Previous Top News: 2014
- EPIC Urges FTC to Investigate Maricopa Data Breach. EPIC has filed a complaint with the Federal Trade Commission concerning the loss of personal information of almost 2.5 m current and former students, employees, and vendors in Maricopa County. According to EPIC, the District's failure to maintain a comprehensive information security program led to a "massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information." EPIC further alleges the District violated the Federal Trade Commission's Safeguards Rule by failing to protect students financial information. EPIC's complaint follows a similar complaint by DataBreaches.net. EPIC said that, "many education institutions in the United States are subject to the Safeguards Rule. The District's case is a particularly egregious example of the risk of failing to safeguard sensitive personal information." For more information, see EPIC: Student Privacy. (Sep. 29, 2014)
- EPIC Files Comments on Financial Privacy. EPIC has filed extensive comments in response to a request from the Consumer Financial Protection Bureau. EPIC urged the Bureau to limit the information debt collectors gather on consumers. EPIC advised the Bureau to prohibit debt collectors from contacting employers and others about consumer debt. EPIC also advised the Bureau to require debt collectors to protect the information they acquire and to allow consumers to see the information about hem that js collected. EPIC routinely submits comments to federal agencies, urging them to uphold the Privacy Act and protect individuals from telephone and Internet misuse. In 2004, EPIC submitted comments regarding the "CAN-SPAM" Act and the proposed National "Do Not Email" Registry. In 2006, EPIC testified before Congress regarding the Truth in Caller ID Act of 2006. And in 2009, EPIC submitted comments on the Truth in Caller ID Act of 2009, recommending a prohibition against overriding calling parties' privacy choices. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 29, 2014)
- The Year in Government Information: NSA Revelations, FOIA Developments, and More.
EPIC Senior Counsel
ABA Administrative Law Conference 2014(Oct. 17, 2014)
October 17, 2014
- Fourth Amendment & Privacy in the Digital Age: The Supreme Court's Cell Phone Cases and What's Next.
EPIC Senior Counsel
DC Bar(Oct. 2, 2014)
October 2, 2014
- Appeals Court Limits Military Surveillance of Civilian Internet Use. The U.S. Court of Appeals for the Ninth Circuit ruled in United States v. Dreyer that an agent for the Naval Criminal Investigative Service violated Defense Department regulations and the Posse Comitatus Act when he conducted a surveillance operation in Washington state to identify civilians who might be sharing illegal files. The 1878 Act prevents the U.S. military from enforcing laws against civilians. The appeals court ruled that the NCIS intrusion into civilian networks showed “a profound lack of regard for the important limitations on the role of the military in our civilian society.” The court also ruled that the evidence obtained by NCIS should be suppressed to “deter future violations.” In a petition to the Supreme Court, EPIC challenged the NSA’s surveillance of domestic communications. The NSA is a component of the Department of Defense. For more information, see In re EPIC and EPIC v. DOJ: Warrantless Wiretapping Program. (Sep. 26, 2014)
- “Eyes Over Washington” - EPIC Obtains New Documents About Surveillance Blimps. EPIC has obtained new documents detailing the Department of Army’s use of surveillance blimps over the nation’s capital. The documents include thirty heavily redacted pages of equipment descriptions and data. In May EPIC filed suit against the Department of the Army to obtain details about a sophisticated tracking and targeting system that will be deployed over Washington, DC during the next three years. JLENS is comprised of two 250' blimps. One blimp conducts aerial and ground surveillance over a 340-mile range, while the other has targeting capability including HELLFIRE missiles. The JLENS was originally deployed in Iraq. In the FOIA Request, EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. An Army spokesperson said recently that JLENS will “absolutely not” include video surveillance gear. Similar blimps have been deployed by the DHS for border security. They include video surveillance. For more information, see EPIC: EPIC v. Army - Surveillance Blimps and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Sep. 26, 2014)
- FAA Okays Hollywood Drone Use, But Privacy Safeguards Remain Grounded. The Federal Aviation Administration granted six exemptions for the commercial use of drones to companies in the film and television industry this week. The agency found that the proposed operation do not “pose a threat to national airspace users or national security.” Safety requirements include: line of site tracking, restrict flights to the “sterile area” on the set, inspection after each flight, and prohibiting operation at night. The agency is currently considering another 40 requests from various commercial entities. Currently, no privacy protections are in place to address the commercial use of drones. EPIC has testified in Congress in support of a comprehensive drone privacy law—calling for use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration to develop drone privacy guidelines after an EPIC-lead coalition petition. EPIC also urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Sep. 26, 2014)
- Apple Announces New Privacy Enhancing Techniques. The most recent product announcement from Apple, includes several privacy enhancing techniques that EPIC has favored, including randomized MAC addresses, end-to-end encryption, robust screen lock, and implementation of secure electronic payment systems. Still, EPIC has raised questions about Health Kit, which enables the collection and transfer of sensitive medical information, and the enforcement of developer guidelines. For more information, see, EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Sep. 23, 2014)
- EPIC FOIA - FBI Extends "Rap Back" Biometric Collection. EPIC has just received documents about the FBI's Rap Back program. The FBI now routinely collects biometric data for ongoing background checks on nongovernment employees. In response to EPIC's FOIA request, the FBI is currently reviewing thousands of pages about the "Rap Back" program. Rap Back is part of the FBI's Next Generation Identification initiative, one of the largest biometric databases in the world, tied to data centers managed by the Department of Homeland Security, Department of Defense, and other government agencies. EPIC previously sued the FBI for documents about the NGI database and uncovered agency acceptance of high error rates. For more information, see Spotlight on Surveillance: Next Generation Identification. (Sep. 23, 2014)
- EPIC, Coalition Call for Transparency in Public Consumer Database. In comments to the Consumer Financial Protection Bureau, EPIC and other public interest organizations urged the Bureau to publish consumer complaint narratives. The Bureau currently publishes limited complaint information on financial products and services, including debt collection and credit reports. The Bureau is now considering a plan to provide consumer perspectives on experiences with the financial industry. The consumer groups support this effort and also recommend obtaining consumer consent and removing personally identifiable information before posting the complaints. Last year, EPIC uncovered documents revealing that many student debt collection companies fail to meet legal privacy obligations. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 22, 2014)
- EPIC, Coalition Urge UN Human Rights Council to Review U.S. Spy Programs. In a joint submission to the United Nations, the Brennan Center, EPIC, and other public interest organizations urged the Human Rights Council to review U.S. surveillance programs. The Council regularly performs a Universal Periodic Review of the human rights record of UN Member States. As a result of the Council's last review, the U.S. Government committed to protect individual privacy and stop spying on citizens without judicial authorization. The coalition letter argues that U.S. has not honored this commitment and that U.S. "surveillance activities also violate the rights to privacy, freedom of expression, and the freedom of peaceful assembly and association..." guaranteed by the Universal Declaration of Human Rights. In January 2010, twenty-nine experts in privacy and technology affiliated with EPIC wrote to then U.S. Secretary of State Hillary Clinton to urge that the United States ratify the Council of Europe Convention on Privacy. For more information, see EPIC: Council of Europe Privacy Convention. (Sep. 18, 2014)
- Maine Judicial Conference.
Maine Judicial Conference
Director, EPIC Open Government Program
Rockport, ME(Oct. 30, 2014)
- "Bird's Eye View: Transatlantic Data Exposures and Regulatory Enforcement".
Director, EPIC Open Government Program
Privacy XChange(Nov. 3, 2014)
- FBI Says Biometric Database has Reached "Full Operational Capability". The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached "full operational capability." In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge the Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to "Rap Back," the FBI's ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC's recent Spotlight on Surveillance concluded that NGI has "far-reaching implications for personal privacy and the risks of mass surveillance." For more information, see EPIC: EPIC v. FBI - Next Generation identification. (Sep. 15, 2014)
- EPIC Files FOIA Lawsuit For Reports on Electronic Voting Reliability. EPIC has filed a Freedom of Information Act lawsuit to obtain test reports about an online voting program promoted by the Department of Defense. The records sought relate to the functionality and security of electronic voting systems. The California Secretary of State, Members of Congress, and voting rights advocates have tried to obtain these documents, but DOD has kept them secret even after promising public disclosure in 2012. Computer scientists have long warned about the risks of electronic voting systems. In the complaint, EPIC states that "it is absolutely critical for the documents sought in this matter be disclosed prior to further deployment of e-voting systems in the United States." The case is EPIC v. Department of Defense, No 14-1555 (D.D.C. filed 9/11/2014). For more information, see EPIC: EPIC v. DOD - E-voting Security Tests. (Sep. 11, 2014)
- EPIC, Legal Scholars, Technical Experts Urge Federal Appeals Court to Safeguard Telephone "Metadata". EPIC has filed an amicus curiae brief, joined by 33 technical experts and legal scholars, in support of a challenge to the NSA telephone record collection program. The case Smith v. Obama will be heard by the Court of Appeals for the Ninth Circuit this fall. Earlier this year, a lower court ruled that the Fourth Amendment does not protect telephone call record information because of a 1979 case Smith v. Maryland. In the brief for the federal appeals court, EPIC wrote that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." EPIC routinely participates as a friend of the court in cases raising novel privacy and civil liberties issues. For more information, see EPIC: Smith v. Obama, EPIC: Riley v. California, and EPIC Amicus Briefs. (Sep. 10, 2014)
- FTC To Explore "Big Data" and Discrimination. The Federal Trade Commission will host a workshop entitled "Big Data: A Tool for Inclusion or Exclusion?" The FTC will explore the effects of "big data" analytics on low-income and other underserved communities. Several members of the EPIC Advisory Board will be participating. Earlier this year, the FTC published a report on data brokers, warning that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." The White House also convened a task force and published a report on "big data" this year. At EPIC's urging, the White House included public participation in the review process. EPIC submitted extensive comments, warning about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: FTC. (Sep. 10, 2014)
- "FOIA For Attorneys: Getting Maximum Value from the Freedom of Information Act".
