You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

Previous Top News: 2019


  • Five years after EPIC first recommended that the Federal Aviation Administration establish drone identification rules "similar to the Automated Identification System for commercial vessels,” the Federal Aviation Administration has proposed regulations that would require nearly all drones in U.S. airspace to be remotely identifiable. Drones would be required to transmit their location and identification details to an online FAA tracking system. Drones flying more than 400 feet from their operators would also be required to broadcast location and ID to surrounding areas. In 2015, EPIC wrote “Drones should be required to broadcast their registration information to allow members of the public and law enforcement officials to easily identify the operator and responsible party.” EPIC further stated any drone operating in the national airspace system include a mandatory GPS tracking feature that would always broadcast the location of a drone when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information.” The European Union’s drone regulations incorporate these recommendations. Comments on the FAA proposed rule are due March 2, 2020.

    (Dec. 31, 2019)

  • The Department of Defense is warning military personnel against using home DNA test kits, citing the privacy risks that the tests pose. “These [direct-to-consumer] genetic tests are largely unregulated and could expose personal and genetic information,” reads a DOD memo circulated to servicemembers. “Moreover, there is increased concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization or awareness.” DNA profiles contain sensitive personal data that can impact employment decisions, insurance availability, and criminal justice outcomes. EPIC’s Marc Rotenberg spoke recently with C-Span Washington Journal about the privacy risks of DNA kits. EPIC has backed privacy safeguards for genetic data in comments to federal agencies and amicus briefs for the US Supreme Court.

    (Dec. 31, 2019)

  • A federal court has ordered the National Security Commission on Artificial Intelligence to respond to EPIC's arguments that the Commission is violating a federal law requiring advisory committees to operate transparently. During a hearing in EPIC v. AI Commission, Judge Trevor N. McFadden ordered the parties to file briefs concerning the Commission's obligation to hold open meetings and publish its records. The court has already ruled that the AI Commission must comply with EPIC's Freedom of Information Act request. In the same hearing, the government stated that the Defense Department will disclose records about the AI Commission in the next 4-6 weeks. The Commission, which is tasked with developing U.S. AI policy, recently released a report to Congress criticizing the EU General Data Protection Regulation and calling for greater "government access to data on Americans." (Dec. 20, 2019)

  • The National Institute of Science and Technology study of Face Recognition Software found that false positives are up to 100 times more likely for Asian and African American faces when compared to White faces. NIST examined 189 software algorithms from 99 developers, a "majority of the industry," according to the federal agency. The highest rates of false positives were found for African American females — which NIST says is "particularly important because the consequences could include false accusations." EPIC has called for a global moratorium on the use of Face Surveillance technology. The Public Voice declaration in support of the moratorium has been endorsed by over 100 organizations and 1000 individuals in more than 40 countries. (Dec. 20, 2019)

  • The Foreign Intelligence Surveillance Court this week criticized the FBI for misleading judges, following a scathing report from the Inspector General. In a rare public order, the Court explained that the Bureau's representations were "antithetical to the heightened duty of candor" that the government must satisfy in surveillance applications. Presiding Judge Collyer wrote, "The frequency with which representations made by F.B.I. personnel turned out to be unsupported or contradicted by information in their possession, and with which they withheld information detrimental to their case, calls into question whether information contained in other F.B.I. applications is reliable." The Court ordered the FBI to propose new procedures by January 10, 2020. EPIC has advocated for significant FISA reforms for almost 20 years, and recently advised Congress to limit Section 702 of FISA and to sunset Section 215 of the Patriot Act. (Dec. 19, 2019)

  • Today the EU Advocate General issued an advisory opinion in "Schrems 2.0," a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency. (Dec. 19, 2019)

  • A new poll of registered voters found that 79% of Americans believe that Congress should enact privacy legislation and 65% of voters said data privacy is "one of the biggest issues our society faces." The Morning Consult poll found bipartisan consensus: 83% of Democrats and 82% of Republicans said that privacy legislation should be an important or top priority for Congress. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency. (Dec. 19, 2019)

  • Emails obtained by EPIC in a FOIA lawsuit show that now Justice Kavanaugh, as a top White House advisor, drafted several speeches defending warrantless wiretapping after the New York Times exposed the controversial program in 2005. EPIC has created an index of the email subject lines to illustrate Kavanaugh's role in President Bush's 2006 State of the Union, former Attorney General Gonzales' January 2006 speech at Georgetown Law, and speeches promoting border surveillance. Kavanaugh was particularly involved in revising a paragraph on the NSA program in the 2006 State of the Union. Documents previously obtained by EPIC revealed that Kavanaugh exchanged hundreds of emails with White House and DOJ staff about the NSA surveillance program and gathered legal justifications for the program. Congress ended the controversial program in 2015, following extensive hearings. On the DC Circuit Court of Appeals in 2015, Judge Kavanaugh issued a surprising opinion on surveillance authority. Senator Leahy pursued Kavanaugh's views on surveillance during the Supreme Court nomination hearing. (Dec. 18, 2019)

  • Facebook has admitted that it can determine a user's location even after the user has disabled location services. The statement came in response to a letter from Sens. Josh Hawley (R-Mo.) and Chris Coons (D-Del.). Sen. Hawley tweeted: "There is no opting out. No control over your personal information. That's Big Tech. And that's why Congress needs to take action." The FTC's 2011 consent order with Facebook, followed EPIC's 2009 complaint which established that Facebook ignores user privacy settings. EPIC is challenging the proposed 2019 settlement in part because it does not fix the location tracking problem. A federal court has ordered both Facebook and the FTC to file replies to EPIC. In a related matter, an EPIC case required Accuweather to end surreptitious tracking of users. (Dec. 17, 2019)

  • Today the FTC finalized a settlement with Unrollme without making changes, as EPIC had urged. Unrollme is an email management company that "falsely told consumers that it would not 'touch' their personal emails in order to persuade consumers to provide access to their email accounts." The FTC required the company to delete personal data it had unlawfully obtained. EPIC further advised the FTC to require Unrollme to notify all users of past deceptive practices and to obtain reauthorization from users before using personal data. The FTC declined to adopt EPIC's recommendations. The agency responded to EPIC that "the Commission has now determined that the public interest would best be served by issuing the Complaint and the Decision and Order in the above-entitled proceeding in final form without any modifications." EPIC routinely comments on proposed FTC settlements in accordance with a provision that requires the agency to seek public comment before finalizing any proposed settlements. (Dec. 17, 2019)

  • EPIC has moved for summary judgment in EPIC v. DOJ, concerning law enforcement's collection of cell site location data through "§ 2703(d) orders." In Carpenter v. United States, the Supreme Court ruled that these searches were unconstitutional. EPIC filed multiple Freedom of Information Act requests to obtain the government orders issued between 2016 and 2019. However, the DOJ claimed that it "does not track" the information EPIC sought and refused to search for records. EPIC explained to the Court that the DOJ has not satisfied its obligations under the FOIA. EPIC also charged that the agency has engaged in "an unlawful pattern and practice" of refusing to search files even when it could do so. EPIC stated that "This unlawful agency practice impacts EPIC and all other requesters who would seek disclosure of records" at the Department of Justice. The case is EPIC v. DOJ, No, 18-1814 (D.D.C.). (Dec. 17, 2019)

  • Mary Stone Ross, former President of Californians for Consumer Privacy, will join the Electronic Privacy Information Center (EPIC) as Associate Director in January 2020. Ross led the most successful privacy campaign in US history gathering 600,000 signatures for a California ballot initiative. That campaign led to enactment of the California Consumer Privacy Act, the most comprehensive consumer privacy law in the United States. The CCPA goes into effect January 1, 2020. EPIC President Marc Rotenberg said, "We are thrilled that Mary is joining EPIC. She brings to EPIC a powerful combination of deep policy expertise, effective grassroots engagement, and concrete legislative results that have benefitted consumers across the country." Press release. (Dec. 17, 2019)

  • EPIC and a coalition of organizations led by Fight for the Future issued a product warning for Amazon Ring devices, the neighborhood surveillance system posing as a doorbell. The Ring devices have been hacked to initiate conversations with children, leaked user WiFi passwords, assisted ICE with deportations, and used in racially discriminatory profiling. Five prominent Senators have demanded that Amazon provide information about Ring's facial recognition techniques. EPIC has recently launched a campaign to Ban Face Surveillance worldwide. (Dec. 17, 2019)

  • The Inspector General's review of FISA applications for the FBI's investigation into Russian interference in the 2016 Presidential Election raises new concerns about the use of the surveillance authority. The Inspector General concluded that the FBI investigation was properly predicated and there was no evidence of political bias or improper motivation. However, the IG Report also detailed significant misrepresentations and errors made in the investigation designated "Crossfire Hurricane." The Report found that "FBI personnel fell far short of the requirement in FBI policy that they ensure that all factual statements in a FISA application are 'scrupulously accurate.'" EPIC has advocated for significant FISA reforms for more than a decade, and recently advised Congress to reform Section 702 of FISA and to sunset Section 215 of the Patriot Act. (Dec. 17, 2019)

  • According to recent news reports, the FTC may pursue an injunction against Facebook to prevent the integration of WhatsApp and Instagram user data. Analysts noted that integration would make it more difficult to break up the company if required by a subsequent antitrust review. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." The European Commission fined Facebook 122 million dollars in 2017 for misleading statements about the integration of the data sets. In a recent filing with a federal court, EPIC wrote "the Commission also seems entirely unconcerned by Facebook's planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission." (Dec. 17, 2019)

  • An order from a federal court in Washington, DC creates an opportunity for groups and individuals to file amicus briefs about the proposed FTC settlement with Facebook. The proposed settlement concerns violations of consumer privacy and the adequacy of the settlement. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC explained that the proposed settlement "largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices." EPIC asked the court to provide an opportunity for others to file amicus briefs. The deadline for motions is December 17, 2019. (Dec. 16, 2019)

  • Today EPIC petitioned the U.S. Supreme Court to review the D.C. Circuit decision in EPIC v. Commerce, which denied EPIC the right to obtain privacy impact assessments that the Census Bureau was required to publish before adding the citizenship question to the 2020 Census. EPIC told the Court that the lower court decision conflicts with earlier Supreme Court opinions and creates obstacles to public access to privacy impact assessments that Congress never intended. EPIC warned the Court that the decision makes the impact assessment obligation "essentially unenforceable." Earlier this year, the Supreme Court's decision in Commerce v. New York led to the removal of the citizenship question from the 2020 Census. EPIC filed an amicus brief in support of that outcome. (Dec. 16, 2019)

  • The U.S. Supreme Court announced that it will consider President Trump's appeals to block subpoenas by Congressional committees and the Manhattan District attorney for his financial records, including tax returns.The Second Circuit rejected the President's attempt to block a grand jury subpoena, finding "no support" for the argument "that a President's private and non‐privileged documents may be absolutely shielded from judicial scrutiny." EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is currently seeking "offers-in-compromise" and related tax records of President Trump and his businesses. (Dec. 13, 2019)

  • Following widespread protest over the proposed sale of the .ORG domain by the Public Interest Registry to a private equity fund, ICANN posted a response. In a blog post, the ICANN CEO and Board Chair acknowledged that "PIR must obtain ICANN's prior approval before any transaction that would result in a change of control of the registry operator." ICANN further stated that it sent a letter to both ISOC and PIR, "asking them to please be clear and open in all of their communications." EPIC President Marc Rotenberg, a founding board member and former chair of PIR, said that the secrecy of the deal was "a failure of process." He told the Financial Times "You can't make decisions about the allocation of internet domain names in the dark." In a recent commentary for The Hill, Rotenberg said that ICANN should block the sale. Prior to establishing PIR, EPIC launched The Public Voice project to promote civil society participation in decisions concerning the future of the Internet. (Dec. 13, 2019)

  • The Transatlantic Consumer Dialogue (TACD) and the Heinrich Boll Stiftung Foundation published a new report on the privacy practices of Amazon, Netflix, and Spotify in the EU and the US. "Privacy in the EU and US: Consumer experiences across three global platforms" revealed that the companies provided less protection to US users, and that none of the companies complied fully with GDPR. The report recommends "baseline federal data protection and privacy law that does not pre-empt stronger state privacy protections and that creates an independent data protection agency." EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency. (Dec. 12, 2019)

  • In response to EPIC's Public Record Request, the Idaho Department of Correction released several documents about its risk assessment instrument, the "Level of Service Inventory-Revised" (LSI-R). Revealed in an annotated scoresheet that informs the LSI-R's calculation, the Idaho Department of Corrections uses several subjective categories to calculate an offender's risk and recidivism rate--including information about the alleged criminality of a defendant's social network, participation in leisurely activity, and mental health. EPIC also obtained a detailed scoring guide, LSI-R training materials, validation studies, and contract details. Only two validation studies were produced, and they were thirteen years apart. EPIC has obtained documents about pre-trial risk assessments as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. EPIC has urged government agencies to make transparent algorithmic-based decision making. (Dec. 11, 2019)

  • EPIC today submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eights of a data breach of children's data by a company subject to COPPA. EPIC said "the FTC must now establish clear safeguards for children's data gathered in schools." EPIC testified before Congress in 1996 in support of the original children's privacy law. The FTC previously considered EPIC's recommendations in an early review of the COPPA Rule and incorporated several of EPIC's recommendations in the 2013 regulations. (Dec. 11, 2019)

  • Today the U.S. District Court for the District of Columbia ordered both Facebook and the FTC to file replies to EPIC's amicus brief and sur-replies to EPIC's motion to intervene in United States v. Facebook. The case concerns the proposed settlement between the FTC and Facebook for violations of consumer privacy. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest.” EPIC explained that the proposed settlement “largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” EPIC noted, the "Commission also seems entirely unconcerned by Facebook’s planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission.” Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission. (Dec. 10, 2019)

  • A federal court has set a December 18 hearing in EPIC v. DOJ to decide whether the Department of Justice must reprocess the Mueller Report and disclose additional material to EPIC. Earlier in the day, EPIC notified the court that Roger Stone’s criminal trial had ended and that the DOJ had disclosed extensive new details about Stone during the trial. As a result, EPIC is entitled to the disclosure of additional information from the Mueller Report about Stone and his interactions with Wikileaks. The court is also expected to rule soon on EPIC’s motion to disclose the complete, unredacted Report. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Dec. 10, 2019)

  • European privacy advocacy group None of Your Business—led by Max Schrems—filed three complaints with the French Data Protection Authority (CNIL). The NOYB complaints charged that companies obtained "fake consent" for online tracking. Max and EPIC have challenged the use of "standard contractual clauses" in a case now before the European Court of Justice, known as "Schrems 2.0". A preliminary decision in that case is expected on December 19. Schrems met with the Privacy Coalition last month in Washington, DC to discuss the GDPR and litigation strategies. (Dec. 10, 2019)

  • In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the Senate Judiciary Committee urging Congress to end the NSA's phone record collection program, known as "Section 215." EPIC wrote "events of the past few years make clear that Section 215 should not be renewed." Section 215 of the Patriot Act allowed the NSA to collect the telephone records of Americans. In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems. The former Director of National Intelligence also confirmed that the program was suspended. Section 215 will sunset unless Congress chooses to reauthorize the program. (Dec. 10, 2019)

  • In advance of a hearing on "Encryption on Lawful Access," EPIC wrote to the Senate Judiciary Committee "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. Leading computer scientists and security experts, including members of the EPIC Advisory Board, have found that proposals to add "backdoors" for law enforcement are "unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm." EPIC previously filed an amicus brief in Apple v. FBI in support of robust security safeguards for cellphone users. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC President Marc Rotenberg warned of the risk of NSA-mandated backdoors in a 1990 article, "The Only Locksmith in Town." (Dec. 10, 2019)

  • The FTC issued a press release today about Cambridge Analytica, the company blamed for the Brexit vote that harvested the personal data of 87 m Facebook users for voter profiling and tracking. The misuse of personal data occurred while Facebook was under a consent order and subject to the supervision of the FTC. EPIC urged the FTC to reopen the investigation of Facebook after news of the Cambridge Analytica breach in early 2018. More than 18 months after the scandal broke, the FTC found that Cambridge Analytica, a company now bankrupt, deceived consumers through its data-gathering practices. EPIC previously told Congress that the Cambridge Analytica scandal could have been avoided if the FTC had enforced its own Consent Order. (Dec. 7, 2019)

  • In comments to the California Attorney General on proposed regulations to the California Consumer Privacy Act, EPIC backed provisions that would strength consumer protections and identified topics for future action, such as the creation of data protection agency. EPIC's comments followed from its recent report on federal privacy legislation, Grading on a Curve: Privacy Legislation in the 116th Congress. EPIC has long supported state efforts to establish strong privacy safeguards, and opposed federal preemption. EPIC's State Policy Project provides expertise to the states to help shape effective privacy laws. (Dec. 6, 2019)

  • Customs and Border Protection has removed its proposal to require U.S. citizens to undergo mandatory face recognition at airports, following widespread protest. Currently, only foreign nationals are required to undergo facial screening at airports. According to a CBP spokesperson, the agency has "no current plans to require U.S. citizens to provide photographs upon entry and exit from the United States," and that it "intends to have the planned regulatory action...removed from the unified agenda next time its published." Senator Ed Markey previously blasted CBP's proposal. After CBP reversed its proposed plan, Senator Markey stated "we cannot take our right to privacy for granted. Americans still need protection from facial recognition technology..." and that the planned to introduce legislation to ban biometric surveillance. EPIC is pursuing a lawsuit to uncover documents about the opt-out procedures in CBP's Biometric Entry-Exit program. Congress has explained to Congress and the agency that its Biometric Entry-Exit program unfairly burdens travelers exercising their rights to opt-out of biometric identification. EPIC recently launched a global campaign calling for a moratorium on the use of face recognition for mass surveillance. (Dec. 5, 2019)

  • Facebook has filed a petition asking the Supreme Court to review a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance. (Dec. 5, 2019)

  • Senators Cory Booker (D-NJ) and Ron Wyden (D-OR) sent letters to health insurance companies and two government agencies (the FTC and Centers for Medicare and Medicaid Services) asking how they're addressing bias in health care algorithms. The Senators wrote: "Unfortunately, both the people who design these complex systems, and the massive sets of data that are used, have many historical and human biases built in. Without very careful consideration, the algorithms they subsequently create can further perpetuate those very biases." Booker and Wyden recently introduced the Algorithmic Accountability Act, which would direct businesses to correct discriminatory algorithms. EPIC has promoted Algorithmic Transparency, supported the Universal Guidelines for AI, and published the first reference book on AI policy. (Dec. 4, 2019)

  • Senator Ed Markey has blasted the DHS's proposal to mandate facial recognition at US airports, stating "this proposal would amount to disturbing government coercion, and as the recent data breach at Customs and Border Protection shows, Homeland Security cannot be trusted to keep our information safe and secure." Senator Markey asked the DHS to withdraw the proposal and said he would introduce legislation to "ensure that innocent American citizens are never forced to hand over their facial recognition information." EPIC is pursuing a lawsuit to uncover documents about the CBP Entry-Exit program. In comments to the agency and Congress, EPIC explained that the agency unfairly burden travelers who exercise their rights to opt-out of biometric identification. EPIC has recently launched a global campaign, calling for a moratorium on the use of facial recognition for mass surveillance. (Dec. 4, 2019)

  • A federal court has ruled that the National Security Commission on Artificial Intelligence is an agency subject to the Freedom of Information Act. EPIC has sought to make the activities of the AI Commission open to the public, and EPIC sued the Commission when it ignored EPIC's FOIA request. In subsequent briefing, EPIC made clear that the Commission is subject to FOIA under the plain text of the law. Judge Trevor N. McFadden, writing in EPIC v. AI Commission, rejected the Commission's arguments that it is exempt from the law. "[L]ike a stranger offering candy to a child, the Government invites the Court not to read [the FOIA] literally," the court wrote. "The Government has not convinced the Court that it should ignore what Congress said." In 2018, EPIC and leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to ensure a public process for the development of AI policy. (Dec. 3, 2019)

  • In advance of a hearing on "Legislative Proposals to Protect Consumer Data Privacy," EPIC told the Senate Commerce Committee that the U.S. needs a Data Protection Agency. "The FTC's problems are not lack of budget or staff. The FTC has not even filled the current post for a Chief Technologist. The FTC has simply failed to use its resources and authorities to safeguard consumers," EPIC said. EPIC recently obtained documents revealing 3,000 new complaints against Facebook since the Commission proposed the $5 b settlement with Facebook. EPIC's Freedom of Information Act lawsuit had previously found 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency. (Dec. 3, 2019)

  • The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provides no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" have "the right to an effective remedy." (Dec. 3, 2019)

  • Today, the U.S. Supreme Court heard oral arguments in Georgia v. Public.Resource.Org, which concerns the copyright of a state's official law. EPIC filed an amicus brief in the case, signed by 35 experts in law and technology, stating that "free access to the law is guaranteed by our country's traditions and enabled by digital technologies." EPIC explained that "the federal government has worked to ensure that legal materials are broadly accessible to the public; the states should do the same." EPIC and its staff have long promoted online access to judicial opinions and open access to government information. EPIC routinely files amicus briefs in the US Supreme Court in cases concerning emerging privacy and civil liberties issues. (Dec. 2, 2019)

  • Congress has temporarily extended Section 215 of the Patriot Act, a controversial surveillance law that allows collection of the telephone records of Americans. EPIC had urged the Senate Judiciary Committee to end the NSA's phone record collection program. EPIC wrote "events of the past few years make clear that Section 215 should not be renewed." In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems. Both Democrats and Republicans have expressed concerns about the surveillance program. The temporary renewal in the House spending bill extends the law until March 15, 2020. (Nov. 29, 2019)

  • EPIC and DHS have filed a joint status report in EPIC v. DHS. The federal agency has agreed to reprocess previously withheld documents about election security. EPIC filed a Freedom of Information Act lawsuit in 2017, immediately after the agency's decision to designate election systems as "critical infrastructure." The announcement followed the determination that Russia meddled in the 2016 presidential election. The designation also gave the DHS new responsibilities to help protect state election systems. Over the course of litigation, DHS has provided hundreds of pages to EPIC about the agency's role in election system security. But the agency has also withheld information sought by EPIC, including: (1) documents concerning contacts between DHS and State Election Officials, (2) Election Task Force meeting minutes, (3) documents about risk characterizations and analysis reports on Russian interference; and (4) incident reports and vulnerabilities in election systems. Because the 2020 election is fast approaching, EPIC sought the prompt release of these records so that Congress and the public could assess the effectiveness of the DHS security program. The recent court filing between EPIC and the DHS should move the process forward. The case is EPIC v. DHS, 17-2047 (D.D.C). (Nov. 27, 2019)

  • EPIC has joined Access Now and other NGOs, urging ICANN to halt the sale of the .ORG domain to a private equity firm. The terms of the deal remain secret and the deal followed a controversial decision by ICANN to remove price caps. Marc Rotenberg, a founding board member and former chair of the Public Interest Registry, which manages the domain, said the sale would undermine transparency and accountability. "We established .ORG to promote the non-commercial use of the Internet and to provide an exemplar for Internet governance. ICANN should move quickly to make public the terms of the deal, provide a meaningful opportunity for public comment, and then determine if this assignment is consistent with the mission and purpose of the .ORG," said Rotenberg. (Nov. 27, 2019)

  • Ranking Member Cantwell, and Senators Schatz, Klobuchar, and Markey have introduced the Consumer Online Privacy Rights Act, a strong framework for data protection. The bill is based on Fair Information Practices and includes a private right of action so individuals can enforce their rights. The Act would also establish new standards for algorithmic accountability. The bill follows a framework recently announced by Senate Democrats for data protection and privacy. "The Consumer Online Privacy Rights Act is outstanding. The bill gives consumers meaningful rights, holds companies accountable, and protects stronger state safeguards. With the addition of a data protection agency, the bill would establish a comprehensive approach for privacy protection for the U.S.,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Consumer Online Privacy Rights Act an A-. The Senate Commerce Committee will hold a hearing on privacy legislation on December 4. (Nov. 26, 2019)

  • EPIC has published the 2020 edition of The Privacy Law Sourcebook. The Privacy Law Sourcebook is the leading reference book for those interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws and key international privacy laws such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. PLS 2020 also features the California Consumer Privacy Act and the Illinois Biometric Privacy Act. PLS 2020 is available in print and Kindle editions. Other publications, including those by members of the EPIC Advisory Board, are available at the EPIC Bookstore. (Nov. 22, 2019)

  • European privacy advocate Max Schrems spoke to the Privacy Coalition in Washington DC about the GDPR. Max's group None of Your Business (NOYB) is leading the effort to enforce the new privacy law of the European Union. Max is also responsible for one of the leading privacy cases in modern privacy law, Schrems v. DPC, which protected the personal data of Europeans. Max and EPIC have challenged the use of "standard contractual clauses" in a case before the European Court of Justice, known as "Schrems 2.0." (Nov. 22, 2019)

  • EPIC has sent a statement to the New York State Senate recommending passage of legislation modeled on Fair Information Practices and creation of a Data Protection Agency. The NY Senate will hold a hearing this week on Senate Bill 5642, concerting oversight of personal data. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a privacy law. "A strong state privacy law would establish an independent state-level Data Protection Agency with resources, technical expertise, rulemaking authority and effective enforcement powers," EPIC told the New York Senate. EPIC's State Policy Project tracks privacy developments at the state level. (Nov. 21, 2019)

  • Five prominent Senators have demanded that Amazon provide information about Ring, the neighborhood surveillance system posing as a doorbell. Senators Wyden, Markey, Van Hollen, Coons, and Peters wrote that Amazon "holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes." The Senators pressed Amazon for Information about Ring and facial recognition, noting that the company has applied for facial recognition patents. The letter follows an investigation by Senator Markey into Ring's surveillance practices. Senator Markey has also sponsored the Privacy Bill of Rights Act, a bill that would limit some of Amazon's data collection practices. EPIC has recently launched a campaign to Ban Face Surveillance worldwide. After 9-11, EPIC also led the Observing Surveillance campaign to limit the use of surveillance cameras in DC. (Nov. 21, 2019)

  • In response to EPIC's Freedom of Information Act request, the Nebraska Department of Correctional Services has provided to EPIC several documents about Nebraska's use of pre-trial risk assessments. Emails among state officials reveal concerns about the accuracy of the Vant4ge algorithm used for risk assessment. The head of the state agency wrote, "there has not been consistency in how the STRONG-R training is delivered" and "there are errors in how the 'severity index' of specific crimes is coded in the Vant4ge software" which "affect the final risk and needs score calculations produced by the assessment." According to the contract obtained by EPIC, Nebraska committed to continue with Vant4ge until 2022. EPIC previously pursued several lawsuits to obtain information about "predictive policing" and "future crime prediction" algorithms. EPIC obtained documents about pre-trial risk assessments as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. EPIC has urged government agencies to make transparent algorithmic-based decision making. (Nov. 21, 2019)

  • This week, Switzerland signed the Modernized International Privacy Convention. With the Swiss signature thirty-five countries now back Convention 108+. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the international Privacy Convention. (Nov. 21, 2019)

  • The Pennsylvania Supreme Court ruled today that the Fifth Amendment right against self-incrimination prevents the government from requiring a suspect to divulge their computer passcode. The court found that "compelling the disclosure of a password to a computer" is testimonial, and that a limited exception to the Fifth Amendment privilege does not apply to passwords. EPIC filed an amicus brief in a similar case in the New Jersey Supreme Court. EPIC argued in State v. Andrews that the Fifth Amendment exception should be limited because it predated the vast amounts of personal data stored on computers and telephones. EPIC cited the U.S. Supreme Court's recent decisions in Riley v. California and Carpenter v. United States. EPIC has long filed amicus briefs arguing that constitutional protections should keep pace with advances in technology. (Nov. 20, 2019)

  • The Committee of European Convention 108 (the "Privacy Convention") has announced the second edition of the Rodotà Award, intended to reward innovative academic research projects to advance data protection. The award honors the memory of Stefano Rodotà, a prominent Italian law professor and candidate for the Italian presidency who championed democratic institutions, human rights, and data protection. The competition is open to researchers from all regions of the world participating in the work of the Committee of Convention 108. Application here. Deadline: 18 December 2019. Competition rules. The prize winner will be announced on Data Protection Day (28 January 2020) and will have the opportunity to present his/her work at the next Plenary session of the Committee of Convention 108 to be held in Strasbourg in July 1-3, 2020. In 2009, Prof. Rodotà received the first EPIC International Champion of Freedom Award. (Nov. 19, 2019)

  • Speaking to the Council of Europe in Strasbourg, EPIC's Marc Rotenberg urged democratic nations to move forward a policy framework for AI that safeguards human rights. "You cannot afford to wait," said Mr. Rotenberg, describing the work of EPIC to establish algorithmic accountability. In the past few years, EPIC has promoted Algorithmic Transparency, supported the Universal Guidelines for AI, and published the first reference book on AI policy. EPIC has also challenged the secrecy of the US National Commission on AI and urged the recognition of AI policy frameworks to regulate the use of AI techniques. (Nov. 19, 2019)

  • This week a federal appellate judge pressed the government about the reliability of a Google scanning algorithm that provided the basis for the warrantless search of a private email. EPIC raised concerns about the scanning technique in an amicus brief for the appeals court. In United States v. Wilson, EPIC argued that "because neither Google nor the Government explained how the image matching technique actually works or presented evidence establishing accuracy and reliability, the Government's search was unreasonable." Judge Watford told the government attorney that he "would like to hear your defense of the evidentiary record" because what we have "is this declaration from the Google person," and "I would need far more explanation of how reliable the hash matching technology is before I could validate this search." EPIC filed an amicus brief in a similar case in United States v. Miller. EPIC routinely submits amicus briefs on the privacy implications of new investigative techniques. EPIC has also long promoted algorithmic transparency to ensure accountability for AI-based decision making. (Nov. 18, 2019)

  • Google has announced that it will no longer describe the type of content on an app or webpage when conducting auctions for ads. Google stated the change was the result of "engagement with data protection authorities" and would help prevent those bidding on ads from linking individual people to sensitive content. The change raised concerns about entrenching Google's dominance over internet advertising and whether the policy change would further diminish advertising revenue for content publishers. Questions also remain as to whether the change is necessary under the GDPR if user IDs are effectively deidentified as Google has claimed. Google's modifications to its Street View data collection failed to halt multiple fines by data protection agencies for legal violations. The company's ad exchange is still under investigation for violations of the EU General Data Protection Regulation. EPIC recently urged lawmakers to unwind bad mergers, including Google's acquisition of YouTube and Nest. (Nov. 18, 2019)

  • Top Senate Democrats today unveiled key goals for comprehensive federal data privacy legislation. The Democratic Senators' proposal calls for strong consumer rights, corporate accountability, effective enforcement, data minimization, and accountability for algorithmic decision making. The proposal would not preempt stronger state privacy laws. The proposal is backed by Senators Maria Cantwell, Dianne Feinstein, Sherrod Brown, and Patty Murray, and endorsed by Senators Ron Wyden, Richard Blumenthal, Brian Schatz, and Ed Markey, as well as Minority Leader Chuck Schumer. EPIC Policy Director Caitriona Fitzgerald called the new Senate proposal a game changer. "We are now on track for the adoption of comprehensive privacy legislation in the United States," she said. "The Senate should move forward this excellent proposal." (Nov. 18, 2019)

  • According to a new poll from the Pew Research Center, 75% of Americans say there should be new regulations of what companies may do with personal data. 81% of the public believe that the risks of data collection by companies outweigh the benefits, and 66% say the same about government. 79% of Americans say they are at least somewhat concerned about how companies use personal data, 36% say they are very concerned. 79% of Americans say they are not confident that companies will admit mistakes and take responsibility if they misuse personal data. 70% of adults say their personal data is less secure than it was 5 years ago. Only 2% of respondents described digital privacy as "knowledge and consent." The survey results are based on a nationally representative panel of randomly selected U.S. adults. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency. (Nov. 18, 2019)

  • In a FOIA lawsuit, EPIC has obtained an original draft of the proposal by former DHS Secretary Jeh Johnson to designate state election systems as critical infrastructure. Released in a set of previously withheld documents, the draft memo states "[g]iven the vital role elections play in this country, certain systems and assets of election infrastructure meet the statutory definition of critical infrastructure in fact and in law." The DHS policy was announced on January 6, 2017, the same day the ODNI found extensive Russian interference in the 2016 Presidential election. EPIC later litigated for the release of the complete ODNI report, which found that Russian intelligence services had "obtained and maintained access to elements of multiple U.S. state or local electoral boards." EPIC also obtained from DHS documents about the background and implementation of the critical infrastructure designation. Other documents released as a result of EPIC's suit show the DHS continued to encourage state efforts in election security by making federal resources available on a voluntary basis. The case is EPIC v. DHS, No. 17-2047. (Nov. 18, 2019)

  • With the conclusion of Roger Stone's trial on Friday, the Justice Department must now disclose additional sections of the Mueller Report to EPIC in EPIC v. DOJ. Previously, the agency argued that it could withhold portions of the Report because disclosure would interfere with Mr. Stone's right to a fair trial. But following Mr. Stone's conviction on seven counts, the DOJ can no longer make that claim. The material withheld by the DOJ would likely reveal the role that Wikileaks played in the 2016 presidential election. In EPIC v. DOJ, EPIC is seeking the public release of the complete and unredacted Mueller Report. A ruling is expected soon. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Nov. 15, 2019)

  • The Director of National Intelligence has notified Congress that U.S. intelligence agencies are no longer obtaining cell site location data without “a showing of probable cause.” The change is a direct result of the Supreme Court’s decision in Carpenter v. United States, which held the Fourth Amendment protects location records generated by mobile phones. The Director wrote that “given the significant constitutional and statutory issues the decision raises,” the intelligence community has “not sought CSLI records or global positioning system (GPS) records” without probable cause “since Carpenter was decided.” EPIC filed an amicus brief in Carpenter, joined by 36 technical experts and legal scholars (members of the EPIC Advisory Board), urging the Court to extend Constitutional protection to cell phone data. Last year, EPIC’s Marc Rotenberg wrote that "Congress now has an opportunity to update federal privacy law, providing greater clarity for digital searches after the Carpenter decision.” (Nov. 15, 2019)

  • The Internet Society announced that it plans to sell the Public Interest Registry, which manages the .ORG domain, and all of its assets to Ethos Capitol, a private equity firm. The announcement follows a decision to remove price caps on domain name purchases that was widely opposed by the user community. EPIC's Marc Rotenberg, who was a founding board member and former chair of PIR, told Gizmodo he was "very disappointed" by the news. "We built the .org domain with the specific goal of promoting the noncommercial use of the Internet," Rotenberg said. "There are many models, including ICANN itself, that could allow for effective management of the domain by a non-profit corporation. There are critical elements of transparency and accountability that will be lost when the Public Interest Registry is acquired by a private equity firm." The PIR website currently states, "PIR's believes that a best practice is transparency and accountability to itself, its stakeholders, and the public. The release of our annual IRS 990 Form provides publicly-available financial information to maintain our non-profit status in good standing." (Nov. 15, 2019)

  • The International Conference of Data Protection and Privacy Commissioners today announced a new logo and a new name: the Global Privacy Assembly (GPA). According to the Commissioners, "the new logo and name represent the evolution of the conference and the current work to modernise it, including a new policy strategy which sets out a clear vision for the organization." The GPA Policy Strategy outlines three goals for regulatory cooperation: global frameworks and standards, enforcement co-operation, and policy themes. The Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) will host the Global Privacy Assembly in Mexico City in October 2020. Francisco Javier Acuña Llamas, President of the INAI, said "Thanks to the collaboration of our colleagues, we created a logo which represents the organization's main attributes: international cooperation, knowledge sharing, independence and leadership." The Public Voice Project and the EPIC Public Voice Fund will provide opportunities for civil society organizations to participate in the work of the Global Privacy Assembly. (Nov. 15, 2019)

  • Responding to concerns raised by EPIC and others, the largest manufacturer of civilian drones in the world plans to implement a remote identification technique that would allow anyone with a smartphone to identify and track drones near them. According to DJI, "the location, altitude, speed and direction of the drone, as well as an identification number for the drone and the location of the pilot" would be available via a mobile phone app. In several comments to the FAA, EPIC urged the agency to require manufacturers to implement an active drone ID broadcasting requirement. This past summer the European Union established a requirement for real-time drone identification that aligns with EPIC's 2015 recommendations to the FAA, which stated that drone identification should be "similar to the Automated Identification System for commercial vessels." EPIC also wrote that "Because drones present substantial privacy and safety risks, EPIC recommends that any drone operating in the national airspace system include a mandatory GPS tracking feature that would always broadcast the location of a drone when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information." Speaking at the 2016 privacy commissioners conference in Marrakech, EPIC President Marc Rotenberg warned of the "identification asymmetry" that would arise if drones were not required to broadcast identifying information. (Nov. 14, 2019)

  • In a new report the European Data Protection Board is raising concerns about the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The EDPB, a group of top data protection authorities from across Europe, called for more rigorous review of compliance with the Shield, urged the Privacy and Civil Liberties Oversight Board to publish assessments of U.S. surveillance, and concluded that the Shield Ombudsperson was not a sufficient remedy for potential privacy violations. The European Commission recently renewed the agreement, despite comments from EPIC and other civil society organizations highlighting U.S. mass surveillance practices and weak privacy safeguards. (Nov. 14, 2019)

  • Senators Chris Coons (D-Del) and Mike Lee (R-Utah) today introduced legislation that will require federal law enforcement agencies to obtain a warrant before engaging in ongoing face surveillance. The Facial Recognition Technology Warrant Act of 2019 would apply to public surveillance using facial recognition technology that lasts more than 72 hours, and the warrants would expire after 30 days. EPIC recently testified before the Massachusetts Legislature in support of a moratorium on face surveillance. And a recent Public Voice petition calling for a moratorium on the use of facial recognition has received support from more than 90 organizations and 700 individuals (including many leading experts) in more than 40 countries. (Nov. 14, 2019)

  • EPIC joined a coalition of civil liberties and immigrant rights organizations to urge the Department of Justice to rescind a proposed rule that effectively requires the DHS to collect DNA from all non-US persons the agency detains or arrests. The coalition stated that the proposed rule was an "unacceptable and unnecessary privacy intrusion" that will impact not only the individual's DNA being collected but also family members, including American citizens. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. In the 2013 brief, EPIC described the "dramatic and unpredictable" expansion of the government's DNA collection over the past decade. (Nov. 13, 2019)

