EPIC Alert 28.02

1. EPIC to Supreme Court: Congress Empowers People to Sue When Their Privacy Rights Are Violated

EPIC has filed an amicus brief in TransUnion LLC v. Ramirez urging the U.S. Supreme Court to hold that people can sue when their privacy rights are violated—regardless of whether they allege that the violation led to other harms.

The case concerns a suit brought under the Fair Credit Reporting Act (FCRA), a federal statute that creates privacy rights for individuals to help them maintain control over their personal information. Ramirez and many others sued after TransUnion violated the FCRA, but the company argued that the plaintiffs didn't have "standing" to sue. Standing is a constitutional doctrine that dictates when federal courts have the authority to resolve cases. Other tech companies also filed a brief arguing that the Supreme Court should limit standing in privacy lawsuits.

EPIC argued that plaintiffs in privacy cases have standing to sue and that "standing was never meant to be a complicated inquiry or a substantial barrier to the vindication of legal rights. Standing is the bare minimum that is required for a court to exercise its jurisdiction."

"Courts that require proof of consequential harm are usurping the legislative role and rewriting these privacy laws," EPIC explained, because "it is not the business of courts to tell Congress which rights are enforceable, and which are not."

"Privacy rights and their corresponding obligations are only effective if they are enforceable. But enforcement through civil litigation is not possible if courts refuse to exercise jurisdiction," EPIC added.

EPIC previously filed an amicus brief in Spokeo v. Robins and frequently files amicus briefs in cases concerning standing brought under various privacy laws.

2. EPIC Targets Amazon's Deceptive User Interface in D.C. Consumer Protection Complaint

EPIC has filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process.

Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." Amazon employs dark patterns when customers attempt to terminate their Amazon Prime subscriptions, including "complicated navigation menus, skewed wording, confusing choices, and repeated nudging."

"Dark patterns are woven through the Amazon Prime cancellation process," EPIC wrote. "At every step, Amazon discourages users from unsubscribing and repeatedly nudges consumers into continuing to pay for a membership."

"As a result, Amazon inhibits many consumers from exiting a contractual relationship with the company; charges those consumers recurring fees; and continues to collect, retain, and use the personal data of misdirected Amazon Prime subscribers," EPIC explained.

EPIC's complaint calls on the D.C. Attorney General to halt Amazon's use of dark patterns. EPIC also warned the company that it is prepared to file suit under D.C.'s consumer protection law if Amazon fails to correct its unlawful business practices. EPIC recently signed onto a coalition letter urging the FTC to investigate Amazon's use of dark patterns in the Prime cancellation process.

3. AI Commission Recommends Key Safeguards But Ignores EPIC's Call for Binding AI Limits

The National Security Commission on Artificial Intelligence, an advisory committee charged with developing policy recommendations on the use of AI in national security and defense settings, issued its final report to Congress and the President last week.

The report urges the federal government to implement key safeguards on federal AI deployment, including mandating AI impact and risk assessments, updating standards for Privacy Act notices and privacy impact assessments, establishing an independent auditor for AI systems, empowering the Privacy and Civil Liberties Oversight Board to conduct AI oversight, and establishing a task force to recommend legal restrictions on the use of AI.

However, the report fails to propose any substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year. "Unless express, binding limits on the use of AI are established now, the technology will quickly outpace our collective ability to regulate it," EPIC wrote. "The Commission cannot simply kick the can down the road, particularly when governments, civil society, and private sector actors have already laid extensive groundwork for the regulation of AI." Controversially, the AI Commission's final report also fails to endorse a ban on the use of autonomous weapons.

The report was approved at the Commission's final meeting, which was publicly broadcast as a result of EPIC's open government case. EPIC successfully sued the AI Commission in order to enforce its transparency obligations, forcing the Commission to hold open meetings and disclose thousands of pages of records. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

4. EPIC to Maryland Legislators: Security Questions Need Upgrade

EPIC Policy Director Caitriona Fitzgerald testified last month before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers.

