Previous Top News: 2016
- Obama Sanctions Russia for Election "Hack"
President Obama has sanctioned the Russian government for interference with the 2016 Presidential election. Obama stated, "These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior." Throughout this year, EPIC pursued a campaign in support of data protection, contending that it was "the most important, least well understood issue" of the 2016 election. EPIC specifically warned that online voting systems were vulnerable to cyber attack. EPIC recently filed an expedited FOIA request with the FBI, seeking to determine why the agency was slow to respond to the attack on US democratic institutions by a foreign government. (Dec. 30, 2016)
- EPIC Seeks FBI Records on Russian Interference in 2016 Presidential Election
EPIC has submitted an urgent Freedom of Information Act request to the FBI seeking records about the agency’s response to the Russian interference in the 2016 presidential election. According to several reports, Russian hackers infiltrated computer systems of the Democratic National Committee and the Republican National Committee. The U.S. Intelligence Community has officially attributed the attacks to the Russian government, yet questions have been raised about the failure of the FBI to investigate the attacks on the political parties of the United States. Congress is expected to establish a Select Committee to investigate the matter. “The FBI,” stated EPIC in the FOIA request, “is entrusted with protecting the cybersecurity of the public and its institutions. The American public, thus has a great interest in understanding the nature of the FBI’s response to the Russian interference with the 2016 presidential election.” EPIC is seeking expedited processing of the FOIA request. EPIC has recently filed a FOIA lawsuit against the FBI, regarding the expansion of “Next Generation Identification,” one of the largest biometric databases in the world. (Dec. 22, 2016)
- EPIC Urges Supreme Court to Protect Online Privacy, Right to Read
EPIC has filed a "friend-of-the-court" brief in Packingham v. North Carolina, a U.S. Supreme Court case about a state law that bars access to certain websites. Under a North Carolina law, released sex offenders are barred from accessing any website that allows people under 18 to create profiles and communicate online, including major news sites, such as the New York Times and CNN. In a brief joined by thirty-five technical experts, legal scholars, and civil liberties organizations, EPIC explained that the North Carolina law violates the First Amendment right to receive information, censors vast amounts of speech unrelated to protecting minors, and will lead to widespread police monitoring of all internet users. "The state can no more criminalize what an individual chooses to read on a personal electronic device than it can restrict the contents of a home library: the privacy of both is sacrosanct," EPIC wrote. EPIC regularly files amicus briefs with the US Supreme Court on emerging privacy and civil liberties issues. EPIC previously argued for First Amendment privacy protections in Doe v. Reed, Watchtower Bible v. Stratton, and Patel v. Los Angeles. (Dec. 22, 2016)
- Center for Investigative Reporting: Uber Continues to Abuse Locational Data
A recent report from the Center for Investigative Reporting finds that Uber continues to allow employees broad access to rider location data, raising questions of whether the transportation service is violating the terms of a settlement with New York’s Attorney General. According to the report, "Uber gave thousands of employees access to where and when each customer travels." Uber recently changed the terms of service and expanded the collection of users' location data. Uber also faces legal action in Europe over whether it should be considered a transportation service or digital platform. Last year, EPIC filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. That complaint, like many other consumer privacy complaints, is still pending before the Federal Trade Commission. (Dec. 21, 2016)
- EPIC FOIA: Drone Industry Cozied Up to Public Officials
Documents obtained by EPIC reveal a steady line of communication between government officials and the drone industry leading up to the government’s policy on drones. According to the documents obtained through a Freedom of Information Act request, public officials regularly communicated with private sector members of the Small UAV Coalition, an industry trade group that includes Google, Amazon, and DJI, a Chinese drone company. The government’s “multistakeholder process” has been criticized for undermining democratic institutions and giving industry lobbyists preferential access to government agencies. EPIC advocated for enforceable privacy rules prior to deployment of commercial drones in the United States. After a multistakeholder process produced voluntary guidelines, EPIC sued the FAA. The case is currently pending before the D.C. Circuit Court of Appeals. (Dec. 21, 2016)
- The Verge Features EPIC FOIA Docs on Secret Profiling System
In an article today, The Verge featured an EPIC Freedom of Information Act lawsuit about a controversial government data mining program, operated by the Department of Homeland Security. EPIC is seeking documents on the "Analytical Framework for Intelligence," a program that assigns "risk assessment" scores to travelers using data from sources including the Automated Targeting System, also operated by the DHS. Travelers "don't know how the scores are being generated and what the factors are," said EPIC FOIA Counsel, John Tran. "What if there's an error? Users should have an opportunity to correct the error, users should have an opportunity to understand what goes into generating the score." The case is currently pending before a federal judge in Washington, DC. EPIC expects to obtain more records on AFI. The FOIA case is also related to EPIC's ongoing work on "Algorithmic Transparency." (Dec. 21, 2016)
- Rep. Sensenbrenner Warns Trump on EU-US Data Flows
Congressman James Sensenbrenner has sent a letter to President-elect Donald Trump urging him to retain Presidential Policy Directive 28, which governs domestic and foreign signals intelligence activity. The Directive requires the intelligence community to safeguard the personal information of all individuals regardless of nationality. Sensenbrenner noted that PPD 28 also serves as a foundation for the “Privacy Shield,” a framework for commercial data flows between Europe and the United States. EPIC has urged the EU and US to strengthen safeguards for transborder data flows and is currently participating as amicus curiae in a legal challenge to Privacy Shield brought by privacy advocate Max Schrems. (Dec. 21, 2016)
- European Court of Justice Holds that Data Retention Laws Violate EU Law
In a major privacy decision, the Court of Justice of the European Union has ruled that data retention schemes enacted by member states violate EU law. The case involved challenges to data retention laws in Sweden and Britain. The Court of Justice found that subscriber data, which "contain information on the private life of natural persons," "may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time." The court further explained that fighting terrorism or crime is not, by itself, justification for indiscriminate, blanket data retention. In 2014, the Court struck down the EU Data Retention Directive, which had required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. EPIC has advocated against mandatory data retention and currently has a petition pending before the FCC to overturn the regulation requiring the retention of phone records of US telephone customers. (Dec. 21, 2016)
- Congressional Working Group Releases Encryption Report
The Congressional Encryption Working Group has released a year-end report. Two Congressional Committees formed the working group following the FBI’s demand that Apple weaken cell phone security to provide access to encrypted data on an iPhone. The report, endorsed by both Republican and Democratic members of Congress, finds that “any measure that weakens encryption works against the national interest.” The report also notes that encryption is a global technology, and suggests that Congress should “foster cooperation between the law enforcement community and technology companies” instead of seeking a “one-size-fits-all” solution. EPIC has advocated for strong encryption since its founding in 1994 and published the first comprehensive survey of encryption use around the world. Earlier this year, EPIC filed a “friend of the court” brief in support of Apple's challenge in the FBI iPhone case. The EPIC amicus brief explained that encryption protects the owners of the approximately three million cell phones lost or stolen each year from criminal hacking, financial fraud, and identity theft. (Dec. 20, 2016)
- EPIC Urges Amazon, Walmart, Target, and Toys "R" Us to Stop Selling Toys That Spy
EPIC has joined the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy in letters to major U.S. retailers urging the companies to immediately discontinue sales of My Friend Cayla, an internet-connected doll that spies on young children. Earlier this month, EPIC filed a complaint with the Federal Trade Commission against toymaker Genesis Toys and speech recognition firm Nuance Communications over “toys that spy” on children in violation of federal privacy laws. The letters from the consumer groups, sent to Amazon, Walmart, Toys "R" Us, and Target, urge the companies "to put the welfare of children first, and to cease sales of My Friend Cayla pending investigation and action by the FTC." Toy stores across Europe have already removed Cayla from their shelves and are offering refunds to parents who purchased the toys. (Dec. 20, 2016)
- EPIC Hosts Curated CRS Reports on Cyber Topics
EPIC has launched an online resource to make selected reports of the Congressional Research Service available to the public. The Congressional Research Service, housed within the US Library of Congress, provides timely reports on important legislative and policy issues pending in Congress. EPIC has reviewed CRS reports over the past decade and, with a dedicated portal, will now make available CRS reports on cyber security, surveillance, open government, drones, and other similar topics. The EPIC CRS Reports page will be frequently updated to make relevant reports widely available during the upcoming Congress. EPIC’s own work on these topics is often cited in CRS reports. (Dec. 20, 2016)
- Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach
Yahoo announced this week that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are among the victims. Yahoo's earlier breach drew wide-ranging concern from U.S. Senators to European privacy officials. EPIC testified in support of strong data breach notification laws in 2009 and 2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information. (Dec. 15, 2016)
- Google Settles Wiretapping Suit, Shifts Scanning of Gmail Messages to Servers
Google and lawyers for a class of Gmail users have reached a settlement in a case concerning the company's interception of private emails. The 2015 lawsuit accused Google of violating the federal Wiretap Act and California law by surreptitiously scanning Gmail messages for advertising revenue. Google has now agreed "to eliminate any processing of email content" for advertising purposes "prior to the point" when a Gmail user can retrieve email, but scanning of Gmail users (and non-Gmail users) on Google's servers will continue. EPIC recently filed an amicus brief in a related case before the Massachusetts Supreme Court, calling attention to Google's "systematic data mining of millions of private email messages" as a clear violation of the state's Wiretap Act. EPIC has also warned of collusive settlements in consumer privacy cases that enrich lawyers and leave business practices essentially unchanged. (Dec. 15, 2016)
- European Communications Privacy Law Strengthens Rights for Internet Users
A draft of the update to the European "e-Privacy Directive" provides important new safeguards for users of Internet-based services. The new regulation will apply to all online communications services, including email, instant messaging, and social media. The updated privacy law will limit tracking and profiling of Internet users. The report notes that lax rules for companies such as Facebook and Skype, "create a void of protection of confidentiality for the users of these services." The US FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The EU Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation. The Commission's formal proposal is expected in January of 2017. (Dec. 14, 2016)
- EPIC Promotes Strong Crypto, Civil Society at Internet Governance Forum in Mexico
EPIC President Marc Rotenberg, speaking at the Internet Governance Forum in Guadalajara, Mexico, described the early "crypto wars" during a panel on Encryption and Journalism, sponsored by UNESCO. Marc said "an email service that is not encrypted end to end is not an email service. It is something else." Marc also participated in a panel discussion on CSISAC and the role of civil society at the OECD. Copies of the latest edition of EPIC's Privacy Law Sourcebook were distributed to NGOs from Latin America. (Dec. 9, 2016)
- Obama Orders Review of Hacking During 2016 Election
President Obama's top homeland security advisor Lisa Monaco announced today that the Administration has asked the intelligence community to conduct a "full review" of cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered flaws in online voting reported by the Department of Defense just prior to the 2012 election. (Dec. 9, 2016)
- EPIC's "Toys That Spy" Complaint Spurs Congressional Investigation
Senator Edward Markey (D-MA) has sent letters to toy maker Genesis Toys and speech technology developer Nuance Communications requesting information on their data collection from young children. The investigation follows EPIC's complaint filed with the Federal Trade Commission over "toys that spy" on children in violation of federal privacy laws. EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts to ban these toys from the marketplace. Senator Markey and Rep. Joe Barton (R-TX), joined by Senator Mark Kirk (R-IL) and Rep. Bobby Rush (D-IL), introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information. (Dec. 9, 2016)
- Watchdog Report Shows Wiretap Powers Ineffective
The Justice Department's Inspector General has released the latest report to Congress on government surveillance. The report includes a review of the FBI's data collection under Section 215 of the Patriot Act, which was revised by the Freedom Act. According to the IG report, FBI agents "did not identify any major case developments that resulted from use of the records obtained in response to the [Section 215] orders." Similar findings were made by the PCLOB and the Senate Judiciary Committee: Section 215 has not prevented terrorist acts. The Second Circuit ruled last year that the NSA's telephone record collection program exceeded the legal authority of Section 215. EPIC recently obtained nonpublic IG reports through a FOIA lawsuit. (Dec. 9, 2016)
- Open Government Lawsuits at Near-Record Highs in 2016
Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, compiled for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos. (Dec. 9, 2016)
- Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns
The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access to port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles. (Dec. 9, 2016)
- EPIC, Coalition Urge OMB to Protect the Privacy Act and FOIA
EPIC, OpenTheGovernment.org, and a coalition of over 40 groups urged the Office of Management and Budget to "suspend action on any pending rules or regulations that would diminish the effectiveness of the Privacy Act or the Freedom of Information Act." The Acts ensure government transparency while protecting personal information retained by government agencies. EPIC has filed numerous Freedom of Information Act lawsuits to increase transparency around government surveillance programs. In public comments to federal agencies, EPIC has consistently recommended stronger privacy protections and argued against agency proposals to exempt themselves from the safeguards of the Privacy Act. (Dec. 7, 2016)
- EPIC, International Consumer Coalition Urges Recall on "Toys That Spy"
EPIC has filed a landmark complaint with the Federal Trade Commission about “toys that spy.” The complaint alleges that My Friend Cayla and i-Que Robot violate federal privacy law. “The toys subject young children to ongoing surveillance,” EPIC said in a statement. The EPIC complaint targets manufacturer Genesis Toys and Nuance Communications and describes how Internet-connected toys pose ongoing serious safety threats to children. EPIC’s complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of a coordinated effort to ban these toys from the marketplace. The complaint follows earlier efforts by the Norwegian Consumer Council. EPIC warned Congress about the risks of the Internet of Things, and filed complaints with the FTC about “always on” devices and “smart TVs.” (Dec. 6, 2016)
- Uber Expands Data Collection, Tracks Users, as Transport Services Case is Heard by European Court
Uber is now routinely tracking the location of all of its users, even when they are not using the transportation service. Last year, EPIC filed a complaint with the FTC after Uber announced the plan to collect location data when the app operated in the background. EPIC said that Uber had engaged in an unfair and deceptive trade practice. The FTC failed to act and Uber is now tracking users non-stop. In Europe, Uber is facing legal action as the European Court of Justice considers whether the company should be considered a transportation service, subject to the same rules as its competitors, or a digital platform, which operates outside the law. (Dec. 1, 2016)
- Congress to Examine Artificial Intelligence
Today the Senate Commerce Committee will hold a hearing on "The Dawn of Artificial Intelligence." Experts from industry and academia will provide "a broad overview of the state of artificial intelligence, including policy implications and effects on commerce." In a prepared statement, EPIC urged the Committee to support "Algorithmic Transparency," an essential public policy strategy to make AI accountable. The hearing follows two White House reports - Preparing for the Future of Artificial Intelligence and the National Artificial Intelligence Research and Development Strategic Plan. EPIC is currently litigating several "AI" cases including EPIC v. FAA (drone surveillance), Cahen v. Toyota (autonomous vehicles), EPIC v. CBP (U.S. traveler "risk assessments"), and Secret DNA Forensic Source Code. (Nov. 30, 2016)
- Congress Passes Consumer Review Fairness Act, Bans Gag Clauses
Congress has passed the Consumer Review Fairness Act, a law protecting consumers' right to post negative reviews without fear of retaliation. The bipartisan measure would make it illegal for companies to include non-disparagement clauses in consumer contracts, or to impose penalties or fees for critical reviews. The Federal Trade Commission will enforce the new law, which now awaits President Obama's signature. "By ending gag clauses, this legislation supports consumer rights and the integrity of critical feedback about products and services sold online," said Senate Commerce Committee Chairman John Thune. EPIC has long supported free speech and access to information online. (Nov. 29, 2016)
- Government Breaches Continue, Hacker Compromises more than 130,000 Navy Records
