EPIC Alert 24.14

1. EPIC Appeals Decision in Voter Data Case

EPIC has appealed the decision of a federal district court that declined to block the collection of sensitive voter data by the Presidential Election Commission. EPIC's case, which led the Commission to suspend the transfer of voter information three weeks ago, will now be reviewed by the U.S. Court of Appeals for the District of Columbia.

EPIC filed suit against the Commission--the first such lawsuit in the country--five days after the Commission's June 28 demand letter to state election officials. EPIC argued to the district court that the Commission failed to complete a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy.

In a decision issued last week, the district court agreed that EPIC had standing to bring its case because the Commission had "an obligation to disclose information" and because the Commission's actions "required [EPIC] to expend resources" in order to obtain a Privacy Impact Assessment. But the district court concluded that it could not halt the Commission's plan to aggregate millions of voter records because--in the court's view--the Commission is exempt from statutes that govern the conduct of federal agencies. The court noted, however, that "this determination may need to be revisited" at a later time. The court also warned the Commission must "strictly abide" by promises to only collect information that is "already publicly available" and to "de-identif[y]" voter data "to the extent it is made public."

EPIC's case will be heard on an expedited basis by the appeals court. "Absent expedited review," EPIC warned, "the Commission will be allowed to systematically amass the sensitive, personal information of the nation's voters without establishing any procedures to protect voter privacy or the security and integrity of the data." The Commission renewed its voter data request to state election officials on Wednesday.

The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017) and No. 17-5171 (D.C. Cir. docketed July 27, 2017).

2. EPIC Files FOIA Lawsuit Over Border Biometrics, Expanded Tracking

EPIC has filed a Freedom of Information Act lawsuit against Customs and Border Protection for information about the agency's deployment of a biometric entry/exit tracking system at airports, including airports in the U.S. The complaint combines three separate FOIA requests made by EPIC over the past year. The requests sought documents related to the use of facial recognition for entry programs and exit programs as well as the agency's use of iris recognition. The CBP's biometric entry-exit program seeks to track travelers, including U.S. citizens, as they enter and exit the United States. Trump's recent Executive Order regarding immigration ordered the expedited implementation of a biometric entry/exit tracking system.

CBP is partnering with airlines to test the implementation of biometric entry/exit programs. In May, JetBlue announced that the company would collaborate with CBP to test a new self-boarding process that used CBP's facial recognition technology to verify the identity of JetBlue customers on flights between Boston's Logan International airport and Aruba's Queen Beatrix International airport. The JetBlue self-boarding program uses CBP's database of passport, visa, and immigration photos and represents just one of several different trials to implement a biometric entry-exit program. Many of the trials require travelers to submit to facial recognition scans prior to boarding.

Biometric techniques, including facial recognition, lack proper privacy safeguards, but the government continues to increase its use of the technology. EPIC recently sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC described to the Committee the privacy risks of facial recognition and the increasing use of the technology despite a lack of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers.

EPIC previously sued the FBI over the Bureau's Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.

3. European Court Halts Retention, Bulk Transfer of Passenger Data

The top European Union court has struck down an agreement between the EU and Canada on the processing of airline passenger records.

In 2014, the EU and Canada signed a new agreement on the transfer and processing of Passenger Name Records (PNRs), replacing a previous 2006 agreement. The purpose of the airline data sharing agreements is to aid in counterterrorism efforts. The EU has similar data sharing agreements with other countries, including an agreement with the United States that allows data on travelers to be retained for 15 years. The new agreement between the EU and Canada permits the "systematic and continuous transfer of PNR data of all air travelers to a Canadian authority." The agreement permits that data to be retained for five years and transferred to other countries.

The Court of Justice of the European Union held that the PNR agreement violated EU law because "several of its provisions are incompatible with the fundamental rights recognised by the EU." The Court observed that PNR data could reveal itineraries, travel habits, individual relationships, financial situations, dietary habits, health information, and other sensitive personal information. "A transfer of sensitive data to Canada requires a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime," the Court wrote. The Court advised that the agreement could not be approved unless it contained additional security measures, provided more information to travelers on the details of the program, allowed for individual notification when data is used, and contained stronger oversight rules.

EPIC has criticized overbroad passenger data transfers and argued that the EU-US agreement violates the EU data protection directive. EPIC has also been critical in the increased collection of biometric information being obtained from individuals as they enter the United States and as part of the TSA Pre-Check screening process.

