You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC Alert 26.18

EPIC Alert logo

1. In Mueller Case, EPIC Obtains Memos About Suspected Agent of a Foreign Power

As a result of its Freedom of Information Act lawsuit, EPIC v. Department of Justice, EPIC has obtained previously undisclosed memos from the Special Counsel investigation into Russian interference in the 2016 election.

One memo released to EPIC summarizes Special Counsel Mueller's investigation of a suspected "unregistered agent of a foreign government." The memo was submitted one day after the Justice Department released a redacted version of the Mueller Report. The Special Counsel previously disclosed that it investigated Paul Manafort, Rick Gates, Michael Flynn, George Papadopoulos, and Carter Page as possible foreign agents, but the Justice Department is refusing to identify the subject of the report obtained by EPIC.

EPIC also obtained a series of annual status updates from Mueller to the Attorney General, including details about the progress of the investigation and criminal charges brought by the Special Counsel.

EPIC is seeking the disclosure of the complete and unredacted Mueller Report in EPIC v. Department of Justice. A decision is expected in the case later this month. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore.

2. EPIC to Massachusetts Legislature: Establish AI Commission

EPIC Policy Director Caitriona Fitzgerald testified before the Massachusetts Legislature this month in support of proposals establishing a state Commission to examine the use of "automated decision systems."

Under H2701 and S1876, a Commission will identify all of the state's uses of artificial intelligence and make recommendations to ensure the state's reliance on algorithms is fair and transparent. If the proposal is enacted, Massachusetts will join Vermont, Alabama, New York City, and New York State in creating AI commissions since 2017.

EPIC's Fitzgerald told the Legislature that EPIC supports the provisions of the bill "requiring the commission to examine the manner by which state agencies validate and test the automated systems they use." EPIC also supports the Legislature's strong emphasis on transparency, auditability, and accountability of automated decision systems.

EPIC recommended improvements to the bill, including strengthening the publication requirement of the Commission's findings; requiring regular public input; and ensuring diversity among Commission members. EPIC also urged the state to "require access to the source code of underlying systems regardless of their creator to allow meaningful review." In March, Idaho passed a law to ensure that criminal defendants can review the data and calculations used conduct pre-trial risk assessments in their cases.

EPIC's State Policy Project seeks to ensure strong state protections for privacy and civil liberties. EPIC supports algorithmic transparency and is opposed systemic bias in "risk assessment" tools used in the criminal justice system. EPIC has filed Freedom of Information lawsuits to obtain information about "predictive policing" and "future crime prediction" algorithms. EPIC President Marc Rotenberg has called for laws that mandate algorithmic transparency and prohibit automated decision-making that results in discrimination.

3. EPIC Provides U.S. Report for Privacy Experts Meeting

EPIC has provided a comprehensive country report on the latest developments in U.S. privacy law and policy for the 66th meeting of the International Working Group on Data Protection, held this month in Brussels.

The International Working Group is comprised of data protection authorities and experts from around the world who review emerging privacy challenges, such as location tracking, DNA collection, and facial recognition. The International Working Group meets twice a year to exchange information and coordinate data protection recommendations.

The EPIC Fall 2019 report details major U.S. privacy developments, including the debate over reauthorization of the NSA call record collection program, EPIC's ranking of consumer privacy proposals, the FTC Facebook and YouTube settlements. EPIC's report also details major U.S. Supreme Court and federal court rulings on law enforcement traffic stops, scraping of personal data, a user's ability to sue Facebook for facial recognition abuses, and more. And EPIC's report highlights some of EPIC's key achievements in the field of privacy, AI policy, and data protection.

EPIC has historically provided the U.S. country report to the IWG. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

4. In Court, EPIC Argues AI Commission Broke Open Records Law

EPIC argued in federal court on Wednesday that the National Commission on Artificial Intelligence has violated the Freedom of Information Act and must immediately process EPIC's FOIA Requests to the Commission. Although the court denied EPIC's motion for a preliminary injunction, the court signaled that the Commission is subject to the FOIA and ordered expedited briefing in the case.

Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI in the United States. EPIC filed multiple requests for access to Commission meetings and records. But the Commission has operated almost entirely in secret, even as it prepares to submit recommendations to Congress and the President.

EPIC filed suit against the AI Commission last month. EPIC also asked the court to issue a preliminary injunction ordering the Commission and the Department of Defense to immediately process EPIC's records requests. The Commission is due to issue a report to Congress and the President on November 5.

"Without speedy disclosure of the requested records, EPIC will be denied its right to learn the basis of the Commission's findings, to assess the Commission's recommendations, and to meaningfully respond to the report that the Commission will release in a little over three weeks," EPIC told the court last week.