Director, EPIC Open Government Project
New York County Lawyers Association(Sep. 12, 2014)
New York City
September 12, 2014
- Pew Survey: Users Online Self-Censor Discussion of Government Surveillance. According to the Pew Research Report "Social Media and the 'Spiral of Silence,'" most users of social media are afraid to talk about government surveillance on Facebook, Twitter, and other social platforms. Users were more willing to share their views on government surveillance if they thought others shared the same view. Those who thought they held minority views were more likely to self-censor—an effect known as the "spiral of silence." In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. A subsequent Congressional hearing led the DHS to cancel the program. For more information, see EPIC v. DHS: Media Monitoring and EPIC: Public Opinion on Privacy. (Sep. 9, 2014)
- Education New York Urges Parents to Protect Student Privacy. Education New York, a leading student privacy rights organization, is urging students and parents to opt-out of the use of educational records for marketing purposes. The data typically includes name, address, telephone number, birth date, and other personal information in student records. Education New York’s founder Sheila Kaplan stated, "I'm thrilled that with greater awareness of the issues, more parents have been joining the fight for students’ privacy rights." EPIC has long supported stronger privacy protections for student records. In 2012, EPIC sued the Education Department concerning changes to the student privacy law. Earlier this year, EPIC a hosted panel in Washington DC with Senator Ed Markey, "Failing Grade: Education Records and Student Privacy." For more information, see EPIC v. the Department of Education and EPIC: Student Privacy. (Sep. 8, 2014)
- EPIC (Finally) Obtains Memos on Warrantless Wiretapping Program. More than eight years after filing a Freedom of Information Act request for the legal justification behind the "Warrantless Wiretapping" program of President Bush, EPIC has now obtained a mostly unredacted version of two key memos (OLC54) and (OLC85) by former Justice Department official Jack Goldsmith. EPIC requested these memos just four hours after the New York Times broke the story about the program in December 2005. When the agency failed to release the documents, EPIC filed a lawsuit. The ACLU and the National Security Archive later joined the case. These two Office of Legal Counsel memos offer the fullest justification of the warrantless wiretapping program available to date, arguing that the president has inherent constitutional power to monitor American's communications without a warrant in a time of war. But some parts of the legal analysis, including possibly contrary authority, are still being withheld. The warrantless wiretapping program was part of "Stellar Wind," a broad program of email interception, phone record collection, and data collection undertaken by the NSA without the approval of Congress. For more information see EPIC: EPIC v. DOJ: Warrantless Wiretapping Program. (Sep. 8, 2014)
- UPDATE-Army Backs Off Plan for DC Surveillance Blimp. According to the Washington Post, the Department of Army will not deploy video surveillance cameras over the nation's capital. The announcement follows the release of documents to EPIC in a Freedom Information Act lawsuit. The blimps provide radar-based aerial surveillance and targeting capabilities. A recent video by the contractor Raytheon revealed that 24/7 video surveillance feed is easily incorporated. An Army Spokesperson told the Post that the blimps will "absolutely, 100 percent" not include video capacity. A similar EPIC FOIA case against the Bureau of Customs and Border Protection revealed that drones are designed to incorporate advance video surveillance gear even when not initially deployed. For more information, see EPIC: EPIC v. Army - Surveillance Blimps, EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones, and EPIC: Freedom of Information Act Litigation. (Sep. 8, 2014)
- Federal Trade Commission Orders Google to Refund Parents $19 Million for Unauthorized Charges. The Federal Trade Commission has reached a settlement with Google over allegations that the company unfairly charged parents millions of dollars for their children's in-app purchases. The settlement mandates that Google provides full refunds for unauthorized purchases. The FTC agreement will be subject to public comments. Comments are due October 6, 2014. The Commission has previously settled charges with Apple and sued Amazon for charging parents for their kids unauthorized in-app purchases. Previously EPIC has urged the FTC to require companies subject to privacy consent orders to adhere to the Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Search Engine Privacy. (Sep. 5, 2014)
- Federal Communications Commission Fines Verizon $7.4 Million for Violating Consumer Privacy. Verizon will pay the Federal Communications Commission $7.4 million to settle claims that the company violated the privacy rights of nearly two million consumers. The FCC found that Verizon failed to inform consumers of their privacy rights, including how to prevent their personal information from being used for marketing purposes. The Verizon payment is the largest consumer privacy settlement in FCC history. In 2013, EPIC urged the FCC to investigate Verizon's disclosure of customer record information to the NSA. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: Customer Proprietary Network Information, EPIC: NCTA v. FCC (Concerning privacy of CPNI), EPIC: US West v. FCC (Privacy of Telephone Records), and In re EPIC (NSA Telephone Records Surveillance). (Sep. 4, 2014)
- Home Depot Data Breach Exposes Millions of Credit Card Records. A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft. (Sep. 4, 2014)
- EU Launches Investigation Into Facebook Acquisition of WhatsApp. Antitrust officials in the European Union have begun an investigation into Facebook's acquisition of the messaging service WhatsApp. WhatsApp gained popularity based on its pro-privacy approach to user data. Following the announcement of Facebook's plan to acquire the company, EPIC filed two complaints with the Federal Trade Commission, urging the FTC to block the sale unless adequate privacy safeguards for WhatsApp users were established. The Commission then notified Facebook and WhatsApp that they must honor their privacy commitments to users but questions remain about future business practices. Now European antitrust regulators have served Facebook with a questionnaire of more than 70 pages to determine whether the merger violates European antitrust laws. For more information, see EPIC: In re WhatsApp, and EPIC: FTC. (Sep. 2, 2014)
- Privacy and Security 4.
EPIC Consumer Protection Counsel
TPRC 42nd Research Conference on Communication, Information and Internet Policy(Sep. 13, 2014)
September 13, 2014
- Federal Judge - Google Privacy Settlement "Fails Smell Test". A federal judge reviewing a proposed class action settlement in a case concerning Google's disclosure of user data to third parties has said "it doesn't pass the smell test." A coalition of consumer privacy organizations, including EPIC, urged the judge to reject the settlement because it required no substantial change in Google's business practices and provided no benefit to class members. The consumer privacy organization wrote to the judge when the settlement was first proposed and again last week, before the final fairness hearing. The groups cited the skepticism expressed by Supreme Court Chief Justice John Roberts about a similar privacy settlement. The consumer privacy groups also alerted the FTC Class Action Fairness Project and the California Attorney General about the pending settlement. For more information, see EPIC: Search Engine Privacy. (Sep. 2, 2014)
- EPIC FOIA Case - Army Blimps over Washington Loaded with Surveillance Gear, Cost $1.6 Billion. EPIC has received substantial new information about the surveillance blimps, now deployed over Washington, DC. The documents were released to EPIC in a Freedom of Information Act lawsuit against the Department of the Army. The documents also reveal that the Army paid Raytheon $1.6 billion. EPiC will receive more documents about the controversial program In October. For more information, see EPIC: EPIC v. Army - Surveillance Blimps and EPIC: Freedom of Information Act Litigation. (Aug. 29, 2014)
- Consumer Privacy Organizations Urge Judge to Reject "Privacy Settlement". EPIC, joined by leading consumer protection organizations, has asked a federal judge to reject a proposed class action settlement in In re Google Referrer Header Litigation. The settlement requires no substantial change in Google's business practices and provides no benefit to class members. EPIC wrote to the same judge last year when the settlement was first proposed, urging him not to approve. The Federal Trade Commission and the California Attorney General have opposed a similar settlement. And the Chief Justice of the US Supreme Court has expressed deep skepticism about settlements that provide no benefits to class members. The judge in the Google care will rule on the settlement August 29. For more information, see EPIC: Search Engine Privacy, and EPIC: FTC. (Aug. 27, 2014)
- OECD Experts on International Security Guidelines.
OECD(Oct. 27, 2014)
October 27, 2014
- International Working Group on Data Protection and Telecommunications.
Bundesrat(Oct. 14, 2014)
October 14-15, 2014
- OECD Forum of the Knowledge Economy.
Ministry of Internal Affairs(Oct. 2, 2014)
October 2, 2014
- European Facebook Users Privacy Lawsuit Moves Forward. A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook. (Aug. 26, 2014)
- Security Experts: EPIC Correct About Body Scanners-Invasive and Ineffective. The first independent analysis of backscatter x-ray body scanners corroborate the claims EPIC and others have made for several years: The scanners are invasive and ineffective. In a detailed report published in 2005, EPIC warned that the x-ray body scanners amounted to a virtual strip search and were an ineffective means of airport security. Freedom of Information Act documents later obtained by EPIC revealed that TSA could disable the body scanner's privacy settings, the nude images could be stored on the machines, and the scanners ran on a standard operating system making them vulnerable to outside security threats. EPIC and a coalition of civil liberties organizations then petitioned DHS Secretary Napolitano to suspend the program. When the DHS failed to do so, EPIC sued the agency. The D.C. Circuit Court of Appeals ruled in EPIC v. DHS that the agency must begin a public rule making. The backscatter X-ray scanners were subsequently removed from US airports. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology. (Aug. 22, 2014)
- Department of Transportation Seeks Public Comment on Connected Cars. The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things. (Aug. 21, 2014)
- Congress Investigates Airline Privacy Practices. Senator John Rockefeller (D-WV) is currently seeking information from ten U.S. airlines concerning how airlines safeguard consumer traveler data. Senator Rockefeller has requested information regarding: (1) the type of information airlines collect; (2) airlines' data retention periods; (3) airline privacy and security safeguards governing consumer information; (4) whether consumers may access and amend their information; (5) whether airlines sell or disclose consumer information and if so, to whom do they disclose the consumer data; and (6) how airlines inform consumers about airline privacy policies governing consumer information. EPIC routinely urges the Department of Homeland Security to provide privacy protections for air travelers and end the agency's secret "risk-based" passenger profiling. For more information, see EPIC: Air Travel Privacy, EPIC: Passenger Profiling, EPIC: Secure Flight, and EPIC: EPIC v. DHS (Suspension of Body Scanner Program). (Aug. 20, 2014)
- Senator Schumer Calls On Regulators to Make Fitness Data Private. Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools. (Aug. 14, 2014)
- Documents Obtained by EPIC Lawsuit Show NSA’s Internet Metadata Program Was Sharply Criticized By FISA Judges While Congressional Oversight Lagged for Years. In a FOIA lawsuit against the Department of Justice, EPIC has obtained many documents about the NSA's Internet Metadata program. These include the Government's original FISA application seeking authorization to collect data from millions of e-mails, as well as declarations from NSA officials describing the program. The documents show that FISA Court Judge John Bates chastised the agency for "long-standing and pervasive violations of the prior [court] orders in this matter.'' The FISA Court first authorized the program in 2004, but the documents obtained by EPIC show that the legal justification was not provided to Congress until 2009. The documents also reveal that the DOJ withheld information about the program in testimony for the Senate Intelligence hearing prior to the reauthorization of the legal authority. The program was shut down in 2011 after a detailed review. For more information, see EPIC v. DOJ (FISA Pen Register) and EPIC: Foreign Intelligence Surveillance Court. (Aug. 12, 2014)
- Privacy Interests: Big Data, UAVs and SNS.
