EPIC Alert 23.17

1. EPIC Prevails in FOIA Lawsuit for Government Privacy Assessments

EPIC has scored a major victory in EPIC v. Drug Enforcement Agency, a Freedom of Information Act case about secret Privacy Impact Assessments for its surveillance programs. EPIC sued the DEA last year after the agency failed to respond to EPIC's request for the nonpublic documents. A federal judge in Washington, D.C. concluded this week that the DEA failed to reasonably search for the records, and ordered the agency to conduct another search.

In 2015 EPIC filed a FOIA request with the DEA for its nonpublic PIAs which, according to the DOJ, analyze how "information in identifiable form is collected, stored, protected, shared, and managed." EPIC also sought all Initial Privacy Assessment and Privacy Threshold Analysis documents since January 2007. The latter categories of documents are used to determine whether a more thorough PIA is required for the use of new information technology.

Over the past several years, the DEA has initiated several new surveillance programs that require the completion of privacy assessments. For example, the Hemisphere program, the largest telephone record collection program in the world and a focus of another EPIC lawsuit, gives law enforcement direct access to an AT&T database of telephone call records since 2007. No privacy assessments for Hemisphere or other DEA surveillance programs were publicly available when EPIC filed its FOIA request for these documents.

In the recent D.C. federal court opinion, Judge Christopher R. Cooper concluded that although the initial search was adequate, "EPIC has raised a substantial doubt as to the sufficiency of the DEA's supplemental search" for missing PIAs. In response to EPIC's evidence of at least four PIAs that should have been found, the court determined that "it does not appear that the DEA took reasonable steps to locate these four PIAs." Judge Cooper ordered the agency to conduct an additional search or explain why an updated search is not likely to produce additional records. The DEA has until October 13 to submit its response to the court.

2. European Commission Begins Investigation of WhatsApp Privacy About-Face

EU Competition Commissioner Margrethe Vestager has opened an investigation into WhatsApp's recent announcement that it intends to transfer user data to Facebook in violation of earlier commitments to US and EU authorities. According to Vestager, "That they didn't merge data wasn't the decisive factor when the merger was approved, but it was still a part of the decision" to approve Facebook's $19 billion acquisition of the messaging app in 2014.

EPIC and the Center for Digital Democracy filed a complaint with the Federal Trade Commission last month over WhatsApp's proposed data transfer, urging the Commission to act. On August 25, 2015, WhatsApp announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. The companies plan to use this information to provide "friend suggestions and more relevant ads on Facebook" and to allow businesses to send WhatsApp users marketing messages. WhatsApp will provide users 30 days to opt-out of data transfers to Facebook.

WhatsApp and Facebook's plan contradicts previous promises to WhatsApp users that their personal information would not be disclosed or used for marketing purposes, and constitutes an unfair and deceptive trade practice. When Facebook purchased WhatsApp in 2014, the companies promised users of the privacy-protective messaging service that "nothing" will change for WhatsApp users' privacy. Facebook CEO Mark Zuckerberg promised, "We are absolutely not going to change plans around WhatsApp and the way it uses user data." The FTC responded that it would "carefully review" EPIC's complaint.

The proposed data transfer is being scrutinized by European privacy regulators as well. The EU's Article 29 Working Party said it would be following the policy changes "with great vigilance." The UK's Information Commissioner is also investigating the matter, noting the changes "will affect a lot of people" and users "may be concerned by the lack of control."

EPIC and CDD previously filed a complaint with the FTC over the 2014 merger, which urged the FTC to block the sale unless adequate privacy safeguards were established for WhatsApp user data. The FTC approved the deal, but warned the two companies that they must honor their privacy promises to WhatsApp users. EU regulators also approved Facebook's purchase of WhatsApp, but this approval can be revoked if companies provided inaccurate information during the approval process.

3. Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns

Pokemon GO Developer Niantic has responded to a request by Sen. Al Franken to clarify its data practices. The company's response left a number of Sen. Franken's questions unanswered and fails to adequately address ongoing privacy concerns over the popular game's collection of personal information.

Pokemon GO exploded on the scene this year as a popular augmented-reality gaming app, at its peak reaching over 45 million users in July of 2016. That extraordinary access to consumers raised alarms among lawmakers and privacy advocates in light of the extensive personal data Niantic collects through the app, including precise location data and IP addresses. The app also accesses users' smartphone cameras. operating system, the web page the user last visited before accessing the game. When Pokemon GO was first released, users who signed up for the game with a Google account unknowingly provided Niantic "full access" to that account. Notably, Niantic's CEO previously oversaw Google's Street View project, which was the subject of controversy for its covert collection of Wi-Fi transmissions.