  • In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review must consider data protection and that the Federal Trade Commission must block Google's plan to acquire Fitbit. "Far from protecting market competition and promoting innovation, the Commission is facilitating industry consolidation," EPIC said in the statement released in advance of the hearing. EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google/Alphabet has acquired "with barely a whimper from the Federal Trade Commission." EPIC said: "This is not antitrust enforcement. This is agency negligence." EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC warned the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. (Nov. 12, 2019)

  • Following a DC consumer protection suit that EPIC filed against AccuWeather in 2018, the company has stopped deceptively gathering users' location data. In its Complaint, EPIC charged that AccuWeather grabbed consumers' location data even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to advertisers. Now AccuWeather, following EPIC's case, has changed its business practices. Users can decline dvertising and other non-functional uses of their device information, and users can delete the information that AccuWeather collects about their device. EPIC has long advocated for the privacy of location data. EPIC filed a "friend of the court" brief with the US Supreme Court in, Carpenter v. US, a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber's tracking of subscribers. EPIC also opposed Apple's tracking of iPhone users. EPIC also maintains detailed webpages on location privacy. (Nov. 12, 2019)

  • EPIC told a federal court this week that the National Security Commission on Artificial Intelligence must comply with the Freedom of Information Act. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of” AI in a national security setting. But the Commission has operated largely in secret and claims that it is exempt from open government laws. The Commission has received almost 200 closed-door briefings, with no published agendas and no public minutes. EPIC, which filed suit against the Commission in September, explained that Congress left “no doubt that the AI Commission is subject to the FOIA.” The Commission recently released a report to Congress, which criticized the EU General Data Protection Regulation and called for greater "government access to data on Americans." EPIC’s case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Nov. 8, 2019)

  • The influential LIBE Committee of the European Parliament has issued a long-awaited report on a proposal to create rules for law enforcement access to personal data stored outside the EU. The report of the Parliament on "e-Evidence" would revise an earlier proposal and create new safeguards, permitting access orders only when strictly necessary, restricting the circumstances when orders may be issued, limiting the use of information collected, and expanding remedies for individuals subject to unlawful access. Speaking at the European Parliament on the e-Evidence proposal last year, EPIC called for similar safeguards for law enforcement access to data, as well as data minimization, transparency, and notice to indivduals. EPIC recently led a coalition of 20 civil society organizations objecting to data access under the less protective U.S.-U.K. Agreement. (Nov. 7, 2019)

  • The International Grand Committee on Fake News and Disinformation, meeting in Dublin, agreed today to principles to advance the global regulation of social media. EPIC President Marc Rotenberg, who spoke earlier in the day to the Committee, praised the outcome. “This is an important step forward,” said Mr. Rotenberg. “The Committee has recognized that self-regulation has failed and that social media firms must be subject to the rule of law and democratic institutions. EPIC fully supports the recommendation for transparency regarding the source, targeting methodology and levels of funding for all online political advertising. But the Committee will need to do more to safeguard election integrity.” Mr. Rotenberg’s prepared statement highlighted an opinion of the former European Data Protection Supervisor Giovanni Buttarelli, who said the solution to the challenge of fake news “is to be found beyond content management and transparency. We also need better enforcement of the rules on data processing, especially sensitive information such as health, political and religious views, and accountability." (Nov. 7, 2019)

  • In testimony before the International Committee on Fake News, EPIC President Marc Rotenberg today called for an end to Facebook's political ads. "The company's view of political advertising is both reckless and irresponsible," said Rotenberg. He added that advertising revenue should "flow back to traditional media and help strengthen independent journalism." EPIC also urged enforcement of the GDPR. "History must not repeat itself," said Rotenberg, citing the failure of the US Federal Trade Commission to act when it had the opportunity to do so. The international Committee, meeting in Dublin, is comprised of lawmakers from 14 countries, including Rep. Cicilline, chair of the House committee on antitrust. (Nov. 7, 2019)

  • Today, EPIC filed a complaint with the FTC alleging that recruiting company HireVue has committed unfair and deceptive practices in violation of the FTC Act. EPIC charged that HireVue falsely denies it uses facial recognition. EPIC also said the company failed to comply with baseline standards for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. The company purports to evaluate a job applicant's qualifications based upon their appearance by means of an opaque, proprietary algorithm. EPIC has brought many similar consumer privacy complaints to the FTC, including a complaint on Facebook's facial recognition practices that contributed to the FTC's 2019 settlement with Facebook. Last year EPIC also asked the FTC to investigate the Universal Tennis Rating system, a secret technique for scoring high school athletes. (Nov. 6, 2019)

  • EPIC joined over 50 organizations in a declaration on the harms of social media surveillance by law enforcement. The groups said that social media surveillance is "often covert and conducted without oversight" and allows law enforcement "to monitor and archive information on millions of people's activities." As EPIC explained in a Spotlight on Surveillance, such surveillance "will subject more innocent people to government investigation." In an op-ed last year, EPIC Senior Counsel, Jeramie Scott, explained how private industry fuels social media monitoring, creating huge databases of personal data that is sold to law enforcement. (Nov. 6, 2019)

  • Following the release of a report by the US Commission on Artificial Intelligence, EPIC is seeking specific information about recommendations that could impact the privacy rights of Americans. EPIC previously sued the Commission to make public its records and meetings. Now EPIC wants to know why the Commission criticized the EU General Data Protection Regulation and why the Commission wants to amend U.S. privacy laws to allow "government access to data on Americans." EPIC is also curious why the Commission selectively published the names of organizations and businesses it consulted. The Commission is chaired by former Google CEO Eric Schmidt. EPIC filed suit against the Commission earlier this year to ensure transparency and public participation. The Commission has held more than 200 closed-door meetings. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C). (Nov. 6, 2019)

  • Representatives Eshoo and Lofgren have introduced the Online Privacy Act, a comprehensive framework for data protection in the United States. The bill would establish a data protection agency, create meaningful privacy safeguards for consumers, and hold companies accountable for the collection and use of personal data. The bill is based on Fair Information Practices and includes a provision on algorithmic accountability. "The Online Privacy Act sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Online Privacy Act the #1 privacy bill in Congress. (Nov. 5, 2019)

  • In advance of a hearing on reauthorizing the Freedom Act, EPIC sent a statement to the Senate Judiciary Committee urging Congress to end the NSA's phone record collection program, known as "Section 215." EPIC wrote "events of the past few years make clear that Section 215 should not be renewed." Section 215 of the Patriot Act allowed the NSA to collect the telephone records of Americans. In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems. The Director of National Intelligence also confirmed that the program was suspended. Section 215 will sunset unless Congress chooses to reauthorize the program. (Nov. 5, 2019)

  • In a statement to the D.C. City Council, EPIC urged council members to ban the use of facial recognition technology on police-worn body cameras. The Council held a public roundtable to assess the use of police body-worn cameras by the Metropolitan Police Department. EPIC described the growing opposition to facial recognition technology in the United States as well as internationally. EPIC previously testified before the City Council on body cameras, stating there are "more productive means to achieve police accountability that do not carry the risk of increasing surveillance." A 2017 study of MPD body cameras found that the cameras had no impact on police use of force and civilian complaints. (Nov. 5, 2019)

  • EPIC, the Brennan Center and over 40 organizations have opposed the Department of Homeland Security plan to collect social media identifiers from immigrants and foreign travelers. The civil liberties coalition warned of the "chilling effect on speech, intrusion of privacy, and disparate impact" the plan would have. As EPIC explained in a Spotlight on Surveillance, government collection of social media data raises substantial privacy and civil liberties concerns. EPIC previously opposed a proposal by the DHS to collect social media identifiers. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media. (Nov. 5, 2019)

  • Presidential Candidate Cory Booker has introduced the No Biometric Barriers to Housing Act, a bill to ban the use of facial recognition technology in public housing. “Facial recognition technology has been repeatedly shown to be incomplete and inaccurate, regularly targeting and misidentifying women and people of color. We need better safeguards and more research before we test this emerging technology on those who live in public housing and risk their privacy, safety, and peace of mind,” Senator Booker said. Congresswoman Yvette Clarke (D-NY) introduced similar legislation in the House in July. The House bill now has 10 cosponsors. EPIC recently testified before the Massachusetts Legislature in support of a moratorium on face surveillance. EPIC also organized a civil society declaration endorsed by over 80 organizations and 650 individuals to suspend the deployment of facial surveillance technology. (Nov. 4, 2019)

  • In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to pass legislation to safeguard consumer data from foreign adversaries. Prior to a hearing on "How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors," EPIC explained that "U.S. businesses, with their vast collections of personal data, remain the target of cyber-attack by criminals and foreign adversaries." EPIC warned the Senate about foreign access to consumer data in testimony over two years ago. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a privacy law, including federal baseline legislation and the creation of a Data Protection Agency. (Nov. 4, 2019)

  • A report released today by the National Security Commission on Artificial Intelligence raises new concerns about privacy and human rights safeguards for the use of AI by the federal government. The report to Congress acknowledges that "AI tools present states with greater capabilities to monitor and track their citizens or those of other states" and that AI "increases the risk of human rights abuses or violation of individual privacy[.]" The Commission also calls for AI uses that are "consistent with constitutional principles of due process, individual privacy, equal protection, and non-discrimination." But the report criticizes the EU's "privacy-first approach" to AI, calling the GDPR "a significant obstacle in any efforts to standardize privacy regulations," even though many leading US companies have agreed to comply with the privacy law. The Commission's report was drafted almost entirely in secret, in violation of multiple open government laws. In September, EPIC filed suit against the Commission to ensure transparency and public participation. EPIC's case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Nov. 4, 2019)

  • A federal appeals court has ruled that President Trump's accountants must turn over eight years of the President's personal tax returns to the Manhattan district attorney. The Second Circuit Court of Appeals rejected the President's attempt to block a grand jury subpoena for the returns, finding "no support" for the argument "that a President's private and non‐privileged documents may be absolutely shielded from judicial scrutiny." EPIC previously sought President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President about his taxes. In EPIC v. IRS II, EPIC is seeking "offers-in-compromise" and related tax records of President Trump and his businesses. (Nov. 4, 2019)

  • In a statement released today, Marc Rotenberg said that EPIC would oppose Google's proposed acquisition of the fitness tracking company Fitbit. Mr. Rotenberg said the deal should not be approved. "There is no reason to trust Google's assurances about privacy protection," Mr. Rotenberg said, citing previous matters involving Doubleclick, YouTube, Google HomeMini, and Nest. Noting statements antitrust enforcement by the the FTC Chairman and the Assistant Attorney General, Mr. Rotenberg also said, "The Google-Fitbit deal is a test of their commitment to competition, innovation, and data protection." EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services. (Nov. 4, 2019)

  • In a New York Times article, consumer advocate Ralph Nader endorsed the creation of a data protection agency. Nader told the Times that the U.S. needs a "new agency when the abuse pattern is so expansive that the authority in the existing agencies is obsolete and inadequate.” Rashid Robinson, President of Color of Change, said "We need to have a new data protection agency, an agency that examines the social, ethical impact of high-risk data practices.” EPIC and consumer groups have urged Congress to establish a data protection agency. EPIC has long advocated for a U.S. Data Protection Agency, noting that the United States is one of the few democracies in the world that does not have a federal data protection agency. (Nov. 3, 2019)

  • A bipartisan group of Senators has introduced legislation that would give users the option to engage with a platform without being manipulated by algorithms driven by user-specific data. The Filter Bubble Transparency Act, sponsored by Senators Thune (R-SD), Blumenthal (D-CT), Moran (R-Kan.), Blackburn (R-Tenn.) and Warner (D-Va.), would require large platforms to provide users with the option of a filter bubble-free view of the information they provide. "This legislation is about transparency and consumer control," said Senator Thune. EPIC board member Shoshana Zuboff said, "Filter bubbles divide and conquer. The Filter Bubble Transparency Act begins the work of breaking this manipulative and divisive cycle." However, the bill stops short of requiring Internet companies to reveal the algorithms used to manipulate users. EPIC first warned the Federal Trade Commission about the risk of opaque search algorithms in 2011. EPIC has since advocated for Algorithmic Transparency and urged adoption of the Universal Guidelines for AI. In a 2017 statement for the Senate Commerce Committee EPIC wrote, "It is becoming increasingly clear that Congress must regulate AI to ensure accountability and transparency." (Nov. 1, 2019)

  • The National Security Commission on Artificial Intelligence held yet another closed-door meeting last week to finalize its upcoming report to Congress and the President. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address national security and defense needs. But the Commission has operated almost entirely in secret, unlawfully denying the public access to its meetings and withholding nearly all of its records. In September, EPIC filed an open government lawsuit against the AI Commission to ensure transparency and public participation. The Commission's report is due to be released next week. EPIC’s case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Nov. 1, 2019)

  • Next week the Supreme Court will consider Kansas v. Glover, a case concerning car stops and the status of the registered owner's license. EPIC filed an amicus brief in the case which could lead to police stopping any vehicle if the registered owner's license is suspended. EPIC warned that the Court's decision, when combined with automated license plate readers, could "dramatically alter police practices" and "unfairly burden disadvantaged communities." EPIC provided empirical data for the Court that indicate that police use license plate readers more frequently in disadvantaged communities. EPIC also provided data that car sharing is more prevalent in these communities and therefore that many drivers whose license is not suspended will be stopped. EPIC noted that the Supreme Court has previously established legal safeguards in response to evolving policing techniques, such as GPS tracking devices, (US v. Jones), cell phones searches (Riley v. California), and location data collection (Carpenter v. United States). EPIC recommended that the Court recognize the role of automated license plate readers in police stops. EPIC routinely files amicus briefs in federal and state courts concerning emerging privacy issues. (Oct. 31, 2019)

  • New emails released in EPIC's lawsuit show that Justice Kavanaugh, as a White House adviser, defended the controversial warrantless wiretapping program that Congress ended in 2015. Following a New York Times article which revealed government wiretapping without judicial authority, Kavanaugh circulated legal justifications for the program. The emails obtained by EPIC also show that Kavanaugh and then Justice Department lawyer Neil Gorsuch placed a USA Today op-ed defending the program. In the nomination hearing for the federal appeals court, Kavanaugh downplayed his role in the wiretapping program, though judge Kavanaugh later defended the NSA program based on a novel legal theory that leading scholars disputed. Documents previously obtained by EPIC revealed that Kavanaugh exchanged hundreds of emails with White House and DOJ staff about the NSA surveillance program. (Oct. 31, 2019)

  • The UK Information Commissioner's Office is raising concerns about the use of "live-streaming facial recognition" (LFR). In an official opinion, Commissioner Elizabeth Denham said that the deployment of facial recognition technology by law enforcement must comply with data protection law. The ICO opinion "recognises the high statutory threshold that must be met to justify the use of LFR, and demonstrate accountability, under the UK's data protection law." A recent Public Voice petition calling for a moratorium on the use of facial recogntion has received support from more than 80 organizations and 600 individuals, including many leading experts. (Oct. 31, 2019)

  • In a statement to the House Commerce Committee, EPIC recommended reauthorization of the SAFE WEB Act and federal baseline privacy legislation. "The Safe WEB Act should be reauthorized - cross-border enforcement and cooperation is critical for effective protection of US consumers. But it is just as critical for effective protection that Congress enact a comprehensive baseline privacy legislation and establish a U.S Data Protection Agency," EPIC said in advance of the hearing. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a privacy law. EPIC previously testified before both the House Commerce Committee and the Senate Commerce Committee on the SAFE WEB Act. (Oct. 29, 2019)

  • A coalition of 20 civil society organizations are objecting to the proposed U.S.-U.K. CLOUD Act Agreement, which will allow cross-border data access and wiretapping by law enforcement agencies. In a letter to Congress, the groups explained the Agreement "fails to adequately protect the privacy and due process rights of U.S. and U.K. citizens." The coalition urged Congress to block the Agreement. In testimony before the European Parliament and in an amicus brief for the Supreme Court in United States v. Microsoft, EPIC has argued that cross-border access to personal data requires robust human rights protections, including notice, judicial authorization, and transparency. (Oct. 29, 2019)

  • A new report from the Axon AI and Policing Technology Ethics Board details problems with automated license plate readers, including the disproportionate impact on communities of color and the long-term tracking of innocent drivers. The Axon report recommends public review prior to use of license plate readers. The report also recommends that license plate reader alerts should not be sufficient grounds to stop a vehicle. EPIC made a similar recommendation in an amicus brief for the U.S. Supreme Court for Kansas v. Glover, arguing against traffic stops based solely on alerts that a registered owner's license is suspended. EPIC previously obtained documents about the extensive use of license plate readers by the Department of Homeland Security and the Federal Bureau of Investigation. EPIC's Senior Counsel Jeramie Scott has warned about the risk of mass surveillance with technologies such as license plate readers. (Oct. 28, 2019)

  • The Department of Justice has proposed a rule that effectively requires the DHS to collect DNA from any non-US person the agency detains or arrests. The deadline for public comments is November 12, 2019 and can be submitted here. EPIC has supported increased privacy protections for DNA. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. In the 2013 brief, EPIC described the "dramatic and unpredictable" expansion of the government's DNA collection over the past decade. (Oct. 25, 2019)

  • Meeting in Tirana, Albania, the 41st International Conference of Data Protection and Privacy Commissioners adopted resolutions on privacy as a fundamental right, human error in data breaches, and social media and violent extremist content online. The Commissioners also adopted resolutions on strategic direction, cross-border enforcement, and regulatory cooperation between data protection agencies and consumer protection and competition authorities. Civil society has urged the data protection commissioners to support a moratorium on facial recognition technology. A petition organized by the Public Voice received support from more than 80 organizations and 500 individuals (including leading experts) in more than 40 countries. Privacy International and the Open Markets Institute were among the civil society speakers at the conference. The 2020 conference will be held in Mexico City. The ICDPPC will also be renamed the "Global Privacy Assembly." (Oct. 24, 2019)

  • EPIC advised the Senate Banking Committee for a hearing on "Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation" that "data portability" will not help consumers, but would likely facilitate mergers and consolidation in the Internet industry. EPIC said Congress should pass baseline federal legislation modeled on the Fair Information Practices and establish a U.S. Data Protection Agency. EPIC recently published "Grading on a Curve: Privacy Legislation in the 116th Congress" evaluating the current privacy bills in Congress. (Oct. 24, 2019)

  • During today's House Financial Services hearing, Rep. Nydia Velazquez [D-NY] grilled Mark Zuckerberg about the misrepresentations Facebook made to regulators when it acquired WhatsApp — misrepresentations that led to fines in the EU. "Why should we believe what you and Calibra are saying about protecting customer #privacy and financial data?" said Rep. Velazquez. EPIC raised the same issue in a July statement to the House Financial Services Committee, saying "Facebook clearly cannot be trusted with consumers' financial data" and outlining Facebook's long history of failing to protect user data. EPIC is challenging the proposed settlement between the Federal Trade Commission and Facebook, charging that the Commission has failed to investigate thousands of pending complaints against the company. (Oct. 23, 2019)

  • The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The Commission concluded the recent FTC-Facebook settlement did not bar enforcement actions related to the Privacy Shield. The Commission also noted positively the appointment of a Ombudsperson to receive complaints about U.S. surveillance, FTC enforcement actions for false Privacy Shield certifications, and assurances from the U.S. intelligence community that specific selectors are used to limit foreign intelligence collection. The Commission did urge the FTC to bring actions for substantive violations of the Shield. In comments on the Privacy Shield and in a letter to Congress, EPIC called for a permanent end to the broad telephone record collection under Section 215 of the Patriot Act. The validity of the Privacy Shield is still in dispute in several cases before Europe's highest court. (Oct. 23, 2019)

  • A federal appeals court has let stand a ruling that users can sue Facebook for collecting and using their facial images. The court previously held in Patel v. Facebook that an Illinois biometrics law protects "concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that the violation of a privacy law is sufficient for users to sue a company. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. (Oct. 23, 2019)

  • Speaking at the annual meeting of the privacy commissioners, EPIC President Marc Rotenberg presented a declaration from civil society calling for a moratorium on the further deployment of facial recognition. The declaration, organized by the Public Voice coalition, has gathered the support of more than 60 organizations and many leading experts in 30 countries around the world. The declaration calls on countries to (1) suspend the further deployment of facial recognition for mass surveillance; (2) review all facial recognition systems to determine whether personal data was obtained lawfully; (3) undertake research to assess bias and risk; and (4) establish legal rules, technical standards, and ethical guidelines before further deployment occurs. Mr. Rotenberg explained that around the world there is growing opposition to the deployment of facial recognition and urged the international data protection commissioners to act. (Oct. 23, 2019)

  • EPIC Policy Director Caitriona Fitzgerald will testify today before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. Under S. 1385 and H. 1538 the use of facial recognition technology by the state would be banned until privacy and security safeguards are in place. EPIC recommended eight principles that must be adhered to prior to deployment of facial recognition technology: 1) prohibition on mass surveillance; 2) provably non-discriminatory; 3) minimal retention; 4) transparency; 5) security; 6) monitoring for inappropriate uses; 7) accountability; and 8) independent auditing. EPIC noted the growing use of facial recognition technology in China and Hong Kong, as well as the bipartisan support for a facial recognition moratorium in Congress. (Oct. 22, 2019)

  • Today the D.C. City Council held a public roundtable on Five Years of the Metropolitan Police Department's Body-Worn Camera Program: Reflections and Next Steps. In 2015, EPIC testified before the D.C. City Council regarding police body-worn cameras. EPIC warned of the surveillance risks of body cameras and argued there are more effective means to address police accountability. EPIC previously testified before the DC City Council in 2008, warning that "facial recognition that will make it possible to identify people in public places." EPIC also launched the Observing Surveillance project in 2003 to draw attention to the growing surveillance of DC residents by integrated camera systems. California has recently banned the use of police-worn body cameras. (Oct. 21, 2019)

  • EPIC has told a House committee that the Freedom of Information Act is critical to keep the Department of Homeland Security accountable. The House Homeland Security Committee held a hearing this week on "The Public’s Right to Know: FOIA at the Department of Homeland Security.” EPIC has brought many FOIA cases against the DHS, including those concerning backscatter x-ray devices in airports, a DHS program to track journalists, and the CBP biometric entry-exit system. In 2011, EPIC urged Congress to end the agency’s political review of FOIA requests. In 2012, EPIC led an effort to reform the DHS treatment of fee wavers. And in 2016, the DHS revised FOIA regulations, reflecting several of EPIC’s recommendations. In comments this week, EPIC observed that DHS’s FOIA processing does not compare favorably with other federal agencies. EPIC recommended that DHS improve the processing of FOIA requests and respond to appeal authorities. EPIC wrote that continued oversight of the DHS is critical. "No federal agency has greater budget authority to develop systems of surveillance directed towards U.S. residents,” EPIC said. (Oct. 18, 2019)

  • EPIC has advised the FBI to withdraw a proposal to remove Privacy Act compliance obligations for the National Crime Information Center. The FBI is seeking broad exemptions to regulations that promote records accuracy, ensure data subject access, and limit over collection of personal data. EPIC wrote that the proposed exemptions would "lead to increasing record inaccuracy and the misuse of personal information.” There are numerous reports of misuse of the data in the NCIC and growing concerns about record accuracy. In 2003, EPIC organized a coalition of nearly 90 organizations to urge accuracy in the NCIC record systems. EPIC also submitted amicus briefs to the Supreme Court in Herring v. US and Kansas v. Glover warning about inaccurate records in police databases that would lead to unlawful searches and car stops. (Oct. 18, 2019)

  • In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram. (Oct. 18, 2019)

  • EPIC joined a coalition of organizations calling for Congress to reform Section 702 of the Foreign Intelligence Surveillance Act amidst debate over whether to reauthorize related authorities which are about to expire. The letter follows release of FISA Court rulings that FBI violated the law when it searched for information about Americans in communications intercepted for foreign intelligence purposes. The Court also required the agency use new safeguards. The coalition letter urges Congress to prohibit these "backdoor searches" and calls for an end to "abouts" collection - a broad surveillance technique involving collection of communications that are not to or from a surveillance target. In January 2018, as the result of a FOIA lawsuit EPIC obtained a report explaining how the FBI searches of Americans' data collected under the 702 program. (Oct. 17, 2019)

  • In a statement to the Senate Commerce Committee, EPIC has called for a moratorium on the use of facial recognition by the Transportation Security Administration. "Because TSA has failed to establish the necessary privacy safeguards, including ensuring that travelers are able to exercise their legal right to opt-out,” EPIC said, "we request you suspend the TSA’s use of facial image technology pending the completion of required public rulemaking by CBP.” EPIC added, "There is currently no legal authority for DHS’ or TSA’s use of facial recognition technology." After a Buzzfeed story earlier this year featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program. Many cities and states are moving now to limit the use of facial recognition technology. (Oct. 16, 2019)

  • A federal court denied a motion for a preliminary injunction against the National Commission on Artificial Intelligence. The Commission is chaired by former Google CEO Eric Schmidt, dominated by representatives of large tech firms, and has operated in near total secrecy. EPIC filed a Freedom of Information Act lawsuit to open the records and meetings of the AI Commission to the public. Today EPIC urged the court to issue a preliminary injunction to compel the production of records, an unusual motion in a FOIA case. The court denied the motion but agreed to consider whether the Commission is subject to FOIA on an expedited briefing schedule. The Commission is expected to release a report to the President and Congress on November 5, but to date the Commission has provided little information about its activities, meetings, or planned recommendations. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Oct. 16, 2019)

  • EPIC Board Member Danielle Citron will testify today before the House Energy & Commerce Committee regarding corporate responsibility for online activity. In her written testimony, Professor Citron stated, "Section 230 should be revised to condition the legal shield on reasonable content moderation practices in the face of clear illegality that causes demonstrable harm. That would return the statute to its original purpose—to allow companies to act more responsibly, not less." In an amicus brief filed with the Second Circuit Court of Appeals last year, EPIC said that Section 230, a provision in the Communication Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." Professor Citron was recently selected for the prestigious MacArthur Fellowship and is the author of Hate Crimes in Cyberspace, available at the EPIC Bookstore.
    (Oct. 16, 2019)

  • Today EPIC filed an amicus brief in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest.” EPIC explained that the proposed settlement “largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” EPIC noted, the "Commission also seems entirely unconcerned by Facebook’s planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission.” EPIC previously filed a motion to intervene in the case that has not yet been resolved by the court. Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission. (Oct. 16, 2019)

  • EPIC will argue in federal court on Wednesday that the National Commission on Artificial Intelligence has violated the Freedom of Information Act and must immediately process EPIC’s FOIA Requests to the Commission. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI in the United States. EPIC filed multiple requests for access to Commission meetings and records. But the Commission has operated almost entirely in secret, even as it prepares to submit recommendations to Congress and the President on November 5. EPIC filed suit against the Commission last month and asked the court to issue a preliminary injunction. The Commission is chaired by former Google CEO Eric Schmidt and dominated by representatives of large tech firms, including Microsoft, Amazon, and Oracle. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Oct. 16, 2019)

  • EPIC has filed an amicus brief in the U.S Supreme Court case Georgia v. Public.Resource.Org, which concerns Georgia’s copyright of the state’s official annotated code. EPIC’s brief, signed by thirty-five experts in law and technology, urged the Supreme Court “to recognize that free access to the law is not only guaranteed by our country’s traditions but also enabled by digital technologies.” EPIC explained that “the federal government has worked to ensure that government materials, including legal materials, are broadly accessible to the public; the states should do the same.” EPIC and its staff have worked for almost thirty years to promote online access to judicial opinions and open access to government information. EPIC routinely files amicus briefs in the US Supreme Court in cases concerning emerging privacy and civil liberties issues. (Oct. 15, 2019)

  • Senator Maria Cantwell [D-WA], Ranking Member on the Senate Commerce Committee, has sent a letter to Federal Trade Commission Chairman Joseph Simons regarding the FTC's controversial settlement with Facebook. "I am concerned that the settlement lets Facebook off the hook for unspecified violations, and given the many public reports of Facebook's mishandling of consumer data, it is difficult to fully understand the impact of this provision on the settlement on the data privacy protection of the millions of U.S. consumers that have used and continue to use Facebook," Cantwell wrote to Simons. Through a Freedom of Information Act Request. EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook. EPIC is formally challenging the proposed settlement, charging that the Commission has failed to investigate thousands of complaints against the company. (Oct. 15, 2019)

  • EPIC has asked the D.C. Circuit Court of Appeals to reverse a lower court decision allowing the FAA's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit last year against the industry-dominated Committee, which has consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records that it unlawfully withheld. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees, where many drone policy recommendations were developed. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (Oct. 11, 2019)

  • This week the Director of National Intelligence declassified several opinions from the Foreign Intelligence Surveillance Court and Court of Review concerning Section 702 of the FISA. The courts determined that the FBI violated the law when it searched for information about Americans in communications intercepted for foreign intelligence purposes. The documents also reveal that FBI repeatedly exceeded the scope of its authority to search for Americans’ information. The Court of Review ruled in July of this year that the FBI must record every search of an American’s data and the basis for that search. As a result of these rulings, the FBI has changed its surveillance. In January 2018 EPIC obtained a Justice Department report detailing concerns with the FBI’s “backdoor searches.” EPIC has long advocated for reform of U.S. surveillance laws, which do not adequately protect the fundamental rights of Americans or of individuals abroad. (Oct. 10, 2019)

  • The California Attorney General, Xavier Becerra, announced today a Notice of Proposed Rulemaking Action for the California Consumer Privacy Act. The proposed regulations will "establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” The California Attorney General held several public forums about the proposed regulations, and will hold four more public hearings to provide interested parties with an opportunity to comment. The deadline to submit written comments is December 6, 2019. A recent report from EPIC on privacy legislation in Congress notes that some lawmakers are seeking to preempt strong consumer privacy laws in states such as California. (Oct. 10, 2019)

  • As a consequence of its Freedom of Information Act lawsuit, EPIC v DOJ, EPIC has obtained previously undisclosed memos from the Mueller investigation. One memo released to EPIC summarizes Mueller's investigation of a suspected “unregistered agent of a foreign government.” The memo was submitted one day after the Justice Department released a redacted version of the Mueller Report. The Special Counsel previously disclosed that it investigated Paul Manafort, Rick Gates, Michael Flynn, George Papadopoulos, and Carter Page as possible foreign agents. Additional documents will be forthcoming in EPIC’s open government case concerning Russian interference in the 2016 election. EPIC is also seeking the disclosure of the complete and unredacted Mueller Report in EPIC v. Department of Justice. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Oct. 10, 2019)

  • The Russian government “sought to influence the 2016 U.S. presidential election” as part of a “broader, sophisticated, and ongoing information warfare campaign designed to sow discord in American politics and society,” according to a report from the Senate Intelligence Committee. The bipartisan report confirms earlier findings by the U.S. Intelligence Community, Special Counsel Robert Mueller, and the Intelligence Committee itself. In EPIC v. Department of Justice, EPIC is seeking the disclosure of the complete and unredacted Mueller Report, which would provide further information about Russian election interference. A ruling is expected in the case this month. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Oct. 8, 2019)

  • A federal judge in New York has ordered President Trump to turn over eight years of personal tax returns to the Manhattan district attorney. Judge Victor Marrero rejected the President's attempt to block a grand jury subpoena for the returns, holding that the President is not immune from state criminal prosecution. "The Court cannot square a vision of presidential immunity that would place the President above the law with the text of the Constitution," the court wrote. EPIC previously sought President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President about his taxes. In EPIC v. IRS II, EPIC is seeking "offers-in-compromise" and related tax records of President Trump and his businesses.

    (Oct. 7, 2019)

  • The UK has released the text of the US-UK CLOUD Act Agreement. The agreement permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance. In testimony before the European Parliament, EPIC International Counsel Eleni Kyriakides argued that cross-border access to personal data should ensure robust human rights protections, such as notice, judicial authorization, and transparency.

    (Oct. 7, 2019)

  • Senators Edward J. Markey (D-Mass.), Richard Blumenthal (D-Conn.), Josh Hawley (R-Mo.), and Marsha Blackburn (R-Tenn.) wrote a letter to the FTC urging the Commission “to prioritize enhancing protections for kids, not advancing the interests of data collectors.” The Senators criticized the agency’s recent settlement with YouTube, saying “the monetary penalty provided almost no deterrence value at all and was not paired with sufficient structural injunctions to prevent future violations by Google.” The FTC is reviewing the Children’s Online Privacy Protection Act Rule and is seeking public comments. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. (Oct. 4, 2019)

  • EPIC has joined over 75 organizations urging the Administration to rescind the recent Executive Order on Federal Advisory Committees. The executive order would require the elimination of one-third of existing advisory committees. The coalition letter explains that federal advisory committees enable public participation and help hold federal agencies accountable. The groups wanted that the arbitrary elimination of advisory committees will result in fewer opportunities for the public to participate in agency decision making. EPIC recently filed an open government lawsuit against the National Commission on Artificial Intelligence to ensure that the Commission complies with advisory commission requirements. Around the time EPIC filed its lawsuit, the Commission announced a public conference and opened a Twitter account. The case is EPIC v. AI Commission, no. 19-2906 (D.D.C). (Oct. 4, 2019)

  • The US and UK have signed a CLOUD Act "executive agreement,” permitting cross-border access, by law enforcement agencies, to personal communications without a warrant.The agreement will enter into force within 180 days if Congress does not pass a resolution of disapproval. To form the agreement, the Attorney General must certify to Congress that the country's domestic law "affords robust substantive and procedural protections for privacy and civil liberties.” Privacy rights organizations in the UK have challenged the adequacy of legal protections for communications data. EPIC has also argued in the European Data Protection Law review that the CLOUD Act fails to include key human rights protections, such as notice, judicial authorization, and transparency EPIC submitted an amicus brief in the related Supreme Court case United States v. Microsoft, pointing to fundamental rights obligations for cross-border access to personal data, and published "Digital Free for All Part Deux: European Commission Proposal on E-Evidence" in Just Security. (Oct. 3, 2019)

  • EPIC hosted D.C. Attorney General Karl Racine for a meeting with the Privacy Coalition. General Racine discussed his office’s initiatives on privacy, algorithmic discrimination, and antitrust. Last year, the Attorney General sued Facebook under the D.C. Consumer Protection Procedures Act for the mishandling of user data that led to Cambridge Analytica breach. And General Racine joined with others AGs investigating Google for anti-competitive conduct. EPIC has filed a Consumer Protection Procedures Act lawsuit against AccuWeather, challenging the misuse of personal data of D.C. residents. EPIC also recently filed an amicus brief in support of the plaintiffs in Attias v. CareFirst, Inc, a data breach that allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer. (Oct. 3, 2019)

  • The Court of Justice for the European Union has ruled that member states may order internet providers to remove globally content found to be defamatory. In Eva Glawischnig-Piesczek v Facebook Ireland, the Court ruled that the e-Commerce directive does not prohibit orders to remove content from all domains globally that is identical or equivalent to content found to be defamatory. However, Court said Member States must ensure measures "which produce effects worldwide take due account" of internet rules on an international level. The EPIC 2018 Privacy Law Sourcebook, a comprehensive overview of privacy laws in the US and around the world, is available in the EPIC bookstore. (Oct. 3, 2019)

  • EPIC has submitted an assessment of privacy rights and surveillance practices in the US to the UN Human Rights Council for the periodic review of US compliance with international human rights standard. After the last periodic review, the UN strongly recommended the US implement private sector and government privacy safeguards. However, EPIC told the Rights Council that the US still "lacks meaningful privacy enforcement, a comprehensive data privacy law, and has failed to curtail mass surveillance of U.S. and non-U.S. persons." EPIC also submitted a comprehensive EPIC report drafted for data protection experts from around the world. EPIC’s earlier comments for a separate UN review were incorporated by the UN Human Rights Committee. (Oct. 3, 2019)

  • EPIC has provided a comprehensive report on the latest developments in U.S. privacy law and policy for the 66th meeting of the International Working Group on Data Protection, to be held in Brussels. The International Working Group includes data protection authorities and experts from around the world who review emerging privacy challenges, such as location tracking, DNA collection, and face recognition. The EPIC Fall 2019 report details the debate over reauthorization of the NSA call record collection program, EPIC's ranking of consumer privacy proposals, the FTC Facebook and YouTube settlements, and more. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Oct. 3, 2019)

  • A federal court in Washington, DC has scheduled a Wednesday, October 16 hearing in EPIC v. AI Commission, EPIC’s lawsuit to open the records and meetings of the National Commission on Artificial Intelligence. Judge Trevor N. McFadden also ordered the AI Commission to respond to EPIC’s motion for a preliminary injunction by Tuesday, October 8. EPIC filed the lawsuit after the Commission failed to provide EPIC access to its meetings and records, operating in near-total secrecy for six months. The Commission is chaired by former Google CEO Eric Schmidt and dominated by representatives of large tech firms, including Microsoft, Amazon, and Oracle. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Oct. 1, 2019)

  • Judge Reggie B. Walton said Tuesday that he expects to make a ruling within 30 days in EPIC’s case for the release of the complete Mueller Report. The statement came during a hearing on EPIC’s lawsuit and a related case brought by CNN. EPIC brought the first suit in the nation for the release of the unredacted Mueller Report and argued for its release in August. Judge Walton also criticized the Department of Justice for the agency’s slow processing of requests for Special Counsel records, saying that the purpose of the FOIA has been “totally undermined by a lack of resources.” EPIC’s case is EPIC v. DOJ, No. 19-810 (D.D.C.). The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Oct. 1, 2019)

  • EPIC Policy Director Caitriona Fitzgerald testified today before the Massachusetts Legislature in support of proposals to establish a state Commission to examine the use of “automated decision systems.” Under H2701 and S1876 a Commission will make recommendations to ensure the state’s use of algorithms is fair and transparent. EPIC supports algorithmic transparency and opposed systemic bias in "risk assessment" tools used in the criminal justice system. EPIC has filed Freedom of Information lawsuits to obtain information about "predictive policing" and "future crime prediction" algorithms. EPIC President Marc Rotenberg has called for laws that mandate algorithmic transparency and prohibit automated decision-making that results in discrimination. (Oct. 1, 2019)

  • The Court of Justice for the European Union has ruled that under EU law companies must obtain active, specific consent from users to store persistent identifiers, or “cookies," on the user's device. In Planet49, the Court ruled that a pre-checked box does not constitute consent. The case was brought by the German Federation of Consumer Organisations. The European high court also ruled that companies must inform users about the duration of the cookie and whether data will be transferred to third parties. EPIC made a similar argument about consent in the first US case concerning cookies, contending that US federal wiretap law requires companies to obtain explicit consent from users for tracking. (Oct. 1, 2019)