Privacy Interests: Big Data, UAVs and SNS
Director, EPIC Open Government Project
The Judge Advocate General's Legal Center and School(Aug. 13, 2014)
August 13, 2014
- Federal Trade Commission Responds to EPIC Regarding Google Settlement. The Federal Trade Commission has responded to EPIC's letter urging the agency to oppose a collusive Google class action settlement. The agency stated that it "systematically monitors compliance" with its consumer protection orders and that it "takes alleged violation[s] of an order seriously," but that it cannot publicly disclose details of its investigations until a formal complaint is issued. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations urged the Commission to formally object because the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution." The agency has a history of filing objections - it filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 7, 2014)
- EPIC Demands Report Detailing CIA's Surveillance of Congress. EPIC has filed a Freedom of Information Act request for the Central Intelligence Agency Inspect General's report detailing the agency's surveillance of the Congressional Intelligence Committee. In March 2014, Senator Dianne Feinstein (D-CA), head of the Senate Intelligence Committee, publicly accused the CIA of secretly removing documents from the Committee, searching computers used by the Committee, and attempting to intimidate congressional investigators by requesting a Federal Bureau of Investigation inquiry of their conduct. The Committee had been investigating the CIA's torture program. After Senator Feinstein publicly accused the agency of spying, the CIA's Inspector General conducted an investigation and concluded that the agency's actions had been improper. However, the Inspector General has failed to the actual report public. EPIC has demanded a copy of the full report, as well as associated documents. For more information see: EPIC: FOIA Cases and EPIC v. CIA (Domestic Surveillance). (Aug. 7, 2014)
- Consumer Privacy Organizations Oppose Farcical Class Action Settlement. EPIC, along with a group of consumer privacy organizations, has asked the Federal Trade Commission to object to an unfair class action settlement in California federal court. In 2010, Google was sued for sharing user web browsing information with advertisers. Under the proposed settlement agreement, Google will distribute several million dollars to a handful of organizations, many of which already have ties to the company. EPIC and other privacy organizations have argued that the proposed agreement "confers no monetary relief to class members, compels no change in Google's behavior, and misallocates the cy pres distribution" to organizations that are "not aligned with the interests of class members and do not further the purpose of the litigation." The consumer groups, who have already written to the court opposing the settlement, urged the Federal Trade Commission to object as well. The agency filed a similar objection in Fraley v. Facebook, an unfair class action settlement in the Ninth Circuit. For more information, see EPIC: FTC and EPIC: Search Engine Privacy. (Aug. 5, 2014)
- EPIC Sues FBI for Missing Privacy Reports. EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Federal Bureau of Investigation's surveillance programs. The agency is required to conduct privacy impact assessments when it collects and uses personal data. However, the Bureau has failed to publicly release privacy impact assessments for many of its programs, including facial recognition, drones, and license plate readers. According to the E-Government Act and Justice Department guidelines, all privacy assessments should be made public if practicable. EPIC, joined by a coalition of organizations, recently urged the Attorney General to immediately conduct a privacy assessment of the FBI's Next Generation Identification (NGI) program. The NGI program collects massive amounts of biometric data on U.S. citizens. For more information, see EPIC: EPIC v. FBI - Privacy Assessments. (Aug. 1, 2014)
- EPIC Seeks Information About Secret Surveillance Authority. EPIC has filed a series of Freedom of Information Act requests for documents related to the Government's collection of private communications data under Executive Order 12333. EPIC is seeking secret policies that govern the collection of Internet data by U.S. intelligence agencies outside of the United States. Former government officials have warned that these procedures allow the government to spy on Americans in violation the Fourth Amendment. The Washington Post also reported last year that the NSA had infiltrated private communications held on servers abroad. EPIC's requests to the Attorney General, the Director of National Intelligence, the NSA and other intelligence agencies will help to shed light on these invasive programs. For more information, see EPIC: Executive order 12333. (Aug. 1, 2014)
- DC Circuit Rules for EPIC in Case Against NSA, Vacates Lower Court Ruling That Secret Order Is Not Subject to FOIA. The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases. (Jul. 31, 2014)
- Senators Markey and Hatch Introduce Student Privacy Legislation. Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (Jul. 30, 2014)
- Senator Leahy Introduces Bill to End NSA Bulk Record Collection. Today Senator Patrick Leahy (D-VT), joined by Democratic and Republican Senators, introduced legislation to end the NSA's practice of collecting telephone records of Americans. Leahy described the bill as "the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago." The USA Freedom Act would require require the government to specify specific "search terms" to obtain telephone record information. The government would have to demonstrate that it has a "reasonable, articulable suspicion" that the search term is associated with a foreign terrorist organization. The bill also requires a comprehensive transparency report for the use of FISA surveillance authorities. However, the bill exempts the FBI from certain reporting requirements. Civil liberties organizations support the bill. EPIC previously filed a Petition for Mandamus with the U.S. Supreme Court, seeking to end the bulk collection of American's phone records. EPIC's petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see In re EPIC and EPIC: FISA Reform. (Jul. 29, 2014)
- Federal and State Wiretaps Up 5% in 2013 According to Annual Report, But Stats Don't Support FBI Claims of "Going Dark". The Administrative Office of the U.S. Courts has issued the 2013 Wiretap Report, detailing the use of surveillance authorities by law enforcement agencies. This annual report, one of the most comprehensive issued by any agency, provides an insight into the debate over surveillance authorities and the use of privacy-enhancing technologies. In 2013, wiretap applications increased 5%, from 3,576 to 3,395. Authorities encountered encryption during 41 investigations, but encryption prevented the government from deciphering messages in only 9 cases. This statistic contradicts claims that law enforcement agencies are "going dark" as new technologies emerge. Of the 3,074 individuals arrested based on wiretaps in 2013, only 709 individuals were convicted based on wiretap evidence. EPIC has repeatedly called on greater transparency of FISA surveillance, citing the Wiretap Report as a model for other agencies. EPIC also maintains a comprehensive index of the annual wiretap reports and FISA reports. For more information, see EPIC: Title III Wiretap Orders, EPIC: Wiretapping, and EPIC: Foreign Intelligence Surveillance Act. (Jul. 29, 2014)
- EPIC, Consumer Groups Challenge Facebook on Web Snooping. EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC. (Jul. 29, 2014)
- Developing Policies for the Internet of Things.
"Developing Policies for the Internet of Things"
Aspen Institute Communication and Society Program(Aug. 13, 2014)
Aug 13-16, 2014
- The Privacy Class Action Landscape.
American Bar Association(Aug. 8, 2014)
August 8, 2014
- Obama Drone Order Fails to Safeguard Privacy. According to reports, President Obama is set to issue an executive order on drone privacy. The order would call for the development of voluntary best practices for the commercial use of drones. Senator Markey and Representative Welch immediately responded to the reports with a letter to the President urging "strong, enforceable rules - not voluntary best practices...." EPIC has testified in Congress in support of a comprehensive drone privacy law. EPIC called for drone legislation to include use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration agreed to address drone privacy issues after an EPIC-led coalition petitioned the agency two years ago. Last year, EPIC urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Jul. 25, 2014)
- EPIC Tells Congress FTC Does Not Enforce Consent Orders. EPIC has sent a letter to the House Committee on Oversight and Government Regulation stating that the Federal Trade Commission rarely enforces "Section 5" consent orders. EPIC also said that the Commission has never modified a consent order in response to public comments or required companies to implement the Consumer Privacy Bill of Rights. The Committee believed the Commission has gone too far to protect the privacy of American consumers. EPIC wrote "the opposite is true." Senator Rockefeller also wrote a letter, urging the Committee not to interfere in the FTC's "well-established legal authority." For more information, see EPIC: Wyndham Hotels and EPIC: FTC. (Jul. 25, 2014)
- EPIC Urges Privacy Board to Address Concerns About 12333 Surveillance Authority. EPIC National Security Counsel Jeramie Scott has urged the Privacy and Civil Liberties Oversight Board to focus on surveillance conducted under Executive Order 12333. The Executive Order, signed in 1981, granted broad surveillance authority to the Intelligence Community with little oversight. The Order has enabled vast surveillance of Americans, but has received little attention. EPIC previously urged the Privacy Board to establish greater legal protection for metadata, increase safeguards for personal data, and minimize data collection. At the Board's first public meeting in 2012, EPIC recommended that the Board ensure Privacy Act adherence and investigate privacy concerns with the Fusion Center program, closed-circuit television surveillance, body scanners, surveillance drones, and Suspicious Activity Reporting. So far, the Privacy Board has focused almost entirely on "section 215" and "section 702" surveillance programs. For more information, See EPIC: Executive Order 12333. (Jul. 22, 2014)
- EPIC Files Lawsuit For Details of Government Profiling System. EPIC has filed a Freedom of Information Act lawsuit about a controversial government data mining program, operated by the Department of Homeland Security. The "Analytical Framework for Intelligence" contains a vast amount of sensitive personal information obtained from government agencies and the private sector. The system is used by the DHS for link analysis, anomaly detection, pattern analysis, and predictive modeling. The system also incorporates "risk assessment" scores from the Automated Targeting System also operated by the DHS. EPIC has urged the suspension of the risk assessment system, arguing that the use of such factors as race and nationality in a government database is unconstitutional. The case is EPIC v. Customs and Border Protection, No 14-1217 (D.D.C. filed 7/18/2014). For more information see: EPIC: Automated Targeting System, EPIC: Open Government and EPIC: EPIC v. Customs and Border Protection (Analytical Framework for Intelligence). (Jul. 18, 2014)
- EPIC Uncovers Complaints from Education Department about Misuse of Education Records. EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government. (Jul. 18, 2014)
- EPIC Seeks Government Report about Security of Internet Voting. EPIC has filed a Freedom of Information Act request with the Department of Defense for records detailing the security of online voting. The agency administers the Federal Voting Assistance Program, which has promoted online voting and provided funding to states for internet voting technology. Computer scientists have expressed concern about the reliability of these systems and privacy risks for voters. At a Congressional hearing in 2012, the agency promised to release the results of security tests it had conducted on voting software by December 2012. Because the agency has failed to make the test results public, EPIC has demanded these results, as well as related documents, be disclosed. For more information see: EPIC: Open Government and EPIC: Voting Privacy. (Jul. 18, 2014)
- Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study. Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 17, 2014)
- Privacy Rights In the Age of Drones: The Role of States.
EPIC National Security Counsel
Midwestern Legislative Conference(Jul. 16, 2014)
July 16, 2014
- Global Survey: Widespread Opposition to US Communications Surveillance, Drones. A new survey from Pew Research finds overwhelming opposition to the US monitoring of emails and phone calls. There appears to be little variation by region or culture, with high levels of opposition found in countries in Europe, South America, Asia, and the Middle East. According to the survey "Global Opinions of U.S. Surveillance," the four countries that believe US surveillance is acceptable are the United States, the Philippines, India, and Nigeria. A related Pew Survey found widespread opposition to drone strikes. For more information, see EPIC: Public Opinion on Privacy. (Jul. 16, 2014)
- Pew Research Publishes "Net Threats" Report. The Pew Research Internet Project has released a "Canvassing of Experts" that finds growing concerns about the future of the Internet. According to the report, current trends could "sharply disrupt the way the Internet works for many users." Among the threats identified: state censorship, surveillance, diminished user trust, commercialization and centralization. EPIC President Marc Rotenberg pointed to the growing concentration of the Internet industry and said "There should be many information sources, more distributed, and with less concentration of control....We need many more small and mid-size firms that are stable and enduring." For more information, see EPIC: Public Opinion on Privacy. (Jul. 16, 2014)
- FTC Sues Amazon Over Billing for Childrens' In-App Purchases. The FTC has filed a lawsuit alleging that "Amazon.com, Inc. has billed parents and other account holders for millions of dollars in unauthorized in-app charges incurred by children." FTC Chairwoman Edith Ramirez said, "Amazon's in-app system allowed children to incur unlimited charges on their parents' accounts without permission. Even Amazon's own employees recognized the serious problem its process created." The FTC recently settled similar charges with Apple. In that case, the FTC charged Apple with "billing consumers for millions of dollars of charges incurred by children in kids' mobile apps without their parents' consent." Under the terms of the settlement, Apple must provide a refund for affected consumers and must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for items sold in mobile apps. Previously, EPIC filed a complaint with the FTC over Amazon's collection of children's data. EPIC explained that Amazon was violating the Children's Online Privacy Protection Act by allowing children to post content, including personally identifiable information, without their parents' permission. EPIC currently has several complaints pending with the FTC. For more information, see EPIC: FTC. (Jul. 11, 2014)
- EPIC Defends FOIA Victory in Federal Appeals Court. EPIC has filed a brief in response to an appeal by the Department of Justice in EPIC v. DHS, concerning the government policy to disrupt cellular networks. EPIC won a major FOIA victory when a federal district court ruled that the DHS could not withhold "SOP 303," a government procedure to shut down cellular phone service. EPIC sought the policy after authorities shut down cell phone service at a peaceful protest in San Francisco. The government argued it did not need to release the document to EPIC because it was a "law enforcement technique" and because it would endanger the physical safety of an individual. The federal court rejected those arguments and ordered that the document be disclosed to EPIC, pending a decision on the appeal. For more details, see EPIC v. DHS—SOP 303. (Jul. 8, 2014)
- EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint. EPIC has filed a formal complaint to the Federal Trade Commission concerning Facebook's manipulation of users' News Feeds for psychological research. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has charged that the study violates a privacy consent order and is a deceptive trade practice. In 2012, Facebook subjected 700,000 users to an "emotional" test with the manipulation of News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In the complaint, EPIC explained that Facebook's misuse of data is a deceptive practice subject to FTC enforcement. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 3, 2014)
- Congress May Cut Funding For Surveillance Blimps Over DC. The Department of the Army is seeking $54 million to fund the Joint Land Attack Cruise Missile Defense Elevated Netted Sensor System, or JLENS. The request is part of the Fiscal Year 2015 Defense Budget that Congress is currently considering. The system consists of long-range surveillance technologies and targeting capabilities including HELLFIRE missiles. JLENS was originally deployed in war zones in Iraq and Afghanistan. The Army wants to test the system in Washington, DC, but the program has come under scrutiny by Congress because of cost overruns. EPIC recently filed a Freedom of Information lawsuit against the Army, seeking more information about the JLENS program. For more information, see EPIC: EPIC v. Army - Surveillance Blimps. (Jul. 3, 2014)
- 23rd Annual Aspen Institute Roundtable on Information Technology.
