August 2017 Archives

August 1, 2017

Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things

A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), has introduced legislation to improve the security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier. "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."

EPIC Amicus - DC Circuit Upholds Right of Data Breach Victims to Seek Legal Relief

A federal appeals court in Washington, D.C. has ruled that consumers may sue companies that fail to safeguard their personal data. Consumers sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the Court wrote. EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges.

FBI Issues Final Rule on Biometric Database, Exempts Itself From Privacy Act Protections

The FBI has released a final rule claiming several Privacy Act exemptions for the Next Generation Identification System, a database that contains the biometric data of millions of Americans, much of which is unrelated to law enforcement. EPIC had criticized the FBI's proposal to remove Privacy Act safeguards and urged the FBI to limit the scope of data collection and reduce the retention of data. However, in issuing the final rule the FBI repeatedly stated that exemptions would be used responsibly and in accordance with FBI policies and procedures. Through a FOIA lawsuit, EPIC obtained documents that revealed the NGI database contained an error rate of up to 20% on facial recognition searches. EPIC has identified several problems with the NGI database in statements to Congressional oversight committees, which have indicated strong concern about the FBI's facial recognition program.

August 4, 2017

State Department Moves Forward Plan to Collect Social Media Identifiers of Visa Applicants

The State Department filed a notice this week seeking comment on the agency's plan to make permanent the collection of social media identifiers from individuals applying for visas to enter the U.S. The public comment period is open until October 2, 2017. The State Department previously requested emergency approval for the plan. EPIC opposed the State Department initiative, and in comments earlier this year, urged the agency to drop the plan. EPIC argued that the proposal threatens privacy and First Amendment rights, risks abuse, and would disproportionately impact minority groups.

August 10, 2017

UK Government Releases Statement of Intent Describing New Data Protection Bill

The UK has released a statement of intent describing a forthcoming bill that would make major revisions to the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC supported the GDPR and the right to be forgotten, has explained that IP addresses are personal data, and has warned of the risks of improperly "de-identified" data. EPIC recently filed a complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases.

House Releases Text of Automated Vehicle Bill, Preempts State Action

The House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill prevents the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans; however, it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own.

August 14, 2017

International Privacy Experts Adopt Statements on E-Learning, Intelligence Gathering

The International Working Group on Data Protection in Telecommunications has adopted new recommendations to improve privacy and security standards for e-learning platforms and government intelligence gathering. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The Working Paper on "E-Learning Platforms" highlights privacy risks including excessive collection of students' personal data. "Towards International Principles or Instruments to Govern Intelligence Gathering" recommends that DPAs participate in developing an international instrument governing intelligence activities and recommends authorities promote principles concerning "Legitimacy," "Rule of Law," and "Oversight." In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

Pew Survey Explores the Future of Online Trust

The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.

EPIC Urges Supreme Court to Apply Constitution to Cell Phone Data

EPIC has filed a “friend-of-the-court” brief in Carpenter v. United States concerning the Fourth Amendment and location data. EPIC urged the Supreme Court to reject a 1970s case, Smith v. Maryland (1979), that allows for the warrantless collection of calling data. As EPIC told the Court, that case is from an era “when rotary phones sat on desk tops” and was decided before cell phones and location tracking. EPIC argued that “Cell phones are now as necessary to the life of Americans as they are ubiquitous.” EPIC urged the Court to extend Constitutional protection to cell phone data. Noting that Congress may also pass important privacy laws, EPIC wrote that the Supreme Court “remains the interpreter of the Fourth Amendment in our modern age.” EPIC previously argued against warrantless searches of location data in Riley v. California, United States v. Jones, State v. Earls, and Commonwealth v. Connolly.

August 15, 2017

EPIC FOIA: EPIC Seeks Details of ICE, Palantir Deal

EPIC has submitted a Freedom of Information Act request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. The federal agency contracted with the Peter Thiel company to establish vast databases of personal information, and develop new capabilities for searching, tracking, and profiling. EPIC is seeking the ICE contracts with Palantir, as well as training materials, reports, analysis, and other documents. The ICE Investigative Case Management System and the FALCON system now connect personal data across the federal government, oftentimes in violation of the federal Privacy Act. The Intercept reported that FALCON "will eventually give agents access to more than 4 billion 'individual data records.'" In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in the Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers. EPIC continues to advocate for greater transparency in computer-based decision making.

