EPIC Alert 23.23

1. EPIC, Consumer Groups Urge Recall of "Toys That Spy"

EPIC has filed a landmark complaint with the Federal Trade Commission about "toys that spy." The complaint alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy and consumer protection laws. "The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards," EPIC states in the FTC filing. EPIC and other consumer groups have urged the recall of the toys.

The EPIC complaint targets toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications, and describes how Internet-connected toys pose ongoing privacy and safety threats to children. The complaint outlines numerous violations of both the Children's Online Privacy Protection Act and the FTC Act's prohibition on unfair and deceptive acts and practices. Specifically, the companies unfairly and deceptively collect, use, and disclose audio files of children's voices and other personal information without providing adequate notice or obtaining verified parental consent in violation of COPPA, the FTC's COPPA Rule, and Section 5 of the Federal Trade Commission Act.

The EPIC complaint also takes issue with Genesis' failure to take reasonable security measures to prevent unauthorized Bluetooth connections with the toys. As a result, Genesis fails to prevent strangers and predators from covertly eavesdropping on children's private conversations, which "creates a substantial risk of harm because children may be subject to predatory stalking or physical danger." In addition, the complaint warns that children's voice recordings are sent to Nuance, a defense contract that may use these recordings for its voice identification services offered to law enforcement, military, and intelligence agencies.

Following EPIC's complaint, Senator Edward Markey (D-MA) sent letters to Genesis Toys and Nuance Communications requesting information on their data collection from young children. Senator Markey and Rep. Joe Barton (R-TX), joined by Senator Mark Kirk (R-IL) and Rep. Bobby Rush (D-IL), introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information.

EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts led by the Norwegian Consumer Council to ban these toys from the marketplace. Toy stores across Europe have already removed Cayla and i-Que from their shelves and are offering refunds to parents who purchased the toys.

EPIC has previously warned Congress about the risks of the Internet of Things, and filed complaints with the FTC about "always on" devices and "smart TVs that place American consumers under constant surveillance.

2. EPIC Pursues TSA Airport Body Scanner Case

EPIC has filed a reply brief in EPIC v. TSA, EPIC's lawsuit challenging the agency's final rule mandating airport body scanners in US airports instead of alternative screening techniques that are more effective, less expensive, and less intrusive.

In 2011, EPIC challenged the intrusive and ineffective TSA screening procedure after twice filing petitions urging the TSA to end its airport body scanner program. In EPIC v. DHS, EPIC argued that the TSA violated the Administrative Procedure Act (APA) by deploying body scanners without first seeking public comment. The APA requires federal agencies to provide notice and opportunity for comment when implementing a rule that affects the rights of the public.

In EPIC v. DHS, the D.C. Circuit Court of Appeals held that the TSA violated the law by failing to undertake a public notice and comment rulemaking. Writing for a unanimous court, Judge Ginsburg found there was "no justification for having failed to conduct a notice-and-comment rulemaking," and said, "few if any regulatory procedures impose directly and significantly upon so many members of the public."

The Court also relied on the TSA's representations that "No passenger is ever required to submit to an AIT scan," concluding that "any passenger may opt-out of AIT screening in favor of a patdown, which allows him to decide which of the two options for detecting a concealed, nonmetallic weapon or explosive is least invasive." In the final rule, the TSA has removed the patdown option, in violation of the opinion of the opinion of the federal appeals court.

The TSA solicited public comments on its body scanner program in 2013, nearly two years after the D.C. Circuit ordered the agency to "promptly" do so.

EPIC urged TSA to adopt walk-through metal detectors and explore trace detection devices as less invasive screening alternatives to body scanners. More than 5,000 comments were submitted by the public to the agency, almost all in opposition to the agency's decision to adopt body scanners. Despite the public comments overwhelmingly in favor of less invasive security screenings, the agency announced that it will continue to use invasive body scanners at airports. The final rule also states that TSA "may require AIT use, without the opt-out alternative, as warranted by security considerations in order to safeguard transportation security."