Director, EPIC Student Privacy Project
EPIC Administrative Law Counsel
Aspen Institute(Jul. 7, 2014)
July 7 - 10, 2014
- Privacy Panel Backs PRISM Program. In a surprising report, the US Privacy and Civil Liberties Oversight Board has endorsed the US government's routine collection of the Internet activities of non-US persons, broadly referred to as the "PRISM Program." The NSA obtains this information from Internet companies located in the United States. The Board cited the value of the program and compliance with the law, but said little about the impact on non-US persons. EPIC opposed a similar program concerning the collection of domestic telephone records in a petition to the US Supreme Court last year. EPIC has also said that the collection of communications by the US should be subject to international privacy law, such as the International Covenant on Civil and Political Rights. It is anticipated that foreign countries will continue to transfer cloud-based services away from US firms because of the lax privacy safeguards in the United States. For more information, see EPIC: In re EPIC and EPIC: International Privacy Standards. (Jul. 3, 2014)
- FTC Releases 2014 Data Security Update, But Enforcement Questions Remain. The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz. (Jul. 1, 2014)
- Attorney General Supports Privacy Act Protections for E.U. Citizens. Speaking in Athens at a meeting between US and EU officials, Attorney General Eric Holder announced that the Obama Administration will work with Congress to extend Privacy Act protections to E.U. citizens. Mr. Holder stated, "the Obama Administration is committed to seeking legislation that would ensure that...EU citizens would have the same right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information, as would a U.S. citizen under the Privacy Act." EPIC has previously recommended that Privacy Act safeguards be extended to non-US persons. iIn 2012, EPIC also urged Congress to update the Privacy Act. In 2011, EPIC filed a "friend of the court" brief in the Supreme Court, arguing that the Privacy Act provides damages for mental and emotional harm. EPIC routinely submits comments to federal agencies, urging enforcement of Privacy Act protections. For more information, see EPIC: The Privacy Act of 1974 and EPIC: FAA v. Cooper. (Jul. 1, 2014)
- FAA, Park Service Ground Drones, Cite Safety Concerns. The Federal Aviation Administration released a proposed Special Rule for Model Aircraft which will prohibit the use of drones for the delivery of packages and other commercial services. At the end of last year, Amazon had raised the prospect of delivering packages via drones. The agency has requested comments on the proposal. A recent Washington Post series highlighted numerous close encounters between commercial aircraft and small drones, as well as many incidents were drones fell from the sky. The National Park Service has prohibited the use of drones in national parks, citing safety concerns. Last year, EPIC urged the Federal Aviation Administration to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (Jun. 30, 2014)
- Supreme Court Rejects Google's Street View Appeal. The U.S. Supreme Court has denied a petition from Google to reverse the decision in the Google Street View case. In Joffe v. Google, Internet users sued Google for intercepting private communications, including passwords, medical records, and financial information, of millions of users across the country. EPIC filed a friend of the court brief in support of Internet users, arguing that Wi-Fi communications are not "readily accessible to the general public," and that companies should not intercept communications of private residential networks. The Ninth Circuit agreed and found that the wiretap exception for access to "radio communications" does not apply to Wi-Fi networks. More than twelve countries have investigated Google for its collection of private Wi-Fi data, and at least nine countries have found that Google violated their national wiretap laws. For more information, see EPIC: Joffe v. Google and EPIC: Investigations of Google Street View. (Jun. 30, 2014)
- FTC Ignores Public Comments on Safe Harbor Settlements. The Federal Trade Commission has settled charges against fourteen companies that misrepresented compliance with the EU-US Safe Harbor privacy arrangement. In response to the FTC's request for public comment on the pending settlements, EPIC recommended that the Commission: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. However, the FTC declined to make any changes. EPIC has previously stated that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." An Irish Court has recently asked the European Court of Justice to determine whether the Safe Harbor Arrangement still provides adequate protection for EU consumer. For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Jun. 27, 2014)
- Unanimous Supreme Court Upholds Privacy Rights of Cell Phone Users. The Supreme Court ruled today that a warrantless search of a cell phone violates the Fourth Amendment, even when it occurs during a lawful arrest. The Court's decision in Riley v. California makes clear that "a search of the information on a cell phone bears little resemblance to the type of brief physical search" allowed in the past. The Court said "Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee's person." EPIC, joined by 24 legal scholars and technical experts on the EPIC Advisory Board, filed a friend of the court brief, arguing that cell phones contain a wealth of sensitive personal data, and that officers can reasonably secure phones while they apply for a warrant to search them. EPIC wrote, "Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." The EPIC brief was cited by the Supreme Court in its decision. For more information, see EPIC: Riley v. California. (Jun. 25, 2014)
- Defense Agency Adopts Favorable Open Government Rules After EPIC Comments. The Defense Logistics Agency, an agency component within Department of Defense, has amended its Freedom of Information Act rules. EPIC submitted extensive comments on the initial proposal. EPIC said that several of the proposals are contrary to law, exceed the scope of the agency's authority, and should be withdrawn. The final rule incorporates many of EPIC's recommendations. For example, DLA revised several key definitions, including "administrative appeal," "adverse determination, and "consultation," and modified its general FOIA policy to promote agency transparency. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Jun. 25, 2014)
- Coalition to Attorney General: Review FBI's Massive Biometric Database. EPIC, EFF, ACLU, Defending Dissent, and a coalition of over 30 organizations have urged Attorney General Holder to immediately conduct a privacy assessment of the FBI's proposed "Next Generation Identification" system. NGI is a massive database that includes biometric identifiers, such as digitized fingerprints and facial images, of millions of Americans. The system is set to go fully operational despite a required privacy assessment. EPIC previously sued the FBI to obtain details about the system. According to a FOIA document obtained by EPIC, the FBI accepts a 20% error rate for facial recognition searches of the Next Generation Identification database. Last year, EPIC also obtained documents from the FBI regarding the use of facial recognition on state DMV photos. For more information, see EPIC's Spotlight on Surveillance on FBI's Next Generation Identification Program. (Jun. 25, 2014)
- Senators Leahy and Cornyn Introduce FOIA Reform Bill. A bipartisan Freedom of Information Act reform bill was introduced today by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX). The FOIA Improvement Act of 2014 addresses chronic problems with overuse of exemptions by federal agencies, excessive fee assessments, and the culture of secrecy. The bill will codify a "presumption of openness" in the processing of FOIA requests. The bill will require agencies to weigh the public interest in disclosure against the agency’s interest in secrecy before withholding documents such as Office of Legal Counsel memos. The FOIA Improvement Act will also close a loophole that agencies have used to make requesters pay excessive fees, even when the agency takes years to process the request. EPIC has recommended many of these reforms. EPIC specifically recommended proposed changes to the "(b)(5)" exemption. For more information see: EPIC: FOIA Cases. (Jun. 25, 2014)
- The Digital Self: Current Issues in Privacy.
EPIC Appellate Advocacy Counsel
Chautauqua Institution(Jul. 7, 2014)
- US-German Cyber Dialogue;Ensuring Security and Freedom.
Federal Foreign Office(Jun. 27, 2014)
June 27, 2014
- Federal Appeals Court Releases "Drone Killing" Memo, EPIC Filed Amicus. The Court of Appeals for the Second Circuit today made public the legal analysis justifying the Administration's controversial "targeted killing" drone program. The action follows an earlier ruling by the federal appeals court in New York Times v. Department of Justice. The government had argued that this memo could not be disclosed under the Freedom of Information Act because it was a privileged "deliberative" document. But the plaintiffs explained that the government relied on the analysis to defend the program and that it operated as secret law. EPIC filed an amicus brief, supported by seven open government organization, arguing that under the FOIA such a legal opinion by the Justice Department cannot be a deliberative documents. The federal appeals court agreed, and has now released the opinion to the public. Last week, in EPIC v. NSA the Department of Justice released to EPIC NSPD-54, the President Directive concerning cybersecurity. For more information, see EPIC: New York Times v. DOJ and EPIC v. DOJ - Warrantless Wiretapping Program. (Jun. 23, 2014)
- Freedom of Information Act Modernization Federal Advisory Committee Inaugural Meeting.
Director, EPIC Open Government Project
National Archives(Jun. 24, 2014)
June 24, 2014
- EPIC with Civil Society Urge OECD to Examine "Dominant Internet Firms". Speaking at a high level meeting on Internet Policy Making, EPIC President Marc Rotenberg urged the OECD to examine the impact dominant Internet firm may have on the future of innovation and freedom. Citing the Charter of the OECD Civil Society Council, Rotenberg said "dominant Internet firms are moving to consolidate their control over the Internet. It is vitally important for the OECD to develop a better understanding of the challenge industry consolidations pose to the open Internet." The OECD is well known for the International Privacy Guidelines and is currently updating the Security Guidelines, which establish a global framework for managing cyber risks. A Ministerial meeting meeting will be held in Mexico in 2016. For more information, see CSISAC, EPIC - OECD Privacy Guidelines, OECD Security Guidelines. (Jun. 23, 2014)
- Obama Renews Unlawful NSA Bulk Record Collection Program. Today the Attorney General and the Director of National Intelligence announced that the President will seek a renewal of the court order authorizing the NSA's bulk collection of American telephone records through September 12, 2014. The President has chosen to renew this order despite his promise in March 2014 to end the bulk collection program and the widespread opposition from members of Congress, and the recommendations of expert panels. The Attorney General's statement suggests that "legislation would be required" to end the program, but it was the President's decision to seek renewal of the Foreign Intelligence Surveillance Court order. EPIC, along with 25 other privacy organizations, wrote a letter to the President last week urging him not to renew the order. Last summer, EPIC petitioned the Supreme Court to end the NSA's telephone record collection program. EPIC's argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC. (Jun. 20, 2014)
- EPIC Seeks Records on FTC "Sign-off" for Facebook Changes. EPIC has filed a FOIA request with the Federal Trade Commission, seeking records related to Facebook's decision to collect users' internet browsing history for advertising purposes. Previously, Facebook collected user data from facebook.com and mobile apps. Now, Facebook plans to collect user data from sites all over the web. Facebook claims that the FTC was briefed about the change beforehand. However, the plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. Through the FOIA request, EPIC seeks information about the FTC's review of Facebook's plans to monitor users. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: Practical Privacy Tools. (Jun. 20, 2014)
- US Federal Court Upholds "Right to be Forgotten" for Seized Data. A federal appeals court ruled that the government violated the Fourth Amendment when investigators searched computer files that had been seized in an unrelated investigation more than two and a half years earlier. The Second Circuit found that the government has a duty to delete all files not responsive to the original warrant and cannot indefinitely retain data "for use in future criminal investigations." This rule imposes a data minimization requirement on law enforcement investigators and is similar also to the much discussed "right to be forgotten." EPIC argued in favor of the data minimization principles adopted by the Ninth Circuit in US v. Comprehensive Drug Testing. For more information, see United States v. Ganias, EPIC: Quon v. City of Ontario, CA and EPIC: Code of Fair Information Practices. (Jun. 20, 2014)
- Senate Cybersecurity Information Sharing Bill Proposed. Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity. (Jun. 20, 2014)
- Coalition to President: End NSA's Bulk Collection Program Now. EPIC and a coalition of 25 organizations urged the President and the Attorney General to end the NSA's bulk record collection program when the current authority expires on June 20. In January, the President committed to "end the Section 215 bulk metadata program as it currently exists." The coalition letter states, "[t]he NSA's Bulk Metadata program is simply not effective." Both the Privacy and Civil Liberties Oversight Board report and the President's Review Group report found the NSA's bulk collection to be ineffective. EPIC petitioned the Supreme Court to end the NSA's bulk collection of telephone records after the program was revealed last summer. EPIC's petition argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC. (Jun. 17, 2014)
- On Privacy, New Survey Places US Attitudes Among EU Countries. One of the most comprehensive surveys of privacy ever undertaken finds US attitudes toward privacy remarkably similar to those of Europeans. The survey of 15 countries on privacy, and tradeoffs consumers are prepared to make, placed the US squarely in the middle of European countries, roughly between France and Italy on one side and Germany and the Netherlands on the other. The survey looked at current concerns and support for new laws in countries around the globe. According to EMC, "only 27% say there are willing to trade some privacy for greater convenience." A large majority of respondents (81%) expect privacy will decrease in the next five years. But 9 out of1 0 respondents want new laws to limit the sale of personal data. Concerns about privacy and support for new laws is somewhat greater in the US than in other countries. For more information, see EPIC - Public Opinion on Privacy. (Jun. 16, 2014)
- Canadian High Court Holds Internet Use Protected by Constitutional Privacy Right. The Supreme Court of Canada has ruled that police conducted an unconstitutional search when they used an IP address to obtain subscriber information from an Internet Service Provider without legal authorization. The Court also found Canada’s personal information protection law does not require ISPs to disclose subscriber information to law enforcement. In its analysis, the Court described information privacy as "control over, access to and use of information." The Court stressed that "anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable searches and seizures." Two recent opinions from the European Court of Justice have firmly established the right of information privacy law in EU law. EPIC has urged the US Supreme Court to recognize the right of information privacy and also to safeguard the right of anonymity. For more information, see EPIC: NASA v. Nelson, EPIC: Watchtower Bible v. Stratton, EPIC: Internet Anonymity and EPIC: Search Engine Privacy. (Jun. 13, 2014)
- Facebook to Profile User Browsing, May Violate FTC Consent Order. Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
- Won't Someone Please Think of the Children? Kids and Privacy in the Modern World.