The Commission is chaired by former Google CEO Eric Schmidt and dominated by representatives of large tech firms, including Microsoft, Amazon, and Oracle. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

5. D.C. Attorney General Racine Speaks at EPIC

EPIC recently hosted D.C. Attorney General Karl Racine for a meeting with the Privacy Coalition. Attorney General Racine discussed his office's initiatives on privacy, algorithmic discrimination, and antitrust.

Last year, the Attorney General sued Facebook under the D.C. Consumer Protection Procedures Act for the mishandling of user data that led to Cambridge Analytica breach. And General Racine joined with others AGs investigating Google for anti-competitive conduct.

EPIC has filed a Consumer Protection Procedures Act lawsuit against AccuWeather, challenging the misuse of personal data of D.C. residents. EPIC also recently filed an amicus brief in support of the plaintiffs in Attias v. CareFirst, Inc, a data breach that allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer.

The Privacy Coalition is a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders.

News in Brief

EPIC Seeks Reversal of Decision Allowing FAA Drone Committee to Operate in Secret

EPIC has asked the D.C. Circuit Court of Appeals to reverse a lower court decision allowing the FAA's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit last year against the industry-dominated Committee, which has consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records that it unlawfully withheld. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees, where many drone policy recommendations were developed. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).

EPIC Joins Effort to Safeguard Federal Advisory Committees

EPIC has joined over 75 organizations urging the Administration to rescind the recent Executive Order on Federal Advisory Committees. The executive order would require the elimination of one-third of existing advisory committees. The coalition letter explains that federal advisory committees enable public participation and help hold federal agencies accountable. The groups wanted that the arbitrary elimination of advisory committees will result in fewer opportunities for the public to participate in agency decision making. EPIC recently filed an open government lawsuit against the National Commission on Artificial Intelligence to ensure that the Commission complies with advisory commission requirements. Around the time EPIC filed its lawsuit, the Commission announced a public conference and opened a Twitter account. The case is EPIC v. AI Commission, no. 19-2906 (D.D.C).

EPIC Assesses US Privacy for United Nations Periodic Review

EPIC has submitted an assessment of privacy rights and surveillance practices in the US to the UN Human Rights Council for the periodic review of US compliance with international human rights standard. After the last periodic review, the UN strongly recommended the US implement private sector and government privacy safeguards. However, EPIC told the Rights Council that the US still "lacks meaningful privacy enforcement, a comprehensive data privacy law, and has failed to curtail mass surveillance of U.S. and non-U.S. persons." EPIC also submitted a comprehensive EPIC report drafted for data protection experts from around the world. EPIC's earlier comments for a separate UN review were incorporated by the UN Human Rights Committee.

Court: Ruling in EPIC's Mueller Report Case Expected in 30 Days

Judge Reggie B. Walton said on Oct. 1 that he expects to make a ruling within 30 days in EPIC's case for the release of the complete Mueller Report. The statement came during a hearing on EPIC's lawsuit and a related case brought by CNN. EPIC brought the first suit in the nation for the release of the unredacted Mueller Report and argued for its release in August. Judge Walton also criticized the Department of Justice for the agency's slow processing of requests for Special Counsel records, saying that the purpose of the FOIA has been "totally undermined by a lack of resources." EPIC's case is EPIC v. DOJ, No. 19-810 (D.D.C.). The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore.

New Documents from Surveillance Court Reveal FBI Violated the Law When It Searched Americans' Communications

The Director of National Intelligence recently declassified several opinions from the Foreign Intelligence Surveillance Court and Court of Review concerning Section 702 of the FISA. The courts determined that the FBI violated the law when it searched for information about Americans in communications intercepted for foreign intelligence purposes. The documents also reveal that FBI repeatedly exceeded the scope of its authority to search for Americans' information. The Court of Review ruled in July of this year that the FBI must record every search of an American's data and the basis for that search. As a result of these rulings, the FBI has changed its surveillance. In January 2018 EPIC obtained a Justice Department report detailing concerns with the FBI's "backdoor searches." EPIC has long advocated for reform of U.S. surveillance laws, which do not adequately protect the fundamental rights of Americans or of individuals abroad.

California Attorney General Announces Rulemaking on California Privacy Law

The California Attorney General, Xavier Becerra, announced today a Notice of Proposed Rulemaking Action for the California Consumer Privacy Act. The proposed regulations will "establish procedures to facilitate consumers' new rights under the CCPA and provide guidance to businesses for how to comply." The California Attorney General held several public forums about the proposed regulations, and will hold four more public hearings to provide interested parties with an opportunity to comment. The deadline to submit written comments is December 6, 2019. A recent report from EPIC on privacy legislation in Congress notes that some lawmakers are seeking to preempt strong consumer privacy laws in states such as California.