EPIC challenged the final rule and filed its opening brief with the court in September. In the reply brief, EPIC refuted the agency's arguments and reiterated that walk-through metal detectors combined with explosive trace detection would be a more effective, less intrusive technique.

The case is EPIC v. TSA, Case No. 16-1139 (D.C. Cir. filed May 2, 2016). Earlier this year, EPIC and 25 organizations urged Congress to hold a hearing on the TSA's authority to mandate body scanners.

3. EPIC, Coalition Urge OMB to Protect the Privacy Act and FOIA

EPIC, Open The Government, and a non-partisan coalition of over 40 groups recently urged the Office of Management and Budget to "suspend action on any pending rules or regulations that would diminish the effectiveness of the Privacy Act or the Freedom of Information Act."

"The two laws operate as bulwarks of our democracy, helping to ensure the transparency of the federal government while protecting the privacy of the personal data retained by federal agencies," the coalition told the OMB in a joint letter. "We believe it is essential that OMB leave in place the strongest possible safeguards to ensure government accountability for the next administration."

Calling the two laws "the twin pillars of government accountability," the coalition specifically asked the OMB to "oppose any new barriers to individuals seeking information under the FOIA" and to not approve any "pending rule that would expand the ability of a government agency to exempt their system of records from Privacy Act obligations[.]"

The Freedom of Information Act and the Privacy Act are both essential to the work that EPIC does. EPIC has filed numerous FOIA lawsuits to increase transparency around government surveillance programs. Mostly recently, EPIC filed suit against the Federal Bureau of Investigation seeking further records about the massive biometric database known as "Next Generation Identification."

In public comments to federal agencies, EPIC has consistently recommended stronger privacy protections and argued against agency proposals to exempt themselves from the safeguards of the Privacy Act. In October, EPIC filed comments urging the OMB "to increase its oversight and strengthen its guidance on federal agency implementation of the Privacy Act 'routine use' exemption to remain true to legislative intent and provide important safeguards for individuals' personal privacy."

4. EPIC Promotes Strong Crypto, Civil Society at Internet Governance Forum in Mexico

EPIC President Marc Rotenberg spoke at the 2016 Internet Governance Forum in Guadalajara, Mexico, promoting strong cryptography and the role of civil society at the Organization for Economic Cooperation and Development.

The IGF is a multi-stakeholder event first convened in 2005 by the United Nations General Assembly. The event brings together diverse stakeholders from public and private sectors across the globe to discuss and develop internet public policy.

Speaking at an IGF panel on Encryption and Journalism sponsored by United Nations Educational, Scientific, and Cultural Organization, Rotenberg described the early "crypto wars." He said "an email service that is not encrypted end to end is not an email service. It is something else." Marc also participated in a panel discussion on the Civil Society Information Society Advisory Council and the role of civil society at the OECD. The 2016 edition of EPIC's Privacy Law Sourcebook was distributed to Latin American non-governmental organizations.

EPIC has actively participated in many international conferences on data protection and privacy policy through the Public Voice coalition, which frequently sponsors NGOs at meetings across the globe. EPIC is also a member of the civil society wing of the OECD, CSISAC. The Privacy Law Sourcebook, EPIC's international survey of privacy laws and key developments Privacy and Human Rights, and a variety of other publications are available at the EPIC bookstore.

5. Uber Expands Data Collection, Tracks Users, as Transport Services Case is Heard by European Court

Uber is now routinely tracking the location of all of its users even when they are not using its service. Meanwhile, the ride-sharing company is facing a case in the European Court of Justice that will determine whether the company will have to follow the same rules as other transportation services.

In June of 2015, Uber changed its privacy policy to allow real-time tracking of passengers even when they are not using Uber's app. The policy also said that the app could access users' address books to "facilitate social interactions" and send out promotional communications. Users and experts characterized the policy changes as overly intrusive, especially in light of Uber's other privacy protection failures such as its 2014 data breach and abuses by Uber employees of its "God View" tool.

Uber has now begun implementing the tracking foretold in its privacy policy. Earlier this month, users started receiving pop-up messages on their smartphones asking them to give the Uber app permission to use their locations even when they are not using the app. In a statement, Uber said that it would collect location data "from the time you request a trip until . . . up to five minutes after the driver ends a trip, even if the Uber app is in the background."

