA request for the information, citing the fast-approaching November 20th deadline for the task force's recommendations. (Oct. 27, 2015) - D.C. Circuit Orders TSA to Produce Schedule for Final Rule on Body Scanners
The Court of Appeal for the D.C. Circuit today ordered TSA to comply with the ruling in EPIC v. DHS and conduct an "expeditious" rulemaking on the use of body scanners at airports. EPIC successfully sued TSA in 2011 to compel notice-and-comment rulemaking after the agency failed to solicit public comments as required by law. EPIC said the body scanner program was "unlawful, invasive, and ineffective." The backscatter x-ray devices were subsequently removed from U.S. airports, though the millimeter devices remain. In 2015 the Competitive Enterprise Institute filed a petition to compel TSA to issue a final rule as required by the EPIC v. DHS mandate. TSA now has 30 days to submit a rulemaking plan to the court. (Oct. 23, 2015) - After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies. (Oct. 23, 2015) - House Committee to Examine Cell Phone Surveillance
The House Subcommittee on Information Technology will examine law enforcement use of "Stingrays," a technique for tracking cell phones users. The Department of Justice adopted guidelines that require a warrant before using Stingray devices to track the location of mobile devices. Senators Grassley and Leahy recently asked DHS Secretary Jeh Johnson to adopt a similar policy for DHS. California passed a law requiring a warrant for a Stingray. Documents obtained by EPIC in a FOIA lawsuit revealed the FBI was using the cell-site simulators without a warrant. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls, arguing that a warrant is required to obtain location information from cell phone subscribers. (Oct. 21, 2015) - House Passes Faux Privacy Bill
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing. (Oct. 21, 2015) - House to Consider Bill on Vehicle Data Privacy and Cybersecurity
The House Energy and Commerce Committee will hold a hearing to consider a draft legislation concerning vehicle data privacy and cybersecurity. The bill would require vehicle manufacturers to establish privacy policies and would prohibit vehicle data hacking. However, the bill provides only limited enforcement of the privacy and cybersecurity provisions. EPIC has previously recommended safeguards for vehicle event data recorders (EDRs) and urged the Transportation Department to protect driver privacy. EPIC has written on the privacy and security implications of the "Internet of Things," which includes cars. (Oct. 21, 2015) - Case Against Facebook Moves Forward in Ireland
Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post. (Oct. 20, 2015) - FAA To Establish Drone Registration Database, Privacy Safeguards Still Needed
The Department of Transportation and FAA announced that drone operators will be required to register with a national drone registration database. A task force will develop recommendations for the registration process by November 20. The registration requirement is aimed at protecting public safety and promoting accountability, but creates new privacy risks. EPIC sued the FAA to develop privacy regulations for commercial drones. In EPIC v. FAA, EPIC recently argued that the agency's failure to establish privacy rules for commercial drones is a violation of law and should be overturned. (Oct. 20, 2015) - New Mexico Supreme Court Finds Warrantless Aerial Surveillance Violates Fourth Amendment
The Supreme Court of New Mexico ruled in State v. Davis that the Fourth Amendment prohibits the warrantless aerial surveillance of, and interference with, a person's private property. Specifically, the court found that "prolonged hovering close enough to the ground to cause interference with Davis' property transformed this surveillance from a lawful observation of an area left open to public view to an unconstitutional intrusion into Davis' expectation of privacy." EPIC filed a friend of the court brief and presented oral argument before the Court. EPIC said that aerial surveillance threatens privacy and property interests and that surveillance in the airspace close to a home violates the Fourth Amendment. The New Mexico Supreme Court agreed. EPIC frequently amicus briefs on emerging privacy and civil liberties issues. (Oct. 19, 2015) - European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful
Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law. (Oct. 17, 2015) - EPIC Pursues Public Release of Secret DNA Forensic Source Code
EPIC has filed public records requests in six states to obtain the source code of "TrueAllele," a software product used in DNA forensic analysis. According to recent news reports, law enforcement officials use TrueAllele test results to establish guilt, but individuals accused of crimes are denied access to the source code that produces the results. A similar program used by New Zealand prosecutors was recently found to have a coding error that provided incorrect results in 60 cases, including a high-profile murder case. EPIC has previously urged the US Supreme Court to carefully consider the reliability of new investigative techniques and argued a federal appeals case against DNA dragnet surveillance. Citing the importance of algorithmic transparency in the criminal justice system, EPIC filed requests in California, Louisiana, New York, Ohio, Pennsylvania, and Virginia. (Oct. 14, 2015) - Government Gets Second Extension in EPIC Supreme Court Case about Cellphone Shutdown Policy
The US Supreme Court has granted the Solicitor General more time to respond to EPIC's charges that the government's effort to keep under wraps a controversial cellphone shutdown policy violates the law. EPIC has pursued public release of the government policy since BART subway officials shut down cellphone service during a peaceful protest in 2011. After EPIC prevailed in district court and a judge ordered release of the policy, the government appealed and a federal appeals court reversed. In the Supreme Court petition, EPIC argued that the was "contrary to the intent of Congress, this Court's precedent, and this Court's specific guidance on statutory interpretation." The government's response is now due on November 13. (Oct. 12, 2015) - Obama Drops Plan to Regulate Crypto
According to the New York Times, President Obama has concluded that "it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit." Earlier this year Apple CEO Tim Cook said at the EPIC Champions of Freedom dinner, "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." EPIC launched the public campaign for the freedom to use encryption in 1994 and several of the world's leading cryptographers are members of the EPIC Advisory Board. Tim Cook received the 2015 EPIC Champion of Freedom Award. Past recipients include Max Schrems and Edward Snowden. (Oct. 11, 2015) - California Rejects Warrantless Surveillance, Enacts "CalECPA"
California Governor Jerry Brown has signed the California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made several recommendations regarding updates to the federal ECPA. EPIC has also obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill. (Oct. 9, 2015) - California Enacts Innovative Privacy Protections for Drones and SmartTVs
California Governor Jerry Brown has signed laws that provide California residents with privacy protections against drones and SmartTVs. AB856 prohibits drone flight in the airspace above private property with the intent of taking photos, video, or a sound recording of a person. AB1116 prohibits the use of voice recognition on SmartTVs unless consumers are "prominently inform[ed]" during the initial setup of the TV. The new California law also prohibits the use of voice recording for advertising purposes. Earlier this year, EPIC filed a complaint to the Federal Trade Commission about Samsung's SmartTVs and recommended new consumer safeguards. EPIC has also recommended drone privacy safeguards to the US Congress, the FAA, and State courts. (Oct. 9, 2015) - OECD Finalizes Risk Management Guidelines
The OECD has published the new Recommendation on Digital Security Risk Management a revision of the 2002 OECD Security Guidelines. Science, Technology and Innovation Director Andrew Wyckoff said that "a totally secure digital environment is impossible". EPIC supports the Recommendations which emphasize digital security risk management "in a transparent manner and consistently with human rights and fundamental values." EPIC has long been engaged with the work of OECD and supports civil society participation at the 2016 OECD Ministerial Meeting on the Digital Economy. (Oct. 9, 2015) - Congress Holds Hearing on Drone Safety After FAA Misses Deadline on Drone Regs
The House Subcommittee on Aviation held a hearing on drone safety after the FAA's failure to meet a Congressional deadline to implement comprehensive drone regulations. The FAA Modernization and Reform Act of 2012 required the agency to develop a "Comprehensive Plan" to integrate drones into the national airspace by September 30, 2015. The agency missed the deadline. However, the FAA has granted over a 1,700 exemptions for drones to operate in the US even as safety and privacy concerns increase. Chairman LaBiondo (R-NJ) said at the hearing, "The real possibility of a mid-air collision must be taken seriously in order to prevent tragic consequences." EPIC recently sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones. (Oct. 9, 2015) - EPIC Testifies Before Senate on Risks of SSN on Medicare Cards
EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents. (Oct. 6, 2015) - European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws
In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress (Oct. 6, 2015) - Solicitor General to Support Consumers in Supreme Court Privacy Case
The Solicitor General will argue in support of consumer privacy in Spokeo v. Robins, a critical case now before the US Supreme Court about the future of federal privacy law. EPIC, and leading technical experts and legal scholars, also filed a brief in support of consumer privacy laws, highlighting the rise of data breaches and identify theft. EPIC urged the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The Court will hear arguments in Spokeo on November 2, 2015. (Oct. 5, 2015) - Senators Push DHS to Enact Cell Phone Monitoring Policy
Senator Chuck Grassley and Senator Patrick Leahy have asked DHS Jeh Johnson to enact a policy on cell phone surveillance devices, known as "Stingrays." The Department of Justice recently adopted new guidelines on Stingray use that requires agents to obtain a search warrant before employing Stingrays. The DOJ policy also prohibits officers from using Stingrays to intercept communications, and requires that all non-target data be deleted after use. Documents obtained by EPIC in a FOIA lawsuit revealed the FBI was using the cell-site simulators without a warrant. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls, arguing that a warrant is required to obtain location information from cell phone subscribers. (Oct. 2, 2015) - FAA Misses Deadline on Drones Regs, Also Ignores Privacy
FAA has failed to meet a Congressional deadline to implement comprehensive drone regulations. The FAA Modernization and Reform Act of 2012 required the agency to develop a "Comprehensive Plan" to integrate drones into the national airspace by September 30, 2015. The agency missed the deadline. However, the FAA has granted over a 1,700 exemptions for drones to operate in the US even as safety and privacy concerns increase. EPIC recently sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones. (Oct. 2, 2015) - EPIC Urges Homeland Security to Uphold the Public's Right to Know
On International Right to Know Day, EPIC submitted comments to the Department of Homeland Security, urging the agency to uphold the Freedom of Information Act. EPIC objected to several of the agency's proposals, including changes to the FOIA that would: (1) prematurely terminate FOIA requests; (2) withhold the names of agencies to which DHS may refer FOIA requests; and (3) increase open government fees for students conducting research. EPIC also supported several changes that will make it easier for the public to obtain information from the DHS. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. (Sep. 29, 2015) - In Court: EPIC Challenges FAA Failure to Establish Drone Privacy Rules
EPIC has filed the opening brief in a lawsuit against the Federal Aviation Administration. EPIC charged that the agency’s failure to establish privacy rules for commercial drones is a violation of law and should be overturned. The EPIC lawsuit followed an Act of Congress requiring a “comprehensive plan” for the integration of drones and petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. EPIC stated that “As the agency has determined not to issue rules, contrary to the FAA Modernization Act and EPIC’s Rulemaking Petition, the Court must now order the agency to do so.” The case is EPIC v. FAA, No. 15-1075. The United States Court of Appeals for the DC Circuit is expected to hear oral argument in the case early next year. Press Release - EPIC v. FAA (Sep. 29, 2015) - News Reports: FTC Investigating Google Anti-Competitive Practices
According to the New York Times and Bloomberg News, the FTC is investigating whether Google unfairly prioritizes its own products on the Android platform. Google bundles several Google products on the Andriod platform and requires manufacturers to install them directly onto smartphones. DOJ pursued antitrust violations against Microsoft for this type of "tying" or "bundling" practice. EPIC previously urged the Senate and the FTC to investigate Google's business practices because of the privacy implications. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of former FTC Commissioner Pamela Harbor, who cited the close ties between monopoly practices and privacy violations. (Sep. 28, 2015) - EPIC Expresses Support for Advocate General Opinion in Schrems Case
In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations." (Sep. 28, 2015) - EPIC celebrates International Right to Know Day
On September 28, EPIC celebrates International Right to Know Day and government transparency. EPIC has pursuednumerous FOIA cases and routinely made the information obtained available to Congress and the public. EPIC recently filed a FOIA request to obtain the secret US-EU data transfer agreement. For more information, see EPIC Open Government. @EPICprivacy #FOISuccess #IRTKD2015 (Sep. 25, 2015) - Decision by EU Legal Advisor Signals End of "Safe Harbor"
An opinion by the top advisor for Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection. (Sep. 23, 2015) - Google Ordered to Comply with Ruling of European High Court
The French Data Protection Authority, the "CNIL," has ordered Google to comply with the judgement of the Court of Justice of the European Union concerning the "Right to be Forgotten." The CNIL rejected Google's proposal to remove only a few links to the personal information it publicized widely around the world. The President of the CNIL said the decision "simply requests full observance of European legislation by non European players offering their services in Europe." EPIC has previously explained that the right to privacy is global and that the position of Google, as an operator of search engines around the world, does not make sense. (Sep. 21, 2015) - Survey: 74% of Presidential Candidate's Websites Fail on Privacy
According to an audit of the websites of the 2016 Presidential Candidates, only 6 of the 23 candidates received passing grades for their website privacy policies - Bush, Chafee, Christie, O’Malley, Santorum, and Walker. Four sites had no privacy policy at all, several failed to disclose their data disclosure practices, and several more said they would disclose personal information to others, or even sell the data. EPIC conducted the first privacy web site survey, Surfer Beware: Personal Privacy and the Internet, in 1997. And EPIC promoted non-partisan debate on privacy issues in the 2012, 2010, and 2008 Presidential elections. (Sep. 21, 2015) - EPIC Sues Coast Guard, DHS for Information on Boater Tracking Program
EPIC has sued the U.S. Coast Guard and the Department of Homeland Security to obtain information on a federal government program to track and record the location of boaters. According to EPIC, the DHS intends to transfer the data from the Nationwide Automatic Identification System to federal and state agencies, as well as foreign governments. "The NAIS program exceeds the stated purpose of marine safety and constitutes an ongoing risk to the privacy and civil liberties of mariners across the United States," wrote EPIC in the FOIA lawsuit. The boating community has expressed concern over the tracking program. A previous FOIA request from EPIC to the agency went unanswered. Press Release - EPIC v. CG, DHS, No, 15-1527. (Sep. 20, 2015) - New Report Highlights Consumer Goals for EU Privacy Law
BEUC, The European Consumer Organization, has published "My Personal Data", outlining key requirements for negotiations in Europe on the General Data Protection Regulations. BEUC underscored "the urgent need to put consumers back in control over the way their personal data is processed online." The BEUC report emphasized strong data protection principles, enhanced rights for individuals, and a comprehensive enforcement scheme. EU negotiations involve a "trilogue" of the European Parliament, the Council, and the Commission, with the EU Data Supervisor also playing an active role. In the U.S., EPIC supports the Consumer Privacy Bill of Rights and organized a coalition of consumer privacy groups to urge President Obama to enact the privacy framework into law. (Sep. 17, 2015) - Senators Markey and Blumenthal Push Automakers to Protect Drivers from Remote Hacking