In a July 12^th letter to Niantic, Sen. Franken requested clarification on the scope and purpose of the company's data collection and directed Niantic to respond by August 12^th. In particular, Sen. Franken asked whether the personal data Niantic collects is actually necessary for the app to function. Niantic's response, dated August 26^th, admits the company collects and stores location information in order to accurately position users within the game, but fails to explain why that data is stored and for how long. Sen. Franken also directed the company to provide a current list of the "third party service providers" to whom user data is disclosed. Niantic confirmed that it discloses user data to third parties the company hires to provide a variety of services, but failed to specifically identify any of these companies or provide a current list as requested.

Earlier this summer, EPIC sent a letter to the Federal Trade Commission urging investigation of Niantic's data collection practices and close ties to Google. Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny," EPIC told the Commission. Privacy officials in Canada, Europe, and Asia have already begun investigations of Niantic.

4. EPIC, Coalition Reject Calls to Further Weaken FCC's Modest Privacy Proposal

EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules.

Earlier this year, the FCC proposed a set of regulations on "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services." The FCC's proposed privacy rules would regulate only Internet Service Providers - not email, search, or social media services - and are based on a limited "transparency, choice, and security" framework. ISPs have argued that the FCC should further limit the rules by exempting anonymized data, requiring opt-in consent only for sensitive information, and allowing use of mandatory arbitration provisions and "pay-for privacy" schemes.

EPIC and other privacy advocates have rejected efforts by ISPs to further weaken the FCC's modest privacy proposal. The coalition letter warns that there is no legal basis for a special carve-out for "de-identified" customer information and that such a carve-out would be harmful to consumers. In response to industry calls to require opt-in consent only for sensitive information, the coalition noted that "Congress has given the FCC a direct and specific obligation to protect telecommunications customers' proprietary information, regardless of sensitivity."

The coalition also opposes mandatory class action clauses. Court decisions limiting consumers' ability to seek redress in class actions have, as Justice Ruth Bader Ginsburg wrote, "predictably resulted in the deprivation of consumers' rights to seek redress for losses, and . . . insulated powerful economic interests from liability for violations of consumer protection laws." Regarding pay-for-privacy plans, the coalition stressed that "consumers should not have to choose between broadband and their right to privacy."

EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further to "address the full range of communications privacy issues facing US consumers." In comments on the FCC's proposed rulemaking, EPIC has urged the Commission "to fully apply" Fair Information Practices (FIPs) and President Obama's Consumer Privacy Bill of Rights (CPBR) to all communications data. EPIC also advised the FCC to endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require meaningful opt-in consent for the use and disclosure of consumer data. The FCC is expected to vote on a final rule in the coming months.

5. House Report Criticizes OPM Handling of Massive Data Breach Last Year

Congress has release a report that criticizes the Office of Personnel Management's handling of a massive data breach last year that exposed the personal information of 21.5 million people contained in government employment background checks. The report, issued by the House Oversight Committee, faults OPM's leadership with failing to take basic steps that could have prevented or reduced the severity of the hack.

The hack targeted the SF-86 form, a 127-page form used to conduct background checks for federal employment in sensitive positions. The form asks applicants for extensive personal information including their current and former addresses, work history, financial information, and the names and addresses of their relatives. The form also asks applicants questions about "potentially embarrassing aspects" of their life including whether they have spoken with a health care professional about mental health conditions, illegal drug use, alcohol abuse, and any financial problems they have had due to gambling.

The OPM breach exposed sensitive SF-86 forms spanning three decades, and is widely considered the most serious breach in the history of the U.S. government. The fingerprints of 5.6 million people were also stolen in the data breach. This information could be used to blackmail government employees, expose the identities of foreign contacts, and cause serious damage to counterintelligence and national security efforts.

According to the House Oversight Committee report, "Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data," The report also found that OPM's Inspector General and the Office of Management and Budget had warned the agency of serious vulnerabilities as early as 2005. "The longstanding failure of OPM's leadership to implement basic cyber hygiene...despite years of warning from the Inspector General, represents a failure of culture and leadership," the report states.

In response, Democrats on the House Oversight Committee released a memo criticizing the report for failing to address federal contractors and their role in federal cybersecurity. The second OPM hack occurred when an individual posed as a federal contractor to gain access to the system.

EPIC recently advised OPM to limit the personal data it collects from job applicants and warned against the agency's plan to begin collecting even more information on background check forms. has long been involved in promoting Privacy Enhancing Techniques that minimize or eliminate the risk of collecting personally identifiable information as well as limits on the collection and use of Social Security numbers. Additionally, EPIC has launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.

EPIC Book Review: "Weapons of Math Destruction"

"Weapons of Mass Destruction," by Cathy O'Neil

"The menace is rising," warns Cathy O'Neil, author of the insightful new book Weapons of Math Destruction. That menace? The opaque and distorted data models--or "WMDs"--that have come to influence nearly every aspect of modern life. From higher education to criminal justice, from employment to civic engagement, our conduct is increasingly shaped by giant data sets and complex algorithms. Yet as O'Neil explains, these "neutral" models are often as flawed as their human creators, "encod[ing] poisonous prejudices" and "blithely generat[ing] their own reality." The result: the "industrial production of unfairness."