In Europe, the European Court of Justice recently heard arguments in a case over whether Uber should be considered a transportation service subject to labor and safety laws or a digital platform exempt from those laws. The association of taxi companies that brought the case argues that Uber is a transportation company because its customers pay it for transportation, not technical services. Uber, however, claims that it is merely a platform that allows drivers and passengers to connect with each other. Uber has also fought several lawsuits seeking to treat its drivers as employees. Although several of these cases are still pending, recent decisions in New York and Britain determined that Uber drivers must be treated as employees.

EPIC filed a complaint last year with the Federal Trade Commission after Uber announced its plan to collect location data when the app operated in the background. EPIC said that Uber had engaged in unfair and deceptive trade practice. EPIC has also recommended comprehensive legislation for Uber and similar companies.

News in Brief

Google Settles Wiretapping Suit, Shifts Scanning of Gmail Messages to Servers

Google and lawyers for a class of Gmail users have reached a settlement in a federal case concerning the company's interception of private emails. The 2015 lawsuit accused Google of violating the federal Wiretap Act and California law by surreptitiously scanning Gmail messages for advertising revenue. Google has now agreed "to eliminate any processing of email content" for advertising purposes "prior to the point" when a Gmail user can retrieve email, but scanning of Gmail users (and non-Gmail users) on Google's servers will continue. EPIC recently filed an amicus brief in a related casebefore the Massachusetts Supreme Court, calling attention to Google's "systematic data mining of millions of private email messages each day" as a clear violation of the state's Wiretap Act. EPIC has also warned of collusive settlements in consumer privacy cases that enrich lawyers and leave busies practices essentially unchanged.

European Communications Privacy Law Strengthens Rights for Internet Users

A draft of the update to the European "e-Privacy Directive" provides important new safeguards for users of Internet-based services. The new regulation will apply to all online communications services, including email, instant messaging, and social media. The updated privacy law will limit tracking and profiling of Internet users. The report notes that lax rules for companies such as Facebook and Skype, "create a void of protection of confidentiality for the users of these services." The US FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The EU Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation. The Commission's formal proposal is expected in January of 2017.

Obama Orders Review of Hacking During 2016 Election

President Obama's top homeland security advisor Lisa Monaco announced today that the Administration has asked the intelligence community to conduct a "full review" of cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered flaws in online voting reported by the Department of Defense just prior to the 2012 election.

EPIC's "Toys That Spy" Complaint Spurs Congressional Investigation

Senator Edward Markey (D-MA) has sent letters to toy maker Genesis Toys and speech technology developer Nuance Communications requesting information on their data collection from young children. The investigation follows EPIC's complaint filed with the Federal Trade Commission over "toys that spy" on children in violation of federal privacy laws. EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts to ban these toys from the marketplace. Senator Markey and Rep. Joe Barton (R-TX), joined by Senator Mark Kirk (R-IL) and Rep. Bobby Rush (D-IL), introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information.

Watchdog Report Shows Wiretap Powers Ineffective

The Justice Department's Inspector General has released the latest report to Congress on government surveillance. The report includes a review of the FBI's data collection under Section 215 of the Patriot Act, which was revised by the Freedom Act. According to the IG report, FBI agents "did not identify any major case developments that resulted from use of the records obtained in response to the [Section 215] orders." Similar findings were made by the PCLOB and the Senate Judiciary Committee: section 215 has not prevented terrorist acts. The Second Circuit ruled last year that the NSA's telephone record collection program exceeded the legal authority of Section 2015. EPIC recently obtained nonpublic IG reports through a FOIA lawsuit.

Open Government Lawsuits at Near-Record Highs in 2016

Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, complied by for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos.

Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns

The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.