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking how each company is protecting drivers from remote hacking. Earlier this year, a reporter detailed his experience driving a hacked Jeep. Markey and Blumenthal have also introduced the SPY Car Act to establish cybersecurity and privacy requirements for new passenger vehicles. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers." (Sep. 17, 2015) - EPIC Recommends Changes to Judicial Redress Act
In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement." (Sep. 16, 2015) - Senate Considers Modest Updates to ECPA
The Senate Judiciary Committee will hold a hearing on proposed amendments to the Electronic Communications Privacy Act. The bill under consideration would establish a warrant requirement for the disclosure of electronic communications. The ECPA Amendments Act would also require notice to customers whose communications have been collected. Senator Leahy said that passage of the bill should be a "no brainer." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Sep. 16, 2015) - Congress Moves to Advance Judicial Redress Act as Secret Police Agreement is Leaked in Europe
A Congressional committee will this week consider endorsement of the Judicial Redress Act, after announcement of the just concluded EU-US "Umbrella Agreement." EPIC filed expedited an FOIA requests to obtain the text of the secret agreement. The document was since made available by Statewatch. EPIC will pursue official release of the Agreement from US and EU authorities to the public. Regarding amendments to the Privacy Act, EPIC has made extensive recommendations for Privacy Act modernization, including specific changes to the damages provision that would correct a Supreme Court holding and address such problems as the OPM data breach. (Sep. 15, 2015) - EPIC Urges Wisconsin to Protect SSNs of Job Seekers
In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect the privacy of SSNs for job seekers. EPIC expressed support for a bill that prohibits the Department of Workforce Development from requiring SSNs from those who are trying to obtain employment information from the state. EPIC explained that other states do not require SSN collection for job seekers and urged the development of a "context-dependent" identifier. EPIC has previously warned Congress about the link between SSN misuse and identity theft. EPIC's State Policy Project is monitoring privacy bills nationwide. (Sep. 15, 2015) - In the States: California Governor Vetoes Drone Privacy Bill
Following lobbying by several tech companies, California Governor Jerry Brown has vetoed a bill that would have prohibited drone trespass over private property. Neighboring Oregon provides a civil action against drone operators who fly lower than 400 feet over private property. EPIC has testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of a warrant requirement for low altitude aerial surveillance, and sued the FAA for failing to establish drone privacy safeguards. (Sep. 14, 2015) - Government Gets Extension in EPIC Supreme Court Case about Cellphone Shutdown Policy
The US Supreme Court has granted the Solicitor General extra time to respond to EPIC's charges that the government's effort to keep under wraps a controversial cellphone shutdown policy violates the law. EPIC has pursued public release of the government policy since BART subway officials shut down cellphone service during a peaceful protest in 2011. After EPIC prevailed in district court and a judge ordered release of the policy, the government appealed and a federal appeals court reversed. In the Supreme Court petition, EPIC argued that the was "contrary to the intent of Congress, this Court's precedent, and this Court's specific guidance on statutory interpretation." The government's response is now due on October 14. (Sep. 14, 2015) - European Privacy Supervisor Proposes Ethics Board
The European Data Protection Supervisor will establish a new Ethics Board and has urged exploration of the "ethical dimension in future technologies to retain the value of human dignity and prevent individuals being reduced to mere data subjects." The recommendation follows the EDPS 2015-2019 Action Plan, announced earlier this year. EPIC has previously noted that computer scientists were among the first to establish ethical obligations for the development and use of new information technologies. (Sep. 12, 2015) - EPIC Pursues Public Release of EU-US Agreement on Data Transfers
EPIC has filed an expedited FOIA request to obtain a secret agreement between US and EU law enforcement agencies concerning the transfer of personal data. Citing legislation pending in Congress and NGO concern about the scope of the data protection safeguards, EPIC said "there is an urgency to inform the public" about the contents of the agreement. EPIC has pursued numerous FOIA cases and routinely made the information obtained available to Congress and the public. The agency has 10 days to respond to EPIC's request about the law enforcement "umbrella agreement." (Sep. 10, 2015) - FTC Approves Final Order With Nomi Over Location Tracking
The FTC has finalized an order with Nomi Technologies resolving allegations that Nomi engaged in deceptive trade practices. Nomi, a company that provides retailers with in-store analytics via sensor-based tracking of customers' mobile devices, falsely promised customers the ability to opt-out at stores using its services. The FTC order prohibits Nomi from misrepresenting its privacy practices in the future. EPIC has pursued several important consumer privacy issues at the FTC leading to settlements, including Google, Snapchat, Facebook and other firms. EPIC currently has a complaint pending at the FTC concerning Uber and locational tracking. (Sep. 9, 2015) - Congress to Examine Commercial Drones, Privacy and Safety Issues Loom Large
The House Judiciary Committee will hold a hearing on Unmanned Aerial Vehicles: Commercial Applications and Public Policy Implications. The FAA has granted nearly 1,500 exemptions to commercial drone operators even as public safety risks and privacy concerns increase. EPIC has sued the agency for its failure to establish privacy safeguards prior to the deployment of commercial drones in the United States. The lawsuit, EPIC v. FAA, follows an act of Congress requiring the agency to develop a "comprehensive plan" for the safe integration of drones in domestic airspace, and a petition, organized by EPIC and joined by over 100 experts organizations, calling on the FAA to establish privacy rules. EPIC previously testified in Congress in support of strong privacy legislation. (Sep. 9, 2015) - EU and US Reach Agreement on Data Protection for Investigations
US officials have concluded an agreement with their European counterparts on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." The US Congress must next pass the Judicial Redress Act for the "Umbrella Agreement" to take effect. EPIC has previously urged US ratification of Council of Europe Convention 108, "the most widely known international framework for privacy protection." (Sep. 9, 2015) - EPIC Defends Privacy Laws in Supreme Court Brief
In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board. (Sep. 8, 2015) - Federal Agencies Seek Comment on Protections for Human Research Subjects
The Department of Health and Human Services is seeking public comment on proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects in the United States. The proposal seeks to strengthen requirements for informed consent but would also exempt certain categories of research from administrative review. The Department will accept public comments on the proposed revisions until December 6, 2015. EPIC previously submitted comments to the Department of Health and Human Services, warning that medical privacy standards for deidentification were "gravely inadequate" and urged support for stronger techniques of deidentification. EPIC routinely comments on privacy issues involved in health data. (Sep. 8, 2015) - New Justice Department Policy Requires Warrants for Cell-Site Simulators
The Justice Department released new guidelines that require the Department's law enforcement components to obtain a warrant before using cell site simulator devices, often referred to as "Stingrays." The policy prohibits officers from using Stingrays to intercept communications, and requires that all non-target data be deleted after use. Documents obtained by EPIC in a Freedom of Information lawsuit revealed the FBI was using the cell-site simulators without a warrant and supplying the technology to other law enforcement agencies. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls arguing that a warrant is required to obtain location information. (Sep. 4, 2015) - D.C. Circuit Reverses Important NSA Surveillance Ruling, Sends the Case Back to Lower Court
A divided panel of the D.C. Circuit has reversed a lower court decision that the NSA bulk metadata collection program violated the Fourth Amendment. The judges in Klayman v. Obama agreed that the plaintiff did not have sufficient evidence that his telephone records were collected. But the majority of the panel agreed that the plaintiff should be allowed to conduct "discovery" to prove standing, and remanded the case to the lower court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. (Aug. 29, 2015) - Following EPIC Complaint, FOIA Ombudsman Announces Investigation of Practices at DHS
The federal FOIA ombudsman has informed EPIC that it is investigating the FOIA practices of six DHS component agencies. In 2014, EPIC and a dozen open government organizations urged the Office of Government Information Services to investigate the impermissible closures of FOIA requests. Through "still interested" letters, some federal agencies notify FOIA requesters that unprocessed requests will be closed by the agency if there is no further communication. EPIC and the open government groups object to the practice and reminded OGIS that "no provision in the [FOIA] allows for administrative closures." An earlier EPIC letter to OGIS led to a reduction of fee payments for FOIA requesters. (Aug. 28, 2015) - Appeals Court Upholds FTC's Data Security Authority
A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers. (Aug. 24, 2015) - Professor Latanya Sweeney Launches New Privacy and Technology Journal
Harvard Professor Dr. Latanya Sweeney has launched Technology Science, a new online journal for "original material dealing primarily with a social, political, personal, or organizational benefit or adverse consequence of technology." Among other papers, Technology Science currently features research on Facebook Messenger's geolocation collection and disclosure, medical privacy, and price discrimination in international travel. EPIC has worked extensively to promote locational privacy, medical privacy, and fair and transparent decision-making. Professor Sweeney serves as a member of the EPIC Advisory Board. (Aug. 21, 2015) - Federal Appeals Court Revives Driver Privacy Claims
In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period." (Aug. 20, 2015) - Education Department Seeks Public Comment on Student Privacy Guidance
The Education Department is seeking public comment on new guidance to protect student medical privacy. Currently, college officials may disclose confidential student medical records for purpose unrelated to treatment, including to university attorneys engaged in litigation against students. The Department’s proposal would require colleges to obtain student written consent or a court order prior to disclosure. The Department will accept public comments on the proposed guidance until October 2, 2015. EPIC previously sued the Education Department for weakening federal student privacy rules. EPIC also proposed the Student Privacy Bill of Rights, an enforceable student privacy and data protection framework. (Aug. 20, 2015) - Without Public Comment, FTC Narrows Section 5 Authority
The Federal Trade Commission has issued a "Statement of Principles Regarding Enforcement of FTC Act as a Competition Statute." The Principles appear to narrow the ability of the Commission to pursue unfair business practices and were announced without any formal opportunity for public comment. Chairwoman Ramirez said that the Statement makes "time-honored principles explicit; it does not signal any change of course in our enforcement practices and priorities." Commissioner Olhausen dissented and noted the lack of opportunity for public comment. EPIC and others have urged the FTC to use Section 5 authority to address growing concerns about industry consolidation and privacy protection. EPIC has also noted the failure of the FTC to incorporate public comments in its proceedings, as required by law. (Aug. 14, 2015) - EPIC Challenge to FAA Failure to Establish Privacy Safeguards Moves Forward
The federal appeals court in Washington, DC has ordered briefing in EPIC's lawsuit against the Federal Aviation Administration. EPIC filed suit in March after the FAA failed to establish privacy rules for commercial drones as mandated by Congress. The EPIC lawsuit followed an earlier petition to the agency backed by more than a hundred organizations and privacy experts. The FAA had asked the D.C. Circuit to dismiss EPIC's lawsuit. But in today's order, the appellate court directed the parties to prepare merits briefing for a three-judge panel which will consider the case. (Aug. 13, 2015) - EPIC Petitions Supreme Court, Seeks Release of Cellphone Shutdown Policy
EPIC has filed a petition to the U.S. Supreme Court in a long-running battle to obtain a secret government cellphone shutdown policy. EPIC has pursued the Department of Homeland Security policy since BART officials shut down cell phone service during a peaceful protest in 2011.. The demonstrators were protesting the police's killing of an unarmed homeless man. The appellate court's decision, wrote EPIC, "is contrary to the intent of Congress, this Court's precedent, and this Court's specific guidance on statutory interpretation." A federal judge previously ruled in EPIC's favor. (Aug. 11, 2015) - EPIC Pursues Lawsuit about Secret Government Profiling Program
EPIC has filed a reply brief in federal court, rebutting the government's claim that it can withhold information about automated profiling. In EPIC v. CBP, a Freedom of Information Act case, EPIC seeks documents about the "Analytical Framework for Intelligence," which incorporates personal information from government agencies, commercial data brokers, and the Internet. The agency then uses secret, analytic tools to assign "risk assessments" to travelers, including U.S. citizens traveling solely within the United States. EPIC submitted a FOIA request in 2014 for documents relating the framework. EPIC has called for "algorithmic transparency" in automated decisions concerning individuals. (Aug. 11, 2015) - In the States: Delaware Enacts Several Privacy Laws
Delaware has recently passed four privacy laws. Under the Delaware Online Privacy and Protection Act, websites and apps must disclose the personally identifiable information they collect and how they use this information. The Student Data Privacy Protection Act enhances student privacy protections, banning companies from selling student data or using student data for targeted advertising. The Victim Online Privacy Act protects domestic violence survivors against having certain contact information posted online. The Employee/Applicant Protection for Social Media Act bars employers from demanding access to their employees' or prospective employees' social media accounts. EPIC's State Policy Project is monitoring privacy bills nationwide. (Aug. 10, 2015) - Appeals Court Upholds Fourth Amendment Protection of Location Data
The U.S. Court of Appeals for the Fourth Circuit ruled that the Fourth Amendment protects a cell phone user's location records and that officers must get a warrant to inspect them. The Fourth Circuit is the first federal appeals court to hold that the Fourth Amendment warrant requirement applies to location data following the decision by the Eleventh Circuit earlier this year permitting warrantless searches. The Supreme Court will likely review one of these two cases to resolve the split between federal appeals courts. EPIC has filed amicus curiae briefs in the New Jersey Supreme Court and the Fifth Circuit arguing that the Fourth Amendment protects an individual's location privacy. (Aug. 6, 2015) - Federal Court Strikes Down Texas Voter ID Law
The U.S. Court of Appeals for the Fifth Circuit has ruled that the strict Texas Voter ID requirement is unlawful because it would disproportionately burden minority voters, in violation of the Voting Rights Act. EPIC has previously raised similar arguments about voter privacy in its amicus brief in the Supreme Court case Crawford v. Marion County Election Board. EPIC argued in Crawford that "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system." EPIC also presented a statement to the House Judiciary Committee in 2007 highlighting the importance of the secret ballot. (Aug. 6, 2015) - Facebook Applies for Patent to Collect Users' Credit Scores
Facebook has applied for a patent that would allow lenders to make credit decisions on a user based on the user's Facebook activity. If the patent is approved, Facebook will be able to collect the credit scores of a user's "friends" and supply a creditor with their average score. If that average is below a certain threshold, the lender will reject the application. EPIC has filed extensive comments with the Consumer Financial Protection Bureau, urging the agency to limit the amount of information creditors can access about consumers. EPIC has called for algorithmic transparency in automated decisions concerning individuals. (Aug. 5, 2015) - EPIC Warns Boston City Council of Risks of Body Cameras