  • EPIC has filed an open government lawsuit against the National Security Commission on Artificial Intelligence, following the Commission’s repeated failure to make its records and meetings open to the public. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI in the United States. EPIC filed multiple requests for access to Commission meetings and records. But the Commission has operated almost entirely in secret, even as it prepares to submit recommendations to Congress and the President. “Public access to the records and meetings of the AI Commission is vital to ensure government transparency and democratic accountability.” The Commission is chaired by former Google CEO Eric Schmidt and dominated by representatives of large tech firms, including Microsoft, Amazon, and Oracle. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Sep. 27, 2019)

  • For a hearing on “Ensuring the Public’s Right of Access to the Courts,” EPIC told the House Judiciary Committee that "in the digital age, access to court decisions is a critical component of the public’s right of access to the courts." EPIC has worked for many years to promote online access to judicial opinions, urging the federal government to make legal materials freely available on agency websites. "The public’s constitutional and common law rights of access to the law are fundamental to a society governed by the rule of law," EPIC said. EPIC also cited the work of the Internet Archive, which has worked to "promote universal access to all knowledge.” EPIC noted, "Today the Internet Archive is one of the largest libraries in the world, harnessing the power of the Internet to make information freely available." (Sep. 26, 2019)

  • In G.C. and Others v. CNIL the Court of Justice for the European Union has ruled a search engine operator must balance rights to determine whether to remove sensitive data - such as racial or ethnic origin, political opinions, religious or philosophical beliefs - from search results. Users brought suit against the CNIL after the French DPA declined to order Google to delist their sensitive data. The European Court ruled that a search engine operator which receives a request to de-list sensitive data must weigh the requester’s rights of privacy and data protection against the rights to freedom of information of internet users. EPIC publication “The Right to be Forgotten on the Internet: Google v. Spain,” an account of the original case written by former Spanish Privacy Commissioner Artemi Rallo, is available in the EPIC bookstore. (Sep. 26, 2019)

  • EPIC has joined an amicus brief, led by the National Consumer Law Center, urging a federal appellate court to rehear a case about whether a consumer can sue a company for sending an illegal text message. A panel of the court recently decided that consumers cannot sue companies that send one text message in violation of the Telephone Consumer Protection Act. The consumer brief states that the decision “opens the floodgates to mass text messaging, a result that is contrary to the plain language of the statue and Congress’s intent.” EPIC routinely files amicus briefs supporting consumers’ right in privacy cases. EPIC has filed several amicus briefs about the Telephone Consumer Protection Act. (Sep. 26, 2019)

  • The MacArthur Foundation has selected EPIC Board Member and former EPIC Board Chair, Danielle Citron for the prestigious MacArthur Fellowship. Recipients of the MacArthur Fellowship must show exceptional creativity, promise for important future advances based on a track record of significant accomplishments, and potential for the Fellowship to facilitate subsequent creative work. Professor Citron’s research has focused on cyber harassment and hate crimes. In a recent TED talk, Citron discussed Deepfakes - a technique using artificial intelligence and superimposed images to create malicious video and hoaxes, and the long-term reputational impact for victims. Her work has been featured in The New York Times, The Atlantic, Slate, The Guardian, and TIME. Danielle Citron is the author of Hate Crimes in Cyberspace (HUP 2014), available at the EPIC Bookstore. The MacArthur Foundation wrote that Danielle Citron is "a legal scholar addressing the scourge of cyber harassment by raising awareness of the toll it takes on victims and proposing reforms to combat the most extreme forms of online abuse.” (Sep. 25, 2019)

  • In advance of an FTC oversight hearing, EPIC told the House Appropriations Committee that more than 29,000 complaints against Facebook are now pending at the Federal Trade Commission. EPIC obtained documents last week revealing 3,000 new complaints against Facebook since the Commission proposed the $5 b settlement with Facebook two months ago. EPIC's Freedom of Information Act Request had previously found 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. EPIC urged the Committee to support the creation of a U.S. Data Protection Agency, saying "The Federal Trade Commission may help consumers with broken toasters, but the FTC is not an effective data protection agency." (Sep. 25, 2019)

  • In Google v. CNIL, the Court of Justice for the European Union ruled Google is not required to apply Europeans' requests to de-reference search results globally. The case follows an earlier ruling in Google v. Spain that Europeans have a right to remove links to their personal data in Google search results - the "Right to Be Forgotten." In the most recent case, the Court ruled that "currently there is no obligation under EU law, for a search engine operator...to carry out such a de-referencing on all the versions of its search engine." However, the Court also said that the search operator must "take sufficiently effective measures" to prevent searches for deferenced information from within the EU with a search engine outside of the EU. The Court also stated, in paragraph 72, that national authorities, in some circumstances, could require global delisting. EPIC supported the CNIL's approach contending that "commercial search firms should remove links to private information when asked." EPIC published "The Right to be Forgotten on the Internet: Google v. Spain" an account of the original case by former Spanish Privacy Commissioner Artemi Rallo. (Sep. 25, 2019)

  • In a second statement to the Senate Judiciary Committee, EPIC urged lawmakers to unwind bad mergers such as Facebook's acquisition of WhatsApp and Google's acquisition of YouTube and Nest. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so. (Sep. 23, 2019)

  • U.S. Rep. Mark Takano (D-CA 41) has introduced the "Justice in Forensic Algorithms Act of 2019." The Act would create federal standards for the development and use of forensic algorithms as well as prohibit the use of trade secrets privileges to prevent defense access to evidence in criminal proceedings. The Computational Forensic Algorithm Standards include considerations of bias, accuracy, precision, and reproducibility, and makes "publicly available documentation by developers of computational forensic software of the purpose and function of the software, the development process, including source and description of training data, and internal testing methodology and results, including source and description of testing data." Earlier this year, Iowa passed a law regarding pre-trial risk assessment algorithms. EPIC has advocated for Algorithmic Transparency across all applications and urges the use of the Universal Guidelines for Artificial Intelligence to guide AI regulation. A new publication from EPIC — the AI Policy Sourcebook — includes major policy frameworks for artificial intelligence. (Sep. 23, 2019)

  • In a EPIC statement to the Senate Foreign Relations Committee, EPIC has urged the U.S. Senate to reject the nomination of Marshall Billingslea for Under Secretary of State for Civilian Security, Democracy, and Human Rights. "This is a critical position in the U.S. government for human rights and should be filled by a person with a deep regard for international law and fundamental rights, such as a constitutional scholar. Mr. Billingslea simply lacks the necessary qualifications for this post," EPIC said. EPIC also said that the US should ratify the International Privacy Convention. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data and algorithmic transparency. (Sep. 23, 2019)

  • Through a Freedom of Information Act Request, EPIC has obtained thousands of new consumer complaints (part 1, part 2)against Facebook. The most recent documents, released to EPIC, follow the Commission’s proposed $5 b settlement in July. Among the complaints uncovered by EPIC are those from consumer groups and members of Congress. EPIC also obtained records of new complaints in the FTC’s Consumer Sentinel database. EPIC earlier uncovered 26,000 complaints against Facebook since the announcement of the 2011 consent order. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. (Sep. 22, 2019)

  • EPIC has obtained new documents concerning Robert Mueller's investigation into Russian interference in the 2016 election. The records were released in EPIC v. Department of Justice, EPIC's case for the release of the Mueller Report and related documents. The documents consist of previously undisclosed emails between Mueller's office and the Justice Department concerning the Special Counsel's budget. EPIC recently argued in court for the release of the complete and unredacted Mueller Report. A ruling in the case is expected this fall. The book "EPIC v. DOJ: The Mueller Report" is available for purchase at the EPIC Bookstore. (Sep. 19, 2019)

  • The National Security Commission on Artificial Intelligence is holding yet another closed-door meeting today—at least the fourth such meeting in the Commission's short existence. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address national security and defense needs. But the Commission has operated almost entirely in secret, unlawfully refusing to publish any meeting notices or to allow any public participation. Last week, EPIC renewed its request to access Commission records and meetings. The Commission is dominated by representatives of large tech firms, including Google and Microsoft. EPIC has urged Congress to ensure that the Commission operates transparently. (Sep. 19, 2019)

  • In comments to the FTC on a proposed consent agreement with Unrollme, EPIC recommended requiring Unrollme to notify users of past deceptive practices and to obtain reauthorization from users before using personal data. According to the settlement with the FTC, Unrollme deceived users as to the privacy protections for personal emails. EPIC also respond to the Separate Statement of Commissioner Noah Phillips, warning that "continued support for 'Notice and choice' will only contribute to further erosion of privacy protection for American consumers." EPIC also suggested "if the Commissioner is genuinely concerned about restoring consumer choice and competition for Internet services, then unwinding the Facebook-WhatsApp merger, as EPIC has repeatedly urged, would be a good place to start." Agency regulations require the FTC to consider public comments before finalizing a proposed consent order. (Sep. 19, 2019)

  • Today EPIC submitted comments to the Consumer Financial Protection Bureau on the agency's proposed amendment to the Fair Debt Collection Practices Act. EPIC recommended that the CFPB: (1) clarify the definition of debt collector, (2) impose limitations on quantities of texts and emails, (3) not provide a safe harbor for debt collectors through limited-content messages, (4) impose liability for third-party disclosures by email or text, (5) require debt collector to offer a streamlined process for opt-out on any given medium, (6) limit the consumer information that can be included in debt validation notices, and (7) require debt collectors to comply with E-Sign Act consent requirements. EPIC previously advised CFPB on debt collector practices and the agency's publication of consumer narratives in the public complaint database. (Sep. 18, 2019)

  • Access Now has called on the European Commission to strike down the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. In comments to the Commission, Access Now wrote "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today." The comments cite the limited redress provided by the Privacy Shield Ombudsperson, increased U.S. border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection. EPIC's earlier comments on the Privacy Shield highlighted the failure of the U.S. to curtail surveillance authorities, the absence of a comprehensive privacy law and a data protection agency. Next month the European Commission will decide whether to renew the pact. (Sep. 18, 2019)

  • In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the House Judiciary Committee urging Congress to end the NSA's phone record collection program, known as "Section 215." Section 215 of the Patriot Act, according to White House legal advisors including now Supreme Court Justice Brett Kavanaugh, allowed the NSA to collect in bulk the telephone records of Americans. In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems with the reformed program, and the Director of National Intelligence confirmed that the limited collection program was suspended. Section 215 will sunset unless Congress chooses to renew the program. (Sep. 18, 2019)

  • EPIC has published "The EPIC AI Policy Sourcebook 2019." The EPIC collection is the first compendium of AI policy, providing essential information to policy makers, researchers, journalists, and the public. The EPIC Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI, as well as materials from the EU, Council of Europe, national AI initiatives and professional societies IEEE and ACM. The Sourcebook also includes an extensive resources section on AI, including organizations, reports, articles, and books from around the world. "Required reading for a necessary conversation," Sherry Turkle. The EPIC AI Policy Sourcebook is now available in the EPIC Bookstore. (Sep. 17, 2019)

  • EPIC has renewed its request with the National Security Commission on Artificial Intelligence for records and access to Commission meetings. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address national security and defense needs. But the Commission has operated almost entirely in secret, unlawfully refusing to publish any meeting notices or to allow any public participation. The Commission is dominated by representatives of large tech firms, including Google and Microsoft. EPIC previously requested records about the AI Commission and has urged Congress to ensure that the Commission operates transparently. (Sep. 16, 2019)

  • In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so. (Sep. 16, 2019)

  • The D.C. Circuit has refused to void an earlier ruling in EPIC v. Commerce, EPIC's suit to halt the collection of citizenship data in the 2020 Census due to the government's failure to complete required privacy impact assessments. Under the E-Government Act, federal agencies must make privacy impact assessments "publicly available" before undertaking a new collection of personal data. Yet a three-judge panel of the D.C. Circuit ruled that the statute does not "vest a general right of information in the public" that would allow EPIC—one of the leading privacy organizations in the country—to obtain information about the government's data collection practices. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. The case is eligible for appeal to the Supreme Court, which blocked the citizenship question from being added to the 2020 Census in June. EPIC's case is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Sep. 16, 2019)

  • With opposition growing to facial recognition, Google has decided instead to build facial recognition into Nest Hub Max, an "always on" device intended for use in the home. Google's "face match" constantly targets the facial images of each person in the household. Any interaction with the Google device is added to the secret user profile Google maintains for ad targeting. In 2014, EPIC filed a complaint with the FTC and said the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest," a related device that enabled surveillance in the home. EPIC later asked the Federal Trade Commission to require Google to spin-off Nest and to disgorge the data obtained from Nest users. A 2017 complaint to the Consumer Product Safety Commission from EPIC and consumer organizations pointed out that the "touchpad on the Google device is permanently set to 'on' so that it records all conversations without a consumer's knowledge or consent." (Sep. 16, 2019)

  • The D.C. Metro is proposing to track the cellphones of D.C. metro riders, with a network of sensors to detect Wi-Fi and Bluetooth connections. "WMATA has already begun to develop a network of digital display units and seeks to expand that network through digital place-based and location-based devices and programs," the Metro contracting document stated. After 9-11. EPIC led the Observing Surveillance campaign to limit the use of surveillance cameras in DC against residents and visitors. EPIC is pursuing a lawsuit against AccuWeather alleging that the company engaged in unlawful and deceptive practices in tracking consumers' locations in violation of the D.C. Consumer Protection Procedures Act. (Sep. 16, 2019)

  • EPIC has again written to the Senate Rules Committee regarding the meetings of a Senate "Tech Task Force," following a news item which suggested that the Rules Committee approved closed-door hearings. EPIC had called for an investigation into the meetings in the Senate Judiciary Committee hearing room, which were closed to the public and press, lacked public notice, and produced no written record. According to the POLITICO story, an unnamed staff person told a reporter that they had decided the Task Force was not subject to the open meeting requirement. EPIC was never notified of any decision. "This saga increasingly resembles a Kafka short story," EPIC wrote. EPIC has requested a written response to its requests for investigation and also wrote "we fully intend to pursue this issue until there is a favorable resolution." (Sep. 13, 2019)

  • California Governor Gavin Newsom is expected to sign legislation —The Body Camera Accountability Act- to ban the use of facial-recognition technology in law enforcement body cameras. Assembly Member Phil Ting (D), who wrote the bill, told the Washington Post "Body cameras have been used as a tool to build trust between communities and law enforcement and to provide more transparency. Putting facial recognition software into those body cameras helps destroy that trust. It turns a tool of transparency and openness into a tool of 24-hour surveillance." EPIC had long warned lawmakers about police-worn body cameras and facial recognition. In a 2015 statement for the Senate, EPIC explained that "the use of facial recognition technology by law enforcement agencies is expanding within the United States without proper oversight or input from the public." In a related commentary, EPIC Domestic Surveillance Counsel Jeramie Scott wrote, "Police body cameras may help improve police relations with the public, but steps must also be taken to ensure that concerns about privacy are addressed. As body cameras increase, we must guard against expanding their use and remain focused on true police accountability." EPIC's State Policy Project tracks privacy developments in the states. (Sep. 13, 2019)

  • EPIC, the Australian Privacy Foundation, and Privacy International submitted comments calling for a greater NGO role in oversight of the International Privacy Convention. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new articles on biometric data and algorithmic transparency, and enhanced compliance with convention terms. The coalition comments urge the Council of Europe to include NGOs in compliance review groups, increase transparency of the review process, and to evaluate national privacy remedies and derogations from the Convention. EPIC and consumer groups have also long urged the United States to ratify the international Privacy Convention. (Sep. 13, 2019)

  • The White House Budget for 2020 emphasizes privacy and ethics in AI Research and Development. The budget recommends "broad, multidisciplinary research in security and privacy," but actual funding levels remain unclear. In 1989, the Human Genome Project set aside 18 million dollars annually to examine Ethical, Legal, and Social Implications. Strategic priorities from the 2016 National Privacy Research Strategy will be carried forward. EPIC has recently published the "AI Policy Sourcebook," containing public policy frameworks for Artificial Intelligence. (Sep. 12, 2019)

  • EPIC Advisory Board Member Professor Anne Washington today testified at a hearing on "The Future of Identity in Financial Services: Threats, Challenges, and Opportunities." Professor Washington said "Ignoring AI exceptions in financial services risks excluding many in our society because they are outliers from expectations...By baking privacy, security, and usability into the design of our AI systems, we can build a more responsible and ethical data environment." EPIC supports algorithmic transparency which would reduce bias and help ensure fairness in automated decisionmaking. EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC has recently published the "AI Policy Sourcebook," containing the Universal Guidelines and other AI policy framework. (Sep. 12, 2019)

  • EPIC has again written to the Senate Rules Committee regarding the closed-door meetings of a Senate "Tech Task Force." EPIC said that the closed-door meetings violate the Senate Rules of Procedure. As EPIC explained, "the Senate Rules of Procedure establish a strong presumption that meetings of the Senate shall be open to the public." EPIC, the Center for Digital Democracy, and the Consumer Federation of America previously asked the Rules Committee to begin an investigation, make a determination, and then require Tech Task meetings be held in accordance with the Senate Rules. The groups said "Open meetings, public notice, and hearing records are central to the integrity of the United States Senate." (Sep. 12, 2019)

  • The State Department is seeking comment on certification of the UK for a CLOUD Act agreement. The CLOUD Act permits the U.S. to enter into "executive agreements" that allow foreign authorities to order production of communications content stored in the U.S. without obtaining a warrant. To form an agreement, the Attorney General must certify to Congress that the country's domestic law "affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government." The State Department is required to take into account expert input for the certification and is seeking comments on the rule of law in the UK, protection of human rights, and other factors listed for consideration in the CLOUD Act Section 105(b)(1)(B)(i-vi). Comments must be submitted via email to IFBHR@state.gov by Friday, September 13th. Earlier this year, EPIC International Counsel Eleni Kyriakides argued in the European Data Protection Law Review that the CLOUD Act fails to include key human rights protections, such as notice, judicial authorization, and transparency. (Sep. 9, 2019)

  • A federal appeals court has ruled that LinkedIn must allow hiQ, a data analytics firm, to scrape user data from public profiles—at least, for now. The appeals court found that "hiQ's interest in continuing its business" outweighed users' privacy interests in their profile information. EPIC filed an amicus brief in the case. In 2017, a lower court permitted hiQ access to the user data of LinkedIn users. EPIC argued that "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy. (Sep. 9, 2019)

  • Today, the Court of Justice for the European Union will hear challenges to the data retention laws of the UK, Belgium, and France. The Court previously invalidated European and national data retention laws that required companies to retain communications data for law enforcement purposes. The Court said the laws were a "particularly serious" interference with the right to privacy. The new challenges, brought by civil society organizations, contend that European national laws fail to comply with the earlier rulings. EPIC recently urged the FCC to repeal a similar regulation that requires the retention of US telephone records, following an earlier petition to the agency. When the FCC docketed the EPIC petition for public comment, every comment received supported an end to the data retention regulation. (Sep. 9, 2019)

  • EPIC has released a detailed analysis of the privacy bills in Congress. According to EPIC, Senator Ed Markey's Privacy Bill of Rights ranks #1. EPIC's report — Grading on a Curve: Privacy Legislation in the 116th Congress -- reviews recent developments, sets out a model bill, and assesses pending legislation. The EPIC Report finds that many of the bills in Congress lack the basic elements of a privacy law, such as an opportunity for individuals to enforce their rights. The EPIC report strongly recommends creation of a federal data protection agency. EPIC President Marc Rotenberg said, "There are shortcomings with all of the bills, but Senator Markey's is clearly the best." [Press Release] (Sep. 9, 2019)

  • EPIC has submitted an amicus brief in Kansas v. Glover, urging the Supreme Court to limit traffic stops based solely on the status of the registered owner. EPIC warned that permitting police stops based on this factor, when combined with Automated License Plate Readers, would "dramatically alter police practices" and "unfairly burden disadvantaged communities." EPIC provided empirical data for the Court which indicate that ALPRs are more widely used in disadvantaged communities and also that car sharing is more prevalent in these communities. The Supreme Court has previously expanded Fourth Amendment protections for new technologies, such as GPS tracking devices, (US v. Jones), cell phones (Riley v. California), and location data (Carpenter v. United States), in response to evolving policing techniques. EPIC recommended that the Court do the same in this case. EPIC routinely files amicus briefs in cases before federal and state courts concerning emerging privacy issues. (Sep. 6, 2019)

  • In a letter to Amazon CEO Jeff Bezos, Senator Ed Markey pressed the company to provide details about Amazon's deal with police departments for police access to the video footage from the company's Ring doorbells. Senator Markey wrote "the integration of Ring's network of cameras with law enforcement offices could easily create a surveillance network that places dangerous burdens on people of color and feeds racial anxieties in local communities." Senator Markey sought information about Amazon's plan to add facial recognition to the doorbell cameras, noting that "facial recognition technology disproportionately misidentifies African Americans and Latinos." In comments to federal law enforcement agencies and statements to Congress, EPIC has repeatedly warned of the dangers posed by facial recognition technology. Several years ago, EPIC urged the FTC to establish a moratorium on the commercial use of facial recognition technology until adequate privacy safeguards were established. (Sep. 5, 2019)

  • EPIC joined over 30 organizations calling for lawmakers to ban the government use of facial recognition technology. EPIC has long urged greater scrutiny of facial recognition. In 2016, EPIC led a coalition of 45 organizations calling for Congress to investigate the FBI's facial recognition program. Documents obtained by EPIC in 2017 showed that the Customs and Border Protection system failed to perform at a "satisfactory" level. In comments to CBP and statements to Congress, EPIC has recommended the suspension of facial recognition for identification at the border. Earlier this year, EPIC and others urged lawmakers to halt the use of face recognition technology on the general public. The coalition letter stated, "the use of face recognition technology...poses serious risks to privacy and civil liberties, threatens immigrants, broadly impacts American citizens, and has been implemented without proper safeguards in place or explicit Congressional approval." (Sep. 5, 2019)

  • A federal court has ruled that the "suspected terrorist" watchlist used by the FBI and Department of Homeland Security is unconstitutional. Judge Anthony J. Trenga held that the watchlist "imposes a substantial burden on Plaintiffs' exercise of their rights to international travel and domestic air travel" and "fails to provide constitutionally sufficient procedural due process." In 2011, documents obtained by EPIC under the Freedom of Information Act revealed the FBI's standards for adding and removing names from the watchlist and showed that individuals may remain on the FBI watch list even if charges are dropped or a case is dismissed. In 2018, EPIC obtained key records about Secure Flight, a Transportation Security Administration program that compares airline passenger records with various government watchlists. EPIC has long campaigned against the use of secret watchlists. (Sep. 5, 2019)

  • EPIC has appealed a lower court decision allowing the FAA's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit last year against the industry-dominated Committee, which has consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records that it unlawfully withheld. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees, where many drone policy recommendations were developed. EPIC will now challenge that ruling before the U.S. Court of Appeals for the D.C. Circuit. The case is EPIC v. Drone Advisory Committee, No. 18-833 (D.D.C.). (Sep. 4, 2019)

  • Following a comprehensive complaint launched by the CCFC and the CDD concerning children's privacy, the Federal Trade Commission announced a settlement today with YouTube and parent company Google. The companies agreed to pay $170 million to settle claims that they violated the Children's Online Privacy Protection Act, but little will change in the companies business model. Writing in dissent, Commissioner Slaughter said, "Youtube and Google were knowingly profiting off of the unlawful tracking of children." She said the Commission should have required a "technological backstop" to ensure that behavioral advertising of children would not continue. Commissioner Chopra, also dissenting, wrote "the Commission repeats many of the same mistakes from the Facebook settlement." In a statement, Senator Markey said the FTC should have required Google to delete all data it collected from children under 13, prohibit Google from launching kids service without prior review, and required annual public audits. EPIC joined the CCFC and the CDD in the complaint to the FTC. Earlier, after Google acquired YouTube, EPIC sued the FTC to block Google's proposed consolidation of user data. The judge ruled against EPIC, but wrote "EPIC - along with many other individuals and organizations - has advanced serious concerns that may well be legitimate..." (Sep. 4, 2019)

  • Following a decision by a federal appeals court which found that Facebook had violated a state law limiting the collection of biometric identifiers including facial images, Facebook has changed the default setting for facial recognition. Beginning this week, facial recognition will be set to off by default for both new users and current users. EPIC filed an amicus brief in the biometric privacy case, Patel v. Facebook arguing that "the unlawful collection of an individual's biometric information in violation of the [state law] is an invasion of a legal right..." EPIC had repeatedly warned the Federal Trade Commission that Facebook's use of facial recognition threatened privacy. In comments on the original 2011 consent order, EPIC wrote the "Commission should require that Facebook cease creating facial recognition profiles without users' affirmative, opt-In consent." EPIC had filed a complaint with the FTC early in 2011 charging that the "secretive collection compilation and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world." EPIC filed similar complaints with the FTC about Facebook's use of facial recognition in 2016 and 2018 and provided detailed comments to the Commission in 2012, but the FTC simply failed to act on one of the most controversial business practices of the social media company. (Sep. 4, 2019)

  • EPIC has filed comments on the FTC's proposed consent order with the individuals responsible for the Cambridge Analytica breach that impacted 87 million Facebook users, and possibly the outcome of the Brexit vote. EPIC wrote: "the Cambridge Analytica breach could have been prevented if the Commission had enforced the Consent Order." EPIC pointed to numerous reports that Facebook's improper sharing of personal data with third party developers was known to the FTC after the 2011 Consent Order. EPIC is currently pursuing two cases against the FTC, one to obtain the release of the complete biennial audits, the other to block the FTC's proposed settlement that would leave the Facebook's business practices largely unchanged. (Sep. 3, 2019)

  • The D.C. District Court has granted Facebook's motion to intervene in EPIC's case against the Federal Trade Commission for the release of the biennial audits required by the 2011 Consent Order. The FTC turned over redacted reports to EPIC but withheld certain information, citing a confidential business information provision. EPIC explained to the court, the "release of the full audits is crucial for Congress, the States Attorneys General, and the public to evaluate how the Cambridge Analytica breach occurred." EPIC opposed Facebook's attempt to intervene but the Court granted Facebook's motion. Before the same judge, EPIC is also pursuing intervention in United States v. Facebook, a case concerning the proposed settlement between FTC and Facebook. Facebook's answer to EPIC's complaint is due September 3, 2019. The case is EPIC v. FTC, No. 18-942 (D.D.C). (Aug. 28, 2019)

  • An advocacy group has asked the U.S. Supreme Court to hear a case concerning a California law requiring charitable organizations to disclose the names and addresses of their major donors. Last year, a federal appellate court found that the law does not violate the First Amendment "because the information is collected solely for nonpublic use, and the risk of inadvertent public disclosure is slight." EPIC filed an amicus brief in the case, arguing that the reporting requirement "infringes on several First Amendment interests, including the free exercise of religion, the freedom to express views without attribution, and the freedom to join in association with others without government monitoring." Citing several data breaches concerning state records, EPIC also explained that California had "failed to implement basic data protection standards" for donor information. EPIC has argued for donor privacy and similar constitutional rights of anonymity in Packingham v. North Carolina, Doe v. Reed, and Watchtower Bible v. Stratton. (Aug. 28, 2019)

  • EPIC has filed an amended complaint against the Justice Department, charging that the agency engages in a "pattern and practice" of violating the Freedom of Information Act. Earlier EPIC filed a FOIA lawsuit to compel the DOJ to disclose records about locational surveillance that the Supreme Court ruled was unconstitutional in Carpenter v. United States. EPIC first filed requests in 2017 to obtain copies of government applications to ISPs that require the disclosure of customers communications. After EPIC filed suit in August 2018, the DOJ refused to search for the records and claimed that it "does not track" the surveillance orders. EPIC now alleges that the DOJ has engaged in a pattern and practice that violates the FOIA. Federal agencies are required by law to search for records that are "reasonably described." EPIC wrote "agency's unlawful policy, pattern, and practice of refusing to conduct a search in response to reasonably described FOIA requests such as EPIC's will continue absent intervention by this Court." The case is EPIC v. DOJ, No. 18-1814 (D.D.C.). (Aug. 26, 2019)

  • POLITICO reports that House leaders will consider a moratorium on funding facial recognition following a House Oversight Committee hearing on DHS facial recognition programs. Prior to the hearing, EPIC briefed members of the House committee about the entry-exit program at US airports. Air travelers have reported that it is difficult to opt-out and the agency has still not conducted a required rulemaking. Last month, EPIC led a coalition of over 35 organizations urging Congress to halt the use of face recognition on the general public. In a statement in April to the House Appropriations Committee, EPIC recommended that Congress halt the funding for the facial recognition program at TSA, also within the DHS. After a Buzzfeed story featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program. (Aug. 22, 2019)

  • Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) sent a letter to the National Highway Traffic Safety Administration to ask about the steps taken to protect consumers from the security vulnerabilities of internet-connected cars. The senators wrote: "We are concerned by the lack of publicly-available information about the occurrence and handling of cyber vulnerabilities in internet-connected cars, and believe that NHTSA should be aware of these dangers in order to take possible regulatory action." In comments to NHTSA, EPIC called for national safety standards for connected cars. EPIC also underscored the privacy risks of modern vehicles in a recent amicus brief to the Supreme Court. (Aug. 22, 2019)

  • A new Gallup poll found that 48 percent of respondents said the government should boost its regulation of technology companies like Amazon, Facebook and Google, while 40 percent said regulation of these firms shouldn't change. Roughly 60 percent of self-identified liberals, union members, college graduates and Democrats support increased oversight of tech companies. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Aug. 22, 2019)

  • The FTC entered into an enforcement agreement against background screening company SecurTest for falsely claiming to offer privacy protections to EU citizens. According to the FTC, SecurTest's website falsely claimed to participate in the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. The settlement requires Securtest to halt misrepresentations and submit to compliance monitoring, but provides no remedy to those EU citizens who used the service. In recent comments on the Privacy Shield, EPIC noted the absence in the US of a comprehensive federal privacy law and a data protection authority, with the authority to enforce privacy rights. The European Commission will formally decide whether to renew the pact this fall. (Aug. 22, 2019)

  • Giovanni Buttarelli, the European Data Protection Supervisor and the recipient of the 2019 EPIC Champion of Freedom Award, has passed. He was 62. "We are all profoundly saddened by this tragic loss of such a kind and brilliant individual. Throughout his life Giovanni dedicated himself completely to his family, to the service of the judiciary and the European Union and its values," Buttarelli's office said in a statement. Buttarelli led efforts in the European Union and around the world to establish privacy as a fundamental human right. At the 2018 privacy commissioners conference in Brussels, he spoke about the need to place humanity at the forefront of the digital society. Buttarelli said "we need to establish a sustainable ethics for a digital society." Buttarelli was also one of the first signatories of the Universal Guidelines for Artificial Intelligence, a framework for AI governance based on the protection of human rights. At the 2019 EPIC Champion of Freedom Awards event in Brussels, Shoshana Zuboff (11:30) said “Giovanni has lifted our sights . . . to the essence of the quality of the information society that will be our true legacy . . .” Buttarelli remarks (16:45). (Aug. 21, 2019)

  • A new lawsuit alleges that Facebook violated the Fair Housing Act by allowing advertisers to use factors such as race, sex, and disability to prevent home buyers and renters from seeing housing ads. Facebook recently settled claims and made changes to its advertising practices following lawsuits by the Department of Housing and Urban Development. EPIC is currently challenging the FTC's settlement with Facebook, arguing that it provides little benefit to Facebook users. EPIC also supports algorithmic transparency, which would reduce bias and help ensure fairness in automated decisionmaking. EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. (Aug. 20, 2019)

  • Just Security has published a new collection of expert summaries of the Mueller Report. The collection includes two entries by Professor Jennifer Daskal, Chair of the EPIC Board, on Russian hacking operations and Special Counsel's charging decisions under the Foreign Agent Registration Act. In EPIC v. DOJ, EPIC is seeking the complete, unredacted Mueller Report. EPIC recently argued for the full release of the Report before Judge Reggie B. Walton. A ruling in the case is expected this fall. Copies of the Mueller Report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore. (Aug. 20, 2019)

  • The Administration is seeking reauthorization of the NSA phone record collection program, according to a letter from Director of National Intelligence Dan Coats published by the New York Times. The Patriot Act "Section 215" program originally allowed the bulk collection of all telephone records of Americans. In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of the bulk collection program. Congress then held extensive hearings which found the program was ineffective and later passed the USA Freedom Act, which limited the data collection. NSA has since acknowledged significant compliance problems with the Freedom Act, and the Coats letter confirms that the program was subsequently suspended. EPIC has joined civil liberties organizations in calling for a permanent end to the NSA's phone record collection program. (Aug. 16, 2019)

  • A Grindr user has asked the U.S. Supreme Court to review a federal appellate court's refusal to find the dating app liable for failing to remove a false profile that enabled abuse. EPIC filed an amicus brief in Herrick v. Grindr, arguing that Section 230, the law the appeals court found barred liability, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if internet services are not accountable for harassment and abuse. EPIC routinely files friend of the court briefs in cases concerning emerging privacy and civil liberties issues. Herrick's attorney (and EPIC Champion of Freedom Award winner) Carrie Goldberg recently published "Nobody's Victim: Fighting Psychos, Stalkers, Pervs, and Trolls." (Aug. 15, 2019)

  • EPIC has filed comments on the Council of Europe's Recommendation on AI and human rights. Drafted by a committee of human rights experts, the Recommendation is expected to be adopted by the COE in early 2020. EPIC expressed strong support for the draft Recommendation, noting nearly all of the Universal Guidelines for Artificial Intelligence principles are included. EPIC also recommended the COE incorporate UGAI principles prohibiting secret profiling and unitary scores and requiring termination of AI systems that spin out of control. Intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights, over 250 experts and 60 organizations have endorsed the Universal Guidelines. EPIC also recently urged the White House to safeguard personal data in U.S. AI research and development. (Aug. 15, 2019)

  • A federal court has ruled that Georgia must replace Direct Recording Electronic voting machines before the 2020 election. The court also ruled that Georgia must develop a contingency plan with hand-marked paper ballots with optical ballot scanners and voter-verifiable, audible ballot records. EPIC, in an amicus brief joined by 31 legal scholars and technical experts, urged the court to stop Georgia's use of Direct Recording Electronic voting machines. EPIC told the court, "the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions." The court cited EPIC's brief, noting "almost from their inception, DREs have been plagued by warnings that the voting machines are unreliable, insecure, and unverifiable." Georgia's Secretary of State recently announced that the state would purchase Ballot Marking Devices but technical experts have said these devices have many of the same vulnerabilities as DRE voting machines. The case is Curling v. Raffensperger. (Aug. 15, 2019)

  • EPIC has filed a reply brief in support of its motion to intervene in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. The Government and Facebook have sought to block EPIC's participation. EPIC pursued intervention to protect the interests of Facebook users and to ensure that pending complaints at the FTC were not ignored. EPIC told the court overseeing the case that the settlement "is not adequate, reasonable, or appropriate." In response to Facebook and the government, EPIC explained that the settlement is "arbitrary and capricious because the Commission seeks to grant Facebook immunity from any unlawful practices identified in prior consumer complaints, without addressing or even identifying the prior complaints." EPIC also argues that the FTC's failure to consider public comments on the settlement, as the agency is required to do under its own regulations, "denies EPIC and others the opportunity to submit comments on the consent agreement." An EPIC FOIA lawsuit uncovered more than 26,000 complaints against Facebook pending at the agency. In 2009, EPIC and other consumer privacy organizations filed the original complaint that created legal authority for the FTC to oversee Facebook's privacy practices. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2. (Aug. 12, 2019)

  • The National Institute of Standards and Technology has published a plan for federal involvement in developing AI technical standards. The NIST report states that it "is important for those participating in AI standards development to be aware of, and to act consistently with, U.S. government policies and principles, including those that address societal and ethical issues, governance, and privacy." NIST recommends the government (1) bolster AI standards expertise in federal agencies, (2) support public and private sector engagement in crafting AI standards, (3) translate requirements for trustworthy AI into practical standards, and (4) strategically engage around the world. NIST also calls for research into benchmarking "the reliability, robustness, and trustworthiness of AI systems" and "improve AI evaluations and methods for verification and validation," as well as the incorporation of ethical considerations and "human-centered" values. EPIC filed comments on the NIST plan, urging the U.S. to adopt the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI. Both frameworks require rights-protective AI, verified as robust and reliable throughout its lifecycle. (Aug. 12, 2019)

  • EPIC and more than two dozen legal scholars and technical experts have filed comments on a White House Office of Management and Budget proposal to open federal data sets for AI research and development. "EPIC supports the public availability of data from the federal government for use in AI research, development, and testing that is not personally identifiable information," the document states. However, the experts strongly cautioned "against the use of data sets containing personally identifiable information," noting that federal agencies are under legal obligations to safeguard personal information. "EPIC's view of the use of government data for AI reflects long-standing practices in federal information policy that seek to maximize public access to public information while restricting access to personal data," the letter stated. EPIC also encouraged compliance by federal agencies with the OECD Principles on Artificial Intelligence, which the US recently endorsed, and the Universal Guidelines for AI. Both frameworks emphasize the importance of privacy protection in AI research. EPIC has previously proposed the UGAI as the basis for federal AI policy - twelve principles intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. (Aug. 8, 2019)

  • A federal appeals court has ruled that users can sue Facebook for collecting and using their facial images. In Patel v. Facebook, users contend that Facebook violated an Illinois biometric privacy law by creating biometric templates of their faces without their consent. The court found that the Illinois law "protects the plaintiffs' concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." The court cited the common law roots of the right to privacy and also noted that "the Supreme Court has recognized that advances in technology can increase the potential for unreasonable intrusions into personal privacy." EPIC filed an amicus brief in the case, arguing that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC wrote the "Illinois Biometric Information Privacy Act imposes, by statute, legal obligations on companies that choose to collect and store individuals' biometric data." EPIC said that plaintiffs must only "demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Last year, EPIC filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. EPIC routinely submits briefs in support of consumers' right to sue in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. (Aug. 8, 2019)

  • A federal appeals court has rejected a proposed class action settlement in a case involving Google's tracking of internet users in violation of the users' privacy settings. The court was particularly "troubled" by the prior relationships between Google, class counsel, and the organizations selected to receive funds in the settlement. The court found that "if challenged by an objector, a district court must review the selected cy pres recipients to determine whether they have a significant prior affiliation with any party, counsel, or the court." EPIC had urged the court to reject the deal in an amicus brief. EPIC said the settlement was "fundamentally flawed" because "Google is allowed to continue its unlawful conduct and the class members receive no monetary relief." EPIC also explained that the selection of organizations awarded in the settlement "raise significant conflicts of interest concerns." EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement. (Aug. 7, 2019)

  • A federal court in Washington, DC ruled this week that the DEA does not have to disclose to EPIC the names of the other agencies that use the Hemisphere call records database managed by AT&T. Earlier in the same FOIA case, EPIC obtained documents from DEA which revealed that both the FBI and CBP query the Hemisphere database. The agency was allowed to submit a secret affidavit in support of its claims, but the court ordered the agency to file a revised declaration, "consistent with its recent disclosures to EPIC." (Aug. 7, 2019)

  • EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data protection extend across borders, citing risks to privacy after the Capital One breach impacted affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles. (Aug. 6, 2019)

  • The federal government has asked a court to deny EPIC's Motion to Intervene in United States v. Facebook, a case which concerns a proposed settlement between the Federal Trade Commission and Facebook. EPIC filed the motion to protect the privacy interests of Facebook users. EPIC argued that the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC has asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2. (Aug. 5, 2019)

  • Data protection commissioners from several countries published a joint statement on Facebook's proposed Libra currency network. The Commissioners said "strong privacy safeguards are the foundation for innovation in the digital world" and "we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure." The Commissioners said Facebook has "failed to specifically address the information handling practices that will be in place to secure and protect personal information." The Commissioners cited EPIC statements for Senate and House warning stating that "Facebook clearly cannot be trusted with consumers' financial data." EPIC also joined a coalition of consumer groups calling for an end to Facebook's Libra plan. (Aug. 5, 2019)

  • Top-ranking Republicans on the House Oversight and Reform Committee sent a letter to Capital One and Amazon seeking briefings on the data breach that compromised the personal information of 106 million people. Rep. Maxine Waters, Chair of the House Committee on Financial Services, released a statement that said "I plan to work with my colleagues and take action in the Financial Services Committee on legislation to improve oversight of the cybersecurity of financial institutions." In testimony before the Senate and the House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. Following the Capitol One data breach, EPIC President Marc Rotenberg wrote for CNN that "Congress needs to update federal privacy laws, establish meaningful oversight, and encourage business practices that are more resilient when breaches occur." (Aug. 5, 2019)

  • Following an investigation by a German data protection agency, Google has suspended Assistant for a three-month period. Johannes Caspar, the head of the Hamburg data protection agency, found Google was recording and transcribing private conversations for examination by Google contractors. Caspar said there are "significant doubts" as to whether Google Assistant complies with EU data-protection law. Caspar previously uncovered the fact that Google Street View vehicles were intercepting and recording private wifi communications, a charge that Google denied until the hard drives in the Google vehicles were examined. In the US, Google settled a "Spy-Fi" case for $7 m with state AGs following the investigation by the German privacy agency. EPIC previously asked the FTC and the Department of Justice to determine whether "always on" devices violate federal wiretap law. Neither agency has made a determination. (Aug. 2, 2019)

  • EPIC provided comments to the FTC on the agency's proposed update to the Safeguards Rule on data security for financial institutions. In the proposal, the FTC highlighted that EPIC "recommended that certain practices set forth in the FTC's Safeguards Rule Guidance, such as employee background checks, authentication requirements, and encryption, should be mandatory." EPIC's comments (1) express support for the FTC's decision to mandate baseline security requirements, (2) request that the Safeguard Rules apply to all organizations and companies that collect consumer data, and (3) urge the FTC impose data minimization requirements. Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S. (Aug. 1, 2019)

  • EPIC, the Center for Digital Democracy, and the Consumer Federation of America have written to the Senate Rules Committee regarding a closed-door meeting of a Senate “Tech Task Force.” The groups allege that the meeting violated the Senate Rules of Procedure for open meetings, public notice, and recording of Committee meetings. As EPIC and the groups explained, "the Senate Rules of Procedure establish a strong presumption that meetings of the Senate shall be open to the public." There are six narrow exceptions to this rule, none of which apply to the meeting of the “Judiciary Committee Tech Task Force” held on July 18, 2019 in the hearing room of the Senate Judiciary Committee. The meeting included four industry lobbyists, members of the Senate and their staff. The public and the press were not notified of the meeting, nor were they invited, nor was a record of the meeting created. EPIC, CDD, and CFA asked the Rules Committee to open an investigation and make a determination, and then instruct the Member to conduct meetings in accordance with the Senate Rules and Regulations. The groups said "Open meetings, public notice, and hearing records are central to the integrity of the United States Senate.” The groups wrote earlier to the Senator who organized the Tech Task Force, expressing support for the initiative but also urging her to establish a more "open, inclusive process." (Aug. 1, 2019)

  • The National Security Commission on Artificial Intelligence, following months of closed-door meetings, has released a four-page initial report. The disclosure follows an EPIC Freedom of Information Act request seeking the report and related records. Created by Congress in 2018, the AI Commission is tasked with considering “the methods and means necessary to advance the development of” AI to address national security and defense needs. But the Commission’s initial report makes no mention of the risks of AI, “international humanitarian law, and escalation dynamics," despite Congress’s express instructions to address these concerns. The report also contains no discussion of protecting privacy and civil liberties, as is required by an Executive Order concerning "American Leadership on Artificial Intelligence." Representatives of large tech firms, including Google and Microsoft, dominate the Commission. According to the report, the Commission has held 13 plenary and working group meetings in secret—a clear violation of the Federal Advisory Committee Act. (Aug. 1, 2019)

  • Senator Dianne Feinstein (D-CA) has introduced the Voter Privacy Act, S. 2398, a bill to ensure privacy with respect to voter information. The Act would give voters basic rights regarding their personal data: right of access, right of notice, right of deletion, right to prohibit transfer, and the right to prohibit targeting. The Federal Election Commission would oversee enforcement of the Act. “Political candidates and campaigns shouldn’t be able to use private data to manipulate and mislead voters. This bill would help put an end to such actions,” Senator Feinstein said. The bill cites EPIC Advisory Board members Julie E. Cohen's forthcoming publication “Between Truth and Power,” quoting "today's networked information flows are optimized to produce what social psychologist Shoshana Zuboffcalls instrumentarian power: They employ a radical behaviorist approach to human psychology to mobilize and reinforce patterns of motivation, cognition, and behavior that operate on automatic, near-instinctual levels and that may be manipulated instrumentally.” The Voter Privacy Act was referred to the Senate Rules Committee. (Aug. 1, 2019)

  • The Pew Charitable Trusts reports that of the 24 states legislatures that considered data privacy legislation in 2019, only a few have passed new laws. Last year, California passed the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. This month, New York state passed the Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. According to the National Conference on State Legislatures, more than 100 privacy bills are currently pending in the states. The EPIC State Policy Project monitors privacy bills nationwide (Jul. 31, 2019)

  • EPIC has filed a Freedom of Information Act request with the Department of Commerce seeking documents about Executive Order 13,880, "Collecting Information About Citizenship Status in Connection With the Decennial Census." The executive order requires federal agencies across the government to transfer personal data, subject to Privacy Act safeguards, to the Department of Commerce to determine citizenship "status." Trump also ordered the Commerce Department to develop mechanisms for expanding the collection of data, including collecting data from state governments. Trump vowed that the government "will leave no stone unturned" when seeking citizenship information from every person living in the United States. EPIC recently sent a statement to Congress, warning that the executive order could undermine Privacy Act safeguards. EPIC opposed a similar effort by the Privacy Advisory Commission on Election Integrity to gather personal data from the states. The program was eventually suspended, the data deleted, and the Commission disbanded. (Jul. 31, 2019)

  • New York state passed the Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. The SHIELD Act requires notification to affected consumers when there is a security breach, broadens the scope of covered information, expands the definition of data breach, and extends the notification requirement to any entity with private information of a New York resident. Governor Cuomo said: "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data." Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S. and also warned that federal preemption of state privacy laws will lead to an increase in data breaches and financial fraud. (Jul. 30, 2019)

  • After a settlement with Equifax, consumers can now file a claim for free credit monitoring or a cash payment of $125. If you spent time recovering from the breach or lost or spent money because of the breach, you can request payment of up to $20,000. Credit monitoring or the $125 cash payment is easy and requires no documentation, though the actual amount provided may be less depending on the total number of claims. Supporting documents are necessary if you seek payment for time lost or costs because of the breach. The settlement also requires Equifax to provide all U.S. consumers with 6 free credit reports per year. EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer remedies following the 2017 data breach. (Jul. 30, 2019)

  • Capital One bank announced that a criminal hacker stole the personal information of 106 million people who had applied for credit, including credit scores, social security numbers, and bank account numbers. By some measures, it is the largest data breach of a US bank in history. The FBI arrested the alleged hacker and filed a complaint in federal court. Capital One joins a long list of companies that have had data breaches in recent years. In testimony before the Senate and the House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. EPIC has recently renewed calls for the creation of a US Data Protection Agency. (Jul. 30, 2019)

  • The Court of Justice for the European Union has ruled websites embedding the Facebook "like" button are responsible for user privacy. Facebook's tracking technique collects the personal data of visitors to a third-party website and transfers it to Facebook. In Fashion ID v Verbraucherzentrale NRW, the Court stated FashionID can be held jointly responsible with Facebook for compliance with Europe's data protection rules. Fashion ID must obtain prior consent from users or have a legitimate interest in processing their data. The case concerns Europe's 1995 privacy law, but implicates similar terms in the new EU General Data Protection Regulation. EPIC Senior Counsel Alan Butler also recently appeared before the Court of Justice in DPC v. Facebook. The landmark case considers whether the transfer of data to the U.S. using standard contract clauses violates fundamental rights. (Jul. 29, 2019)

  • EPIC has filed a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users. The case concerns a proposed settlement between the FTC and Facebook. EPIC said the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Back in 2011, EPIC also urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2. More info at https://epic.org/privacy/facebook/epic2019-challenge/ (Jul. 26, 2019)

  • EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission seeking all consumer complaints pending before the Commission at the time the agency entered into the settlement with Facebook. The proposed settlement order "resolves" all consumer complaints alleging violation of the consent order prior to June 12, 2019. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. Many US privacy organizations have also filed detailed complaints with the Commission, alleging that Facebook's business practices violate the FTC Act and also the Children's Online Privacy Protection Act. The release of the information sought by EPIC could help the public and the Congress assess the adequacy of the proposed settlement. (Jul. 25, 2019)

  • The Senate Intelligence Committee has released the results of its investigation into Russian interference in the 2016 Presidential Election. The Committee found "extensive" Russian interference dating back to 2014. The EPIC Democracy and Cybersecurity Project has pursued numerous FOIA cases concerning Russian interference with the 2016 election. In EPIC v. DOJ, EPIC is seeking the complete, unredacted Mueller Report. Hearings will will take place in federal court on August 5 and August 9. In EPIC v. FBI (response to Russian cyberattacks), EPIC obtained the FBI victim notification procedures. In EPIC v. ODNI (Russian hacking), EPIC confirmed that Russia engaged in a "multi-pronged" attack against the U.S. elections. In EPIC v. IRS I, EPIC sought the release of President Trump's tax returns. In EPIC v. IRS II, EPIC is seeking the release of related business returns. And in EPIC v. DHS (election cybersecurity), EPIC obtained documents about election security procedures. (Jul. 25, 2019)

  • Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced this week, the Commission failed to do so. (Jul. 25, 2019)

  • In a 429-3 vote, the House passed a bill to combat the onslaught of robocalls. The Stopping Bad Robocalls Act would increase the fines for illegal robocalls, require phone companies to block robocalls by default, require more businesses to obtain consumer consent before calling, and much more. The Act comes two months after the Senate passed a similar bill—the Traced Act—with near unanimous support. Many criticized the Senate's bill for not going far enough. EPIC joined a coalition of consumer groups that urged members of Congress to support the House bill. EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments, and filed multiple amicus briefs emphasizing the need to limit robocalls. (Jul. 25, 2019)

  • U.S. Senators Patrick Leahy (D-Vt.) and Patty Murray (D-Wash.) have reintroduced legislation that would strengthen privacy protections through limiting warrantless border searches. Customs and Border Protection officials are currently authorized to stop and search drivers without a warrant or even reasonable suspicion of wrongdoing within 100 miles of any U.S. border. They can also search private land within 25 miles of the border. In practice, this means government officers have authority to conduct searches without cause in a region that includes nearly two-thirds of the U.S. population. The Border Zone Reasonableness Restoration Act of 2019 would reduce the "border zone" from 100 miles to 25 miles and only allow officers access to private property within 10 miles of the border. A companion bill was introduced in the House of Representatives by Representative Peter Welch (D-Vt.). EPIC has long advocated against privacy-invasive border surveillance and has filed numerous lawsuits to force CBP and Immigration and Customs Enforcement to be more transparent about their border surveillance practices. (Jul. 25, 2019)

  • Senators Chuck Grassley (R-IA), Patrick Leahy (D-VT), John Cornyn (R-TX), and Dianne Feinstein (D-CA) have introduced the Open and Responsive Government Act (S. 2220) to reverse the recent Supreme Court decision in Food Marketing Institute v. Argus Leader Media which overturned over 40 years of Freedom of Information Act precedent. The bill codifies the National Parks test, requiring that information may only be withheld from the public if disclosure would cause "substantial competitive harm" to the oompany that provided that information to the government. The bill also makes clear that agencies may only redact information under the FOIA's nine exemptions and cannot redact information as "non-responsive." In a press release Senator Leahy said, "The bill would limit the extent to which the government can use a recent Supreme Court opinion to justify abuses of a particular FOIA exemption to withhold information. And it would codify another court decision - one that the Trump administration increasingly ignores - prohibiting the government from withholding information on the tenuous rationale that it is supposedly not responsive to the FOIA request." According to Senator Grassley, "This balanced and bipartisan bill . . . mak[es] crystal clear where Congress stands on the public's right to know." EPIC submitted an amicus brief in the Food Marketing Institute case, warning the Court that changing the National Parks standard would deprive the public and groups such as EPIC access to important government information. EPIC frequently uses the FOIA to promote government oversight. (Jul. 25, 2019)

  • The Federal Trade Commission announced today the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims.” But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users, gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said today, “The FTC’s action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency." (Jul. 24, 2019)

  • EPIC has sent a statement to Congress, warning that President Trump's Executive Order on Collecting Information about Citizenship Status could undermine Privacy Act safeguards. EPIC said "Although President Trump has abandoned his quest to seek citizenship information through the 2020 Census, the plan to aggregate data from other agencies in the Commerce Department is also problematic." EPIC explained that the "Executive Order contemplates both the collection of statistical data and the use of citizenship data for determinations about individuals." EPIC opposed the citizenship question in the 2020 Census, arguing in federal court that the Census Bureau failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns." (Jul. 23, 2019)

  • EPIC has sent dozens of copies of "The Mueller Report: EPIC v. Department and the Special Counsel's Report on Russian Interference in the 2016 Presidential Election" to members of the House Judiciary Committee and the House Permanent Select Committee on Intelligence. Mr. Mueller is scheduled to testify before both committees on Wednesday, July 24. The book, also available at Amazon, chronicles EPIC's efforts, in a Freedom of Information Act lawsuit, to obtain the complete, unreacted report. The case is now fully briefing and hearings on the release of the complete Mueller report and related materials will take place before Judge Reggie Walton on August 5 and August 9. EPIC has also organized a panel discussion at Busboys and Poets this evening to discuss the upcoming testimony of Mr. Mueller and EPIC's case. (Jul. 23, 2019)

  • EPIC has submitted an amicus brief in State v. Andrews, a New Jersey Supreme Court case about the compelled disclosure of a cell phone passcode. In the brief, EPIC argued that the Fifth Amendment limits the ability of the government to obtain cellphone passcodes. EPIC explained that the U.S. Supreme Court's decisions in Riley v. California and Carpenter v. United States found that the vast amounts of personal data stored in cell phones "justifies strong constitutional protections." EPIC also explained that exceptions to the Fifth Amendment were adopted before personal information was "consolidated in one place." EPIC has long filed "friend of the court" briefs arguing that constitutional protections should keep pace with advances in technology. EPIC filed amicus briefs in Carpenter and Riley, which both involved the searches of cellphones. The U.S. Supreme Court cited EPIC's amicus brief in its opinion. (Jul. 23, 2019)

  • A proposed settlement with Google concerning the Street View program will provide no actual benefit to class members. With Street View, Google not only captured digital images of streets but also intercepted private wifi communications, including passwords. Beginning in 2007, EPIC and other consumer groups spent several years urging federal and state regulators to act. In 2013, 38 State Attorneys General settled claims against Google. In that settlement, Google agreed to end the collection of network data and launch a public service campaign to help users install secure wireless networks. Six years later, lawyers have just put before a federal judge a settlement that proposes that the company again end the program and launch a public service campaign. Chief Justice Robert has raised "fundamental concerns" about settlements that provide no benefits to class members and no change in business practices. In a cy press case earlier this year, Justice Thomas opposed the Gaos settlement, which also involved Google, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims." EPIC seeks to promote class action fairness and has proposed objective criteria that courts should consider to protect the interests of Internet users in class action settlements. (Jul. 22, 2019)

  • The CFPB, the FTC, and 48 State AGS today announced a settlement with Equifax arising from the 2017 data breach that compromised personal data of 143 million Americans. The company, which offers authentication services, failed to safeguard the names, addresses, dates of birth and SSNs of 147 million Americans, and then failed to act once aware of the breach. EPIC President Marc Rotenberg testified before the House in 2018 and the Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that "the Equifax data breach is one of the most serious in the nation's history." EPIC urged lawmakers to update federal privacy laws and also ensure that the CFPB pursues an effective investigation. In the Harvard Business Review, Rotenberg explained the significance of the breach. "Reforms should not just fix these problems but also aim to transform the industry for the better," he wrote. Under the terms of the settlement, Equifax will pay up to 425 million to consumers impacted by the breach as well as a 100 million civil fine. EPIC has recently renewed calls for the creation of a US Data Protection Agency. (Jul. 22, 2019)

  • EPIC has filed its closing brief in EPIC v. Department of Justice, EPIC's case for the release of the complete and unredacted Mueller Report. EPIC warned the Court that “details about ongoing vulnerabilities in the US election system remain hidden from public view. The roles of well-known public officials and public figures in an effort by a foreign government to change the outcome of a US Presidential election are still kept behind a shroud of secrecy.” Judge Reggie B. Walton previously said EPIC's case should move "as expeditiously as humanly possible" and ordered the parties to brief the case on an accelerated schedule. A hearing on EPIC's motion is set for August 5. The case is EPIC v. Department of Justice, No. 19-810 (D.D.C.). Copies of the Mueller report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore. EPIC will host a panel discussion on the Mueller Report at Busboys and Poets in Washington, D.C. on Tuesday, July 23. (Jul. 19, 2019)

  • EPIC has filed its opening brief in EPIC v. DOJ, a Freedom of Information Act case concerning predictive policing, algorithmic transparency, and executive privilege. EPIC’s case, now before the D.C. Circuit Court of Appeals, seeks the public release of a report on AI techniques in the criminal justice system. Last year, a lower court allowed the agency to assert the “presidential communications privilege” and withhold the report, but neither the D.C. Circuit nor the Supreme Court has ever permitted a federal agency to invoke that privilege. “The records sought in this [FOIA] case concern the use of predictive analytic techniques in the U.S. criminal justice system, a topic of vital public interest,” EPIC wrote. "But the questions presented on appeal have even broader significance for open government.” EPIC has pursued numerous FOIA cases concerning algorithmic transparency, passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. (Jul. 19, 2019)

  • EPIC organized a coalition letter to Senator Blackburn (R-TN) and Senator Feinstein (D-CA), urging them to work with consumer and privacy groups in the newly formed Senate Judiciary tech task force. Yesterday Blackburn held a closed-door session with representatives from tech companies, including Snap and Mozilla. The coalition letter said "We need you to pursue an open and inclusive process that ensures that meetings are held in public, that a record is established, and that the voices of consumers are heard." The groups also said "the United States needs comprehensive, baseline federal legislation" and "an independent data protection agency." The groups concluded, "We can no longer let industry groups and ineffective agencies decide how much privacy Americans may have." (Jul. 19, 2019)

  • In a statement to the Senate Judiciary committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram. (Jul. 18, 2019)

  • EPIC has launched a campaign urging the creation of a Data Protection Agency in the United States. In a recent statement, EPIC President Marc Rotenberg said "A data protection agency is the cornerstone of effective privacy protection. Data protection agencies act as ombudsmen for the public. They encourage innovation and good business practices. They identify emerging privacy challenges and pursue solutions. They take enforcement action when necessary and they impose penalties that are meaningful." EPIC has repeatedly told Congress that the FTC is not an effective privacy agency. Earlier this year, EPIC joined other organizations in support of "A Framework for Privacy Protection in the United States," which said "The US needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges." Visit epic.org/dpa for more information. (Jul. 18, 2019)

  • EPIC will host a panel discussion on the Mueller Report at Busboy's and Poets in Washington, DC on Tuesday, July 23. The event — "Behind the Black Ink" — precedes Robert Mueller's testimony next week before the House Judiciary and the House Intelligence Committees. Mueller's two-year investigation produced a 448-page report about Russian interference in the 2016 U.S. Presidential Election. EPIC is currently litigating a Freedom of Information Act lawsuit to obtain the complete, unredacted report. Speakers at the EPIC event include Alan Butler, Ryan Goodman, Jason Leopold, Marcy Wheeler, and Anne Weismann. (Jul. 18, 2019)

  • Civil society advocates are set to form a new NGO to promote privacy in Russia, Central, and Eastern Europe. The initiative was convened by Simon Davies, founder of Privacy International and author of "Privacy: A Personal Chronicle." EPIC's Public Voice Fund provided the seed funding for the project. EPIC President Marc Rotenberg said "We appreciate the good work of NGOs and academics to undertake this important collaboration." The initiative's Moderator, former Ombudsman of Georgia, Ucha Nanuashvili, stated "in the former Soviet states there's an urgent need for an initiative that brings together advocates and experts in a strong alliance." The annual meeting of the International Data Protection and Privacy Commissioners will be held this year in Tirana, Albania. The Public Voice plans to host a civil society event. (Jul. 18, 2019)

  • Former Supreme Court Justice John Paul Stevens passed this week. He was 99. EPIC remembers Justice Stevens for his many important opinions on privacy, open government, and the First Amendment. Justice Stevens played a pivotal role in cases concerning the Constitutional right of anonymity. In McIntyre v. Ohio (1995), he wrote for the Court "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority." In Watchtower Bible, a case concerning a permit requirement for pamphleteers, he said for the Court "It is offensive . . . to the very notion of a free society that in the context of everyday public discourse a citizen must first inform the government of her desire to speak to her neighbors and then obtain a permit to do so." And in Hiibel v. Sixth Judicial District (2004), Justice Stevens wrote in dissent opposing a state stop and identify law, "A name can provide the key to a broad array of information about the person, particularly in the hands of a police officer with access to a range of law enforcement databases." Stevens was also a cryptographer for the Navy during World War II. (Jul. 17, 2019)

  • For a hearing on "Google and Censorship through Search Engines," EPIC sent a statement to the Senate Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But the European Commission found that Google rigged search results to give preference to its own shopping service. The European Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Jul. 17, 2019)

  • Today EPIC filed an expedited Freedom of Information Act request with the Federal Trade Commission, seeking the public release of the proposed settlement with Facebook. Last week the Wall Street Journal first reported that the FTC approved a $5 billion settlement with Facebook for violating a 2011 consent order that EPIC helped obtain. However, details about the settlement have not been disclosed. In January, EPIC recommended that the FTC 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. In a series of FOIA cases, EPIC uncovered the biennial audits of Facebook, the number of complaints pending against Facebook at the Commission (26,000), and records of meetings by the chief agency official responsible for overseeing enforcement. EPIC also launched the #EnforceTheOrder campaign. (Jul. 15, 2019)

  • Former EPIC Advisory Board member Tim Wu will testify this week before a House committee regarding online platforms and market power. EPIC previously told the Subcommittee on Antitrust that "the internet advertising system today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The current model is not sustainable. Privacy rules can help level the playing field." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Jul. 15, 2019)

  • In advance of Congressional hearings on Facebook's plan to launch its own cryptocurrency called Libra, EPIC has sent statements to Senate and House Committees stating that "Facebook clearly cannot be trusted with consumers' financial data." EPIC noted Facebook's history of misrepresentations to regulators, highlighting the promises Facebook made when the company acquired WhatsApp regarding user privacy — promises Facebook has since broken. EPIC also discussed the Cambridge Analytica scandal and outlined Facebook's long history of failing to protect user data. As reported, a pending settlement with Facebook would not address proposals made by EPIC and others to strengthen Facebook's protection of user data. EPIC urged Congress to block Facebook's entry into cryptocurrency. (Jul. 15, 2019)

  • On July 11, 2019, the National Security Commission on Artificial Intelligence held its third meeting behind closed doors. Created by the National Defense Authorization Act for Fiscal Year 2019, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address the national security and defense needs of the U.S. Representatives of large tech firms, including Google and Microsoft, dominate the Commission. Like its first meeting in March, the AI Commission provided no notice of the meeting and no opportunity for public participation. According to reports, the AI Commission received briefings on AI research, national security uses of AI, and preparing the workforce for AI. The AI Commission's mandate specifies that comprehensive reports be made available to the public. EPIC previously filed a Freedom of Information Act request seeking a copy of the AI Commission report, which has still not been released to the public. (Jul. 15, 2019)

  • EPIC provided comments to the European Commission to inform the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, and an executive order to collect data about non-citizens from across the federal government. EPIC also applauded appointments to the PCLOB and the U.S. endorsement of the OECD AI Principles. The Commission approved Privacy Shield last year, but urged the U.S. to adopt privacy legislation and to join the International Privacy Convention. The European Commission will make a determination about whether to renew the Privacy Shield this fall. (Jul. 15, 2019)

  • The IRS has issued a final rule to encourage employers to truncate employees' social security numbers (SSNs) on copies of W-2s and other forms furnished to employees. The new rule is intended to aid employers' efforts to protect employees from identity theft. EPIC submitted comments to the IRS in support of the rule, but argued that the rule should require employers to truncate SSNs rather than only allowing them to do so. EPIC said: "W-2 forms have been the target of several high-profile breaches" and recommended that the IRS require truncated SSNs "to protect employees from future breaches." EPIC has participated in the leading cases involving the privacy of the SSN and has frequently testified in Congress about the need to establish privacy safeguards for the SSN to prevent identity theft and financial fraud. (Jul. 15, 2019)

  • The Federal Trade Commission has reportedly approved a $5 billion fine against Facebook, the largest fine in the Commission's history. EPIC brought the original complaint to the FTC that led to the 2011 Consent Order against Facebook. This is the first enforcement action the FTC has taken against Facebook in the eight years since the Consent Order was put in place. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC also launched the #EnforceTheOrder campaign to urge action by the FTC. In January, EPIC recommended that the FTC enforcement action 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. (Jul. 12, 2019)

  • Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 m fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.”) (Jul. 11, 2019)

  • President Trump announced today that he will order federal agencies to transfer personal data to the Department of Commerce to determine the number of non-citizens in the United States. Trump stated, "We will utilize these vast federal databases to gain a full, complete, and accurate count of the non-citizen population including databases maintained by the Department of Homeland Security, and the Social Security Administration." President Trump has abandoned his quest to seek citizenship information on the 2020 Census after the Supreme Court ruled that the Commerce Department's decision to collect citizenship data "cannot be adequately explained" by the rationale provided by the agency. EPIC separately sought to block the Census Bureau's collection of citizenship data because the agency failed to complete required privacy impact assessments. Last month, the D.C. Circuit issued a decision in the case, ruling that EPIC did not have a legal basis to obtain Privacy Impact Assessments from the federal government. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns." The federal Privacy Act also imposes limits on the ability of federal agencies to transfer personal data to other agencies. The DHS has previously stated that DACA applicant information would be used exclusively for the purposes for which it was provided. (Jul. 11, 2019)

  • As a result of EPIC's Freedom of Information Act request, the Federal Trade Commission released records indicating that FTC Associate Director of Enforcement James A. Kohm participated in at least 162 meetings since the Commission adopted the consent order with Facebook in 2011. Almost 140 meetings occurred after Facebook admitted to the unlawful transfer of over 87 million user profiles to Cambridge Analytica. In March 2018, the FTC said it would reopen investigation of Facebook, but the agency has never taken an enforcement action against the country. EPIC launched the #EnforceTheOrder campaign this year to urge action by the FTC. (Jul. 11, 2019)

  • A federal court in Georgia has ruled that Georgia election officials must allow the Coalition for Good Governance to review the state's election management databases. The Coalition argued that the databases "provide the roadmap that needs to be analyzed to identify flaws" in the state election system. EPIC recently filed an amicus brief in the case, joined by 31 legal scholars and technical experts. EPIC asked the federal court to stop Georgia's use of Direct Recording Electronic voting machines. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail that enables auditing, and subject vote tallies to manipulation by remote adversaries. EPIC told the court, "the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions." The case is Curling v. Raffensperger. (Jul. 11, 2019)

  • Senators from across the aisle have criticized recent changes to the Freedom of Information Act and vow to introduce legislation to reform the FOIA. In Food Marketing Institute v. Argus Leader Media, the Supreme Court recently narrowed public access to government records. A few days later, the Environmental Protection Agency changed its FOIA regulations without a public comment opportunity. The EPA's changes are similar to the Department of the Interior's "awareness review" that allows political appointees to decide whether to withhold information and issue a misleading "no records" response. Senators Ed Markey (D-MA) and Chuck Grassley (R-IA) are both considering legislation in response. Senator Grassley stated, "[the] recent Supreme Court ruling and even new regulations in the EPA and the Department of Interior are undermining access to public information. . . Americans deserve an accountable government, and transparency leads to accountability." EPIC wrote an amicus brief in Food Marketing Institute, warning the Court that a change in the FOIA "would deprive the public, and government watchdogs such as EPIC, of access to important information about 'what the government is up to.'" EPIC frequently uses the FOIA to promote government oversight. (Jul. 11, 2019)

  • The White House is requesting public comment on which federal data and models should be made available for AI research, development, and testing. Comments are due by August 8, 2019. The request for public comments follows from the Executive Order on Artificial Intelligence, which also requires agencies to identify privacy, civil liberties, and security concerns associated with access federal data sets. The Privacy Act of 1974 imposes limits on how government agencies collect, use, and transfer personal data. In Scientific American, EPIC has strongly favored greater use of federal data that is not personally identifiable, such as statistical data and data concerning climate change, but has warned against the use of personal data maintained by federal agencies for AI projects. EPIC also recently filed comments with the National Institute of Standards and Technology urging the U.S. to implement the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI, which both emphasize the importance of privacy protection in AI research. (Jul. 11, 2019)

  • As the result of an EPIC lawsuit, the Department of Homeland Security has suspended a controversial effort to track journalists, news outlets, and social media accounts. The "Media Monitoring Services" platform would have included an "unlimited" database of personal information from journalists and media influencers, including location data, contact information, employer affiliations, and past content. EPIC filed suit last year to block the program, arguing that the DHS had failed to complete required Privacy Impact Assessments. In a settlement with EPIC, the agency acknowledged that it was not using the proposed system and agreed to complete required Privacy Impact Assessments before collecting personal data in the future. EPIC also obtained records showing that the DHS ignored the harms that media monitoring would have caused to privacy and press freedoms. (Jul. 11, 2019)

  • EPIC and a coalition of government transparency advocates have urged Senate and House leaders to remove a proposed change to the Intelligence Authorization Act for Fiscal Year 2020 that would dramatically expand the crime of disclosing the identity of intelligence agents. The CIA has been lobbying Congress to modify the Intelligence Identities Protection Act's penalties, which could be applied to whistleblowers, public interest organizations, and journalists who try to expose mismanagement, fraud, and corruption in the intelligence community. The letter from open government advocates also warned that the amendment could obstruct congressional oversight, weaken government accountability, limit public access to information, and chill journalists and public interest organizations. (Jul. 11, 2019)

  • In comments on the Federal Aviation Administration's proposal to renew the drone registration system, EPIC urged the agency to move quickly on a drone ID broadcasting requirement. EPIC explained that the European Union has recently established comprehensive rules for drone operators, including a requirement for realtime ID that aligns with EPIC's previous recommendations to the FAA. The EU will require real-time broadcasting of the drone operator registration number, the geographical position of the drone, the drone route course, and the position of the drone operator. In a letter to the FAA earlier this year, Senators Edward Markey (D-MA) and John Thune (R-SD) also urged the FAA to establish a rule for the real-time, remote identification of drones. (Jul. 11, 2019)

  • The Administrative Office of the U.S. Courts has issued the 2018 report on activities of the Foreign Intelligence Surveillance Court. The 2018 report reveals a significant decline in the number of total applications to the FISC. There were 1,318 FISA applications in 2018, down by three hundred applications from the total of 1,614 in 2017. The scrutiny of FISA applications by the Court remained steady after an uptick last year: 985 orders were granted, 261 orders were modified, 42 orders were denied in part, and 30 applications were denied in full. EPIC testified before Congress in 2012 on the need to improve review of FISA applications. EPIC Senior Counsel Alan Butler also recently appeared before Europe's highest court to provide expert analysis on U.S. surveillance law, including FISA authorities. (Jul. 11, 2019)

  • The White House is today hosting a social media summit to examine allegations of bias and censorship. EPIC objected to an earlier White House survey on this topic, noting that the White House failed to protect the privacy of respondents. EPIC told the White House that "this data collection is unlawful, unconstitutional, and itself a violation of the First Amendment." The White House has since disabled the survey. To address concerns about bias, EPIC supports algorithmic transparency and has urged federal agencies and Congress to mandate algorithmic transparency. In 2007, EPIC explained to Congress that after Google acquired YouTube, Google substituted its own subjective algorithm based on "relevance" for objective criteria, such as number of hits and user ratings. The practical consequence was to elevate the rankings of Google's own web pages and to demote the ranking of other web pages, including EPIC's. Senator Josh Hawley (R-MO) recently introduced the "Ending Support for Internet Censorship Act," which would require tech companies to submit to an external audit that proves that their algorithms and content-removal practices are politically neutral. (Jul. 11, 2019)

  • EPIC and over 35 organizations have urged Congress to halt the use of face recognition technology on the general public. The letter states that face recognition technology poses serious risks to privacy and civil liberties, threatens immigrants, broadly impacts American citizens, and has been implemented without proper safeguards or explicit Congressional approval. At a hearing this week, the House Homeland Security Committee will examinee face recognition technology. Documents previously obtained by EPIC under the FOIA, and featured at Buzzfeed, revealed flaws in facial recognition at airports. Bias is also a significant problem with the identification technique. EPIC highlighted these problems in comments to the agency and previously recommended a suspension of facial recognition at US airports. (Jul. 9, 2019)

  • The Ninth Circuit has again found that the Telephone Consumer Protection Act limits the ability of government debt collectors to make robocalls. The law prohibits automated calls to cell phones, except in emergencies or with the consent of the called party. But in 2015 Congress created an exception for calls made to collect debts guaranteed by the federal government. In Duguid v. Facebook, the Ninth Circuit found that the exception violated the First Amendment because it preference debt collectors over other companies that could might use robocall technology. The outcome is favorable for consumer privacy. EPIC filed a "friend of the court" brief in Gallion v. Charter Communications, a similar case in the Ninth Circuit, arguing that "the TCPA prohibitions are needed now more than ever." EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Jul. 9, 2019)

  • EPIC and the National Consumer Law Center have filed an amicus brief in a case concerning the scope of the federal law, the Telephone Consumer Protection Act, that protects consumers against robocalls. In Gadelhak v. AT&T Services, EPIC and NCLC argued that list-based systems are included among the law's definition of "autodialers." To do otherwise, the brief explained, "would undermine the law's effectiveness by inviting easy circumvention and rendering the restriction obsolete." EPIC and NCLC further explained that the "mass texting from a list, such as the system used by AT&T in this case, is precisely the type of technology the TCPA sought to restrict." The amici warned that a narrow interpretation of the law "would accelerate the rising levels of robocalls and texts." EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Jul. 9, 2019)

  • EPIC and 32 organizations have urged Florida Governor DeSantis to postpone the implementation of a proposed school safety database. The groups warned that the system could label students as threats based on data such as physical disabilities or those seeking mental health care. The signatories asked Governor DeSantis to immediately halt the database project and create a commission to propose measures that effectively identify and mitigate school safety threats. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. (Jul. 9, 2019)

  • This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0." follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th. (Jul. 8, 2019)

  • EPIC joined a coalition of consumer groups in a letter to Congress calling for an end to Facebook's Libra plan. Facebook, the world's largest social network company, said it planned to enter the global financial services market, likely sidestepping government oversight and democratic accountability. Several groups warned that "a careful assessment will show that the proposal is too dangerous to proceed." The coalition also identified "profound questions" about governance, national sovereignty, law enforcement, consumer protection, privacy, competition and systemic risk. Meanwhile, the Federal Trade Commission has failed to take any action in the fifteen months since the FTC reopened the investigation of Facebook, following the Cambridge Analytica scandal. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order against Facebook. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Jul. 3, 2019)

  • In an amicus brief for the D.C. Circuit Court of Appeals, EPIC has recommended that courts recognize a common law obligation to protect the personal data that companies choose to collect. In Attias v. CareFirst, Inc., inadequate security practices allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer. A lower court dismissed many of the privacy claims in the case. But EPIC argued to the appellate court that data breaches underscore the need for companies to be held liable for faulty security. EPIC said that courts should impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data that they collect. EPIC previously filed an amicus brief in this case supporting data breach victims. EPIC regularly files briefs defending consumer privacy. (Jul. 3, 2019)

  • The Census Bureau has confirmed that it will not collect personal data concerning citizenship status on the 2020 Census. The Bureau has instead ordered census forms to be printed without the proposed citizenship question. The decision follows a ruling by the U.S. Supreme Court blocking the citizenship question over the government's failure to provide a "reasoned explanation" for collecting citizenship information. EPIC filed a separate lawsuit to block the Census Bureau's collection of citizenship data because the agency had failed to complete required privacy impact assessments. The D.C. Circuit reached a decision in EPIC's case last week. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns." (Jul. 2, 2019)

  • EPIC has sent a letter to the Federal Aviation Administration, urging the agency to name privacy and security experts to the Drone Advisory Committee. EPIC filed suit last year to enforce the transparency obligations of the industry-dominated Committee, which conducted much of its work in secret. EPIC's case forced the Advisory Committee to release hundreds of documents that it unlawfully withheld. The documents obtained by EPIC show that the Committee recognized drone privacy risks and even planned to form a "Privacy Subcommittee." Yet the Committee entirely failed to address privacy issues before making final policy recommendations to the FAA. The FAA has recently come under criticism from members of Congress and the Department of Defense concerning commercial drones that enable remote surveillance. (Jul. 2, 2019)