EPIC Amicus - Ninth Circuit Upholds Consumers’ Right to Sue for Privacy Violations

A federal appeals court ruled today that consumers have the right to file suit when companies report inaccurate credit information about them. Spokeo, the “people search” website, argued that it couldn’t be sued for publishing false information because there was no “concrete” harm. The case went to the Supreme Court, where EPIC filed an amicus brief urging the Court not to “limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” On closer consideration, the Ninth Circuit U.S. Court of Appeals concluded that companies can’t duck the legal consequences when they violate laws that “protect consumers’ concrete interests”—including their right to privacy. “[G]iven the ubiquity and importance of consumer reports in modern life—in employment decisions, in loan applications, in home purchases, and much more—the real-world implications of material inaccuracies in those reports seem patent on their face,” the Court wrote. “[I]t makes sense that Congress might choose to protect against such harms without requiring any additional showing of injury.” EPIC regularly files amicus briefs defending consumer privacy, and filed several amicus briefs after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

After EPIC Privacy Complaint, Uber Settles with FTC

After an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases.

Justice Department Demands 1.3 Million IP Logs From Inauguration Protest Website

Federal prosecutors in Washington, DC are demanding that an internet hosting service turn over vast amounts of personally identifying data from a website used to organize Inauguration Day protests, including a reported 1.3 million IP logs. DreamHost, the hosting service, has refused to comply with the government's warrant. In a court filing DreamHost argued that prosecutors are attempting "to identify the political dissidents of the current administration" and that the government's data demand is far too broad. In 2006, EPIC opposed a similar government demand—later dropped—for a week's worth of search queries entered into Google. EPIC recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to read in the digital era.

Appeals Court Rules in Case that Aligns Privacy and Freedom of Information

A federal appeals court has ruled in an open government case with implications for informational privacy. The court concluded that “there may be a basis for redaction” of personal information in government records “where disclosure would likely result in threats, harassment, and violence.” EPIC filed an amicus brief in the case arguing that withholding personal information safeguards open government and is constitutionally required. “Open government laws and privacy laws are complementary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible,” EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T.

August 18, 2017

EPIC v. IRS: District Court Rules IRS May Withhold Trump Tax Records

A federal court in Washington, DC has ruled that the IRS may withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia. The President, for example, tweeted: "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING!" However, the Court ruled that “until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark.” EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI’s response to the attack. EPIC will continue to pursue the release of President Trump’s tax records and related evidence of financial relations with the Russian government.

EPIC Appeals Voter Data Privacy Decision

EPIC has appealed a federal district court ruling that allowed the Presidential Election Commission to move forward with a controversial plan to gather state voter data in a White House database. EPIC told the D.C. Circuit Court of Appeals that the Commission was obligated to undertake a Privacy Impact Assessment before amassing voters’ personal information. EPIC's case, which led the Commission to suspend the collection of voter data in July, after EPIC's lawsuit revealed agency incompetence, is before the D.C. Circuit on an expedited basis. The case is EPIC v. Commission, No. 17-5171 (D.C. Cir. filed July 27, 2017).

August 23, 2017

Justice Department Withdraws Demand for Disruptj20 Visitor Logs

Facing public outrage, the Department of Justice has rescinded a demand for over 1.3 million IP logs associated with Inauguration Day protests. DreamHost challenged the warrant, which required the web hosting service to turn over practically all records about disruptj20.org, a protest website. The Justice Department warrant could have identified protestors, threatened First Amendment protections, and violated the Fourth Amendment. After widespread opposition, the DOJ narrowed the demand to exclude visitor logs and unpublished content, such as posts and emails. EPIC opposed the DOJ's demand as it had in an earlier case involving Google search histories. EPIC also recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to access information online free of government surveillance.

