EPIC Alert 24.18

1. EPIC Asks Courts to Halt Commission’s Collection of Voter Data and Deny Motion to Dismiss

EPIC’s lawsuit to halt the Presidential Election Commission’s nationwide collection of voter data is moving forward on two different fronts. On September 19, EPIC filed a brief in federal district court opposing the Commission’s motion to dismiss the case. And on September 22, EPIC filed a reply brief urging U.S. Court of Appeals for the D.C. Circuit to block any data collection until the Commission completes a legally required Privacy Impact Assessment.

In the district court, EPIC reminded the court that the Commission “undertook this effort to gather state voter records at a time of rampant data theft and with full knowledge that a foreign adversary had targeted the nation’s voting systems.” The Commission suspended its collection of voter data over the summer in response to EPIC’s suit, but it later resumed that process after the district court denied EPIC’s motion for a preliminary injunction.

The Commission’s collection of voter data is “facially unreasonable and violates the constitutional rights of registered voters across the country, including EPIC’s members,” EPIC added. “The Supreme Court has recognized that individuals have a right to informational privacy that is protected by the Due Process Clause of the Fifth Amendment. The Commission’s failure to provide protections for and limit the scope of collection of the sensitive personal information of American voters clearly violates this right.”

In the appeals court, EPIC explained that the Commission “has failed to produce a Privacy Impact Assessment as required by law prior to initiating a new collection of personal information” and that Congress “did not intend to preclude judicial review” of the Commission’s illegal conduct. EPIC argued that the Commission was unlawfully trying to duck its obligations as a federal agency and that EPIC had the right to seek an injunction against the Commission’s data collection.

The district court case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017), and the appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir. filed July 27, 2017). EPIC’s appeal is set to be argued before the D.C. Circuit on Tuesday, November 21.

2. Privacy Officials Adopt Resolutions on Connected Vehicles, Collaboration, and Enforcement

The 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) meeting in Hong Kong adopted three major resolutions on emerging privacy issues. Held September 25-29, the ICDPPC conference brought together data protection authorities and the data protection community to share expertise and map out the future privacy landscape.

The resolution on Data Protection in Automated and Connected Vehicles urges all parties to “fully respect the users’ rights to the protection of their personal data and privacy” at every stage of the creation and development of new automated and connected vehicle devices or services. The resolution encourages respect for the principles of privacy by default and privacy by design. It also urges all parties to give data subjects comprehensive information as to what data is collected and processed; to utilize anonymization measures; to provide easy to use privacy controls; to implement secure data storage and communication measures; and to undertake data protection impact assessments for these technologies. The resolution recommends that all parties to enter into a dialogue with the data protection and privacy commissions to develop compliance tools for connected vehicles.

The resolution on Collaboration Between Data Protection and Consumer Protection Authorities calls for joint efforts at the international level to “protect citizens and consumers in the digital economy.” Parties to the resolution agreed to find ways to improve collaboration between Data Protection and Consumer Protection Authorities and to pursue a Digital Citizen and Consumer Working Group.

The resolution on Future Options for International Enforcement Cooperation builds on the OECD Recommendations for Cross-Border Cooperation, which recommended that Member Countries cooperate across borders in the enforcement of laws protecting privacy and data protection. This resolution aims to foster data protection compliance by organizations that process personal data across borders. It encourages all privacy enforcement authorities to cooperate with each other by sharing enforcement-related information and expertise.

EPIC regularly participates in international privacy conferences through the Public Voice, a project engaging both members of civil society and government in current internet policy issues. At last year’s conference in Marrakech, EPIC President Marc Rotenberg promoted EPIC’s work on algorithmic transparency. At this year’s conference, EPIC and other NGOs held a Public Voice event in Hong Kong that included a dialogue on emerging privacy issues with data protection officials.

3. EPIC Urges Court to Protect Facebook Users' Privacy, Disputes "Consent" in Medical Data Case

EPIC has filed a “friend of the court” brief with the Ninth Circuit in Smith v. Facebook, urging the court to find that Facebook users did not consent to being tracked by Facebook when they visited healthcare websites such as cancer.net. The lower court dismissed the case, ruling that users consented to disclosing their personal data to Facebook based on the site’s terms and conditions—even when the healthcare websites specifically stated that they would not disclose personal data.