EPIC in the News

• When apps collect more data, outrage is powerful -- sometimes, CNET, December 14, 2016
• Lobbying muscle may help tech titans trump Trump, Center for Public Integrity, December 14, 2016
• Uber's new tracking policy: An Improvement or just "invasive?", CBS News, December 12, 2016
• Privacy groups warn these 2 toys pose security risks for your kids, Daily Dot, December 12, 2016
• Web Toys Spied on Children, Privacy Groups Tell FTC, Bloomberg BNA, December 12, 2016
• Privacy Groups Claim These Popular Dolls Spy on Kids, Fortune, December 9, 2016
• Could 'smart' toys like 'My Friend Cayla' be spying on your children?, Today Show, December 9, 2016
• Internet-connected toys provide joy (and surveillance), Fox News, December 9, 2016
• 'Unprecedented levels of surveillance': Are your kids' toys spying on you?, PennLive.com, December 9, 2016
• Consumer Group Says Talking Dolls are Spying on Your Kids, Law Street, December 9, 2016
• These dolls are spying on your kids, consumer groups say, CNN, December 9, 2016
• Groups Say 'Spy Toys' Don't Play Well With Privacy Regs, Law360, December 8, 2016
• EPIC Recommends Privacy Standards For Automated Vehicles, JDSupra, December 8, 2016
• These Kids' Toys Could Be Spying on Consumers, Complaint Alleges, ATTN, December 8, 2016
• Playtime's over: Internet-connected kids toys 'fail miserably' at privacy, The Register, December 8, 2016
• Talking toys accused of sharing kids' secrets, CNET, December 7, 2016
• Uber is watching your smartphone's battery charge, The Register, December 7, 2016
• Uber's Location Tracking Aims to Add Safety at the Cost of Privacy, NBC4 Washington, December 7, 2016
• Your kids' toys could be spying on your family, CBS News, December 7, 2016
• FTC Complaint Focuses on Data Privacy of Internet-Connected Toys, Education Week, December 7, 2016
• You should probably still avoid toys that talk with your kids, TechCrunch, December 7, 2016
• WHAT'S APP WITH THIS? Why is Uber tracking passengers' location after their ride ends and can you opt out?, The Irish Sun, December 7, 2016
• Could your children's toys be violating their privacy?, The Boston Globe, December 6, 2016
• These Toys Don't Just Listen To Your Kid; They Send What They Hear To A Defense Contractor, Consumerist, December 6, 2016
• Privacy groups urge investigation of 'internet of toys', CIO, December 6, 2016
• Privacy Groups Take Aim at Internet Toys, Broadcasting & Cable, December 6, 2016
• 'Spy' toys face complaints from EU, US watchdogs, Phys.org, December 6, 2016
• Connected Toys Violate Children's Privacy Law, Advocates Say, MediaPost, December 6, 2016
• Do some toys threaten your child's privacy?, Atlanta Journal-Constitution, December 6, 2016
• Are smart toys spying on children?, New Statesman, December 6, 2016
• Are YOUR kids internet-connected toys being used to spy on them? Claims hi-tech gadgets 'fail to protect privacy', Daily Mail, December 6, 2016
• Talking Toys Could Be Spying On Your Children, Vocativ, December 6, 2016
• Uber is tracking your location even when rides are finished, The Telegraph, December 5, 2016
• Privacy Advocates Want Uber To Stop Tracking Users After Rides End, Buzzfeed News, December 5, 2016
• Uber can now track your location even after you've been dropped off and app is closed, The Sun, December 3, 2016
• Uber knows where you go, even after ride is over, Ars Technica, December 2, 2016
• Uber now collecting location data even after you leave a driver's car, Naked Security, December 1, 2016
• Uber Now Tracks Passengers' Locations Even After They're Dropped Off, NPR, December 1, 2016

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

December 15, 2016
"Delight & Despair Over Disruption Part II: The Post-Election Story"
CEO Leadership Summit
Marc Rotenberg, EPIC President
New York, NY

January 25, 2017
EPIC International Champion of Freedom Award Ceremony
Brussels, Belgium
January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

January 27, 2017
10^th National Symposium on Tech Crime and Electronic Evidence
Alan Butler, EPIC Senior Counsel
Toronto, ON Canada

March 3, 2017
"Disruptive Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC