EPIC Alert 24.24

1. 2017 Privacy Year in Review & 2018 Privacy Issues to Watch

With 2017 officially in the books, EPIC pauses to look back on the year in privacy—and to consider the year ahead.

The American public spent much of 2017 grappling with the effects of Russian interference in the 2016 election and the threat that cyberattacks pose to democratic institutions. Meanwhile, the FAA continued to shirk its obligation to implement drone privacy restrictions; facial recognition technology was implemented at the border; and toys that spy on children hit the shelves. Equifax, for its part, breached the personal data of some 145 million Americans—just shy of the 200 million-odd voters whose personal data the Presidential Election Commission unlawfully sought to collect.

But there's reason for hope in 2018. The European Union's landmark General Data Protection Regulation is set to take effect in May, a development that could also spur changes to the Privacy Shield framework that permits the flow of European consumers' personal data to the United States. Public awareness is growing of the privacy risks posed by connected cars and "always on" devices. The Supreme Court is poised, perhaps, to recognize Fourth Amendment protections for cell phone location data when it rules in Carpenter v. United States. And Congress's decision to require a Privacy Impact Assessment before the government collects personal data appears more prescient with each passing year.

Top Privacy Stories in 2017

Democratic Institutions and Cyberattacks

If 2017 in Washington, D.C., was about anything, it was about L'Affaire Russe. The year began with two reports from U.S. intelligence agencies on Russian interference in the 2016 election cycle, witnessed the appointment of Special Counsel Robert Mueller to investigate Russian meddling, and saw social media companies get dragged before Congress to answer for the Russian ads and content promoted on their platforms—and L'Affaire has yet to end. In 2017, EPIC initiated four Freedom of Information Act lawsuits to uncover details of Russian interference and began a new "Democracy and Cybersecurity" Project. In 2018, EPIC's work to preserve democratic institutions will continue.

Equifax Breaches Data of 145 Million

In 2017, Equifax breached the personal information of 145.5 million Americans. Will Congress act in 2018? There was widespread bipartisan outrage following revelations of the breach, but it remains to be seen whether Congress will pass legislation to reform the credit reporting industry and protect American consumers.

Commercial Drones Prepare for Takeoff

The Federal Aviation Administration has cleared the runaway for commercial drones, and they are set to take off in 2018. The FAA has dodged its obligation to implement privacy safeguards, so commercial drones will be buzzing above with no privacy rules in place. But in EPIC v. FAA—set for argument on January 25—the agency will be forced to explain to the D.C. Circuit why it did not consider the privacy risks of drones as Congress intended.

Presidential Election Commission Goes After Voter Data

The Presidential Election Commission—a federal body formed to "study" election integrity issues—set off alarm bells over the summer when it unlawfully sought to collect personal voter data from all fifty states and the District of Columbia. EPIC brought suit against the Commission over its failure to conduct a Privacy Impact Assessment before collecting voter data and its violation of the constitutional right to information privacy. The Commission was forced to suspend data collection as a result of EPIC's lawsuit, and there was mounting evidence at the end of the year that the Commission had suspended activities altogether. But EPIC continues to litigate against the Commission to protect voter privacy and to bring a permanent end to its voter data collection.

Facial Recognition Unveiled at U.S. Airports

In 2017, Customs and Border Protection began testing the use of facial recognition at airports after President Trump signed an executive order to expedite the implementation of a biometric entry/exit tracking system. The use of facial recognition at airports is set to expand in 2018 despite questions about the privacy risks, the supposed need for the technology, and the technology's effectiveness. Will the government be scanning your face in the new year?

That Cute Toy Is Spying on Your Kids

The 2017 holiday season brought a renewed focus on data-collecting devices masquerading as toys for children. Internet-connected toys that can have conversations with kids—like the doll "My Friend Cayla"—might seem attractive to parents, but these toys are recording everything that your children say and are easy targets for hackers. Parents can still keep their kids entertained without these dangerous toys. (Back in the day, we used to play with Legos and GI Joes, and they sure weren't spying on us.)

Top Privacy Issues to Watch in 2018

GDPR Takes Effect

The General Data Protection Regulation (GDPR)—adopted by the EU in 2016—will take effect in May of 2018. The comprehensive law includes rules on data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EU authorities will be able to enforce GDPR for the first time in 2018, holding companies accountable for failure to comply.

Future of Privacy Shield

What happens when a group of European privacy experts sue their legislature over an important privacy deal? In 2018, we might find out. Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States, underwent its first annual joint review by the U.S. and EU in 2017. The controversial deal was approved by the European Commission, but late in 2017 the Article 29 Working Party called for a reexamination. The group said "significant concerns"—including the U.S. failure to appoint an ombudsperson to review complaints and vacancies at the Privacy and Civil Liberties Oversight Board—must be resolved by May 25, 2018 when the GDPR goes into force. If not, "the members of WP29 will take appropriate action," including litigation.