Won't Someone Please Think of the Children? Kids and Privacy in the Modern World
Director, EPIC Student Privacy Project
Computers, Freedom, and Privacy Conference 2014(Jun. 10, 2014)
June 10, 2014
- Senate to Hold Homeland Security Oversight Hearing. The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 10, 2014)
- Apple Announces New Privacy-Enhancing Techniques in iOS 8. Apple has announced new privacy-enhancing techniques that will limit the ability of third parties to track Apple mobile devicesi. Specifically, iOS8 will use "random, locally administered MAC addresses," instead of unique device IDs, to connect to the Internet. Mobile phones can now be tracked by law enforcement and private companies because of the unique MAC address associated with the device. In 2004 when the adoption of IPv6 raised privacy concerns, EPIC recommended that MAC addresses be randomized to avoid tracking. The change in the Apple iOS implements this proposal. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Jun. 10, 2014)
- EPIC Urges FTC to Protect Snapchat Users' Privacy. EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendation for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014)
- Fifteenth Annual Institute on Privacy and Data Security Law.
EPIC Appellate Advocacy Counsel
Practising Law Institute(Jun. 17, 2014)
New York, NY
June 17, 2014
- EU Progress on Data Protection. Speaking in Luxembourg this week, EU Commissioner Viviane Reding said that the EU Council moved forward two key data protection goals in 2014. First, there is "agreement on the rules that govern data transfers to third countries." Second, "Ministers agreed on the territorial scope of the data protection regulation. In simple words: EU data protection law will apply to non-European companies if they do business on our territory." Ms. Reding said the EU is on track to ensure "the completion of the Digital Single Market by 2015. For more information, see EPIC - EU Data Protection Directive, EPIC - Council of Europe Privacy Convention and EPIC - "23 US NGOs Support EU Data Protection Regulation." (Jun. 9, 2014)
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity. After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority). (Jun. 6, 2014)
- EPIC Urges Extended Relief for Driver Privacy Claims. EPIC has filed a "friend of the court" brief in McDonough v. Anoka County, a case involving the Driver's Privacy Protection Act. That law protects the privacy of driver record information held by state Department of Motor Vehicles. EPIC argued that a court was wrong to dismiss legal claims before people knew that their information was improperly disclosed by the DMVs. EPIC said that courts should follow the "discovery rule" so that victims can bring cases after they learn their personal information has been impermissibly accessed. EPIC has frequently defended this important federal privacy law. For more information, see EPIC - Reno v. Condon, EPIC - DPPA, EPIC - Maracich v. Spears, and EPIC - Gordon v. Softech Int'l. (Jun. 6, 2014)
- EPIC Open Government Director Appointed to FOIA Advisory Committee. EPIC Open Government Project Director Ginger McCall has been appointed to the federal government's Freedom of Information Act (FOIA) Modernization Committee. The Committee's goal is to advise on ways to improve the administration of FOIA. It will have 20 members - 10 from within government and 10 from outside of government - and will chaired by Office of Government Information Services director Miriam Nisbet. The first meeting of the Committee will be held at the National Archives and Records Administration in Washington, DC on June 24, from 10:00AM to 1:00PM. For more information see: NARA: Modernizing FOIA and EPIC: FOIA Cases. (Jun. 6, 2014)
- EPIC, Partners Draft Model FOIA Regulations. EPIC, together with Citizens for Responsibility and Ethics in Government, the National Security Archive, and Openthegovernment.org, has drafted model Freedom of Information Act regulations. Under the National Action Plan, the Department of Justice has been tasked with creating a uniform set of FOIA regulations that would apply across the government. EPIC’s model FOIA regulations are designed to make it easier for FOIA requesters to obtain agency documents, favorable fee status, and expedited processing. They would also create a balancing test that agencies would need to satisfy before asserting Exemption 5 for internal agency memos. The model FOIA regulations have received the endorsement of more than 25 transparency and accountability groups. For more information, see ModelFOIAregs.org and EPIC: Open Government. (Jun. 6, 2014)
- EPIC Celebrates 20 Years, Gives Awards to Anita Allen, Justin Amash, The Guardian, and Edward Snowden. On June 2, 2014, EPIC celebrated 20 years of privacy advocacy with an awards dinner in Washington, DC. EPIC gave the 2014 EPIC Champions of Freedom Awards to Congressman Justin Amash, The Guardian, and Edward Snowden Anita Allen received the EPIC Lifetime Achievement Award. Bruce Schneier hosted the event. EPIC President Marc Rotenberg delivered remarks. For more information, see Announcement of EPIC creation in 1994. (Jun. 5, 2014)
- Seventh Annual Privacy Law Scholars Conference.
Director, EPIC Student Privacy Project
EPIC Administrative Law Counsel
George Washington School of Law(Jun. 5, 2014)
June 5-6, 2014
- Report - Half of American Adults Data Hacked So far This Year. A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint. (May. 29, 2014)
- DHS Privacy Complaints Increase in 2013, Many Databases Kept Secret. The Department of Homeland Security Quarterly Report to Congress details programs and databases affecting privacy. According to the agency, DHS received 964 privacy complaints between September 1, 2013 and November 30, 2013. By contrast, DHS received 295 privacy complaints during the same period in 2011. According to the report, most DHS systems complies with Privacy Act notice requirements. However, the report also indicates that the DHS maintains many databases with personally identifiable information that lack required Privacy Act notices. For more information, see EPIC: Department of Homeland Security Chief Privacy Office and Privacy. (May. 27, 2014)
- "Internet Policy and Governance".
"Internet Policy and Governance"
OECD(Jun. 20, 2014)
June 20, 2014
- "Toward an Internet Bill of Rights".
"Toward an Internet Bill of Rights"
Italian Parliament(Jun. 16, 2014)
June 16, 204
- "Unstoppable Right/Left Convergence: Civil Liberties".
Carnegie Institute(May. 27, 2014)
May 27, 2014
- FTC Report on Data Brokers Fails to Address Consumer Privacy Concerns. The Federal Trade Commission has published "Data Brokers: A Call for Transparency and Accountability." The report follows from a FTC Investigation of the data broker industry. The report describes the unbounded collection of personal information about American consumers that is then widely sold in the private sector. The Commission recommended modest legislative changes and failed to address many of consumers' privacy concerns, including profiling and "scoring" of consumers. Commissioner Julie Brill issued a statement, calling for more substantial consumers safeguards. Senators Rockefeller and Markey have also introduced The Data Broker Accountability and Transparency Act of 2014 (DATA Act), which would regulate data brokers and other companies that profit from the sale of consumer information. In 2005, EPIC testified before the the House Commerce Committee on "Identity Theft and Data Broker Services" and Urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC. (May. 27, 2014)
- EPIC Defends Commercial Driver Privacy. EPIC has submitted comments on a proposed Commercial Driver's License Drug and Alcohol Clearinghouse. Under a new law, employers of commercial drivers will be required to report drug and alcohol test results to the Clearinghouse. Employers will also be required to check the database for test results on drivers. EPIC's comments urged the Transportation Department to: (1) require anyone reporting test results to immediately correct errors and notify employers and potential employers of the inaccurate data; (2) revoke Clearinghouse registration and access for those who fail to comply with Clearinghouse rules; (3) clarify that in addition to the administration petition process, individuals may still amend their records pursuant to the Privacy Act; and (4) implement privacy enhancing techniques like data deletion and anonymization. For more information, see EPIC: Workplace Privacy. (May. 27, 2014)
- House Adopts Weakened NSA Reform Bill, Senators Now Look to Improve Privacy and Transparency Protections. The U.S. House of Representatives has voted to adopt a modified USA "FREEDOM" Act. The bill no longer prohibits bulk collection of communications records. Other key provisions were also removed. Senator Leahy said that the bill is "an important step towards reforming" surveillance authorities, but expressed disappointment that the current version "does not include some of the meaningful reforms contained in the original" bill. In 2013 EPIC filed a Petition to the Supreme Court seeking to end bulk collection of telephone call records. EPIC also testified before the House in 2012 that the FISA should not be renewed without adoption of new reporting requirements. For more information, see EPIC: FISA and EPIC: FISA Reform. (May. 23, 2014)
- Google Plans Advertising on Appliances, Including Nest Thermostat. In a letter to the Securities and Exchange Commission, Google announced plans to place targeted ads on Google-controlled appliances. Google wrote that "a few years from now, we and other companies could be serving ads and other content on refrigerators, car dashboards, thermostats, glasses, and watches, to name just a few possibilities." The proposal raises significant privacy concerns for the "Internet of Things." Earlier this year, EPIC warned the FTC about Google's acquisition of Nest Labs, makes of a smart thermostat, that "Google regularly collapses the privacy policies of the companies it acquires." Nonetheless, the Commission approved Google's acquisition without further review. For more information, see EPIC: In re: WhatsApp, EPIC: Google/Doubleclick and EPIC: FTC. (May. 22, 2014)
- Consumer Reports: 85% of Shoppers Oppose Internet Ad Tracking. According to a recent study by Consumer Reports, consumers overwhelmingly object to having their online activities tracked for advertising purposes. The report found that 85% of consumers would not trade even anonymized personal data for targeted ads. Additionally, 76% of consumers said that targeted advertising adds "little or no value" to their shopping activities. For more information, see EPIC: Public Opinion on Privacy, EPIC: Privacy and Consumer Profiling, EPIC: Online Tracking and Behavioral Profiling, EPIC: Practical Privacy Tools. (May. 20, 2014)
- Senate Judiciary Committee Hearing on FBI to Consider Drones, Facial Recognition. The Senate Judiciary Committee's oversight hearing of the FBI will take place of Wednesday, May 21. This is the first FBI oversight hearing since James Comey took over as Director. At the last oversight hearing, Director Mueller admitted that the FBI uses drones for domestic surveillance. The FBI promised to establish privacy guidelines but has failed to do so. The FBI has also failed to address the privacy implications of license plate readers and facial recognition technology. The FBI's Next Generation Identification program, a massive biometric system, is set to go fully operational this year; yet the agency has not established civil liberties safeguards. The database will employ facial recognition, iris recognition, and voice recognition. Documents obtained by EPIC under the FOIA indicate the agency is prepared to accept a 20% error rate for recognition techniques. For more information, see EPIC v. FBI - Next Generation Identification. (May. 20, 2014)
- Sprint Pays FCC A Record $7.5M For Violating Do Not Call. Sprint has reached a $7.5 million settlement with the Federal Communications Commission for violations of the Do Not Call national registry. It is the FCC's largest Do Not Call settlement ever. The settlement follows a 2011 consent decree between Sprint and the FCC which also arose out of complaints from Do Not Call registrants. Under the terms of the current settlement, Sprint must develop a compliance plan, and file two years of compliance reports with the Commission. Additionally, Sprint must designate a Do Not Call Compliance Officer and retrain all employees. EPIC has spent 20 years helping to establish and enforce the Telephone Consumer Protection Act. In 2002, EPIC and ten leading advocacy groups filed comments to both the FCC and the Federal Trade Commission, advocating the creation of the Do-Not-Call Registry. EPIC has also recommended that Congress establish a National Do Not Track registry for online consumers. For more information, see EPIC: Do Not Call Registry Timeline, EPIC: Illegal Sale of Phone Records, and EPIC: Federal Trade Commission. (May. 20, 2014)
- EPIC Testifies on Student Privacy before California State Assembly. EPIC's Student Privacy Project Director Khaliah Barnes testified before the California State Assembly Education Committee and Select Committee on Privacy, on "Ensuring Student Privacy in the Digital Age." EPIC's testimony: (1) explained how the U.S. Education Department’s regulations encourage mass collection of student data; (2) described the privacy risks that students today face; (3) underscored the need for data security safeguards for states, schools, and private companies accessing student information; and (4) recommended that California adopt EPIC's Student Privacy Bill of Rights. Earlier this week, Senators Markey and Hatch proposed bipartisan student privacy legislation. For more information, see EPIC: Student Privacy. (May. 16, 2014)
- Senators Markey and Hatch Propose Student Privacy Legislation. Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have proposed a "Protecting Student Privacy Act." The draft bill would "(1) requires that data security safeguards be put in place to protect sensitive student data that is held by private companies; (2) prohibits the use of students' personally identifiable information to advertise or market a product or service; (3) provides parents with the right to access the personal information about their children - and amend that information if it"s incorrect — that is held by private companies just as they would if the data were held by the school itself; (4) makes transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts; (5) minimizes the amount of personally identifiable information that is transferred from schools to private companies; [and] (6) ensures private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information." The legislation highlights many of the protections EPIC endorsed in its Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (May. 15, 2014)
- Press Groups Challenge Ban on Commercial Drones. Over a dozen news media organizations filed an amicus brief opposing the Federal Aviation Administration's ban on commercial drones. The ban was suspended earlier this year by an administrative judge. The news organizations argue that the ban violates the media’s First Amendment right of the press, however the rule concerns public safety not the content of speech or the identity of the speaker. EPIC, joined by over 100 organizations, previously petitioned the Federal Administration Agency to address the privacy issues raised by drones and the Agency agreed to do so. In response to a request for public comments last year, EPIC urged the Federal Aviation Administration to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones. (May. 13, 2014)
- "Regulating Domestic Drones to Protect Privacy and Public Safety".