In the latest government data breach, the Navy reported that a hacker gathered the personal data of more than 130,000 current and former sailors from a laptop that belonged to a government contractor. Government security vulnerabilities are on the rise. In 2015, the records of more than 21 million federal workers, friends and family members were breached. In 2016, EPIC urged candidates for office to focus on "data protection." EPIC has warned that inaccurate, insecure, and overbroad government databases pose risks to the safety of Americans. Earlier this year, EPIC urged the Dept. of Defense and Dept. of Homeland Security to drop proposals to expand government databases that lacked adequate privacy safeguards. (Nov. 29, 2016)
- FBI to Monitor Twitter
According to FBI contracting documents, the FBI has hired Dataminr to monitor in real time more than 500 million daily tweets. EPIC has warned that these techniques of mass surveillance will subject more innocent people to government investigation. In 2012, EPIC successfully obtained documents detailing the social media monitoring program of the Department of Homeland Security, including instructions to analysts to monitor critics of the agency. EPIC's FOIA work led to a Congressional hearing on social media monitoring and government surveillance. (Nov. 29, 2016)
- New Study Shows Global Increase in Comprehensive Privacy Protections
An updated study by David Banisar of the human rights organization Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications - The Privacy Law Sourcebook 2016 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a federal privacy agency and to enact comprehensive privacy legislation. (Nov. 29, 2016)
- DHS Releases Revised FOIA Regulations, Agrees and Disagrees with EPIC's Suggestions
The Department of Homeland Security has released revised Freedom of Information Act regulations. EPIC submitted extensive comments on the proposed changes to the agency's open government practices. The DHS agreed to make some changes, recommended by EPIC, that should improve the processing of FOIA requests. The agency maintained a broad definition of "educational institutions" so that individual researchers will be able to access government records at minimal cost, and clarified steps that could be taken to delay "administrative closure," a controversial agency practice. The agency disagreed with EPIC about agency referrals, the definition of "commercial interest," and the routine release of public information to the general public. (Nov. 23, 2016)
- EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles
In comments to the National Highway Traffic Safety Administration, EPIC has backed strong privacy and safety standards. Responding to the "Federal Automated Vehicles Policy," EPIC said self-regulation would not be enough to protect drivers in the United States. EPIC urged the safety agency to mandate the Consumer Privacy Bill of Rights, establish new oversight authority, and protect state privacy rules for autonomous vehicles. EPIC is on the front lines of vehicle privacy as well as efforts to regulate the "Internet of Things." EPIC also defends the right of states to develop strong privacy laws. (Nov. 23, 2016)
- EPIC Asks FTC to Continue "Disposal Rule"
In comments to the FTC, EPIC continued support for the FTC's Disposal Rule, which requires businesses to take reasonable steps to protect consumer information against unauthorized access or use. EPIC told the FTC that the Rule protects consumers from identity theft. EPIC backed the initial Disposal Rule. In the 2016 comments, EPIC explained that information that can identify an individual should be covered by the rule. (Nov. 21, 2016)
- EPIC Prevails in Internet Surveillance Case
A federal judge in Washington, DC has granted EPIC attorney's fees in a long-running case against the Department of Homeland Security. In 2012 EPIC sued the DHS for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but a 2012 Executive Order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. In today's extensive opinion, Judge Gladys Kessler concluded that EPIC "substantially prevailed in this litigation" and that EPIC had added "to the fund of information that citizens may use in making vital political choices." The Court awarded EPIC substantial attorney's fees for its work in the case. (Nov. 21, 2016)
- EPIC FOIA: EPIC Obtains Secret Inspector General Reports
Through a Freedom of Information Act lawsuit EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds. Another set of documents includes audits of other grant programs, as well as a list of information security audits conducted since 2005. EPIC also obtained a previously unpublished audit of a state lab's DNA database. The mission of the DOJ Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel." EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive biometric database "Next Generation Identification." (Nov. 21, 2016)
- EPIC Sues FBI Over Biometric Data Program
EPIC has filed a FOIA lawsuit against the Federal Bureau of Investigation for information about the agency's plans to transfer biometric data to the Department of Defense. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, but the FBI has resisted maintaining privacy safeguards. The Bureau previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, which EPIC opposed. Then EPIC, following a FOIA lawsuit, obtained documents that revealed an error rate up to 20% for facial recognition searches in the FBI database. Now EPIC has filed an open government lawsuit to obtain a secret document that details the transfer of personal data in the FBI system to the Department of Defense. [Press Release] (Nov. 14, 2016)
- UK Information Commissioner Suspends WhatsApp Data Transfer to Facebook
Facebook has agreed to suspend targeted advertising for UK WhatsApp users. The decision follows an investigation by UK Information Commissioner Elizabeth Denham. "I don't think WhatsApp has got valid consent from users to share the information," Denham stated. WhatsApp announced in August that it would transfer its users' verified phone numbers to Facebook in violation of previous privacy promises. EPIC then filed a complaint with the FTC and more than a dozen US consumer groups backed the efforts. Then European Union privacy officials and officials in Spain, Germany, India, and Italy opened investigations. Back in the US, the Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises." (Nov. 8, 2016)
- EPIC Urges FTC to Strengthen "Safeguard Rule"
In comments to the FTC, EPIC has asked the agency to strengthen the Safeguards Rule, which sets out basic security standards for the processing of consumer information. EPIC urged the agency to expand the scope of the Rule, which now only applies to financial institutions. EPIC also recommended that the FTC mandate compliance with the Rule and require data minimization. EPIC has previously urged the Commission to enforce the Safeguards Rule against both financial and non-financial institutions and has also recommended data minimization to safeguard consumer privacy. (Nov. 8, 2016)
- EPIC FOIA Lawsuit Reveals Failure to Conduct Privacy Assessments for DEA Surveillance Programs
In response to an EPIC FOIA lawsuit, EPIC has learned that the Drug Enforcement Administration never completed privacy impact assessments for the agency's massive license plate reader program, a telecommunications records database, and other systems of public surveillance. Despite a federal judge instructing the agency to search for records in response to the FOIA lawsuit, the DEA failed to produce the privacy assessments required by law. The outcome of EPIC v. DEA raises questions about the privacy review of the agency systems funded by Congress. EPIC is currently litigating a similar lawsuit against the FBI. (Nov. 7, 2016)
- As Voters Go To Polls, EPIC Backs "Data Protection 2016," Secret Ballot
With voters heading to the polls for the 2016 Presidential election, EPIC has urged national focus on "data protection," calling it "the most important, least well understood issue" of this election season. Together with Common Cause and Verified Voting, EPIC also published a report on the importance of the secret ballot for democratic decision making. And EPIC's Freedom of Information Act litigation has uncovered flaws in online voting reported by the Department of Defense in a 2011 report. EPIC is a non-partisan, educational organization and does not endorse candidates for public office. (Nov. 7, 2016)
- European Parliament Explores Algorithmic Transparency
A hearing today in the European Parliament brought together technologists, ethicists, and policymakers to examine "Algorithmic Accountability and Transparency in the Digital Economy." Recently German Chancellor Angela Merkel spoke against secret algorithms, warning that that there must be more transparency and accountability. EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), Cahen v. Toyota (autonomous vehicles), and algorithms in criminal justice. EPIC has also proposed two amendments to Asimov's Rules of Robotics, requiring autonomous devices to reveal the basis of their decisions and to reveal their actual identity. (Nov. 7, 2016) - EPIC Urges OMB to Strengthen Privacy Act Safeguards
EPIC has submitted comments on Circular A-108, guidelines proposed by the Office of Management and Budget for federal agency compliance with the Privacy Act. EPIC warned that agencies frequently misuse exceptions to the Privacy Act to circumvent important safeguards required by law. EPIC urged the OMB to "strengthen its guidance on federal agency implementation of the Privacy Act" and to limit the 'routine use' exemption. EPIC regularly comments on privacy safeguards for federal databases and has urged Congress to modernize the Privacy Act. (Nov. 7, 2016) - EPIC, Consumer Coalition Defend FTC Authority Over Common Carriers
EPIC joined a coalition of consumer advocates to challenge a recent federal court decision that would limit the Federal Trade Commission's authority over companies engaged in "common carrier" activities. In an amicus brief filed with the Ninth Circuit Court of Appeals, the consumer coalition urged reconsideration of the court's decision that the common carrier exemption to FTC authority is status-based, not activity-based. The brief warned the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." Internet companies such as Google that offer some broadband service could be entirely exempt from consumer protection regulation. EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Nov. 7, 2016) - House Members Urge FTC to Examine Internet-of-Things
In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices." (Nov. 4, 2016) - Second Legal Challenge Launched Against "Privacy Shield"
La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in a related case brought by privacy advocate Max Schrems. (Nov. 3, 2016) - European Privacy Officials Pursue Investigation of WhatsApp & Yahoo
The Article 29 Working Party, an expert group of European privacy officials, is pursuing investigations of WhatsApp and Yahoo. In a letter to Facebook, the Working Party stated that the decision to transfer confidential user data from WhatsApp to Facebook has raised "serious concerns," and urged WhatsApp to halt data transfers pending completion of the investigation. Separately, the group urged Yahoo to provide information about the 2014 data breach which compromised 500 million accounts. The Working Party also pressed the company to explain why it scanned customer emails for US intelligence agencies. EPIC recently filed a complaint with the FTC regarding WhatsApp, arguing that it violated a 2014 agreement and urging the Commission to block the transfer. EPIC has also testified before Congress about the need to adopt data breach legislation and launched the Data Protection 2016 campaign. (Oct. 28, 2016) - FCC Adopts Modest Privacy Rules for Broadband Services
The Federal Communications Commission today approved privacy regulations for broadband services. The rules require ISPs to obtain consumers’ consent for "sensitive" information, which includes web browsing history and app usage, but excludes IP and MAC addresses which are also used to track Internet users. (A document obtained by EPIC under the FOIA indicates that Google lobbied for this exception.) The rules establish data breach notification requirements but permit companies to charge users for privacy protection and permit arbitration when violations of privacy rights occur. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Oct. 27, 2016) - Privacy Advocates Challenge EU-US Data Transfer Agreement
An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice for the European Union concluded that personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance. (Oct. 27, 2016) - UN Report Cites Threats to Freedom of Expression
A top United Nations official on the freedom of expression released a report citing "severe" threats to freedom of expression worldwide. The report flagged governments cracking down on encryption, blocking websites, suspending communications services, and over-classifying information as key concerns. EPIC described the importance of strong encryption in an amicus brief earlier this year and regularly litigates Freedom of Information Act cases to improve transparency about government surveillance. A new EPIC publication — The Privacy Law Sourcebook 2016 — provides an overview of legal instruments for privacy protection, as well as information about privacy agencies, organizations, and publications. (Oct. 25, 2016) - Google "Quietly" Changes Privacy Policy, Matches Tracking Data and User ID
Ars Technica reported this week that Google "quietly" changed its privacy policy this summer to combine tracking data and user ID - data it had previously promised to keep separated. The revised policy now says that "your activity on other sites and apps may be associated with your personal information" for ad delivery. In 2007, EPIC urged the FTC to block Google's proposed acquisition of Doubleclick, warning that Google would eventually link the Google user profile with the Doubleclick data despite the company's representations. When the FTC approved the merger without conditions, EPIC responded that the FTC "had reason to act and authority to act, and failed to do so." Currently before the FTC is a complaint from EPIC concerning WhatsApp's plan to transfer user data to Facebook, breaking a privacy promise made by the company at the time of the 2014 acquisition to act "independently and autonomously." (Oct. 25, 2016) - EPIC to Testify Before Maryland House of Delegates on Cell Site Simulators
EPIC Senior Counsel Alan Butler will testify today before the Maryland House of Delegates concerning "Cell Site Simulator Technology, Historical Location Information, and Aerial Surveillance by Police." The hearing follows a recent complaint to the FCC regarding the use of "Stingrays," fake cell phone towers, by the Baltimore Police Department to intercept private communication. In a 2013 Freedom of Information Act suit against the FBI, EPIC uncovered plans involving federal and state law enforcement agencies to keep the use of Stingrays secret. EPIC has since argued in amicus briefs that cell phone location data is protected by the Fourth Amendment. Baltimore Police used Stingrays to track more than 1,700 individuals between 2007 and 2014. (Oct. 25, 2016) - EPIC Urges Massachusetts High Court to Protect Email Privacy
EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this is prohibited by the Massachusetts Wiretap Act. EPIC described Google's complex scanning and analysis of private communications, concluding that it was far more invasive than the interception of a telephone communication, prohibited by state law. A federal court in California recently ruled that non-Gmail users may sue Google for violation of the state wiretap law. EPIC has filed many amicus briefs in federal and state courts and participated in the successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The EPIC State Policy Project is based in Somerville, Massachusetts. (Oct. 24, 2016) - EPIC FOIA - FAA Defies Congress, Fails to Complete Drone Privacy Report
Through an EPIC Freedom of Information Act request, EPIC obtained documents revealing that the FAA never finished a drone privacy report required by Congress. The Appropriations Act of 2014, which provided funding for the agency, required the FAA to inform Congress on "how the FAA can address the impact of widespread use of [drones] on individual privacy." The FAA drone privacy report was to be completed before the end of 2015 and before any drone regulations were issued. Now, as the end of 2016 approaches, the FAA has moved forward with regulations lacking privacy safeguards, with the drone privacy report still unfinished. EPIC is currently suing the FAA for the agency's failure to establish drone privacy rules. (Oct. 24, 2016) - EPIC Scrutinizes FBI "Insider Threat" Database
In comments to the FBI, EPIC criticized a proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. Earlier this year, EPIC filed comments with DOD and DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards. (Oct. 20, 2016) - EPIC Promotes "Algorithmic Transparency" at Annual Meeting of Privacy Commissioners
Speaking at the 38th International Conference of the Data Protection and Privacy Commissioners in Marrakech, EPIC President Marc Rotenberg highlighted EPIC's recent work on algorithmic transparency and also proposed two amendments to Asimov's Rules of Robotics. Rotenberg cautioned that autonomous devices, such as drones, were gaining the rights of privacy - control over identity and secrecy of thought - that should be available only for people. Rotenberg also highlighted EPIC's recent publication "Privacy in the Modern Age", the Data Protection 2016 campaign, and the various publications available at the EPIC Bookstore. The 2017 Privacy Commissioners conference will be held in Hong Kong. (Oct. 20, 2016) - DC Appeals Court Hears Arguments in Telemarketing Privacy Case
The federal appeals court in Washington, D.C. heard oral arguments Wednesday in a case with major implications for telephone privacy. The suit, ACA International v. FCC, was brought against the Federal Communications Commission by telemarketing companies and others challenging rules adopted under the Telephone Consumer Protection Act that prohibit automated calls made to cell phones without their consent. EPIC and six consumer privacy groups filed an amicus brief in the case, stressing the importance of privacy protections for cell phone users. EPIC also challenged a claim made by the telemarketers that "37 million" numbers were reassigned each year, making it difficult, the companies claimed, to comply with the privacy law. During the argument, one of the judges pressed the telemarketers' attorney on the point (audio), citing research in the EPIC amicus brief. EPIC frequently participates as amicus curiae in cases that raise novel privacy issues. (Oct. 20, 2016) - EPIC and Coalition Urge Presidential Candidates to Adopt Good Government Policies
In letters to Hillary Clinton and Donald Trump, EPIC and a coalition of NGOs urged the presidential candidates to adopt good-government policies in the next administration. In the first letter, the coalition called on the nominees to adopt a rigorous code of ethics for their presidential transition teams. Citing then-Senator Obama's 2008 transition code of ethics, the coalition urged the candidates to prohibit individuals with lobbying ties and financial conflicts of interest from working in the administration. EPIC also joined a second letter calling on the next president to adopt stronger policies on government record keeping. The next president, wrote the coalition, "can demonstrate commitment to strengthening records accountability within the federal government" by directing agencies to comply with the Office of Management and Budget's 2012 government records directive, implement agency-wide record keeping training, develop open records plans, and abide by strict reporting deadlines. EPIC and other open government groups previously pushed the Obama administration to improve its implementation of the Freedom of Information Act. (Oct. 19, 2016) - EPIC, Consumer Coalition Tells FCC to Limit Health Care Robocalls