Cell Phone Location Privacy

Can law enforcement access cell phone location records without a warrant? That's the question before the Supreme Court in Carpenter v. United States, a case set for decision in 2018. The Court will determine whether the Fourth Amendment permits the government to obtain large amounts of cell phone location data without a warrant, which in turn hinges on whether an individual has a "reasonable expectation of privacy" in that data. The Court's decision could have major implications for the privacy of cell phone users, not to mention anyone who's entrusted their personal data to a third party.

Privacy Impact Assessments

From the Office of Personnel Management data breaches to the Presidential Election Commission's demand for sensitive voter information, recent events illustrate why the federal government must conduct a rigorous, public analysis of privacy risks whenever it collects personal data. Fortunately, Congress had the foresight in 2002 to require just that: section 208 of the E-Government Act mandates that agencies create, review, and publish a comprehensive Privacy Impact Assessment before any new collection of personally identifiable information. Look for this law to gain new importance and teeth in 2018, as EPIC—the nation's leading organization on Privacy Impact Assessments—redoubles its efforts to ensure that section 208 is enforced.

Connected Cars and Public Safety

As the automotive industry rolls out more and more advanced connected cars, legislators and automakers must address the cybersecurity and public safety risks that lie along the road. By 2020, it's predicted that over a 200 million connected cars will be in use in the U.S. But with the spread of automated vehicle functions that allow cars to communicate with each other, hackers will gain more points of entry to access vast amounts of personal data—and even take control of vehicles. 2018 may prove to be a watershed year for the regulation of connected cars.

'Always On' Devices

Someone's always listening. "Always on" personal assistants, like the Amazon Echo and Google Home Mini, are becoming more popular. These products are designed to always be listening, and some of them have dangerous defects that cause them to record all of your conversations. Without appropriate regulation and oversight in the coming years, big companies listening to your most intimate conversations won't just be the plot of a Black Mirror episode.

2. D.C. Circuit Refuses to Order Privacy Assessment in EPIC's Suit Against Presidential Election Commission

The U.S. Court of Appeals for the D.C. Circuit has issued a decision in EPIC's suit against the Presidential Advisory Commission on Election Integrity concerning the collection of voter data.

The appeals court held that EPIC did not have "standing" to challenge the Commission's failure to conduct and publish a privacy impact assessment prior to the collection of state voter data, which is required by federal law. The decision was surprising as the lower court held that EPIC satisfied the standing test—not once but twice. Also, the issue on appeal concerned whether the Commission was an "agency" subject to the privacy assessment obligation. The appellate court appeared to misunderstand the purpose of the law, which is to promote transparency and accountability of government agencies when they plan to collect personal data. EPIC is planning to appeal the decision.

EPIC filed its complaint and motion for an injunction in July after the Commission undertook to collect detailed state voter data without first conducting a privacy impact assessment. The personal data included home addresses, dates of birth, political affiliations, partial social security numbers, military statuses, and voter histories. This information is typically protected by state privacy laws.

EPIC's lawsuit led the Commission to suspend the collection of voter data, to discontinue the use of an unsafe computer server, and to delete the voter information that was unlawfully obtained. Even after a court determined that the Commission was not required to conduct the assessment—the issue EPIC challenged on appeal—the Commission appeared to indefinitely suspend data collection activity.

Many states and over 150 members of Congress have opposed the Commission's efforts to collect state voter data. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

3. EPIC FOIA: Court Concedes Significance of Russia Report, But Fails to Order Disclosure

A federal court in Washington, D.C. has ruled that the Office of Director of National Intelligence may withhold the Complete Assessment of Russian interference in the 2016 presidential election, sought by EPIC under the Freedom of Information Act.

EPIC filed EPIC v. ODNI to obtain public release of the intelligence community's Complete Assessment of Russian interference following the ODNI's release of a short public summary in January 2016. As EPIC made clear in its complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions."

EPIC argued that the federal agency was required to disclose the document because it contained unclassified information and because many of the report's conclusions had been released by the intelligence community in the 2016 summary. While the Court acknowledged that "the single document at issue in this Freedom of Information Act suit is of interest to a great many people, both in the United States and abroad" it ruled that "the entire report, even portions of the report that have already been released in a separate document" could be withheld by the agency. EPIC had urged the judge to undertake an independent assessment to determine whether the agency properly asserted classification authority.