Diane Rehm Show(May. 13, 2014)
WAMU / NPR
May 13, 2014
- EPIC Obtains Letter Concerning Justice Department Non-Investigation of Google Street View. Pursuant to the Freedom of Information Act, EPIC has obtained the closing letter from the Department of Justice to Google attorneys in the Street View matter. The letter briefly mentions Google's interception and collection of private Wi-Fi communications across the United States over several years. The disclosure of the activity occurred after a European data protection authority discovered that Google's "Street View" vehicles also captured private Wi-Fi data. More than 12 countries subsequently investigated Google's programs, and at least 9 countries found Google guilty of violating their laws. The letter from the DOJ states that US officials were aware that Google's "equipment collected 'payload' data, including contents of e-mail and Internet addresses typed by users," but the Department "decided not to seek charges" against Google for violating the Wiretap Act. The Ninth Circuit recently affirmed a federal court's decision to allow a class action lawsuit against Google to move forward for wiretap violations stemming from the Street View program. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (May. 13, 2014)
- EU Court Rules Google Must Respect Right to Delete Links. The European Court of Justice has upheld the "right to be forgotten" and ruled that Google must delete links upon request concerning private life. The Court also determined that companies are subject to the EU Data Protection Directive and that jurisdiction extends to companies that set up a branch in an EU state. The Court said that since privacy is a fundamental right, it overrules the economic interests of the company and the public interest in access to the information. However this is not the case concerning one's activity in public life. EPIC has broadly supported the privacy rights of Internet users and the specific right to "expunge" information held by commercial firms. For more information, see EPIC - In re Facebook, EPIC - Expungement, and EPIC - G.D. v. Kenny. (May. 13, 2014)
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air. New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity. (May. 12, 2014)
- Student Data Privacy: Politics and Practicalities.
Director, EPIC Student Privacy Project
Education Writers Association(May. 19, 2014)
May 19, 2014
- Legal, Regulatory and Legislative Challenges of the Broadband Revolution.
EPIC Appellate Advocacy Counsel
Minnesota Bar Association(May. 16, 2014)
May 16, 2014
- Joint Hearing Education Committee and Select Committee on Privacy: Ensuring Student Privacy in the Digital Age.
Director, EPIC Student Privacy Project
May 14, 2014 (May. 14, 2014)
- "Demistifying Urban Legends about Requesters".
"Demistifying Urban Legends about Requesters"
Director, EPIC Open Government Project
American Society of Access Professionals(May. 12, 2014)
May 12, 2014
- "Fees, Fee Waivers and Other Administrative Matters".
"Fees, Fee Waivers and Other Administrative Matters"
Director, EPIC Open Government Project
American Society of Access Professionals(May. 12, 2014)
May 12, 2014
- Privacy Case Moves Forward Against Facebook and Zynga. The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy. (May. 9, 2014)
- EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order. Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involve false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (May. 8, 2014)
- EPIC Sues Army for Information About DC Surveillance Blimps. EPIC has filed a Freedom of Information Act lawsuit against the Department of the Army for documents about JLENS, a sophisticated surveillance system that will be deployed over Washington, DC during the next three years. JLENS is comprised of two 250' blimps. One blimp conducts aerial and ground surveillance over a 340-mile range, while the other has targeting capability including HELLFIRE missiles. The JLENS was originally deployed in Iraq. In the FOIA request, EPIC asked the Army for technical specifications as well as any policies limiting domestic surveillance. EPIC has urged Congress to establish privacy safeguards for aerial drones. For more information, see EPIC: EPIC v. Army - Surveillance Blimps, EPIC: Drones - Unmanned Aerial Vehicles, and EPIC Spotlight on Surveillance (2005) - "Unmanned Planes Offer New Opportunities for Clandestine Government Tracking." (May. 7, 2014)
- House Judiciary Committee to Consider Bill to End Bulk Surveillance, Improve NSA Oversight. The House Judiciary Committee has scheduled a markup of the USA Freedom Act. The proposed "Manager's Amendment", sponsored by James Sensenbrenner (R-WI), would prevent bulk collection of phone records and other business records, and would limit the scope of phone record searches. The bill would also (1) limit the collection of US persons communications by the NSA's PRISM program, (2) require public reports on the use of FISA surveillance, (3) require declassification of significant FISA Court opinions, and (4) create a public advocate at the FISA Court. In 2012, EPIC testified before the House Judiciary Committee on the need for public reports and the declassification of significant FISC opinions. In 2013, EPIC filed a petition with the Supreme Court, alleging that the bulk collection of telephone record was unlawful. For more information, see EPIC: FISA Reform and In re EPIC. (May. 5, 2014)
- Annual FISA Report Shows Decrease in Surveillance Orders, Questions About Scope Remain. The Department of Justice has published the 2013 FISA Report. The brief report provides summary information about the government's use of the Foreign Intelligence Surveillance Act. In 2012 the Foreign Intelligence Surveillance Court granted 1,789 FISA orders and 212 "Section 215" orders. In 2013, there were 1,588 requests to conduct FISA surveillance, with 34 modifications. The FISC also granted 178 business record orders under Section 215, with 141 modified by the court. The significant number of modified orders indicates that the government's initial applications are too broad. For example, the controversial NSA Metadata program, was authorized by the surveillance court under a modified order. It is possible that in 2013 the court authorized other bulk collection programs. For more information, see EPIC: FISC Orders 1979-2014 and EPIC: FISA Graphs. (May. 1, 2014)
- White House Publishes Report on "Big Data and Future of Privacy". The White House has released a report on big data and the future of privacy. The report "Big Data: Seizing Opportunities, Preserving Values" makes several recommendations to the President: "(1) advance the Consumer Privacy Bill of Rights; (2) pass national data breach legislation; (3) extend privacy protections to non-U.S. persons; (4) ensure data collected on students in schools is used for educational purposes; (5) expand technical expertise to stop discrimination; and (6) amend the Electronic Communications Privacy Act." The report identifies discrimination as a key concern, stating "A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace." The report also recommends the adoption of Privacy Enhancing Technologies. EPIC urged public participation in the review process. The White House report incorporates several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: "Privacy in the Commercial World." (May. 1, 2014)
- Facebook Introduces New Privacy Features. Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously - without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organization, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC. (May. 1, 2014)
- Court Denies Hulu's Motion to Dismiss Privacy Case. A federal court has ruled that a privacy class action lawsuit against Hulu, the video streaming service, may continue. Hulu users allege that the company violated the Video Privacy Protection Act by transferring personally identifiable information to both Facebook and the advertising company comScore. The Judge ruled that Hulu's transfer to Facebook of unique IDs, including the user's IP address and Facebook ID, as well as specific video titles would violate the video privacy law. However, the judge determined that Hulu only transmitted anonymized user IDs to comScore and that therefore there could be no legal violation. In 2009, EPIC filed an amicus brief in a similar case in which a company disclosed consumers' identities and video rental histories to Facebook. For more information, see Harris v. Blockbuster and EPIC: Video Privacy Protection Act. (May. 1, 2014)
- Google Stops Scanning Student Emails, Ends Data Collection for Advertising. Google has announced it will stop scanning student emails for advertising purposes. Google has also stated that it will no longer display new advertisements in its Apps for Education. Google's announcement follows the demise of inBloom, a private company that acquired student data from school districts across the country. Amid public backlash, inBloom announced it was shutting down. Google and inBloom gained access to student data pursuant to the Education Department's revised regulations that significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. EPIC had previously sued the Education Department for weakening the privacy law that protects student data. Earlier this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 30, 2014)
- Supreme Court Considers Privacy of Cell Phones. Today the U.S. Supreme Court heard two cases presenting the question of whether the warrantless search of a cell phone following an arrest violates the Fourth Amendment. A transcript of arguments in the first case, Riley v. California, is here and the second case, United States v. Wurie, is here. The Justices acknowledged that the search of a cell phone is unlike the search of a physical object. Justice Kagan stated "People carry their entire lives on cell phones." EPIC argued in its "friend of the court" brief, signed by twenty-four prominent legal and technical scholars, that "Allowing police officers to search a person’s cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." According to the Pew Research Group, 90% of American adults have smart phones. Approximately 12 million Americans are arrested each year. For more information, see EPIC: Riley v. California and EPIC Blog - Argument Recap: Justices Look to Limit Warrantless Cell Phone Searches. (Apr. 29, 2014)
- The National Security Agency 2014: What are the Prospects for Reform?.
National Press Club(Apr. 30, 2014)
April 30, 2014
- Teacher Seminar: Surveillance and Privacy.