EPIC argued that “consent is not an acid rinse that dissolves common sense. And it most certainly does not dissolve a 2012 consent order between the company and the Federal Trade Commission that governs the company’s data collection practices.” Facebook has had a history of secretly changing its privacy settings to undermine user privacy, and EPIC and other consumer privacy organizations filed complaints with the FTC in 2009 and 2010 that led to the FTC’s 2012 consent order.

In this case, Facebook used advanced tracking techniques to track the plaintiffs on third-party websites that had Facebook’s “social plugins” such as the “like” or “share” button. Facebook used the medical data it obtained to deliver targeted advertisements to the plaintiffs relating to their specific medical conditions. Facebook’s third-party tracking covers roughly 55% of the most popular websites.

Facebook disclosed generally that it would “collect information when you visit or use third-party websites” in its “Data Policy” and “Cookies Policy.” These policies were buried in hyperlinks within Facebook’s already long and dense terms and conditions. The healthcare websites, however, specifically stated that they would not disclose data to third-party companies. The lower court nonetheless found that Facebook’s broad disclosures superseded the healthcare websites’ specific disclosures, and that the plaintiffs had therefore consented. EPIC argued that “such a sweeping exception to privacy law is out of step with current reality and undermines the rule of law.”

EPIC has previously filed amicus briefs in cases involving third-party tracking and targeted advertising, such as Marquis v. Google (regarding Google’s interception of e-mails) and In Re Nickelodeon (regarding Nick.com’s collection of personal data in violation of the Video Privacy Protection Act). EPIC also filed an amicus brief challenging a settlement over Facebook’s unauthorized use of personal information in its “sponsored stories.”

4. EPIC Backs Commission on Evidence-Based Policymaking, Urges Congress to Take Steps to Preserve Privacy

In a statement to Congress, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking. The statement preceded a hearing by U.S. House Committee on Oversight & Government Reform to discuss the Commission’s findings.

Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. The establishment of the Commission was a bipartisan effort intended to facilitate access to evidence that will enable Congress evaluate the effectiveness of government programs. Government agencies are often reluctant to release data due to the risk of inadvertently disclosing sensitive personal information.

The Commission's report recommends new privacy safeguards and encourages broader use of statistical data. One of the key recommendations of the report is the establishment of a new government agency called the National Secure Data Service. The agency would build on the infrastructure and expertise of the U.S. Census Bureau, which has good methods for securely conducting statistical analysis on confidential information. The report recommends transparency mechanisms that would inform the public about how the data is used and how confidentiality is preserved. These include the maintenance of a searchable inventory of projects using confidential data and regular audits of compliance with privacy rules. EPIC advisory board member Dr. Latanya Sweeney testified before the Committee, emphasizing the importance of government transparency for evidence-building activities.

EPIC submitted comments to the Commission urging the adoption of Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. Several of EPIC's recommendations were incorporated in the Commission report. The Commission’s report is a promising step toward strengthening the evidence-building capacity within the Federal government while protecting privacy and increasing transparency. Now the impetus is on Congress to act on the Commission’s recommendations.

5. Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million

A federal court in Washington, D.C. has dismissed two lawsuits against the Office of Personal Management (OPM) over a pair of data breaches that affected 22 million federal employees and family members. The OPM disclosed in 2015 that hackers had stolen troves of data on federal employees in two separate breaches. The stolen information included names, birthdates, current and former addresses, and Social Security numbers.

The American Federation of Government Employees and individual government workers filed a class action lawsuit against OPM in 2015, alleging that the breaches stemmed from gross negligence by federal officers. The victims sought damages and injunctive relief under the Privacy Act, Little Tucker Act, and the Administrative Procedure Act.

On September 19, the U.S. District Court for the District of Columbia granted OPM’s motion to dismiss the victims’ suit. The court concluded that the victims had failed identify a sufficient injury caused by OPM to give them “standing” to bring the suit. While the court acknowledged the OPM victim’s “troubling allegations,” it ruled that “the fact that a person’s data was taken” is not “enough by itself to create standing to sue.” The plaintiffs “did not allege that private information was ‘disclosed,’ as opposed to stolen” and did not allege “facts to show that their claimed injuries were the result of the agency’s failures,” the court wrote.