EPIC submitted a statement for the record today for the Boston City Council hearing on mandating body cameras for the Boston Police. EPIC opposes the use of "police cams" and warned the city council that body cameras could "become the next surveillance technology disproportionately aimed at the most marginalized members of society." EPIC also pointed to the potential liability for cities if harmful images are posted online. EPIC explained that there are "more productive means to achieve police accountability that do not carry the risk of increasing surveillance." EPIC stressed that if body cameras are deployed, police departments must comply with all privacy and open government laws. (Aug. 5, 2015) - Federal Court: DHS Failed to Justify Withholdings in Defense Contractor Monitoring FOIA Case
In EPIC v. DHS, a federal district court ruled that the Department of Homeland Security failed to justify withholding documents subject to the Freedom of Information Act. EPIC sued DHS to compel the disclosure of records relating to a cybersecurity program designed to monitor traffic flowing through ISPs to a select number of defense contractors. The court concluded that the agency's argument relied on "a weak assumption," but will allow the agency to submit a revised justification for withholding the records. EPIC previously won a five-year legal battle to release NSPD-54, the foundational legal document for U.S. cybersecurity policies. (Aug. 5, 2015) - Coalition Successfully Blocks Restrictive FOIA Exemptions
After receiving opposition from open government advocates and support from Senators Patrick Leahy, John Cornyn, and Charles Grassley, the Senate has removed "b(3)" Freedom of Information Act exemptions from the Senate's transportation bill. The exemptions would exclude public access to important information about safety audits, trucking company safety scores, accident footage, and records related to hazardous train service. The final bill passed the Senate 65 to 34 without the controversial language, which Senator Leahy called "bad FOIA provisions" that should have been first reviewed by the Judiciary Committee. EPIC previously set out recommendations for FOIA reform. (Aug. 5, 2015) - EPIC, Coalition Urge FCC to End Call Record Data Retention
EPIC and a coalition of leading consumer rights, human rights, and civil liberties organizations, along with members of the EPIC Advisory Board, have petitioned the Federal Communications Commission to end the FCC's rule requiring mass retention of phone records. Currently, the FCC requires phone companies to retain sensitive information on all customers, including name, address, telephone number, telephone number dialed, date, time, and length of the call for 18 months. The petition states that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition. It is outdated and ineffective. It should end." (Aug. 4, 2015) - Federal Court Finds Fourth Amendment Protects Cell Phone Location Data
A federal court in California ruled that police must get a warrant before obtaining a user's location records. The court found individuals have a "reasonable expectation of privacy" in their cell phone location data, based on the Supreme Court's recent decisions in United States v. Jones and Riley v. California. These records, the court found, can be even "more invasive" than the "GPS device attached to the defendant's car in Jones." EPIC has filed amicus curiae briefs in the New Jersey Supreme Court and the Fifth Circuit Court of Appeals arguing that the Fourth Amendment protects an individual's locational privacy. (Aug. 4, 2015) - GAO Report: Facial Recognition Technology Implicates Consumer Privacy, But Remains Unregulated
The Government Accountability Office has published a report on commercial use of facial recognition technology. The GAO compiled the report at the request of Senator Al Franken, who objected to use of the technology by Facebook and Google. The GAO surveyed companies, federal agencies, and NGOS, including EPIC. The report explains the technology's privacy risks, but also reports that no laws or guidelines currently regulate facial recognition technology. The GAO also reports that the "extent of [the technology's] current use in commercial settings is not fully known." EPIC has frequently advocated for face recognition privacy laws. (Aug. 3, 2015) - State Department and Homeland Security Propose Open Government Rules
The State Department and the Department of Homeland Security have each proposed to amend their Freedom of Information Act programs. Both agencies propose several favorable changes to their FOIA programs, including more circumstances in which the agencies would expedite processing for open government requests. The agencies are currently accepting public comments on their proposals until September 28. EPIC recently submitted extensive comments to the Defense Department, opposing several of the agency's plans to amend its FOIA program. EPIC routinely comments on FOIA rulemakings and has had past success with the Justice Department, Federal Trade Commission, and several other federal agencies. (Aug. 3, 2015) - After Losing Appeal, Google Moves to Block Scope of European Privacy Right
Google has indicated that it does not intend to comply with a judgement of the high court in Europe after earlier losing its appeal in Google v. Spain. Earlier this year, the French Data Protection agency, consistent with the landmark decision of the European Court of Justice, instructed Google to delist certain links in all domains in which the search company operates. A recently leaked version of a Google transparency report found that the vast majority of requests for delisting concern private matters of private individuals. Support for the "right to be forgotten" continues to grow around the world with courts in Japan, Canada, and the United States acknowledging similar claims. (Jul. 30, 2015) - In Appellate Brief, EPIC Argues for Limitations on Government Digital Searches
In an amicus brief to the U.S. Court of Appeals for the Second Circuit, EPIC argued that there are Constitutional limits on government searches of electronic storage devices. EPIC urged affirmance of United States v. Ganias, which held that the Government violated the Fourth Amendment by retaining files seized years earlier. After the government appealed, the court agreed to rehear the case. EPIC argued that data minimization practices should be followed for electronic searches, particularly after the Supreme Court's decision in Riley v. California. EPIC endorsed the approach set out in United States v. Comprehensive Drug Testing, which allows a government agency to undertake appropriate searches without unnecessarily violating privacy interests. In Quon v. City of Ontario, CA (2012), EPIC recommended that the Supreme Court adopt a similar approach. (Jul. 30, 2015) - California Supreme Court to Review License Plate Records Case
The California Supreme Court has granted review of a lower court decision that prevented public release of information about "automated license plate readers." The lower court held that the information about the system to gather license plate data on all motorists was an "investigative record." EPIC urged the California Supreme Court to review the matter, stating, "as the government's ability to collect information about individuals has expanded, open record laws have become an important tool for government oversight." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications. (Jul. 30, 2015) - Federal Appeals Court Recognizes "Substantial Risk of Future Harm"
In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers. (Jul. 29, 2015) - New OECD Report Finds Increased Privacy Concern, Lagging National Policies
The OECD Digital Economy Outlook 2015 explores recent developments in the digital economy. The OECD report finds that Internet "users are increasingly concerned, 64% of respondents are more concerned about privacy than they were a year ago" even as few countries include online privacy in national digital strategies.The OECD also warns that the "Internet of Things" will lead to the rise of autonomous machines. Civil society groups are planning to report to the OECD at the 2016 Ministerial Meeting on the Digital Economy. (Jul. 28, 2015) - Intelligence Director Says NSA Access to Bulk Phone Record Data Will End
The Director of National Intelligence announced today that the NSA analysis of "section 215" telephone records previously gathered will end when the USA FREEDOM Act goes into effect on November 29, 2015. Earlier this month, the U.S. Surveillance Court ruled that the NSA could continue collecting records during a 180 day transition period, despite an earlier decision finding the program was unlawful. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. (Jul. 27, 2015) - Top EU Officials Calls Privacy Reform "Europe's Big Opportunity"
Giovanni Buttarelli, the European Data Protection Supervisor, has announced "Recommendations on the EU's Options for Data Protection Reform." The Opinion sets out an assessment and recommendation for the new European Union privacy law. EU and US NGOs, including EPIC, have urged the adoption of strong safeguards. In response, the President of the European Commission stated recently that "proposed data protection rules will not drop below the level" of current law. (Jul. 27, 2015) - Open Government Groups Oppose Proposed FOIA Exemptions
Over the weekend, several open government groups urged Sen. Mitch McConnell (R) and Sen. Harry Reid (D) to remove proposed FOIA "b(3)" exemptions from a pending transportation bill. The exemptions would exclude public access to information about safety audits, trucking company safety scores, accident footage, and records related to hazardous train service. The groups oppose the exemptions and also explained that such proposals should be reviewed by the Senate Judiciary Committee which is responsible for FOIA oversight. EPIC previously set out recommendations for FOIA reform. (Jul. 27, 2015) - Justice Department Releases 2015 FOIA Reports
The DOJ has released its assessment of federal agencies' 2015 FOIA compliance reports. Every year, agencies submit reports to the Justice Department describing their progress in implementing President Obama's Memo and former AG Eric Holder's Guidelines to promote FOIA compliance. The DOJ grades progress in five areas: applying the presumption of openness, effective and responsive systems, proactively releasing information, utilizing technology, and reducing backlogs and improving response times. EPIC and other open government organizations have called on President Obama to strengthen the FOIA. (Jul. 23, 2015) - FTC Sues LifeLock For Violating Consent Agreement
The Federal Trade Commission has filed suit in federal district court against the identity theft-protection company LifeLock for violating a 2010 consent order. The FTC previously charged LifeLock with using false claims to promote its services and prohibited the company from making false claims in the future. Now, the Commission has charged LifeLock with failing to safeguard consumer data and continuing to falsely advertise to consumers, in violation of the 2010 order. EPIC has repeatedly urged the FTC to enforce consent orders and to make its review process transparent to the public. In 2012 EPIC sued the agency for its failure to enforce a consent order against Google after the company changed its privacy practices. (Jul. 22, 2015) - Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers." (Jul. 21, 2015) - Report Outlines Security Challenges for Online Voting
A new report from the U.S. Vote Foundation concludes that no internet voting systems provide adequate security for public elections. The report recommends "end-to-end verifiable voting," which allows voters to confirm that their votes were recorded. The system would also verify that votes are correctly tabulated. EPIC has obtained FOIA documents from the Department of Defense regarding the functionality and reliability of an e-voting. (Jul. 17, 2015) - Leaked Google Data: 95% of "Right to Be Forgotten" Requests Come From Private Individuals Concerning Private Information
Nearly all of the "right to be forgotten" requests made to Google up to March 2015 came from everyday members of the public seeking to remove links to private information. The new data, accidentally embedded in the source code of Google's transparency report, show that just five percent of the nearly 220,000 delinking requests concerned criminals, politicians, or public officials. This revelation undercuts claims by Google and some media companies to sensationalize the right articulated by the Court of Justice of the EU last year. EPIC has defended the right to delink and argued that the right should be recognized in the United States. (Jul. 15, 2015) - EPIC Urges Investigation of "Always On" Consumer Devices
EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumer's homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice. (Jul. 9, 2015) - Congress to Hold Hearing on Encryption and Privacy
Today the Senate is holding a hearing on "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has advocated for broken encryption to enable law enforcement access to private communications. Despite claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25 wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has advocated for strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC published the first comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." (Jul. 8, 2015) - Leading Security Experts Oppose Government Encryption Plan
Several members of the EPIC Advisory Board, leading experts in security technology, have warned that a government plan to weaken encryption threatens the nation's critical infrastructure and puts at risk confidential personal information. Recalling a similar report from 1997, the researchers concluded that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. Recent reports from the US courts, available from EPIC, show that encryption has not been an obstacle to law enforcement investigations. A 1994 Internet petition led to the demise of "Clipper," the original government plan for escrowed encryption. (Jul. 7, 2015) - Justice Department Issues Guidance on "Administrative Closures" for FOIA Requests
The Department of Justice has told federal agencies to continue processing FOIA requests after EPIC and many FOIA groups objected to the practice of "administrate closures." The Department advised agencies to limit administrative closures of FOIA requests and to provide "reasonable grounds" for ending processing. The Department also said agencies should provide requesters at least 30 days to respond to a proposal to end processing of a FOIA request. In 2014 EPIC and a dozen open government organizations stated that "no provision in the [FOIA] allows for administrative closures . . ." (Jul. 7, 2015) - UN Appoints Special Rapporteur on Right to Privacy
The President of the UN Human Rights Council has selected Mr. Joseph Cannataci to serve as the first UN Special Rapporteur on the Right to Privacy. Cannataci is chair of European Information Policy and Technology Law at the University of Groningen in The Netherlands. He has served as an expert for panels on privacy, data protection, the Internet and cyber crime for the Council of Europe, the European Commission, and UNESCO. EPIC President Marc Rotenberg, a candidate for the post, expressed support for the selection. “The Human Rights Council has made a good decision. Mr. Cannataci is well qualified for this position. We look forward to working with him on this critical mandate.” (Jul. 3, 2015) - States Adopt Privacy Laws for Student Data, Breach Notification, License Plate Readers, and Drones
Several states have recently enacted new privacy laws. New Hampshire and Oregon passed student privacy legislation modeled after California's Student Online Personal Information Protection Act. Rhode Island and Connecticut enacted new consumer privacy and data breach notification laws. A new Minnesota law limits the data police may capture using automated license plate readers and requires the deletion of all data not relevant to an investigation. And the Freedom from Unwanted Surveillance Act, a law in Florida regulating the commercial use of drones, went into force this week. EPIC's State Policy Project is monitoring privacy bills nationwide. (Jul. 2, 2015) - Slight Decrease in Wiretaps in 2014, Encryption Not a Barrier to Investigations
In 2014, combined state and federal wiretap applications decreased 1%, from 3,577 to 3,555. Investigators encountered encryption in only 25 cases, and were able to obtain plain text in all but four cases. This fact contradicts claims that law enforcement agencies are "going dark" as a result of new encryption technologies. Of the 3,544 arrests based on wiretaps in 2014, only 553 resulted in convictions. The annual Wiretap Report, details government surveillance and provides insight into the debate over surveillance and the use of encryption. EPIC has repeatedly cited the annual Wiretap Report as a model for greater transparency of other surveillance activities . EPIC also maintains comprehensive tables and charts on electronic surveillance. (Jul. 2, 2015) - Surveillance Court Ignores Court Ruling, Reauthorizes NSA Bulk Collection Program