EPIC and a coalition of consumer privacy advocates have urged the Federal Communications Commission to reject a request by health insurance companies to make unlimited health-related robocalls to consumers under the Telephone Consumer Protection Act. The insurance companies asked the FCC to amend the TCPA so that once a consumer provides her phone number to her doctor, she has "consented" to receiving telemarketing calls from other health care providers on anything medically related. The coalition comments, led by the National Consumer Law Center, urge the FCC to limit the scope of consumers' consent to medical robocalls by excluding telemarketing calls and allowing only calls related to the original reason the consumer provided her phone number. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC's 2015 order that strengthened consumer protections under the TCPA. (Oct. 19, 2016) - New Study Shows Public Does Not Trust Social Media Privacy, Supports Stronger Privacy Laws
A new survey supported by the Craig Newmark Foundation shows that while 80% of Americans use social media daily, 96% do not trust social networks to protect their privacy. The survey found that only 7% of millennials trust these sites to protect their data. A majority of Americans surveyed also expressed concern about the lack of safety online, including fears over identity theft, email hacking, and non-consensual online tracking. Many Americans think privacy laws are too weak. Among all groups, millennials are increasingly aware of the need for stronger privacy laws. EPIC maintains a webpage devoted to Privacy and Public Opinion and has launched the Data Protection 2016 campaign to highlight privacy protection in the 2016 election. (Oct. 19, 2016) - European High Court Rules that Dynamic IP Addresses are Personal Data
The Court of Justice for the European Union has ruled that dynamic IP addresses are personal data subject to protection under data protection law. The Court said that a user's identity can still be revealed through use of legal process, even though the numeric address may not be unique to the user. The Court also said that the collection of IP addresses must be limited to the purposes for which they were collected. The Court noted that personal data can be lawfully collected if it is necessary to protect cybersecurity. The European Court of Justice opinion is aligned with EPIC's recommendation for Privacy Enhancing Technologies that minimize or eliminate the collection of personally identifiable information. Internet services that do not retain IP addresses or adopt techniques that are unable to link IP addresses to a particular user may not be subject to the decision, which is binding across Europe. EPIC has made similar arguments about the scope of personal information to US courts as amicus curiae. EPIC argued in the Nickelodeon case that IP addresses and unique device IDs are personally identifiable information subject to protection under US privacy law. Federal courts are now split on the issue and the US Supreme Court may soon resolve the matter. (Oct. 19, 2016) - Privacy Commissioners Adopt Resolutions on Student Privacy, Privacy Metrics
At the 38th International Conference of Data Protection and Privacy Commissioners, held in Marrakech, Morocco, privacy officials from around the world adopted resolutions to strengthen data protection rights. The primary resolution — An International Competency Framework on Privacy Education — addressed one of the most serious challenges to digital society, the education of students about privacy risks. Other resolutions adopted concerned Privacy Metrics, Human Rights Defenders, and International Enforcement Cooperation. EPIC has actively participated in many of the conferences through the Public Voice coalition, which sponsored NGO events at more than a dozen of the annual meetings. The Madrid Privacy Declaration was adopted by NGOs at the 2009 Public Voice meeting, held in connection with the Privacy Commissioners conference. #icdppc2016 (Oct. 19, 2016) - DoD Exempts "Insider Threat" Database from Privacy Act Safeguards
The Department of Defense has issued a final rule on the "Insider Threat" database, a program that allows the federal agency to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Defense Department exempted itself from Privacy Act safeguards that would limit collection of personally identifiable information, and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the agency. EPIC also questioned whether that information would be adequately protected. Military officials described the 2015 data breach as an "absolute calamity." (Oct. 18, 2016) - Report: Facial Recognition is Expansive, Unregulated; Coalition Calls for DOJ Review
EPIC and a coalition of civil liberties organizations urged the Justice Department to review the disparate impact of facial recognition. The letter follows a report on law enforcement use of the technology. The report builds on work pursued by EPIC and others. Freedom of Information Act documents obtained by EPIC showed that the DHS system lacked privacy safeguards, the FBI accepts a 20% error rate for its Next Generation Identification system and has agreements to run facial recognition searches on DMV databases. In 2012, EPIC urged the Federal Trade Commission to suspend the use of facial recognition techniques pending the establishment of legal safeguards. And the 2009 Madrid Privacy Declaration, authored by NGOs and privacy experts, calls for a moratorium on the face scanning technology. (Oct. 18, 2016) - FTC's Data Protection Authority Under Attack in LabMD Case
A medical testing lab has petitioned a federal appeals court to reject the authority of the Federal Trade Commission to enforce data security standards. The commission recently found that LabMD's poor data security practices, which led to a breach of personal medical data, were "unfair" under the FTC Act and ordered the company to take corrective measures. "[T]he privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," the commission explained. EPIC previously filed an amicus brief in FTC v. Wyndham, a similar case in which another appeals court upheld the FTC's data protection authority. The court in that case stated, "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business." (Oct. 18, 2016) - WhatsApp Privacy Update: Spain Investigating Broken Privacy Promises
Spain is the latest country to investigate WhatsApp's transfer of user data, including the verified user phone number, to Facebook. The Spanish Data Protection Agency joins privacy regulators in Germany, India, Italy, and the U.K. that have taken action against WhatsApp's changes to privacy practices that contradict previous promises. EPIC filed a complaint with the Federal Trade Commission over the policy change in August, and more than a dozen consumer groups have backed these efforts. The Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises." (Oct. 14, 2016) - FTC Hosts Event on Drones and Privacy
Today the Federal Trade Commission will host a panel discussion on drones and privacy as part of the agency's Fall Technology Series. The Director of EPIC's Domestic Surveillance Project, Jeramie Scott, will participate in the panel. Mr. Scott previously testified before the Pennsylvania Senate on domestic drone surveillance and submitted a statement for the record regarding a Maryland bill to limit drone surveillance. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals. (Oct. 13, 2016) - White House Releases Reports on Future of Artificial Intelligence
The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns. Preparing for the Future of Artificial Intelligence surveys the current state of AI, applications, and emerging challenges for society and public policy. The report concludes "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations." A companion report National Artificial Intelligence Research and Development Strategic Plan proposes a strategic plan for Federally-funded research and development in AI. President Obama will discuss these issues on October 13 at the White House Frontiers Conference in Pittsburgh. #FutureofAI EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), and Cahen v. Toyota (autonomous vehicles). (Oct. 13, 2016) - EPIC Defends Consumers' Right to Sue Cable Providers for Illegal Data Retention
EPIC has filed an amicus brief urging a federal appeals court to preserve consumers' right to sue cable providers that illegally retain their data. A former Time Warner Cable subscriber brought a privacy lawsuit alleging that Time Warner held onto his personal information long after he had canceled the service, a clear violation of a provision in a federal privacy law. But a lower court wrongly dismissed the suit, concluding that there had been no "injury." In the amicus brief, EPIC said that the lower court confused "injury" with "harm." When a company violates a federal law, EPIC explained, that is a "legal injury" and the reason that the court must hear the case. EPIC filed an amicus brief in a similar case in July and regularly files briefs defending consumer privacy. (Oct. 13, 2016) - CPDP2017, Leading Data Protection Conference, Extends Paper Deadline
Computers, Privacy, and Data Protection, the international conference devoted to privacy and data protection, will now accept papers until October 22, 2016. The theme of CPDP2017 is "The Age of Intelligent Machines." CPDP2017 will be held on 25-27 January 2017 in Brussels. The CPDP2017 Call for Papers is addressed to all researchers who wish to present papers. All submitted papers will be peer reviewed by members of the CPDP 2017 Scientific Committee (and other independent reviewers where necessary) and will be commented upon by distinguished scholars. EPIC is one of many organizations sponsoring the event. The 2017 EPIC International Champion of Freedom Award will be presented at CPDP. (Oct. 6, 2016) - FCC Releases Revised Broadband Privacy Plan
The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The revised rules will require ISPs to obtain consumers' consent only for use of "sensitive" information. The original proposal offered privacy protections for all consumer data. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review. EPIC has said that the FCC should go further to safeguard consumer privacy. The Commission plans to vote on the proposal on October 27th. (Oct. 6, 2016) - Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails
Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program “Carnivore” that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community. (Oct. 4, 2016) - Supreme Court Won't Review Privacy Violations by Facebook, Google
The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young children’s names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement is unfair that allows a company to continue to engage in privacy violations. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act. (Oct. 4, 2016) - EPIC FOIA: Google Secretly Attempted to Narrow FCC Privacy Protections, Exclude Customer IP Addresses
In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission has released communications about the FCC’s broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer’s IP address. An email exchange between Google’s Vinton Cerf and FCC Chairman Tom Wheeler reveals Google’s backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers’ IP addresses. While EPIC has repeatedly argued that the FCC’s rules can and should go further, the current proposal would safeguard some consumer data, including IP addresses. (Oct. 4, 2016) - EPIC Opposes DHS Plan to Collect Social Media Identifiers
In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program. (Sep. 30, 2016) - India Joins International Opposition to WhatsApp Privacy Changes
India’s Delhi High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises. Germany has also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC’s latest response to the consumer coalition emphasized “FTC staff’s position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises.” The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises.” (Sep. 30, 2016) - EPIC Publishes "Privacy Law Sourcebook 2016"
EPIC proudly announces the 2016 edition of the Privacy Law Sourcebook, the definitive reference guide to US and international privacy law. The Privacy Law Sourcebook is an edited collection of the primary legal instruments for privacy protection in the modern age, including United States law, International law, and recent developments. The Sourcebook includes recent US law, such as the FREEDOM Act, and the EU General Data Protection Regulation, the UN Resolution on the Right to Privacy in the Modern Age, and regional privacy agreements. The Privacy Law Sourcebook 2016 is available for purchase from the EPIC Bookstore. EPIC will make the Privacy Law Sourcebook freely available to NGOs and human rights organizations. (Sep. 29, 2016) - Nickelodeon Plaintiffs Ask Supreme Court to Hear Video Privacy Case
The plaintiffs in the In re Nickelodeon class action recently asked the Supreme Court to hear their case. In June, a federal appeals court rejected claims that Viacom and Google violated the Video Privacy Protection Act, holding that static IP and MAC addresses are not “personally identifiable information.” The opinion contradicted a ruling from a different federal appeals court which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly “to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” The petition is C.A.F. v. Viacom, case number 16-346. (Sep. 28, 2016) - Massachusetts Court Upholds Privacy Rights of Cell Phone Users
The Massachusetts Supreme Judicial Court ruled today in Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court decision that established a warrant requirement for searches of cell phones. The EPIC State Policy Project coordinated the EPIC amicus brief in the case. (Sep. 28, 2016) - EPIC Celebrates International Access to Information Day
Today marks the first annual International Day for Universal Access to Information. This day celebrating the right to information—September 28th of every year—was established by the UN Education, Scientific, and Cultural Organization in a resolution last year. Freedom of information, declared UNESCO, "is an integral part of the fundamental right to freedom of expression," and is established as a right in the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights. International efforts to promote the right to information have also produced the Open Government Partnership, a multilateral initiative to secure transparency commitments from governments. EPIC, as part of a coalition of transparency groups, has proposed recommendations to the US open government plan, as well as plans from US agencies. (Sep. 28, 2016) - EPIC Urges Congress to Protect Voter Privacy
EPIC has sent a letter to a Congressional committee in advance of a hearing on cybersecurity and ballot integrity. EPIC warned that casting votes online threatens voter privacy. EPIC explained that the secret ballot is the cornerstone of the US election system. EPIC, Common Cause, and Verified Voting recently published The Secret Ballot at Risk: Recommendations for Protecting Democracy. The report makes specific recommendations for protecting voter privacy. EPIC has a long history of working to protect voter privacy and election integrity. (Sep. 27, 2016) - Senators Seek Answers About Yahoo's Massive Data Breach
Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information. (Sep. 27, 2016) - Germany Prohibits WhatsApp Data Transfer to Facebook
Germany’s privacy regulator has ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp’s privacy changes, which contradict previous commitments to users and regulators. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC responded it would “carefully review” EPIC’s complaint. The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises.” (Sep. 27, 2016) - EPIC Files Suit to Block "Invasive and Ineffective" Airport Body Scanner Program
EPIC has filed the opening brief in EPIC v. TSA II with the federal appeals court in Washington, DC, challenging the Transportation Security Administration's continued use of body scanners in US airports. TSA issued a regulation mandating the use of body scanners across the country more than five years after the court in EPIC v. TSA ordered the agency to "promptly" solicit public comments on the controversial body scanners program and nearly a decade after the agency deployed the scanners without public comments. EPIC told the court that the TSA's regulation entrenches body scanners over more effective, less intrusive screening techniques, and undermines the legal right of passengers to opt out. EPIC wrote that the TSA has failed to "justify the use of invasive screening techniques, or to provide the public with an opportunity to respond to the denial of the passenger opt-out right." (Sep. 27, 2016) - Secret Ballot At Risk in Maryland After Election Board Vote
The Maryland State Board of Elections has voted to certify Maryland’s online ballot-marking system for general use, threatening voter privacy. Voters using the online ballot-marking system would receive and fill out their ballot online, risking third-party access to their vote. Previously, online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect voter privacy and election integrity. (Sep. 27, 2016) - EPIC Tells Congress FTC Must Do More for Consumer Privacy
EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws. (Sep. 26, 2016) - Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach
Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election. (Sep. 22, 2016) - Consumer Groups Back Call for FTC to Investigate WhatsApp
More than a dozen US consumer organizations have asked the Federal Trade Commission to pursue the complaint EPIC and the Center for Digital Democracy filed about WhatsApp’s plan to transfer user data to Facebook. The EPIC-CDD complaint said that the changes to WhatsApp contradict promises to users that personal information would not be used for marketing purposes. The FTC has said, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises." The FTC responded that it would “carefully review” EPIC’s complaint. The consumer coalition letter urges the Commission to “fulfill its duty to protect consumer privacy, and to investigate and enjoin WhatsApp and Facebook’s proposed change in business practices.” (Sep. 22, 2016) - Federal Judge Unseals Secret Surveillance Records
A federal judge has ordered the public release of 235 sealed records of government surveillance in response to a request from a journalist. EPIC has urged greater transparency of these "pen register and trap and trace" orders. As a result of a Freedom of Information Act lawsuit against the Justice Department, EPIC v. DOJ, EPIC made public formerly secret documents about the government’s use of pen registers to collect the records of private communications. (Sep. 22, 2016) - Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention
According to the Pew Research Center, there is broad support in the US for new legal protection for personal information. Pew found that “68% of internet users believe current laws are not good enough in protecting people’s privacy online; and 64% believe the government should do more to regulate advertisers.” Americans favor limits on how long the records of their activity are stored. Pew also found that “young adults are more focused than elders when it comes to online privacy,” and many have tried to protect their privacy, removed their names from tagged photos, and taken steps to mask their identity. According to Pew, 74% of Americans say it is “very important” to be in control of their personal information. EPIC maintains an extensive listing of polls concerning public attitudes toward privacy and has launched the Data Protection campaign to highlight privacy protection in the 2016 election.