Teacher Seminar: Surveillance and Privacy
Director, EPIC Student Privacy Project
Close Up Foundation(Apr. 28, 2014)
April 28, 2014
- DHS Releases Cybersecurity Report, NSA Role Remains Murky. The Department of Homeland Security had published the first Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC recommended civilian control of domestic Cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see EPIC: Cybersecurity Privacy Practical Implications. (Apr. 25, 2014)
- Patent to Block Facial Recognition Follows Sale of Google Glass. A patent for a technology that shields users from nearby video cameras has emerged. The patent describes a detector that would blur the images of people on portable camera displays, preventing video surveillance. The patent surfaced following Google's release of Google Glass for sale by the general public. Google is seeking a patent for a contact lens style for Glass that would escape public detection. Google is also seeking to trademark the word "glass," which the US Patent and Trademark Office opposes. EPIC previously submitted comments to the Federal Trade Commission recommending the suspension of facial recognition techniques pending the establishment of privacy safeguards. For more information, see EPIC: Google Glass and Privacy, EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Apr. 25, 2014)
- Report Reveals Rise in Teens' Desire for Online Privacy. A report released by the Intelligence Group, a "youth-focused, research-based consumer insights company," reveals that teens want more online privacy than ever before. According to the report, only 11% of teens currently share "a lot about themselves online" - a 7% decrease from the same age group last year. By contrast, 17% of young adults aged 19- to 24 and 27% of adults aged 25 to 34 currently share "a lot about themselves online." The report also indicates that "about 18% of teens share content on social media at least once a day, including status updates, photos, pins, or articles, compared with 28% of 19- to 24-year-olds and 35% of 25- to 34-year-olds." Recently, EPIC objected to a settlement agreement that would allow Facebook to use images of teens in online advertising. EPIC has also filed comments with the FTC supporting stronger regulations to protect children's data online. For more information, see EPIC: Fraley v. Facebook, EPIC: COPPA and EPIC: FTC. (Apr. 25, 2014)
- Tech Standard Dropped Because of Suspected NSA Influence. Following an extensive public comment process, the National Institute of Standards and Technology has removed a cryptographic algorithm from its guidance for random number generators deployed by government vendors. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible. NIST cited in own evaluation and "a lack of public confidence in the algorithm." Last year the NY Times reported that the NSA had intentionally weakened cryptographic standards to enable surveillance, raising concerns about the reliability of key Internet standards. In February, NIST released new guidelines for the development of cryptographic standards. EPIC, joined by several organizations, urged the agency to explain the extent of NSA's role in the standards development process. EPIC previously recommended that NIST inform the public of the full extent of the NSA's involvement in the Cybersecurity Framework. The Computer Security Act of 1987 was passed explicitly to prevent NSA involvement in domestic computer security. For more information, see EPIC: Computer Security Act of 1987. (Apr. 24, 2014)
- Supreme Court to Hear Cell Phone Privacy Cases. The Supreme Court is set to hear oral arguments next week in two cases concerning the warrantless search of a cell phone following an arrest. EPIC filed a "friend of the court" brief, signed by twenty-four technical experts and legal scholars, arguing that the Fourth Amendment requires a warrant because of the vast amount of personal information available on a cellphone. EPIC wrote, "Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." Also the Supreme Court this week agreed to review a case considering whether the police may detain a person based on a mistaken interpretation of the law. In Heien v. North Carolina, the person was detained by the police because of a broken taillight. EPIC routinely files amicus briefs in cases raising novel privacy issues. For more information, see EPIC: Riley v. California and EPIC: Amicus Curiae Briefs. (Apr. 24, 2014)
- Amid Privacy Backlash, Student Data Firm Dissolves. inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 21, 2014)
- Pew Survey Finds Opposition to Drones, Robots, and Google Glass. A national survey conducted by Pew Research Center and Smithsonian Magazine find the American public optimistic about revolutions in health science and transportation, and concerned about technologies of surveillance. According to the survey, 63% of Americans think it would be a change for the worse if "personal and commercial drones are given permission to fly through most U.S. airspace," while 22% think it would be a change for the better. And 65% expressed concern about increased dependence on robots. Similarly, 53% of Americans think it would be a change for the worse if most people wear implants or other devices that constantly show them information about the world around them. Women are especially wary of a future in which these devices are widespread. Google Glass, an example of such technology, has come under scrutiny from Data Protection authorities as well as Congress. EPIC, joined by 100 other organizations and experts, petitioned the Federal Aviation Administration to address public concerns about privacy and drones. For more information, see EPIC: Google Glass and Privacy and EPIC: Domestic Drones. (Apr. 21, 2014)
- Appeals Court Orders Release of Classified Legal Analysis, EPIC Filed Amicus Brief. A federal court of appeals has ruled that the Department of Justice must release the legal analysis justifying the controversial "targeted killing" drone program. The government argued in New York Times v. Department of Justice that the analysis should be exempt from release as a privileged communication. But the ACLU and the New York Times, supported by EPIC and other open government organizations, argued that because the government relied on the legal reasoning to justify the drone program it cannot be kept secret. The Second Circuit agreed, ruling that the after "senior Government officials have assured the public" that the program is "lawful and that . . . advice establishes the legal boundaries," it can no longer claim that the document is exempt from FOIA. EPIC has pursued a similar case for more than seven years, seeking the disclosure of the OLC's legal analysis of the Warrantless Wiretapping program. And earlier this year EPIC wrote in the New York Times that if "the Justice Department expects others to follow its advice, the analysis that supports its conclusions should be made public." For more information, see EPIC: New York Times v. DOJ and EPIC: EPIC v. DOJ - Warrantless Wiretapping Program. (Apr. 21, 2014)
- EPIC Obtains Documents About FTC's Facebook Investigation. As the result of a Freedom of Information Act request, EPIC has received several hundred pages of documents related to the Federal Trade Commission's investigation of Facebook business practices. The documents include assessments by the FTC of Facebook's privacy changes and communications with the company. EPIC has repeatedly pressed the Commission to enforce the 2012 Consent Order which barred the company from future changes to privacy settings without user consent and committed Facebook to develop a "comprehensive privacy program." EPIC also recently filed a complaint with the FTC about Facebook's acquisition of Whatsapp, an instant messaging service. The EPIC complaint resulted in a stern warning from the FTC not to violate Whatsapp user privacy. For more information see: EPIC: Facebook Privacy. (Apr. 16, 2014)
- When Bytes Bite Back: Tunneling through the Data Mines.
EPIC Associate Director
University of Kansas(Apr. 25, 2014)
Kansas City, KS
April 25, 2014
- Coalition Urges White House to Recognize EU Opinion; End NSA Telephone Records Program. In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy. (Apr. 16, 2014)
- Worthwhile Tradeoffs: Surveillance in a Constitutional Democracy Part 1.
EPIC Appellate Advocacy Counsel
National Constitution Center(Apr. 17, 2014)
April 17, 2014
- EPIC v. DOJ: No Analysis of PRISM Legality. In a recently concluded Freedom of Information Act lawsuit, EPIC tried to obtain legal analysis concerning the controversial PRISM surveillance program. The Justice Department responded that "no responsive records" exist. An earlier FOIA case brought by EPIC revealed that the Office of Legal Counsel provided advice on the warrantless wiretapping program of President Bush. But apparently no similar memos exist on the legality of the mass collection of Internet traffic by the NSA. For more information, see EPIC v. DOJ (PRISM). (Apr. 11, 2014)
- Court Upholds FTC Authority to Safeguard Data Privacy. A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy. (Apr. 11, 2014)
- Car Data Privacy Bill Moves Forward in Senate. The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy. (Apr. 10, 2014)
- FTC Responds to EPIC Complaint on WhatsApp and Privacy. The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission. (Apr. 10, 2014)
- Federal Agencies Fail to Safeguard "Big Data," Breaches Doubled in Just a Few Years. The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administrations to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 10, 2014)
- FTC Commissioner Wright Meets with Industry Lobbyists, Not Consumer Representatives. Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate presentatives but no meetings with public interest organizations representing consumers. One of FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After repeatedly declining a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission. (Apr. 8, 2014)
- FOIA Groups Support EPIC in Case Against NSA. Several open government organizations, including Public Citizen, the Sunlight Foundation, the Project on Government Oversight, Citizens for Responsibility and Ethics in Washington, the Center for Effective Government and Openthegovernment.org have filed an amicus brief supporting EPIC in EPIC v. NSA. EPIC is seeking to obtain a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act Request to the NSA for NSPD-54 and several related documents. After the agency refused to disclose the Directive, EPIC sued the NSA under the Freedom of Information Act. The NSA then disclosed several documents but argued it could withhold NSPD-54 under a narrow legal exemption. Suprisingly, a federal court ruled sue sponte that NSPD-54 was not an "agency record" and simply dismissed the case. The FOIA groups argued that the judge's decision was contrary to FOIA law because NSPD-54 is an agency record and also because courts cannot dismiss such cases particularly when the agency itself thought it was subject to the law. For more information see: EPIC v. NSA. (Apr. 8, 2014)
- European High Court Strikes Down Data Retention Law. In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC. (Apr. 8, 2014)
- EPIC Warns White House About Privacy Risks of "Big Data". In response to a request from the White House, EPIC has submitted extensive comments on "Big Data and the Future of Privacy." EPIC warned the White House about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974 which responded to the challenges of "data banks." EPIC noted the dramatic increases in identity theft and security breaches. EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. EPIC wrote "It is vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics." EPIC and more than 20 organizations previously urged the White House to establish privacy protections for user data that is being gathered by large companies and government agencies. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 7, 2014)
- NGO Coalition Tells President "Establish Privacy Protections for Big Data". EPIC along with more than 20 other organizations sent comments to the White House on "Big Data and the Future of Privacy." The organization urged the President to establish new safeguards for organizations collecting "big data" including transparency, accountability, robust privacy techniques, and meaningful evaluation. The groups also urged the President to enact the Consumer Privacy Bill of Rights. The incidents of security beaches and identity theft continue to increase in the United States. Meanwhile a new report reveals that consumers are secretly scored by businesses. And the President recently decided to renew the NSA's ineffective telephone record collection program. The White House agreed to accept public comments after EPIC and two dozen organizations petitioned the Office of Science and Technology Policy. The White House has sponsored several conferences on Big Data and the Future of Privacy, though some of the meeting have been closed to the public. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy. (Apr. 2, 2014)
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive. EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sue sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014)
- Judge Approves Controversial Settlement Over Objection of Consumer Privacy Organizations. A federal judge in California has approved a settlement agreement in a lawsuit against Google that will allow the company to continue to sell data about users' browsing history to advertisers. EPIC and several other consumer privacy organizations objected to the settlement, stating that it requires no change in Google's business practices and provides no benefit to those on whose behalf the case was brought. EPIC and the groups also recommended that the court adopt an objective basis for distributing cy pres funds, noting that the awards are often made for the benefit of the lawyers settling the case and not the class members. Class action settlements have come under increasing scrutiny in recent years, with courts increasingly concerned about collusion between attorneys and faux settlements that do not reflect the purpose of the initial lawsuit. In a case that reached the Supreme Court, Chief Justice Roberts said that courts will need to look more closely at these settlements to determine whether there are fair, whether organizations designated to receive funds reflect the interests of class members, and also the obligation of judges to carefully review these proposals. For more information, see EPIC: Search Engine Privacy and EPIC: Google Buzz. (Apr. 1, 2014)
- EPIC to Commerce Department: Uphold the Public's Right to Know. In comments to the Commerce Department about proposed changes to the agency's Freedom of Information Act regulations, EPIC urged the agency not to prematurely close requests. EPIC supported several changes that will make it easier for the public to obtain information from the government agency, but objected to a specific proposal that would allow the agency to terminate pending FOIA requests if requesters do not "reasonably describe the records sought." EPIC said the change was contrary to the purpose of the open government law. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. The Privacy and Civil Liberties Oversight Board, the Federal Trade Commission, and the Interior Department have adopted EPIC's recommendations on proposed FOIA rule changes. For more information, see EPIC: Open Government. (Apr. 1, 2014)
- Restoring Trust in Data Protection.
