The U.S. Customs and Border Protection, a component within the Department of Homeland Security, issued a final rule approving Global Entry, a traveler screening program, despite the substantial privacy and security risks brought to the agency's attention. Under the Global Entry program, the CBP collects detailed personal information, including social security numbers and biometric information, that should be subject to Privacy Act safeguards. However, the agency rejected EPIC's recommendations that it comply with the Privacy Act by limiting the distribution of information to only those that need the information for screening purposes. In EPIC's comments, EPIC also noted that CBP violated federal law by not conducting a Privacy Impact Assessment before implementing the new Global Entry program. For more information, see: EPIC: Global Entry.
In the Re-Authorization Bill for the Federal Aviation Administration, Congress has required the agency to develop rules governing the operation of drones within U.S. National Airspace. Currently, the only barriers to operation of unmanned aircraft are procedural requirements that oblige drone operators to obtain operation certificates. The FAA Modernization and Reform Act of 2012 requires the agency to conduct a public rule-making that will assess public safety concerns, licensing requirements, flight standards, and air traffic requirements. The FAA Secretary will also undertake safety studies and develop standards for "Safe Operation" in US airspace. However, the legislation does not consider the need to assess the privacy risks of the deployment of drones in US airspace. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."
On February 16, 2012, the House Committee on Homeland Security will hold a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." The hearing was called after EPIC obtained nearly 300 pages of documents, as a result of a Freedom of Information Act lawsuit, detailing the Department of Homeland Security's monitoring of social networks and media organizations. The documents included guidelines from DHS instructing General Dynamics to monitor for media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.
In response to growing concern about the impact of Google's proposed policy change on user privacy and cloud-computing services, the company said that its planned privacy changes will not apply to US federal agencies. A report from Safegov.org "Google’s New Privacy Policy Is Unacceptable and Jeopardizes Government Information in the Cloud" recommended that "Google immediately suspend the application of its new privacy policy to Google Apps For Government users." Google told POLITICO's Morning Tech "cloud contracts are crafted with 'narrow, specific obligations' on how data can be used and stored. And those data requirements in the cloud contracts trump the company's standard privacy policy."
Leading privacy officials in Europe have asked Google "for a pause" in the company's planned consolidation of user data "in the interests of ensuring that there can be no misunderstanding about Google's commitments to the information rights of their users and EU citizens. . ." EU Commissioner Vivian Reding (@VivianeRedingEU) has expressed support, tweeting "Good that Europe's data protection authorities are ensuring @Google's new privacy policy complies with EU law." EPIC has urged the United States to begin the process of ratification of Council of Europe Privacy Convention, which would establish global standards for privacy protection.
EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz.
In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised of facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition.
At a hearing before the Senate Judiciary Committee, EPIC Executive Director Marc Rotenberg is expected to make several recommendations to Congress about how to update and modernize the Video Privacy Protection Act, a law passed by Congress in 1988. Among the changes recommended, EPIC will propose that Congress make clear that the law covers all video service providers (including Netflix), allow users to inspect the information that video providers collect about them as well as the algorithms that are used to recommend selections, treat IP addresses and user IDs as "personally identifiable information," inflation-adjust the damages provision, and require companies to encrypt the data collected on users. For more information, see EPIC Video Privacy Protection.
Speaking this week at the Computers, Privacy and Data Protection conference, EPIC President Marc Rotenberg expressed support for the Council of Europe Privacy Convention. Two years ago, twenty-nine members of the of the EPIC Advisory Board, experts in privacy law and technology, sent a letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. They wrote, "privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." Speaking in Brussels, Mr. Rotenberg reiterated EPIC's support for the Convention and also called attention to recent changes that modernize and update the international privacy framework.
Eight members of Congress wrote to Google asking the company to explain the "steps [that] are being taken to ensure the protection of consumers' privacy rights." The letter follows Google's announcement that it would begin combining data gathered on consumers of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. The members' letter includes 11 specific questions ranging from the ways in which Google collects information to the specific consequences for Android phone users. In 2010, EPIC, along with other privacy groups, wrote a letter to Google about the company's decision to combine user data among 12 Google services. The groups warned that the practical effect would be to reduce privacy protection for users of Google services. For more information, see EPIC: In re: Google Buzz and EPIC: Google search.
EPIC has given the 2012 Privacy Champion Awards to Canadian Privacy Commissioner Jennifer Stoddart and privacy technologist Christopher Soghoian. EPIC called Stoddart a "steadfast defender of privacy" and cited her work to strengthen international collaboration among privacy officials. Of Soghoian, EPIC said he is "an expert technologist dedicated to privacy," and cited his ability to combine technical know-how, legal expertise, and clever campaign tactics. EPIC Champion of Freedom press release. Stoddart acceptance speech.
EPIC FOIA Note #20: 