Senate Report Confirms Russia Interfered in 2016 Election

The Russian government "sought to influence the 2016 U.S. presidential election" as part of a "broader, sophisticated, and ongoing information warfare campaign designed to sow discord in American politics and society," according to a report from the Senate Intelligence Committee. The bipartisan report confirms earlier findings by the U.S. Intelligence Community, Special Counsel Robert Mueller, and the Intelligence Committee itself. In EPIC v. Department of Justice, EPIC is seeking the disclosure of the complete and unredacted Mueller Report, which would provide further information about Russian election interference. A ruling is expected in the case this month. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore.

Court Requires Trump to Disclose Tax Returns to Prosecutor

A federal judge in New York is requiring President Trump to turn over eight years of personal tax returns to the Manhattan district attorney. Judge Victor Marrero rejected the President's attempt to block a grand jury subpoena for the returns, holding that the President is not immune from state criminal prosecution. "The Court cannot square a vision of presidential immunity that would place the President above the law with the text of the Constitution," the court wrote. EPIC previously sought President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President about his taxes. In EPIC v. IRS II, EPIC is seeking "offers-in-compromise" and related tax records of President Trump and his businesses.

UK Releases US-UK CLOUD Act Agreement

The UK has released the text of the US-UK CLOUD Act Agreement. The agreement permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance. In testimony before the European Parliament, EPIC International Counsel Eleni Kyriakides argued that cross-border access to personal data should ensure robust human rights protections, such as notice, judicial authorization, and transparency.

Senators Warn FTC Not to Weaken Children's Privacy Rules

Senators Edward J. Markey (D-Mass.), Richard Blumenthal (D-Conn.), Josh Hawley (R-Mo.), and Marsha Blackburn (R-Tenn.) wrote a letter to the FTC urging the Commission "to prioritize enhancing protections for kids, not advancing the interests of data collectors." The Senators criticized the agency's recent settlement with YouTube, saying "the monetary penalty provided almost no deterrence value at all and was not paired with sufficient structural injunctions to prevent future violations by Google." The FTC is reviewing the Children's Online Privacy Protection Act Rule and is seeking public comments. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law.

US and UK Sign Law Enforcement Data Access Agreement

The US and UK have signed a CLOUD Act "executive agreement," permitting cross-border access, by law enforcement agencies, to personal communications without a warrant.The agreement will enter into force within 180 days if Congress does not pass a resolution of disapproval. To form the agreement, the Attorney General must certify to Congress that the country's domestic law "affords robust substantive and procedural protections for privacy and civil liberties." Privacy rights organizations in the UK have challenged the adequacy of legal protections for communications data. EPIC has also argued in the European Data Protection Law review that the CLOUD Act fails to include key human rights protections, such as notice, judicial authorization, and transparency EPIC submitted an amicus brief in the related Supreme Court case United States v. Microsoft, pointing to fundamental rights obligations for cross-border access to personal data, and published "Digital Free for All Part Deux: European Commission Proposal on E-Evidence" in Just Security.

Top European Court Rules Global Takedown of Defamatory Content Permissible

The Court of Justice for the European Union has ruled that member states may order internet providers to remove globally content found to be defamatory. In Eva Glawischnig-Piesczek v Facebook Ireland, the Court ruled that the e-Commerce directive does not prohibit orders to remove content from all domains globally that is identical or equivalent to content found to be defamatory. However, Court said Member States must ensure measures "which produce effects worldwide take due account" of internet rules on an international level. The EPIC 2018 Privacy Law Sourcebook, a comprehensive overview of privacy laws in the US and around the world, is available in the EPIC bookstore.

Top European Court Rules Companies Must Obtain Active User Consent to Cookies

The Court of Justice for the European Union has ruled that under EU law companies must obtain active, specific consent from users to store persistent identifiers, or "cookies," on the user's device. In Planet49, the Court ruled that a pre-checked box does not constitute consent. The case was brought by the German Federation of Consumer Organisations. The European high court also ruled that companies must inform users about the duration of the cookie and whether data will be transferred to third parties. EPIC made a similar argument about consent in the first US case concerning cookies, contending that US federal wiretap law requires companies to obtain explicit consent from users for tracking.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The AI Policy Sourcebook 2019, edited by Marc Rotenberg (2019)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.

Privacy and Personal Data Protection Enforcement. Nov. 18, 2019. EPIC and the UK ICO. OECD. Paris, France. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security