EPIC v. ODNI is one of four leading FOIA cases seeking public disclosure of details of the Russian interference in the 2016 election. In EPIC v. FBI, a related FOIA suit, EPIC obtained the FBI's "Victim Notification Procedures" that were the subject of a Congressional hearing in 2017

4. EPIC Supports IRS Proposal to Limit SSN Collection

EPIC has filed comments with the IRS concerning its proposed rule that would allow employers to submit the last four digits of Social Security Numbers (SSNs) on W-2 tax forms rather than full SSNs. Due to the high risk of identity theft and financial fraud, EPIC recommended that the IRS make it mandatory to truncate SSNs on W-2s, arguing that "the use of full SSNs will create unnecessary risk for those who do not truncate their SSNs."

Widespread collection and use of the SSN in both the public and private sectors over decades has made the SSN insecure and has led to increased identity theft and fraud. Congress gave the Social Security Administration the authority to use the SSN to administer retirement benefits and gave the IRS the authority to use the SSN as a tax identification number. Despite only those two agencies having express authority to use the SSN, it has become a de facto universal identifier. Due to frequent data breaches, the SSNs of a significant portion of the public are available for sale on the dark web.

The recent Equifax breach affecting 145.5 million people—almost half of all Americans—highlights the need to limit the collection and use of SSNs. EPIC told the IRS that "experts are anticipating that the Equifax breach will lead to more tax fraud and are advising people to file their tax returns early." In October, EPIC President Marc Rotenberg testified before the Senate to call for reform of the credit reporting industry in the wake of the Equifax breach.

EPIC has participated in leading cases—Greidinger v. Davis, Beacon Journal v. Akron, and Ingerman v. IRS—involving the privacy of the SSN. EPIC has frequently testified in Congress about the need to establish privacy safeguards for the SSN, including testimony in support of a law to protect seniors from identity theft by removing SSNs from Medicare cards.

5. EPIC, Coalition Urge Action on Toys that Spy

EPIC and a coalition of consumer privacy groups called on the Federal Trade Commission and toy retailers last month to protect children from "toys that spy." The coalition's renewed call to crack down on companies that sell internet-connected toys and smartwatches comes one year after the coalition filed an FTC complaint over My Friend Cayla and I-Que Intelligent Robot—toys that recorded and analyzed children's conversations. The coalition urged the FTC "and companies that sell dangerous internet-connected toys and smartwatches to act to protect children from serious safety and security threats they pose."

The coalition statement highlights research by the Norwegian Consumer Council, which uncovered the privacy and security failings with Cayla and I-Que Robot. Many retailers worldwide have pulled these toys from their shelves, but the FTC has yet to act. In Europe, Germany has banned My Friend Calya and I-Que Robot as spying devices and instructed parents to destroy them. French authorities have demanded information from the makers of Cayla and I-Que regarding the threat these toys pose to children. In addition, the FBI has warned of the privacy risks of internet-connected toys.

Many of these toys pose hacking threats. Smartwatches for kids are marketed to allow parents to track the location of their children, but research has shown that some brands can easily be overtaken by a hacker who might prey upon a child. EPIC's Sam Lester stated in an interview with NBC's Nightly News that "a lot of these toys have no security whatsoever, allowing hackers to take control of the toy and listen in on children's conversations and even interact with them." EPIC previously supported a coalition letter asking the FTC to investigate the risks that smartwatches pose to children.

Internet-connected toys also pose serious childhood development concerns. As EPIC President Marc Rotenberg stated, "kids should play with their toys and their friends, and not with surveillance devices dressed as dolls." Recently, EPIC joined consumer groups in asking Mattel to cancel plans to sell Aristotle, an "always on" device that records the private conversations of young children. The groups emphasized that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices."

News in Brief

D.C. Circuit Sets Schedule for EPIC Case to Obtain Trump Tax Returns

The D.C. Circuit Court of Appeals has set a schedule in EPIC's case to obtain President Trump's tax returns. EPIC previously argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning financial ties to Russia, such as President Trump's tweet "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." The IRS recently admitted to EPIC that it has used this authority at least 10 times in one year. The schedule for the appeal was announced the same week that Congress finalized sweeping tax legislation, but Congress and the public remain in the dark about the consequences of the legislation on the President's personal finances. According to CNN, 73% of Americans favor release of the President's tax returns. EPIC v. IRS is one of several EPIC FOIA cases concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyberattack), and EPIC v. DHS (election cybersecurity). EPIC's opening brief in EPIC v. IRS is due January 24, 2018.

National Security Strategy Acknowledges Importance of Democratic Institutions, Privacy

The White House has released the 2017 National Security Strategy. The report underscores the importance of democratic institutions and the rule of law. The report states the "government must do a better job of protecting data to safeguard information and the privacy of the American people," and calls out "actors such as Russia [who] are using information tools in an attempt to undermine the legitimacy of democracies." The report also cautions that cyber policy must be pursued "In accordance with the protection of civil liberties and privacy." EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).