EPIC has long argued that data breach victims should not have to wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC filed comments last year with OPM recommending limits on data collection; has recommended updates to the federal Privacy Act; and has urged the Supreme Court to recognize a right to “informational privacy” and to ensure Privacy Act damages for non-economic harm.

News in Brief

EPIC Files Appeal to DC Circuit, Seeks Release of Trump Tax Returns

EPIC has appealed the decision of a federal district court which ruled that the IRS can withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." In response to a FOIA request from EPIC, the IRS recently acknowledged that it has used this authority 10 times in one year. But the district court said the power was a "rare bird" and concluded that "until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attack.

EPIC to Ninth Circuit: Don’t Turn the Channel on Video Privacy Case

EPIC has filed a letter brief in a video privacy case concerning ESPN’s collection of viewer data. The court in Eichenberger v. ESPN, Inc. is trying to determine whether consumers can bring lawsuits based on a violation of federal privacy law after the Supreme Court’s decision in Spokeo v. Robins, a case about “standing” to sue. EPIC filed a brief in support of Eichenberger, arguing that "the history and judgement of Congress leaves little doubt that Congress believed a violation of the Act would be a concrete injury." EPIC also explained that "a court is not empowered to override congressional judgments as to which injuries should be legally protected.” EPIC testified before the Senate about the history and purpose of the Video Privacy Protection Act. EPIC has also filed several amicusbriefs on standing to sue in consumer privacy cases.

EPIC Calls for Greater FTC Enforcement

In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. 

EPIC Urges Senate to Block Biometric Collection at U.S. Airports

EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previous pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program.

EPIC, Global Coalition Recommend Human Rights Protections for Cybercrime Proposal

EPIC joined European Digital Rights (EDRI) and a coalition of organizations to advise the Council of Europe about protecting human rights during trans-national criminal investigations. The "Global Civil Submission" states that a proposed update to the Convention on Cybercrime should include compliance with human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC opposed the U.S. ratification of the Convention on Cybercrime, citing its sweeping expansion of law enforcement authority. However, EPIC and the U.S. Privacy Coalition have long campaigned for the United States ratification "Convention 108," the International Privacy Convention.

EPIC’s Rotenberg Talks Crypto and Human Rights at Commissioners’ Conference

EPIC President Marc Rotenberg discussed encryption and human rights at the International Conference of Data Protection and Privacy Commissioners in Hong Kong. Rotenberg recounted the founding of EPIC and the campaign to stop the Clipper Chip. He also described the Apple v. FBI case and the growing need for strong security with the Internet of Things. His remarks followed the presentation of the UNESCO report on encryption. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data in Hong Kong, opened the conference.

Supreme Court to Hear Two Fourth Amendment Cases

The Supreme Court has agreed to review two Fourth Amendment car search cases. In Collins v. Virginia, the Court will decide whether police can search a vehicle parked in the driveway of a private home without first obtaining a warrant. In Byrd v. United States, the Court will decide whether a person driving a rental car loses their expectation of privacy in the vehicle solely because they are not the official driver on the rental agreement. The Court is already set to hear Carpenter v. United States this fall, a major Fourth Amendment case about warrantless searches of cell phone location data. EPIC filed a "friend-of-the-court" brief in that case urging the Court to extend Constitutional protection to cell phone data. EPIC regularly files briefs with the Supreme Court arguing for greater Fourth Amendment protections, including in Utah v. Strieff, Los Angeles v. Patel, and Riley v. California.

D.C. Court: Warrantless Tracking with "Stingray" Violates Fourth Amendment

The D.C. Court of Appeals has ruled that warrantless use of a cell-site simulator or "stingray" violates the Fourth Amendment. The court found that Stingray devices enable "officers who possess a person's telephone number to discover that person's precise location remotely and at will." The court held that the use of a Stingray invaded a reasonable expectation of privacy and thus, was a Fourth Amendment search. EPIC recently filed a brief in a U.S. Supreme Court casearguing that warrantless location tracking violates the Fourth Amendment. EPIC has also promoted oversight of Stingrays by law enforcement agencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant, and that the FBI provided Stingrays to other law enforcement agencies. EPIC has also filed amicus briefs in federal and states courts arguing that cell phone location data is protected by the Fourth Amendment.

