September 2014 Archives

September 2, 2014

Federal Judge - Google Privacy Settlement "Fails Smell Test"

A federal judge reviewing a proposed class action settlement in a case concerning Google's disclosure of user data to third parties has said "it doesn't pass the smell test." A coalition of consumer privacy organizations, including EPIC, urged the judge to reject the settlement because it required no substantial change in Google's business practices and provided no benefit to class members. The consumer privacy organizations wrote to the judge when the settlement was first proposed and again last week, before the final fairness hearing. The groups cited the skepticism expressed by Supreme Court Chief Justice John Roberts about a similar privacy settlement. The consumer privacy groups also alerted the FTC Class Action Fairness Project and the California Attorney General about the pending settlement. For more information, see EPIC: Search Engine Privacy.

September 13, 2014

Privacy and Security 4

Julia Horwitz,
EPIC Consumer Protection Counsel

TPRC 42nd Research Conference on Communication, Information and Internet Policy
Arlington, VA
September 13, 2014

September 2, 2014

EU Launches Investigation Into Facebook Acquisition of WhatsApp

Antitrust officials in the European Union have begun an investigation into Facebook's acquisition of the messaging service WhatsApp. WhatsApp gained popularity based on its pro-privacy approach to user data. Following the announcement of Facebook's plan to acquire the company, EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to users but questions remain about future business practices. Now European antitrust regulators have served Facebook with a questionnaire of more than 70 pages to determine whether the merger violates European antitrust laws. For more information, see EPIC: In re WhatsApp, and EPIC: FTC.

September 4, 2014

Home Depot Data Breach Exposes Millions of Credit Card Records

A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft.

Federal Communications Commission Fines Verizon $7.4 Million for Violating Consumer Privacy

Verizon will pay the Federal Communications Commission $7.4 million to settle claims that the company violated the privacy rights of nearly two million consumers. The FCC found that Verizon failed to inform consumers of their privacy rights, including how to prevent their personal information from being used for marketing purposes. The Verizon payment is the largest consumer privacy settlement in FCC history. In 2013, EPIC urged the FCC to investigate Verizon's disclosure of customer record information to the NSA. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: Customer Proprietary Network Information, EPIC: NCTA v. FCC (Concerning privacy of CPNI), EPIC: US West v. FCC (Privacy of Telephone Records), and In re EPIC (NSA Telephone Records Surveillance).

September 5, 2014

Federal Trade Commission Orders Google to Refund Parents $19 Million for Unauthorized Charges

The Federal Trade Commission has reached a settlement with Google over allegations that the company unfairly charged parents millions of dollars for their children's in-app purchases. The settlement mandates that Google provide full refunds for unauthorized purchases. The FTC agreement will be subject to public comments. Comments are due October 6, 2014. The Commission has previously settled charges with Apple and sued Amazon for charging parents for their kids' unauthorized in-app purchases. Previously, EPIC has urged the FTC to require companies subject to privacy consent orders to adhere to the Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Search Engine Privacy.

September 8, 2014

UPDATE-Army Backs Off Plan for DC Surveillance Blimp

According to the Washington Post, the Department of the Army will not deploy video surveillance cameras over the nation's capital. The announcement follows the release of documents to EPIC in a Freedom of Information Act lawsuit. The blimps provide radar-based aerial surveillance and targeting capabilities. A recent video by the contractor Raytheon revealed that a 24/7 video surveillance feed is easily incorporated. An Army spokesperson told the Post that the blimps will "absolutely, 100 percent" not include video capacity. A similar EPIC FOIA case against the Bureau of Customs and Border Protection revealed that drones are designed to incorporate advanced video surveillance gear even when not initially deployed. For more information, see EPIC: EPIC v. Army - Surveillance Blimps, EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones, and EPIC: Freedom of Information Act Litigation.