  • The U.S. House of Representatives has filed suit to obtain six years of President Trump's personal tax returns from the IRS. Rep. Richard Neal, Chairman of the House Ways and Means Committee, has the authority under a section of the tax code to obtain the tax returns. But the IRS and Treasury Department have repeatedly refused to comply with the law. EPIC has sought the release of the President's tax records in two lawsuits: EPIC v. IRS I and EPIC v. IRS II. The D.C. Circuit's opinion in EPIC v. IRS I is cited in the House's complaint multiple times. EPIC previously urged Congress to obtain and publicly release of President Trump's tax returns. EPIC is seeking to determine the extent of Russian interference in the 2016 presidential election. (Jul. 2, 2019)

  • In an important step for transparency, the Privacy and Civil Liberties Oversight Board has published an inventory of current oversight activities. The Board announced it is reviewing NSA's search tool called "xkeyscore." The tool is used to search data collected under Executive Order 12333, a legal authority has not yet been subject to public oversight. EPIC previously sought public release of the PCLOB report on Executive Order 12333. The Board will also issue a public report on how the intelligence community is implementing proposed surveillance reforms. EPIC previously sent detailed comments to the Board, urging the oversight agency to become a "leader" in open government and recommending specific changes to agency practices regarding FOIA and open meetings. (Jul. 2, 2019)

  • Citizens for Responsibility and Ethics in Washington has filed an amicus brief in support of EPIC's case for the release of the full Mueller Report. CREW argued that the Justice Department cannot withhold parts of the Report as "deliberative" because the Report explains the Special Counsel's final decisions. "Especially in the context of an investigation into interference with our electoral process by a foreign power and potential links to the sitting President's political campaign, the public interest in disclosure is at an apex once the investigation is complete and the prosecutorial decisions have been made," CREW argued. EPIC recently moved for summary judgment to obtain the full Mueller Report. The case is EPIC v. Department of Justice, No. 19-810 (D.D.C.). Copies of the Mueller Report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore. (Jul. 1, 2019)

  • The D.C. Circuit has issued a decision in EPIC v. Commerce, EPIC’s suit to halt the collection of citizenship data in the 2020 Census over the government’s failure to complete required Privacy Impact Assessments. Under the E-Government Act, federal agencies must make Privacy Impact Assessments “publicly available” before undertaking a new collection of personal data. Yet the D.C. Circuit ruled that the statute does not “vest a general right of information in the public” that would allow parties to obtain information about the government’s data collection practices. The court acknowledged that EPIC can sue on behalf of its members, but concluded that one of the leading privacy organizations in the country did not have a legal basis to obtain Privacy Impact Assessments from the federal government. EPIC may appeal the decision. (Jun. 29, 2019)

  • In an amicus brief, joined by 31 legal scholars and technical experts, EPIC has asked a federal court to stop Georgia’s use of Direct Recording Electronic voting machines. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail that enables auditing, and subject vote tallies to manipulation by remote adversaries. DREs systems also undermine the secret ballot as particular voters could be linked to particular votes. EPIC told the court, “the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions.” In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy.. The case is Curling v. Raffensperger. (Jun. 28, 2019)

  • EPIC Advisory Board member and New York Law School Professor Nadine Strossen testified this week before the House Homeland Security Committee for a hearing on "Examining Social Media Companies' Efforts To Counter Online Terror Content and Misinformation." Professor Strossen advocated for non-censorial strategies to countering terror content and misinformation on social media. EPIC has previously told Congress that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. (Jun. 28, 2019)

  • The House of Representatives has passed the SAFE Act, an election security bill establishing cybersecurity safeguards for election equipment, prohibiting wireless modems in voting machines, and requiring paper ballots. The bill would also provide for grants to states that perform risk-limiting audits. EPIC, along with the U.S. Technology Policy Committee of the Association for Computing Machinery, recently filed comments to the Election Assistance Commission. The groups urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. "The EAC should ban the use of internet-connected voting machines and protect ballot secrecy," EPIC and USTPC said. EPIC has a long history of working to protect voter privacy and election integrity. (Jun. 28, 2019)

  • The Italian Data Protection Authority has fined Facebook 1 million euros for its misuse of personal data in the Cambridge Analytica scandal. The authority said that 57 Italian users downloaded the "ThisIsYourDigitalLife" app through Facebook, which enabled Cambridge Analytica to unlawfully collect the personal data of more than 200,000 Italians. Meanwhile, the Federal Trade Commission has failed to issue any fines or take any action against Facebook in the fifteen months since the Cambridge Analytica scandal broke. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order against Facebook. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Jun. 28, 2019)

  • The Senate has confirmed three members to the Privacy and Civil Liberties Oversight Board, including EPIC Advisory Board member Travis LeBlanc. LeBlanc is a partner at Boies Schiller, and former Federal Communications Commission Enforcement Bureau Chief. Aditya Bamzai and Ed Felten were also confirmed. Aditya Bamzai is a law professor at the University of Virginia and former Department of Justice attorney. Professor Ed Felten is a former Chief Technology Officer for the FTC, former Deputy White House Science Advisor, and past member of the EPIC Advisory Board. The confirmations establish a quorum for the long dormant agency. The European Parliament has called for suspension of the Privacy Shield if the U.S. does not to improve data protection and restore the PCLOB. EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. EPIC previously sought public release of the PCLOB report on Executive order 12333. In 2016, EPIC awarded the Champion of Freedom Award to former PCLOB Board Member Judge Patricia Wald. (Jun. 28, 2019)

  • EPIC Advisory Board member and Harvard Professor Latanya Sweeney testified this week before the House Science Committee for a hearing on "Election Security: Voting Technology Vulnerabilities." Professor Sweeney is the lead author on a paper that surveyed vulnerabilities in voter information websites in 2016. She found that the voter information websites for 35 states and DC were vulnerable to identity theft attacks, meaning a hacker could submit changes to voter registration information. Professor Sweeney recommended that Congress urge states to improve security on voter registration websites, such as using the latest version of CAPTCHAs. EPIC has long defended voter privacy including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. (Jun. 28, 2019)

  • Computers, Privacy and Data Protection, the leading international conference devoted to privacy and data protection, has opened a call for papers ahead of the 2018 conference. The 13th annual conference will take place in Brussels on January 22-24, 2020. The theme of the conference is "Data Protection and Artificial Intelligence." The CPDP 2020 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP Scientific Committee. The deadline for submission is Tuesday, October 1, 2019. EPIC is one of the founders of CPDP and an annual sponsor of the event. The EPIC International Champion of Freedom Award will be presented at CPDP. (Jun. 28, 2019)

  • Speaking at the G-20 Summit in Japan, German Chancellor Angela Merkel called for the European Commission to propose comprehensive regulation for artificial intelligence. "It will be the job of the next Commission to deliver something so that we have regulation similar to the General Data Protection Regulation that makes it clear that artificial intelligence serves humanity," Chancellor Merkel said. EPIC recently urged the U.S government to implement the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI as standards for U.S. AI policy. Over 250 experts and 60 organizations, representing more than 40 countries have endorsed the Universal Guidelines, which are intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights. (Jun. 28, 2019)

  • The U.S. Supreme Court has blocked the citizenship question from inclusion on the 2020 Census, upholding the result reached in a lower court. The Court ruled that the Commerce Department's decision to collect citizenship data "cannot be adequately explained" by the rationale provided by the agency. "Altogether, the evidence tells a story that does not match the explanation the Secretary gave for his decision," Chief Justice John Roberts wrote. Although the Court gave the Commerce Department a second chance to provide a "reasoned explanation" for the citizenship question, the government has said that it must begin printing forms by July 1—four days from now. EPIC is separately seeking to block the Census Bureau's collection of citizenship data because the agency has failed to complete required privacy impact assessments. A decision is expected soon from the D.C. Circuit. EPIC's case is EPIC v. Commerce, No. 19-5031 (D.C. Cir). EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns." EPIC said further "in failing to assess the risks that would result from the collection of personal data regarding citizenship status, the Census Bureau has violated its obligations under the E-Government Act." (Jun. 27, 2019)

  • A House subcommittee voted unanimously to advance a wide-ranging bill intended to crack down on robocalls. The Stopping Bad Robocalls Act (H.R. 3375) would enroll customers in free call-blocking programs and take more aggressive rulemaking steps to ensure people only get calls they ask to receive. The FTC also announced a partnership with state enforcers--"Operation Call it Quits"—to crack down on illegal robocalls. The initiative includes 94 actions targeting robocallers responsible for more than one billion calls. EPIC has worked to ensure that telephone users are protected from invasive business practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Jun. 27, 2019)

  • Special Counsel Robert Mueller will testify before Congress on Wednesday, July 17, according to the chairs of the House Judiciary and Intelligence Committees. "Americans have demanded to hear directly from the Special Counsel so they can understand what he and his team examined, uncovered, and determined about Russia's attack on our democracy," Chairmen Jerrold Nadler and Adam Schiff said in a statement. Mueller's testimony comes as EPIC is pursuing the release of the complete and unredacted Mueller Report in EPIC v. Department of Justice. Judge Reggie B. Walton will hold a hearing on EPIC's case August 5. Copies of the Mueller report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore. (Jun. 25, 2019) (Jun. 26, 2019)

  • The Privacy and Civil Liberties Oversight Board has announced three new oversight projects. The PCLOB reviews federal agency programs to ensure they do not diminish privacy and civil liberties. The Board said it will review: (1) the use of biometrics, such as facial recognition, in airports; (2) how the FBI queries data collected under the Foreign Intelligence Surveillance Act's Section 702, including searches for US person information called "backdoor searches"; and (3) oversight of passenger identity databases used by airlines. Earlier this year, EPIC sent a statement to the Board urging limits on the government use of facial recognition and and end to backdoor searches. In 2012, EPIC sent a detailed statement to PCLOB outlining priorities for the agency. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award. (Jun. 26, 2019)

  • EPIC has moved for summary judgment in EPIC v. Department of Justice, EPIC's case for the release of the complete and unredacted Mueller Report. EPIC told the Court that "the nation's ability to fully assess the Report is hindered by the decision of the Justice Department to withhold critical information from the American public." EPIC argued that the Justice Department had unlawfully redacted extensive material and urged Judge Reggie B. Walton to personally review the full Report. Judge Walton previously said EPIC's case should move "as expeditiously as humanly possible" and ordered the parties to brief the case on an accelerated schedule. A hearing on EPIC's motion is set for August 5. The case is EPIC v. Department of Justice, No. 19-810 (D.D.C.). Copies of the Mueller report obtained by EPIC, related materials, and background on the case is available for purchase at the EPIC Bookstore. (Jun. 25, 2019)

  • The Supreme Court has decided to review Georgia v. Public.Resource.Org, a case in which a federal appeals court ruled that Georgia cannot copyright any part of the state's code of laws. Georgia had previously charged citizens as much as $400 to access official "annotations" to the code, which establish the meaning of the state's laws. But the appeals court concluded that "the People are the owners of these works, meaning that the works are intrinsically public domain material and, therefore, uncopyrightable." The case will likely be argued before the Supreme Court in the fall. EPIC has long advocated for public access to court documents and other sources of law. In 2015, EPIC called on federal agencies to make statutes, regulations, adjudications, and relevant court documents freely available on agency websites. (Jun. 24, 2019)

  • The Supreme Court today narrowed public access to government documents by expanding the definition of "confidential" information. The 6-3 decision by Justice Gorsuch in Food Marketing Institute v. Argus Leader Media overturns four decades of caselaw which held that a company must show substantial competitive harm to block an open government request. Writing in dissent, Justice Breyer, joined by Justices Ginsburg and Sotomayor, emphasized that the FOIA required some showing of harm to prevent public release of business records collected by federal agencies. "The whole point of FOIA is to give the public access to information it cannot otherwise obtain." In an amicus brief, EPIC warned the Court that removing the harm requirement "would deprive the public, and government watchdogs such as EPIC, of access to important information about 'what the government is up to.'" EPIC described several of its own FOIA cases -- including the now defunct airport body scanner program and the ongoing probe of Facebook -- where access to commercial records made possible meaningful oversight and reform. Twenty members of the EPIC Advisory Board, distinguished experts in law, technology, and public policy, signed the amicus brief. (Jun. 24, 2019)

  • The White House has published the 2019 update of the National Artificial Intelligence Research and Development Strategic Plan. The report sets out priorities for U.S. AI policy. The 2019 report carries forward seven recommendations from the 2016 plan. The plan underscores the need to address the ethical, legal, and societal implications of AI (Strategy #3), emphasizes safety and security (Strategy #4), and the development of standards and benchmarks (Strategy #6). A new recommendation "focuses on the increasing importance of effective partnerships between the Federal Government and academia, industry, other non-Federal entities, and international allies to generate technological breakthroughs in AI." The 2019 report acknowledges input from "researchers, research organizations, professional societies, civil society organizations and individuals." Common themes included "the importance of developing trustworthy AI systems, including fairness, ethics, accountability, and transparency of AI systems." EPIC also recommended that the US AI strategy incorporate the Universal Guidelines for Artificial Intelligence in national policy. As the report notes, "beyond purely data-related issues, however, larger questions arise about the design of AI to be inherently just, fair, transparent, and accountable." (Jun. 21, 2019)

  • The D.C. Circuit Court of Appeals ruled today that the OPM Data Breach case can move forward, reversing an earlier dismissal by a lower court. The case concerns the data breach at the U.S. Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and their family members. The Court ruled that victims of the breach have the legal right, or "standing," to sue over the failure to protect their personal data. "It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft," the Court wrote. EPIC filed an amicus brief supporting the victims' standing and arguing that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." The Court ruled that OPM did not violate the constitution in this particular case but left the door open to future lawsuits to enforce the right to information privacy. (Jun. 21, 2019)

  • In response to a Department of Homeland Security request for comments on REAL ID, EPIC urged the agency to limit data collection and ensure transparency. EPIC recommended that the agency disclose the data it collects from the states. The REAL ID Act requires the states to gather certain personal information to create identity documents that will be accepted by the federal government. Many states opposed the plan. EPIC, supported by a broad coalition, opposed REAL ID because it created a de facto national identity system and exposed Americans to data breaches by criminal hackers who compromised the authenticating documents in state DMVs. EPIC detailed the problems with REAL ID in comments to DHS on the original proposal. (Jun. 21, 2019)

  • In a statement released today, EPIC's Marc Rotenberg said the privacy organization would lobby for the creation a data protection agency in the United States. Criticizing the failure of the FTC to enforce the consent order against Facebook, Rotenberg said "the Commission has turned its back on the American public...Instead of going after the dominant tech firms that pose the greatest threats to privacy and competition, the FTC has chosen instead to go after small businesses." EPIC's President explained that EPIC had not previously lobbied Congress, but would do so now, "we have decided that EPIC can no longer stand on the sidelines." The statement concluded, "A data protection agency is the cornerstone of effective privacy protection. Data protection agencies act as ombudsmen for the public. They encourage innovation and good business practices. They identify emerging privacy challenges and pursue solutions. They take enforcement action when necessary and they impose penalties that are meaningful. Virtually every democratic country has created a privacy agency. But the United States has not. As a consequence, data breach and identity theft continue to rise in the United States. The pace of mergers is accelerating and the rate of innovation is slowing." (Jun. 21, 2019)

  • In EPIC's lawsuit against the Department of Justice concerning the Mueller investigation, a federal court has ordered the agency to "complete its searches for records responsive" to EPIC's Freedom of Information Act request by August 8. The Court also ordered the parties to appear at a hearing on August 9 to determine a schedule for the production of records to EPIC. The Court had earlier set a hearing on August 5 to consider EPIC's challenges to the many redactions in the Mueller report. Judge Walton stated that the justice Department should process EPIC's open government request as "expeditiously as humanly possible." The case is EPIC v. DOJ, No. 19-810 (D.D.C.). (Jun. 21, 2019)

  • A member of the Hong Kong Legislative Council has reported that the Hospital Authority has disclosed the patient information of political protestors to law enforcement agencies. The Hospital Authority is the statutory body governing all Hong Kong public hospitals. The Authority has denied the allegation. The Council Member Dr. Chan this week produced the hospital records of 76 patients, containing their names, ID numbers, and time, date, and location of admission. On a page marked "For Police," the patients were listed as "mass gathering outside Legco." Legco is the Legislative Council of Hong Kong. So far, four protesters identified in the hospital records have been arrested. EPIC has long advocated for strong confidentiality protections for medical records. EPIC has also warned that data collection programs can stifle freedom of expression. (Jun. 20, 2019)

  • The Supreme Court today directed a lower court to reexamine PDR Network v. Carlton & Harris Chiropractic, a case which concerns a company's efforts to disregard an FCC rule about junk faxes. The Court told the Fourth Circuit to resolve "preliminary" questions about the legal effect of the FCC rule and the company's ability to challenge the rule through the agency process. EPIC filed an amicus brief in the case. EPIC explained that permitting companies to challenge FCC rules outside the process Congress established "will exclude the voices of consumers" in agency decision-making. EPIC also explained that the company's efforts to sidestep agency rules will benefit those "who have resources to attack FCC rules." EPIC and other consumer organizations routinely provide comments to federal agencies through the federal agency rule making process. EPIC also contributed to the development of the robocall and junk fax laws. EPIC has since worked to ensure that telephone users are protected from invasive business practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Jun. 20, 2019)

  • Senator Hawley (R-MO) has introduced the "Ending Support for Internet Censorship Act." The Act would require big tech companies to submit to an external audit that proves that their algorithms and content-removal practices are politically neutral. The bill would remove the immunity big tech companies receive under Section 230 of the Communications Decency Act if the FTC found that the algorithms and content-removal practices were not neutral. In 2007 EPIC explained to the Senate Judiciary Committee that after Google acquired YouTube, Google substituted its own subjective algorithm based on "relevance" for objective criteria, such as number of hits and user ratings. The practical consequence was to elevate the rankings of Google's own web pages and to demote the ranking of other web pages, including EPIC's. EPIC subsequently launched a campaign for algorithmic transparency and urged federal agencies and Congress to mandate algorithmic transparency. (Jun. 20, 2019)

  • The Senate Homeland Security Committee has advanced a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. "This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices," said sponsor Senator Mark Warner (D-VA). EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. The Committee also advanced a bill by Senators Gary Peters (D-MI) and Rob Portman (R-OH) that would promote coordination between the Department of Homeland Security and state and local governments in protecting against cyber threats. (Jun. 19, 2019)

  • In advance of an oversight hearing for the Consumer Product Safety Commission, EPIC wrote to the Senate Commerce Committee to say that the CPSC must do more to protect consumers and ensure security of IoT devices. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the Senate committee that "CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream." In 2017, EPIC and other consumer privacy groups petitioned the CPSC to recall Google Home Mini after it became known that a defect in the product set record to always on. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices. (Jun. 19, 2019)

  • EPIC has sent a statement to a Senate committee in advance of a hearing on drone security. EPIC pointed to the new rules for drone operators in Europe. The EU drone rules require real-time drone identification. In 2015, EPIC made very similar recommendations to the FAA to improve drone safety in the United States. EPIC pointed to widely available technology for boats and planes and said that an app should allow anyone to determine the course, location, operator, and purpose of a nearby drone. EPIC restated the remote ID recommendation proposal in a recent statement to the agency. In a letter to the FAA last month, Senators Edward Markey (D-MA) and John Thune (R-SD) also urged the FAA to establish a rule for the real-time, remote identification of drones. During the hearing, an FAA official said the agency will issue a rule on remote drone identification later this year. (Jun. 18, 2019)

  • In the midst of widespread protests in Hong Kong over a proposed law for extradition, several news organizations have noted that protesters have purchased transportation services in cash rather than use the contactless payment Octopus card. Each Octopus card has a unique serial number and stores transaction records. The Octopus cards are also used for school attendance and building access. The card easily tracks the location of users. The Octopus card was the subject of privacy investigations back in 2010. EPIC has long argued that government data collection programs can stifle freedom of expression and association. EPIC presented the 2019 Champion of Freedom award to Dr. Sophie Richardson for the work of Human Rights Watch concerning surveillance in China. (Jun. 17, 2019)

  • In a recent court filing, EPIC opposed Facebook's attempt to intervene in EPIC's lawsuit against the Federal Trade Commission for the release of records concerning the company's compliance with the 2011 Consent Order. EPIC told the court hearing EPIC v. FTC that Facebook does not have standing to intervene because it has not established that it would suffer a substantial competitive harm as a result of public disclosure of the information EPIC is seeking. EPIC also explained that under the Freedom of Information Act companies do not decide for themselves what information they wish to withhold from the public. EPIC's FOIA lawsuit is one of several activities that EPIC is pursuing to hold Facebook accountable for compliance under the 2011 consent order. In a related FOIA lawsuit, EPIC determined that there are more than 26,000 complaints against Facebook currently pending at the FTC. EPIC also launched the #EnforcetheOrder campaign to pressure the FTC to take enforcement action against Facebook. The case is EPIC v. FTC, No. 18-942 (D.D.C). (Jun. 17, 2019)

  • The FTC today announced a minor settlement with a company called SecurTest over its claims concerning the EU-U.S. Privacy Shield program. The Commission also sent letters to 13 small companies for falsely claiming participation in various privacy programs. The FTC issued no fines and took no further action. The proposed consent agreement is subject to public comment after publication in the Federal Register. The announcement comes more than a year after the Commission said it would reopen the investigation of Facebook, following the Cambridge Analytica scandal. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Jun. 14, 2019)

  • EPIC President Marc Rotenberg spoke this week with the Mueller Book Club, a national network committed to reading the Mueller Report, "cover to cover." Marc described EPIC's lawsuit to obtain the public release of the complete Mueller Report, and also EPIC's publication of the EPIC v. DOJ version of the Mueller Report, complete with the FOIA redactions and additional materials, available both in print and Kindle formats. Other speakers for the Mueller Book Club have included Eva Patterson, Gloria Steinem, Rep. Jerry Nadler, Ryan Goodman, and Neal Katyal. (Jun. 14, 2019)

  • Earlier this week, the House Homeland Security Committee held a closed-door roundtable briefing on the use of facial recognition technology by the Department of Homeland Security. The Committee met with privacy and civil liberties advocates, including EPIC Senior Counsel, Jeramie Scott. Mr. Scott highlighted EPIC's Freedom of Information Act work related to the use of face recognition at airports. Documents obtained by EPIC, and featured at Buzzfeed, revealed significant flaws in the technology. EPIC highlighted these problems in comments to the agency and an op-ed. Speaking to Members of Congress, Mr. Scott recommended that the facial recognition program to be suspended, and pointed to the recent breach of photos and other sensitive information collected by the agency. (Jun. 13, 2019)

  • The Austrian Supreme Court has ruled that complaints concerning the EU General Data Protection Regulation can be brought anywhere in the EU. The decision overturned a ruling by a lower Austrian court which held that a privacy lawsuit against Facebook had to be brought in Ireland, where the company is headquartered. Initiated by Austrian privacy activist Max Schrems, the case alleges that Facebook failed to comply with the GDPR, relying on invalid privacy policies and unlawfully processing data. Schrems recently launched the civil society organization NOYB to pursue collective actions under the GDPR. EPIC is currently participating in DPC v. Facebook before the Court of Justice for the European Union. The European high court will consider whether the transfer of data to the U.S. using standard contract clauses violates fundamental rights. EPIC Senior Counsel Alan Butler will appear before the Court of Justice on July 9th. (Jun. 13, 2019)

  • EPIC Board Member Danielle Citron testified today before the House Intelligence Committee on "The National Security Challenge of Artificial Intelligence, Manipulated Media, and Deepfakes." Professor Citron told Congress "we need a combination of law, markets, and societal resistance" to combat deep fakes and "the phenomenon is going to be increasingly felt by women and minorities." To address the manipulation of online news, EPIC has backed Algorithmic Transparency. EPIC also proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. (Jun. 13, 2019)

  • The European Union has established a comprehensive set of drone rules for drone operators. The EU drone rules require the real-time broadcasting of certain data, including the drone operator registration number, the geographical position of the drone, the drone route course, and the position of the drone operator. In 2015, EPIC made very similar recommendations to the FAA to improve drone safety in the United States. EPIC restated the remote ID recommendation proposal in a recent statement to the agency. In a letter to the FAA last month, Senators Edward Markey (D-MA) and John Thune (R-SD) also urged the FAA to establish a rule for the real-time, remote identification of drones. (Jun. 12, 2019)

  • Prior to an FCC oversight hearing, EPIC sent a statement to the Senate Commerce Committee outlining priorities for the agency: ending the data retention regulation and protecting location data. In 2015, EPIC petitioned the FCC to repeal the data retention regulation, which requires telephone companies to keep all telephone customer records for 18 months. Every comment received by the FCC favored the EPIC petition, yet the agency has failed to withdraw the regulation. EPIC has long worked to ensure that telephone users are protected from invasive practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Jun. 12, 2019)

  • EPIC has submitted a statement to the House Judiciary Committee regarding today's hearing on "Online Platforms and Market Power, Part 1: The Free and Diverse Press." EPIC told the Committee "The internet advertising system today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The current model is not sustainable. Privacy rules can help level the playing field." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Jun. 11, 2019)

  • A new report from the Inspector General urges oversight of the use of Artificial Intelligence techniques by the U.S. intelligence agencies. "Reassuring statements that the [intelligence community] is currently using AI technologies - and will use AI technologies in the future - in ways consistent with the rule of law and American values will not be sufficient. The [agencies] will need to validate those statements for the American people," the Inspector General said. "Investment asymmetry between mission performance and intelligence oversight in AI efforts could lead to an accountability deficit," the statement continues, "there is little indication that investments in oversight of AI are currently a high priority." EPIC recently urged the federal government to implement the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI as primary standards for U.S. AI policy. (Jun. 11, 2019)

  • The FTC hosted a roundtable with state attorneys general in Nebraska as the final hearing on competition and consumer protection in the 21st century. More than a year has passed since the FTC reopened the investigation of Facebook after the Cambridge Analytica scandal, but the FTC has not issued a fine, imposed penalties, or even updated the public about the status of the investigation. EPIC Consumer Protection Counsel Christine Bannan testified at an earlier FTC hearing that the FTC's success should be measured by the enforcement of its orders. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC, but EPIC, Color of Change, and the Open Markets Institute have urged the Commission to use its equitable authorities to improve privacy protection and governance, reform hiring practices, and to spin off WhatsApp and Instagram. (Jun. 11, 2019)

  • The House Committee on Homeland Security held a hearing on TSA's policies to prevent unlawful profiling. In his opening statement, Chairman Thompson said "it is unconscionable that TSA has not developed better oversight procedures" to prevent discriminatory practices. EPIC recently submitted comments to the TSA on the agency's 2020 strategy for transportation security. EPIC routinely comments on TSA screening practices. EPIC successfully sued the agency to block the deployment of x-ray body scanners in US body scanners. (Jun. 7, 2019)

  • The House Oversight Committee held a hearing on Facial Recognition Technology (Part II): Ensuring Transparency in Government Use. EPIC submitted a statement for the Committee's earlier hearing concerning the impact of facial recognition on civil rights. EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau also proposed to exempt the database from Privacy Act protections. EPIC has sued the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (Jun. 7, 2019)

  • The FCC voted to confirm that voice service providers may aggressively block unwanted robocalls before they reach consumers. The Commission stated: "While many phone companies now offer their customers call blocking tools on an opt-in basis, the Declaratory Ruling clarifies that they can provide them as the default, thus allowing them to protect more consumers from unwanted robocalls and making it more cost-effective to implement call blocking programs." EPIC has long advocated for robust telephone privacy protections. Last week, EPIC submitted comments to the FCC recommending that the agency (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC filed amicus briefs earlier this year and in 2015 that strengthened consumer protections for robocalls. (Jun. 7, 2019)

  • The Justice Department, in a court filing on Monday, failed to justify the agency's decision to withhold extensive material from EPIC contained in the Mueller Report. Without providing any specific details, the Justice Department simply asserted that it need not disclose information to the public beyond what it previously published. Notably, the Justice Department does not claim executive privilege in EPIC's Freedom of Information Act case, even though President Trump has asserted that privilege to withhold the complete Mueller Report from Congress. EPIC will file an opposition to the Justice Department's filing on June 24. EPIC is simultaneously seeking extensive records from the Special Counsel's investigation into Russian interference in the 2016 Presidential election. EPIC's case to obtain the public release of the complete Mueller Report is EPIC v. Department of Justice, No. 19-810 (D.D.C). (Jun. 4, 2019)

  • Reports indicate that the State Department will now require social media identifiers, email addresses, and phone numbers from nearly all visa applicants. EPIC submitted comments to the State Department opposing the plan to collect social media and personal communication information. EPIC urged the agency to retract the proposal, pointing out the substantial privacy, free expression, and security concerns the proposal raised. Last year, EPIC and the Brennan Center led a coalition of 55 privacy, civil liberties, and civil rights organizations in opposition to the State Department plan. EPIC, through a 2011 Freedom of Information lawsuit against the DHS, uncovered the first federal agency plan to monitor social media. Congress held hearings and the plan was suspended. (Jun. 3, 2019)

  • The Justice Department told EPIC on Monday that it has no records of any outside referrals by Special Counsel Robert Mueller for "administrative remedies, civil sanctions or other governmental action outside the criminal justice system." The disclosure comes as part of EPIC v. Department of Justice, EPIC's Freedom of Information Act lawsuit for the release of the complete Mueller Report and related Special Counsel records. EPIC obtained the annotated version of the Special Counsel's report last month and has published that version at the EPIC Bookstore. EPIC's case will go forward this summer on an expedited briefing schedule. The Justice Department will file its opening brief in the case later today. EPIC's case is EPIC v. Department of Justice, No. 19-810 (D.D.C). (Jun. 3, 2019)

  • The D.C. Superior Court denied Facebook's motion to dismiss the complaint filed by D.C. Attorney General over the privacy practices that led to Cambridge Analytica. The D.C. Attorney General alleged that Facebook failed to monitor third-party use of personal data and failed to ensure users' data was deleted. The lawsuit seeks financial penalties, and an injunction to establish safeguards to protect users' data. The court ruled that the case could proceed because "District of Columbia residents' widespread utilization of, and repeated exchange of personal information through Facebook's online social networking service, constitute 'transactions.'" EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC. (Jun. 3, 2019)

  • EPIC has filed comments with the National Institute of Standards and Technology urging the U.S. to implement the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI. NIST sought information from the public on the appropriate standards U.S. AI policy. EPIC called on NIST to begin implementing the OECD principles - the first international standard for AI, which the U.S. recently endorsed. EPIC also said the agency should go further by adopting the Universal Guidelines for AI. Over 250 experts and 60 organizations, representing more than 40 countries have endorsed the UGAI, which are intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights. EPIC will host a panel discussion on The Future of AI Policy in the U.S. at the National Press Club in Washington, DC on June 5, with representatives from the White House, the OECD, and leading experts in technology and public policy. (May. 31, 2019)

  • EPIC has obtained records from the FAA's Drone Advisory Committee confirming the committee ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. EPIC filed suit last year to enforce the transparency obligations of the industry-dominated Committee, which conducted much of its work in secret. The Committee told the Court that it had published all of its records, but EPIC's case forced the Committee to release hundreds of documents that it unlawfully withheld. The documents show that the Committee initially recognized the importance of regulating drone privacy risks and even planned to form a "Privacy Subcommittee." Yet the Committee entirely failed to address privacy issues before making final policy recommendations to the FAA. The case is EPIC v. Drone Advisory Committee, No. 18-833 (D.D.C.). (May. 31, 2019)

  • The Irish Supreme Court has dismissed an appeal by Facebook to stop the highest court in Europe from reviewing the transfers of personal data from the EU to the US. Facebook appealed a referral to the Court of Justice for the European Union on whether the transfer of data to the U.S. with standard contract clauses violates fundamental rights. EPIC is participating in that case now before the Court of Justice, DPC v. Facebook, expected to be argued July 9th. Ruling against Facebook, the Irish Supreme Court said the decision to refer a case cannot be appealed and must be decided by the referring court and the Court of Justice. "It is for the referring court, and that court alone, whether to make a reference and, indeed, whether to withdraw or amend the same," the Court concluded. EPIC also recently filed a third-party intervention with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Court should carefully review UK-U.S. intelligence transfers in the case assessing UK bulk surveillance. (May. 31, 2019)

  • EPIC has filed a Freedom of Information Act request with the Federal Trade Commission seeking memos and internal communications about the Associate Director of the Enforcement Division James A. Kohm. Kohm is responsible for overseeing enforcement of the consent order against Facebook. Since the FTC announced the 2011 Consent Order, the FTC has never charged Facebook with a single violation of the order. In March 2018, the FTC announced an investigation of Facebook following the Cambridge Analytica scandal. 430 days have now passed with no report, no fine, and not even an update about the status of the investigation. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (May. 30, 2019)

  • EPIC, along with the U.S. Technology Policy Committee of the Association for Computing Machinery, has filed comments to the Election Assistance Commission on the Voluntary Voting System Guidelines 2.0. EPIC and USTPC supported the inclusion of strong principles for voter privacy, ballot secrecy, and data protection. The groups also urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. "The VVSG 2.0 are vital to protect our democratic institutions. The EAC should ban the use of internet-connected voting machines and protect ballot secrecy," EPIC and USTPC said. Though states are not mandated to comply with the VVSG, the guidelines help shape the election security market. In 2016, EPIC published a report on the importance of the secret ballot for democratic decision making. EPIC has a long history of working to protect voter privacy and election integrity. (May. 29, 2019)

  • Senator Richard Blumenthal, Representative Jan Schakowksy, Human Rights Watch China Director Sophie Richardson, and MIT Media Lab Director Joi Ito will receive the 2019 EPIC Champion of Freedom Award. The EPIC award is given annually to individuals who have helped safeguard the right of privacy, promote open government, and protect democratic values with courage and integrity. Past recipients include Representative Justin Amash, Apple CEO Tim Cook, Senator Kamala Harris, Garry Kasparov, Senator Patrick Leahy, Edward Snowden, and Judge Patricia Wald. The EPIC Awards dinner will take place on June 5 at the National Press Club in Washington, DC. The event is open to the public and tickets are still available. (May. 23, 2019)

  • The Senate overwhelmingly passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, sponsored by Senator John Thune (R-S.D.) and Senator Ed Markey (D-Mass.). The Act would give regulators more time to find scammers, increases civil penalties, promotes call authentication and blocking techniques, and brings together federal agencies and state attorneys general to coordinate prosecution of robocallers. EPIC has long advocated for robust telephone privacy protections and regularly files amicus briefs and comments in support of stronger consumer protections against robocalls. (May. 23, 2019)

  • A new report from the consumer group Public Citizen finds extensive conflicts of interest at the Federal Trade Commission. According to Public Citizen, most top officials at the Federal Trade Commission (FTC) become lawyers and lobbyists for major technology companies after they leave the agency or bring Silicon Valley conflicts with them when they arrive. These conflicts help explain the FTC's chronic reluctance to enforce consumer protection and antitrust laws, said Public Citizen. EPIC previously urged the FTC to block anticompetitive mergers, such as Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp, as well as to enforce the pending consent order against Facebook that EPIC helped establish in 2011. EPIC even sued the FTC when the consumer agency failed to enforce the consent order against Google, following the Buzz consent order. As of today, 423 days have passed since the FTC announced in March 2018 that it would reopen the investigation of Facebook. But still there is no fine, no report, and no update. (May. 23, 2019)

  • Today the OECD announced the OECD Principles on Artificial Intelligence, the first international standard for AI, with the backing of 42 countries. The OECD AI principles make central "the rule of law, human rights and democratic values" and set out requirements for fairness, accountability and transparency. OECD Secretary-General Gurría said the OECD AI principles "place the interests of people at its heart." Gurría also quoted Alan Turing, who once said, "We can only see a short distance ahead, but we can see plenty there that needs to be done." Civil society groups, working through the CSISAC played a key role in the development of the OECD AI Principles as did the EPIC Public Voice project. Earlier this year, EPIC President Marc Rotenberg commended the US administration for backing the OECD process, but also wrote in the New York Times that there is much more to be done. "The United States must work with other democratic countries to establish red lines for certain AI applications and ensue fairness, accountability, and transparency as AI systems are deployed." (May. 22, 2019)

  • One year after the EU General Data Protection Regulation, European authorities have received a total of 144,000 privacy complaints and identified 89,000 data breaches. Europe's comprehensive data protection law went into effect on May 25, 2018. EPIC and coalitions of consumer groups have written to ninety-five major internet companies seeking compliance with the GDPR as a baseline standard for all users worldwide, and recently proposed "A Framework for Privacy Protection in the United States." The EPIC 2018 Privacy Law Sourcebook, a comprehensive overview of privacy laws in the US and around the world, includes the full text of the GDPR. At present, the United States has neither a comprehensive federal privacy law nor a data protection agency. (May. 22, 2019)

  • Senator Hawley (R-MO) introduced the Do Not Track Act, which would create a right to control the use of personal data similar to the national Do Not Call registry that gives every person the legal right to block companies from collecting any data beyond what is necessary to provide the company's service to the user. The legislation would prohibit companies from profiling users who activate Do Not Track and would ban discrimination against those who exercise their legal rights. EPIC President Marc Rotenberg earlier testified before the House Energy and Commerce Committee on a Do Not Track bill, and stated that legislation "would need to ensure that a consumer's decision is 'enforceable, persistent, transparent, and simple'." Voluntary proposals, developed by industry groups, to limit online tracking have been ineffective and ignored. (May. 22, 2019)

  • EPIC has sent a statement to the House Committee on Oversight concerning Facial Recognition Technology. EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau also proposed to exempt the database from Privacy Act protections. EPIC has sued the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (May. 21, 2019)

  • The D.C. Circuit Court of Appeals has rejected the government's attempt to pay a public interest plaintiff far less than what is owed in attorney's fees. When a plaintiff wins a public interest lawsuit, federal law often requires the defendant to reimburse the plaintiff for attorney's fees. Many defendants—including federal agencies—try to minimize those payments by using artificially low billing rates. But in D.L. v. D.C., the federal appeals court ruled that the government's calculation of attorney's fees was based on "irrelevant figures" and "wrong" assumptions that attempted to diminish the complexity and cost of public interest cases brought in Washington, DC. The decision will make it harder for the government to underpay successful public interest plaintiffs in the future. EPIC, which often recovers attorney's fees in Freedom of Information Act cases, joined in an amicus brief in the case. (May. 21, 2019)

  • Representatives Jackie Speier (D-CA) and John Katko (R-NY) reintroduced the bipartisan Intimate Privacy Protection Act. The legislation would target perpetrators who share intimate images without consent. Congresswoman Speier said the Act "will hold accountable and deter violators of intimate privacy, from vengeful exes to online predators who profit from and entertain themselves with the distribution of private intimate images." Senator Kamala Harris (D-CA) is introducing companion legislation in the U.S. Senate. EPIC has backed efforts to combat revenge porn, supported the Cyber Civil Rights Initiative, and awarded the 2017 EPIC Privacy Champion Award to Carrie Goldberg and the 2015 EPIC Award to Senator Harris. (May. 21, 2019)