4. EPIC v. ODNI: EPIC Opposes Intelligence Agency Refusal to Release Russia Report

EPIC has opposed the Director of National Intelligence's refusal to release a critical government report about Russian interference with the 2016 Presidential election.

In EPIC v. ODNI, EPIC seeks the public release of the agency's report on the Russian interference. EPIC filed suit after the ODNI published only a limited, declassified version of the ODNI report in January 2017. The government claimed in court filings that it was entitled to withhold the entire Russia report. EPIC explained to the federal district court that the ODNI's failure to provide EPIC partial information cannot satisfy the Agency's obligations under the Freedom of Information Act.

EPIC stated that release is "necessary for the public to evaluate the Intelligence Community response to the Russian interference, assess threats to democratic institutions, and ensure that agencies are taking appropriate measures to protect U.S. electoral institutions against future attack." Long after the attack on U.S. democratic institutions, "significant information asymmetry between the public and its government remains," EPIC said.

EPIC v. ODNI is one of three leading FOIA suits EPIC is pursuing under the Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. In EPIC v. IRS EPIC seeks release of President Trump's Tax records. And, in EPIC v. FBI, EPIC has already obtained the Bureau's procedures for notifying organizations that are the target of a cyber attack.

5. EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases

EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases.

According to EPIC, Google collects billions of credit and debit card transactions and links that personal data to the activities of Internet users. The technique is only the latest in Google's attempts to reassure its advertisers that their money is well spent by linking ad views to purchases. In 2014, Google launched Store Visit Management, which allows AdWords advertisers to track how many customers click on search or display ads and subsequently visit a store. Google's latest technique, dubbed "Store Sales Measurement," uses credit and debit card transaction records to correlate in-store purchases with use of Google's services. Google said that it collects the payment transaction data from advertising clients, credit card companies, and "third-party partnerships" and capture about 70% of all credit and debit card transactions in the U.S.

Although Google claims that it protects online privacy with an algorithm that "de-identifies" consumers while tracking their purchases, Google refuses to reveal details of the algorithm. Google has said that its algorithm is based on CryptDB, which was developed in 2011 at MIT with Google funding. As EPIC's complaint explains, however, researchers were able to hack into a CryptDB protected database of healthcare records in 2015 and access over 50% of sensitive patient data at an individual level.

EPIC alleged that Google is engaging in unfair and deceptive trade practices by using a secret, proprietary algorithm to track purchases, by not revealing the identities of its third-party partners, and by making misleading claims about consumers' ability to opt out of Google's tracking. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy.

EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world.

News in Brief

Report Shows Increase in Open Government Lawsuits, EPIC Among Nation's Leading FOIA Litigators

A new report from the FOIA Project shows a "dramatic rise" in the number Freedom of Information Act lawsuits filed by nonprofit and advocacy groups. According to TRAC, these organizations now account for more FOIA suits than "any other single class." EPIC was the fifth most frequent litigator among nonprofit and advocacy groups nationwide. In 2017, EPIC has filed five FOIA lawsuits. EPIC is currently litigating EPIC v. ODNI, EPIC v. FBI, and EPIC v. IRS, three of the leading open government cases concerning Russian interference with the 2016 Presidential election. Last week, EPIC filed a new FOIA lawsuit against Customs and Border Protection for information about the agency's deployment of a biometric entry/exit tracking system, including at US airports. For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/.

EPIC Urges Congress to Focus on FCC and Privacy

EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC's role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal an FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections.

EPIC Opposes Commission's Renewed Request for Voter Data

EPIC has sent an Advisory to state election officials, urging opposition to the renewed request for state voter data. The EPIC Advisory follows a letter from the Presidential Election Commission to state election officials. Following EPIC's lawsuit seeking a temporary restraining order, the Commission suspended collection of the data. The court ruled on the TRO motion, which EPIC has now appealed. The recent letter falsely claims that the Commission is only seeking "publicly available information." In fact, the Commission's June 28 letter called for the release of social security numbers, criminal records, military statuses, and other personal information protected by state laws. California Secretary of State Alex Padilla, and many state election officials, have reaffirmed their opposition to the Commission's effort to gather state voter data.

EPIC to Senate Judiciary: FBI Response to Russia Attack Must Be Examined

Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election.

EPIC to Congress: Examine Facial Recognition Surveillance at the Border

EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.