(Sep. 22, 2016) - EPIC Advises Congress on Modernizing Telemarketing Rules to Protect Consumers
EPIC has sent a letter to the House Energy and Commerce Committee in advance of the hearing on “Modernizing the Telephone Consumer Protection Act.” The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC urged the Committee to ensure that an update to the law “protects consumers from unwanted commercial communications.” EPIC said legal rights should be “robust, enforceable and minimally burdensome for consumers.” Earlier this year, EPIC filed an amicus brief in support of strengthening TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation. (Sep. 21, 2016) - U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge
The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports, however the framework lacks compliance obligations and enforcement mechanisms. The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016. (Sep. 20, 2016) - Policy Commission Seeks Public Comment
The Commission on Evidence-Based Policymaking has issued a request for comments on "strategies to increase the availability and use of government data." Congress established the Commission to study whether and how data across the federal government could be combined for policy research while protecting privacy. The Commission seeks comment on several issues including privacy risks, access to data, and whether a single clearinghouse should be created. In testimony before the Commission, EPIC President Marc Rotenberg emphasized safeguards for personally identifiable information, following EPIC’s work on Re-identification and The Census and Privacy. Comments to the Commission are due on November 14, 2016. (Sep. 20, 2016) - FAA Drone Advisory Committee to Address Privacy
In its inaugural meeting, the FAA's newly assembled Drone Advisory Committee decided to address privacy concerns posed by the increasing deployment of drones in the United States. The FAA Committee, lacking consumer and privacy representatives, was assembled to make recommendations to the FAA on drone policy. According to the National Conference on State Legislatures, at least 38 states have considered drone legislation so far this year. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals. (Sep. 19, 2016) - White House Updates Guidance on Federal Agency Privacy Practices
The Office of Management and Budget released a memorandum that requires the head of each agency to “assess the management, structure, and operation of the agency’s privacy program.” The OMB memo provides updated guidance, requiring the designation of a Senior Agency Official for Privacy with appropriate authority to implement the agency’s privacy program, including ensuring compliance with the Privacy Act. In 2015, a breach of records at the OMB impacted more than 22 million federal employees, family members and associates. EPIC has filed numerous comments with agencies across the federal government criticizing their lack of compliance with the Privacy Act. EPIC has also submitted amicus briefs to the US Supreme Court concerning the federal Privacy Act. (Sep. 19, 2016) - EPIC Amicus - Appeals Court Finds Inaccurate Background Reports Violate Federal Privacy Law
A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of credit reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow “industry standards” if inaccurate reports still result. The court found that Lexis was negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information. (Sep. 14, 2016) - FTC Seeks Comments on the "Disposal Rule" for Consumer Data
The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires companies to delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefits analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission. (Sep. 13, 2016) - EPIC Prevails in FOIA Lawsuit for Government Privacy Assessments
EPIC has prevailed in EPIC v. DEA, a case involving a Freedom of Information Act request for privacy assessments the federal agency is required by law to perform. EPIC sued the Drug Enforcement Agency after the agency failed to respond to EPIC’s FOIA request. EPIC subsequently challenged the adequacy of the agency’s search. Today, the federal judge concluded that although the initial search was adequate, “EPIC has raised a substantial doubt as to the sufficiency of the DEA’s supplemental search.” The Court ordered the agency to conduct an additional search or explain why an updated search is not likely to produce additional records. EPIC pursued the DEA FOIA case after the disclosure of “Hemisphere,” perhaps the largest telephone record collection program in the world. (Sep. 13, 2016) - European Commission Begins Investigation of WhatsApp Privacy About-Face
Following the announcement that WhatsApp intends to transfer user data to Facebook in violation of earlier commitments, EU Competition Commissioner Margrethe Vestager has opened an investigation. Vestager stated, “That they didn’t merge data wasn’t the decisive factor when the merger was approved, but it was still a part of the decision” to approve the $19b Facebook acquisition in 2014. Last month, EPIC and the Center for Digital Democracy filed a complaint with the FTC, urging the Commission to act. The FTC responded that it would “carefully review” EPIC’s complaint. (Sep. 13, 2016) - EPIC Urges Policy Commission to Support Privacy Techniques
EPIC President Marc Rotenberg appeared before the recently established Commission on Evidence-Based Policymaking. Mr. Rotenberg discussed Privacy Perspectives on data use. He pointed to the federal wiretap reports and also climate data as government data sources that are enormously influential yet raise few privacy concerns. He recommended that the Commission encourage the development of Privacy Enhancing Techniques that protect personal information while enabling data analysis. Rotenberg serves on a National Academies study that will release a report on privacy and big data in early 2017. (Sep. 12, 2016) - EPIC Republishes "Privacy and Human Rights," Most Comprehensive Survey of Privacy Law and Practices Ever
EPIC has published the first digital edition of Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available online. (Sep. 12, 2016) - Federal Agencies Unable to Measure FOIA Litigation Costs
In a new report, the Government Accountability Office found that the Justice Department and other federal agencies are unable to determine how much they spend on defending Freedom of Information Act lawsuits. The watchdog agency found that of the 112 FOIA lawsuits decided between 2009 and 2012 in which the requester prevailed, agencies were able to calculate costs for only half, and estimated $1.4 million in costs. The GAO—which conducted the investigation in response to a request from Senators Chuck Grassley (R-IA) and Patrick Leahy (D-VT) of the Senate Judiciary Committee—urged Congress to explore the possibility of requiring agencies to track FOIA litigation costs. EPIC routinely litigates FOIA cases against federal agencies, and is currently fighting to obtain secret Inspector General reports, surveillance oversight reports, and details on the government’s largest-ever phone surveillance program. (Sep. 9, 2016) - Presidential Science Advisors Challenge Validity of Criminal Forensic Techniques
According to an upcoming report by the President’s Council of Advisors on Science and Technology, much of the forensic analysis in criminal trials is not scientifically valid. The report, to be released this month, attacks the validity of analysis of evidence like bite-marks, hair, and firearms. The "lack of rigor in the assessment of the scientific validity of forensic evidence is not just a hypothetical problem but a real and significant weakness in the judicial system,” wrote the council. The Senate Judiciary Committee held hearings in 2009 and 2012 to discuss the need to strengthen forensic science, and Sen. Patrick Leahy (D-VT) introduced a forensic reform bill in 2014. EPIC has pursued FOIA requests on the reliability of proprietary forensic techniques. EPIC also filed a brief on the reliability of novel forensic techniques in the Supreme Court case Florida v. Harris. (Sep. 8, 2016) - Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns
Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia, have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon Go release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO, Niantic’s data collection practices, and its ties to Google. (Sep. 8, 2016) - EPIC, Coalition Reject Calls to Further Weaken FCC's Modest Privacy Proposal
EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules. The groups reject efforts by Internet Service Providers to exempt anonymized consumer data from the privacy rules and to require opt-in consent only for sensitive information. The consumer groups also oppose mandatory arbitration and “pay-for-privacy” plans that would require consumers to pay fees for basic privacy safeguards. EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further to "address the full range of communications privacy issues facing US consumers." (Sep. 7, 2016) - House Report Criticizes OPM Handling of Massive Data Breach Last Year
In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
(Sep. 7, 2016) - FTC Responds to EPIC's Complaint about WhatsApp
The Federal Trade Commission has responded to the EPIC and Center for Digital Democracy complaint about WhatsApp's plan to transfer user data, including verified phone numbers, to Facebook. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook. The FTC letter also acknowledged that the EPIC-CDD complaint “contains allegations regarding statements WhatsApp has made about how it limits the use of mobile phone numbers or other personally identifiable information." The FTC said it will "carefully review" EPIC’s complaint. EPIC and CDD wrote that WhatsApp's plan to transfer user data to Facebook for user profiling and targeted advertising - without first obtaining users' opt-in consent - contradicts numerous FTC statements and violates Section 5 of the FTC Act. EPIC and CDD previously warned the Commission that it must protect the privacy interests of WhatsApp users following the acquisition by Facebook. (Sep. 7, 2016) - EPIC, Consumer Coalition Tells FCC to Protect Privacy, Security in Connected Cars
EPIC has joined a coalition of consumer groups in a letter to the FCC supporting safety rules for connected cars. The consumer groups endorsed a petition for rulemaking, filed earlier this year, that would establish safeguards for car communications networks. EPIC has testified before Congress on the risks of connected cars and recently filed an amicus brief in federal appeals court on vehicle-to-vehicle communications. (Aug. 30, 2016) - EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act
EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp’s change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises." (Aug. 29, 2016) - Facebook to Collect WhatsApp User Data, Violating FTC Order and Privacy Promises
WhatsApp has announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users' privacy. EPIC filed a complaint with the FTC over the deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users' opt-in consent before changing data practices would be an unfair and deceptive trade practice and violate Facebook’s FTC Consent Order. WhatsApp’s recent announcement indicates users will have 30 days to opt-out of data transfers to Facebook, in violation of the law and the FTC’s Order. In 2012, EPIC and a coalition of consumer privacy organizations also led a successful effort at the FTC after Facebook changed the privacy settings of its users. As a result, Facebook is subject to an FTC consent order. (Aug. 25, 2016) - EPIC Sues FAA, Challenges Failure to Establish Drone Privacy Safeguards
EPIC has filed suit against the Federal Aviation Administration, arguing the agency failed to establish privacy rules for drones as required by Congress. Congress in 2012 ordered the FAA to issue "comprehensive" rules for drone use. EPIC and more than 100 organizations and experts subsequently urged the FAA to establish privacy protections prior to permitting widespread drone deployment. The FAA denied EPIC's petition. EPIC then sued the agency, but a federal appeals court ruled that EPIC's suit was premature because the agency had not yet issued a final rule and might still consider the privacy concerns raised by EPIC and others. The FAA then proceeded to issue final rules for small drones without privacy safeguards. EPIC is now challenging the agency's final rule. (Aug. 23, 2016) - EPIC Opposes DHS Plan to Collect Social Media Identifiers
In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program. (Aug. 23, 2016) - EPIC Launches EPIC Amicus Tracker to Assist Public Interest Litigators
Today EPIC launched the EPIC Amicus Tracker, a public resource designed to help public interest litigators pursue significant privacy and civil liberties cases. The EPIC Amicus Tracker highlights cases with upcoming amicus opportunities and links to related EPIC amicus briefs. Over twenty years, EPIC has filed nearly 100 amicus briefs, often with the participation of technical experts and legal scholars, in federal and state cases concerning emerging privacy and civil liberties issues and EPIC is frequently cited in judicial opinions. EPIC hopes the EPIC Amicus Tracker will inspire other public interest litigators. (Aug. 19, 2016) - EPIC, Verified Voting, Common Cause Release Report on Ballot Secrecy
EPIC, Verified Voting, and Common Cause today released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. All 50 states recognize ballot secrecy as a core value. Despite this, 32 states and DC are promoting Internet voting, typically for overseas and military voters, and are asking those voters to waive their right to a secret ballot. That threatens voting freedom and election integrity. The report recommends actions voters can take to protect the secrecy of their ballot, and encourages states to do more to safeguard voter privacy. EPIC has a long history of working to protect voter privacy and election integrity. (Aug. 18, 2016) - EPIC Urges Wisconsin Legislature to Safeguard Student Privacy
In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide. (Aug. 17, 2016) - EPIC and Coalition Recommend Improvements to Health Agency’s Open Government Rules
In comments to the Department of Health and Human Services, EPIC and a coalition of open government advocates urged the agency to update its FOIA rules to keep in line with the FOIA Improvement Act of 2016. The coalition pressed the agency to “go further to ensure greater access to public interest information.” Signed into law by President Obama on the FOIA’s 50th anniversary, the FOIA Improvement Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the FOIA ombudsman, and codifies the presumption of openness. (Aug. 17, 2016) - Data Protection 2016: Nationwide Hotel Data Breach
Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election. (Aug. 15, 2016) - EPIC’s Rotenberg Debates FBI Director at ABA Conference
EPIC President Marc Rotenberg and FBI Director James Comey debated "Emerging Issues in National Security and Law Enforcement" at a plenary session of the ABA annual conference in San Francisco. Comey stated that Americans have "never had absolute privacy." Rotenberg replied that the Fifth Amendment grants absolute privacy as a Constitutional right. In response to the Director's comments that the FBI has 650 phones it cannot decrypt, Rotenberg pointed out that in 2013, more than 3.1 million cell phones were stolen. "Crime would be much higher in United States if cell phone users did not have strong encryption," said Rotenberg. The EPIC amicus brief in Apple v. FBI highlighted the risk of weak encryption, and noted that stolen cell phones are tied to identity theft and financial fraud. (Aug. 7, 2016) - Appeals Court Affirms Consumers May Sue for Violations of Federal Law
A federal appeals court has held that consumers can sue when companies fail to comply with legal obligations established by Congress. The case concerned a hospital that sent debt collection letters to consumers without disclosures required by the Fair Debt Collection Practices Act. The court concluded that “Congress has created a new right—the right to receive the required disclosures.” As a result, the consumer can bring a lawsuit when a company fails to comply with the law. EPIC has filed several amicus briefs defending the right of consumers to sue for violations of federal privacy laws. (Aug. 5, 2016) - EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public
EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights. (Aug. 5, 2016) - White House Hosts Drone Workshop, FAA OKs Commercial Use, Ignores Privacy
The White House hosted “Drones and the Future of Aviation.” The FAA Administrator announced that the FAA will approve drone operations over people before the end of the year. The FAA also announced an industry-led task force that will promote voluntary privacy best practices. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. The FAA has repeatedly acknowledged the privacy risks of drones, but has refused to establish privacy safeguards. (Aug. 4, 2016) - FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers
The Federal Trade Commission unanimously reversed an administrative law judge's dismissal of the FTC's complaint against LabMD, finding that LabMD's poor data security practices are "unfair" under the FTC Act. The Commission concluded that the judge had "applied the wrong legal standard for unfairness." The FTC's opinion explained that "the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury." The FTC's authority to enforce data security standards was upheld last year in FTC v. Wyndham. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Aug. 2, 2016) - Data Protection Experts Recommend New Protections for Internet Communications
The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of Internet Telephony technologies. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. "Privacy and Security Issues in Internet Telephony (VoIP)" focuses on the gap in "the legal protection and confidentiality of communications." The experts urge service providers to adopt "similar privacy and data protection" safeguards to all services. EPIC presented a comprehensive country report at the last meeting of the Working Group outlining recent developments in the United States. EPIC will host the 60th meeting of the International Working Group in Washington DC in April 2017. (Aug. 2, 2016) - Privacy Shield Sign-ons Begin
The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commission over objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms. (Aug. 2, 2016) - European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications
The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to-end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws. (Jul. 27, 2016) - EPIC, Consumer Coalition Oppose Robocalls by Government Contractors
EPIC and a coalition of consumer groups have petitioned the FCC to reverse its recent decision to exempt federal contractors from restrictions on telemarketing and robocalls. The FCC incorrectly determined that the Telephone Consumer Protection Act (TCPA) “does not apply to calls made by or on behalf of the federal government in the conduct of official government business.” The petition, led by the National Consumer Law Center, warns of significant increases in unwanted robocalls from government contractors that consumers would be powerless to stop. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC’s 2015 order that strengthened consumer protections under the TCPA. (Jul. 26, 2016) - EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law
EPIC has filed an amicus brief defending the privacy rights of users of video apps. In the case, a CNN mobile app user challenged the disclosure of his video viewing history and personal information as a violation of federal privacy law. In the brief for the federal appeals court, EPIC explained that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user’s device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users. EPIC previously filed a brief in a similar case concerning the collection of video viewing records. (Jul. 26, 2016) - EPIC Asks FTC to Investigate Privacy Risks of Pokemon GO
EPIC has urged the FTC to launch an investigation of Pokemon GO and the app's developer Niantic. When the augmented-reality app was first released, Niantic granted itself "full access" to users' Google accounts in violation of federal privacy law. Even after recent changes, the company continues to collect detailed location history and has access to smartphone cameras. Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny," EPIC told the Commission. Senator Al Franken recently sent a letter to the company asking for clarification on the scope and purpose of its data collection. Niantic has close ties to Google and its CEO oversaw Google's controversial Street View project, which was found to collect private wifi data transmissions. (Jul. 22, 2016) - EPIC Defends Right of Data Breach Victims to Seek Legal Relief
EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy. (Jul. 20, 2016) - Federal Appeals Court Strikes Down Texas Voter ID Law