CBP Plans to Exempt Social Media Data from Legal Protections

Customs and Border Protection has published a system of records notice for the "Intelligence Records System." The agency proposes to exempt the database from many Privacy Act safeguards. The database contains detailed personal data from social media and commercial data services. CBP will use the "Analytical Framework for Intelligence" to secretly profile and evaluate social media users. In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to U.S. travelers. EPIC is now pursuing a FOIA request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir.

End of DACA Program Poses Privacy Risks to Dreamers

The recent Department of Homeland Security memo rescinding the Deferred Action for Childhood Arrivals program creates new privacy risks for at least 800,000 individuals. At issue is the personal data provided to DHS by DACA applicants. In the 2012 Privacy Impact Assessment, the DHS stated that personal data would be "protected from disclosure to ICE and CBP for the purpose of immigration enforcement proceedings." Now that the program is set to expire, the personal data provided by DACA applicants is at risk of use for unauthorized purposes, implicating the federal Privacy Act. EPIC has long supported vigorous enforcement of the federal Privacy Act and opposed efforts that target individuals in immigrant communities.

NGOs Meet with Privacy Commissioners at Public Voice Event in Hong Kong

The Public Voice hosted an event on September 25 with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" addressed emerging privacy issues, including biometric identification, Algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers included Chairman Isabelle Falque-Pterrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating were representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.

EPIC in the News

• ESPN App User Backed By EPIC In 9th Circ. Row, Law360, October 2, 2017
• Privacy Fights To Watch At The Supreme Court, Law360, October 2, 2017
• Google, Facebook may have to reveal deepest secrets, POLITICO, October 1, 2017
• DHS Chief Can't Promise She Won't Hand Over Dreamer Data to ICE, Truthout, September 28, 2017
• High Court to rule on landmark data privacy case next week, Irish Times, September 28, 2017
• Feds Urge High Court To Uphold Cellphone Location Searches, Law360, September 28, 2017
• EPIC Backs Users In Battle Over Facebook Tracking, MediaPost, September 28, 2017
• Legal Window: US Federal Employee Information Disclosure Case stranded privacy law behind technical progress” (Chinese), Voice of America, September 24, 2017
• 22 million Americans out of luck! Judge says feds immune in massive data breach, WND, September 22, 2017
• Uber pushes privacy for iOS users with location access only when app is in use, Medianame, September 22, 2017
• Manafort wiretaps raise questions about political motives, evidence presented to FISA court, Washington Times, September 22, 2017
• Facebook’s Privacy Hokey-Pokey, Fortune, September 22, 2017
• Your Social Security number may not be secure. But how could we replace it?, Washington Post, September 21, 2017
• DOT secretary makes self-driving car privacy a footnote, WFMZ, September 21, 2017
• DOJ lets itself off the privacy hook, Naked Security, September 19, 2017
• Facebook Knows More About Russia’s Election Meddling. Shouldn’t We?, New York Times, September 17, 2017
• Trump’s Double Standard When It Comes to Privacy, Newsweek, September 16, 2017

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Film and Performances "Digital Eye"
October 16-17, 2017
Marc Rotenberg, EPIC President
Blind Whino
Washington, DC

Nordic Privacy Arena
October 23, 2017
Marc Rotenberg, EPIC President
Data Protection Forum, Stockholm, Sweden

“AI: Intelligent Machines, Smart Policies”
October 27, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

“The Convergence of Man and Machine”
November 6, 2017
Marc Rotenberg, EPIC President
Techonomy, Half Moon Bay, California

“Going Digital”
November 20, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France
 
“Tech Triumph or Bloated Bubble: Innovation, Investors & Industrial Transformation”
December 14, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, New York, NY

June 5, 2018
2018 EPIC Champions of Freedom Awards Dinner
Washington, DC