Senate Bill 185 requires financial institutions who choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions should no longer be using basic security questions.

"The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet's name," EPIC's Fitzgerald told the Committee.

But, Fitzgerald said, if security questions are going to be used, institutions should ensure that multiple question options are given and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic responses.

EPIC routinely provides testimony to Congress and state legislatures concerning emergency privacy, civil liberties, and cybersecurity issues.

5. EPIC, National Consumer Law Center Tell Court Not to Let Robocallers Off the Hook

EPIC and the National Consumer Law Center have filed an amicus brief in Lindenbaum v. Realgy urging the Sixth Circuit Court of Appeals to reject immunity for illegal robocalls made between 2015 and 2020.

The case follows the Supreme Court's decision in Barr v. American Association of Political Consultants, in which the Court held that an exception added in 2015 to the decades-old robocall restriction was unconstitutional and must be severed from the Telephone Consumer Protection Act (TCPA). As defendant in a separate robocall suit, Realgy argued that the Supreme Court's decision meant that the broad robocall ban was unenforceable for the period that the unconstitutional exception was in effect, from 2015-2020. The district court agreed and dismissed the case.

EPIC and NCLC's amicus brief argues that granting robocallers immunity "would reward those who made tens of billions of unwanted robocalls and deprive consumers of any remedy for the incessant invasion of their privacy."

"Congress has made clear that strong enforcement is essential to accomplish the goals of the TCPA," EPIC and NCLC explained. "The district court's decision to grant retroactive immunity to past TCPA violators in this case goes against Congress's clear intent and the deterrent purpose of the law."

EPIC regularly files amicus briefs supporting consumers in illegal robocall cases.

News in Brief

EPIC, ACLU, EFF Push Wisconsin Court to Limit Warrantless Forensic Searches of Cell Phones

EPIC, together with the ACLU and EFF, recently filed an amicus brief in Wisconsin v. Burch urging the Wisconsin Supreme Court to stop police from conducting warrantless forensic searches of cell phones and indefinitely retaining the data based on vague consent forms. The defendant in the case had verbally consented to a limited search of his text messages during a hit-and-run investigation. Police then asked him to sign a vague consent form that did not specify his phone would be forensically analyzed or that the data would be stored indefinitely. Police used a forensic device to download the entire contents of the phone, retained a full copy, and disclosed data that was outside the scope of his limited verbal consent to another department for use in an unrelated investigation. In their brief, EPIC, ACLU, and EFF argued that someone who consents to a limited search does not reasonably expect that police may access, copy, and store vast amounts of personal information held on their phone. These searches violate the Fourth Amendment by "enabl[ing] the State to rummage at will among a person's most personal and private information whenever it want[s], for as long as it want[s]" without a warrant. EPIC regularly files amicus briefs challenging unlawful access to cell phone data.

EPIC, Coalition Call on Biden Administration to Abandon 'Virtual Border Wall,' Invest in Migrant Communities

In letter to the Biden administration, EPIC and a coalition of 40 privacy, immigration, and civil liberties organizations urged the administration to abandon the proposed U.S. Citizenship Act of 2021 as an extension of the Trump administration's border policy. The proposed legislation would direct DHS to deploy a bevy of biometric and other surveillance technologies at points of entry and along the southern border. The letter describes how such technologies endanger the lives of migrants by pushing them onto perilous travel routes. The use of surveillance technologies at the border inevitably extends into the interior of the U.S., where the tools are deployed against protesters, communities of color, and indigenous peoples. EPIC recently urged DHS to rescind a proposed rule increasing the agency's collection of biometric information.