A federal appeals court has ruled that a Texas voter ID law violates the Voting Rights Act. In a fractured opinion, the court held that Senate Bill 14 had a “discriminatory effect” on minorities’ voting rights, and remanded the case to the lower court. The appeals court instructed the district court to provide interim relief for individuals, which could include suspending the voter ID requirement, ahead of the November 2016 election. EPIC filed an amicus brief in the case, arguing that SB 14 also places an unconstitutional burden on voters’ rights to informational privacy because of the excessive collection of personal data. (Jul. 20, 2016) - Irish Court Approves EPIC as Amicus in Schrems Case
The Irish High Court has accepted EPIC's application to participate in a case about data protection rights and Facebook's contractual clauses. The case follows Max Schrems' complaint to the Irish Data Protection Commissioner after the European Court of Justice's decision to strike down the Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues. (Jul. 19, 2016) - Wisconsin Supreme Court Upholds Use of Sentencing Algorithms, But Recognizes Risks
The Wisconsin Supreme Court this week rejected a challenge to the use of a risk-assessment algorithm in a sentencing proceeding. These algorithms score an individual's risk of committing future crime. The Court sanctioned the use of such algorithms, provided they are not the exclusive determining factor of a sentence, and judges receive written warnings about the algorithm's shortcomings. Professor Danielle Citron warned that the court's faith in the secret techniques is "unwarranted" particularly because "human beings have a tendency to rely on automated decisions even when they suspect system malfunction." EPIC has advocated for algorithmic transparency and maintains a website describing the use of algorithms in the criminal justice system. (Jul. 16, 2016) - US Government Loses on Overseas Data Searches
A federal appeals court has ruled that the U.S. government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect “users’ privacy interests in stored communications” not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve transborder data flows. (Jul. 14, 2016) - EPIC FOIA: Transportation Department Releases New Drone Meeting Documents
In response to an EPIC Freedom of Information Act lawsuit, the Department of Transportation has released to EPIC another set of documents from the agency's secret meetings with industry groups about drone policy. The newly released documents, which summarize an extensive three-day meeting between the FAA and industry groups, are conspicuously silent on privacy, despite public comments urging the agency to address privacy concerns. In a related development, the FAA final rule on commercial drones failed to address the privacy risks of deploying drones in the United States. (Jul. 14, 2016) - FAA Reauthorization Grounds Drone Privacy Safeguards
Shortly before adjourning, Congress passed the FAA Extension, Safety and Security Act of 2016 without drone privacy provisions authored by Senator Markey, included in the original legislation. Senator Markey said "Now is the time to prevent these eyes in the skies from becoming spies in the skies." EPIC urged Congress and the FAA to establish limits on drone surveillance. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. EPIC's proposal to require remote identification of drones was incorporated in the legislation enacted by Congress. (Jul. 13, 2016) - Trade Agreements Undermine Data Protection, New Study Shows
A new report "Trade and Privacy" argues that trade agreements are at odds with EU laws that protect privacy and data protection. The study concludes "current measures used by the EU to safeguard its data protection laws in trade agreements are not sufficient." The report recommends a comprehensive exemption for data protection rules in all trade agreements, based on GATS Article XIV. EU NGOs previously recommended that consumer privacy and data policy be excluded from the Transatlantic Trade and Investment Partnership negotiations. The study was authored by scholars at the Institute for Information Law at the University of Amsterdam and commissioned by BEUC, TACD, EDRi and CDD. EPIC's Marc Rotenberg will speak about trade agreements, privacy and the internet at IGF USA 2016. (Jul. 13, 2016) - European Commission Signs Off on Flawed "Privacy Shield"
The European Commission has approved the "Privacy Shield" which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015. (Jul. 12, 2016) - EPIC Scrutinizes FBI's Massive Biometric Database
In comments to the FBI, EPIC criticized the Bureau’s proposal to remove Privacy Act safeguards from a database containing biometric data on millions of citizens, much of it unrelated to law enforcement. Through a FOIA lawsuit, EPIC obtained documents about the “Next Generation Identification” database that revealed an error rate up to 20% for face recognition searches. EPIC warned the FBI of the privacy and civil liberties risks as well as the potential for data breaches. EPIC urged the FBI to limit the scope of data collection, reduce the retention of data, and maintain the protections of the Privacy Act. (Jul. 7, 2016) - EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy
EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is “directly at odds with baseline privacy standards,” EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Jul. 7, 2016) - Coalition Urges President to Nominate New Member for Oversight Board
EPIC and many privacy and civil liberties organizations have urged President Obama to promptly nominate a new member to the Privacy and Civil Liberties Oversight Board with a strong civil liberties background. The coalition argued that the Oversight Board’s “role is too important to allow it to slip back into dormancy, even for a few months.” The previous Chair David Medine recently stepped down, leaving a vacancy on the five-member panel, responsible for overseeing privacy protection. EPIC has urged the Board to review surveillance under Executive Order 12333 and recommended the Board ensure Privacy Act compliance across the federal government. (Jul. 6, 2016) - EPIC Sues for Release of Government Oversight Reports
EPIC has filed a FOIA lawsuit against the Department of Justice to obtain the agency’s secret watchdog reports. The mission of the Office of the Inspector General is “to detect and deter waste, fraud, abuse, and misconduct.” However, many of the reports are kept secret. Those reports, EPIC explained in the complaint, "are critical for the public to understand the measures taken to increase the efficiency and effectiveness of the DOJ, and as a mechanism to hold the agency accountable.” EPIC previously obtained oversight reports on the CIA surveillance of Muslims in New York, and CIA spying on Senate staff. (Jul. 5, 2016) - U.N. Passes Resolution Condemning Internet Shutdowns
The United Nations Human Rights Council passed a resolution to support human rights online. The resolution condemns internet shutdowns that have become more common around the world. In accordance with the Universal Declaration of Human Rights, the resolution reaffirms the U.N.'s stance that "the same rights people have offline must also be protected online." EPIC joined an international coalition of civil society organizations to reject disruption of Internet access. EPIC previously sued the Department of Homeland Security to obtain public release of the US shutdown policy following the suspension of cell phone service during a peaceful protest at a BART transit station in San Francisco. Portions of the government policy "Standard Operating Procedure 303" were eventually released to EPIC. (Jul. 5, 2016) - White House Releases Flawed Privacy Research Agenda
The White House has announced the National Privacy Research Strategy, which the authors state "will enable the U.S. to benefit from innovative data use while protecting privacy." The National Strategy focuses on measuring the "privacy desires" of users rather than the extent of the problem or goals to safeguard privacy, such as coding Fair Information Practices, developing genuine Privacy Enhancing Techniques, or complying with Privacy Act obligations. The "National Strategy" follows from a similar report in 2014 that embraced big data without considering actual privacy risks in data collection. In 2015, the federal government lost 21.5 million records of federal employees and their families. A recent book from EPIC "Privacy in the Modern Age: The Search for Solutions" outlines several new approaches for privacy protection, and builds on earlier work by members of the EPIC Advisory Board. (Jul. 5, 2016) - Wiretaps Increase Sharply in 2015, No Evidence of Government Surveillance "Going Dark"
In 2015, combined state and federal wiretap applications increased 16% from 3,555 to 4,148. But while government surveillance applications went up dramatically, the number of cases where investigators encountered encryption dropped significantly. Encryption was encountered in only 13 cases in 2015. The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to 7 in 2015. Law enforcement claims of "going dark” continue to be undermined by surveillance reports. EPIC has repeatedly cited the Wiretap Reports as a model of transparency for government surveillance activities and maintains comprehensive charts about the reports. The reports reveal, for example, that drug offenses were the most prevalent type of criminal offense investigated using wiretaps: 79 percent of all applications for intercepts (3,292 wiretaps) in 2015 cited illegal drugs as the most serious offense under investigation. (Jul. 1, 2016) - President Obama Signs FOIA Reform Bill Into Law
Celebrating 50 years since enactment of the Freedom of Information Act, the Congress has passed, and the President has signed, the FOIA Improvement Act of 2016. The Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the Office of Government Information Services, and codifies the "Presumption of Openness" in the processing of requests for information about government. Senator Patrick Leahy (D-Vt.), a champion of open government, stated "Our founders had the revolutionary vision to create a government of, by, and for the people. Today we have helped strengthen that ideal." EPIC and many open government advocates urged the President to support these reforms. EPIC also established the website FOIA.ROCKS. (Jul. 1, 2016) - Privacy Shield Revisions Fail to Satisfy Legal Requirements
A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection. (Jun. 29, 2016) - In EPIC FOIA Case, Court Orders DEA to Explain Secrecy about Massive Telephone Data Program
A federal court in Washington, DC ruled today that the DEA’s explanation for withholding from EPIC certain information about "Hemisphere," a massive telephone record collection program, was legally insufficient. The Court ordered the DEA to release the information requested to EPIC or provide specific reasons for the withholding. EPIC filed the FOIA lawsuit after press reports about Hemisphere, which is broader in scope than the NSA’s bulk data program. DEA continues to keep secret the names of the companies involved and the federal agencies given access to the telephone records of American consumers. (Jun. 27, 2016) - Court Misunderstands Internet Tracking in Video Privacy Case
The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” (Jun. 27, 2016) - High Court Extends Fourth Amendment Protections to DUI Blood Tests
In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections to the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible. (Jun. 23, 2016) - EPIC, Coalition Demand Congressional Oversight of FBI's Vast Biometric Database
Today EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI’s massive biometric database and the risks of facial recognition technology. The letter follows the FBI’s recent proposal to exempt the "Next Generation Identification” database from Privacy Act safeguards—including requirements for accuracy, relevancy, and transparency. The civil liberties organizations said that “the FBI is retaining vast amounts of personal information and exposing millions of people to a potential data breach.” In the EPIC v. FBI FOIA case, EPIC obtained documents which revealed high error levels in the biometric database. (Jun. 23, 2016) - EPIC Promotes Privacy, Data Protection at OECD Ministerial
Speaking at the OECD Ministerial Conference on the Digital Economy, EPIC President Marc Rotenberg emphasized that there cannot be trade-offs between innovation and human rights. Citing widespread public concerns, Rotenberg urged the OECD member countries to address the challenge of privacy and security. "We cannot have a sustainable, inclusive economy if we cannot solve the problem of trust." EPIC collaborated with civil society groups to host the forum "Toward an Inclusive, Equitable, and Accountable Digital Economy." (Jun. 22, 2016) - FOIA Ombudsman Recommends Changes to Use of "Still Interested" Letters
The FOIA ombudsman has issued the third part of a report on the use of "still interested" letters (part 1, part 2). Such letters are used by federal agencies to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. Today’s report recognizes that this agency practice is "not addressed in the FOIA statute or in agency regulations,” and that reporting on the practice is inconsistent. The FOIA ombudsman urged agencies to provide additional guidance on the use of such letters, and to document the practice in annual reporting. Congress recently passed legislation to strengthen the FOIA, which the President is expected to sign. (Jun. 21, 2016) - FAA Approves Commercial Drones Without Privacy Safeguards
The FAA released the final rule on commercial drones today. Despite nearly 180 comments regarding the privacy risks of drones, the FAA failed to address the privacy risks of deploying commercial drones into the national airspace. EPIC previously filed suit against the FAA after more than 100 groups and experts petitioned the agency to conduct a rulemaking on drone privacy. EPIC also recommended the FAA implement a national database detailing the surveillance capabilities of commercial drones. The FAA has repeatedly acknowledged the privacy risks of drone deployment, but has so far refused to adopt any privacy safeguards. (Jun. 21, 2016) - States Adopt New Student Privacy Safeguards
Several states have recently enacted new student privacy laws. Colorado and Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data. North Carolina enacted a student privacy law modeled after California's Student Online Personal Information Protection Act. The National Association of State Boards of Education reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive student privacy bill of rights. EPIC's State Policy Project is monitoring privacy bills nationwide. (Jun. 21, 2016) - EPIC Scrutinizes DoD “Insider Threat” Database
In comments to the Department of Defense, EPIC criticized a proposed “Insider Threat” database that would gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. EPIC urged DoD to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that DoD data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases, and recently filed comments on a similarly flawed DHS database. (Jun. 20, 2016) - EPIC, NGOs Host Civil Society Forum at OECD Ministerial
EPIC, in coalition with civil society organizations from around the world, is hosting "Toward an Inclusive, Equitable, and Accountable Digital Economy." The forum is organized under the auspices of the Civil Society Information Society Advisory Council (CSISAC), "the voice of civil society at the OECD," in conjunction with the OECD Ministerial on the Digital Economy. The CSISAC Forum features NGO leaders, technology experts and government decision makers. The Forum is an outgrowth of the Public Voice campaign to promote civil society participation in decisions concerning the future of the Internet. Similar NGO meetings were held in Ottawa in 1998 and Seoul in 2008. (Jun. 20, 2016) - Supreme Court Weakens Fourth Amendment Protections During Police Stops
In Utah v. Strieff, the U.S. Supreme Court held today that an outstanding arrest warrant can attenuate “the connection between an unlawful stop and the evidence seized incident to arrest.” The holding reverses the Utah Supreme Court, which had suppressed evidence obtained by an officer who stopped Strieff illegally and ran his ID to look for outstanding warrants. EPIC and 22 technical experts filed an amicus brief, warning the Court that reversing the Utah court would allow vast amounts of personal data stored in government databases—much of it inaccurate—to provide post hoc justification for unlawful seizures. (Jun. 20, 2016) - EPIC's Rotenberg Outlines Need for International Privacy Framework
Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010, members of the EPIC Advisory Board urged then-Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention. (Jun. 17, 2016) - GAO Report: FBI’s Use of Face Recognition Fails on Privacy and Accuracy
The Government Accountability Office released a report today detailing the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology. EPIC and a coalition of public interest groups recently urged the Justice Department to extend the public comment period for the FBI’s Next Generation Identification database, which includes facial recognition capabilities. Previous Freedom of Information Act requests by EPIC showed that the agency had numerous agreements with states to access driver license photos for facial recognition searches and that technical specifications allowed for a 20% search error rate. (Jun. 15, 2016) - EPIC Tells Congress FCC is "Under Reaching" on Privacy
EPIC has sent a letter to the House Energy and Commerce Committee in advance of a hearing on “FCC Overreach: Examining the Proposed Privacy Rules.” EPIC described the shortcomings of the “notice and choice” privacy framework and pointed to growing levels of public concern in the United States about Internet privacy. EPIC said that the FCC’s proposed privacy rules are a modest first step and that the Communications Commission has legal authority to go much further to safeguard American consumers. EPIC has repeatedly urged the Commission to broaden the scope of the proposed privacy rules. (Jun. 13, 2016) - House to Consider Overdue FOIA Reform Bill
Congress is poised to take up a FOIA reform bill next Monday. The bill would require federal agencies to operate under a "presumption of openness" and places time limits on agency responses, improvements that EPIC has long supported. EPIC routinely uses the Freedom of Information Act to promote government oversight and agency accountability. July 4, 2016 will mark the 50th anniversary of the enactment of the FOIA. (Jun. 10, 2016) - EPIC Presses House Leaders on "Data Protection"
At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communications Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016. (Jun. 10, 2016) - EPIC Hosts Policy Forum at National Press Club
EPIC brought together privacy, security, and policy experts for a panel discussion at the National Press Club around the theme “Data Protection 2016.” Panelists explored voter privacy issues, including voter ID and online voting, and also privacy issues that could arise in the 2016 election cycle. Participants included members of the EPIC Advisory Board, representatives of the Brennan Center and Verified Voting, and the UN Rapporteur on the Right to Privacy. (Jun. 10, 2016) - EPIC FOIA: Secret Drone Task Force Ignored Privacy Concerns
A second batch of previously secret documents shows that the government’s secret drone task force ignored public concerns about drone surveillance. Included in the documents are opening remarks by FAA Administrator Michael Huerta, who urged the task force to take into consideration “the interests of all stakeholders,” but who declined to invite any privacy or consumer advocates to the closed-door meetings. The newly released records stem from EPIC v. DOT, a lawsuit filed to uncover records relating to the private meetings held last November in Washington, DC between agency officials and industry representatives. EPIC expects to obtain more documents from the agency. (Jun. 9, 2016) - EPIC Gives Awards to Gertner, Soltani, and Wolf
At the National Press Club in Washington, DC, EPIC presented the 2016 EPIC Lifetime Achievement Award to lawyer Chris Wolf, the 2016 EPIC Privacy Champion Award to technologist Ashkan Soltani, and the 2016 EPIC Champion of Freedom Award to judge and law professor Nancy Gertner. The EPIC awards are presented annually to those who protect privacy, open government, and democratic institutions with courage and integrity. Manoush Zomorodi, podcaster of Note to Self, and Bruce Schneier, security technologist, cohosted. (Jun. 7, 2016) - EPIC, Coalition Petitions Education Department for Data Security Rules for Student Records
EPIC, legal scholars, technical experts, and many leading privacy organizations have petitioned the Education Department to establish a data security rule to protect student records. The experts and groups explained that data breaches now plague schools and colleges across the country, following recent changes to the Family Educational Rights and Privacy Act. The petition calls for the establishment of rules for encryption, privacy enhancing techniques, and breach notification. (Jun. 6, 2016) - EPIC Proposes Privacy, Security Protections for "Internet of Things"