O'Neil uses her personal experience with WMDs as a starting point for the book. A former math professor at Barnard College, she left academia to do quantitative analysis at hedge fund D.E. Shaw. In 2008, as the housing and financial markets collapsed, O'Neil confronted the fundamental failure of the data models that her field had relied on. Rather than soberly predicting market behaviors, analysts had engineered flashy but defective formulas, all the while ignoring the risk of human suffering behind the numbers. Over time, O'Neil came to worry "about the separation between technical models and real people, and about the moral repercussions of that separation."

Her concern is well-founded: WMDs surround us. Many such models are profit-driven, like credit score calculations, employment screening procedures, insurance risk formulas, and online advertising algorithms. But as O'Neil describes, even well-intentioned data models can morph into WMDs. Decades after U.S. News & World Report first developed a data-driven model for ranking colleges, the magazine's "hunches" about what characterizes a good school have become gospel in the higher education world. Admissions officers design recruitment strategies to improve their schools' USNWR rankings; well-paid consultants offer their services to help those schools optimize yields; and a cottage industry of coaches and tutors work with applicants to help them navigate a numbers-driven system. Yet for all the influence they wield, the USNWR rankings have "virtually no educational value" and exclude such basic criteria as tuition and fees. O'Neil maps out similar negative feedback loops in predictive policing models, recidivism risk formulas, and campaign micro-targeting strategies.

O'Neil is no luddite: she knows that "[p]redictive models are, increasingly, the tools we will be relying on to run our institutions, deploy our resources, and manage our lives." And she's fond of data models that are transparent, rigorous, and open to continual refinement--for example, baseball statistics. But when a data model is opaque or invisible; when it can "damage or destroy lives"; and when it is capable of exponential growth, the conditions are right for a weapon of math destruction.

O'Neill offers several different proposals to stem the tide of WMDs, such as amending major data and privacy statutes and ditching certain data models altogether. Particularly exciting is her call for data scientists to pledge a "Hippocratic Oath," including a promise "not [to] be overly impressed by mathematics." Whether or not these ideas would bear fruit, O'Neill's book is worth a read simply because it raises the alarm so persuasively on WMDs. As O'Neill writes: "If we back away from them and treat mathematical models as a neutral and inevitable force, like the weather or the tides, we abdicate our responsibility."

--John Davisson

News in Brief

EPIC Amicus: Appeals Court Finds Inaccurate Background Reports Violate Federal Privacy Law

A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of crediting reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow "industry standards" if inaccurate reports still result. The court found that Lexis was negligent because it failed to "follow reasonable procedures to assure maximum possible accuracy" of the information.

FTC Seeks Comments on the "Disposal Rule" for Consumer Data

The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires that companies delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefits analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission.

EPIC Urges Policy Commission to Support Privacy Techniques

EPIC President Marc Rotenberg appeared before the recently established Commission on Evidence-Based Policymaking. Mr. Rotenberg discussed Privacy Perspectives on data use. He pointed to the federal wiretap reports and also climate data as government data sources that are enormously influential yet raise few privacy concerns. He recommended that the Commission encourage the development of Privacy Enhancing Techniques that protect personal information while enabling data analysis. Rotenberg serves on a National Academies study that will release a report on privacy and big data in early 2017.

EPIC Republishes "Privacy and Human Rights," Most Comprehensive Survey of Privacy Law and Practices Ever

EPIC has published the first digital edition of Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available online.

Federal Agencies Unable to Measure FOIA Litigation Costs

In a new report the Government Accountability Office found that the Justice Department and other federal agencies are unable to determine how much they spend on defending Freedom of Information Act lawsuits. The watchdog agency found that of the 112 FOIA lawsuits decided between 2009 and 2012 in which the requester prevailed, agencies were able to calculate costs for only half, and estimated $1.4 million in costs. The GAO--which conducted the investigation in response to a request from Senators Chuck Grassley (R-IA) and Patrick Leahy (D-VT) of the Senate Judiciary Committee--urged Congress to explore the possibility of requiring agencies to track FOIA litigation costs. EPIC routinely litigates FOIA cases against federal agencies, and is currently fighting to obtain secret Inspector General reports surveillance oversight reports, and details on the government's largest-ever phone surveillance program.