NYC Establishes Algorithm Accountability Task Force

New York City has passed the first bill to examine the discriminatory impacts of "automated decision systems." A task force will develop recommendations for how to make the city's algorithms fairer and more transparent. James Vacca, the bill's sponsor, said, "If we're going to be governed by machines and algorithms and data, well, they better be transparent." EPIC supports algorithmic transparency and opposes systemic bias in "risk assessment" tools used in the criminal justice system. EPIC has filed Freedom of Information lawsuits to obtain information about "predictive policing" and "future crime prediction" algorithms. EPIC President Marc Rotenberg has called for laws that mandate algorithmic transparency and prohibit automated decision-making that results in discrimination.

FAA Advisory Panel Recommends Remote Tracking and Identification of Drones

A federal advisory panel has issued a report with recommendations for the remote tracking and identification of drones. The FAA advisory report also says that the "FAA must review privacy considerations, in consultation with privacy experts and other Federal agencies, including developing a secure system that allows for segmented access to the ID and tracking information." EPIC backed remote identification and tracking of drones in comments on the agency's drone registration rule. EPIC also recommended privacy protections for the personal data collected for hobbyist drone users, though EPIC's recommendations go beyond the proposals contained in the advisory panel report. EPIC is currently challenging the FAA's failure to establish privacy safeguards in EPIC v. FAA, which is before the D.C. Circuit Court of Appeals. Oral arguments are scheduled for January 25, 2018.

French Privacy Agency to Block WhatsApp Facebook Data Transfers

France's data protection authority CNIL has given WhatsApp one month to stop sending user data to Facebook. EPIC and the Center for Digital Democracy urged the FTC in 2014 to mandate privacy safeguards for Facebook's acquisition of WhatsApp and warned the FTC in 2016 that WhatsApp was sending user data to Facebook, violating privacy commitments. In May, Facebook was fined $122 million for misleading the European Commission during an investigation into the Facebook-WhatsApp merger, and in October, European privacy experts warned that WhatsApp was still not complying with EU data protection law.

EPIC in the News

• Federal court rejects challenge to Trump voting commission, Washington Post, December 26, 2017
• EPIC Challenge to Voter Panel Data Collection Fails, Bloomberg, December 26, 2017
• Appeals Court Throws Out Privacy Lawsuit Against 'Voter Fraud' Panel, Talking Points Memo, December 26, 2017
• Appeals court rejects challenge to Trump voter fraud panel, The Hill, December 26, 2017
• The Wildly Popular Christmas Game That Got Mistaken for Spyware, Motherboard, December 26, 2017
• Appeals court says privacy group can't challenge Trump voter fraud panel, Washington Examiner, December 26, 2017
• Court turns back challenge to Trump's voter fraud commission, Fox News, December 26, 2017
• U.S. Appeals Court Rejects Challenge to Trump Voter Fraud Panel, US News & World Report, December 26, 2017
• Could Smart Toys be Spying on Your Kids?, NBC Nightly News, December 23, 2017
• Tagged or not, you will now know when your image is used on Facebook, Daily Democrat, December 22, 2017
• EPIC Denied Access To Russian Election Meddling Report, Law360, December 20, 2017
• Don't Get Your Kid an Internet-Connected Toy, WIRED, December 20, 2017
• Facebook Is The Enemy Now, Huffington Post, December 20, 2017
• Facebook will now notify you when your photo is uploaded but untagged, Mercury News, December 20, 2017
• Facebook wants your face data — in the name of privacy, it says, Washington Post, December 19, 2017
• Watchdogs Press FTC To Investigate Connected Toys, Smartwatches, MediaPost, December 19, 2017

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Privacy Camp
January 23, 2017
Eleni Kyriakides, EPIC International Law Fellow
Brussels Belgium

EPIC International Champion of Freedom Awards
Computers, Privacy and Data Protection (CPDP) Conference
January 24, 2018
Brussels, Belgium

'The Internet of Bodies'
Computers, Privacy and Data Protection (CPDP) Conference
January 24-26, 2018
Marc Rotenberg, EPIC President
Eleni Kyriakides, EPIC International Law Fellow
Brussels, Belgium

Free Speech and the Administrative State
Center for the Study of the Administrative State, George Mason University
January 26, 2018
Alan Butler, EPIC Senior Counsel
Arlington, VA

'UTmessan - Where everything connects'
February 2, 2018
Marc Rotenberg, EPIC President
Reykjavik, Iceland

19th Annual Privacy & Security Conference
February 8, 2018
Marc Rotenberg, EPIC President (keynote)
Victoria Conference Centre
Victoria, Canada

2018 EPIC Champions of Freedom Awards Dinner
June 5, 2018 Washington, DC