EPIC has recommended new safeguards for the “Internet of Things.” EPIC proposed laws requiring companies to adopt Privacy Enhancing Technologies, promote data minimization, and ensure security for IoT devices. EPIC also recommended a prohibition on tracking, profiling, and monitoring of consumers using IoT services. As EPIC explained, “Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent.” EPIC has worked extensively on the risks of the Internet of Things, including connected cars and “smart homes.” An EPIC complaint concerning “always on” devices, such as “smart TVs,” is pending at the Federal Trade Commission. (Jun. 4, 2016) - EPIC, Coalition Seeks Time to Review FBI Biometric Database
EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. Errors plague the NGI database. In a FOIA case, EPIC v. FBI, EPIC obtained documents, which showed that the FBI accepted a 20% error rate for facial recognition matches. (Jun. 1, 2016) - Top European Privacy Official Rejects EU-US "Privacy Shield"
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection. (May. 31, 2016) - EPIC Calls for Strong Communications Privacy Rules
EPIC has urged the Federal Communications Commission “to fully apply” the Consumer Privacy Bill of Rights to all communications services. The FCC's proposed privacy rules would regulate only broadband services and are based on the weak "notice and choice" framework. EPIC said the agency should endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require opt-in consent. EPIC also urged the Commission to regulate all companies that gather consumer data for communications services. (May. 27, 2016) - Federal Court Leaves Digital Search Law Unresolved
A federal appeals court ruled today that the government did not violate the Fourth Amendment by keeping a copy of files for more than two years after an investigation because it acted in "good faith." EPIC argued that the government must adopt data minimization practices and that the use of evidence was unlawful. In a dissenting opinion, Judge Chin wrote that the search violated the Fourth Amendment. (May. 27, 2016) - Amendment Would Overturn Model Facial Recognition Privacy Law
The Illinois Biometric Information Privacy Act is one of the strongest facial recognition laws in the country. Enacted in 2008, the law prohibits the use of biometric recognition technologies without consent and provides for meaningful enforcement. But a proposed amendment would undercut legal protections, exempting facial recognition software from the law. A pending lawsuit against Facebook alleges that the company violates the law by amassing a database of users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” EPIC has urged a moratorium for such surveillance techniques, pending the enactment of strong privacy laws such as those in Illinois. In much of the world, facial recognition software is illegal. (May. 27, 2016) - European Parliament Requires Changes to Privacy Shield
The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers. (May. 26, 2016) - EPIC to OPM: "If You Can't Protect It, Don't Collect It"
In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information. (May. 25, 2016) - EPIC, Coalition Recommend Improvements to U.S. Open Government Plan
EPIC and a coalition of open government groups have urged the country’s trade agency to improve the open government plan for the United States. The coalition called on the United States Trade Representative to (1) make public the rules for trade negotiations, (2) publish comprehensive updates after each round of negotiation, and (3) appoint an independent transparency officer. EPIC and others also developed model Freedom of Information Act Regulations that would apply across the government. (May. 23, 2016) - Federal Court Strikes Down Obstacle to Student FOIA Requests
A federal appeals court has ruled that government agencies must give students who pursue Freedom of Information Act requests favorable fee treatment. The case involved a Ph.D. student who was charged $900 to process a FOIA request. The Department of Defense contended that students are not entitled to the favorable fee standards of “educational institutions." The D.C. Circuit disagreed and ruled today that “[s]tudents who make FOIA requests to further their coursework or other school-sponsored activities are eligible for reduced fees under FOIA because students, like teachers, are part of an educational institution.” In 2011, EPIC criticized the practice of charging students extra fees for FOIA requests, calling the government’s position “absurd.” (May. 20, 2016) - Senate Examines "Do Not Call" Law
The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act. The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers. EPIC said that widespread use of cellphones “has amplified the nuisance and privacy invasion caused by unwanted calls and text messages.” EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law. (May. 19, 2016) - Senators Introduce Bill to Block Broad Remote Hacking Rules
Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016. The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly. (May. 19, 2016) - Justice Department Releases 2016 FOIA Reports
The Justice Department has released an assessment of the 2016 FOIA compliance reports. Every year, federal agencies prepare reports describing steps taken to implement President Obama's Memo and former AG Eric Holder's Guidelines. The DOJ grades FOIA compliance in five areas: applying the presumption of openness, effective and responsive systems, proactively releasing information, utilizing technology, and reducing backlogs and improving response times. The Senate recently passed by unanimous consent the Freedom of Information Improvement Act of 2015; the bill is now in the House. EPIC and other open government organizations have called on President Obama to strengthen the FOIA. (May. 19, 2016) - EPIC Urges Appeals Court to Strike Down Voter ID Law
EPIC has urged a federal appellate court to find unconstitutional a Texas law that requires voters to obtain photo IDs. A lower court held that Senate Bill 14 violates the Voting Rights Act and burdens the constitutional right to vote. Texas appealed. In response, EPIC argued that the ID requirement also burdens the constitutional right of informational privacy. “Individuals should not be subject to excessive identification requirements to exercise fundamental democratic rights,” EPIC stated. EPIC has previously filed amicus briefs defending the right to informational privacy. (May. 17, 2016) - Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey
A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016) - Supreme Court Remands Consumer Privacy Case for Further Consideration
The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether the plaintiff's injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." (May. 16, 2016) - FTC Issues Guidelines for Employment Background Screening
The Federal Trade Commission has issued new guidelines for companies that sell employment background checks. Under the Fair Credit Reporting Act, companies must ensure “maximum possible accuracy” in reports about job applicants. The FTC warns that a background report incorrectly listing a criminal conviction based on a bad records match (for instance, a person with a different middle name than the applicant) could violate FCRA. EPIC recently filed an amicus brief in a case brought by David A. Smith, who was denied employment after a background report incorrectly included the criminal records of David O. Smith. (May. 15, 2016) - Senator Leahy Calls for FISA Reforms
The Senate Judiciary Committee held a hearing on the FISA Amendments Act, a law that grants the government broad surveillance powers over Internet communications. The Act, commonly referred to as "Section 702," is the basis for the NSA’s “PRISM” program. EPIC testified before the House Judiciary Committee in 2012 on the need to limit the scope of Section 702 surveillance and to improve transparency of the Foreign Intelligence Surveillance Court. US and EU NGOs have since called for the end of Section 702. This week Senator Patrick Leahy (D-VT) stated that "additional reforms are needed to protect Americans’ privacy, and restore global trust in the U.S. technology industry." (May. 13, 2016) - Top EU Legal Advisor Says IP Addresses are PII
The Advocate General, top advisor to the European Court of Justice, has issued an opinion today about Internet anonymity. He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German Pirate Party politician and privacy activist Patrick Breyer, who is suing the German government over logging visits to government websites. "Generation Internet has a right to access information on-line just as unmonitored and without inhibition as our parents read the paper," says Breyer. The opinion is not legally binding but "is usually a good indication of how the court will eventually rule". EPIC has supported Internet anonymity since the 1990s and brought a similar challenge to the US government tracking of users of government websites. (May. 12, 2016) - EPIC Urges Senate to Back Comprehensive Communications Privacy Protection
EPIC has sent a letter to the Senate Judiciary Committee in advance of a hearing on "Examining the Proposed FCC Privacy Rules." EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that neither the Federal Communications Commission nor the Federal Trade Commission has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses." (May. 10, 2016) - Court Rules EPIC Must Wait to Challenge Missing Drone Privacy Rules
The federal appeals court in Washington, DC ruled today that EPIC’s suit against the Federal Aviation Administration must be set aside because the agency has not yet finalized the rules for drone operations in the United States. EPIC previously filed suit against the FAA after more than 100 groups and experts petitioned the agency to conduct a rulemaking on drone privacy. The FAA has repeatedly acknowledged the need to address privacy in drone operations, but has so far refused to adopt any privacy rules. In a related case, EPIC recently uncovered the minutes of a secret FAA drone task force. According to one of the participants, the “Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." (May. 10, 2016) - EPIC FOIA - Secret Drone Task Force Records Disclosed
In response to EPIC's FOIA lawsuit, the Department of Transportation has released the minutes of a secret meeting of the FAA drone task force. The task force included industry groups such as GoogleX, Amazon, and DJI, but consumer groups and privacy advocates were excluded from the hastily created advisory committee. The documents shed light on the secret meetings held last November. Several participants warned about privacy risks in drone deployment. The minutes also stated, "Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." EPIC has urged the agency to do more to safeguard the public, and in EPIC v. FAA, challenged the FAA's failure to establish privacy regulations for drones. (May. 9, 2016) - Federal Court Upholds Photo Tagging Suit Against Facebook
A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging. (May. 8, 2016) - EPIC Urges California Supreme Court to Protect Open Records Law
EPIC has urged the California Supreme Court to reverse a lower court decision that blocked public release of records about "automated license plate readers" operated by the state police. The lower court held that information about the public surveillance system was an “investigative record” under California law. EPIC’s amicus brief stated, "Public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." EPIC had obtained documents about the FBI’s license plate reader program under the FOI law. Those records revealed that the FBI failed to address the system's privacy implications. (May. 6, 2016) - White House Report Points to Risks with Big Data
A new White House report "Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights" points to risks with big data analytics. According to the authors, "[t]he algorithmic systems that turn data into information are not infallible--they rely on the imperfect inputs, logic, probability, and people who design them." An earlier White House report warned of "the potential of encoding discrimination in automated decisions." EPIC launched a campaign on "Algorithmic Transparency" after warning about the risks of secretive decision making coupled with "big data." (May. 5, 2016) - FAA Announces Drone "Advisory Committee"
Yesterday FAA Administrator Michael Huerta announced that the FAA will establish a Drone Advisory Committee. According to Administrator Huerta, the committee "will help identify and prioritize integration challenges and improvements." Intel CEO Brian Krzanich will chair the committee. The Federal Advisory Committee Act requires federal agencies to ensure that advisory committees are “objective and accessible to the public.” EPIC previously criticized the FAA Drone Registration Task Force, which met in secret and includes no consumer groups. EPIC is currently suing the FAA for the secret meeting records of the Registration Task Force. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit Court of Appeals. (May. 5, 2016) - NY Attorney General Reports 40% Increase in Data Breaches
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 5, 2016) - Intelligence Court Skeptical of Some FISA Applications
The Department of Justice has published the 2015 FISA report, which summarizes the use of the Foreign Intelligence Surveillance Act. The report also details the number of applications rejected or modified by the FISA Court (FISC). Overall, the Government’s applications for FISA warrants have declined since 2003 but there was a slight uptick this year with 1,456 orders granted. A significant number of orders were modified by the FISC. The FISC modified 80 orders and the Government even withdrew one application. Prior to the USA FREEDOM Act, which limited bulk collection under section 215, the FISC modified many of those orders. (May. 3, 2016) - EPIC Sues TSA to Block Mandatory Body Scanners at US Airports
EPIC has filed a lawsuit challenging the Transportation Security Administration's regulation for airport body scanners. The TSA announcement came nearly five years after a federal appeals court ordered the agency to "promptly" solicit public comments on the controversial screening procedure. Public comments overwhelmingly favored less invasive security screenings. But the TSA decided it may now mandate body scanners at US airports. In 2011, EPIC challenged the intrusive and ineffective TSA screening procedure. EPIC's new lawsuit challenges the regulation because it "denies passengers the right to opt out" of body scanner screening. EPIC also challenged the effectiveness of airport body scanners and the TSA's failure to recommend less invasive security screening. (May. 2, 2016) - Supreme Court Approves Remote Computer Hacking by Police
The U.S. Supreme Court has voted to approve changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search. Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal. (Apr. 28, 2016) - FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests
The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of Commissioner Pamela Harbour, who cited the connection between monopoly practices and privacy violations. (Apr. 27, 2016) - House Passes Narrow ECPA Update
The Email Privacy Act of 2016 has passed the House 419-0. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 27, 2016) - FOIA Ombudsman Releases First Part of "Still Interested" Report
In response to a letter from EPIC and open government advocates, the FOIA ombudsman has issued the first part of a report on the use of "still interested" letters by federal agencies. The DHS and other agencies have sent these letters to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. In today's report, OGIS found that there is no "guidance or standard for reporting requests that agencies close" through "still interested" letters, and that it does not yet understand the impact such letters have on FOIA requesters. (Apr. 27, 2016) - Google Wants User Data, Opposes FCC Privacy Rules
Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as “unnecessary." The FCC’s proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data. (Apr. 27, 2016) - TSA Releases New Body Scanner Document to EPIC
In response to an EPIC FOIA request, the Transportation Security Administration has released a document describing the technical capabilities of the airport body scanners. EPIC previously obtained documents from TSA revealing that body scanners can record, store, and transmit digital strip search images of airline passengers. Last month, the TSA issued a regulation on airport body scanners, nearly five years after a federal appeals court ordered the agency to "promptly" undertake a rulemaking. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the TSA plans to use invasive body scanners at US airports. The TSA also said it may mandate airport body scanners, even though the agency previously told the D.C. Circuit that the body scanner program was optional and the federal appeals court upheld the program, relying on the agency’s statements. (Apr. 25, 2016) - EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes
In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data. EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However, the FCC must clarify and enhance enforcement of these rules to address current business practices. EPIC has defended consumer privacy at the FCC for almost 20 years. (Apr. 25, 2016) - Intelligence Court Orders Government to Report on PRISM Collection
Three decisions by the Foreign Intelligence Surveillance Court (FISC) were made public this week. The Court identified serious “compliance and implementation issues” related to the Section 702 ("PRISM") surveillance program. The FISC found that the NSA did not purge personal data as required by minimization procedures, and also that the FBI failed to exclude attorney-client communications. In 2012, EPIC testified before Congress and recommended the publication of FISC opinions to facilitate public oversight. (Apr. 20, 2016) - EPIC Defends Right of Data Breach Victims to Bring Suit
EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy. (Apr. 19, 2016) - European Parliament Adopts Comprehensive Data Protection Regulation
The European Parliament finalized a historic reform of EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers." (Apr. 14, 2016) - U.S. Government Sued Over Refusal to Notify Users of E-mail Searches
Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users’ private information, arise in thousands of cases each year. EPIC has supported similar challenges to “gag orders” and has opposed the expansion of “no notice” searches. EPIC has also recommended notice requirements for e-mail searches. (Apr. 14, 2016) - House Moves Forward on Modest ECPA Updates
The House Judiciary Committee has voted 28-0 in favor of the Email Privacy Act, H.R. 699, a bill that would establish a warrant requirement for the disclosure of all electronic communications. The law would also require notice to customers whose communications have been collected. With 314 members of the House cosponsoring, the bill is slated to be considered by the House on April 25th. Senator Leahy, who has sponsored an identical bill in the Senate, said that "Congress has waited far too long to enact these reforms." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 14, 2016) - EU Officials Call for Changes in Privacy Agreement
European privacy officials announced today that there must be changes in the draft proposal for EU-US data transfers. The Article 29 Working Party has "strong concerns" that the current text fails to provide adequate protection against commercial misuse and bulk surveillance. The Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the agreement. Privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal. (Apr. 13, 2016) - Senate Examines FTC's Antitrust Enforcement
The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders. (Apr. 13, 2016) - EPIC Advises HHS to Safeguard Substance Abuse Patient Records
In comments to the Department of Health and Human Services, EPIC criticized the agency's proposed revisions to confidentiality rules for substance abuse patient records. The proposal would weaken consent requirements for disclosing patient records and allow linkage of substance abuse records to other databases. EPIC explained that patient privacy and public health policy require strong confidentiality protections. EPIC warned that the changes proposed by HHS would compromise record confidentiality and reduce the effectiveness of public health programs. EPIC consistently advocates for strong confidentiality protections for medical records. (Apr. 12, 2016) - President Obama: In Digital Age, People Have New Set of Privacy Expectations
In remarks at the University of Chicago Law School yesterday, President Obama named privacy as one of the constitutional issues that will be increasingly salient in the years to come. “In a society in which so much of your life is digitized, people have a whole new set of privacy expectations that are understandable,” said the President. Obama said the encryption debate was “just the tip of the iceberg of what we’re going to have to figure out.” In its brief in Apple v. FBI, EPIC recently argued that cell phone encryption was adopted to protect consumers from crime. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. (Apr. 8, 2016) - EPIC, Coalition Oppose NSA Data Transfer Plan