The Foreign Intelligence Surveillance Court has reauthorized the collection of domestic telephone records for 180 days. The Surveillance Court ignored the recent decision of the Federal Court of Appeals, which held that the NSA bulk collection program is unlawful. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. Congress then passed the Freedom Act to end program, but the FISC didn't get the memo. (Jul. 1, 2015) - EPIC Pursues Documents about Secret Government Profiling Program
EPIC has filed papers in federal court challenging the government's claim that it can withhold information about automated profiling. In EPIC v. CBP, a Freedom of Information Act case, EPIC seeks documents about the "Analytical Framework for Intelligence" which incorporates personal information from government agencies, commercial data brokers, and the Internet. The agency then uses secret, analytic tools to assign "risk assessments" to travelers, including U.S. citizens traveling solely within the United States. EPIC has called for "algorithmic transparency" in automated decisions concerning individuals. (Jul. 1, 2015) - FCC To Establish Privacy Rules for Internet Services
Federal Communications Commission Chairman Tom Wheeler said that the Commission will begin rulemaking proceedings for Internet privacy this fall. "If consumers worry that they don't have sufficient privacy online, why are they going to use online?" Wheeler said. The FCC 2015 Open Internet Order, published earlier this year, would expand the agency's authority to enforce privacy rules for Internet companies. EPIC has long supported the FCC's authority to protect consumer privacy. (Jun. 29, 2015) - ICANN Swamped with User Comments Against Personal Data in WHOIS Directory
Internet users have backed a campaign to prevent ICANN's inclusion of domain owners' personal information in the publicly searchable WHOIS directory. Users concerned about privacy are encouraged to sign the online petition and email comments directly to ICANN before July 7, 2015. ICANN has already received nearly 8000 emails protesting the removal of WHOIS privacy protections. ICANN stated that no changes will be made until all public comments are reviewed. EPIC has taken a strong stance on WHOIS privacy, urging Congress to prevent registrars from selling user information to third parties, serving on the WHOIS Privacy Steering Committee, and filing a legal brief supporting the rights of domain name holders not to publish their personal information on the Internet. (Jun. 26, 2015) - EPIC Urges California Supreme Court to Protect Open Records Law
EPIC has asked the Supreme Court of California to review a lower court decision that prevented public release of information about "automated license plate readers." The lower court held that information about the system to gather license plate date on all motorists was an "investigative record." In the amicus letter EPIC stated, "as the government's ability to collect information about individuals has expanded, open record laws have become an important tool for government oversight." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications. (Jun. 25, 2015) - Massive Government Data Breach Even Worse than Reported
A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data. (Jun. 25, 2015) - Supreme Court Strikes Down Warrantless Searches of Hotel Guest Registries
The Supreme Court ruled today that a Los Angeles ordinance authorizing warrantless inspections of hotel guest registries is unconstitutional because it failed to provide for judicial review. The ordinance required all hotels in Los Angeles to collect detailed information on their guests for police inspection. Writing for the Court in Los Angeles v. Patel, Justice Sonia Sotomayor explained that with only a few exceptions, "searches conducted outside the judicial process" are "per se unreasonable." EPIC filed an amicus brief in the case, joined by thirty-six technical experts and legal scholars, arguing that "guest registries should not be made routinely available to the police for inspection, and they should not be collected or retained for that purpose." EPIC traced the history of US hotels as meetings places for organizations and cited the landmark Supreme Court case NAACP v. Alabama. (Jun. 22, 2015) - EPIC Files FTC Complaint Against Uber about Plan to Track Users and Gather Contact List Data
EPIC has filed a complaint with the Federal Trade Commission, charging that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice. EPIC cites Uber's history of misusing customer data as one of many reasons the Commission must act. EPIC has also recommended comprehensive legislation for Uber and other similar companies. EPIC has previously pursued successful complaints at the FTC concerning Google, Facebook, WhatsApp, Snapchat and other firms. The complaints typically lead to investigations and then to settlements following a change in business practices. (Jun. 22, 2015) - FCC Implements Strict Rules to Halt Unwanted Telemarketing
The Federal Communications Commission has adopted new rules that impose strict limits on telemarketing practices. Under the rules, consumers can halt unwanted messages by telling companies to stop calling. The rules also allow phone companies to offer call-blocking services to screen out automated telemarketing calls. In 2014, the FCC received more than 215,000 complaints from consumers regarding unwanted telephone solicitations. EPIC has previously urged the Commission to require express consumer consent for telemarketing calls and to protect wireless subscribers from telemarketing. EPIC President Marc Rotenberg helped establish the Telephone Consumer Protection Act. (Jun. 19, 2015) - Senate Rejects User Surveillance Proposal
The Senate has rejected an amendment to the National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt) urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for NSPD 54-the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States. (Jun. 17, 2015) - Senator Sanders Proposes Commission on Privacy Rights in Digital Age
Senator Bernie Sanders (I-VT) has introduced a bill to establish a federal Privacy Commission. The Commission on Privacy Rights in the Digital Age would convene for two years to "examine the ways in which public agencies and private companies gather data on the people of the United States and the ways in which that data is utilized." The Commission would also "make recommendations concerning potential policy changes needed to safeguard the privacy" of Americans. EPIC has repeatedly urged Congress to establish a privacy agency. As EPIC explained in Senate testimony, similar agencies in other countries "routinely report on the handling of privacy complaints, the emergence of new privacy issues, and proposed measures to protect privacy." The United States is one of the few democratic countries in the world that does not have a federal privacy agency. (Jun. 17, 2015) - EPIC Calls for Improved Oversight of "EO 12333" Surveillance Activities
EPIC has filed extensive comments with the Privacy and Civil Liberties Oversight Board, urging enhanced oversight of Executive Order 12333. The Presidential Order was originally adopted in 1981 to limit domestic surveillance but now provides the basis for NSA mass surveillance programs. EPIC called for: (1) new limits on data collection and disclosure; (2) audit trails for surveillance activities; and (3) published legal justifications for surveillance programs. EPIC is also pursuing open government requests concerning 12333 surveillance activities with the NSA, the Attorney General, and the Director of National Intelligence. A related EPIC FOIA case, EPIC v. NSA, led to the public release of the NSA's cyber security authority. (Jun. 17, 2015) - European NGOs Critical of Council Position on New Data Protection Law
In response to an earlier proposal from the European Parliament, the European Council has approved a draft intended to update the EU1995 Data Directive. The goal of the new Regulation is to modernize, harmonize, and strengthen data protection across the European Union. However, EU NGOs, including Privacy International and EDRi, have expressed strong concern about the Council position, which creates numerous exceptions and disregards fundamental rights. In April, EPIC and a coalition of over sixty NGOs urged the EU to uphold robust data protection standards. Negotiations among the EU institutions will continue later this month. (Jun. 15, 2015) - EPIC Joins Open Government Groups in Support of FOIA Reform
EPIC and a coalition of open government advocates has urged Congress to pass FOIA reform legislation. In response to a request from the Chairman of the House Oversight and Government Reform Committee, the coalition expressed support for the FOIA Act of 2015, specifically praising a provision limiting the use of Exemption 5, which has enabled the growth of secret law. In EPIC v. DOJ, EPIC argued that agencies improperly use Exemption 5 to hide government documents from public scrutiny. EPIC also filed an amicus in NY Times v. DOJ, a successful challenge to the secrecy of the legal memos justifying the government's "targeted killing" drone program. (Jun. 12, 2015) - France Tells Google Apply Right to Be Forgotten Worldwide or Face Fines
French authorities have threatened Google with fines if it fails to apply Europe's right to be forgotten ruling to the search engine's global domains, including Google.com. Google has been reluctant to apply the landmark decision broadly, even after officials across Europe made clear that Google is violating the court judgement if it routinely discloses sensitive personal information to Internet users worldwide. EPIC explained in US News & World Report and USA Today that Google's position is illogical and inconsistent. According to a recent survey, nine out of ten voters in the United States want the right to delete links to personal information. (Jun. 12, 2015) - New Law Would Strengthen Children's Online Privacy
The "Do Not Track Kids" Act, introduced this week by Senator Markey (D-MA), Senator Blumenthal (D- CT), Rep. Barton (R-TX), and Rep. Rush (D-IL) would strengthen and expand the privacy protections afforded children in the 1998 Children's Online Privacy Protection Act. The Act extends privacy safeguards to children over 13, requires that businesses collecting information on minors comply with Fair Information Practices, and establishes a "right to be forgotten," allowing parents and minors to remove social media posts, similar to California's Eraser Law. EPIC has long advocated for the privacy rights of children, testifying in Congress 1996 in support of the Children's Privacy Law and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also urged FTC in 2011 to establish stronger regulations to protect the data concerning children. (Jun. 12, 2015) - South Carolina Requires Police Body Cameras, But Blocks Public Access to Footage
South Carolina has become the first state to require law enforcement agencies to deploy body cameras. However, the law exempts police body camera footage from public records law, which appears contrary to the stated goal of promoting police accountability. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council opposing the deployment of body cameras. But where body-worn cameras are deployed, EPIC recommends that the police agencies comply with open government laws. (Jun. 12, 2015) - Civil Society Groups Propose Open Government, Privacy Goals for US
EPIC and a coalition of civil society groups set out recommendations for the US National Action Plan, an initiative pursued by countries and NGOs participating in the Open Government Partnership. EPIC and other US NGOs urged the United States to commit to several goals including publication of FISC opinions, improving FOIA, and strengthening privacy safeguards. EPIC and others previously called on President Obama to address weaknesses in open government administration and support FOIA reform. (Jun. 10, 2015) - Massive Breach Impacts Millions of Government Employees
The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. (Jun. 10, 2015) - EU NGOs Push for Strong Data Protection Legislation
Following a meeting with EU NGOs, the European Data Protection Supervisor expressed support for a high level of data protection in the General Data Protection Regulation, In April, EPIC and a coalition of over sixty NGOs from around the world urged European Commissioner President Juncker to uphold robust data protection standards as the European Union considers the new Regulation. The European Commission previously promised that the Data Protection Regulation would be at least as strong as the 1995 Data Directive it replaces. (Jun. 9, 2015) - EPIC Shines Light on DARPA's "RATS" (Robust Automatic Transcription of Speech) Program
Pursuant to a FOIA request, DARPA released to EPIC documents describing a voice-to-text transcription program known as Robust Automatic Transcription of Speech, or "RATS." The agency program seeks to transform speech into text so that is can be more readily identified and analyzed. It is intended for "defense-related operations" and could be directed to private communications and public gatherings. EPIC recently challenged automatic voice transcription by Samsung televisions in an FTC complaint. (Jun. 9, 2015) - EPIC Obtains Documents on "Violent Intent Modeling and Simulation" Program
Pursuant to a FOIA request, the DHS has released to EPIC the first set of documents about a new pre-crime detection program. The so-called "Violent Intent Modeling and Simulation" Program attempts to predict violent behavior based on public record information. EPIC previously uncovered documents about the DHS's Future Attribute Screening Program, another pre-crime initiative. "Minority Report," a 2002 film starring Tom Cruise, also explored the topic of pre-crime detection. (Jun. 9, 2015) - Senators Urges FCC to Protect Consumers Against Unsolicited Calls
Almost a dozen senators have urged the Federal Communications Commission to uphold consumer privacy protections within the Telephone Consumer Protection Act. Next week the Commission will vote on two dozen proposals seeking to relax enforcement of the Act. According to Senator Markey and others, the FCC's recommendation to permit unsolicited texts and calls without consumer consent "would threaten privacy and result in an increase in disruptive and annoying calls for American consumers." The Commission will vote on the proposals during an Open Meeting on June 18, 2015. EPIC supported enactment of the TCPA and has advocated for strong enforcement. (Jun. 9, 2015) - Survey: Americans Favor Control Over Personal Information, Say Trading Data for Services is Unfair
According to a University of Pennsylvania study, 91% of Americans disagree that "If companies give me a discount, it is a fair exchange for them to collect information about me without my knowing." Although 84% of Americans "want to have control over what marketers can learn about" them online, 58% believe they have no control over what marketers can learn about them. A Pew survey last month found that 74% of Americans believe control over personal information is "very important," yet only 9% believe they have such control. EPIC maintains a webpage devoted to Privacy and Public Opinion. (Jun. 9, 2015) - Tim Cook Backs Privacy, Crypto, Freedom at EPIC Awards Dinner
Apple CEO Tim Cook gave an impassioned speech at the 2015 EPIC Champions of Freedom Award dinner. Cook said the erosion of privacy represents a threat to the American way of life. "We believe that people have a fundamental right to privacy. The American people demands it, the constitution demands it, morality demands it." Cook also opposed government efforts to weaken encryption. "So let me be crystal clear -- weakening encryption, or taking it away, harms good people that are using it for the right reasons. And ultimately, I believe it has a chilling effect on our First Amendment rights and undermines our country's founding principles." Tim Cook is the first business leader to receive the Award from EPIC. [Photo: Photograph by Jenifer Morris] (Jun. 2, 2015) - Senator Markey Speaks at EPIC Book Event
Senator Edward Markey (D-MA) appeared today at the Fund for Constitutional Government to support the release of EPIC's new anthology, "Privacy in the Modern Age: The Search for Solutions" and Bruce Schneier's NY Times bestseller "Data and Goliath." Senator Markey discussed his efforts to establish new safeguards for student privacy and to limit drone surveillance. [Photo] (Jun. 2, 2015) - Senate Passes FREEDOM Act, Ends NSA Bulk Collection
The Senate has passed the USA FREEDOM Act, sponsored by Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-TX). The Act, which the President is expected to sign, ends the NSA bulk collection of domestic telephone records and establishes new transparency and accountability rules for the Foreign Intelligence Surveillance Court. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. (Jun. 2, 2015) - Senate to Debate End of PATRIOT Act
The Senate convenes today for a rare Sunday session. Senators will consider whether to renew key provisions of the PATRIOT Act, including the NSA bulk collection program, due to expire tonight. Senator Rand Paul has said he will oppose any renewal. Also under consideration is the FREEDOM Act, sponsored by Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-TX). In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, supported by experts, scholars, and members of the Church Committee, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the program. The Sunday debate will be broadcast live on CSPAN2 at 4 pm EDT. (May. 31, 2015) - UN Report Champions Encryption and Anonymity