  • The OECD will announce this week The Recommendation on Artificial Intelligence, the first intergovernmental standard on AI. [OECD flyer] The OECD AI Recommendation aims to foster innovation and trust in AI by promoting the responsible stewardship of trustworthy AI while ensuring respect for human rights and democratic values. The OECD AI Standard addresses fairness, accountability, and transparency and speaks specifically to the need to respect "freedom, dignity and autonomy, privacy and data protection, non-discrimination and equality, diversity, fairness, social justice, and internationally recognised labour rights." The OECD AI standard complements existing OECD standards in areas such as privacy, cryptography, digital security risk management, and responsible business conduct. Over the past year, EPIC led an effort to promote Universal Guidelines for AI following an earlier campaign for Algorithmic Transparency. EPIC will host a panel discussion on The Future of AI Policy in the US at the National Press Club in Washington, DC on June 5, with representatives from the White House, the OECD, and leading experts in technology and public policy. Registration is open to the public. (May. 21, 2019)

  • EPIC has submitted a statement to the Senate Judiciary Committee for a hearing on online advertising. EPIC told the Committee "The 'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (May. 20, 2019)

  • EPIC filed a lawsuit today to compel the State Department to release information about the transfer of facial images, gathered from visa and passport applicants, to other federal agencies. EPIC explained to the federal court in Washington, DC that the Customs and Border agency is now using those images in an unlawful border system. EPIC has called for the suspension of the CBP program. Senators Markey and Lee have also opposed expansion of the CBP program to U.S. citizens. In a related FOIA lawsuit, EPIC obtained documents concerning CBP's facial recognition program. A summary report revealed that the system did not perform operational matching at a "satisfactory" level. (May. 20, 2019)

  • In response to EPIC's Freedom of Information Act lawsuit, the National Archives has released hundreds of new emails from Justice Kavanaugh's time in the White House. The emails concern the controversial surveillance programs Total Information Awareness, Computer Assisted Passenger Prescreening System II (CAPPS II), and Secure Flight. The contents of many emails were withheld in full. EPIC's FOIA lawsuit, along with a related lawsuit by Senator Richard Blumenthal, resulted in the public release of hundreds of thousands of pages about Justice Kavanaugh's work in the White House. The records include communications between Kavanaugh and John Yoo, the author of the warrantless surveillance program. (May. 20, 2019)

  • On Thursday, U.S. District Judge Emmet G. Sullivan ordered the government to release redacted portions of the Mueller report related to Michael Flynn, President Trump's former national security adviser by May 31. In the case about false statements to FBI investigators regarding contact with the Russian Ambassador, Judge Sullivan ordered the release of parts of the redacted Mueller report and related transcripts of calls with Russian officials. This is the first instance where a judge has ordered the release of redacted portions of the Special Counsel's report on Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the nation to release the full Mueller Report. EPIC obtained the annotated version of the Special Counsel's report and has published this version at the EPIC Bookstore. EPIC's case will go forward this summer on an expedited briefing schedule. EPIC's case EPIC v. Department of Justice, No. 19-810 (D.D.C). (May. 17, 2019)

  • EPIC has sent a letter to President Trump, urging the White House to suspend the collection of personal data concerning the use of social media. The White House is seeking to collect detailed personal information including unique social profile names and citizenship status. The company hosting the form is also tracking Internet users and their devices. EPIC wrote that "this data collection is unlawful, unconstitutional, and itself a violation of the First Amendment." EPIC pointed to the failure of the White House to undertake a privacy impact assessment. EPIC also explained that the government may not compel people to reveal their names to exercise their First Amendment rights. EPIC previously forced the now-defunct Presidential Election Commission to delete personal voter data that it had unlawfully obtained without a Privacy Impact Assessment. (May. 16, 2019)

  • Members of the House of Representatives, led by Rep. Mary Gay Scanlon (D-PA, @RepMGS), have begun a public reading of the Muller Report. The reading is being broadcast live on C-SPAN. EPIC (@EPICprivacy) sued the Department of Justice for the release of the full, unredacted Mueller Report. EPIC has now obtained the document, processed pursuant to the Freedom of Information Act. EPIC has made the new version of the Muller Report and related documents available at Amazon. EPIC's FOIA case is on an expedited briefing schedule. Briefing will continue over the summer. EPIC expects to receive additional information from the Department of Justice about the Russian interference in the 2016 presidential election. (May. 16, 2019)

  • The San Francisco Board of Supervisors have passed a resolution to limit the use of surveillance technology by city departments. San Francisco will now require surveillance impact reports, annual audits, and review by the city controller. EPIC led an effort - "Observing Surveillance" - in Washington, DC after 9-11 to document the growing use of surveillance cameras in the nation's capital that led to limitations on video surveillance by the City Council. EPIC is currently seeking to limit the use of facial recognition technology at the border. The Madrid Privacy Declaration called for a "moratorium on the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers, and embedded RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate." (May. 15, 2019)

  • EPIC filed comments with the Federal Communications Commission again urging the agency to repeal a regulation that requires the bulk retention of calling records of American telephone customers. EPIC and a coalition of civil rights organizations, technical experts and legal scholars first signed a petition for repeal of the FCC regulation three years ago. When the FCC docketed the petition for public comment, every comment received by the agency favored the EPIC petition to end the data retention regulation. In comments to the agency last year, EPIC again urged the FCC to drop the requirement. In response to an agency proposal to extend the rule, EPIC explained that "the regulation is unduly burdensome, ineffectual, and threatens privacy and security." EPIC also pointed to recent cases in Europe prohibiting the mass retention of phone records. "The United States has fallen behind other advanced democracies around the world" explained EPIC to the FCC. (May. 13, 2019)

  • In comments on the Federal Aviation Administration’s proposed drone app B4UFLY EPIC reiterated the need for drones to broadcast ID, location, course and purpose. The FAA app would provide situational awareness to drone operators, but fails to provide the public with information about nearby drones. As EPIC explained, commercial planes and vessels routinely provide this information on apps widely available to the public. Further, it is unclear what data is collected by the FAA app, as the Privacy Impact Assessment provides conflicting explanations. EPIC said the FAA should limit the information it collects on non-commercial drone operators. EPIC has repeatedly called for remote, broadcast ID for drones, and led a coalition in 2012 to petition the agency to conduct a rulemaking on drone privacy. EPIC also sued the agency when it failed to establish limits on drone surveillance. (May. 13, 2019)

  • For the first time, the United Nations Human Rights Committee has asked the U.S. to report about consumer privacy protections. This is part of an annual review of compliance with the International Covenant on Civil and Political Rights. The Human Rights Committee asked the U.S. to explain what measures it has taken "to combat the interference of non-State organizations, such as Facebook, in privacy rights, including but not limited to the enforcement of judicial orders, the enactment of comprehensive privacy laws and the creation of a data protection authority." In comments to the Committee, EPIC raised concerns about the need to protect individuals against violations of the right to privacy by non-state actors, including private firms. EPIC also recently submitted comments to the UN on the surveillance industry. (May. 10, 2019)

  • EPIC has published "The Mueller Report: EPIC v. Department of Justice and the Special Counsel's Report on the Investigation Into Russian Interference." The EPIC collection includes the version of the Mueller Report obtained in EPIC v. Department of Justice, the original EPIC FOIA request, letters from the Attorney General to Congress, and the statement from the Special Counsel about the release of the report. Also included is a foreword by EPIC President Marc Rotenberg describing EPIC's related cases to obtain information about Russian interference in the 2016 presidential election, as well as a brief introduction to the Freedom of Information Act. "The Mueller Report: EPIC v. Department of Justice" is now available in the EPIC Bookstore. (May. 10, 2019)

  • Prior to a hearing on "New Entrants in the National Airspace," EPIC has urged the Senate Commerce Committee to ensure that the FAA establish drone privacy safeguards. EPIC also said the FAA should require remote identification of drones. "Currently, individuals cannot hold drone operators accountable because it is essentially impossible to identify the drone or the operator of a drone," EPIC said. EPIC recently filed comments on the FAA's proposal for external ID for drones. Last week, Senators Edward Markey (D-MA) and John Thune (R-SD) urged the FAA to quickly publish a rule for the realtime, remote identification of drones. In 2012 EPIC, backed by more than one hundred organizations and privacy experts, petitioned the agency to establish privacy safeguards for drones. EPIC also cited a 2012 law requiring the FAA to develop a "comprehensive plan" for drone deployment. EPIC subsequently filed suit against the FAA, challenging the agency rule authorizing commercial drone operations without privacy safeguards. (May. 9, 2019)

  • Senators Markey (D-Mass), Blumenthal (D-Conn.), Durbin (D-Ill.), and Hawley (R-Mo.) sent a letter to the Federal Trade Commission to launch an investigation into new evidence of Amazon violations of the Children's Online Privacy Protection Act (COPPA) with an Amazon device targeted to children. The Senators wrote: "Children are a uniquely vulnerable population. We urge the Commission to take all necessary steps to ensure their privacy as 'Internet of Things' devices targeting young consumers come to market, including promptly initiating an investigation into the Amazon Echo Dot Kids Edition’s compliance with COPPA.: The letter cites a recent complaint to the FTC by Campaign for a Commercial-Free Childhood and joined by EPIC. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. (May. 9, 2019)

  • Senators Klobuchar (D-MN), Warner (D-VA), and Graham (D-SC) announced have introduced a bipartisan bill to make online political advertisements more transparent. The Honest Ads Act is a direct response to Russian interference in the 2016 election, which relied on anonymous political ads on Facebook, Google and Twitter. The Honest Ads Act would impose the same disclosure requirements for online ads as for TV and radio ads. "Foreign adversaries interfered in the 2016 election and are continuing to use information warfare to try to influence our government and divide Americans. We must act now to protect our democracy and prevent this kind of interference from ever happening again," Senator Klobuchar said. EPIC Consumer Protection Counsel Christine Bannan testified at the Federal Election Commission hearing in 2018 on the agency's proposed rule for political ads. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records). (May. 8, 2019)

  • President Trump has claimed executive privilege in an attempt to withhold the redacted portions of the Mueller Report from Congress. The President's assertion goes far beyond the narrow limits of the privilege and conflicts with the Attorney General's recent statement to Congress that President Trump had "no plans" to claim executive privilege over the Report. ("Exhibit 7" In EPIC v. Department of Justice.) EPIC is pursuing the release of the full Mueller Report under the Freedom of Information Act. EPIC recently obtained an annotated version of the Report that contains new details about the extensive redactions made by the Justice Department. But the government has waived any assertion of executive privilege in EPIC's case, making EPIC uniquely positioned to challenge the redactions. EPIC will have a hearing in federal court concerning the release of related materials on June 17, 2019. EPIC's case for the release of the Mueller Report—the first in the nation—is EPIC v. Department of Justice, No. 19-810 (D.D.C.). (May. 8, 2019)

  • EPIC Counsel John Davisson will argue before the D.C. Circuit Court of Appeals Wednesday morning to block the Census Bureau from collecting personal data concerning citizenship status in the 2020 Census. The argument will begin around 10:00 a.m. ET and can be live streamed here. EPIC's case challenges the Census Bureau's failure to complete privacy impact assessments required by law. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. As EPIC previously warned the appeals court, "major privacy risks have not been addressed by the agency." EPIC has filed several successful lawsuits to require privacy impact assessments by federal agencies, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's census privacy case is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (May. 7, 2019)

  • Senators Warren and Warner and Representatives Cummings and Krishnamoorthi introduced the Data Breach Prevention and Compensation Act of 2019. The legislation would compensate consumers for stolen data, impose mandatory penalties on credit reporting agencies for data breaches, and give the FTC greater authority over data security at credit reporting agencies. The lawmakers also released a new report "Breach of Trust: CFPB's Complaint Database Shows Failure to Protect Consumers after Equifax Breach." The report found that consumers have filed over 52,000 complaints since Equifax announced the breach in September 2017. Following the Equifax data breach, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft. (May. 7, 2019)

  • EPIC today settled a Freedom of Information Act lawsuit against Customs and Border Protection. EPIC sought records about the agency's Biometric Entry-Exit program for use at US borders. As a result of the lawsuit, EPIC obtained the "Southwest Border Pedestrian Field Test" concerning the use of iris imaging and facial recognition. The report revealed that the technology did not perform operational matching at a "satisfactory" level. Relying on the documents obtained in the case, EPC has told Congress that facial recognition should be suspended until privacy safeguards are established. Senators Ed Markey (D-MA) and Mike Lee (R-UT) have also called for the suspension of the CBP program. (May. 7, 2019)

  • The International Working Group on Data Protection has adopted new recommendations for artificial intelligence and location tracking. The Berlin-based Working Group includes data protection authorities who assess emerging privacy challenges. The IWG report "Privacy and Artificial Intelligence" sets out fairness and respect for human rights, oversight, transparency and intelligibility as key elements of AI design and use. The IWG recommendations share several principles with the Universal Guidelines for Artificial Intelligence, proposed by EPIC as the basis for federal legislation and endorsed by more than 250 experts and 60 organizations. The IWG report "Wide Area Location Tracking" addresses large scale collection of location data in devices and applications, and urges limits on the transfer of the data, location tracking switched off by default, and periodic auditing by regulators. EPIC recently provided a comprehensive report for the IWG explaining recent developments in U.S. privacy law and policy. (May. 7, 2019)

  • In an amicus brief EPIC urged the Pennsylvania Supreme Court to protect the right of public employees to speak on matters of public concern on social media without fear of dismissal. The case, Carr v. Department of Transportation, concerns a state employee who was fired for comments posted to a Facebook group criticizing local school bus drivers. EPIC explained that "social media is 'the modern public square' for debate on issues of public concern," citing the U.S. Supreme Court's opinion in Packingham v. North Carolina, in which EPIC also filed an amicus. EPIC warned that "allowing the Government to fire a public employee for posts made in a private Facebook group would encourage government supervisors to surveil employees across social media." EPIC has frequently argued that the First Amendment protects the right of individuals to engage in activities free from government surveillance, in cases including City of Los Angeles v. Patel, Doe v. Reed, and Americans for Prosperity v. Becerra. (May. 7, 2019)

  • EPIC has obtained an annotated version of the Mueller Report through EPIC v. Department of Justice, EPIC's Freedom of Information Act lawsuit about the Special Counsel investigation into Russian election interference. The version of the Mueller Report provided to EPIC contains new details about the extensive redactions made by the Justice Department. EPIC will challenge those redactions as the case moves forward on an expedited schedule. Judge Reggie B. Walton has also ordered the Justice Department to disclose additional information about the Mueller Report to EPIC by June 3. EPIC's case for the release of the Mueller Report—the first in the nation—is EPIC v. Department of Justice, No. 19-810 (D.D.C.). (May. 6, 2019)

  • In advance of FTC oversight hearings, EPIC has sent a statement to both House and Senate Committees outlining the FTC's failure to protect consumer privacy and urging the creation of an independent Data Protection Agency in the United States. EPIC's recent Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (May. 6, 2019)

  • In a letter to the FAA, Senators Edward Markey (D-MA) and John Thune (R-SD) urged the agency to quickly publish a rule for the realtime, remote identification of drones. The senators wrote, "remote identification will enhance safety, security, and privacy." EPIC has long called for remote identification requirement for drones, stating "Because drones present substantial privacy and safety risks, EPIC recommends that the FAA require any drone operating in the national airspace system to broadcast location when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information[.]" EPIC cited similar requirements for vessels and planes, and explained that the technology is widely available. Most recently, EPIC repeated its call for remote identification in response to a proposed rule that would allow drones to fly over people. (May. 3, 2019)

  • In response to EPIC's Freedom of Information Act request, the Department of Homeland Security confirmed that no privacy impact assessment has been completed for a vast DHS biometric database known as the "Homeland Advanced Recognition Technology." The HART database will include fingerprints, iris scans, and facial images on millions of individuals. The documents EPIC did obtain from DHS consist of privacy threshold reviews that indicate a privacy impact assessment is required and was expected by January 2019. A previous document obtained by EPIC show that the Homeland Advanced Recognition Technology database is part of the facial recognition Biometric Entry/Exit program at US airports. (May. 3, 2019)

  • A federal court today ordered the government to explain by June 3 its refusal to release substantial portions of the Mueller Report to EPIC. During a hearing on EPIC v. Department of Justice, Judge Reggie Walton reiterated the need for EPIC's open government case to move quickly and ordered the parties to file briefs over the summer. The court also ordered the government to produce related documents to EPIC about the Special Counsel investigation into Russian interference in the 2016 election. The Department of Justice will disclose a version of the Mueller Report to EPIC by May 6, which will contain additional information about the government's redactions. Hearings are scheduled in EPIC's case for the release of the Mueller Report on July 2 and August 5. EPIC's case for the release of the Mueller Report—the first in the nation—is EPIC v. Department of Justice, No. 19-810 (D.D.C.) (May. 2, 2019)

  • In a court filing today in Washington, DC, EPIC has proposed an expedited briefing schedule in its case for release of the full Mueller Report concerning "Russian Interference in the 2016 Presidential Election." EPIC also proposed that the Justice Department provide the full, unredacted report to the federal judge overseeing the case for review. The Department of Justice has informed EPIC that the agency will provide a processed version of the Mueller Report to EPIC as early as this Thursday. The parties are expected to appear before Judge Reggie Walton this Thursday at 10 am. EPIC will challenge the Department of Justice's withholding of substantial portions of the Mueller Report from the public. EPIC's case for the release of the Mueller Report—the first in the nation—is EPIC v. Department of Justice, No. 19-810 (D.D.C.). (Apr. 30, 2019)

  • According to the Office of Director National Intelligence 2018 report, the use of information on U.S. persons collected under Foreign Intelligence Surveillance Act increased. The instances in which the NSA "unmasked" - revealed a U.S. person's identity in foreign intelligence data - to another agency grew from 9,529 to 16,721. In 2018, the government also searched domestic call detail records for U.S. persons at five times the rate in 2017, rising from 31,196 to 164,682. Notably, the government notifications to defendants of the use of FISA information in criminal proceedings increased from 7 in 2017 to 14 in 2018. EPIC previously testified before Congress on the need for more public reporting about the use of FISA for domestic surveillance. Several of EPIC's recommendations, including greater detail on government surveillance activities, were incorporated in the USA Freedom Act. (Apr. 30, 2019)

  • In advance of a hearing about robocalls, EPIC has sent a statement to the House Energy & Commerce Committee saying "The FCC needs to do far more to protect consumers from robocalls." EPIC has long advocated for robust telephone privacy protections. Last week, EPIC submitted comments to the FCC recommending that the agency (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC filed amicus briefs earlier this year and in 2015 that strengthened consumer protections for robocalls. (Apr. 30, 2019)

  • Prior to a hearing on "Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework," EPIC has sent a statement and related materials to the Senate Commerce Committee advising on federal privacy legislation. EPIC Executive Director Marc Rotenberg recently wrote in the New York Times, "There is still much that Congress can do to strengthen privacy protections for Americans. Enacting federal baseline legislation and establishing a data protection agency would be a good start." EPIC also sent the Committee EPIC commentaries from the Financial Times, Techonomy, the OECD Observer, and the Harvard International Review. EPIC recently joined 16 organizations in support of "A Framework for Privacy Protection in the United States." (Apr. 30, 2019)

  • EPIC has sent a statement to the House Appropriations Committee prior to a hearing on Census oversight. EPIC urged Congress to require the Census Bureau to remove the citizenship question from the 2020 census, pending the completion and review of required Privacy Impact Assessments. EPIC told the Committee that the Census Bureau failed to complete the Privacy Impact Assessments required by Section 208 of the E-Government Act. The Census Bureau concedes that it must complete the impact assessments but has so far failed to do so. "Congress made clear that data collection simply could not occur without the completion of these assessments," EPIC explained to Congress. In EPIC v. Commerce, currently before the D.C. Circuit Court of Appeals, EPIC argued that the collection of personal data concerning citizenship status without the privacy impact assessments is unlawful. EPIC warned the federal appeals court that "major privacy risks have not been addressed by the agency." (Apr. 29, 2019)

  • According to news reports, Facebook has budgeted $3 billion for in its first-quarter earnings report, saying it expected the FTC to fine the company between $3-$5 billion. In January, EPIC and a coalition of consumer and civil rights groups sent a letter to the FTC calling on the Commission to enforce the order against Facebook by 1) imposing substantial fines; 2) establishing structural remedies; 3) requiring compliance with Fair Information Practices; 4) reforming hiring and management practices; and 5) restoring democratic governance. Also, EPIC's Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (Apr. 26, 2019)

  • In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA to suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates deploy facial recognition. EPIC has urged the agency to undertake a notice and comment rule making that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems. (Apr. 26, 2019)

  • A federal appeals court ruled today that an amendment to the federal robocall ban is unconstitutional. The Telephone Consumer Protection Act prohibits automated calls to cell phones, except in emergencies or with the consent of the called party. But in 2015 Congress created an exception for calls made to collect debts guaranteed by the federal government. The court in AAPC v. FCC found that the debt-collection exemption "undercuts" the privacy protections in the law. So the court found the exception unconstitutional and struck it from the law. EPIC filed a "friend of the court" brief in Gallion v. Charter Communications, a similar case in the Ninth Circuit, arguing that "the TCPA prohibitions are needed now more than ever." EPIC has testified in support of the TCPA and has submitted extensive comments and amicus briefs on the consumer privacy law. (Apr. 25, 2019)

  • After soliciting public comments, the Federal Trade Commission has renewed the CAN-SPAM Rule (Controlling the Assault of Non-Solicited Pornography and Marketing). The FTC rule requires subject-line labeling of commercial emails containing sexually explicit material. The rule also clarifies that a recipient of unwanted emails may not be required to pay a fee, provide additional information or take any steps beyond sending an email or visiting a web page to opt out. In confirming the final rule, the agency specifically referenced EPIC's comments in support of the rule: "For example, the Electronic Privacy Information Center ('EPIC'), a consumer advocacy group, asserted that, '[w]hile the volume of spam is lower than it was just a few years ago, the need for the Rule continues.'" EPIC continues to push the FTC to safeguard consumer privacy with the Enforce the Order campaign, urging the agency to act against Facebook. (Apr. 23, 2019)

  • An EPIC Freedom of Information Act request has revealed that the Census Bureau obtains vast quantities of noncitizens' personal data from the Department of Homeland Security without having first conducted a required Privacy Impact Assessment. Under a written agreement disclosed to EPIC, the DHS transfers the "Legal Permanent Resident File" to the Bureau each year, which includes citizenship, immigration status, marital status, and other sensitive personal information. Yet the Census Bureau conducted no analysis of the privacy risks and failed to describe the personal data gathered. In EPIC v. Commerce, EPIC has charged that the Census Bureau failed to complete required Privacy Impact Assessments prior to adding the citizenship question to the 2020 Census. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. EPIC's motion to halt the citizenship question will be argued before the D.C. Circuit on May 8. (Apr. 23, 2019)

  • In comments to the Department of Defense on the proposed expansion of the "Insider Threat" Database, EPIC recommended the Department withdraw unlawful and unnecessary routine use disclosures, significantly narrow the Privacy Act exemptions, and adopt the Universal Guidelines for Artificial Intelligence. The DoD plans to collect detailed, personal information, including health data, ethnicity and race, biometric data, travel records, and social media information, on federal employees, their friends, and family members. EPIC noted widespread computer security problems at the DoD, and warned, "this system of records—despite a documented inability to protect personal data—invites the very threats the program seeks to prevent." EPIC previously commented on the creation of the system. (Apr. 22, 2019)

  • As part of an effort to promote uniformity in privacy regulations, the Department of Defense has finalized a regulation regarding the Personnel Vetting Records System. EPIC submitted detailed comments to the agency "criticizing the breadth of exemptions and expressing concerns about accountability for DoD's information collection activities." The Department of Defense responded in detail to EPIC stating, "The Department appreciates these concerns....Notwithstanding the potential availability of exemptions that DoD may need to assert for certain records in the system when circumstances warrant, exemption rules do not require the assertion of exemptions in every instance. In fact, DoD anticipates asserting exemptions in limited circumstances on a case-by-case basis....With respect to access rights in particular, the DoD anticipates generally providing access rights and exercising exemptions as the exception rather than the norm." EPIC routinely comments on the obligations of federal agencies to comply with the federal Privacy Act. EPIC recently commented on the privacy issues raised by the Department's "Insider Threat" Program, noting that the extensive collection of personal data could create new vulnerabilities. (Apr. 22, 2019)

  • The U.S. Supreme Court will hear arguments this week in a case challenging the addition of the citizenship question to the 2020 Census. EPIC filed an amicus brief in Department of Commerce v. New York, urging the Court to uphold a New York federal judge's decision to remove the question. EPIC warned that the "extraordinary reach of the Bureau into the private lives of Americans brings extraordinary risks to privacy." In a related matter, EPIC's lawsuit to block the citizenship question, EPIC v. Commerce, is currently before the D.C. Circuit with an argument scheduled for May 8. EPIC has charged that the Census Bureau failed to complete required Privacy Impact Assessments prior to the decisions to collect personal data about citizenship. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. EPIC told the D.C. Circuit, "Key deadlines are fast approaching, and major privacy risks have not been addressed by the agency." (Apr. 22, 2019)

  • EPIC has filed a third-party intervention with the European Court of Human Rights in Big Brother Watch v. UK, a case concerning a bulk surveillance program of the British government. Last year the European Court ruled that the communications surveillance regime violated Article 8 of the European Convention on Human Rights, but stopped short of ruling that bulk surveillance violated the Convention. The human rights groups that brought the case requested referral to the Grand Chamber, a larger panel of judges, and urged the Court to rule mass surveillance incompatible with fundamental rights. After filing a brief in the original case explaining the broad scope of U.S. surveillance, EPIC has now filed a new brief with the Grand Chamber, arguing that the Court should carefully consider UK-U.S. intelligence transfers. U.S. surveillance does not "provide the requisite Article 8 safeguards" and transfer of intelligence to the U.K. "risks circumventing the Convention’s guarantees," EPIC explained. In an article for Just Security, EPIC called the initial ruling against UK surveillance "narrow" but "important." (Apr. 22, 2019)

  • In a court filing today, EPIC raised key questions about the version of the Mueller Report released by the Attorney General, and also about the Justice Department's inconsistent statements regarding the release. EPIC noted the extensive redactions in the report—material is withheld on approximately 178 pages of the 448-page report. EPIC explained that the Attorney General claimed "harm to ongoing matter" as the primary reason for withholding information, but that phrase is nowhere to be found in the Freedom of Information Act. EPIC also highlighted the Attorney General's statement that he gave the Report to the White House Counsel and the President's personal lawyers in advance of the press conference, even though the Justice Department previously told the Court in EPIC v. DOJ that it was not possible to disclose the report to EPIC before today. EPIC's case for the release of the Mueller Report—the first in the nation—is EPIC v. Department of Justice, No. 19-810 (D.D.C.). (Apr. 18, 2019)

  • An extensively redacted version of the Mueller Report released today reveals that Russian interference in the 2016 presidential election was much greater than previously known. The Special Counsel's investigation found that the "Russian government interfered in the 2016 presidential election in sweeping and systematic fashion." The Report details Russia's hacking of US political organizations and a large-scale social media disinformation campaign. The Report also reveals that Russia breached the computers of election officials in Florida. The Report confirms that members of the Trump family and the Trump presidential campaign enthusiastically retweeted Russian propaganda. But much in the report is still secret. The Attorney General has withheld information on more than 170 pages of the 448 page report. EPIC is currently suing for the public release of the complete Mueller Report in EPIC v. Department of Justice, No. 19-810 (D.D.C.). A hearing is scheduled in federal district court on May 2. (Apr. 18, 2019)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Professor Elizabeth Joh, Dr. Lorraine Kisselburgh, Travis LeBlanc, Dr. Bilyana Petkova, Jennifer Stoddart, Dr. Paul Vixie, and Professor Ari Waldman. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC's work on privacy and civil liberties. The publication of the EPIC Advisory Board members are available at the EPIC Bookstore. The 2019 EPIC Champion of Freedom Awards will be presented on June 5, 2019 at the National Press Club. Press Release. (Apr. 17, 2019)

  • EPIC Consumer Protection Counsel Christine Bannan testified at the FTC's hearing on the agency's effectiveness at protecting consumer privacy. She said that the FTC's success should be measured by the enforcement of its orders. EPIC's Freedom of Information Act request revealed that there are there are over 26,000 pending consumer complaints against Facebook made while under the consent order. In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. (Apr. 16, 2019)

  • In response to Federal Aviation Administration request for comments regarding drone security and drones flying over people, EPIC urged the agency to mandate cybersecurity safeguards and privacy protections for populated areas subject to aerial surveillance. EPIC repeated the earlier recommendation that the agency require drones to broadcast identifying information, location, course, purpose, and surveillance capabilities. Earlier this year, Senator Edward Markey (D-MA) stated, "Privacy cannot be an afterthought as the FAA seeks to make it easier and safer for commercial drones to take flight." Starting with a 2012 petition, EPIC has recommended that the FAA establish drone privacy regulations and to ensure that drones broadcast ID. (Apr. 16, 2019)

  • In comments to Customs and Border Protection, EPIC recommended the adoption of the Universal Guidelines for Artificial Intelligence for a new boded controls system, the "21st Century Customs Framework." EPIC , stressed the need for transparency, accountability, and fairness in automated decisionmaking. EPIC explained “Although CBP claims that risk scores are only used on cargo,” the "impact falls on individuals.” EPIC previously submitted comments to the agency regarding the Automated Targeting System and the Intelligence Records System. Through FOIA, EPIC has also obtained information on the agency’s data systems, including the Analytical Framework for Intelligence, which assigns “risk assessments” to travelers, including U.S. citizens. (Apr. 11, 2019)

  • Through a Freedom of Information Act lawsuit, EPIC has obtained the DHS drone status report required by a Presidential Memorandum. The 2015 Memorandum required federal agencies to detail drone policies and procedures to protect privacy, civil rights, and civil liberties. The DHS report attempts to justify the use of drones by Customs and Border Protection, but a recent Inspector General report calls into question the CBP's policies and procedures. The Inspector General found that CBP failed to complete a required analysis for a drone surveillance system and failed to implement effective safeguards for information collected by drones. EPIC has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." (Apr. 11, 2019)

  • The IRS has refused to comply with Rep. Richard Neal’s deadline to turn over President Trump's tax returns. As Chairman of the House Ways and Means Committee, Rep. Neal has the authority under a section of the tax code to obtain the tax returns. Rep. Neal's letter demanded six years of tax returns from President Trump and his business entities. It is a well established tradition for Presidents and Presidential candidates to make public their tax returns. EPIC has sought the release of the President's returns in two lawsuits: EPIC v. IRS I and EPIC v. IRS II. EPIC also sent a request to the IRS for information about Rep. Richard Neal's request. EPIC previously urged Congress to obtain and publicly release of President Trump's tax returns. EPIC is seeking to determine the extent of Russian interference in the 2016 presidential election. (Apr. 11, 2019)

  • Federal legislation introduced on Wednesday would require companies to conduct impact assessments to determine if their algorithms are "inaccurate, unfair, biased, or discriminatory." The Algorithmic Accountability Act is sponsored by Sen. Ron Wyden, Rep. Yvette Clarke, and Sen. Corey Booker. EPIC supports algorithmic transparency, which can reduce bias and help ensure fairness in automated decisionmaking. EPIC previously urged Congress to require "Algorithmic Fairness Assessments" before automated decision tools are adopted. Last year, EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. Both the GDPR and the Council of Europe Privacy Convention require algorithmic accountability. (Apr. 10, 2019)

  • In advance of a hearing regarding the filtering practices of internet companies, EPIC has sent a statement to the Senate Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But the European Commission found that Google rigged search results to give preference to its own shopping service. The European Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Apr. 10, 2019)

  • In a statement to the House Appropriations committee on Immigration and Customs Enforcement. EPIC urged close examination of the agency's profiling algorithms, warrantless searches of mobile devices, social media profiling, and the use of DACA application data for investigative purposes. EPIC said the committee should "limit funding pending assurances that ICE takes specific steps" to improve privacy. EPIC has filed multiple FOIA lawsuits against ICE regarding theses surveillance programs. (Apr. 9, 2019)

  • As the House Appropriations Committee considers the Department of Transportation's FY2020 Budget, EPIC has urged the Committee to ensure that the FAA establish and publish drone privacy procedures as required by law. EPIC also said the FAA must require remote identification of drones. "Currently, individuals cannot hold drone operators accountable because it is essentially impossible to identify the drone or the operator of a drone," EPIC said. Last month, EPIC filed comments on the FAA's interim final rule for external ID for drones. In 2012 EPIC, backed by more than one hundred organizations and privacy experts, petitioned the agency to establish privacy safeguards for drones. EPIC also cited a 2012 law requiring the FAA to develop a "comprehensive plan" for drone deployment. EPIC subsequently filed suit against the FAA, challenging the 2016 rule authorizing commercial drone operations without any privacy safeguards. (Apr. 9, 2019)

  • Judge Reggie B. Walton has set a May 2 hearing date to review the release of the Mueller Report and other records sought by EPIC in a Freedom of Information Act lawsuit against the Department of Justice. During an hour-long hearing Tuesday morning, Judge Walton emphasized that the contents of the Mueller Report are an "extremely important subject matter to the nation." Judge Walton said the Justice Department should disclose the records sought by EPIC "as expeditiously as humanly possible," though he declined to set a fixed date for release. Attorney General Barr has said he will release the report by "mid-April, if not sooner." EPIC filed the first lawsuit in the nation for the release of the Special Counsel's report on Russian interference in the 2016 election. As a result of EPIC's lawsuit, the Justice Department agreed to expedite EPIC's FOIA request. EPIC's case is EPIC v. DOJ, No. 19-810 (D.D.C.). #ReleaseTheReport (Apr. 9, 2019)

  • In a statement to the House Appropriations Committee, EPIC urged the panel to ensure that the Justice Department improves reporting on surveillance orders. "Even after the Supreme Court’s decision in Carpenter," EPIC said, "there is little to no information available to Congress or the public about how frequently the government is seeking this location data." EPIC asked the Committee to halt funding for wiretap programs until the Department of Justice improves the reporting procedures. For over 20 years, EPIC has reviewed the annual reports on the use of federal wiretap authority. EPIC also filed an amicus brief in the Carpenter case. The Supreme Court held that law enforcement must get a warrant to obtain cell site location information. (Apr. 9, 2019)

  • The European Commission's Expert Group on Artificial Intelligence has released Guidelines for Trustworthy AI. The EU Guidelines identify seven principles for ethical AI: (1) Human agency and oversight; (2) Robustness and safety; (3) Privacy and data governance (4) Transparency; (5) Diversity, non-discrimination and fairness; (6) Societal and environmental well-being; and (7) Accountability. The European Commission will open a pilot program to test implementation of the Guidelines for Trustworthy AI this summer. The EU Guidelines reflect several principles from the Universal Guidelines for Artificial Intelligence, which have been endorsed by more than 260 experts and 60 organizations in 40 countries. The Universal Guidelines are designed to protect human rights in the development and use of AI systems. (Apr. 8, 2019)

  • EPIC has filed a reply brief in its case for the the Mueller Report. EPIC explained that the public interest in the report is "overwhelming." EPIC wrote "there is no government document in recent memory that has generated more public interest." EPIC filed the first lawsuit in the nation for the release of the Special Counsel's report on Russian interference in the 2016 election. A court hearing in Washington, DC is scheduled for Tuesday morning at 9:00. EPIC's case is EPIC v. DOJ, No. 19-810 (D.D.C.). Press release. #ReleaseTheReport (Apr. 8, 2019)

  • In response to EPIC’s lawsuit seeking the Special Counsel Report—the Mueller Report—on Russian interference in the 2016 election, the Justice Department has filed an opposition to delay release of the report. EPIC filed the first lawsuit in the nation for the release of the Report. In EPIC’s motion for an injunction, EPIC explained that the public "remains in the dark as to the most consequential government investigation in recent history." After filing the lawsuit, EPIC offered to withdraw its motion if the Justice Department would promptly release the Mueller Report. The Justice Department agreed to expedite processing but declined to release the Report. In the court filing, the Justice Department acknowledged that there are over 400 pending FOIA requests related to the report of the Special Counsel. A hearing is scheduled before Judge Reggie Walton Tuesday morning at 9:00 at the U.S. District Court for the District of Columbia. EPIC's case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.). (Apr. 5, 2019)

  • EPIC has submitted a Freedom of Information Act request to the Internal Revenue Service for records related to Rep. Richard Neal's request for President Trump's tax returns. As Chairman of the House Ways and Means Committee, Rep. Neal has the authority under a section of the tax code to request and receive tax returns. Rep. Neal's letter demanded the IRS to turn over six years of tax returns from President Trump and his business entities and gave the agency until April 10, 2019 to comply with the committee’s request. EPIC previously urged Congress to obtain the public release of President Trump's tax returns. EPIC has also sought the release of the president's returns in two lawsuits: EPIC v. IRS I (President Trump's personal tax records) and EPIC v. IRS II (President Trump’s business tax records). (Apr. 5, 2019)

  • In advance of a hearing on “Protecting Americans from Dangerous Products," EPIC wrote to the House Commerce Committee that the Consumer Product and Safety Commission must do more to protect consumers and ensure security of IoT devices. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices, pointing to weak privacy and security safeguards. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the House committee that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” (Apr. 5, 2019)

  • EPIC has asked the House Appropriations Committee to explore the FBI's failure to respond to cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. Earlier this week, the Inspector General also found that the DOJ guidelines "do not consider the needs of victims of cybercrime." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. (Apr. 5, 2019)

  • In response to EPIC's Freedom of Information Act request, the FTC confirms that there are a total of 26,000 pending consumer complaints about Facebook made while under the consent order. In an e-mail to EPIC, the FTC provided a breakdown of the total number of complaints per year. In 2018 alone, the FTC received 8,391 consumer complaints about Facebook, nearly twice the number received in 2016 (4,612), and more than four times the number received in 2014 (1,860). In the eight years since the FTC entered the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. The FTC announced the reopening of the Facebook investigation in the wake of the Cambridge Analytica scandal. But more than a year later, the agency has failed to act. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Apr. 3, 2019)