EPIC's Voter Data Case Moves Forward After Court Denies Injunction

A federal district court in Washington, DC has denied EPIC's motion for an injunction against the Presidential Election Commission and declined to block the Commission's nationwide collection of voter data. As EPIC told the court last week, the Commission failed to undertake and publish a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. The court agreed that EPIC had "standing" to bring the case because the Commission had "an obligation to disclose information" and because the Commission's actions "required [EPIC] to expend resources" in order to obtain a Privacy Impact Assessment. But the court concluded that it could not halt the Commission's plan to aggregate millions of voter records because the Commission is exempt from statutes that govern the conduct of federal "agencies." The court noted, however, that "this determination may need to be revisited" at a later time. The court also warned the Commission must "strictly abide" by promises to only collect information that is "already publicly available" and to "de-identif[y]" voter data "to the extent it is made public." EPIC intends to press forward with the lawsuit, which led the Commission to suspend the collection of voter data two weeks ago. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). [Press Release]

Civil Rights, Voting Rights Groups File Suits to Block Release of Voter Data

The Texas NAACP and the League of Women Voters of Texas have filed suit against state election officials to prevent the transfer of personal voter data to the Presidential Election Commission. "The information sought by the Commission is not widely available in Texas, but instead may be released only under certain circumstances and conditions imposed by Texas's voting laws," the complaint reads. The suit notes that the state's disclosure of election records to the Commission, "even if cabined to information generally available to candidates or other organizations who are entitled to request voter information under Texas law, would undermine, and run afoul of, the State's carefully-crafted regulation of the use of voter data." The Texas case joins at least two other lawsuits--one in Florida and one in New Hampshire--seeking to block state officials from providing voter data to the Election Commission. In Washington DC, EPIC has filed suit against the Commission and is urging a federal court to issue a preliminary injunction. The Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. The Court is expected to rule on EPIC's motion shortly. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017).

70 Members of Congress Oppose Election Commission's Request for State Data

A group of more than 70 U.S. Representatives sent a letter to the Presidential Election Commission on Tuesday urging the Commission to "immediately" withdraw a nationwide request for state voter data. "The federal government has an obligation to protect the personally identifiable information of the American people," the letter reads. "We believe your June 28 request to the States would do the opposite by ignoring the critical need for robust security protocols when transmitting and storing sensitive personally identifiable information and by centralizing it in one place." As the letter notes, the Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. EPIC has asked a federal court in Washington, DC to issue an injunction against the Commission and indefinitely block the transfer of election records. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017).

FBI Warns of Privacy Risks with Internet-Connected Toys

The FBI released a Public Service Announcement warning consumers about the privacy risks of internet-connected toys. "Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions," the FBI wrote in the PSA, adding that the toys "could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed." Last year, EPIC and several consumer organizations filed a complaint with the Federal Trade Commission alleging that the "My Friend Cayla" doll violates U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves.

EPIC Calls for End to Collection of State Voter Records by Presidential Commission

In a statement today for a Forum organized by the House Judiciary Committee and the Congressional Black Caucus, EPIC President Marc Rotenberg called for an end to the efforts of the Presidential Commission on Election Integrity to gather state voter records. Rotenberg said the program was "ill-conceived, poorly executed, and most likely unconstitutional." EPIC brought suit against the Commission, charging violations of federal laws and the federal constitution, and noting also that the Commission's plan to gather data on a military site that returned error messages was pure incompetence. The Commission has since suspended the program, pending a decision by the federal court in EPIC's case. But the Commission meets this week in Washington to discuss next steps. In the prepared statement, Rotenberg said, "I hope the Commission will simply announce the termination of the program. But if it does not, EPIC will pursue its case until we obtain a favorable outcome. And we welcome the many organizations across the country that have also filed lawsuits." The case is EPIC v. Commission, No. 17-1320 (D.D.C. July 3, 2017).