EPIC (Finally) Obtains Memos on Warrantless Wiretapping Program

More than eight years after filing a Freedom of Information Act request for the legal justification behind the "Warrantless Wiretapping" program of President Bush, EPIC has now obtained a mostly unredacted version of two key memos (OLC54) and (OLC85) by former Justice Department official Jack Goldsmith. EPIC requested these memos just four hours after the New York Times broke the story about the program in December 2005. When the agency failed to release the documents, EPIC filed a lawsuit. The ACLU and the National Security Archive later joined the case. These two Office of Legal Counsel memos offer the fullest justification of the warrantless wiretapping program available to date, arguing that the president has inherent constitutional power to monitor Americans' communications without a warrant in a time of war. But some parts of the legal analysis, including possibly contrary authority, are still being withheld. The warrantless wiretapping program was part of "Stellar Wind," a broad program of email interception, phone record collection, and data collection undertaken by the NSA without the approval of Congress. For more information, see EPIC: EPIC v. DOJ: Warrantless Wiretapping Program.

Education New York Urges Parents to Protect Student Privacy

Education New York, a leading student privacy rights organization, is urging students and parents to opt out of the use of educational records for marketing purposes. The data typically includes name, address, telephone number, birth date, and other personal information in student records. Education New York’s founder Sheila Kaplan stated, "I'm thrilled that with greater awareness of the issues, more parents have been joining the fight for students’ privacy rights." EPIC has long supported stronger privacy protections for student records. In 2012, EPIC sued the Education Department concerning changes to the student privacy law. Earlier this year, EPIC hosted a panel in Washington DC with Senator Ed Markey, "Failing Grade: Education Records and Student Privacy." For more information, see EPIC v. the Department of Education and EPIC: Student Privacy.

September 9, 2014

Pew Survey: Users Online Self-Censor Discussion of Government Surveillance

According to the Pew Research Report "Social Media and the 'Spiral of Silence,'" most users of social media are afraid to talk about government surveillance on Facebook, Twitter, and other social platforms. Users were more willing to share their views on government surveillance if they thought others shared the same view. Those who thought they held minority views were more likely to self-censor—an effect known as the "spiral of silence." In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. A subsequent Congressional hearing led the DHS to cancel the program. For more information, see EPIC v. DHS: Media Monitoring and EPIC: Public Opinion on Privacy.

September 12, 2014

"FOIA For Attorneys: Getting Maximum Value from the Freedom of Information Act"

Ginger McCall,
Director, EPIC Open Government Project

New York County Lawyers Association
New York City
September 12, 2014

September 10, 2014

FTC To Explore "Big Data" and Discrimination

The Federal Trade Commission will host a workshop entitled "Big Data: A Tool for Inclusion or Exclusion?" The FTC will explore the effects of "big data" analytics on low-income and other underserved communities. Several members of the EPIC Advisory Board will be participating. Earlier this year, the FTC published a report on data brokers, warning that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." The White House also convened a task force and published a report on "big data" this year. At EPIC's urging, the White House included public participation in the review process. EPIC submitted extensive comments, warning about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: FTC.

EPIC, Legal Scholars, Technical Experts Urge Federal Appeals Court to Safeguard Telephone "Metadata"

EPIC has filed an amicus curiae brief, joined by 33 technical experts and legal scholars, in support of a challenge to the NSA telephone record collection program. The case Smith v. Obama will be heard by the Court of Appeals for the Ninth Circuit this fall. Earlier this year, a lower court ruled that the Fourth Amendment does not protect telephone call record information because of a 1979 case Smith v. Maryland. In the brief for the federal appeals court, EPIC wrote that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." EPIC routinely participates as a friend of the court in cases raising novel privacy and civil liberties issues. For more information, see EPIC: Smith v. Obama, EPIC: Riley v. California, and EPIC Amicus Briefs.