EPIC and over 30 organizations have urged the Obama Administration to halt proposed changes to Executive Order 12333 that would permit the NSA to transfer raw data collected to law enforcement agencies. The NSA’s vast data collection activities are traditionally limited to intelligence purposes. The proposal will permit use of NSA data by law enforcement and make personal data more widely available across the federal government. Last year, EPIC urged the Privacy and Civil Liberties Oversight Board to increase oversight of 12333. EPIC called for: (1) new limits on data collection and disclosure; (2) audit trails for surveillance activities; and (3) published legal justifications for surveillance programs. The Board is currently reviewing surveillance under EO 12333. (Apr. 8, 2016) - FAA Considers Removing Safety Rules for Small Drones, Also Ignores Privacy Concerns
The report of a secret FAA committee would relax safety rules for drones operating over populated areas. The report also makes no mention of the privacy risks of aerial surveillance by small drones. Like the FAA registration task force, the FAA small drones committee was composed of mostly industry members and did not include any privacy or consumer protection groups. The report recommends allowing drones to fly within 20' above a person or within 10' next to a person. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. EPIC also filed a FOIA lawsuit against the FAA for the records of the secret drone task force meetings. (Apr. 8, 2016) - TACD Opposes "Privacy Shield," Urges Rejection by EU
The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States. (Apr. 7, 2016) - DHS, Federal Agencies Publish 2016 FOIA Reports
Most federal agencies, including the Department of Homeland Security, have now published the 2016 FOIA Reports. These annual reports, required by former Attorney General Holder's 2009 FOIA Memo, describe each agency's compliance with the FOIA, including steps taken to improve processing and promote openness. The federal FOIA ombudsman is currently investigating the practices of six DHS component agencies in response to a 2015 letter from EPIC and open government advocates. EPIC and others have recently urged the President to support bipartisan legislation aimed at improving the FOIA. (Apr. 6, 2016) - EPIC Sues Agency for Drone Task Force Meeting Records
EPIC has filed a FOIA lawsuit against the Department of Transportation for records of the closed-door meetings of the "Drone Registration Task Force". The agency created the Task Force late last year to develop recommendations for registering commercial drones. The Task Force--whose membership included no civil liberties organizations or privacy advocates--met in secret last November before releasing a report. EPIC submitted extensive comments to the Task Force. EPIC's lawsuit was filed just after the FAA's Aviation Rulemaking Committee of industry groups and agency officials recommended easing restrictions that prohibit businesses from flying unmanned aerial vehicles. In EPIC v. FAA, EPIC has also challenged the FAA's failure to establish privacy rules for drones. (Apr. 4, 2016) - EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order
Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices. (Apr. 1, 2016) - FCC Moves Forward With Narrow Privacy Rules
The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 31, 2016) - EPIC Scrutinizes DHS "Insider Threat" Database
In comments to DHS, EPIC criticized a proposed "Insider Threat" database that would gather vast amounts of personal data on individuals outside the federal agency. EPIC urged DHS to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. (Mar. 29, 2016) - EPIC Names New Advisory Board Members
EPIC has announced the 2016 members of the EPIC Advisory Board. They are Malavika Jayaram, Max Schrems, Katie Shilton, Stephen Vladeck, Anne L. Washington, and Shoshana Zuboff. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy, who contribute to EPIC's work on privacy and human rights issues. Joining the Board of Directors of EPIC in 2016 are Danielle Citron, author of "Hate Crimes in Cyberspace," and Frank Pasquale, author of "The Black Box Society: The Secret Algorithms that Control Money and Society." (Mar. 28, 2016) - EPIC Successfully Obtains Boater Tracking Documents, Settles Case with Homeland Security
After successfully obtaining nearly 2,500 pages of documents concerning a controversial boater tracking program, EPIC has settled a Freedom of Information Act lawsuit with the Department of Homeland Security about the "Nationwide Automatic Identification Systems." According to the documents released to EPIC, the DHS believes that boaters have "no expectation of privacy with regard to any information transmitted" about the location of their boats. The documents also reveal that the agency fuses tracking data with other government data to develop detailed profiles on boaters. EPIC did not object to the use of NAIS for marine safety; the concern is government surveillance. EPIC has also opposed a DHS plan to collect and maintain records on sea travelers. (Mar. 28, 2016) - Ninth Circuit Sends NSA Surveillance Case Back to Lower Court
A federal appeals court has remanded a case challenging the NSA's bulk collection of telephone records. In Smith v. Obama, the Ninth Circuit Court of Appeals instructed the lower court to consider the impact of the USA Freedom Act, which ended the bulk data collection program. EPIC, joined by thirty-three technical experts and legal scholars, filed an amicus brief in the case, arguing that modern communications systems are "entirely unlike the telephone network of the 1970s" and that a 1977 case concerning "pen registers" no longer applied. EPIC also challenged the NSA bulk collection program in a petition to the Supreme Court. (Mar. 24, 2016) - FTC Issues Warning on Cross-Device Tracking and Surveillance Apps
The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit "cross-device tracking" technology that links consumers' smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate "always-on" consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act. (Mar. 22, 2016) - EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules
EPIC has released a memo on the FCC's draft broadband privacy rules, urging the Commission to broaden its scope and strengthen its substantive data protections. The draft rules, previewed in a fact sheet on March 10, 2016, would apply to Internet service providers (ISPs) but not to email, search, or social media services. EPIC explained that the proposal's "framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy." EPIC further explained that the proposal's focus on "choice, transparency and security" will fail to safeguard consumer privacy. EPIC has urged the Commission to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 20, 2016) - EPIC Intervenes in Privacy Case before European Court of Human Rights
Today EPIC filed a brief in a case before the European Court of Human Rights. The case involves a challenge brought by 10 human rights organizations arguing that surveillance by British and U.S. intelligence organizations violated their fundamental rights. In its brief, EPIC explained that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. "The NSA collects personal data from around the world and transfer that data without adequate legal protections." EPIC routinely files amicus briefs in federal and state cases that raise novel privacy issues. This is EPIC's first brief for the Court of Human Rights in Strasbourg. (Mar. 18, 2016) - EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield" on End of 702 Surveillance
Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision. (Mar. 17, 2016) - President Obama Nominates Merrick Garland for Supreme Court
The President has nominated D.C. Circuit Chief Judge Merrick Garland for the United States Supreme Court. Garland, a former prosecutor and head of the Department of Justice's Criminal Division, has served on the D.C. Circuit for 15 years. EPIC has previously urged the Senate to hold hearings and explore the views of earlier Supreme Court nominees, including Justice Kagan, Justice Sotomayor, and Chief Justice Roberts. EPIC frequently files amicus briefs in the US Supreme Court, including Spokeo v. Robins and Utah v. Strieff in the current term. (Mar. 16, 2016) - Drone Privacy Safeguards Move Forward in Senate
A Senate committee has adopted several key privacy amendments concerning drone operations in the US. The amendments, sponsored by Senator Markey (D-Mass), limit the scope of drone surveillance and require more accountability for drone operators. Markey stated, "As more and more drones take flight in our skies, the need to protect Americans' privacy is paramount." EPIC urged Congress and the FAA to establish limits on drone surveillance and recommended the FAA establish a database detailing drone surveillance capabilities. EPIC has sued the FAA for its failure to establish commercial drone privacy rules. (Mar. 16, 2016) - NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection
More than twenty civil society groups have urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US. (Mar. 16, 2016) - Senate Passes FOIA Reform Bill
The Senate has passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX), requires federal agencies to operate under a "presumption of openness," and places time limits on the FOIA's Exemption 5. Senator Leahy said that the bill "will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency." The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates urged the President to support the bipartisan legislation. (Mar. 16, 2016) - Senate to Consider FAA Funding but Drone Privacy Safeguards Missing
On March 16, 2016 the Senate will consider the FAA Reauthorization bill. Senator John Thune introduced the legislation to fund the operations of the federal agency responsible for aviation safety. The bill requires drone operators to post privacy policies, but provides no meaningful privacy safeguards that would limit surveillance by drone operators. EPIC has urged Congress and the FAA to establish real limits on surveillance by drones. EPIC also recommended that the FAA establish a national database detailing the surveillance capabilities of commercial drones. And after the agency failed to establish privacy rules mandated by Congress, EPIC filed a lawsuit, EPIC v. FAA, that is now pending before the DC Circuit Court of Appeals. (Mar. 14, 2016) - EPIC to Testify before Pennsylvania Senate on Domestic Drone Surveillance
EPIC Domestic Surveillance Project Director Jeramie Scott will testify at a hearing before the Pennsylvania Senate Majority on "Unmanned Aerial Vehicles." The hearing will address the private and public sector use of drones. In a prepared statement, EPIC’s Scott urges the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance. EPIC states, “The increased use of drones to conduct various forms of surveillance must be accompanied by increased privacy protections.” EPIC previously sued the FAA for failing to establish federal privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. (Mar. 14, 2016) - EPIC Publishes 2016 FOIA Gallery
In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2016 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2015, EPIC obtained records on e-voting tests from the Department of Defense, a secret EU-US data transfer agreement, and a massive boater tracking program operated by the DHS. In the latest FOIA Gallery, EPIC also highlights the victory in EPIC v. DOJ, a FOIA case concerning electronic surveillance reports, EPIC v. NSA about cyber surveillance, and EPIC's role as "friend of the court" in an open government case before the California Supreme Court. (Mar. 11, 2016) - FCC to Consider Privacy Rules for ISPs
The FCC will consider a proposal for consumer privacy regulations on March 31st. According to a fact sheet, the rulemaking will "apply the privacy requirements of the Communications Act" to broadband internet access services (ISPs) but not Internet websites, search services, and social media platforms. While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers. In a previous letter to the FCC, EPIC urged the Commission to establish a broad framework for communications privacy, based on Fair Information Practices. Separately, EPIC filed a petition with the FCC, joined by 29 organizations, to end the mandatory retention of consumer data. (Mar. 10, 2016) - FCC Reaches Settlement with Verizon over Hidden "Super Cookies"
The Federal Communications Commission reached a settlement with Verizon Wireless for its practice of placing hidden, undeletable "super cookies" on customers' smartphones without their knowledge or consent. The settlement requires Verizon to notify its customers of its targeted advertising practices and to obtain opt-in consent before sharing consumer data with third parties. Verizon must also pay a $1.35 million fine. EPIC has recently urged the FCC to undertake a broad rulemaking on communications privacy issues facing consumers, including the invasive and ubiquitous tracking practices of ISPs. EPIC has also urged the Federal Trade Commission to limit the use of persistent identifiers. (Mar. 10, 2016) - New Congressional Report Explores Legal Issues Regarding Compelled Decryption
"Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right against self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption. (Mar. 8, 2016) - EPIC, Consumer Privacy Groups Urge FCC to Protect Consumer Privacy
EPIC, joined by nearly a dozen consumer privacy groups, submitted a letter to the FCC reviewing the invasive consumer tracking and consumer profiling practices of Internet service providers (ISPs), which "underscore the imperative for the FCC to exercise the full extent of its rulemaking authority to protect consumer privacy." The letter explained why encryption and virtual private networks ("VPNs") are insufficient to protect consumers from ISP surveillance. The letter described how the Federal Trade Commission's reactive, "notice and choice" approach to privacy fails to provide meaningful protections for consumers. EPIC previously urged the FCC to undertake a broad rulemaking on "the full range of communications privacy issues facing US consumers." EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Mar. 7, 2016) - DHS Privacy Office Releases 2015 Data Mining Report
The Department of Homeland Security has released the 2015 Annual Data Mining Report. The report describes several of the Agency's profiling systems that assign secret "risk assessments" to U.S. citizens. EPIC recently prevailed in a FOIA case involving a controversial DHS passenger screening program, the "Analytic Framework for Intelligence." In EPIC v. USCG, another case concerning a DHS profiling program, EPIC uncovered records about a program to track boaters operating in US waters in which DHS stated that boaters "have no expectation of privacy." The 2015 DHS report indicates expansion of agency profiling programs, including the "Automated Targeting System." (Mar. 4, 2016) - EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case
Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment. (Mar. 3, 2016) - Bill to Establish Digital Security Commission Introduced in House
Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Mar. 2, 2016) - TSA Ignores Federal Court, Public Comments and Mandates Airport Body Scanners
The Transportation Security Administration has issued a final rule on airport body scanners, nearly five years after the D.C. Circuit Court of Appeals ordered the agency to "promptly" solicit public comments on the controversial scanners. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the agency will continue to use invasive body scanners at airports. The agency also states that it may mandate airport body scanners. EPIC and 25 organizations have urged Congress to hold a hearing on TSA's decision to end the opt-out for airport body scanners. The agency previously informed the D.C. Circuit that the body scanner program was optional. The Court concluded because "any passenger may opt-out of AIT screening in favor of a patdown" there was no violation of the Fourth Amendment. (Mar. 2, 2016) - Diffie, Hellman Win Turing Award for Public Key Encryption
Whitfield Diffie and Martin Hellman have received the 2016 Turing Award for the discovery of public key encryption, the cornerstone of network security. The award is named for Alan Turing, a computer scientist who helped pioneer modern computing and broke the German Enigma code, hastening the end of the Second World War. The Turing Award is considered the Nobel Prize of computer science and is given for major contributions of lasting importance by the Association for Computing Machinery. Diffie, a member of the EPIC Advisory Board, was one of the founders of the Electronic Privacy Information Center and received the EPIC Lifetime Achievement Award in 2012. (Mar. 1, 2016) - EPIC Files Brief in Suit Over Faulty Background Checks
EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated the Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million settlement. (Mar. 1, 2016) - NY District Court Denies Government Demand to Unlock iPhone
Magistrate Judge Orenstein denied a government request under the All Writs Act to force Apple to unlock an iPhone. Judge Orenstein stated "the government's construction of the [All Writs Act] produces absurd results in application." The ruling comes the day before a Congressional hearing to address recent efforts to force Apple to decrypt iPhones. Apple is opposing a court order in another case that would require the company to make changes to the iPhone to enable government access. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 29, 2016) - "Privacy Shield" Released, New Questions Raised
The text of the "Privacy Shield" was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws. (Feb. 29, 2016) - NSA to Disclose Agency Records to Other Federal Agencies, Implicating Federal Privacy Act
According to the New York Times, the NSA plans to disclose intercepted private communications to other federal agencies, including records of communications concerning US persons. The substantial change in agency practices "would relax longstanding restrictions on access to the contents of the phone calls and email." In 2013, EPIC and a group of legal scholars and technical experts petitioned the NSA to undertake a public rule making on "the agency's monitoring and collection of communications traffic within the United States." EPIC has previously urged the Department of Defense to ensure that the NSA complies with the federal Privacy Act and has opposed expansion of the "Operations Records" database. (Feb. 26, 2016) - European Commission Wrongly Denies EPIC's Request For "Privacy Shield"
The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections. (Feb. 26, 2016) - Apple Opposes FBI Decryption Order
Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 25, 2016) - House Members Seek Answers on FBI Stingray Agreements
Two leading members of the House Judiciary Committee sent a letter to FBI Director James Comey regarding Stingray surveillance devices, which intercept cellphone communications. Representative Jim Sensenbrenner (R-Wisc) and Representative Sheila Jackson Lee (D-Tx) sharply criticized the FBI's use of "non disclosure agreements" that prohibit local law enforcement agencies from discussing the use of Stingrays, even in court proceedings. The representatives noted that such secrecy "shields the technology from debate." They asked the FBI to answer specific questions about the agreements. In 2013, EPIC first uncovered these secret Stingray agreements in a Freedom of Information Act suit against the FBI. (Feb. 25, 2016) - Writers Side with Apple in Encryption Fight with FBI
In a letter to the Attorney General, leading writers and artists protested the FBI's "efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported strong encryption as key to the future of privacy and security. EPIC recently gave the 2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The 2016 EPIC Awards dinner will be held on June 6th in Washington, DC. (Feb. 24, 2016) - EPIC FOIA - Information about Controversial DNA Forensic Technique Released
In response to EPIC's FOIA request, the California Department of Justice has released records on a controversial forensic technique. The records show that in 2014, the state agency spent more than $300,000 on STRMix, a secret technique for matching DNA. Investigators in Australia subsequently found an error in the STRMix code that produced incorrect results in 60 criminal cases, including a high-profile murder case. STRMix promises prosecutors the ability to "[c]arry out familial searches against a database, searching for close relatives of contributors to mixed DNA profiles" but the algorithm remains secret. EPIC is pursuing FOIA requests on the secret DNA matching algorithms with state agencies across the U.S. (Feb. 23, 2016) - EPIC Recommends Greater Accountability for Government Screening Database
EPIC submitted comments to DHS urging the agency to improve transparency and privacy protections for the controversial Terrorist Screening Database that is used for Watchlist programs, such as the No Fly List, containing information that is often inaccurate and incomplete. The agency solicited comments on a proposal to remove Privacy Act safeguards while simultaneously expanding data collection and distributing data more widely across the DHS. EPIC and many other organizations opposed the establishment of the Screening Database and called for its suspension pending a full review of the privacy and security implications. EPIC has testified before Congress about the risks of the Watchlist program. (Feb. 23, 2016) - President Announces $19 billion Cybersecurity Plan