EPIC in the News

• EPIC's FTC Complaint About Google, POLITICO Morning Tech, July 31, 2017
• Google told to come clean on how it tracks what you buy offline, ZDNet, July 31, 2017
• EPIC Wants FTC To Probe Google's In-Store Tracking Program, MediaPost, July 31, 2017
• Google's new program to track shoppers sparks a federal privacy complaint, Washington Post, July 30, 2017
• Trump Election Commission Renews State Voter Data Request, Bloomberg, July 28, 2017
• Voter Fraud Panel Makes Another Data Request, California Immediately Rejects, Talking Points Memo, July 27, 2017
• Trump's commission renews request for state voter data, New Hampshire Union Leader, July 27, 2017
• After court win, Trump "voter fraud panel" renews data request to states, Mic, July 27, 2017
• Colorado voter information will go to Trump's election commission next week, Denverite, July 27, 2017
• Pate welcomes election commission; notes data request 'not thought through', The Daily Nonpareil (Iowa), July 27, 2017
• Judicial Watch Leads All Nonprofit FOIA litigants, Far Ahead Of ACLU, The Daily Caller, July 27, 2017
• After legal victory, Kobach says states will be sent new letter for voter information, The Kansas City Star, July 26, 2017
• Federal judge refuses to bar collection of data by Trump's voter fraud commission, ABA Journal, July 26, 2017
• Editorial: Voters' private data should remain private, Racine Journal Times, July 26, 2017
• Judge Clears Way for Trump's Voter Fraud Panel to Collect Data, New York Times, July 25, 2017
• Federal Judge Says Trump Election Panel Can Seek Voting Data, Courthouse News Service, July 25, 2017
• Judge rules fraud commission can collect voter data, The Hill, July 25, 2017
• Journal Times editorial: Keep voters' private data private, Journal Times (WI), July 24, 2017
• New Option at Love Field Speeds You Through Security -- For a Price, Dallas Observer, July 24, 2017
• Federal judge allows Trump commission's nationwide voter data request to go forward, Washington Post, July 24, 2017
• Judge denies demand for privacy assessment on Trump voter fraud data request, POLITICO, July 24, 2017
• Court allows Trump's voter commission to proceed, Washington Times, July 24, 2017
• Trump Wins Ruling Allowing Voter Panel to Gather Information, Bloomberg, July 24, 2017
• District court refuses to block federal government voter information collection, LA Times, July 24, 2017
• Federal judge green-lights collection of voter data, CNN, July 24, 2017
• EPIC Loses Bid To Block State Voter Data Collection, Law360, July 24, 2017
• Ohio Sends US Voter Panel Links to Publicly Available Data, U.S. News & World Report, July 24, 2017
• Federal judge hands Kobach, Trump win with ruling on voter info request, Kansas City Star, July 24, 2017
• Trump voting commission wins right to collect state voter data, Ars Technica, July 24, 2017
• Trump's Absurd, Fake Voter Fraud Commission Advances After Victory Over Privacy Law in Court, Gizmodo, July 24, 2017
• Another lawsuit seeks Trump's tax returns, POLITICO, July 23, 2017
• EPIC Demands Info About Biometric Tracking At U.S. Borders, Law 360, July 21, 2017
• Texas Groups Seek to Block Release of Voter Data, Law360, July 21, 2017
• Lawyers Aren't Wizards, Slate, July 21, 2017
• On voter privacy, we've taken one step forward and two steps back, The Hill, July 20, 2017
• Trump's Voter-Fraud Commission Has Its First Meeting, The Atlantic, July 19, 2017
• The FBI Is Warning Parents About the Risks of Internet-Connected Toys Spying on Kids, Slate, July 19, 2017
• More than 3,000 Coloradans withdraw from voter registry, The Journal (CO), July 19, 2017
• Voter Fraud Panel Needn't Give Public Access, Judge Says, Law360, July 19, 2017
• Trump's voter panel responds to EPIC's lawsuit, Washington Post, July 18, 2017
• Election integrity commission says it doesn't need to make privacy assessment, Washington Times, July 18, 2017
• Trump Election Commission: A White House Team Will Handle Voter Data, BuzzFeed, July 18, 2017
• FBI warns of 'connected toy' dangers, Consumer Affairs, July 18, 2017
• Voter fraud commission urges court to allow data collection, The Hill, July 17, 2017
• Trump's voter panel responds to EPIC's lawsuit, Associated Press, July 17, 2017
• 3,700 Coloradans withdrew from voter registry in response to federal information request, Durango Herald, July 17, 2017

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy--they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

August 6, 2017 - August 8, 2017
Aspen Institute Roundtable on Artificial Intelligence
Marc Rotenberg, EPIC President
Aspen Institute
Aspen, CO

September 25, 2017 - September 29, 2017
The 39th International Conference of Data Protection and Privacy Commissioners
Marc Rotenberg, EPIC President
Hong Kong