The UN Special Rapporteur on Freedom of Expression released a report today supporting strong encryption and anonymity tools. The Rapporteur finds that, "States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression." EPIC previously urged the UN to support secure, anonymous communications, stating, "In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy." EPIC published the first comprehensive survey of encryption use around the world and worked in support of the OECD Cryptography Guidelines of 1997. (May. 28, 2015) - White House Begins Shutdown of Bulk Collection Program
According to media reports, the Administration has decided not to renew the legal authority for the NSA’s telephone record collection program. EPIC and a coalition of privacy organizations had urged the President to end the program, which he said he would do in 2014. In 2013, EPIC filed a petition in the US Supreme Court, supported by technical experts, legal scholars, and former members of the Church Committee, arguing that the program was unlawful. The Senate is expected to take up the USA Freedom Act on May 31, the day before key provisions of the Patriot Act expire. (May. 27, 2015) - Florida Blocks Public Access to Police Body Camera Footage
Florida, a state with very broad open government laws, has exempted police body camera footage obtained inside a private residence, a health care, mental health care or social services facility or is taken in a place that a reasonable person would expect to be private from public records law. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council in opposition to the deployment of body cameras. But, where body-worn cameras are deployed, EPIC recommends no exemptions from open government laws. (May. 27, 2015) - Justice Department Releases Drone Privacy Guidance
The Justice Department has released extensive "Policy Guidance" for the use of drones by federal agencies. The Guidance bans the use of drones to monitor activities protected by the First Amendment, requires routine logs of drone use, and requires the protection of civil liberties and privacy in all cases. However, the Guidance "does not create any right, benefit, trust, or responsibility" enforceable against the United States. EPIC supports the recommendations. EPIC has also testified before Congress in support of a comprehensive drone privacy law, petitioned the FAA for drone privacy regulations, and sued the FAA when the agency failed to create privacy safeguards. (May. 25, 2015) - Inspector General Warns: Significant Oversight of Section 215 Required
The DOJ's Office of the Inspector General released a report this month detailing the FBI's use of Section 215 and warning that "significant oversight" is required. The Inspector General describes the FBI's expanding use of 215 to collect electronic information in bulk and criticized the agency for taking seven years to develop minimization procedures. The Second Circuit ruled the NSA's telephone record collection program exceeded the legal authority under Section 215. EPIC previously petitioned the Supreme Court to suspend the program. Unless Congress votes to reauthorize or modify the authority, Section 215 is set to expire on June 1. (May. 21, 2015) - California AG Urges Congress to Reform Data Breach Notification Bill
California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy. (May. 21, 2015) - Pew Survey: Vast Majority of Americans Feel Strongly About Privacy, Want Control Over Personal Information
The Pew Research Center has published a new privacy poll on Americans' Views About Data Collection and Security. According to the Pew survey, 74% of Americans believe control over personal information is "very important," yet only 9% believe they have such control.Americans also value having the ability to share confidential matters with another trusted person. The vast majority of Americans want limits on how long companies retain records about their activities. And 65% of American adults believe there are not adequate limits on the telephone and internet data that the government collects. (May. 20, 2015) - EPIC, Coalition to President: No Encryption Backdoors
EPIC and a coalition of civil society organizations and security experts urged President Obama to reject proposal to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the "Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a letter to a UN Rapporteur. (May. 20, 2015) - EPIC Warns Congress of Risks of Body Cameras
EPIC submitted a statement for the record today for the Senate hearing "Can Technology Increase Protection for Law Enforcement Officers and the Public?". EPIC opposes the use of "police cams" and warned Congress that body cameras could "become the next surveillance technology disproportionately aimed at the most marginalized members of society." EPIC also pointed to the potential liability for cities if harmful images are posted online. EPIC explained that there are "more productive means to achieve police accountability that do not carry the risk of increasing surveillance." EPIC stressed that if body cameras are deployed, police departments must comply with all privacy and open government laws. (May. 20, 2015) - New Drone Privacy Law Signed by Florida Governor
Florida has a new law prohibiting the use of drones to intentionally record images of people on private property if a reasonable expectation of privacy exists. The law applies to law enforcement and private individuals, and provides for civil damages and injunctive relief. The law follows Florida's 2013 law requiring that police obtain a warrant to use drones to collect evidence. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has also testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of the warrant requirement, and sued the FAA for failing to establish drone privacy safeguards. (May. 17, 2015) - Appeals Court Turns Down EPIC's Challenge to Cellphone Shutdown Secrecy
The Court of Appeals for the D.C .Circuit has denied EPIC's petition for further review of EPIC v. DHS, 14-5013. The Court sided with the DHS earlier this year, ruling that the agency could withhold from the public its cellphone shutdown policy. EPIC then asked that the full Court review the earlier ruling, arguing that the three-judge panel misconstrued the relevant law. The case is now headed back to the district court to determine which portions of the secret document the DHS must release. EPIC brought the case after cellphone service in a BART station was shutdown in advance of a peaceful protest. (May. 14, 2015) - House Passes Surveillance Reform Bill, Deadline Looms for Senate
The House of Representatives has passed the USA Freedom Act of 2015. The bill would end the NSA's controversial domestic telephone record collection program--a program the Second Circuit Court of Appeals recently ruled was unlawful. The Freedom Act would also establish new transparency requirements for the Foreign Intelligence Court, recommended by EPIC in testimony before the House Judiciary Committee in 2012. EPIC also opposed renewal of the NSA's Section 215 orders and petitioned the Supreme Court to suspend the program. The Senate is expected to take up the bill before the June 1 expiration of Section 215 of the Patriot Act. (May. 14, 2015) - Senators Markey and Hatch Propose Student Privacy Act
Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act.". The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, students access to their information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties. (May. 13, 2015) - EPIC to Recognize Richard Clarke, Tim Cook, AG Kamala Harris, and Susan Linn at June Awards Dinner
On June 1, 2015 in Washington, D.C., EPIC will present the 2015 EPIC Champions of Freedom Awards to Richard Clarke, former National Coordinator for Security and Counter-terrorism, Apple CEO Tim Cook, California Attorney General Kamala Harris, and Susan Linn, co-founder and director of The Campaign for a Commercial-Free Childhood. Computer security expert Bruce Schneier and political analyst Hilary Rosen will host the gala event. Tickets are available to the public for purchase until May 22. (May. 11, 2015) - EPIC Warns DC City Council of Risks of Police Body Cameras
EPIC National Security Counsel Jeramie Scott testified today at a hearing before the D.C. City Council regarding police body-worn cameras. EPIC opposes deployment of "police cams" and warned the D.C. Council of the risks of mass public surveillance. EPIC also pointed to potential liability for the city if harmful images are posted online. EPIC's Scott said there are "more productive means to achieve police accountability that do not carry the risk of increasing surveillance." Scott added that if body cameras are deployed, then the Metropolitan Police Department must comply with all privacy and accountability laws. (May. 8, 2015) - Federal Appeals Court Strikes Down NSA Bulk Record Collection Program
The Second Circuit Court of Appeals ruled today that the NSA's telephone record collection program exceeds legal authority. The government claimed that it could collect all records under the Section 215 "relevance" standard. But the court rejected that argument and held that "such an expansive concept of 'relevance' is unprecedented and unwarranted." The conclusion mirrors the argument EPIC, and a coalition of technical expert, legal scholars, and former members of the Church Committee made in Petition to the Supreme Court in 2013. EPIC explained in its petition, "It is simply not possible that every phone record in the possession of a telecommunications firm could be relevant to an authorized investigation." The Second Circuit found that Section 215 does not "authorize anything approaching the breadth of the sweeping surveillance at issue here." (May. 7, 2015) - EPIC Launches State Policy Project
EPIC has launched the EPIC State Policy Project to track legislation across the county concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes. (May. 5, 2015) - EPIC Defends Privacy of Nickelodeon Viewers
EPIC has filed an amicus brief in In re Nickelodeon, a case involving the Video Privacy Protection Act. The Act protects the privacy of a consumer's personally identifiable information ("PII"). Viacom, which offers Nickelodeon and other cable channels, claimed that personal identifiers such as IP addresses and unique device IDs are not PII and could be routinely disclosed to Google for commercial purposes without any restriction. EPIC filed in opposition to Google/Viacom and explained that the definition of PII in the Act is "purposefully broad to ensure that the underlying intent of the Act– to safeguard personal information against unlawful disclosure– is preserved as technology evolves." (May. 5, 2015) - House Committee Approves Surveillance Reform Bill
The House Judiciary Committee voted to send the USA FREEDOM Act of 2015 to the House of Representatives for further consideration prior to the June 1 Patriot Act expiration deadline. The bill would end the NSA's controversial domestic telephone record collection program. The bill would also establish new transparency requirements for Intelligence Court Orders, recommended by EPIC in testimony before the House Judiciary Committee. EPIC also opposed renewal of the NSA's Section 215 orders and petitioned the Supreme Court to suspend the program. (May. 1, 2015) - EPIC Sues Drug Enforcement Administration For Release of Privacy Assessments
EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Drug Enforcement Administration’s surveillance programs. The agency is required to publish privacy impact assessments for its data collection programs. However, the agency has failed to make available privacy impact assessments for many of its programs, including the massive cell phone metadata program "Hemisphere" and a nationwide license plate reader program. EPIC has a related lawsuit against the Federal Bureau of Investigation for that agency’s privacy impact assessments for several programs including "Next Generation Identification." (May. 1, 2015) - House Members Introduce Student Privacy Bill
Congressmen Luke Messer (R-IN) and Jared Polis (D-CO) have introduced the "Student Digital Privacy and Parental Rights Act of 2015." The student privacy bill would prohibit companies from selling student information, using student information for targeted advertising, or otherwise disclosing student information for non-educational purposes. The Student Digital Privacy Act would implement portions of EPIC's Student Privacy Bill of Rights, including granting students access to their personal information collected by companies and requiring companies to provide notice of data security breaches. The bill is modeled on a new student privacy law in California. (Apr. 30, 2015) - DHS Defends Government Secrecy in "Internet Kill Switch" Case
The Department of Homeland Security has filed a brief in response to EPIC's petition for rehearing in the "Internet Kill Switch" case. EPIC is seeking the release of the public policy that allows the government to suspend cell phone service. The D.C. Circuit previously ruled that DHS may withhold the policy. EPIC pursued the shutdown policy after government officials disabled cell phone service during a peaceful protest in San Francisco. EPIC cited both free speech and public safety concerns and noted that the policy was never subject to public rule making. The Federal Communications Commission recently warned government agencies not to use "jammers," devices that block cell phone signals, because of public safety risks. (Apr. 28, 2015) - Supreme Court to Hear Privacy Case Against Spokeo
The Supreme Court will hear an important privacy case concerning the disclosure of personal information in violation of the Fair Credit Reporting Act. Spokeo claimed that the plaintiff's lacked lacked "standing" to sue after the company disclosed data protected by the FCRA. The Ninth Circuit disagreed and ruled for the plaintiffs. In the Spokeo case, the Solicitor General has filed a brief in support of the plaintiffs. EPIC filed an amicus curiae brief in First American v. Edwards, a similar case before the Court in 2011. (Apr. 27, 2015) - EPIC Demands the FAA to Establish Drone Privacy Rules
EPIC has filed extensive comments, urging the Federal Aviation Administration to propose drone privacy safeguards. In 2012, EPIC led a coalition of over 100 experts and organizations in petitioning the FAA to establish privacy protections prior to the deployment of commercial drones in the United States. EPIC stated that, "As a consequence of the FAA’s failure to establish drone privacy rules, millions of Americans now face the possibility of unchecked monitoring and harassment." EPIC has sued the agency for its failure to protect the privacy of Americans. (Apr. 25, 2015) - FTC Reaches Settlement with Customer Tracking Technology Firm Over Privacy Violations
The Federal Trade Commission announced a settlement with the firm Nomi, whose sensors recorded the physical location of customers in stores using their mobile devices' MAC addresses. Nomi's privacy policy stated that customers would be able to opt out of tracking, however, customers were not informed when they were being tracked. The settlement agreement will prohibit Nomi from deceiving consumers in their privacy policies. EPIC supports the use of privacy enhancing technologies to protect consumers from tracking, including the adoption of randomized MAC addresses that prevent persistent identification. (Apr. 24, 2015) - Senator McConnell Seeks Renewal of NSA Bulk Collection Program
Senate majority leader Mitch McConnell has introduced a bill that would extend the Patriot Act until 2020. Specifically, S. 1035 would renew the controversial Section 215 authorities for the NSA's telephone record collection program. The 215 authority is set to expire on June 1. EPIC urged the President and the Attorney General not to renew the 215 order after it became clear that the NSA routinely collected the telephone records of US citizens. EPIC previously petitioned the Supreme Court to suspend the program, arguing that the NSA program exceeded the section 215 legal authority. (Apr. 23, 2015) - Open Government Groups Oppose Cyber Security Bills
A broad coalition of organizations now oppose cybersecurity bills currently before Congress. The groups warn that the measures will increase monitoring of Internet users, increase government secrecy, and remove judicial oversight for government surveillance. Many have described the cyber security bills as "cyber surveillance" measures. Last year, EPIC won a five-year court battle against the NSA for NSPD 54-the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States. (Apr. 23, 2015) - Congress Proposes Bipartisan Student Privacy Bill
The House Education and Workforce Committee has proposed a discussion draft amending the Family Educational Rights and Privacy Act, a federal student privacy law. The draft recommends ways to strengthen the law, including: (1) protecting student data maintained by private companies; (2) shorter wait times for students to access their records; (3) permitting students to opt out of disclosing their data for certain research studies; (4) mandatory data security for schools; (5) written agreements detailing obligations of third parties receiving student data; (6) enhanced enforcement mechanisms; and (7) narrowing exceptions under which schools may disclose student data without consent. (Apr. 23, 2015) - Privacy Groups Appeal UK Surveillance Decision
Human rights organizations have appealed a judgment concerning GCHQ spying to the European Court of Human Rights. Liberty first challenged the GHCQ in case before the UK Investigative Powers Tribunal. The Tribunal ruled in December that the GCHQ complied Article 8 of the European Convention on Human Rights, but in February 2015 the Tribunal held that the oversight rules were not made accessible to the public as required by Article 8. (Apr. 23, 2015) - Beckstrom, Bryant and Strossen Join EPIC Advisory Board, Chip Pitts Named Chair
EPIC has announced the 2015 members of the EPIC Advisory Board. They are Rod Beckstrom, former CEO and President of ICANN, Kimberly Bryant, founder of Black Girls Code, and Nadine Strossen, professor at New York Law School and former President of the ACLU. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Human rights attorney and expert in corporate social responsibility Chip Pitts was also voted EPIC Board Chair. (Apr. 22, 2015) - Supreme Court Limits Traffic Stop Searches
The Supreme Court issued its opinion today in Rodriguez v. United States, a Fourth Amendment case involving the use of a drug-detection dog during a traffic stop. The Court found that it was unlawful for a police officer to detain a driver for the sole purpose of conducting a "sniff" test after the traffic stop was completed. The Supreme Court rejected the Government's argument that extending the stop to wait for a dog to search for drugs was "only a de minimis" intrusion of Fourth Amendment rights. EPIC previously filed an amicus brief in Florida v. Harris, a similar case before the Supreme Court concerning the use of canines for drug detection, arguing that the Fourth Amendment requires routine testing of investigatory techniques to assess reliability and establish reasonableness. (Apr. 21, 2015) - NGOs Urge European Commission to Uphold Privacy
EPIC has joined a coalition of over sixty NGOs from around the world in a letter to President Juncker of the European Commission, urging him to uphold robust data protection standards. The institutions of the European Union are currently negotiating the new General Data Protection Regulation. The European Commission previously promised that the Data Protection Regulation would be at least as strong as the 1995 Directive it replaces. In 2012, EPIC spoke before the European Parliament on "The Reform of the EU Data Protection Framework-Building Trust in a Digital and Global World." (Apr. 20, 2015) - NIST Seeks Comments on De-identification Report
The National Institute of Standards and Technology has released a draft report on "De-Identification of Personally Identifiable Information." The agency is requesting comments by May 15. The NIST report reviews de-identification techniques and research, including work by EPIC Advisory Board members Cynthia Dwork and Latanya Sweeney. Last year, in response to a similar request for comments, EPIC recommended Privacy Enhancing Technologies that "minimize or eliminate the collection of personally identifiable information." EPIC also expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights. (Apr. 20, 2015) - "Eyes Over Washington:" EPIC Obtains Documents about Army Blimps in DC
As the result of a Freedom of Information Act lawsuit, EPIC has obtained several thousand pages about the blimps deployed by the Army, just north of the nation's capital. The records document the use of "JLENS," as well as the Army's relationship with the contractor Raytheon, which has proposed a video surveillance capability. The Army has disputed the claim that JLENS has surveillance capability. EPIC has recently filed suit against the FAA for failure to establish privacy rules for commercial drones in the US. (Apr. 15, 2015) - House Reconsiders Data Breach Bill
Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. Rep. Frank Pallone and others have raised concerns. EPIC previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks. (Apr. 15, 2015) - Gunter Grass Dies at 87, Nobel Novel Basis of US Privacy Case
Famed German novelist and social critic Gunter Grass passed at age 87. Grass's first novel, The Tin Drum, was adapted for film and won the 1979 Palme d'Or and the Academy Award for Best Foreign Language Film. Grass later received the Nobel Prize in literature. The Tin Drum was also the center of a dispute concerning the privacy of video rental records. Following a complaint that the film constituted "child porn" in violation of Oklahoma law, the police sought the names of all the people who had rented the Oscar winning film. Citing the Video Privacy Protection Act, a federal court ruled the search illegal and awarded damages. (Apr. 13, 2015) - Court Awards EPIC Attorneys' Fees in FOIA Case Against NSA
A federal district court has ordered the NSA to pay EPIC attorneys fees in a lawsuit that led to the the release of a presidential cybersecurity order. Back in 2009, EPIC requested National Security Presidential Directive 54, which concerns the NSA's domestic surveillance authority. After EPIC brought suit and then an appeal to the D.C. Circuit, the NSA finally released the document to EPIC. The agency then opposed EPIC's request for attorneys fees in the case. A federal court has now ruled that NSA's refusal to disclose the document was "incorrect as a matter of law," that EPIC had "substantially prevailed," and awarded EPIC more than $31,000 in fees. (Apr. 9, 2015) - Massive AT&T Consumer Privacy Violation Results in $25 Million FCC Penalty
The Federal Communications Commission has settled an enforcement action against AT&T for the company's massive consumer privacy violations. According to the Commission, employees at AT&T call centers around the world accessed the "CPNI" (call record information) of nearly 280,000 U.S. customers without their permission. Then AT&T distributed that information to traffickers of stolen cell phones. As a condition of settlement, AT&T will pay a $25 million penalty, eclipsing the 2014 Verizon settlement as the FCC's largest ever data security action. EPIC has long supported the robust defense of CPNI privacy. (Apr. 8, 2015) - Drug Enforcement Agency Gathered Telephone Records on Millions of Americans
According to USA Today the Drug Enforcement Agency has engaged in a secret telephone record collection program involving Americans for many years. The federal agency collected the telephone call records of Americans for nearly a decade before September 11. Government officials told USA Today that the program was discontinued in 2013, but documents obtained by EPIC indicate that the DEA program "Hemisphere" is ongoing. EPIC is pursuing a Freedom of Information Act lawsuit, EPIC v. DEA, to obtain further details about the DEA's bulk collection activities. EPIC is also pursuing related suits against the National Security Agency and the Department of Justice concerning metadata collection. (Apr. 8, 2015) - Judge Approves Laughably Bad, Collusive Class Action Settlement
A federal judge has approved a settlement involving Google after the company routinely disclosed the search histories of Internet users to third parties in violation of federal law. Under the settlement, Google will continue the practice and the attorneys will receive several million in fees. Google will also distribute millions to the schools the lawyers attended. None of the class members will receive any benefit. A coalition of consumer privacy organizations, including EPIC, twice urged the judge to reject the settlement. The groups cited an opinion by Supreme Court Chief Justice John Roberts about a similarly collusive settlement. (Apr. 3, 2015) - Department of Justice Adopts Improved FOIA Rule
In response to extensive comments by EPIC and the Sunlight Foundation, the Department of Justice has issued an improved final rule that will govern the agency's Freedom of Information Act practices. The initial rule would have made it difficult for FOIA requesters to obtain favorable fee status, created new obstacles to open government, and reduced agency oversight. The final rule adopted by the agency incorporates nearly all of EPIC's recommendations, including provisions that help ensure accountability, access, and favorable fee status for news media and educational requesters. EPIC routinely comments on agency FOIA rulemakings, and has had past success with the Federal Trade Commission, Privacy and Civil Liberties Oversight Board, and other federal agencies. (Apr. 3, 2015) - Court Orders Government to Respond to EPIC's Petition in Case Over Cell Phone Shutdown Policy
The federal appeals court in Washington, DC, has ordered DHS to respond to EPIC's petition to reconsider a recent decision allowing the federal agency to withhold the criteria for shutdown of cell phone networks. EPIC sued the DHS for the policy following a 2011 San Francisco BART incident, when government officials shut down cell phone service during a peaceful protest. EPIC argued that the recent decision would "create an untethered national security exemption for law enforcement agencies," and is contrary to other court decisions and the intent of Congress. The appeals court has determined that the government must respond to EPIC's petition. (Apr. 3, 2015) - EPIC Obtains E-Voting Documents, Security Questions Remain Unanswered
As the result of a Freedom of Information Act lawsuit, EPIC has obtained a September 2011 report about online voting. The report, produced in response to EPIC's July 2014 FOIA request, summarizes a pilot test of e-voting system. The report recommends several changes, including accessibility and user interface, but does little to address privacy and security concerns except for recommending "visible security features" to "give users greater confidence in the privacy and security of their ballots." EPIC will continue to pursue the documents that have been withheld from the public about the risks of online voting. (Apr. 3, 2015) - Campaign for a Commercial-Free Childhood Protests Eavesdropping Barbie
The Campaign for a Commercial-Free Childhood has launched a campaign and petition to protest Mattel's "Hello Barbie." The toy is a WiFi-connected doll with a built-in microphone. Hello Barbie records and transmits children's conversations to Mattel, where they are analyzed to determine "all the child's likes and dislikes." The advocacy group explained that Hello Barbie is "a significant violation of children's privacy...Kids using 'Hello Barbie' won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial." EPIC has participated in numerous campaigns to safeguard childrens' privacy and recently filed a complaint with the FTC about Samsung's always on "SmartTV." (Apr. 2, 2015) - EPIC Sues FAA, Challenges Failure to Create Drone Privacy Safeguards
Today EPIC filed suit in the federal appeals court in Washington, DC arguing that the Federal Aviation Administration failed to establish privacy rules for commercial drones as mandated by Congress. Congress had required the FAA to develop a "comprehensive plan" for drone deployment. In 2012 EPIC and more than 100 organizations and experts also urged the federal agency to establish privacy protections prior to the deployment of commercial drones in the United States. The FAA denied the EPIC petition, claiming it "did not raise an immediate safety concern." Then last month the FAA announced a rulemaking on commercial drones and purposefully ignored privacy concerns, stating that privacy "issues are beyond the scope of this rule making." (Mar. 31, 2015) - U.S. Supreme Court Tosses Out North Carolina Lifetime GPS Tracking
Today the U.S. Supreme Court issued a per curium opinion vacating the decision of the North Carolina Supreme Court in Grady v. North Carolina. Grady challenged a court order requiring a "satellite-based [GPS] monitoring program for the duration of his natural life." The North Carolina court ruled that this was not a Fourth Amendment search. However, the U.S. Supreme Court tossed that ruling aside, finding it contrary to recent decisions in United States v. Jones and Florida v. Jardines. EPIC filed an amicus brief in Jones, joined by many leading technical experts and legal scholars. The Court held in that case that continuous GPS tracking constituted a search. (Mar. 30, 2015) - Senate Committee Approves Modest Driver Privacy Bill
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act of 2015, a bipartisan bill limiting access to event data recorder or "black box" data. Under the Act, black box data could only be obtained with: (1) a court or administrative order; (2) consent of a car owner or lessee; (3) a federal transportation safety investigation if personal information is redacted; (4) emergency crash medical response; or (5) traffic safety research if personal information is redacted. The Senate Commerce Committee approved a stronger bill last year. EPIC previously recommended safeguards for black box data in USA Today and Costco Connect and then urged the Transportation Department to establish privacy rules for data access. (Mar. 30, 2015) - EPIC Continues Pursuit of Network Shutdown Policy
Today EPIC filed a Petition in the federals appeal court in Washington, D.C., seeking review of a recent opinion allowing DHS to withhold the criteria to shutdown cell phone networks. EPIC sued the agency for the shutdown policy following a 2011 San Francisco BART incident, where government officials shut down cell phone service during a peaceful protest. In its Petition, EPIC argued that the recent decision would "create an untethered national security exemption for law enforcement agencies," and is contrary to other court decisions and the intent of Congress. (Mar. 27, 2015) - United Nations To Create Special Rapporteur on Right to Privacy
The UN Human Rights Council has adopted a resolution on The Right to Privacy in the Digital Age that will lead to the selection of an independent expert on privacy. According to the resolution, the special rapporteur will have a broad mandate to assess developments, make recommendations, and promote the right to privacy. EPIC joined with 90 other NGOs in support of the resolution. EPIC also recently expressed support for encryption and anonymity in a letter to a UN Rapporteur. (Mar. 26, 2015) - EPIC Pursues Investigation of FTC's 2012 Investigation of Google
EPIC has filed a FOIA request with the Federal Trade Commission, reopening a 2013 FOIA request from EPIC regarding the Commission's Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. The FTC denied having any such records. Now, the Wall Street Journal has reported that the Chairman of the FTC attended White House meetings on the same day as Google lobbyists. EPIC also filed a request this week for the FTC staff reports recommending that the agency file an antitrust lawsuit against Google. (Mar. 26, 2015) - European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying
The Court of Justice for the European Union heard arguments this week in Maximilian Schrems v. Data Protection Commissioner, a case filed in Ireland following the revelations of the NSA PRISM program. At issue is whether the disclosure of EU citizens' data by Facebook and other Internet companies to the NSA violates the EU Charter of Fundamental Rights, and whether the EU-US "Safe Harbor" agreement provides "adequate" data protection. A decision is likely later this year. Schrems is the recipient of the 2013 EPIC International Privacy Champion Award. (Mar. 24, 2015) - EPIC Pursues Reports from FTC's 2012 Investigation of Google
EPIC has filed a FOIA request with the Federal Trade Commission, seeking the two reports prepared by agency staff during the 2012 Google antitrust investigation. After the agency closed the investigation in 2013, asked for for agency communications with the White House. Now, the Wall Street Journal has obtained a report revealing that the Commission ignored recommendations to reform Google's anticompetitive practices. EPIC warned the FTC in 2011 about Google's search ranking manipulation after the company acquired YouTube. (Mar. 24, 2015) - Wall Street Journal Reveals FTC Ignored Google's Anticompetitive Practices
According to an internal document obtained by the WSJ, in 2012 the Federal Trade Commission ignored recommendations to reform Google's anticompetitive practices. The FTC staff report concluded that Google's "conduct has resulted-and will result-in real harm to consumers and to innovation in the online search and advertising markets." The internal FTC report said the company illegally took content from rival websites to improve its own rankings and "[w]hen competitors asked Google to stop taking their content, it threatened to remove them from its search engine. The report also found that Google altered search results "to benefit its own services at the expense of rivals." In 2011 EPIC detailed for the FTC Google's manipulation of rankings for a search on the term "privacy" after it acquired YouTube. EPIC pursued an FOIA request for agency communications with the White House after the agency closed investigation. (Mar. 23, 2015) - Most U.S. Voters Want "Right to Be Forgotten"
According to a new survey, nine out of ten voters in the United States want the right to delete links to personal information. Those voters say they would support a U.S. law that permits Internet users to ask search companies, such as Google, to remove links to certain personal information. Last May the top court in the European Union established the "right to be forgotten" as a fundamental right, protected by the EU Constitution. EU citizens may require search companies to remove personal information that is inadequate, irrelevant, and inaccurate. The recent US survey bolsters the findings of a previous US survey which found that 61% of Americans supported the right to be forgotten. EPIC has argued that the right should be established in the United States. (Mar. 20, 2015) - EPIC Files Comments with FTC on Merger Review and Consumer Privacy
EPIC, along with 26 technical experts and legal scholars, has submitted extensive comments for the FTC's review of the merger remedy process. EPIC urged the Commission to consider the privacy risks to consumers that result from the merger of big data firms. The comments detailed EPIC's efforts, over 15 years, to warn the FTC about such mergers as Abacus and DoubleClick, then DoubleClick and Google, AOL and Time Warner, and most recently Facebook and WhatsApp. EPIC urged the FTC to asses both competitive and privacy impacts of merger, and to enforce privacy commitments prior to granting merger approval. (Mar. 18, 2015) - Advisory Committee Approves Rules to Expand Police Hacking Authority
According to a news report, a committee of the Federal Judicial Conference voted on Monday to approve changes to Rule 41 of the Federal Rules of Criminal Procedure. Under the revised rule, judges could issue "remote access" warrants authorizing law enforcement to search computers remotely, even when the target is outside the jurisdiction of the court. EPIC criticized the proposal in a statement presented by EPIC Senior Counsel Alan Butler last fall, arguing that the rules would not provide adequate notice as required under the Fourth Amendment. EPIC previously filed an amicus brief on a similar issue, the delivery of warrants via facimile. The decision of the advisory committee is only one of several steps before the change is adopted by the judiciary. (Mar. 18, 2015) - EPIC Comments on Maryland Drone Bill
In a prepared statement for a hearing on a bill to limit drone surveillance, EPIC urged Maryland state legislatures to add additional privacy protections. The bill prohibits drone surveillance of "specifically targeted individuals or private property," except where a valid search warrant is obtained or explicit consent is given. EPIC recommended that the bill specifically limit police drone surveillance of First Amendment protected activities, require use and data limitations, and include additional transparency and accountability measures. EPIC previously petitioned the FAA to establish clear privacy guidelines for commercial drones and urged Congress to establish privacy safeguards to limit drone surveillance. (Mar. 17, 2015) - Pew Survey: 57% of Americans Report That Government Surveillance of US Citizens Is "Unacceptable"
The Pew Research Center has published a new report on "Americans' Privacy Strategies Post-Snowden". According to the Pew survey, 34% of Americans who know about the NSA's bulk collection of telephone records have taken "at least one step to hide or shield their information from the government." Further, 57% said that it is unacceptable for the US government to monitor the communications of US citizens. Yet 54% believe it would be "somewhat" or "very" difficult to find "tools and strategies that would help them be more private" online. EPIC maintains an Online Guide to Practical Privacy Tools and resources on Public Opinion and Privacy. EPIC also petitioned the US Supreme Court to halt NSA surveillance of domestic telephone calls. (Mar. 16, 2015) - EPIC Publishes 2015 FOIA Gallery
In celebration of Sunshine Week, EPIC has created a "FOIA Gallery" of its most significant open government cases from the past year. EPIC obtained documents about the Army's surveillance blimps over Washington, the NSA's domestic surveillance authority, the FBI's formerly secret surveillance reports, the CIA's surveillance of Congress, and license plate readers. EPIC also obtained significant court judgments in cases against the FBI concerning the Next Generation Identification system and the "Stingray" cellphone surveillance technique. EPIC published the first FOIA Gallery in 2001. (Mar. 16, 2015) - Senate Committee Approves Cyber Surveillance Bill
In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54—the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity. (Mar. 14, 2015) - Data Breach Bill Would Preempt State Law, Weaken FCC Authority
Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumers privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks. (Mar. 13, 2015) - Wikimedia Sues NSA Over Mass Internet Surveillance
Wikimedia filed a federal lawsuit against the NSA over the mass surveillance of Internet communications. Wikimedia asked the court to halt the government's upstream collection—the practice of directly tapping into the Internet backbone that carries communications across the U.S. Wikimedia argues that upstream collection exceeds statutory authority and violates the First and Fourth Amendments, as well as Article III of the Constitution. Explaining the case, Wikipedia founder Jimmy Wales wrote, "Privacy is an essential right. It makes freedom of expression possible, and sustains freedom of inquiry and association." In 2013, EPIC petitioned the Supreme Court to stop the NSA's bulk telephone metadata program. (Mar. 10, 2015) - EPIC Partially Prevails in FOIA Case, Wikileaks Investigation Ongoing
A federal judge has granted in part EPIC's motion for summary judgment in a FOIA case about the government's surveillance of Wikileaks supporters. Three divisions of the Justice Department - the FBI, the National Security Division, and the Criminal Division - failed to provide any documents in response to EPIC's FOIA request. The FBI stated that there was no surveillance of supporters and that an investigation was ongoing. Judge Rothstein sided with the FBI and the Criminal Division, but held that the National Security Division had failed to justify its withholdings. (Mar. 5, 2015) - Senators Propose Law to Regulate Data Broker Industry
Senators Markey, Blumenthal, Whitehouse and Franken have introduced the Data Broker Accountability and Transparency Act. The bill would give consumers the right to access their personal information held by data brokers and stop data brokers from disclosing or selling that information to others. Senator Markey said, "The era of data keepers has given way to the era of data reapers." In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. EPIC's FTC complaint lead to a $10 million settlement with Choicepoint. (Mar. 5, 2015) - Sen. Markey and Rep. Welch Propose Drone Privacy Legislation
Senator Markey and Representative Welch introduced the Drone Aircraft Privacy and Transparency Act of 2015. The Act would regulate the use of drones in the United States. The Drone Privacy Act requires publicly available data collection statements from operators and warrants for drone surveillance by law enforcement. Recently announced rules by the FAA and White House "fail to adequately protect the privacy of Americans," according to the Congressmen. The Drone Privacy Act incorporates recommendations by EPIC in testimony to Congress and comments to federal agencies. EPIC petitioned the FAA to establish clear privacy rules for commercial drone operators. (Mar. 3, 2015) - Federal Courts Considers FTC's Data Protection Authority
A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam." (Mar. 3, 2015) - EPIC Files FTC Comments on Revenge Porn, Facial Recognition Privacy Risks
EPIC has filed formal comments with the Federal Trade Commission regarding a proposed consent order with Craig Brittain, a ”revenge porn” website operator. Revenge porn refers to the online distribution of sexual images without the consent of the image subject. Under the proposed order, Brittain "will have to destroy the intimate images and personal contact information he collected while operating the site.” EPIC supported the consent order, but urged the Commission to "further investigate the growing trend of companies recontextualizing images, for profit, without the knowledge or consent of the image subject.” EPIC also explained the correlation between “revenge porn” and other image privacy issues, such as facial recognition and image-based advertising. (Mar. 2, 2015) - Supreme Court to Consider Hotel Records Privacy Case, EPIC Amicus Cites Constitutional Interests
The Supreme Court will hear arguments this week in Los Angeles v. Patel, concerning the warrantless inspection of hotel records by the police. Hotel operators are challenging a city ordinance that requires the collection for police inspection of names, drivers licenses, vehicle information, payment information, and length of stay for every hotel guest. EPIC's brief, joined with thirty-six technical experts and legal scholars, argued that “individuals have a constitutional right to gather at hotels for political and religious purposes without being subject to police inspection.” EPIC traced the history of US hotels as meetings places for organizations and cited the landmark Supreme Court case NAACP v. Alabama. (Mar. 2, 2015) - White House (Commerce Dept.) Privacy Bill Not Helpful, Unworkable
The White House has released a consumer privacy proposal, prepared by the Commerce Department. The bill falls far short of the recommendations for a “Consumer Privacy Bill of Rights” set out by President Obama in 2012 and broadly supported by consumer organizations. The draft proposal lacks meaningful protections for consumers, would preempt stronger state laws, and create unnecessary regulatory burdens for businesses. EPIC has long recommended enactment of consumer privacy legislation based on “Fair Information Practices,” the basic framework for modern privacy law. (Mar. 2, 2015) - EPIC Files Lawsuit for Details About Government "Pre-crime" Program
EPIC has filed a Freedom of Information Act lawsuit about "Future Attribute Screening Technology", a "Minority Report" program that purports to identify individuals who will commit crimes in the future. EPIC filed the complaint after the DHS failed to respond to EPIC's FOIA request for information. EPIC charged that the agency uses secret algorithms to identify behavioral "abnormalities" that the agency claims indicate "mal intent." "Minority Report" is a 2002 movie with Tom Cruise about "a special police unit is able to arrest murderers before they commit their crime." (Feb. 26, 2015) - EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint
EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTvs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015) - EPIC Prevails in "Stingray" Case Against FBI
EPIC has obtained nearly $30,000 in litigation fees as a result of a Freedom of Information Act case against the FBI concerning a new surveillance technology. EPIC's lawsuit produced the release of more than 4,000 pages of documents about a phony cell tower technique called "Stingray." The documents obtained by EPIC revealed that the FBI used the devices to monitor cell phones without a warrant, and provided Stingrays to other law enforcement agencies. Following objections by Senator Grassley, the FBI restricted Stingray use. In EPIC v. FBI, No. 12-667, the Federal District Court awarded EPIC nearly all of the attorneys' fees requested. (Feb. 20, 2015) - FAA Ignores Privacy Concerns in Public Rulemaking on Commercial Drones
The Federal Aviation Administration announced a public rulemaking for the integration of small commercial drones into the National airspace. The rules will establish safety procedures but will not address privacy concerns. The agency stated that privacy "issues are beyond the scope of this rule making." EPIC and 100+ organizations, experts, and members of the public petitioned the FAA to conduct a public rulemaking on the privacy impact of domestic drone use. Several members of Congress, including Senator Markey and Senator Paul have urged the establishment of privacy laws before surveillance drones are deployed in the United States. (Feb. 19, 2015) - President Orders Federal Agencies to Adopt Privacy Rules for Drone Use, FAA Proposes Weak Rules for Commercial Users
The President has issued a new Executive Order requiring all federal agencies to adopt privacy rules for drone use. The Order is intended to limit the collection and use of personally identifiable information. The rules will also require agencies to adopt transparency and accountability procedures for drone use. The Order incorporates recommendations made by EPIC in testimony to Congress and comments to several federal agencies. The Federal Aviation Administration has also proposed new regulations for commercial drone use in the United States. These rules will establish safety procedures for drone use, including maximum height, weight and line-of-sight operation, but the rules do not address the privacy impact of commercial drone use. EPIC petitioned the FAA to establish clear privacy rules for commercial drone operators. (Feb. 15, 2015) - Executive Order Calls for More Cybersecurity Info "Sharing"
President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security. (Feb. 13, 2015) - EPIC Urges House to Safeguard Student Privacy
EPIC has sent a statement to a House Committee in advance of the Committee's hearing on "How Emerging Technology Affects Student Privacy." EPIC urged the Committee to "pursue effective measures that meaningfully safeguard student data," including adoption of the Student Privacy Bill of Rights, privacy enhancing techniques, and a private right of action against companies that unlawfully disclose student data. Last month, President Obama proposed legislation to "ensure that data collected in the educational context is used only for educational purposes." EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. (Feb. 11, 2015) - EPIC Urges UN to Support Secure, Anonymous Communications
In a letter to the UN Special Rapporteur, David Kaye, EPIC urged the UN Human Rights Committee to support the use of encryption and anonymity in digital communications. The UN Special Rapporteur is studying encryption and anonymity for a report due to the UN Human Rights Council later this year. Citing extensive work over many years in support of the freedom the use encryption and the fundamental right of anonymity, EPIC stated, "In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy." Last year, EPIC and others urged NIST to adopt "secure and resilient encryption standards, free from back doors or other known vulnerabilities." (Feb. 11, 2015) - In EPIC v. DHS, DC Circuit Backs Agency Secrecy on "Internet Kill Switch"
The federal court of appeals based in Washington, DC has ruled that the Department of Homeland Security may withhold from the public a secret procedure for shutting down cell phone service. EPIC pursued the DHS policy after government officials in San Francisco disabled cell phone service during a peaceful protest in 2011. EPIC sued DHS when the agency failed to release the criteria for network shutdowns. A federal judge ruled in EPIC's favor. On appeal, the D.C. Circuit held for the DHS but said that the agency might still be required to disclose some portions of the protocol. (Feb. 10, 2015) - Senator Markey Report Warns of Risks with "Connected Cars"
A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers." (Feb. 10, 2015) - UK Privacy Groups Prevail in GCHQ Spying Case
A British court that oversees intelligence gathering has ruled that GCHQ, the British spy agency, violated international human rights law with the mass collection of cellphone and Internet data. Last year, the same court ruled that data could lawfully be transferred between US and UK intelligence agencies. That earlier decision is on appeal to the European Court of Human Rights in Strasbourg. In 2013, following the disclosure of the "Verizon order," which authorized the NSA's routine collection of US telephone records, EPIC brought a petition to the US Supreme Court, arguing that the agency practice exceeded the "Section 215" authority. Dozens of legal scholars and former members of the Church Committee supported the EPIC petition. (Feb. 9, 2015) - Consumer Groups Urge FTC Review of Data Consolidation
A coalition of consumer groups has asked the Federal Trade Commission to undertake a comprehensive review of the impact on the American public of the growing consolidation of consumer data in the digital marketing industry. The groups asked the FTC to launch an investigation and hold a public workshop on protecting privacy in online transactions. EPIC has repeatedly urged the FTC to undertake a similar review. In 2007, EPIC opposed Google's acquisition of Doubleclick, the Internet advertising firm, citing the risks of growing consolidation of user data. In 2000, EPIC also opposed Doubleclick's acquisition of Abacus, a large catalog database firm. Privacy officials outside the US have begun to scrutinize these deals more closely. (Feb. 9, 2015) - Anthem breach Shows Risks of "Big Data"
One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the Presidents Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies limit the risks of data breaches. (Feb. 5, 2015) - Congress to Hold Hearing on Student Privacy
Next week, a House committee will hold a hearing on "How Emerging Technology Affects Student Privacy." Last month, President Obama proposed legislation to safeguard student data. The legislation would "ensure that data collected in the educational context is used only for educational purposes" And prohibit companies from selling data for non-educational purposes and targeting advertising. Last year, EPIC proposed the Student Privacy Bill of Rights following growing concerns about misuse of student data. EPIC has urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. (Feb. 5, 2015) - White House Report on "Big Data" Explores Price Discrimination, Opaque Decisionmaking
A White House report on Big Data and Differential Pricing released today examines new forms of discrimination resulting from big data analytics. The White House explained the risks to consumers, acknowledged the failure of self-regulatory efforts, and called for greater transparency and consumer control over their personal information. Last year, EPIC and a coalition of NGOs urged the President to establish privacy protections - including "algorithmic transparency", consumer control, and robust privacy techniques - to address Big Data risks. (Feb. 5, 2015) - With New Policy Changes, Facebook Tracks Users Across the Web
Over the objections of consumer privacy organizations, Facebook has implemented policy changes that allow the company to track users across the web without consent. The Dutch data protection commissioner launched an investigation after the original announcement. This week the a German privacy agency announced a similar investigation. Last year, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook's plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree for changing users' privacy settings. The consent decree resulted from complaints brought by EPIC and others in 2009 and 2010. (Feb. 4, 2015) - Online Privacy Bills Introduced in Congress, EPIC Recommends Further Changes
Senators and House Members have introduced bills to update the federal communications privacy law. The proposals would require law enforcement agents to obtain a warrant before they could access e-mails or location data. EPIC has called for a comprehensive overhaul of the federal privacy law. EPIC has recommended protections for location data, data minimization requirements, and end-to-end encryption for commercial email services. (Feb. 4, 2015) - President Discusses Surveillance Reform, Bulk Collection Continues
Today President Obama outlined new steps on surveillance reforms. The Director of National Intelligence also released a privacy framework for non-US persons and revised agency guidelines on data collection. Last year, the President committed to end the bulk collection of American's phone records and increase oversight of intelligence gathering. But the President has not ended the bulk collection program despite the absence of evidence that the program is effective. In 2013 EPIC, joined by dozens of legal experts, petitioned the Supreme Court to find the program unlawful. (Feb. 3, 2015) - Lawmakers Renew FOIA Reform Efforts
After narrowly failing to pass FOIA legislation last year, lawmakers in the House and the Senate have introduced the FOIA Improvement Act of 2015. The bill requires Federal agencies to operate under a "presumption of openness" and aims to reduce the overuse of exemptions to withhold information from the public. Senators called for swift passage of the bipartisan legislation which promotes transparency. Last October, EPIC and others urged the President to pursue many of the reforms contained in the proposed legislation. (Feb. 3, 2015) - EPIC Defends Political Gatherings at Hotels in Brief for Supreme Court
In an amicus brief to the Supreme Court for Los Angeles v. Patel, EPIC said the issue is "whether a city can authorize the police to routinely inspect hotel guest registries without any individualized suspicion or judicial supervision." Citing the famous civil rights case NAACP v. Alabama, EPIC noted the long history of political and religious organizations gathering at hotels in the United States. EPIC wrote, "individuals have a constitutional right to gather at hotels for political and religious purposes without being subject to police inspection." EPIC said, "guest registries should not be made routinely available to the police for inspection, and they should not be collected or retained for that purpose." Thirty-six legal scholars and technical experts supported the EPIC amicus. EPIC is a leading expert in privacy and technology, and regularly files amicus briefs in appellate cases concerning emerging civil liberties issues. (Jan. 30, 2015) - Senators Challenge Verizon's Secret Mobile Tracking Program
In a letter to Verizon, Senators on the Commerce Committee challenged the company's practice of placing a "super cookie" oncustomers' smartphones. The letter follows the recent discovery that the advertising company Turn was secretly tracking Verizon customers, even after customers deleted its cookies. In the letter, the Senators asked Verizon to stop tracking users with undeletable cookies. EPIC has urged the White House and the Federal Trade Commission to limit the use of persistent identifiers. EPIC supports opt-in requirements and Privacy Enhancing Techniques for consumers, and algorithmic transparency for data collectors. (Jan. 30, 2015) - Privacy Board Renews Call for President Obama to End Bulk Collection
The Privacy and Civil Liberties Oversight Board released a report on prior recommendations regarding the NSA's domestic and global surveillance programs. The Board stated that the Obama Administration has failed to end the domestic telephone collection program. The Board stated, "the Administration can end the bulk telephone records program at any time, without congressional involvement." EPIC and a broad coalition have repeatedly urged the President end the NSA's bulk record collection program. Previously, EPIC petitioned the Supreme Court, with the support of dozens of legal experts, arguing that the NSA program was unlawful. (Jan. 30, 2015) - DOJ Reverses Course on Forensic Evidence Committee After Federal Judge Resigns in Protest
The Department of Justice has reversed a decision to limit oversight of scientific evidence after a federal judge threatened to resign in protest. The National Commission on Forensic Science, established by the DOJ, was charged with improving the reliability of forensic science but the Justice Department appeared ready to make a recommendation contrary to the Commission's purpose. Senator Patrick Leahy (D-VT) has urged better oversight of forensic evidence in the criminal justice system. EPIC also asked the Supreme Court in an amicus curiae brief in Florida v. Harris to look more closely at investigative techniques that help establish probable cause. EPIC argued that courts should ensure that techniques are adequately tested to ensure the accuracy and validity of results. The dispute over the recommendations of the National Commission on Forensic Science reflect a similar concern. (Jan. 30, 2015) - National Security Agency Violates Defense Department Privacy Rules
The Defense Department has issued a regulation for all Privacy Programs within the agency, including the National Security Agency's. EPIC urged the Department to require the NSA to comply with the Privacy Act, which permits individuals to know about government databases and to inspect their records held by federal agencies. The DoD responded that the NSA complies with the Privacy Act. However, the NSA fails to describe the databases it maintains, which contain telephone numbers, email addresses, and social media information of U.S. citizens, in violation of the Privacy Act. (Jan. 28, 2015) - FAA Settles Case Testing Legality of Commercial Drone Ban
The FAA has settled a case, Huerta v. Pirker, that challenged the agency's ability to regulate the commercial use of drones. The settlement requires the drone operator to pay a $1,100 fine for violating the FAA regulation. Despite the ban, the agency continues to grant exceptions for commercial drone use. A small drone recently crashed on the White House grounds, raising additional concerns the anticipated deployment of drones in the United States. EPIC has petitioned the FAA to establish clear privacy rules for the operation of commercial drones. (Jan. 27, 2015) - EPIC Urges House to Safeguard Consumer Privacy
EPIC has sent a statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "algorithmic transparency." EPIC has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft,security breaches, and financial fraud.” (Jan. 26, 2015) - EU Privacy Supervisor Sets Out New Agenda
In a speech at the Computers, Data Protection, and Privacy conference in Brussels, European Data Protection Supervisor Giovanni Buttarelli set out a new agenda for the agency. Buttarelli emphasized that "data protection is a top policy priority and a top political priority." CPDP attracted more than 1,000 participants this year. (Jan. 26, 2015) - EPIC Gives Freedom Awards to Peter Hustinx and Philip Zimmermann
EPIC has awarded the 2015 International Champion of Freedom Award to former EU Data Protection Supervisor Peter Hustinx. EPIC also gave the 2015 US Privacy Champion Award to Philip Zimmermann, the inventor of PGP. The EPIC awards were presented at the annual conference on Computers Privacy and Data Protection in Brussels. Press release. (Jan. 22, 2015) - CIA Releases Redacted Report on Surveillance of Congress
Several months after EPIC filed a Freedom of Information Act lawsuit against the Central Intelligence Agency, the agency has released the Inspector General's report on the agency's surveillance of Congress. The Inspector General launched an investigation after the Senate accused the CIA of improperly accessing the computers of Senate staff who were investigating CIA torture practices. The Inspector General found that CIA personnel improperly accessed Senate computers multiple times. The Inspector General also found that the CIA's accusations that Senate staff had improperly removed CIA files were baseless. EPIC will pursue release of the full, unredacted report. (Jan. 15, 2015) - EPIC Urges New Mexico Supreme Court to Limit Aerial Surveillance
EPIC Senior Counsel Alan Butler will argue before the New Mexico Supreme Court this week in a case concerning police surveillance. EPIC filed an amicus curiae brief in State v. Davis warning of the risk of widespread drone surveillance and arguing that aerial surveillance within the airspace surrounding an individual's home is a search under the Fourth Amendment. EPIC frequently files amicus briefs in federal and state courts on emerging privacy and civil liberties issues. (Jan. 13, 2015) - President Obama Announces New Cybersecurity Initiatives
Today the President announced several cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity. (Jan. 13, 2015) - Obama Calls for Disclosure of Secret Credit Scores
In a speech at the Federal Trade Commission today, President Obama called for free access to credit scores. This will improve transparency for companies that profile consumers with "big data." Last year, the White House explored "Big Data and the Future of Privacy." EPIC called for "algorithmic transparency" and urged the White House to end secret profiling that limits opportunities for consumers, employees, students, and others. (Jan. 12, 2015) - Obama Announces New Consumer Privacy Initiatives
Today the President announced several initiatives to help protect consumer privacy following many, many data breaches. The President will move forward the Consumer Privacy Bill of Rights, a model framework for federal consumer privacy legislation, that EPIC supported in comments to executive agencies, legislators, and the White House. The President also proposed that financial firms disclose credit scores and that Congress enact the Student Digital Privacy Act based on "Fair Information Practices." (Jan. 12, 2015) - President Obama Backs Student Privacy Law
Today the President will propose legislation to safeguard student data, to "ensure that data collected in the educational context is used only for educational purposes." The Student Digital Privacy Act, based on a landmark California statute, will prohibit companies from selling data for non-educational purposes and from using data for targeted advertising. Last year, EPIC called for a Student Privacy Bill of Rights to safeguard student information. EPIC has urged Congress and the Department of Education to strengthen student privacy. (Jan. 12, 2015) - EPIC Urges Congress to Hold Hearing on FBI Database
In a letter to Senators Grassley and Leahy, EPIC has urged the Senate Judiciary Committee to investigate the FBI's "Next Generation Identification" program. NGI is the most extensive biometric database in the world and raises many privacy risks. In a recent FOIA case, EPIC v. FBI, EPIC obtained documents which show that the FBI accepted a 20% error rate for facial recognition matches. EPIC and over 30 organizations have urged Attorney General Holder to conduct a privacy assessment of NGI, but the program has since gone fully operational without the required evaluation. (Jan. 9, 2015) - FTC Chair Warns About Risks of Connected Devices
In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data. (Jan. 7, 2015) - New Report Surveys FOIA Litigation in 2014
The Transactional Records Access Clearinghouse has released its analysis of 2014 litigation under the Freedom of Information Act. TRAC found that 422 FOIA lawsuits were filed in the past year, the highest number since 2001. Among advocacy organizations, EPIC was the third most frequent filer, with seven lawsuits filed in 2014. Several notable lawsuits were also filed by the New York Times and Vice reporter Jason Leopold. The Department of Justice was the federal agency most frequently sued, followed by the Department of Defense. For more information see: EPIC: Open Government and FOIA.ROCKS. (Jan. 6, 2015) - Inspector General: Border Drone Program Expensive, Ineffective
The DHS Office of Inspector General has released a new report on the drone surveillance program operated on the US border. The Inspector General found that the government "has invested significant funds in a program that has not achieved the expected results, and it cannot demonstrate how much the program has improved border security." The report also found that Customs and Border Protection underestimated the cost of operations. The Inspector General recommends tabling any expansion of the drone surveillance program. In February 2013, EPIC petitioned the agency to suspend the border surveillance program pending the establishment of concrete privacy regulations. The petition followed an EPIC Freedom of Information Act request, which found that border drones carry advanced surveillance equipment that could intercept electronic communications and identify human targets on the ground. For more information, see EPIC: Domestic Drones and EPIC Spotlight on Surveillance: Drones - Eyes in the Sky. (Jan. 6, 2015) - Senators Seek Answers on Use of Cell Phone Surveillance Devices
Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Chuck Grassley (R-Iowa) have asked Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson several questions about the government’s use of cell site simulators or “Stingray” devices to track cell phones. According to the letter, the Senators previously asked FBI Director James Comey about the FBI’s use of cell site simulators and, after two briefings with the Senators, the FBI announced a new policy that it would obtain search warrants before using the devices, subject to certain exceptions. The new letter raises questions about the broader use of cell site simulators by other law enforcement agencies and their impact on the privacy of innocent individuals. EPIC filled a lawsuit under the Freedom of Information Act in 2012, seeking information about the FBI’s use of cell site simulators and, in particular, what legal process the agency required before deploying the technology. As a result of EPIC’s lawsuit, more than 4,000 pages of partially-redacted FBI records were released to the public. For more information, see EPIC v. FBI - Stingray / Cell Site Simulator. (Jan. 2, 2015) - Facebook Modifies User Privacy Policy
Facebook has modified its privacy and data use policies, effective January 1, 2015. Facebook will now allow advertisers to include a “buy” button directly on targeted advertisements on a user’s page. Facebook will also allow advertisers to use the location data gathered from tools like “Nearby Friends” and location "check-ins” to push geolocation-based targeted advertisements. For instance, a Facebook user who checks in near a restaurant that partners with Facebook may now be shown menu items from that restaurant. Last month, the Dutch data protection commission announced that it planned to open an investigation into Facebook’s policy modifications. In July 2014, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook’s plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. For more information, see EPIC: Facebook Privacy; and EPIC: FTC. (Jan. 2, 2015) - FTC Charges Data Broker with Theft
The Federal Trade Commission has brought a complaint against LeapLab, a commercial data broker. According to the complaint, LeapLab bought the payday loan applications of “financially strapped consumers,” and then sold the consumer information to marketers. At least one marketing company that purchased consumer information from LeapLab used that information to steal millions of dollars from consumers’ bank accounts. “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers,” said Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. In 2005, EPIC testified before the the House Commerce Committee on "Identity Theft and Data Broker Services" and Urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. Further, EPIC's complaint to the FTC against Choicepoint lead to a $10 million settlement. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (Jan. 2, 2015) - FTC Finalizes Snapchat Settlement
The Federal Trade Commission has approved a final order with Snapchat, the messaging service that falsely promised that messages sent and received through the service would "disappear forever.” The Commission’s investigation and initial proposed consent order followed a complaint filed by EPIC in 2013. EPIC brought the complaint against Snapchat after a researcher discovered that Snapchat photos could be retrieved by others after they should have vanished. EPIC also filed comments regarding the Commission's proposed consent order, expressing support for the Commission’s findings but recommending that Snapchat should be required to implement the Consumer Privacy Bill of Rights and make Snapchat's privacy assessments publicly available. Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (Jan. 2, 2015)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