Appeals Court OKs Collusive Google Privacy Settlement

A divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don’t protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases.

August 24, 2017

Supreme Court of India Rules Privacy is a Fundamental Right

India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.

August 25, 2017

2018 Intelligence Authorization Reflects Concerns About Russian Hacking

In the proposed intelligence reauthorization for 2018, the Senate has included provisions reflecting widespread concern about the Russian interference in the 2016 election. Among other requirements, S. 1761 mandates a report to Congress detailing the past cyber attacks on election infrastructure and the risk of future attacks, as well as a report assessing the intelligence community response to the attacks. The bill also gives the intelligence community 90 days to develop a strategy to counter the threat of future Russian cyber attacks. And the bill requires the Director of National Intelligence to submit to Congress a report assessing the "threat of Russian money laundering to the United States." EPIC raised similar concerns in a series of leading open government cases concerning the Russian interference. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attacks and has obtained the FBI Notification Procedures that should have been followed after a cyber attack. In EPIC v. ODNI, EPIC is seeking the release of the complete intelligence report on the scope of the Russian attack. And in EPIC v. IRS, EPIC is seeking to obtain the public release of Donald Trump’s tax returns.

August 29, 2017

Following EPIC Complaint, Uber Agrees To Stop Tracking Riders

Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed by EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases.

August 30, 2017

Federal Appeals Court Rules Data Breach Case May Proceed

A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins.

August 31, 2017

Court Criticizes Presidential Election Commission for Withholding Documents from the Public

A federal judge in Washington, DC expressed disbelief this week at the Presidential Election Commission’s failure to disclose documents from the July 19 inaugural public meeting. The Commission failed to make available to the public the meeting agenda and a 381-page “voter fraud” report prepared by a special interest group that was circulated privately to Commission members. Speaking at a court hearing, the federal judge overseeing the case criticized the Commission for failing “to live up to the government’s representations” about transparency. The Commission is attempting to assemble a nationwide database of voter data over the objections of state election officials. But earlier this summer, the Commission suspended collection of voter data in response to a lawsuit brought by EPIC. EPIC’s case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals.

Trump Nominee to Head Privacy Board Favors Warrantless Surveillance

Donald Trump has nominated Adam Klein to head the Privacy & Civil Liberties Oversight Board (PCLOB). Klein, a senior fellow at the Center for a New American Security, recently testified that Congress should not require agencies to obtain a court order to query data collected under Section 702 of the Foreign Intelligence Surveillance Act, facilitating warrantless surveillance. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC recently urged the Senate Judiciary Committee to restore PCLOB to full strength.

EPIC Supports Continuation of CAN-SPAM Rule

EPIC has submitted comments to the Federal Trade Commission recommending the continued use of the CAN-SPAM Rule. The FTC is reviewing the CAN-SPAM Rule, which regulates the transmission of commercial e-mail messages and prohibits certain unlawful practices, as part of a periodic review of Commission rules. EPIC expressed support for the continuation of the Rule and proposed strengthening the Rule by implementing a domain name based "Do Not E-mail" list and making it easier for consumers to opt out of having their e-mails included in third-party e-mail lists. EPIC testified before the Senate in 2003 in support of the CAN-SPAM Act. EPIC regularly advocates for rules that protect consumers from harassing and annoying phone calls and e-mails.

Court Rules California Police Can't Avoid Public Scrutiny of License Plate Reader Program

The California Supreme Court ruled that the mass, indiscriminate collection of license plate data by California police cannot be shielded from public scrutiny. In response to an open records request by EFF and the ACLU of Southern California, Los Angeles area law enforcement attempted to prevent disclosure by claiming all license plate data were "investigative records." The court ruled that the license plate data of millions of law-abiding citizens was not an "investigative record." The Court stated, "It is hard to imagine that the Legislature intended for the records of investigations exemption to reach the large volume of data that plate scanners and other similar technologies now enable agencies to collect indiscriminately." EPIC filed an amicus brief in the public records case stating, "Public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications.

About August 2017

This page contains all entries posted to epic.org in August 2017. They are listed from oldest to newest.