EPIC Obtains Key Information on Location Data Requests by Federal Prosecutors

The Department of Justice has, after more than three years, finally begun to respond to EPIC's request for cell phone surveillance orders issued by federal prosecutors. EPIC first requested copies of the orders in 2017 and then filed a lawsuit against the Justice Department in 2018 when the agency failed to respond. The agency has now begun issuing responses from five U.S. Attorneys' offices. The first response, received from the District of Delaware, revealed 150 applications and 2703(d) orders for cell phone location data from 2016 to 2019. Over that same period, federal prosecutors in Delaware handled 351 criminal cases. EPIC is still waiting for responses from four other U.S. Attorneys' offices. EPIC will maintain a comparative table as each district releases more information. Federal prosecutors do not currently release any comprehensive or uniform data about their collection of cell phone location data. In contrast, the Administrative Office for the U.S. Courts releases detailed reports each year about the use of federal wiretap authority. The U.S. Supreme Court ruled in 2018 in Carpenter v. United States that collection of cell phone location data without a warrant violated the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C).

EPIC Joins Call for NYPD to Limit Use of Surveillance Technologies

In comments to the New York Police Department, EPIC called for meaningful limits on the use of mass surveillance technologies such as facial recognition, airplanes and drones, automated license plate readers, and social media monitoring tools. EPIC also joined in coalition comments urging the NYPD to make a good faith effort to meet the requirements of the Public Oversight of Surveillance Technologies (POST) Act. The POST Act requires the NYPD to publish impact statements and usage policies for 36 surveillance technologies. The NYPD's draft policies fail to disclose necessary information including detailed data storage, retention, and auditing practices; do not name the vendors of these technologies; and gloss over systemic racial discrimination in the use of these technologies with boilerplate language. The disclosures illuminate the use of technologies by the NYPD that enable mass surveillance and carry extensive documented risks of bias and inaccuracy. EPIC leads a campaign to Ban Face Surveillance and gathered support from over 100 organizations and experts from more than 30 countries through the Public Voice coalition.

Virginia Governor Signs Consumer Data Protection Act

Virginia Governor Ralph Northam has signed the Virginia Consumer Data Protection Act into law. "It is good to see Virginia and other states taking action to protect the privacy of their residents. States have always played a key role in establishing privacy protections," EPIC Policy Director Caitriona Fitzgerald said. "But in 2021 we need a more comprehensive and proactive approach to privacy than what Virginia adopted. We need privacy laws in the United States that address current business practices and protect individuals from all forms of corporate surveillance, algorithmic unfairness, manipulative design, and discrimination. We need privacy laws that minimize the data collected about us and encourage innovation in privacy enhancing technologies. And we need robust enforcement of these rules to make sure that the underlying business practices actually change."

EPIC, Open Government Groups Urge Administration to Exercise Transparency, Adopt New FOIA Guidelines

EPIC and a coalition open government groups recently sent a letter urging President Biden to make transparency a top priority in his new administration. The President has pledged to "bring transparency and truth back to government," and advocates like EPIC intend to hold his administration accountable to these promises. The coalition called on the President to direct agencies to adopt new Freedom of Information Act guidelines that prioritize transparency and the public interest; direct the Attorney General to issue new FOIA guidance; assess, preserve, and disclose key records of the previous administration; endorse legislative improvements laws like FOIA and the Public Records Act; and seek funding increases for public records laws. The letter emphasized that "[a]s our country's history has shown us time and time again, when government secrecy proliferates, so do civil liberties violations and obstacles to democratic accountability." EPIC's Open Government Project frequently makes use of the FOIA to obtain information from federal agencies, often litigating to force disclosure of agency records that impact critical privacy interests.

EPIC Obtains More Internal Emails From AI Commission

EPIC, as part of the open government case EPIC v. AI Commission, has obtained additional records from the National Security Commission on Artificial Intelligence. The documents include further internal emails from Commission chair and former Google CEO Eric Schmidt. The Commission recently issued its final report on the use of AI in national security and defense settings. The report makes key recommendations concerning AI impact assessments and audits but fails to propose substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year. EPIC successfully sued the AI Commission in 2019 to enforce its transparency obligations, forcing the Commission to hold open meetings and disclose thousands of pages of records. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

FTC Commissioner Wilson Signals Openness to Data Privacy Rulemaking

Christine Wilson, one of four current members of the Federal Trade Commission, said recently that she is open to using the FTC's rulemaking authority to regulate data privacy. "I would hope that Congress will act, but if Congress doesn't act, maybe we do spend that time," Politico quoted Commissioner Wilson as saying during a Silicon Flatirons event. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. Acting FTC Chair Rebecca Kelly Slaughter and Commissioner Rohit Chopra have previously signaled their support for using the FTC's rulemaking authority to address consumer privacy issues.