President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections. (Feb. 23, 2016) - Supreme Court to Consider Fourth Amendment ID-Check Case
The Supreme Court will hear arguments today in Utah v. Strieff. At issue is the use of evidence obtained from government databases following an illegal police stop. In a brief signed by twenty-one technical experts and legal scholars, EPIC warned about the vast amount of personal data, much of it inaccurate, stored in government databases and pointed to the failure of the Justice Department to enforce Privacy Act safeguards. EPIC argued that "a diminished Fourth Amendment standard coupled with a weakened Privacy Act is truly a recipe for a loss of liberty in America." EPIC had filed amicus briefs in several related Supreme Court cases, including Hiibel v. Sixth Judicial District, Tolentino v. New York, and Herring v. U.S. (Feb. 22, 2016) - California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable
A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. (Feb. 18, 2016) - Apple Opposes FBI Decryption Order
Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC. (Feb. 17, 2016) - EPIC Prevails in Passenger Screening Lawsuit Against DHS
EPIC has prevailed in EPIC v. DHS, a case involving a controversial passenger screening program operated by Customs and Border Protection. The agency combines detailed personal information with secret algorithms to assign "risk assessments" to travelers, including US citizens. EPIC sued the DHS and argued that the agency unlawfully withheld records under the Freedom of Information Act. Today, a federal judge concluded that EPIC "has the more convincing argument" and that the agency failed to disclose information about the "Analytic Framework for Intelligence" program. (Feb. 17, 2016) - "Judicial Redress Act" Provides Little Redress
The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously recommended changes to protect transborder data flows. The bill, as adopted, coerces European countries to transfer data to the US, even without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC explained that the OPM breach made clear the need for updates to the federal privacy law. (Feb. 12, 2016) - Google Concedes "Right to be Forgotten" Applies Worldwide
After waging an unproductive battle against the privacy rights of Internet users, Google will finally remove links to sensitive personal information. Google had challenged the legal authority of the Spanish people to protect their personal information, but lost the case Google v. Spain before the top court in Europe. Google then claimed that the links to personal data should only be removed in the country where the Internet user resided. Privacy experts said Google's position made no sense for the "global Internet." The French data protection agency threatened Google with sanctions. Google again fought back, claiming it did not need to comply with the decision of the Court of Justice of the European Union. Now the company has decided to comply with the law. (Feb. 11, 2016) - Department of Commerce: Privacy Shield "does not exist"
As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577. (Feb. 10, 2016) - EPIC to Argue before Federal Appeals Court for Drone Privacy Rules
EPIC President Marc Rotenberg will argue EPIC v. FAA before the D.C. Circuit Court of Appeals on February 10, 2016. EPIC, joined by more than 100 groups and experts, petitioned the agency to conduct a public rule-making on the privacy impact of increased drone deployment in the United States. The FAA acknowledged the importance of privacy and responded in November 2014 that it would undertake the rulemaking. But in early 2015, the agency reversed course and announced it would not establish privacy safeguards for commercial drones. As of February 5, 2016, the agency has granted more than 3,300 waivers to drone operators who lack certification to demonstrate airworthiness. (Feb. 9, 2016) - Hackers Breach US Government Database, No Recourse for Non-Americans
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States. (Feb. 9, 2016) - EPIC Launches "Data Protection 2016" to Make Privacy a Campaign Issue
Noting widespread concern about the state of privacy in America, EPIC has launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. EPIC President Marc Rotenberg said, "Data breaches, identity theft, and government surveillance are critical issues facing American voters, yet the candidates have said hardly a word." Security expert Bruce Schneier said, "Privacy is a critical issue that touches many aspects of Americans' lives. The Presidential candidates need to have a plan to protect our personal information." DataProtection2016 shows widespread support for stronger privacy protections in the United States. Campaign materials, including buttons and stickers, are available. Donations will support the work of EPIC. (Feb. 7, 2016) - Court Orders DOJ to Justify Withholding of FISA Reports in EPIC FOIA Suit
A federal court in Washington, DC ruled today that the Justice Department's explanation for withholding information about the Foreign Intelligence Surveillance Court was "manifestly insufficient." In EPIC v. Department of Justice, EPIC is seeking release of FISA surveillance reports routinely provided to Congress. The court ordered the government to submit the reports for review, and to provide specific reasons for withholding the material sought by EPIC. For almost 20 years, EPIC has made available information about FISC orders and surveillance reports. As EPIC explained to the court, release of these materials is of the "utmost importance to the public." (Feb. 4, 2016) - EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement
EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation. (Feb. 4, 2016) - Privacy Commissioners to Review "Privacy Shield"
The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement." (Feb. 3, 2016) - Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield"
Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data. (Feb. 2, 2016) - EPIC Urges Supreme Court to Uphold Fourth Amendment Safeguards for Police Stops
EPIC has filed a "friend-of-the-court" brief in Utah v. Strieff, a U.S. Supreme Court case about whether the Fourth Amendment allows evidence to be admitted after an illegal stop. Mr. Strieff was unlawfully detained by an officer, who checked his ID and then arrested him on an unrelated outstanding warrant. In a brief, signed by twenty-one technical experts and legal scholars, EPIC detailed a number of sweeping government databases that contain inaccurate and detailed records about Americans' noncriminal activity. EPIC argued that "a diminished Fourth Amendment standard coupled with a weakened Privacy Act is truly a recipe for a loss of liberty in America." EPIC previously argued against compelled identification during police stops in Hiibel v. Sixth Judicial District and Tolentino v. New York. (Jan. 29, 2016) - Schrems Responds to US Lobby Groups on Safe Harbor
In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn' the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and 'essentially equivalent' protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award. (Jan. 29, 2016) - "Clock is ticking" on Safe Harbor, says European Consumer Organization
BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations. (Jan. 29, 2016) - EPIC Celebrates International Privacy Day
EPIC celebrates January 28, International Privacy Day, which commemorates the signing of Convention 108, on January 28, 1981. The Privacy Convention was the first binding international treaty for privacy and data protection. EPIC and consumer organizations have called on the United States to ratify Convention 108. NGOs and Privacy experts have also expressed support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. (Jan. 28, 2016) - EPIC Gives 2016 Freedom Award to Viviane Reding
EPIC has awarded the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Commission for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented at the annual conference on Computers, Privacy and Data Protection in Brussels. The US EPIC Champion of Freedom Awards will be presented on June 6, 2016 in Washington, DC. (Jan. 28, 2016) - U.S. Law Firm Argues U.S. Privacy Law "Essentially Equivalent"
A recent report from a U.S. law firm concludes that the United States offers essentially equivalent privacy protection to Europe. The report also finds that "This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate." Of course, all travel records of Europeans are routinely transferred to the U.S. Department of Homeland Security without any legal protection. Under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. (Jan. 27, 2016) - Pew Survey: Americans Unhappy with How Personal Data is Used by Companies
According to the recent survey of the Pew Research Center, Americans are cautious about disclosing personal data in commercial settings. They are also frequently unhappy with how companies use their data afterwards. For example, 55% of adults said it would be unacceptable for a "smart thermostat" to track their movements around their home in exchange for a discount on their energy bill. And a majority said it would not be acceptable for a car insurance company to monitor a driver's speed and location in exchange for safe driving discounts. EPIC had urged the Federal Trade Commission to investigate Google's acquisition of Nest and has a complaint pending before the FTC regarding "always on" devices. (Jan. 26, 2016) - EPIC and Consumer Privacy Groups File Brief Supporting FCC in Telephone Privacy Case
EPIC and six consumer privacy organizations have filed a "friend-of-the-court" brief in support of the Federal Communications Commission in ACA International v. FCC. The case was brought against the FCC by industry groups charged with violating the Telephone Consumer Protection Act. The FCC had made clear that companies cannot make automated or prerecorded calls to consumers without their consent. EPIC argued in its brief that widespread adoption of cell phones "has amplified the nuisance and privacy invasion caused by unwanted calls and text messages." EPIC and the consumer organizations urged the federal court to uphold the FCC order safeguarding consumers. (Jan. 25, 2016) - EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation. (Jan. 25, 2016) - EPIC Seeks to Intervene in Privacy Case Before European Court of Human Rights
EPIC has asked the European Court of Human Rights for permission to submit an amicus brief in a case concerning mass surveillance. Ten international human rights NGOs brought the case to challenge UK surveillance laws and practices. The case concerns Tempora, PRISM, and Upstream programs, and the interception of communications by UK intelligence services and the National Security Agency. EPIC proposes to assist the Court in understanding U.S. surveillance law, and to provide relevant information EPIC has obtained through freedom of information litigation. EPIC routinely files amicus briefs in cases concerning emerging privacy and civil liberties issues. (Jan. 22, 2016) - Supreme Court Rules Settlement Offers Can't Moot Consumer Class Actions
The Supreme Court has ruled that a company cannot terminate class action litigation by strategically making a settlement offer of full relief to individual plaintiffs. The case, Campbell-Ewald Co. v. Gomez, involved a consumer who refused to drop his Telephone Consumer Protection Act lawsuit in exchange for such an offer. The defendant company argued that the offer, which exceeded the statutory damages under the TCPA, mooted his case. The Justices disagreed, ruling 6-3 that "an unaccepted settlement offer has no force. Like other unaccepted contract offers, it creates no lasting right or obligation." EPIC routinely works to protect consumer privacy interests in class action settlements. (Jan. 20, 2016) - EPIC Urges FCC to Establish Communications Privacy Protections for Consumers
EPIC has submitted a letter to the Federal Communications Commission urging the agency to undertake a rulemaking to protect the communications privacy of consumers. EPIC asked the FCC to explore "the full range of communications privacy issues facing US consumers." EPIC proposed that the FCC implement Fair Information Practices and the Consumer Privacy Bill of Rights; adopt data minimization requirements; promote Privacy-Enhancing Technologies; and require opt-in consent for the use or disclosure of consumer data. EPIC suggested that the FCC model its communications privacy rules on the Code of Fair Information Practices for the National Information Infrastructure. EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Jan. 20, 2016) - Senator Franken Presses Google on Student Privacy
Senator Al Franken (D-MN) asked Google to explain what the company does with student data, including: what types of data Google collects, to whom Google discloses student information, and whether students and schools “have control over what data is being collected and how the data are being used?” Senator Franken stated, “I believe Americans have a fundamental right to privacy, and that right includes a student or parent’s access to information about what data are being collected about them and how the data are being used.” EPIC has called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. (Jan. 16, 2016) - EPIC Urges Senate to Postpone Action on Judicial Redress Act
Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the Office of Personnel Management. EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act. (Jan. 16, 2016) - EPIC Urges FAA to Make Drone Surveillance Capabilities Public
In comments to the FAA, EPIC urged the agency to make public the surveillance capabilities of drones operated in the United States. EPIC also proposed privacy safeguards for personal information. EPIC stated, "It is not the personal information of the drone registrant that should be readily available to the public, but the technical capabilities of the registered drone." The FAA recently published a rule requiring drone registration, which EPIC supported. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit Court of Appeals. (Jan. 15, 2016) - Court Upholds Facebook Settlement, Allows Continued Use of Kids' Images in Ads
A federal appeals court has upheld a 2013 settlement agreement in Fraley v. Facebook, a consumer privacy class action involving Facebook's use of young children's names and images for advertising without consent. That practice is currently prohibited in seven states. Questions were also raised about the cy pres determinations. In dissent, Judge Bea stated that the "district court abused its discretion in approving the final settlement." In an amicus brief to the Ninth Circuit, EPIC urged the appeals court to overturn the deal, explaining that the settlement is unfair to class members and authorizes continued privacy violations. In 2010, EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. (Jan. 14, 2016) - EPIC, Coalition Call for Congressional Hearings on Unlawful TSA Mandate for Body Scanners
EPIC and 25 organizations have urged Congress to hold a hearing on TSA's decision to end the opt-out for airport body scanners. Dozens of organizations petitioned the DHS secretary in 2010 to solicit public comments on the original program. In EPIC v. DHS, the lawsuit that followed, the D.C. Circuit ruled that TSA violated federal law when it installed body scanners in airports without public comment. The agency said at the time that the body scanner program was optional. The Court also concluded that because "any passenger may opt-out of AIT screening in favor of a patdown" there was no violation of the Fourth Amendment. (Jan. 13, 2016) - Amid Criticism of Agency Compliance, House Passes Substantial FOIA Reforms
Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that "[e]xcessive delays and redactions" have undermined the Act. The FOIA Ombudsman criticized the Transportation Security Administration for its "weak management" and lack of a "FOIA tracking system." EPIC has pursued many FOIA cases. EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a "presumption of openness" and narrowing the use of FOIA exemptions. (Jan. 11, 2016) - Supreme Court Denies EPIC's Petition to Obtain Cellphone Shutdown Policy
Today, the U.S. Supreme Court declined to review EPIC v. DHS, concerning the government's cellphone shutdown policy. EPIC had pursued the secret policy after government officials disabled cellular service at a BART station in San Francisco during a peaceful protest. A district court in Washington, D.C. ruled in EPIC's favor when the DHS sought to withhold the policy, but the court of appeals later overturned the ruling. EPIC urged the Supreme Court to review the case to resolve a conflict between the D.C. Circuit and the Second Circuit Courts of Appeals. EPIC also pointed to competing public safety interests when cell service is disabled, but the Court declined. Despite today's order, EPIC successfully obtained a redacted version of the shutdown policy. (Jan. 11, 2016) - Uber, New York AG Reach Settlement Over Rider Data Privacy Practices
The New York Attorney General’s office has announced a settlement in its investigation of Uber’s collection and misuse of rider locational data, as well as its failure to provide timely notice of a data breach affecting 50,000 Uber drivers. The investigation was prompted by public outcry over Uber’s “God View” tool that allowed Uber employees to obtain a specific rider’s real-time and historic location data without permission. The settlement requires Uber to encrypt rider locational data and enhance its data security. EPIC previously filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. In the Huffington Post, EPIC also recommended privacy law to regulate Uber and other companies in the ride-sharing industry. (Jan. 7, 2016) - EPIC Urges HHS to Protect Privacy of Human Research Subjects
In comments to the Department of Health and Human Services, EPIC pointed out several flaws in proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects. While EPIC supports the agency's proposals to strengthen requirements for informed consent and to adopt a broad definition of Personally Identifiable Information, many of the proposed changes "place research interests ahead of the privacy interests" and fail to address the risks to human subjects of "Big Data" research. EPIC previously expressed concern about proposed changes to the Common Rule and continually advocates for health privacy rights. (Jan. 7, 2016) - DHS Releases Drone Privacy Best Practices
The Department of Homeland Security has released a set of drone privacy best practices. The best practices reflect many of the recommendations made by EPIC in testimony to Congress, including limiting data collection, use, dissemination, and retention. The recommendations also propose a redress program so individuals can challenge inappropriate collection. The best practices are only guidelines, but a Presidential Memorandum on drones and privacy requires all federal agencies to establish and publish drone privacy procedures by February 2016. EPIC has sued the Federal Aviation Administration, in EPIC v. FAA, to establish privacy rules for commercial drones. Oral arguments are scheduled before the D.C. Circuit Court of Appeals on February 10. (Jan. 6, 2016) - EPIC Warns Education Department of Research Database Privacy Risks
In comments to the Education Department, EPIC objected to the Department's recent proposal to gather detailed student information. The Department plans to collect student data, including discipline records, to assess "data-driven instruction professional development." The Department also proposes to disclose the data to private contractors. EPIC suggested that the agency use aggregate data instead of students' personally identifiable information so as to reduce the risk that might result from a data breach. EPIC noted that the agency's Inspector General recently found that "information systems continue to be vulnerable to serious security threats." EPIC has called for a Student Privacy Bill of Rights, an enforceable privacy and data security framework. (Jan. 6, 2016) - EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit
In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress. (Jan. 6, 2016) - EPIC Opposes Sea Traveller Surveillance Program
In comments to the DHS, EPIC criticized a proposal to collect detailed records on people traveling by boat. The DHS is planning to track people arriving and departing the United States by sea, including between ports within the United States. However, DHS will ignore Privacy Act protections, and make the data collected routinely available to private companies and foreign governments. The proposal, explained EPIC, would "create a massive government database of detailed personal information that lacks accountability." EPIC has opposed other boat surveillance programs. And a FOIA case pursued by EPIC about a controversial boater tracking program revealed that the DHS fuses tracking data with other intelligence data to develop detailed profiles on boaters. (Jan. 4, 2016)