Presidential Science Advisors Challenge Validity of Criminal Forensic Techniques

According to an upcoming report by the President's Council of Advisors on Science and Technology, much of the forensic analysis in criminal trials is not scientifically valid. The report, to be released this month, attacks the validity of analysis of evidence like bite-marks, hair, and firearms. The "lack of rigor in the assessment of the scientific validity of forensic evidence is not just a hypothetical problem but a real and significant weakness in the judicial system," wrote the council. The Senate Judiciary Committee held hearings in 2009 and 2012 to discuss the need to strengthen forensic science, and Sen. Patrick Leahy (D-VT) introduced a forensic reform bill in 2014. EPIC has pursued FOIA requests on the reliability of proprietary forensic techniques. EPIC also filed a brief on the reliability of novel forensic techniques in the Supreme Court case Florida v. Harris.

FTC Responds to EPIC's Complaint About WhatsApp

The Federal Trade Commission has responded to the EPIC and Center for Digital Democracy complaint about WhatsApp's plan to transfer user data, including verified phone numbers, to Facebook. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook. The FTC letter also acknowledged that the EPIC-CDD complaint "contains allegations regarding statements WhatsApp has made about how it limits the use of mobile phone numbers or other personally identifiable information." The FTC said it will "carefully review" EPIC's complaint. EPIC and CDD wrote that WhatsApp's plan to transfer user data to Facebook for user profiling and targeted advertising - without first obtaining users' opt-in consent - contradicts numerous FTC statements and violates Section 5 of the FTC Act. EPIC and CDD previously warned the Commission that it must protect the privacy interests of WhatsApp users following the acquisition by Facebook.

EPIC in the News

• LexisNexis Division Liable for Flawed Criminal History Report, Bloomberg BNA, September 15, 2016
• WhatsApp tells Indian court it won't share messages with Facebook, Mashable, September 14, 2016
• Leaked manuals confirm Stingrays can be used for mass surveillance, bypass smartphone security,Extreme Tech, September 13, 2016
• WhatsApp updated a new privacy policy, Lexology, September 13, 2016
• DHS considering expanding biometric data collection at US borders, BiometricUpdate, September 13, 2016
• FTC seeks comment on consumer data disposal, The Hill, September 12, 2016
• Here's how to turn it off, Cosumnes Connection, September 9, 2016
• FTC To Review Facebook-WhatsApp Privacy Concerns, Law360, September 8, 2016
• Facebook's Plan for WhatsApp to Get Close Look from FTC, Fortune, September 8, 2016
• Facebook's acquisition of WhatsApp user data questioned, Consumer Affairs, September 7, 2016
• Privacy and Security in the Age of the Driverless Car, IPWatchdog, September 5, 2016
• Knightscope Robots: Enhanced Safety or More Invasive Surveillance?, The New American, September 5, 2016
• Security robots are already patrolling parking lots; next, our neighborhoods?, LA Times, September 2, 2016
• CNN Viewer Isn't CNN Subscriber, Network Tells 11th Circ., Law360, September 2, 2016
• A vote for low-tech elections, Washington Times, September 1, 2016
• Betraying Your Community's Trust: A Lesson from the WhatsApp Controversy, Small Business Trends, September 1, 2016
• Privacy Watchdogs File Complaint With FTC over WhatsApp's Privacy Policy Change , Lexology, September 1, 2016
• Privacy Group Slams Dismissal Of CNN Case At 11th Circ., Law360, September 1, 2016
• Group Blasts Lack of Privacy Concerns in U.S. Drone Rules, Courthouse News Service, August 31, 2016
• The Federal Aviation Administration's De Facto Drone Privacy Standards, Lexology, August 31, 2016
• The Market of the Incentivized Data Exchange, DMN, August 31, 2016

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).

http://www.privacylawandsociety.org/

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

https://epic.org/privacy-book/

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

September 22, 2016
Disruption or protection? The impact of privacy, data protection and cybersecurity laws on the adoption and use of technology
Alan Butler, EPIC Senior Counsel
International Bar Association
Washington, DC

September 23, 2016
"Big Data and Privacy"
Marc Rotenberg, EPIC President
National Academies of Science
Woods Hole, MA

September 28, 2016
"Dignity and the Internet: The Right to Oblivion versus The Right to Information"
Marc Rotenberg, EPIC President
Catolica Santiago, Chile

October 13, 2016
"The Misunderstood Right to Be Forgotten, and the Future of Free Expression and Privacy in the Online World"
Marc Rotenberg, EPIC President
2016 Davis, Market, Nickerson Lecture on Academic and Intellectual Freedom
Ann Arbor, MI

October 13, 2016
Fall Technology Series: Drones
Jeramie Scott, EPIC Domestic Security Counsel
Federal Trade Commission
Constitution Center
Washington, DC

October 19, 2016 - October 20, 2016
38th International Privacy Conference: Opening New Territories for Privacy
Marc Rotenberg, EPIC President
International Conference of Data Protection and Privacy Commissioners
Marrakech, Morocco

November 21, 2016 - November 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
Berlin, Germany