« August 2016 | Main | October 2016 »

September 2016 Archives

September 7, 2016

FTC Responds to EPIC's Complaint about WhatsApp

The Federal Trade Commission has responded to the EPIC and Center for Digital Democracy complaint about WhatsApp's plan to transfer user data, including verified phone numbers, to Facebook. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook. The FTC letter also acknowledged that the EPIC-CDD complaint “contains allegations regarding statements WhatsApp has made about how it limits the use of mobile phone numbers or other personally identifiable information." The FTC said it will "carefully review" EPIC’s complaint. EPIC and CDD wrote that WhatsApp's plan to transfer user data to Facebook for user profiling and targeted advertising - without first obtaining users' opt-in consent - contradicts numerous FTC statements and violates Section 5 of the FTC Act. EPIC and CDD previously warned the Commission that it must protect the privacy interests of WhatsApp users following the acquisition by Facebook.

House Report Criticizes OPM Handling of Massive Data Breach Last Year

In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

EPIC, Coalition Reject Calls to Further Weaken FCC's Modest Privacy Proposal

EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules. The groups rejects efforts  by Internet Service Providers to exempt anonymized consumer data from the privacy rules and to require opt-in consent only for sensitive information. The consumer groups also oppose mandatory arbitration and “pay-for-privacy” plans that would require consumers to pay fees for basic privacy safeguards. EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further  to "address the full range of communications privacy issues facing US consumers."

September 8, 2016

Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns

Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia, have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon Go release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO,  Niantic’s data collection practices, and its ties to Google.

Presidential Science Advisors Challenge Validity of Criminal Forensic Techniques

According to an upcoming report by the President’s Council of Advisors on Science and Technology, much of the forensic analysis in criminal trials is not scientifically valid. The report, to be released this month, attacks the validity of analysis of evidence like bite-marks, hair, and firearms. The "lack of rigor in the assessment of the scientific validity of forensic evidence is not just a hypothetical problem but a real and significant weakness in the judicial system,” wrote the council. The Senate Judiciary Committee held hearings in 2009 and 2012 to discuss the need to strengthen forensic science, and Sen. Patrick Leahy (D-VT) introduced a forensic reform bill in 2014. EPIC has pursued FOIA requests on the reliability of proprietary forensic techniques. EPIC also filed a brief on the reliability of novel forensic techniques in the Supreme Court case Florida v. Harris.

Continue reading "Presidential Science Advisors Challenge Validity of Criminal Forensic Techniques" »

September 9, 2016

Federal Agencies Unable to Measure FOIA Litigation Costs

In a new report the Government Accountability Office found that the Justice Department and other federal agencies are unable to determine how much they spend on defending Freedom of Information Act lawsuits. The watchdog agency found that of the 112 FOIA lawsuits decided between 2009 and 2012 in which the requester prevailed, agencies were able to calculate costs for only half, and estimated $1.4 million in costs. The GAO—which conducted the investigation in response to a request from Senators Chuck Grassley (R-IA) and Patrick Leahy (D-VT) of the Senate Judiciary Committee—urged Congress to explore the possibility of requiring agencies to track FOIA litigation costs. EPIC routinely litigates FOIA cases against federal agencies, and is currently fighting to obtain secret Inspector General reports  surveillance oversight reports, and details on the government’s largest-ever phone surveillance program

September 12, 2016

EPIC Republishes "Privacy and Human Rights," Most Comprehensive Survey of Privacy Law and Practices Ever

EPIC has published the first digital edition of Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available online.

September 13, 2016

European Commission Begins Investigation of WhatsApp Privacy About-Face

Following the announcement that WhatsApp intends to transfer user data to Facebook in violation of earlier commitments, EU Competition Commissioner Margrethe Vestager has opened an investigation. Vestager stated, “That they didn’t merge data wasn’t the decisive factor when the merger was approved, but it was still a part of the decision” to approve the $19b Facebook acquisition in 2014. Last month, EPIC and the Center for Digital Democracy filed a complaint with the FTC, urging the Commission to Act. The FTC responded that it would “carefully review” EPIC’s complaint.

EPIC Prevails in FOIA Lawsuit for Government Privacy Assessments

EPIC has prevailed in EPIC v. DEA, a case involving a Freedom of Information Act request for privacy assessments the federal agency is required by law to perform. EPIC sued the Drug Enforcement Agency after the agency failed to respond to EPIC’s FOIA request. EPIC subsequently challenged the adequacy of the agency’s search. Today, the federal judge concluded that although the initial search was adequate, “EPIC has raised a substantial doubt as to the sufficiency of the DEA’s supplemental search.” The Court ordered the agency to conduct an additional search or explain why an updated search is not likely to produce additional records. EPIC pursued the DEA FOIA case after the disclosure of “Hemisphere,” perhaps the largest telephone record collection program in the world.

Continue reading "EPIC Prevails in FOIA Lawsuit for Government Privacy Assessments" »

FTC Seeks Comments on the "Disposal Rule" for Consumer Data

The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires that companies delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefits analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission.

September 14, 2016

EPIC Amicus - Appeals Court Finds Inaccurate Background Reports Violate Federal Privacy Law

A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of crediting reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow “industry standards” if  inaccurate reports still result. The court found that Lexis was negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information.

September 12, 2016

EPIC Urges Policy Commission to Support Privacy Techniques

EPIC President Marc Rotenberg appeared before the recently established Commission on Evidence-Based Policymaking. Mr. Rotenberg discussed Privacy Perspectives on data use. He pointed to the federal wiretap reports and also climate data as government data sources that are enormously influential yet raise few privacy concerns. He recommended that the Commission encourage the development of Privacy Enhancing Techniques that protect personal information while enabling data analysis. Rotenberg serves on a National Academies study that will release a report on privacy and big data in early 2017.

September 19, 2016

White House Updates Guidance on Federal Agency Privacy Practices

The Office of Management of Budget released a memorandum that requires the head of each agency to “assess the management, structure, and operation of the agency’s privacy program.” The OMB memo provides updated guidance, requiring the designation of a Senior Agency Official for Privacy with appropriate authority to implement the agency’s privacy program, including ensuring compliance with the Privacy Act. In 2015, a breach of records at the OMB, impacted more than 22 million federal employees, family members and associates. EPIC has filed numerous comments with agencies across the federal government criticizing their lack of compliance with the Privacy Act. EPIC has also submitted amicus briefs to the US Supreme Court concerning the federal Privacy Act.

FAA Drone Advisory Committee to Address Privacy

In its inaugural meeting, the FAA's newly assembled Drone Advisory Committee decided to address privacy concerns posed by the increasing deployment of drones in the United States. The FAA Committee, lacking consumer and privacy representatives, was assembled to make recommendations to the FAA on drone policy. According to the National Conference on State Legislatures, at least 38 states have considered drone legislation so far this year. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals.

Continue reading "FAA Drone Advisory Committee to Address Privacy" »

September 20, 2016

U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge

The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports, however the framework lacks compliance obligations and  enforcement mechanisms.  The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016.

Policy Commission Seeks Public Comment

The Commission on Evidence-Based Policymaking has issued a request for comments on "strategies to increase the availability and use of government data."  Congress established the Commission to study whether and how data across the federal government could be combined for policy research while protecting privacy.  The Commission seeks comment on several issues including privacy risks, access to data, and whether a single clearinghouse should be created.  In testimony before the Commission, EPIC President Marc Rotenberg emphasized safeguards for personally identifiable information,  following EPIC’s work on Re-identification and The Census and Privacy.  Comments to the Commission are due on November 14, 2016.

September 21, 2016

EPIC Advises Congress on Modernizing Telemarketing Rules to Protect Consumers

EPIC has sent a letter to the House Energy and Commerce Committee in advance of the hearing on “Modernizing the Telephone Consumer Protection Act.” The telemarketing law bars telemarketers and robocallers from contacting consumers by phone fax, or text without prior consent. EPIC urged the Committee to ensure that an update to the law “protects consumers from unwanted commercial communications.” EPIC said legal rights should be “robust, enforceable and minimally burdensome for consumers." Earlier this year, EPIC filed an amicus brief in support of strengthening TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation.

September 22, 2016

Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention

According to the Pew Research Center, there is broad support in the US for new legal protection for personal information.  Pew found that “68% of internet users believe current laws are not good enough in protecting people’s privacy online; and 64% believe the government should do more to regulate advertisers.” Americans favor limits on how long the records of their activity are stored.  Pew also found that “young adults are more focused than elders when it comes to online privacy,” and many have tried to protect their privacy, removed their names from tagged photos, and taken steps to mask their identity. According to Pew, 74% of Americans say it is “very important” to be in control of their personal information. EPIC maintains an extensive listing of polls concerning public attitudes toward privacy and has launched the Data Protection campaign to highlight privacy protection in the 2016 election.

Consumer Groups Back Call for FTC to Investigate WhatsApp

More than a dozen US consumer organizations have asked the Federal Trade Commission to pursue the complaint EPIC and the Center for Digital Democracy filed about WhatsApp’s plan to transfer user data to Facebook. The EPIC-CDD complaint said that the changes to WhatsApp contradict promises  to users that personal information would not be used for marketing purposes.  The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." The FTC responded that it would “carefully review” EPIC’s complaint. The consumer coalition letter urges the Commission to “fulfill its duty to protect consumer privacy, and to investigate and enjoin WhatsApp and Facebook’s proposed change in business practices.” 

Federal Judge Unseals Secret Surveillance Records

A federal judge has ordered the public release of 235 sealed records of government surveillance in response to a request from a journalist.  EPIC has urged greater transparency of these "pen register and trap and trace" orders. As a result of a Freedom of Information Act lawsuit  against the Justice Department, EPIC v. DOJ, EPIC made public formerly secret documents about the government’s use of pen registers to collect the records of private communications.

Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach

Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.

September 26, 2016

EPIC Tells Congress FTC Must Do More for Consumer Privacy

EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC  also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws.

September 27, 2016

Secret Ballot At Risk in Maryland After Election Board Vote

The Maryland State Board of Elections has voted to certify Maryland’s online ballot-marking system for general use, threatening voter privacy. Voters using the online-ballot marking system would receive and fill out their ballot online, risking third party access their vote. Previously online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.

Continue reading "Secret Ballot At Risk in Maryland After Election Board Vote" »

EPIC Files Suit to Block "Invasive and Ineffective" Airport Body Scanner Program

EPIC has filed the opening brief in EPIC v. TSA II with the federal appeals court in Washington, DC, challenging the Transportation Security Administration's continued use of body scanners in US airports. TSA issued a regulation mandating the use of body scanners across the country more than five years after the court in EPIC v. TSA ordered the agency to "promptly" solicit public comments on the controversial body scanners program and nearly a decade after the agency deployed the scanners without public comments. EPIC told the court that the TSA's regulation entrenches body scanners over more effective less intrusive screening techniques,  and undermines  the legal right of passengers to opt out. EPIC wrote that the TSA has failed to "justify the use of invasive screening techniques, or to provide the public with an opportunity to respond to the denial of the passenger opt-out right."

Germany Prohibits WhatsApp Data Transfer to Facebook

Germany’s privacy regulator has ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp’s privacy changes, which contradict previous commitments to users and regulators. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC responded it would “carefully review” EPIC’s complaint. The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

Senators Seek Answers About Yahoo's Massive Data Breach

Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information.

EPIC Urges Congress to Protect Voter Privacy

EPIC has sent a letter to a Congressional committee in advance of a hearing on cybersecurity and ballot integrity. EPIC warned that casting votes online threaten voter privacy. EPIC explained that the secret ballot is the cornerstone of the US election system. EPIC, Common Cause, and Verified Voting recently published The Secret Ballot at Risk: Recommendations for Protecting Democracy. The report makes specific recommendations for protecting voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.

September 28, 2016

EPIC Celebrates International Access to Information Day

Today marks the first annual International Day for Universal Access to Information. This day celebrating the right to information—September 28th of every year—was established by the UN Education, Scientific, and Cultural Organization in a resolution last year. Freedom of information, declared UNESCO, "is an integral part of the fundamental right to freedom of expression," and is established as a right in the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights. International efforts to promote the right to information have also produced the Open Government Partnership, a multilateral initiative to secure transparency commitments from governments. EPIC, as part of a coalition of transparency groups, has proposed recommendations to the US open government plan, as well as plans from US agencies.

Continue reading "EPIC Celebrates International Access to Information Day" »

Massachusetts Court Upholds Privacy Rights of Cell Phone Users

The Massachusetts Supreme Judicial Court ruled today in Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court  that established a warrant requirement for searches of cell phones. The EPIC State Policy Project coordinated the EPIC amicus brief in the case.

Nickelodeon Plaintiffs Ask Supreme Court to Hear Video Privacy Case

The plaintiffs in the In re Nickelodeon class action recently asked the Supreme Court to hear their case.  In June, a federal appeals court rejected claims that Viacom and Google violated the Video Privacy Protection Act, holding that static IP and MAC addresses are not “personally identifiable information.” The opinion contradicted a ruling from a different federal appeals court which held that  unique IDs are personally identifiable under the video privacy law.  EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly “to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.”   The petition is C.A.F. v. Viacom, case number 16-346.

September 29, 2016

EPIC Publishes "Privacy Law Sourcebook 2016"

EPIC proudly announces the 2016 edition of the Privacy Law Sourcebook, the definitive reference guide to US and international privacy law. The Privacy Law Sourcebook is an edited collection of the primary legal instruments for privacy protection in the modern age, including United States law, International law, and recent developments. The Sourcebook includes recent US law, such as the FREEDOM Act, and the EU General Data Protection Regulation, the UN Resolution on the Right to Privacy in the Modern Age, and regional privacy agreements. The Privacy Law Sourcebook 2016 is available for purchase from the EPIC Bookstore. EPIC will make the Privacy Law Sourcebook freely available to NGOs and human rights organizations.

Continue reading "EPIC Publishes "Privacy Law Sourcebook 2016"" »

September 30, 2016

India Joins International Opposition to WhatsApp Privacy Changes

India’s Deli High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises. Germany has also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC’s latest response to the consumer coalition emphasized “FTC staff’s position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises.” The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

EPIC Opposes DHS Plan to Collect Social Media Identifiers

In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risked abuse, and would disproportionately impact against minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program. 

Continue reading "EPIC Opposes DHS Plan to Collect Social Media Identifiers" »

About September 2016

This page contains all entries posted to epic.org in September 2016. They are listed from oldest to newest.

August 2016 is the previous archive.

October 2016 is the next archive.

Many more can be found on the main index page or by looking through the archives.