The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases.
Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy.
Today Senator Patrick Leahy (D-VT), joined by Democratic and Republican Senators, introduced legislation to end the NSA's practice of collecting telephone records of Americans. Leahy described the bill as "the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago." The USA Freedom Act would require require the government to specify specific "search terms" to obtain telephone record information. The government would have to demonstrate that it has a "reasonable, articulable suspicion" that the search term is associated with a foreign terrorist organization. The bill also requires a comprehensive transparency report for the use of FISA surveillance authorities. However, the bill exempts the FBI from certain reporting requirements. Civil liberties organizations support the bill. EPIC previously filed a Petition for Mandamus with the U.S. Supreme Court, seeking to end the bulk collection of American's phone records. EPIC's petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see In re EPIC and EPIC: FISA Reform.
The Administrative Office of the U.S. Courts has issued the 2013 Wiretap Report, detailing the use of surveillance authorities by law enforcement agencies. This annual report, one of the most comprehensive issued by any agency, provides an insight into the debate over surveillance authorities and the use of privacy-enhancing technologies. In 2013, wiretap applications increased 5%, from 3,576 to 3,395. Authorities encountered encryption during 41 investigations, but encryption prevented the government from deciphering messages in only 9 cases. This statistic contradicts claims that law enforcement agencies are "going dark" as new technologies emerge. Of the 3,074 individuals arrested based on wiretaps in 2013, only 709 individuals were convicted based on wiretap evidence. EPIC has repeatedly called on greater transparency of FISA surveillance, citing the Wiretap Report as a model for other agencies. EPIC also maintains a comprehensive index of the annual wiretap reports and FISA reports. For more information, see EPIC: Title III Wiretap Orders, EPIC: Wiretapping, and EPIC: Foreign Intelligence Surveillance Act.
EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC.
According to reports, President Obama is set to issue an executive order on drone privacy. The order would call for the development of voluntary best practices for the commercial use of drones. Senator Markey and Representative Welch immediately responded to the reports with a letter to the President urging "strong, enforceable rules - not voluntary best practices...." EPIC has testified in Congress in support of a comprehensive drone privacy law. EPIC called for drone legislation to include use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration agreed to address drone privacy issues after an EPIC-led coalition petitioned the agency two years ago. Last year, EPIC urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones.
EPIC has sent a letter to the House Committee on Oversight and Government Regulation stating that the Federal Trade Commission rarely enforces "Section 5" consent orders. EPIC also said that the Commission has never modified a consent order in response to public comments or required companies to implement the Consumer Privacy Bill of Rights. The Committee believed the Commission has gone too far to protect the privacy of American consumers. EPIC wrote "the opposite is true." Senator Rockefeller also wrote a letter, urging the Committee not to interfere in the FTC's "well-established legal authority." For more information, see EPIC: Wyndham Hotels and EPIC: FTC.
EPIC National Security Counsel Jeramie Scott has urged the Privacy and Civil Liberties Oversight Board to focus on surveillance conducted under Executive Order 12333. The Executive Order, signed in 1981, granted broad surveillance authority to the Intelligence Community with little oversight. The Order has enabled vast surveillance of Americans, but has received little attention. EPIC previously urged the Privacy Board to establish greater legal protection for metadata, increase safeguards for personal data, and minimize data collection. At the Board's first public meeting in 2012, EPIC recommended that the Board ensure Privacy Act adherence and investigate privacy concerns with the Fusion Center program, closed-circuit television surveillance, body scanners, surveillance drones, and Suspicious Activity Reporting. So far, the Privacy Board has focused almost entirely on "section 215" and "section 702" surveillance programs. For more information, See EPIC: Executive Order 12333.
EPIC has filed a Freedom of Information Act lawsuit about a controversial government data mining program, operated by the Department of Homeland Security. The "Analytical Framework for Intelligence" contains a vast amount of sensitive personal information obtained from government agencies and the private sector. The system is used by the DHS for link analysis, anomaly detection, pattern analysis, and predictive modeling. The system also incorporates "risk assessment" scores from the Automated Targeting System also operated by the DHS. EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional. The case is EPIC v. Customs and Border Protection, No 14-1217 (D.D.C. filed 7/18/2014). For more information see: EPIC: Automated Targeting System, EPIC: Open Government and EPIC: EPIC v. Customs and Border Protection (Analytical Framework for Intelligence).
EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government.
EPIC has filed a Freedom of Information Act request with the Department of Defense for records detailing the security of online voting. The agency administers the Federal Voting Assistance Program, which has promoted online voting and provided funding to states for internet voting technology. Computer scientists have expressed concern about the reliability of these systems and privacy risks for voters. At a Congressional hearing in 2012, the agency promised to release the results of security tests it had conducted on voting software by December 2012. Because the agency has failed to make the test results public, EPIC has demanded these results, as well as related documents, be disclosed. For more information see: EPIC: Open Government and EPIC: Voting Privacy.