September 11, 2014

EPIC Files FOIA Lawsuit For Reports on Electronic Voting Reliability

EPIC has filed a Freedom of Information Act lawsuit to obtain test reports about an online voting program promoted by the Department of Defense. The records sought relate to the functionality and security of electronic voting systems. The California Secretary of State, Members of Congress, and voting rights advocates have tried to obtain these documents, but DOD has kept them secret even after promising public disclosure in 2012. Computer scientists have long warned about the risks of electronic voting systems. In the complaint, EPIC states that "it is absolutely critical for the documents sought in this matter be disclosed prior to further deployment of e-voting systems in the United States." The case is EPIC v. Department of Defense, No 14-1555 (D.D.C. filed 9/11/2014). For more information, see EPIC: EPIC v. DOD - E-voting Security Tests.

September 15, 2014

FBI Says Biometric Database has Reached "Full Operational Capability"

The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached "full operational capability." In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to "Rap Back," the FBI's ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC's recent Spotlight on Surveillance concluded that NGI has "far-reaching implications for personal privacy and the risks of mass surveillance." For more information, see EPIC: EPIC v. FBI - Next Generation Identification.

September 18, 2014

EPIC, Coalition Urge UN Human Rights Council to Review U.S. Spy Programs

In a joint submission to the United Nations, the Brennan Center, EPIC, and other public interest organizations urged the Human Rights Council to review U.S. surveillance programs. The Council regularly performs a Universal Periodic Review of the human rights record of UN Member States. As a result of the Council's last review, the U.S. Government committed to protect individual privacy and stop spying on citizens without judicial authorization. The coalition letter argues that the U.S. has not honored this commitment and that U.S. "surveillance activities also violate the rights to privacy, freedom of expression, and the freedom of peaceful assembly and association..." guaranteed by the Universal Declaration of Human Rights. In January 2010, twenty-nine experts in privacy and technology affiliated with EPIC wrote to then U.S. Secretary of State Hillary Clinton to urge that the United States ratify the Council of Europe Convention on Privacy. For more information, see EPIC: Council of Europe Privacy Convention.

September 22, 2014

EPIC, Coalition Call for Transparency in Public Consumer Database

In comments to the Consumer Financial Protection Bureau, EPIC and other public interest organizations urged the Bureau to publish consumer complaint narratives. The Bureau currently publishes limited complaint information on financial products and services, including debt collection and credit reports. The Bureau is now considering a plan to provide consumer perspectives on experiences with the financial industry. The consumer groups support this effort and also recommend obtaining consumer consent and removing personally identifiable information before posting the complaints. Last year, EPIC uncovered documents revealing that many student debt collection companies fail to meet legal privacy obligations. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act.

September 23, 2014

EPIC FOIA - FBI Extends "Rap Back" Biometric Collection

EPIC has just received documents about the FBI's Rap Back program. The FBI now routinely collects biometric data for ongoing background checks on nongovernment employees. In response to EPIC's FOIA request, the FBI is currently reviewing thousands of pages about the "Rap Back" program. Rap Back is part of the FBI's Next Generation Identification initiative, one of the largest biometric databases in the world, tied to data centers managed by the Department of Homeland Security, Department of Defense, and other government agencies. EPIC previously sued the FBI for documents about the NGI database and uncovered agency acceptance of high error rates. For more information, see Spotlight on Surveillance: Next Generation Identification.

Apple Announces New Privacy Enhancing Techniques

The most recent product announcement from Apple includes several privacy enhancing techniques that EPIC has favored, including randomized MAC addresses, end-to-end encryption, robust screen lock, and implementation of secure electronic payment systems. Still, EPIC has raised questions about Health Kit, which enables the collection and transfer of sensitive medical information, and the enforcement of developer guidelines. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy.

September 26, 2014

FAA Okays Hollywood Drone Use, But Privacy Safeguards Remain Grounded

The Federal Aviation Administration granted six exemptions for the commercial use of drones to companies in the film and television industry this week. The agency found that the proposed operations do not “pose a threat to national airspace users or national security.” Safety requirements include line-of-sight tracking, restricting flights to the “sterile area” on the set, inspection after each flight, and prohibiting operation at night. The agency is currently considering another 40 requests from various commercial entities. Currently, no privacy protections are in place to address the commercial use of drones. EPIC has testified in Congress in support of a comprehensive drone privacy law—calling for use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration to develop drone privacy guidelines after an EPIC-led coalition petition. EPIC also urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones.

“Eyes Over Washington” - EPIC Obtains New Documents About Surveillance Blimps

EPIC has obtained new documents detailing the Department of the Army’s use of surveillance blimps over the nation’s capital. The documents include thirty heavily redacted pages of equipment descriptions and data. In May, EPIC filed suit against the Department of the Army to obtain details about a sophisticated tracking and targeting system that will be deployed over Washington, DC during the next three years. JLENS is comprised of two 250' blimps. One blimp conducts aerial and ground surveillance over a 340-mile range, while the other has targeting capability, including HELLFIRE missile capability. The JLENS was originally deployed in Iraq. In the FOIA request, EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. An Army spokesperson said recently that JLENS will “absolutely not” include video surveillance gear. Similar blimps have been deployed by the DHS for border security. They include video surveillance. For more information, see EPIC: EPIC v. Army - Surveillance Blimps and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.

Appeals Court Limits Military Surveillance of Civilian Internet Use

The U.S. Court of Appeals for the Ninth Circuit ruled in United States v. Dreyer that an agent for the Naval Criminal Investigative Service violated Defense Department regulations and the Posse Comitatus Act when he conducted a surveillance operation in Washington state to identify civilians who might be sharing illegal files. The 1878 Act prevents the U.S. military from enforcing laws against civilians. The appeals court ruled that the NCIS intrusion into civilian networks showed “a profound lack of regard for the important limitations on the role of the military in our civilian society.” The court also ruled that the evidence obtained by NCIS should be suppressed to “deter future violations.” In a petition to the Supreme Court, EPIC challenged the NSA’s surveillance of domestic communications. The NSA is a component of the Department of Defense. For more information, see In re EPIC and EPIC v. DOJ: Warrantless Wiretapping Program.

September 29, 2014

EPIC Files Comments on Financial Privacy

EPIC has filed extensive comments in response to a request from the Consumer Financial Protection Bureau. EPIC urged the Bureau to limit the information debt collectors gather on consumers. EPIC advised the Bureau to prohibit debt collectors from contacting employers and others about consumer debt. EPIC also advised the Bureau to require debt collectors to protect the information they acquire and to allow consumers to see the information about them that is collected. EPIC routinely submits comments to federal agencies, urging them to uphold the Privacy Act and protect individuals from telephone and Internet misuse. In 2004, EPIC submitted comments regarding the "CAN-SPAM" Act and the proposed National "Do Not Email" Registry. In 2006, EPIC testified before Congress regarding the Truth in Caller ID Act of 2006. And in 2009, EPIC submitted comments on the Truth in Caller ID Act of 2009, recommending a prohibition against overriding calling parties' privacy choices. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act.

EPIC Urges FTC to Investigate Maricopa Data Breach

EPIC has filed a complaint with the Federal Trade Commission concerning the loss of personal information of almost 2.5 million current and former students, employees, and vendors in Maricopa County. According to EPIC, the District's failure to maintain a comprehensive information security program led to a "massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information." EPIC further alleges the District violated the Federal Trade Commission's Safeguards Rule by failing to protect students' financial information. EPIC's complaint follows a similar complaint by DataBreaches.net. EPIC said that "many education institutions in the United States are subject to the Safeguards Rule. The District's case is a particularly egregious example of the risk of failing to safeguard sensitive personal information." For more information, see EPIC: Student Privacy.

About September 2014

This page contains all entries posted to epic.org in September 2014. They are listed from oldest to newest.