  • EPIC has sent a statement to the House Appropriations Committee regarding the TSA's FY2020 budget request, urging Congress to suspend the "Biometric Entry-Exit" program until privacy safeguards are established. EPIC said Congress should halt funding for TSA's facial recognition program "until CBP establishes proper privacy assessments, policies and procedures, and oversight mechanisms." EPIC recently filed a Freedom of Information Act lawsuit to determine whether travelers are able to to opt-out of facial recognition at airports. According to the CBP, the "alternative screening procedures" allow travelers to provide identification documents, such as a passport, and avoid facial recognition, which "is not mandatory for U.S. citizens." But research by EPIC indicates that CBP has made it increasingly difficult for travelers to opt-out. (Apr. 3, 2019)

  • EPIC has sent a statement to the House and Senate regarding the FY2020 appropriations for the Department of Commerce. EPIC urged Congress to require the Census Bureau to remove the citizenship question from the 2020 census, pending the completion of legally required Privacy Impact Assessments. EPIC told the committees that the Census Bureau failed to complete the Privacy Impact Assessments required by Section 208 of the E-Government Act. The Census Bureau concedes that it must complete the impact assessments but has so far failed to do so. "Congress made clear that data collection simply could not occur without the completion of these assessments," EPIC explained to Congress. In EPIC v. Commerce now before the D.C. Circuit Court of Appeals, EPIC argued that the collection of citizenship data without the privacy impact assessments is unlawful. EPIC warned the federal appeals court that, "major privacy risks have not been addressed by the agency." (Apr. 3, 2019)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 65th meeting of the International Working Group on Data Protection, held this year in Bled, Slovenia. The Working Group includes Data Protection Authorities and experts from around the world who review emerging privacy challenges. The EPIC 2019 report details the reported shutdown of the NSA call record collection program, Congressional hearings on federal privacy legislation, the nomination of a Privacy Shield Ombudsperson, the Executive Order on Artificial Intelligence, and more. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Apr. 3, 2019)

  • The Senate Commerce Committee today approved a bill to strengthen the FCC's ability to prevent robocalls. The Telephone Robocall Abuse Criminal Enforcement and Deterrence or TRACED Act, enhances the FCC's authority to issue fines against robocallers, extends the statute of limitations, and promotes call authentication and blocking adoption. EPIC has long advocated for robust telephone privacy protections. Last week, EPIC submitted comments to the FCC recommending that the agency (1) require phone providers to block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC filed amicus briefs earlier this year and in 2015 that strengthened consumer protections for robocalls. (Apr. 3, 2019)

  • Sens. Ron Wyden (D-Ore.), and Rand Paul (R-Ky.), and Reps. Justin Amash (R-Mich.), and Zoe Lofgren (D-Calif.) have introduced The Ending Mass Collection of Americans' Phone Records Act. The bill would end the NSA's collection of Americans' phone records, known as "Section 215" authority, which is set to expire on December 15, 2019. EPIC recently joined civil liberties organizations in a statement calling for the end to the NSA's phone record collection program. The USA Freedom Act limited the NSA's collection program, but the NSA has acknowledged compliance problems. In 2013, EPIC filed a petition with the Supreme Court, challenging the lawfulness of the NSA program. EPIC has long called for an end to the phone record collection program. (Apr. 3, 2019)

  • The Department of Justice has agreed to expedite EPIC’s Freedom of Information Act request for the Mueller Report. The DOJ’s concession comes after EPIC sought a preliminary injunction to compel the immediate release of the report. EPIC filed the first lawsuit in the nation for the release of the Mueller Report and related Special Counsel records. In EPIC’s motion for an injunction, EPIC explained that the public "remains in the dark as to the most consequential government investigation in recent history." The EPIC Democracy and Cybersecurity Project has pursued numerous FOIA cases concerning Russian interference with the 2016 election. In EPIC v. FBI (response to Russian cyberattacks), EPIC obtained the FBI victim notification procedures. In EPIC v. ODNI (Russian hacking), EPIC confirmed that Russia engaged in a “multi-pronged” attack against the U.S. elections. In EPIC v. IRS I, EPIC sought the release of President Trump’s tax returns. In EPIC v. IRS II, EPIC is seeking the release of related business returns. And in EPIC v. DHS (election cybersecurity), EPIC obtained documents about election security procedures. The case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.). (Apr. 2, 2019)

  • A federal district court in Washington DC has set Tuesday, April 9 for a hearing in EPIC v. Department of Justice, EPIC’s lawsuit to compel the public release of the Mueller Report. Judge Reggie B. Walton also ordered the Justice Department to respond to EPIC’s motion for a preliminary injunction by Friday, April 5. EPIC filed the lawsuit after the Justice Department failed to process EPIC’s Freedom of Information Act request. In the motion for an injunction, EPIC explained that the public "remains in the dark as to the most consequential government investigation in recent history." The EPIC Democracy and Cybersecurity Project has pursued several FOIA cases concerning Russian interference with the 2016 election. In EPIC v. FBI (response to Russian cyberattacks), EPIC obtained the FBI victim notification procedures. In EPIC v. ODNI (Russian hacking), EPIC confirmed that Russia engaged in a “multi-pronged” attack against the U.S. elections. In EPIC v. IRS I, EPIC sought the release of President Trump’s tax returns. In EPIC v. IRS II, EPIC is seeking the release of related business returns. And in EPIC v. DHS (election cybersecurity), EPIC obtained documents about election security procedures. The case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.). (Apr. 1, 2019)

  • The FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete,” according to a report by the Inspector General for the Department of Justice. The IG report found that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.” In 2017, EPIC obtained through EPIC v. FBI, a FOIA lawsuit, the FBI Victim Notification Procedures that should have applied to Russian cyberattacks during the 2016 Presidential election. The FBI Notification Procedures made clear that notification should occur “even when it may interfere with another investigation or (intelligence) operation.” The records obtained by EPIC led to Associated Press investigation ("FBI gave heads-up to fraction of Russian hackers’ US targets”), which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. DOJ (the Mueller Report), EPIC v. ODNI (Russian hacking), EPIC v. IRS I release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity). (Apr. 1, 2019)

  • EPIC filed an amicus brief in Department of Commerce v. New York, urging the Supreme Court to uphold a New York federal judge’s decision to remove the citizenship question from the 2020 Census. EPIC warned that “collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns.” EPIC described the history of census privacy, including EPIC’s 2004 FOIA lawsuit which revealed that the Census Bureau transferred data on Arab-Americans to the DHS after 9/11. EPIC also explained that, “in failing to assess the risks that would result from the collection of personal data regarding citizenship status, the Census Bureau has violated its obligations under the E-Government Act." In a related matter, EPIC’s lawsuit to block the citizenship question, EPIC v. Commerce, is currently before the D.C. Circuit with an argument scheduled for May 8. EPIC has charged that the Census Bureau failed to complete required Privacy Impact Assessments prior to the decisions to collect personal data about citizenship. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. (Apr. 1, 2019)

  • The State of Utah has become the first state in the nation to require law enforcement to obtain a warrant to obtain electronic data held by third parties such as wireless providers, email providers, search engines, or social media companies. House Bill 57, sponsored by State Representative Craig Hall (R) was signed by Governor Gary Herbert last week. Last year, the Supreme Court ruled in Carpenter v. United States that the Fourth Amendment protects location records generated by mobile phones. Recognizing that other types of data were in equal need of protections, Chief Justice John Roberts, writing for the Court, said "legislation is much preferable to the development of an entirely new body of Fourth Amendment case law." Utah took that advice and passed broad protections for essentially all data held by third-parties, with exceptions in emergency circumstances. EPIC filed an amicus brief in the Carpenter case, has recommended updates to the Electronic Communications Privacy Act, and recently proposed a comprehensive strategy for Congress to update federal law after the Carpenter decision. (Apr. 1, 2019)

  • EPIC has filed a motion for a preliminary injunction to secure the expedited release of the Mueller Report and other records concerning Russian interference in the 2016 presidential election. EPIC filed suit against the Department of Justice last week after the agency failed to process EPIC’s Freedom of Information Act request. In the motion for an injunction, EPIC explained that "Few, if any, government documents in the recent history of the United States have commanded more attention than the Mueller Report,” yet the public "remains in the dark as to the most consequential government investigation in recent history." The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity). The case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.). (Mar. 29, 2019)

  • Democratic and Republican leaders in the Senate and the House have sent a letter to the Government Accountability Office requesting a comprehensive review of compliance with the Freedom of Information Act across the federal government. The letter was spearheaded by Rep. Cummings (D-MD), Senator Leahy (D-VFT), Senator Grassley (R-IA), Senator Feinstein (D-CA), Senator Cornyn (R-TX), and Rep. Jordan (R-OH). The letter stated that the GAO’s 2018 assessment revealed “inconsistent and incomplete” agency compliance with the FOIA between 2012-2016. The GAO report found that 18 agencies only implemented half of the FOIA requirements since the 2016 amendments and some agencies had backlogs of more than 1,000 FOIA requests. As part of EPIC’s Open Government project, EPIC frequently uses FOIA to obtain information about the government to improve government oversight and accountability. (Mar. 29, 2019)

  • EPIC has filed an amicus brief in United States v. Wilson, a case concerning Google’s scanning of billions of personal files for suspected unlawful content, at the behest of the federal government. EPIC argued that “because neither Google nor the Government explained how the image matching technique actually works or presented evidence establishing accuracy and reliability, the Government’s search was unreasonable.” EPIC also explained that “the lower court made a key mistake” by confusing file hashing, which uniquely identifies a file, and image matching, which is prone to false positives. Last year, EPIC filed an amicus brief in a similar case, United States v. Miller. EPIC has promoted algorithmic transparency for many years. EPIC routinely submits amicus briefs on the application of the Fourth Amendment to investigative techniques. (Mar. 29, 2019)

  • The FCC published a final rule on robocalls that establishes a single database for reassigned phone numbers, sets a minimum period of 45 days before a disconnected number may be reassigned to a new subscriber, and adopts a limited safe harbor from liability for any caller that relies upon inaccurate information in the database. EPIC submitted comments for this rulemaking, recommending that the FCC (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC has long advocated for robust telephone privacy protections. EPIC filed an amicus brief in 2015 that strengthened consumer protections for robocalls. (Mar. 29, 2019)

  • EPIC joined forty education, privacy, disability rights, and civil rights organizations to support ten principles for school safety. The principles promote student safety measures that are evidence-based and oppose the surveillance-based measures that have been proposed in many states. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. In 2012, EPIC sued the Department of Education after it weakened a rule to protect the privacy of student records. Last year EPIC filed an amicus brief in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements. (Mar. 29, 2019)

  • A federal appellate court has refused to find a dating app liable for failing to remove a false profile that enabled abusive conduct. EPIC filed an amicus brief in Herrick v. Grindr, arguing that the law Section 230 of the Communications Decency Act was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if internet services are not accountable for harassment and abuse. EPIC routinely files friend of the court briefs in cases concerning emerging privacy and civil liberties issues. (Mar. 28, 2019)

  • The Department of Housing and Urban Development has charged Facebook with violating the Fair Housing Act by enabling discrimination through user profiling on the advertising platform. “Facebook is discriminating against people based upon who they are and where they live,” said HUD Secretary Ben Carson. “Using a computer to limit a person’s housing choices can be just as discriminatory as slamming a door in someone’s face.” EPIC supports "algorithmic transparency,” which could reduce bias and help ensure fairness in automated decisionmaking. EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC has pursued numerous FOIA cases concerning algorithmic transparency, passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. (Mar. 28, 2019)

  • The D.C. Circuit has rejected an attempt by the Department of Justice to cut short EPIC’s appeal in EPIC v. DOJ, a FOIA case concerning predictive policing, algorithmic transparency, and executive privilege. The appeal will now be argued before a three-judge panel of the D.C. Circuit. EPIC’s case calls for the disclosure of a “Predictive Analytics Report” drafted by the DOJ for the White House. A lower court backed the DOJ last year when the agency asserted the “presidential communications privilege” over the report. But neither the D.C. Circuit nor the Supreme Court has ever permitted a federal agency to unilaterally invoke that privilege in a FOIA case. EPIC recently filed a FOIA suit for the release of the Mueller Report, which President Trump may attempt to withhold from the public using executive privilege. EPIC has pursued numerous FOIA cases concerning algorithmic transparency, passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. (Mar. 28, 2019)

  • Idaho became the first state to pass a law specifically promoting transparency, accountability, and explainability in pre-trial risk assessment tools. Pre-trial risk assessments are algorithms that help inform sentencing and bail decisions for defendants. The law prevents a trade secrecy or IP defense, requires public availability of “all documents, data, records, and information used by the builder to build or validate the pretrial risk assessment tool,” and empowers defendants to review all calculations and data that went into their risk score. The law became effective on July 1, 2019. EPIC has consistently advocated for Algorithmic Transparency and urges jurisdictions to use the Universal Guidelines for Artificial Intelligence as a guideline for AI policy. (Mar. 28, 2019)

  • In response to a FOIA request from EPIC, the FTC has confirmed that there are over 25,000 complaints about Facebook pending with the Commission. In the eight (8) years since the FTC announced a consent order barring Facebook from making any misrepresentations about use privacy, the FTC has not taken a single enforcement action against the company. And one year has now passed since the FTC announced the reopening Facebook investigation after news of the Cambridge Analytica data breach. EPIC has urged the FTC to #EnforceTheOrder against Facebook. (Mar. 27, 2019)

  • EPIC sent a statement to a Senate committee on Foreign Relations regarding the nomination of Keith Krach to Under Secretary of State. Krach would serve as the US Privacy Shield Ombudsperson, a pivotal role concerning the transfer of personal data between the EU and the US. EPIC took no position on the nominee, but wrote to underscore the urgency of Congressional action to safeguard the privacy interests of Americans. EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take three steps to update U.S. privacy law: (1) enact the comprehensive baseline privacy legislation, (2) establish an independent data protection agency, and (3) ratify the International Privacy Convention. (Mar. 26, 2019)

  • A bipartisan group of Senators, including Senator Patrick Leahy, sent a series of questions last week to Attorney General William Barr about the government's surveillance of Americans' location data. The Senators specifically asked how the Supreme Court's decision in Carpenter v. United States has impacted government surveillance programs. In Carpenter, the Court ruled that the government could not collect cell phone location data without a warrant, even if that data was held by the phone company. The Senator's questions concern possible collection of location data by intelligence agencies as well as during criminal investigations. EPIC has sued the Department of Justice to obtain records of the number of surveillance applications for location data submitted by federal prosecutors in prior years. EPIC also filed a "friend of the court" brief in Carpenter, and urged the Court to extend Constitutional protection to cell phone data. EPIC also provides the public with access to and information about the federal wiretap reports, which provide important statistics about the use of other surveillance authorities. These reports have not yet been updated to address location data collection. (Mar. 26, 2019)

  • The Supreme Court has heard oral arguments in PDR Network v. Carlton & Harris Chiropractic, which concerns a company's efforts to disregard an FCC rule about junk faxes. EPIC filed an amicus brief in the case. In the brief, EPIC explained that permitting companies to avoid FCC rules "will exclude the voices of consumers" in agency decision making. EPIC also explained that the company's efforts to sidestep agency rules will benefit those "who have resources to attack FCC rules." EPIC contributed to the development of the robocall and junk fax laws. EPIC has since worked to ensure that telephone users are protected from invasive practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Mar. 26, 2019)

  • In advance of a hearing on "Small Business Perspectives on a Federal Data Privacy Framework," EPIC has sent a statement to the the Senate committee on consumer protection. EPIC said that over the last two decades, an absence of privacy regulation has led to a growing concentration of internet services. "Privacy rules could help level the playing field," EPIC said. EPIC also warmed against preempting state laws, citing California's data breach legislation as an example. "A federal law that preempted California's ability to respond to new threats would have placed consumers and businesses at risk," EPIC said. (Mar. 26, 2019)

  • In advance of a hearing on "Improving Cybersecurity at Consumer Reporting Agencies," EPIC sent a statement to the House Oversight Committee urging the creation of a data protection agency in the United States. "The FTC also lacks the ability, authority and expertise to engage the broad range of challenges we now confront," EPIC said. EPIC cited the Federal Trade Commission's limited ability to enforce basic data protection standards, and the growing dangers of data breach, identity theft, and cyber attacks by foreign adversaries. The U.S. is one of the few democracies in the world that does not have a federal data protection agency. EPIC wrote about the need for a U.S. data protection agency in the New York Times, the Hill, and Techonomy. (Mar. 26, 2019)

  • The Supreme Court today declined to review Zappos.com, v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. (Mar. 25, 2019)

  • EPIC has filed a Freedom of Information Act lawsuit to obtain the final report by Special Counsel Robert Mueller concerning Russian interference in the 2016 U.S. presidential election. Attorney General William Barr notified Congress on Friday that the Special Counsel had delivered the final report. In November 2018, EPIC submitted a detailed Freedom of Information Act request to the Department of Justice seeking records about the investigation. The Special Counsel was authorized to conduct an investigation into Russian interference, including "any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump." Special Counsel Mueller has since brought criminal charges against 34 individuals and three organizations. EPIC, through its Democracy and Cybersecurity Project, has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump's offers-in-compromise), and EPIC v. DHS (election cybersecurity). The case for the release of the Mueller Report is EPIC v. DOJ, No. 19-810 (D.D.C.) [Exhibits]. (Mar. 22, 2019)

  • EPIC has filed an amicus brief urging the Supreme Court to protect the public's right to access commercial information held by federal agencies. EPIC described several of its own FOIA case -- including the now defunct airport body scanner program and the ongoing probe of Facebook -- where access to commercial records made possible meaningful oversight and reform. EPIC also warned that private parties, "acting on behalf of public agencies and with public funding," often hide their activities. EPIC wrote, "The public must have access to commercial information in agency records to conduct effective oversight of government programs that implicate privacy." EPIC has filed several amicus briefs for the US Supreme Court and other federal courts in Freedom of Information Act cases. Twenty members of the EPIC Advisory Board, distinguished experts in law, technology, and public policy, signed the brief. The case is Food Marketing Institute v. Argus Leader Media, No. 18-481. (Mar. 22, 2019)

  • A new White House website "Artificial Intelligence for the American People" emphasizes "AI for American Innovation, AI for American Industry, AI for the American Worker, and AI with American Values," but still provides no opportunities for public input. The National Commission on Artificial Intelligence, tasked with advising the federal government on AI policy, also recently held its first meeting in secret. Last year, EPIC—joined by nearly 100 experts and leading scientific organizations including AAAS, ACM, FAS, and IEEE—successfully petitioned the White House Select Committee on Artificial Intelligence to incorporate public input in the committee's work. EPIC has urged US support for the Universal Guidelines for AI, a policy framework emphasizing fairness, accountability, and transparency for AI systems. (Mar. 21, 2019)

  • U.S. Senators Roy Blunt [R-MO] and Brian Schatz [D-HI] introduced a bill to protect consumers from companies collecting facial images. Senator Schatz said: "Our faces are our identities. They're personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces." EPIC previously urged the FTC to stop Facebook's use of facial recognition to capture personal identity. In 2018, EPIC charged that Facebook's facial recognition practices lacks privacy safeguards and violate the 2011 Consent Order with the FTC. EPIC has urged the FTC to #EnforceTheOrder as a one-year deadline approaches. (Mar. 21, 2019)

  • In his dissenting opinion in Frank v. Gaos, Justice Thomas set out two key guidelines for future consumer privacy litigation. First, Justice Thomas said that consumer privacy cases could go forward when a "private right" is violated, such as when a violation of a federal privacy law is alleged. The Supreme Court adopted a somewhat more narrow standard in the Spokeo v. Robbins case. Second, Justice Thomas made clear that class action settlements must provide a "meaningful" benefit to class members, which could include monetary relief or a change in business practices. Justice Thomas opposed the settlement in Gaos, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims...." Justice Thomas did not rule out cy pres remainder settlements for "disposing of unclaimed or undistributable class funds" or cy pres-only settlements that provide some actual benefit to class members. EPIC set out very similar views in an amicus brief for the Supreme Court in the Gaos case, in related amicus briefs on standing and in court filings on class action fairness, as well as an academic article calling for reform of cy pres settlements. (Mar. 21, 2019)

  • The Supreme Court today sent Frank v. Gaos back to the lower courts because the Court could not decide if the proposed settlement in a privacy case was "fair, reasonable, and adequate" or if the case was properly before the Court. The case involves Google's disclosure of search histories to third parties without consent, a business practice that could violate several privacy laws. Under the terms of the settlement, there was no benefit to Internet users and Google was not prohibited from continuing the allegedly unlawful practice. In an amicus brief, EPIC stated, "the proposed settlement is bad for consumers and does nothing to change Google's business practices." EPIC and several organization objected to the original settlement on three separate occasions. EPIC routinely opposes settlements that fail to provide an actual benefit to Internet users. In this case, the Justices ordered the parties to address whether the Spokeo v. Robbins decision permits consumer privacy to go forward. EPIC filed a brief in Spokeo in support of consumers, and has filed similar briefs siding with consumers in several other cases. (Mar. 20, 2019)

  • EPIC joined civil liberties organizations this week in a statement to the House Judiciary Committee, calling for a permanent end to the NSA's phone record collection program. The groups asked that Congress to "hold hearings and make public information critical to permit an informed debate over the reauthorization of Section 215 and other provisions of the Patriot Act, which are set to expire December 15, 2019." The National Security Agency has reportedly ended the collection of Americans' phone records. The USA Freedom Act limited the NSA's bulk collection program. The NSA also acknowledged compliance problems and opposition to renewal is growing. In 2013, EPIC filed a petition with the Supreme Court, challenging the lawfulness of the NSA program. EPIC previously called for an end to the phone record collection program. (Mar. 20, 2019)

  • In a New York Times op-ed, Congressman David Cicilline (D-RI), Chairman of the House Judiciary Committee's Subcommittee on Antitrust, has asked the FTC to investigate Facebook for violating antitrust laws. Citing EPIC's work, Chairman Cicilline said "For years, privacy advocates have alerted the commission that Facebook was likely violating its commitments under the agreement. Not only did the commission fail to enforce its order, but by failing to block Facebook's acquisition of WhatsApp and Instagram, it enabled Facebook to extend its dominance." Rep. Cicilline made clear that data merger deals implicate competition law, which EPIC has long argued. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. EPIC has launched the #EnforceTheOrder campaign to urge action on the consent order. (Mar. 19, 2019)

  • On Tuesday, March 19 at 2 pm, EPIC will host a press conference moderated by EPIC President Marc Rotenberg. The event will take place at the Fund for Constitutional Government, on Capitol Hill, across the street from the US Supreme Court. Participants include speakers from U.S. PIRG, Public Citizen, and EPIC. The event will focus on Facebook, the Federal Trade Commission, privacy and the 2011 consent order. EPIC has launched the #EnforceTheOrder Campaign to urge action on the consent order. In 2011, the agency issued a sweeping order against Facebook. The FTC Chairman said at the time, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." Press advisory. Flyer. (Mar. 18, 2019)

  • EPIC has filed an urgent Freedom of Information Act request to the Federal Trade Commission seeking all pending complaints. As a result of the extensive work of consumer organizations, the Commission issued a consent order against Facebook in 2011 barring the company from making any future misrepresentations about the privacy and security of a user's personal information. But the FTC has failed to issue any fines or declare any of Facebook's actions, including the Cambridge Analytical scandal, a violation of the consent order. The FTC has also not published the number of pending consumer complaints against Facebook. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. (Mar. 18, 2019)

  • EPIC, joined by other privacy groups, submitted comments on the FAA’s interim final rule for external ID for drones. The proposal requires the external display of registration numbers on drones. While EPIC agreed external marking are preferable to hidden identifiers, EPIC said the rule did not go far enough. EPIC wrote, “Because drones present substantial privacy and safety risks, EPIC recommends that the FAA require any drone operating in the national airspace system to broadcast location when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information[.]” EPIC also suggested the agency require operators register and broadcast surveillance capabilities. EPIC has long advocated for remote identification mandates for drones and petitioned for regulation of these surveillance tools. (Mar. 15, 2019)

  • The National Security Commission on Artificial Intelligence held its first meeting this week, in secret. The Commission is tasked with advising the federal government on artificial intelligence. The Commission was established by the National Defense Authorization Act. Federal law requires commissions to operate transparently, yet the AI Commission provided no notice of the meeting and no opportunity for public participation. Last year, EPIC—joined by nearly 100 experts and leading scientific organizations including AAAS, ACM, FAS, and IEEE—successfully petitioned the White House Select Committee on Artificial Intelligence to incorporate public input in the committee's work. EPIC is now seeking the public release of the documents distributed at the AI Commission meeting. (Mar. 15, 2019)

  • In response to EPIC's Freedom of Information Act lawsuit, the National Archives has provided an index of Justice Kavanaugh's records that contains an accounting of all records released by the National Archives so far. The letter includes an index of all e-mail and text files, including those withheld in full or in part. There was unprecedented secrecy surrounding the nomination of Judge Kavanaugh to the Supreme Court. EPIC's FOIA lawsuit and a related request by Senator Richard Blumenthal resulted in the public release of hundreds of thousands of pages about Judge Kavanaugh's work in the White House. The records include communications between Kavanaugh and John Yoo, the architect of the warrantless surveillance program. (Mar. 14, 2019)

  • The U.S. Department of State has released the annual report on human rights practices across the globe. The State Dept. report reviews adherence to "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements," including the arbitrary or unlawful interference with privacy. The 2018 report highlights China's social credit system which "quantifies a person's loyalty to the government by monitoring citizens' online activity and relationships." The report also cites the Indian Supreme Court ruling that privacy is a fundamental right and Turkish authorities' investigation of more than 45,000 social media accounts between 2016 and April 2018. Two EPIC publications - The Privacy Law Sourcebook 2018 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide a comprehensive overview of privacy frameworks around the world and track emerging privacy challenges. (Mar. 14, 2019)

  • Bipartisan legislation governing the Internet of Things was introduced this week in the Senate and House of Representatives. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 in the Senate, and Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) filed the bill in the House. The legislation would require the National Institute of Standards and Technology to set baseline security standards for Internet-connected devices. EPIC has diligently advocated for stronger regulation of IoT, and called attention to the privacy and security risks of connected cars in comments to NTHSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to Ninth Circuit. (Mar. 14, 2019)

  • A report from the FOIA Project places EPIC among the top FOIA litigators in the United States, as measured by the number of FOIA lawsuits filed between 2001 and 2018. The FOIA Project provides comprehensive information on federal FOIA matters, including initial FOIA requests, administrative appeals, and FOIA lawsuits, and is operated by the Transactional Records Access Clearinghouse. The 2018 report on litigation by nonprofit groups finds that EPIC has filed a total of 74 FOIA lawsuits between 2001 and 2018, approximately divided between Democratic and Republican administrations. The other groups in the top 5 are Judicial Watch (391), ACLU (130), PEER (94), and CREW (88). EPIC celebrated Sunshine Week with the 2019 EPIC FOIA Gallery, highlighting important EPIC FOIA cases from the past year. (Mar. 14, 2019)

  • In advance of a hearing on the 2020 Census, EPIC has sent a statement to the House Oversight Committee urging Congress to require the Census Bureau to remove the citizenship question from the 2020 census. EPIC told the Committee that the Census Bureau failed to complete privacy impact assessments required by law. "Congress made clear that data collection simply could not occur without the completion of these assessments" EPIC explained. In EPIC v. Commerce, a case now before the D.C. Circuit Court of Appeals, EPIC recently filed an opening brief to block the Census Bureau from collecting citizenship data in the 2020 Census. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. EPIC warned the federal appeals court that "major privacy risks have not been addressed by the agency." (Mar. 13, 2019)

  • In advance of a hearing on the Freedom of Information Act, EPIC highlighted several recent open government cases. EPIC told the Committee about documents EPIC obtained through FOIA requests and litigation, including documents EPIC obtained, widely reported this week, about the plan to expand facial recognition at US airports. EPIC also described records obtained from the Federal Trade Commission about the agency's failure to enforce the consent order against Facebook. And EPIC described the open government case against the IRS seeking the release of President Trump's tax returns. Since 2001, EPIC has published an annual FOIA gallery in honor of Sunshine Week. (Mar. 13, 2019)

  • The Eleventh Circuit has issued a decision in Jackson v. McCurry. A student's family filed the case after school officials searched her cell phone without probable cause. The appeals court ruled against the the student because the law limiting searches of student cell phones was not "clearly established." EPIC filed an amicus brief, arguing that searches of student phones should be "limited to those circumstances when it is strictly necessary" after the Supreme Court's decision in Riley v. California. EPIC wrote that "most teenagers today could not survive without a cellphone." The court recognized the need to limit school searches of cell phones, noting that "the reasoning of Riley treats cellphone searches as especially intrusive in comparison to searches incident to arrest of personal property" and that "a search of a student's cellphone might require a more compelling justification than that required to search a student's other personal effects." However, the court refused to hold that this right was "clearly established." EPIC routinely files amicus briefs in cases raising new privacy issues. EPIC has also long advocated for greater student privacy protections, including a Student Privacy Bill of Rights. (Mar. 13, 2019)

  • After a Buzzfeed story featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program. The Senators stated that "DHS should pause their efforts until American travelers fully understand exactly who has access to their facial recognition data, how long their data will be held, how their information will be safeguarded, and how they can opt out of the program altogether." Today EPIC filed a Freedom of Information lawsuit, EPIC v. CBP, to determine whether the agency is allowing travelers to opt-out of facial recognition. EPIC's earlier lawsuit against the DHS led to the removal of backscatter x-ray devices at US airports. (Mar. 12, 2019)

  • Senators Edward Markey (D-Mass.) and Josh Hawley (R-Mo.) have introduced legislation to update the Children's Online Privacy Protection Act (COPPA). The bill bans internet companies from collecting personal or location information from children under 13 without parental consent and from teens ages 13-15 without the user's consent. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. EPIC recently submitted comments in support of the FTC's proposed extension of the information collection requirements for COPPA, but said the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." (Mar. 12, 2019)

  • EPIC has filed a Freedom of Information Act lawsuit to determine whether the U.S. government is allowing travelers to opt-out of facial recognition at airports. The "alternative screening procedures" should allow travelers to provide identification documents, such as a passport, and avoid facial recognition, which "is not mandatory for U.S. citizens" according to the CBP. But research by EPIC indicates that Custom and Border Protection has modified the program, making it increasingly difficult for travelers to opt-out. This week, Buzzfeed featured documents EPIC obtained about this flawed facial recognition program, which the Administration is seeking to establish at all U.S. airports. EPIC has urged Congress to suspend the CBP Biometric Entry-Exit program until privacy safeguards and meaningful opt-out procedures are established. The case is EPIC v. CBP, No. 19-cv-689 (D.D.C. March 12, 2019). (Mar. 12, 2019)

  • Senator Josh Hawley (R-MO) has sent a letter to the Federal Trade Commission urging a more aggressive approach to privacy protection. Senator Hawley outlined the many privacy violations by tech giants in recent years, including Facebook's failure to honor the promises it made when it acquired WhatsApp, Google's use of location data, and the disclosure of personal information to third parties by many platforms. "There is no excuse for inaction," Senator Hawley said. Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder, @FTC. (Mar. 11, 2019)

  • Prior to a hearing on "GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation," EPIC has sent a letter and related materials to the Senate Judiciary Committee advising on federal privacylegislation. EPIC Executive Director Marc Rotenberg recently wrote in the New York Times, "There is still much that Congress can do to strengthen privacy protections for Americans. Enacting federal baseline legislation and establishing a data protection agency would be a good start." EPIC also sent the Committee EPIC commentaries from the Financial Times, Techonomy, the OECD Observer, and the Harvard International Review. (Mar. 11, 2019)

  • At the start of Sunshine Week, Buzzfeed featured documents obtained by EPIC about a deeply flawed facial recognition program that could impact all U.S. travelers returning to the United States. The documents, released following an EPIC FOIA request, describe the Administration's plan to extend a faulty CBP pilot program to TSA, ICE, and the Coast Guard. Documents previously obtained by EPIC, following a lawsuit against DHS, found similar problems with a facial recognition program at the southern border. (Mar. 11, 2019)

  • Speaking to the Going Digital Summit of the OECD in Paris, EPIC President Marc Rotenberg urged the OECD to adopt a bold framework for AI that will safeguard fundamental rights. "The OECD is uniquely situated to put forward an international framework that spurs innovation, and protects democratic institutions and human rights," said Mr. Rotenberg. The OECD Civil Society Advisory Council has promoted the Universal Guidelines for AI, a policy framework endorsed by more than 250 experts and 60 associations in more than 40 countries. (Mar. 11, 2019)

  • In celebration of Sunshine Week, EPIC has unveiled the 2019 FOIA Gallery. Since 2001, EPIC has published annually highlights of EPIC’s most significant open government cases and Freedom of Information Act requests. In 2018, EPIC obtained e-mails about mass surveillance programs developed by Justice Kavanaugh as a White House legal advisor, records about the controversial DHS "media monitoring program," communications between the FTC and Facebook about the agency's failure to enforce the 2011 Consent Order, and documents that revealed obscure travel blacklists in the "SecureFlight" program. In the latest FOIA gallery, EPIC also highlight a significant ruling from the D.C. Circuit in EPIC v. IRS where the court stated that the IRS "misunderstands its FOIA disclosure obligations." This is one of two cases EPIC filed to obtain the public release of President Trump's tax records. In EPIC v. IRS, the district court noted that President Trump tweeted, "For the record, I have ZERO investments in Russia. Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING!" (Mar. 11, 2019)

  • EPIC has submitted urgent Freedom of Information Act requests to the Department of Homeland Security (USCIS and the Office of Immigration Statistics) and the Census Bureau for records about the planned transfer of personal data from DHS to the Census Bureau. After a federal judge in California ruled that adding a citizenship question to the 2020 Census was unconstitutional, the AP reported that DHS would disclose to the Census Bureau personal data, including names, addresses, birth dates, Social Security numbers, and alien registration numbers. The Census Bureau confirmed that the agency was preparing an agreement with DHS to “receive administrative records.” In EPIC v. Commerce, EPIC alleges that the Bureau failed to conduct and publish required privacy impact assessments before making an uninformed decision to collect citizenship data. EPIC is seeking an injunction from the D.C. Circuit, which will hear arguments in the case in May. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Mar. 8, 2019)

  • In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. (Mar. 7, 2019)

  • In a report released this week, the Senate Homeland Security Investigations Subcommittee found that Equifax was aware of cybersecurity weaknesses for years before the massive breach in 2017, which affected 148 million U.S. consumers. The Senate report found that Equifax chose "efficient business operations rather than security protocols" that allowed a foreign government to access the authenticating details, including dates of birth and SSNs, of American consumers. In December, the House Committee on Oversight released a report which found that the Equifax breach was "entirely preventable." Following the Equifax data breach, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft. (Mar. 7, 2019)

  • A federal court in California has blocked the Census Bureau from adding a citizenship question to the 2020 Census, becoming the second court to do so. The court found that the Bureau made an arbitrary decision to include the citizenship question, then engaged in a "cynical search to find some reason, any reason" to "justify that preordained result." A federal court in New York recently blocked the citizenship question in a different case, but the Supreme Court is set to review that decision. In EPIC v. Commerce, EPIC alleges that the Bureau failed to conduct and publish required privacy impact assessments before making an uninformed decision to collect citizenship data. EPIC is seeking an injunction from the D.C. Circuit, which will hear arguments in the case in May. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Mar. 6, 2019)

  • The DHS Privacy Advisory Committee issued final recommendations on facial recognition use at the border. The report examined transparency, data minimization, data quality and integrity, and accountability and auditing. The report said entrants to the U.S. need notice of their rights and how to exercise those rights. The final recommendations differed only slightly from the draft recommendations. In response to EPIC's comments, the final report included recommendations for increased reporting and research of facial recognition accuracy. However, the DHS report failed to address the lack of legal authorization for the facial recognition program or establish that the program is necessary for national security. (Mar. 6, 2019)

  • In advance of a hearing on border security, EPIC sent a statement to the House Committee on Homeland Security urging an examination of surveillance programs in use at the border. EPIC asked the Committee to examine the warrantless searches of mobile devices, social media profiling, and the use of drones. EPIC has filed several FOIA lawsuits against DHS regarding these surveillance activities, warning that border surveillance programs often capture the personal data of Americans. A previous FOIA lawsuit EPIC v. CPB uncovered Palintir's role in the development of the Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers, including U.S. citizens. (Mar. 5, 2019)

  • Prior to a hearing on "Inclusion in Tech: How Diversity Benefits All Americans," EPIC has sent a statement to a House committee. EPIC said that "algorithmic transparency" could reduce bias and help ensure fairness in automated decisionmaking. EPIC proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to reform is hiring practices. "If the company wishes to connect the world," EPIC and the groups wrote, "it must also be prepared to reflect the world in all of its decision-making." (Mar. 5, 2019)

  • The National Security Agency has reportedly ended the controversial collection of Americans' phone records. The USA Freedom Act limited the NSA's bulk collection program. However, the NSA has acknowledged compliance problems and doubts remain about renewal of the program later this year. Now, a senior Hill aide has said the NSA "hasn't actually been using it for the past six months" and it is not clear "that the administration will want to start that back up." In 2013, EPIC filed a petition with the U.S. Supreme Court, challenging the lawfulness of the program. EPIC and a coalition have since called attention to the NSA's failure comply with the requirements of the Freedom Act. EPIC previously called for an end to the phone record collection program. (Mar. 5, 2019)

  • With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. EPIC is urging the Federal Trade Commission to act before March 26, 2019. Many experts, including former FTC Chief Technology Officer Ashkan Soltani, Senator Richard Blumenthal, and former FTC Chair William Kovacic, have said that Facebook violated the consent order. EPIC has also joined with Color of Change, the Open Markets Institute and others to urge the FTC to impose a significant fine and also to break up the company, reform hiring and management practices, and install a director to represent users. Follow EPIC at @EPICprivacy for the latest on the campaign. Join us. Tweet why enforcement matters to you. Include #EnforceTheOrder @FTC @facebook. (Mar. 5, 2019)

  • In response to EPIC's Freedom of Information Act request, the Federal Bureau of Investigation has released documents (part 1, part 2, part 3) concerning the agency's use of National Security Letters to obtain information from the media. The disclosure to EPIC includes a revised policy that followed criticisms of government surveillance of journalists. In an earlier amicus brief, EPIC recommended enhanced oversight of National Security Letters. (Mar. 4, 2019)

  • EPIC has filed an opening brief in the appeal to block the Census Bureau from collecting citizenship data in the 2020 Census. EPIC told the D.C. Circuit that the Census Bureau failed to complete privacy impact assessments required by law. “This uninformed data collection by a federal agency is precisely what the E-Government Act prohibits,” EPIC explained. The Bureau concedes that it must complete the impact assessments but has so far failed to do so. EPIC warned the federal appeals court that “major privacy risks have not been addressed by the agency.” EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Mar. 2, 2019)