EPIC, Coalition Call on Administration to Halt Use of Facial Recognition

In a coalition letter, EPIC and over 40 other privacy, civil liberties, and civil rights groups called on the Biden administration to (1) place a moratorium on federal use of facial recognition and other biometric technologies, (2) stop state and local governments from purchasing facial recognition services with federal funds, and (3) support the Facial Recognition and Biometric Technology Act. The coalition letter highlights the threat that facial recognition will create a panopticon of surveillance; the particular harms that people of color, women, and youth suffer from misidentification by facial recognition tools; and the widespread adoption of facial recognition without public input. Last year, EPIC and a coalition urged Congress to pass Senator Markey's Facial Recognition and Biometric Technology Act bill. In 2019, EPIC launched a campaign to Ban Face Surveillance and gathered support from over 100 organizations and experts from more than 30 countries through the Public Voice coalition.

EPIC in the News

• EPIC Urges High Court to Let Consumers Press Privacy Suits, Law 360, Mar. 10, 2021
• Privacy Violation Confers Standing, Group Argues in SCOTUS Brief, Bloomberg , Mar. 10, 2021
• How AI Will Impact The Future Of Work And Life, Forbes, Mar. 10, 2021
• FTC ripped for blacking out Facebook's privacy report, Global Data Review, Mar. 3, 2021
• Artificial intelligence panel urges US to boost tech skills amid China's rise, Chattanooga Free Press, Mar. 2, 2021
• China appears to warn India: Push too hard and the lights could go out, India Times, Mar. 1, 2021
• Schools Are Abandoning Invasive Proctoring Software After Student Backlash, VICE, Feb. 26, 2021
• FTC To Tackle 'Dark Patterns', Media Post , Feb. 25, 2021
• Brotman: Digital privacy laws should reflect our work from home pandemic lives, Roanoke News, Feb. 24, 2021
• Antitrust crusader Tim Wu likely landing in the White House, Politico, Feb. 23, 2021
• Child protection nonprofit alleges 'manipulative' upselling with math game Prodigy, NBC, Feb. 19, 2021
• Home learning maths game accused of manipulating kids, Financial Times, Feb. 19, 2021
• Why some like Apple's new privacy labels, despite their flaws, Vox, Feb. 19, 2021
• Civil rights groups ask Biden administration to oppose facial recognition, Washington Post, Feb. 18, 2021
• Virginia is about to get a major California-style data privacy law, Ars Technica, Feb. 11, 2021
• DHS Plan to Photograph All Travelers Faces Public Scrutiny, Law 360, Feb. 9, 2021
• Bipartisanship Works in State Attorneys General Lawsuits Against Big Tech's Google and Facebook, ConnPIRG, Feb. 8, 2021
• DJI and Draganfly Tried to Use the Pandemic to Get Law Enforcement to Use More Drones, Slate, Feb. 5, 2021
• There's probably creepy software on your work laptop, Telegraph Herald, Feb. 4, 2021
• Eric Schmidt's Massive Conflicts of Interest, National Legal and Policy Center, Feb. 4, 2021
• States emboldened to move on biometrics privacy legislation, Biometric Update, Feb. 3, 2021
• FTC Stands Behind Zoom Data Security Deal Despite Backlash, Law 360, Feb. 2, 2021
• FTC Finalizes Zoom Settlement, Despite Acting Chair's Dissent, Media Post , Feb. 2, 2021
• Bill addresses concerns over privacy, data security with COVID-19 tracing, monitoring, Augusta Free Press, Feb. 1, 2021
• AI vendors may have to prove systems don't discriminate, TechTarget, Feb. 1, 2021

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.