  • Reps. Brenda Lawrence (D-MI) and Ro Khanna (D-CA) have introduced a Congressional resolution calling for guidelines for the ethical development of artificial intelligence. The Ethical AI resolution sets out core principles, including transparency, accountability, fairness, privacy protection, public engagement, education, and safety. EPIC has proposed similar principles, the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC previously urged lawmakers to appoint AI Commission members who support the Universal Guidelines. (Feb. 28, 2019)

  • EPIC has filed a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking. Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently granted EPIC's request to intervene in the case. "Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks," EPIC's brief states. EPIC also explained that "Government hacking weakens security safeguards." EPIC has long advocated for strong cybersecurity policies. (Feb. 28, 2019)

  • TikTok settled with the FTC for $5.7 million over allegations that the Chinese video app company violated the Children's Online Privacy Protection Act. The FTC complaint alleges that TikTok violated COPPA by collecting personal information from kids without parental consent. The $5.7 million fine is the Commission's largest COPPA penalty. The Commission's vote was unanimous. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 27, 2019)

  • The FTC announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of Whatsapp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders. (Feb. 26, 2019)

  • The D.C. Circuit has scheduled oral argument for May in EPIC's expedited appeal to block the Census Bureau from collecting citizenship information in the 2020 Census. EPIC alleges that the Bureau failed to complete privacy impact assessments required by the E-Government Act before adding the question. A lower court denied EPIC's motion for a preliminary injunction, agreeing that the Bureau is required to conduct the detailed assessments, but oddly concluding that it is not required to do so "until the Bureau mails its first batch of Census questionnaires to the public"—a view entirely at odds with the relevant law. A federal court in New York recently blocked the citizenship question in a different case, but the Supreme Court will now review that decision. EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Feb. 26, 2019)

  • European Data Protection Supervisor Giovanni Buttarelli released the 2018 EDPS annual report. Among recent accomplishments are the 2018 Conference on Digital Ethics, adoption of an EU-Japanese data transfer deal, and implementation of the GDPR. At a press conference for the report's release, Buttarelli also recommended that the United States enact a federal privacy law, ratify the Council of Europe Privacy, Convention, and resolve long-standing concerns about mass surveillance. "In my opinion, bulk collection as such is not fully compatible with our system," Buttarelli said. EPIC has long recommended that the United States ratify the International Privacy Convention. EPIC has also proposed changes to Section 702 of the Patriot Act, which permits the bulk collection of the personal data of Europeans. (Feb. 26, 2019)

  • EPIC and a coalition of civil society organizations told the Australian Parliament that a law allowing police to require weak security for tech products should be amended. The Parliament reopened debate over the "Assistance and Access" law, broadly denounced as a threat to security and freedom of expression. Following earlier comments, the coalition has now called on the Australian Parliament to narrow the law. EPIC has long advocated for strong encryption, led the campaign against the Clipper Chip, and published the first global survey on Cryptography and Liberty. And when the FBI sued Apple in 2016 for refusing to allow law enforcement access to iPhones, EPIC filed an amicus brief in support of Apple arguing the FBI's demand "places at risk millions of cell phone users across the United States." (Feb. 25, 2019)

  • The European Court of Human Rights has accepted EPIC's request to intervene in a case concerning the legal standards for government remote hacking. Privacy International v. United Kingdom asks whether remote hacking or the use of malware by UK intelligence services violates the European Convention on Human Rights. Privacy International alleged that the hacking violates Articles 8 and 10 of the Convention, which protect right to privacy and the right to freedom of expression. EPIC previously filed a brief with the Court of Human Rights in Big Brother Watch v. UK, which found UK mass surveillance violated fundamental rights to privacy and freedom of expression. EPIC also participated as amici in Apple v. FBI, concerning a court order that would have required Apple to assist the FBI hack a seized iPhone. (Feb. 25, 2019)

  • A federal court in Washington, D.C. has ruled that EPIC's open government case against the FAA's Drone Advisory Committee can go forward. EPIC filed suit last year against the Committee, which has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. The government asked the court to dismiss EPIC's suit, but the court was "unconvinced by Defendants' arguments" and indicated that the government must "provide the full list of [Committee] records" to EPIC. However, the Court ruled that the Committee did not need to release the records of its secretive subcommittees. EPIC intends to challenge that part of the court's decision. The case is EPIC v. Drone Advisory Committee, No. 18-833 (D.D.C.). (Feb. 25, 2019)

  • EPIC has submitted an open records and meetings request concerning the National Security Commission on Artificial Intelligence. Congress established the AI Commission in August "to review advances in artificial intelligence" and ordered the Commission to publish a report by February 9. Yet no information has been disclosed about the Commission's plans, operations, or findings to date. The Commission includes executives from Google, Amazon, Microsoft, and Oracle and several former Department of Defense officials. Last year, EPIC—joined by nearly 100 experts and leading scientific organizations including AAAS, ACM, FAS, and IEEE—successfully petitioned the White House Select Committee on Artificial Intelligence to incorporate public input in the committee's work. EPIC has also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC previously urged lawmakers to appoint AI Commission members who support the Universal Guidelines. (Feb. 22, 2019)

  • In response to EPIC's Freedom of Information Act lawsuit, the National Archives has just released thousands of records about Justice Kavanaugh work in the White House Counsel's office after 9-11. The records include e-mails from 2002-2003, briefings, meeting memos, and correspondence, and office files about anti-terrorism legislation and access to presidential records. Emails previously released to EPIC revealed that Kavanaugh and John Yoo, architect of the warrantless surveillance program overturned by the US Congress, exchanged messages about the development of domestic surveillance programs. During the Supreme Court nomination hearing, EPIC warned the Senate that the nominee has shown little regard for the Constitutional privacy rights of Americans as a top White House legal advisor and then as a federal appellate judge. (Feb. 22, 2019)

  • A coalition of consumer groups sent a complaint to the FTC, charging that Facebook engaged in unfair and deceptive practices and violated the Children's Online Privacy Protection Act after court documents from a 2012 class action lawsuit revealed that Facebook encouraged children to make credit card purchases on Facebook's platform. Parents and minors repeatedly complained about the credit card charges, but the documents indicate that the company refused to refund charges and set up a complex complaint system to deter refund requests. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 21, 2019)

  • The Federal Aviation Administration has published an interim final rule that will require a visible registration number on the exterior of drones. Previously, registration numbers could be hidden inside drones. EPIC supported improved drone identification, but has urged the FAA to go much further. In extensive comments to the FAA, EPIC wrote that drones should broadcast location, course, and operator identification, much like the Automated Identification Systems for planes and boats. EPIC also sued the FAA to force the agency to establish national rules to limit drone surveillance. EPIC is currently pursuing records about a key FAA task force, trying to understand why the agency has not promoted better privacy safeguards in the US. Comments on the FAA rule on "External Marking Requirement for Small Unmanned Aircraft" are due March 15, 2019 (Docket: FAA-2018-1084). EPIC recommends that commentators ask the FAA to establish stronger requirements for remote identification of drones. (Feb. 21, 2019)

  • EPIC has asked the D.C. Circuit Court of Appeals to hold oral argument by April in EPIC v. Commerce, EPIC's expedited appeal to block the Census Bureau from collecting citizenship information in the 2020 Census. EPIC alleges that the Bureau failed to complete privacy impact assessments required by the E-Government Act before adding the question. A lower court denied EPIC's motion for a preliminary injunction, agreeing that the Bureau is required to conduct the detailed assessments, but oddly concluding that it is not required to do so "until the Bureau mails its first batch of Census questionnaires to the public"—a view entirely at odds with the relevant law. A federal court in New York recently blocked the citizenship question in a different case, but the Supreme Court will now review that decision. EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's appeal is captioned EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Feb. 21, 2019)

  • Following reports that Google installed secret listening devices in the homes security product Nest, EPIC asked the Federal Trade Commission to require Google to spin-off Nest and to disgorge the data obtained from Nest users. It is a federal crime to intercept private communications or to plant a listening device in a private residence. In 2014, EPIC filed a complaint with the Commission regarding a related merger review and noted specifically that the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest." EPIC also said at the time that the "early termination" approval of the Google/Nest merger was surprising given the Commission's extensive consideration of the Google acquisition of Doubleclick. Both the Senate Commerce Committee and the House Energy and Commerce Committee have expressed interest in merger review in the tech industry. (Feb. 20, 2019)

  • The UK House of Commons published the report "Disinformation and 'fake news'" following an eighteen-month investigation of Facebook. The report found that if Facebook had fully complied with the FTC settlement, Cambridge Analytica would not have happened. The UK report stated "It seems clear that Facebook was, at the very least, in violation of its Federal Trade Commission settlement." The FTC announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. (Feb. 20, 2019)

  • The Supreme Court has agreed to hear the government's appeal of New York v. Department of Commerce, in which a New York federal judge blocked the government from asking a citizenship question on the 2020 Census. EPIC filed an amicus brief in the case. EPIC has also sued to block the citizenship question in EPIC v. Commerce. EPIC alleges that the Bureau failed to complete privacy impact assessments before adding the question. A lower court held that the Bureau must "prepare PIAs that adequately address the collection of citizenship data in the 2020 Census," but denied a preliminary injunction. EPIC has appealed the decision. (Feb. 15, 2019)

  • EPIC has filed an amicus brief urging the Supreme Court to safeguard FCC rules that protect the public from robocalls and junk faxes. The case, PDR Network v. Carlton & Harris Chiropractic, concerns a company's efforts to disregard an FCC rule about junk faxes. EPIC explained that permitting companies to avoid FCC rules "will exclude the voices of consumers" in agency decision making. EPIC also explained that the company's efforts to sidestep agency rules will benefit those "who have resources to attack FCC rules." EPIC contributed to the development of the robocall and junk fax laws. EPIC has since worked to ensure that telephone users are protected from invasive practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications. (Feb. 14, 2019)

  • EPIC has submitted comments the UN Special Rapporteur on Freedom of Expression for a report on the surveillance industry. The Special Rapporteur is soliciting information for a report to UN General Assembly on how surveillance technology is regulated and used around the world. EPIC's submission details a recent U.S. proposal to limit exports of surveillance technology, new limits on access to surveillance tech in the United States, and key EPIC Freedom of Information Act cases to uncover details of ICE's procurement of mobile forensics and analytics technology. EPIC pursues an extensive FOIA docket. (Feb. 14, 2019)

  • In comments to the City of New York, EPIC identified current privacy risks to New Yorkers, new challenges from the development of "smart cities" services, and also described how other cities are tackling privacy issues. The NYC Mayor's Office of Information Privacy sought input from the public on policies to best serve the privacy interests of New Yorkers. EPIC recommended that the city minimize collection of personally identifiable data, promote the use of statistical data, upgrade cyber security, and provide increased opportunity for public participation in the development of new Internet-based services. EPIC also encouraged NYC to adopt the Universal Guidelines for Artificial Intelligence when implementing AI technology. (Feb. 14, 2019)

  • EPIC joined 43 civil society organizations in a letter to Congress calling on legislators to protect civil rights, equity, and equal opportunity in the digital ecosystem. The organizations wrote that any privacy legislation must be consistent with the Civil Rights Principles for the Era of Big Data, which include: stop high-tech profiling, ensure fairness in automated decisions, preserve constitutional principles, enhance individual control of personal information, and protect people from inaccurate data. The groups said: "Platforms and other online services should not be permitted to use consumer data to discriminate against protected classes or deny them opportunities in commerce, housing, and employment, or full participation in our democracy." EPIC supports "algorithmic transparency", the public's right to know the data processes that impact their lives so they can contest decisions made by algorithms. (Feb. 13, 2019)

  • In advance of a hearing on consumer privacy, the House Energy & Commerce Committee released a GAO report calling for federal legislation to "enhance consumer protections." The announcement follows the scheduling of a Senate Commerce hearing the same week. The report highlighted the Fair Information Practices (FIPs) as a framework for federal privacy law, an approach long supported by EPIC. The GAO report further noted that the FTC has failed to use its existing authorities to regulate privacy. EPIC has advocated for the establishment of a federal data protection agency to ensure strong consumer privacy rights. (Feb. 13, 2019)

  • A recent report by the Center for State Enforcement of Antitrust and Consumer Protection Laws highlighted major privacy actions by state attorneys general, including New York's lawsuit against Apple for the FaceTime bug and California's settlement with Aetna for sending letters that revealed, through an oversized clear window, that the recipient was taking HIV-related medication. Several Attorneys General, including the DC attorney general, have sued Facebook over the Cambridge Analytica scandal. EPIC opposes federal preemption of state law, has defended the enforcement powers of state attorneys general, and established the EPIC State Policy Project to highlight model state privacy law. (Feb. 12, 2019)

  • EPIC has filed an expedited appeal in EPIC v. Commerce to block the Census Bureau from collecting citizenship information in the 2020 Census. EPIC alleged that the Bureau failed to complete privacy impact assessments before adding the citizenship question. A lower court held that the Bureau must "prepare PIAs that adequately address the collection of citizenship data in the 2020 Census" and the Bureau conceded it would complete the assessments by March. But the lower court denied EPIC's motion for a preliminary injunction, concluding that the Census Bureau is not required to conduct a privacy assessment "until the Bureau mails its first batch of Census questionnaires to the public," a view entirely at odds with the E-Government Act. EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's case in the lower court is captioned EPIC v. Commerce, No. 18-2711 (D.D.C.). (Feb. 12, 2019)

  • President Trump today signed an executive order on Artificial Intelligence that leaves many questions unanswered. EPIC has urged both the White House and Congress to ensure public input on AI policy. EPIC has also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation to reduce bias in decision-making algorithms, ensure digital globalization is inclusive, create human-centered evidence-based policy, promote safety in AI deployment in national security uses, and rebuild trust in institutions. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. (Feb. 11, 2019)

  • A federal court has denied EPIC’s motion for a preliminary injunction and refused to block the Census Bureau from collecting citizenship information via the 2020 Census. As EPIC told the court, the Bureau unlawfully failed to complete multiple privacy impact assessments before it abruptly introduced the citizenship question last year. The court acknowledged that the Bureau must “prepare PIAs that adequately address the collection of citizenship data in the 2020 Census” and noted that “negative policy consequences” could result “if an agency drags its feet in performing its PIA obligations.” Nevertheless, the court held that the Bureau may drag its feet in conducting the required assessments “until the Bureau mails its first batch of Census questionnaires to the public” in 2020. EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC intends to press forward with the census case, which is captioned EPIC v. Commerce, No. 18-2711 (D.D.C.). (Feb. 8, 2019)

  • In a statement to the House Judiciary Committee, EPIC urged the panel to ensure that the Justice Department update surveillance safeguards and prioritize transparency. EPIC recommended that the Department of Justice work with Congress after the Supreme Court's decision in Carpenter, improve reporting on surveillance orders, and protect consumers in cases before the Supreme Court. EPIC's comments follow nomination hearings in the Senate for the Attorney General. The nominee was pressed on his views on bulk surveillance and law enforcement access to records held by third parties. (Feb. 8, 2019)

  • In advance of a Privacy and Civil Liberties Oversight Board forum on "Countering Terrorism while Protecting Privacy and Civil Liberties: Where do We Stand in 2019," EPIC sent a statement to the Board outlining priorities. EPIC said the Civil Liberties Board should (1) release the report on Executive Order 12333; (2) limit government use of facial recognition; (3) establish safeguard for government AI use; (4) monitor proposals for "smart" borders and assess privacy impacts on US residents; and (5) reform Section 702 surveillance authority. The independent agency reviews federal agency programs to ensure protections for privacy and civil liberties. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out initial priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award. (Feb. 7, 2019)

  • In a statement to the House Judiciary Committee, EPIC urged the panel to ensure that the Justice Department updates surveillance procedure after the Supreme Court's decision in Carpenter. EPIC also said the agency should improve reporting on surveillance orders and protect consumers in cases before the Supreme Court. EPIC's comments follow hearings in the Senate for the Attorney General. Senator Leahy pressed the nominee on bulk surveillance and law enforcement access to records held by third parties after the Supreme Court held that such records are protected by the Fourth Amendment. (Feb. 7, 2019)

  • Germany's competition agency has imposed restrictions on Facebook's practice of combining user data from across its platforms, such as WhatsApp and Instagram, and prohibited the company from linking third-party data to specific Facebook user accounts. The agency President said, "Today data are a decisive factor in competition. In the case of Facebook they are the essential factor for establishing the company's dominant position." EPIC has long warned that data consolidation poses a significant threat to competition and innovation. EPIC opposed Facebook's 2014 acquisition of WhatsApp, warning that Facebook would use WhatsApp data on other platforms. In recent comments to the FTC, EPIC told the Commission that Facebook achieved its "dominance through unrivaled access to consumer data." And as early as 2008, EPIC warned that "dominant Internet firms are moving to consolidate their control over the Internet." EPIC continues to oppose platform consolidation, and recently filed an amicus brief, challenging Facebook's web tracking practices. (Feb. 7, 2019)

  • EPIC has filed a reply brief in EPIC v. Commerce urging a federal court to block the Census Bureau from adding a citizenship question to the 2020 Census. EPIC alleges that the Census Bureau failed to complete privacy impact assessments, required by law, before it abruptly added the citizenship question last year. Secretary Ross has already suggested that the census data would be used for law enforcement purposes. "Congress expected that the Bureau would conduct a comprehensive privacy review early in the process, not as the census forms were heading to the printer or delivered to the post office," EPIC told the court. A federal court in New York recently blocked the citizenship question, but the Census Bureau has appealed that decision. EPIC filed an amicus brief in the New York case and has long advocated for robust protections for census data. EPIC has also filed numerous successful lawsuits to require privacy impact assessments, including EPIC's lawsuit that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. (Feb. 6, 2019)

  • The European Court of Human Rights Grand Chamber has agreed to review Big Brother Watch v. UK, a case concerning UK surveillance power revealed by Edward Snowden. Last year the Court ruled that the communications surveillance regime narrowly violated human rights, and stopped short of ruling that bulk surveillance violated fundamental rights. The Grand Chamber, a larger panel of judges, has now agreed to hear the case again. The Chamber only agrees to review cases raising important human rights issues. The groups that brought the case requested referral and urged the Court to rule mass surveillance incompatible with human rights. EPIC filed a brief in the original case explaining that the US, which transfers intelligence data to the UK, has "technological capacities" enabling "wide scale surveillance" and that US law do not restrict surveillance of non-U.S. persons abroad. In an article, EPIC called the initial ruling against UK surveillance "narrow" but "important." (Feb. 5, 2019)

  • In advance of a hearing about the Privacy and Civil Liberties Oversight Board, EPIC sent a statement to the Senate Judiciary Committee outlining priorities. EPIC said the Civil Liberties Board should (1) release the report on Executive Order 12333; (2) review the use of facial recognition technology and propose safeguards; (3) review the use of artificial intelligence and propose safeguards; and (4) monitor proposals for "smart" borders and assess privacy impacts on US residents. The independent agency reviews federal agency programs to ensure adequate safeguards for privacy and civil liberties. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out initial priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award. (Feb. 5, 2019)

  • In a hearing last week, the chiefs of the U.S. intelligence agencies told Senators that foreign adversaries will "increasingly use cyber capabilities" to "seek political, economic, and military advantage." The intelligence leaders further stated that foreign powers are "already looking to the 2020 election" in order to advance their interests, and that those powers will "almost certainly" target online operations to weaken democratic institutions. After the 2016 election, EPIC launched a project on Democracy and Cybersecurity to safeguard democratic institutions. EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC has said, "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks." (Feb. 4, 2019)

  • EPIC will file a lawsuit today to compel a federal agency to release audits so as to determine whether the searches of electronic devices are lawful. The Border Search Directive sets out when and how Customs and Border Patrol officials may inspect cellphones, tablets, and laptop computers of travelers crossing the US border. The Directive requires the agency to develop an auditing mechanism to ensure lawful searches, yet the agency has not published the auditing requirements or the results of the audits. So, EPIC has sed for the release of the procedures. The American Bar Association recently adopted a new policy that urges Congress, the courts, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy rights of travelers. EPIC filed a related lawsuit against Immigration and Customs Enforcement for information about the warrantless searches of cell phones. (Feb. 1, 2019)

  • EPIC joined a letter with fourteen other public interest groups to Mark Zuckerberg, calling on the Facebook CEO to shut down Facebook Messenger Kids, and cease all child-targeted business operations. This coalition effort, led by Campaign for a Commercial-Free Childhood, follows reporting that Facebook made millions of dollars by intentionally duping kids into making accidental purchases while playing games. Last year, the groups called on the company to shut down Facebook Messenger Kids based on research linking adolescent social media use with depression, poor sleep habits, and unhealthy body image. Senators Markey (D-MA) and Blumenthal (D-CT) also wrote a letter to Zuckerberg requesting answers on children's use of Facebook. EPIC, civil rights, and open market groups recently urged the FTC to act on numerous violations of the 2011 Consent Order. (Jan. 30, 2019)

  • EPIC presented the 2019 International Privacy Champion Awards to Giovanni Buttarelli, European Data Protection Supervisor, and Joe McNamee, long time Executive Director of the European Digital Rights Initiative. The ceremony took place at the annual conference on Computers, Privacy, and Data Protection in Brussels, Belgium. EPIC Advisory Board members Max Schrems and Shoshana Zuboff presented the awards. The 2019 EPIC Champion of Freedom Awards will be held at the National Press Club in Washington, DC on June 5, 2019. [Press Release] (Jan. 30, 2019)

  • Leaders of the American Bar Association completed their midyear meeting yesterday and tackled a range of policy issues, including privacy at the border. The ABA adopted a new policy that "Urges the federal judiciary, Congress, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy interests of those crossing the border by imposing standards for searches and seizures of electronic devices, protection of attorney-client privilege, the work product doctrine, and lawyer-client confidentiality." The resolution was introduced by the ABA Section of Civil Rights and Social Justice and the Criminal Justice Section. EPIC Senior Counsel Alan Butler is the Chair of the ABA Civil Rights and Social Justice Section's Committee on Privacy and Information Protection. EPIC has previously submitted "friend of the court" briefs advocating for Fourth Amendment protection of cell phone data in Riley v. California and Carpenter v. United States. (Jan. 29, 2019)

  • According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on International Privacy Day, the Commissioners said "Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work." The European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding. (Jan. 28, 2019)

  • A new edition of GDPR Today is available now. The online hub of the latest developments in data protection, launched by EDRi, a powerful association of European NGOs, is designed to implement the EU General Data Protection Regulation. The latest issue details the EU-Japan agreement on international transfers of personal data, NGO complaints that tech companies violated individuals' right to access their data, and recent criticism of U.S. compliance with the EU-U.S. Privacy Shield. EPIC has encouraged U.S. companies to offer GDPR protections to all consumers. The 2018 Privacy Law Sourcebook also includes the full text of the GDPR. (Jan. 28, 2019)

  • The New York Times has reported that Facebook is planning to integrate WhatsApp, Facebook Messenger, and Instagram. Earlier this week, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. In 2014, EPIC and the Center for Digital Democracy warned the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Last week, Senators Markey and Blumenthal expressed concern over the impact of the government shutdown on the FTC's investigation into Facebook. Next week, the House Commerce Committee will hold a hearing on the government shutdown's impact on the FTC's Facebook investigation. (Jan. 25, 2019)

  • A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance. (Jan. 25, 2019)

  • The Illinois Supreme Court ruled today in Rosenbach v. Six Flags, a case about a state privacy law that protects biometric data. Parents sued the theme park after it collected a child's fingerprints, charging a violation of the Illinois biometric privacy law. The theme park claimed that it was necessary to show some additional harm, but the Illinois Court held that when companies violate the law, "the injury is real and significant." EPIC filed a "friend of the court" brief in the case, arguing that the biometric privacy law "imposes clear responsibilities on companies that collect biometric identifiers" and that if these provisions are "not enforced, the statute's subsequent provisions are of little consequence." EPIC has long advocated for strict limits on use of biometric data. EPIC also filed an amicus brief the OPM data breach, a case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case. (Jan. 25, 2019)

  • The conference on Computers, Privacy, and Data Protection begins next week in Brussels. The theme of CPDP2019 is "Data Protection and Democracy." Several members of the EPIC Advisory Board will be speaking, including Julie Cohen, Jennifer Daskal, Kristina Irion, Malavika Jayaram, Max Schrems, and Shoshana Zuboff. EPIC will be promoting new books by several members, including Simon Davies, Roger McNamee, and Shoshana Zuboff. EPIC will also present the International Privacy Awards on Wednesday, January 30. (Jan. 25, 2019)

  • This week, The Public Voice urged participants at Davos to adopt the Universal Guidelines for AI to protect human rights, and to ensure access, inclusion, and equity for global citizens. Leaders of the World Economic Forum launched the 2019 Davos conference this week, with several events on privacy and AI to develop technology policies that are "underpinned by the necessary ethical principles and values-based framework." In opening remarks, Klaus Schwab said the 4th Industrial Revolution demands human-centered, inclusive, and sustainable solutions. @ThePublicVoice urged adoption of the UGAI principles to reduce bias in decision-making algorithms, ensure digital globalization is inclusive, create human-centered evidence-based policy, promote safety in AI deployment in national security uses, and rebuild trust in institutions. (Jan. 25, 2019)

  • According to a Census Bureau report, 99 percent of commenters who gave feedback on the 2020 Census are opposed to the planned addition of the citizenship question. The Bureau received more than 136,000 comments against the collection of citizenship data, many of which were signed by multiple individuals and organizations. EPIC filed comments opposing the citizenship question, arguing that it will interfere with the census's constitutional purpose and undermine the integrity of the census. EPIC is currently seeking a preliminary injunction to block the collection of citizenship data because the Bureau failed to complete privacy impact assessments required by law. The Court has scheduled a hearing for Feb. 8. EPIC's case is EPIC v. Commerce, No. 18-2711 (D.D.C.). (Jan. 24, 2019)

  • EPIC joined a coalition of groups urging the FTC to issue strong penalties in Facebook matter. "Given that Facebook’s violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company’s business model, and given the company’s massive size and influence over American consumers, penalties and remedies that go far beyond the Commission’s recent actions are called for,” the letter stated. The groups said the FTC should 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. (Jan. 23, 2019)

  • The Ninth Circuit has ruled that the police violated the Fourth Amendment when they asked a passenger to provide identification. The Court found that "a demand for a passenger's identification is not part of the mission of a traffic stop." As the court explained, "The identity of a passenger...will ordinarily have no relation to a driver's safe operation of a vehicle." EPIC filed a "friend of the court" brief in a similar case before the Supreme Court in 2004. In Hiibel v. Sixth Judicial District, the Supreme Court narrowly upheld a state identification law for the driver of a vehicle. EPIC argued in Hiibel that "A name is now no longer a simple identifier: it is the key to a vast, cross-referenced system of public and private databases, which lay bare the most intimate features of an individual's life." EPIC also filed amicus brief in Watchtower Bible v. Stratton, concerning the right of anonymity. In that case the Supreme Court ruled that an ordinance requiring door-to-door petitioners to obtain a permit and identify themselves violated the First Amendment. (Jan. 22, 2019)

  • EPIC is seeking a preliminary injunction to block the Census Bureau from adding a question about citizenship to the 2020 Census. EPIC alleges that the Census Bureau failed to complete privacy impact assessments, required by law, before it abruptly added the question to the census last year. EPIC explained that the "extraordinary reach of the Bureau into the private lives of Americans brings with it extraordinary risks to privacy." A federal court in New York recently blocked the citizenship question, but the Census Bureau has appealed that decision. EPIC filed an amicus brief in the New York case and has long advocated for robust protections for census data. EPIC has also filed numerous successful lawsuits to require privacy impact assessments, including EPIC's lawsuit that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. (Jan. 18, 2019)

  • In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009. (Jan. 18, 2019)

  • EPIC joined 16 organizations in support of a “A Framework for Privacy Protection in the United States." The consumer groups outlined a new approach to privacy protection: (1) enact baseline federal legislation; (2) enforce fair information practices; (3) establish a data protection agency; (4) ensure robust enforcement; (5) establish algorithmic governance; (6) prohibit “take it or leave it” terms; (7) promote privacy innovation; and (8) limit government access to personal data. The consumer framework states that the Federal Trade Commission has failed to enforce the orders it has established. "The US needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.” [Press Release] (Jan. 17, 2019)

  • During the nomination hearing for the next Attorney General, Senator Leahy asked Mr. Barr whether the Supreme Court's recent decision in the Carpenter case affected his views on privacy. "You had said that a person has no Fourth Amendment right to these records left in the hands of third parties—the third-party doctrine—which seems to be undercut by Carpenter," observed Senator Leahy. Barr responded, somewhat surprisingly, that he had "not read that decision" but "it may modify [his] views." Senator Leahy said he would expect an answer from the nominee to a written question. EPIC filed an amicus brief in Carpenter. The Supreme Court ruled that the Fourth Amendment protects location records stored by telephone companies. (Jan. 15, 2019)

  • A federal judge has ruled that the Secretary of Commerce's decision to add the citizenship question to 2020 Census was unlawful. EPIC filed an amicus brief in the case, arguing that "history has shown that personal data, collected by the government through the census, can threaten individual rights." EPIC has also sued the Department of Commerce (EPIC v. Commerce) because the agency failed to complete a Privacy Impact Assessment prior to collecting citizenship data. A 2004 EPIC FOIA lawsuit revealed that the Census Bureau provided DHS with data on Arab Americans after 9-11, leading the Census Bureau to revise its "sensitive data" policy for transfers to law enforcement and intelligence agencies. (Jan. 15, 2019)

  • This week the Senate Judiciary Committee will begin hearings on the nomination of William Barr for Attorney General. In a statement to the Committee, EPIC warned that "Mr. Barr has consistently supported warrantless surveillance of the American people." EPIC pointed to Barr's previous Congressional testimony where he stated that FISA is "too restrictive" and that Americans have no Fourth Amendment right in records held by third parties. EPIC recommended that the Department of Justice work with Congress to update federal wiretap laws after the Supreme Court's decision in Carpenter, improve reporting on surveillance orders, and protect consumers in cases before the Supreme Court. (Jan. 14, 2019)

  • A key House panel requested an emergency briefing from the Federal Communications Commission to determine why the agency has not prevented wireless carriers from selling consumers' location data. The request followed reports that wireless providers sell location data to third parties, despite pledging to not do so after investigations last year. In 2007, EPIC urged the FCC to establish privacy safeguards for location data. And in 2010 EPIC wrote to the House Commerce Committee that "Locational privacy concerns are substantial and growing more severe." EPIC also filed a friend of the court brief in 2017 in the landmark location privacy case, Carpenter v. United States. A recent article by EPIC President Marc Rotenberg, for the American Constitution Society, sets out recommendations for Congress after the Carpenter decision. (Jan. 14, 2019)

  • EPIC is requesting to intervene in a case before the European Court of Human Rights testing the human rights standards for government hacking of computers and other devices. Brought by international NGO Privacy International, Privacy International v. United Kingdom asks whether remote hacking of devices and the use of malware by UK intelligence services violate the European Convention on Human Rights. EPIC seeks to present information to the Court on the unique privacy risks of government hacking. EPIC previously filed a brief with the Court of Human Rights in Big Brother Watch v. UK, which found UK mass surveillance violated fundamental rights to privacy and freedom of expression. EPIC also participated as amici in Apple v. FBI, concerning a court order that would have required Apple to assist the FBI hack a seized iPhone. (Jan. 11, 2019)

  • The Supreme Court agreed today to hear two cases of interest to privacy and open government advocates. One case concerns the withholding of "confidential" information requested under the Freedom of Information Act. EPIC recently sued the Federal Trade Commission for information about Facebook's privacy practices, but the FTC has claimed the records are confidential and therefore should not be released. The second case, Mitchell v. Wisconsin, concerns a state law that permits law enforcement officers to draw blood from unconscious motorists without a warrant. EPIC routinely participates as amicus in Supreme Court cases concerning open government and privacy issues. Both cases are expected to be decided by the end of the Court's term in June. (Jan. 11, 2019)

  • The opinion of a key adviser to the Europe's top court finds that that the "right to be forgotten" need not be applied worldwide. Google v. Commission nationale de l'informatique et des liberté follows a ruling in Google v. Spain that Europeans have a right, in some circumstances, to remove links to their personal data posted online by Google. The advocate general said that while Europeans are entitled to have private information delisted in the EU, search engines do not have to remove links from view in foreign domains even though they make the personal data available in those domains for commercial benefit. EPIC has supported the CNIL's approach instead, contending "the right to privacy is global." The European Court of Justice will now decide whether to adopt the opinion from the Advocate General. EPIC published "The Right to be Forgotten on the Internet: Google v. Spain" an account of the case by former Spanish Privacy Commissioner and EPIC Champion of Freedom Professor Artemi Rallo. (Jan. 11, 2019)

  • As part of a routine review, EPIC asked the United Nations Human Rights Committee to question the US about the failure to protect individuals against privacy violations by private industry. This year the Committee will review US compliance with human rights obligations under the International Covenant on Civil and Political Rights. EPIC explained that countries "have a duty to protect individuals against human rights violations by non-state actors," and pointed to Article 17 in the international agreement. "Despite record-breaking data breaches, identity theft, and extensive corporate surveillance, the U.S still lacks both comprehensive privacy legislation and a data protection authority," EPIC concluded. The EPIC 2018 Privacy Law Sourcebook provides a comprehensive overview of privacy laws in the US and around the world. (Jan. 10, 2019)

  • Newly released emails from the Bush Whitehouse reveal that Brett Kavanaugh and John Yoo, architect of the warrantless surveillance program, exchanges several messages about warrantless surveillance programs in the fall of 2001. The release follows EPIC's FOIA lawsuit for Justice Kavanaugh's records from when his nomination was before the United States Senate. The new records show that there were multiple emails about the warrantless surveillance program that was eventually overturned by the US Congress. The emails also reference a signing statement—likely for the 2001 authorization of military force — and a discussion thread "FISA [Foreign Intelligence Surveillance Act] letter." The agency previously identified several hundred e-mails about surveillance programs that Kavanaugh authored. But the text of many emails was withheld in full, leaving open questions about Kavanaugh's role in the post-9/11 surveillance programs. (Jan. 10, 2019)

  • A federal appeals court heard oral arguments in a case about whether a dating app is liable for failing to remove a false profile that enabled abusive conduct. EPIC filed an amicus brief in Herrick v. Grindr, arguing that the relevant law was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if internet services are not accountable for harassment and abuse. EPIC routinely files friend of the court briefs in cases concerning emerging privacy and civil liberties issues. (Jan. 9, 2019)

  • The European Commission's Expert Group on Artificial Intelligence has requested comments on draft Guidelines for Trustworthy AI. The EU Guidelines state, "Trustworthy AI has two components: (1) it should respect fundamental rights, applicable regulation and core principles and values, ensuring an 'ethical purpose' and (2) it should be technically robust and reliable since, even with good intentions, a lack of technological mastery can cause unintentional harm." The EU Guidelines reflect several principles from the Universal Guidelines for Artificial Intelligence, which have been endorsed by more than 250 experts and 60 organizations in 40 countries. The Universal Guidelines promote transparency, accuracy, and fairness for AI systems. Comments to the European Commission are due January 18, 2019. The final report will be released in March 2019. (Jan. 9, 2019)

  • In comments to the FTC, EPIC recommended free credit monitoring for all consumers. The agency will require free credit monitoring for all active service members, following legislation enacted last year. EPIC said the FTC should urge Congress to extend free credit monitoring services. The statute includes several pro-consumer measures that EPIC favored: it (1) requires consumer reporting agencies to provide a consumer with free "credit freezes" that limit third party access to personal data, (2) establishes clear provisions for these freezes, and (3) creates new protections for the credit records of minors. In testimony before the Senate and House following the Equifax data breach, EPIC recommended credit freezes and free credit monitoring services. (Jan. 9, 2019)

  • In comments to the Federal Aviation Administration, EPIC praised the agency for inviting public input on technology that exposes aircraft control networks to remote hacking. EPIC previously warned the FAA that, "hackers can exploit weaknesses in drone software to gain control of a drone's movement and other features." EPIC has also called attention to the potential for connected cars and Internet of Things devices to be hacked. EPIC recommended that the FAA routinely report on the growing risks of cyber attack. (Jan. 8, 2019)

  • The National Archives has released thousands of emails Justice Kavanaugh sent between January 2001 and July 2003 while working in the White House Counsel's office. The release includes hundreds of emails concerning controversial White House surveillance programs the Archives previously identified in response to EPIC's lawsuit. In October, the National Archives revealed that Kavanaugh sent 11 e-mails to John Yoo, the architect of warrantless wiretapping; 227 e-mails about "surveillance" programs and the "Patriot Act;" and 119 e-mails concerning "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), and the Privacy Act. Subsequent searches revealed thousands more emails sent to Kavanaugh about mass surveillance programs. (Jan. 7, 2019)

  • The Supreme Court has let stand an adverse lower court ruling in EPIC's case about state voter data. EPIC filed suit against the Presidential Election Commission in 2017 to halt the collection of state voter data. As a result of EPIC's case, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted the state voter data it wrongly acquired. And the Commission was terminated last year. However, a lower court ruled that EPIC, at the time it brought the case, was limited in its ability to pursue certain claims. EPIC asked the Supreme Court to review that decision and the fact the demise of the Commission made it impossible for EPIC to challenge the ruling. But the Court left the ruling unchanged. EPIC's case in the Supreme Court is EPIC v. Commission, No. 18-267. (Jan. 7, 2019)

  • Despite comments from EPIC and others, Customs and Border Protection will collect social media information from Americans and place that data outside legal protections provided by the Privacy Act. EPIC proposed opposed the collection of personal data and said that CBP should narrow the Privacy Act exemptions. The agency responded briefly to public comments, failing to defend the agency's decision. In a related FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. (Jan. 3, 2019)

  • A federal court has blocked a New York City law requiring home-sharing platforms to disclose detailed personal information about users, ruling that the ordinance violates the Fourth Amendment. The law would have required companies such as Airbnb to disclose the names, contact information, financial data, and rental histories of hosts, even when no unlawful conduct was suspected. "An attempt by a municipality in an era before electronic data storage to compel an entire industry monthly to copy and produce its records as to all local customers would have been unthinkable under the Fourth Amendment," the court wrote. The court followed a Supreme Court case Los Angeles v. Patel, which prohibited the warrantless searches of hotel records. EPIC filed an amicus brief in Patel. The federal court also cited Carpenter v. United States, Byrd v. United States, Riley v. California, and United States v. Jones, Supreme Court cases in which EPIC also filed amicus briefs. The decision in Airbnb v. New York also has implications for the data collection practices of so-called Smart Cities. (Jan. 3, 2019)

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security