Academy of European Law(Apr. 7, 2014)
7 April 2014
- EPIC Supports Challenge to National Security Letter "Gag Orders". EPIC has filed an amicus curiae brief in In re National Security Letter, a case challenging the government's bulk collection of customer records without judicial approval. Under the current law, companies are not even allowed to discuss these subpoenas or reveal information about the number of NSLs they receive each year. EPIC argued in its friend of the court brief that this "gag order" provision frustrates the public's right to know about a far-reaching government surveillance program. EPIC routinely provides information to the public about government surveillance programs, but is unable to inform the public about NSL surveillance because of the provision now under review by a federal appeals court. For more information, see EPIC: In re NSL and EPIC: National Security Letters. (Apr. 1, 2014)
- President Obama Renews Unlawful, Ineffective Surveillance Authority. According to the Attorney General and the Director of National Intelligence, President Obama has renewed the NSA's authority to collect all of the telephone records of all American telephone customers. The "Section 215" program exceeded Congressional authority and was found to be ineffective by two expert panels. At a speech on January 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists. However, according to DNI Clapper, the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and the FISC issued an order approving the government's application. The order issued expires on June 20, 2014. EPIC and others have strongly objected to the renewal of the 215 program. For more information, see EPIC In re EPIC. (Mar. 29, 2014)
- Fandago and Credit Karma Settle FTC Charges for Weak App Security. Two companies have settled Federal Trade Commission charges that they misrepresented the security of their mobile apps. Fandango and Credit Karma failed to enable SSL encryption, leaving user data vulnerable on mobile apps. "Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps," FTC Chairwoman Edith Ramirez said in a statement. The settlements require the companies to establish data security programs, and to undergo security assessments by the Commission for the next 20 years. EPIC recently brought a complaint to the FTC concerning Scholarship.com, a company that failed to establish adequate security safeguards. Not long after the complaint from EPIC, the company implemented SSL. EPIC had earlier recommended that the Commission require encryption for all cloud-based services. For more information, see EPIC: Federal Trade Commission, and EPIC: EPIC Online Guide to Practical Privacy Tools. (Mar. 28, 2014)
- EPIC's Contemporary Privacy Litigation: Challenging The Surveillance State.
EPIC Appellate Advocacy Counsel
University of New Hampshire School of Law(Apr. 8, 2014)
April 8, 2014
- Data Privacy in the Digital Age.
EPIC Executive Director
Indiana Law Review Symposium(Apr. 4, 2014)
April 4, 2014
- Privacy, Security, and Secrecy After Snowden.
EPIC Appellate Advocacy Counsel
Cardozo School of Law(Apr. 2, 2014)
New York, NY
April 2, 2014
- Senator Leahy Urges President to End NSA Record Collection Program on Friday. In remarks published this week, Senator Patrick Leahy, Chairman of the Senate Judiciary Committee and co-sponsor of the USA FREEDOM Act, said "I welcome the President's statement that he plans to end the bulk collection of American’s phone records. That is a key element of what I and others have outlined in the USA FREEDOM Act, and that is what the American people have been demanding." Senator Leahy added, "the President could end bulk collection once and for all on Friday by not seeking reauthorization of this program. Rather than postponing action any longer, I hope he chooses this path." EPIC and others have urged the President not to renew the NSA telephone record collection authority when it expires this week. For more information, see In re EPIC. (Mar. 27, 2014)
- Federal Courts Law Review Symposium.
EPIC National Security Appellate Advocacy Fellow
Charleston School of Law(Mar. 27, 2014)
March 27, 2014
- "Who Watches the Watchers?".
"Who Watches the Watchers?"
EPIC Executive Director
Antitrust Law Spring Meeting(Mar. 26, 2014)
National Press Club
March 26, 2014
- Deadline Approaches for End of NSA's Telephone Record Collection Program. March 28 marks the deadline set by President Obama to end the NSA's bulk collection of American's telephone records. Last week, Attorney General Eric Holder confirmed that the Justice Department is ready to meet the deadline that the President has set. After extensive meetings with leaders of the Intelligence Community, both the President's Review Group and the Privacy and Civil Liberties Oversight Board found the program was ineffective and likely exceeded current legal authority. Senator Leahy, who held extensive public hearings, has stated "This program is not effective. It has to end." EPIC, supported by dozens of legal scholars and former members of the Church Committee, petitioned the US Supreme Court in July 2013 to end the "215" program. For more information, see In re EPIC and EPIC: NSA Verizon Phone Record Monitoring. (Mar. 24, 2014)
- Federal Trade Commission Backs Users in Facebook Privacy Case. The FTC has filed an amicus brief in a case before a federal appeals court concerning Facebook users. If a controversial settlement is approved, Facebook will display the images of users, including young children, in Facebook advertising without consent. Several Facebook users formally objected to the plan, arguing that it would violate state laws. A children's advocacy organization also objected, stating that the "settlement is actually worse than no settlement." The FTC brief explains that state privacy laws do prevent the display of children's images without consent. EPIC also filed an amicus brief in support of the users, explaining that the settlement is unfair and should be rejected. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Mar. 21, 2014)
- FTC Adopts EPIC's Recommendations on Improved FOIA Processing. The Federal Trade Commission has issued a final rule updating its Freedom of Information Act fee provisions. EPIC submitted extensive comments to the agency, supporting proposed fee reductions but also recommending changes to strengthen open government. The FTC adopted nearly all of EPIC's proposals. The FTC announced that all "Commission decisions, orders, and other public materials" will be electronically available to all requesters without charge. The FTC also said it would grant requesters additional time to assess fees associated with FOIA requests rather than simply terminate processing. The FTC agreed to be more lenient in resolving unpaid FOIA fees. The Commission also adopted EPIC's recommendation to disclose private sector contract rates for FOIA processing. EPIC routinely comments on agency proposals that impact FOIA requesters' rights. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Mar. 21, 2014)
- EPIC Updates Facebook Complaint, Urges Careful Review of WhatsApp Acquisition. EPIC has filed a supplemental complaint regarding Facebook's $19 b purchase of WhatsApp. WhatsApp users had relied on the messing app's pro-privacy practices to protect their personal information, while Facebook regularly incorporates user data from the companies it acquires. In the initial complaint, EPIC urged the Federal Trade Commission to block the sale unless adequate privacy safeguard for WhatsApp user data were established. In the supplemental complaint, EPIC provided more evidence that WhatsApp users object to the acquisition. EPIC also highlighted the importance of the FTC's pre-merger review process. Recently, the Commission approved Google's purchase of Nest Labs without considering the privacy implications for consumers. For more information, see EPIC: In re WhatsApp and EPIC: Federal Trade Commission. (Mar. 21, 2014)
- Google Admits to Data-Mining Student Emails. In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education. (Mar. 19, 2014)
- EPIC Obtains Secret Attorney General Reports on Electronic Surveillance. As a result of an FOIA lawsuit, EPIC has obtained copies of the Attorney General Reports on the government's electronic surveillance activities. These reports have been submitted to Congress every six months since 2001 but have never before been disclosed to the public. These reports include new details about government collection of telephone and Internet records. The reports include the number of US persons targeted for "Pen Register" surveillance under the Foreign Intelligence Surveillance Act. The reports also contain noncompliance incidents and significant foreign intelligence court opinions, but those details have been withheld by the Justice Department. The documents obtained by EPIC also show that the Justice Department told Congress that the collection of telephone subscriber information would decrease, even after the section 215 bulk collection program began. The case is EPIC v. Dept. of Justice, No. 13-961. For more information, see EPIC v. DOJ - FISA Pen Registers and EPIC: FISA Stats. (Mar. 19, 2014)
- WhatsApp Founder Responds to EPIC Privacy Complaint. Following Facebook's announced plan to purchase WhatsApp, a popular pro-privacy messaging services, EPIC urged the FTC to block the acquisition. EPIC explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. WhatsApp founder Jan Koum has now published a blog post in response to the EPIC Complaint. Koum wrote, "Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal." He added, "Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point." For more information, see EPIC: In re WhatsApp, EPIC: Federal Trade Commission, and EPIC: In re Facebook. (Mar. 18, 2014)
- The Future of FOIA Reform.
EPIC FOIA Project Director
US Congress(Mar. 19, 2014)
March 19, 2014
- Drones, Privacy & You.
Jeramie D. Scott
EPIC National Security Counsel
Russell Senate Office Building(Mar. 18, 2014)
Washington, DC 20002
March 18, 2014
- EPIC Publishes 2014 FOIA Gallery, Highlights Documents Obtained Under Open Government Law. In celebration of Sunshine Week, EPIC has published the 2014 EPIC FOIA Gallery. The gallery highlights documents obtained by EPIC in the past year, such as previously secret records about government surveillance of telephone calls, FBI facial recognition technologies, DHS drones that identify human targets on the ground, the CIA's collaboration with the New York Police Department, and student debt-collectors' lax data security systems. In many of these cases, EPIC "substantially prevailed" and obtained attorneys fees. EPIC routinely pursues Freedom of Information Act matters to promote government accountability. EPIC published the first FOIA Gallery in 2001. EPIC also publishes an authoritative FOIA litigation manual. For more information, see EPIC: Open Government and EPIC Bookstore: FOIA. (Mar. 17, 2014)
- European Parliament: Suspend Safe Harbor, Data Transfers to United States. The European Parliament has voted to halt the Safe Harbor program, which allowed US companies to process data on EU citizens outside of European legal protections. The resolution also recommends that Europe exclude EU-US data transfers from trade negotiations and establish legal remedies for EU citizens who face privacy violations. The resolution would protect whistleblowers, and proposes an independent European data cloud. The resolution follows a six-month investigation, led by MEP Claude Moraes, on the Mass Surveillance of EU Citizens. The report condemned programs of the US and the EU member states. EPIC had urged the Federal Trade Commission to enforce the Safe Harbor, and has recommended the US and EU exclude data transfers in trade negotiations. For more information, see EPIC: EU Data Protection Directive. (Mar. 12, 2014)
- With Overwhelming Support, European Parliament Backs New Data Protection Law. In a near-unanimous vote, the European Parliament has voted in favor of a comprehensive data protection regulation. The new law will make several changes to European data privacy law, give citizens better access to their data, restrict the ways it can be used outside the European Union, and punish companies that breach the regulation with significant fines. The regulation will be the first update to European privacy legislation since the EU passed the 1995 Data Protection Directive. EU Justice Commissioner Viviane Reding stated, "The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible." In 2012 and 2013, EPIC and over twenty other US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of this reform. The European Consumer Organization (BEUC) supports the regulation. EPIC has also spoken before the European Parliament in support of the regulation. For more information, see EPIC: EU Data Protection Directive. (Mar. 12, 2014)
- Pew Internet Report Identifies Privacy Concerns, New Challenges. According to the Pew Research Report "Digital Life in 2025", experts predict the Internet will become 'like electricity' - less visible, yet more deeply embedded in people's lives for good and ill. Several respondents identified the loss of privacy, and the stratification of privacy rights, as a key concern. The Pew report, conducted with Elon University, asked experts to make predictions about the state of digital life in 2025. EPIC President Marc Rotenberg posed the question - "will the Internet of 2025 be a network of freedom and opportunity or the infrastructure of social control?" For more, see EPIC - Public Opinions on Privacy. (Mar. 12, 2014)
- Seventh Annual Freedom of Information Day Celebration.
EPIC Administrative Law Counsel
EPIC Appellate Advocacy Counsel
Director, EPIC Open Government Program
American University Washington College of Law(Mar. 18, 2014)
March 18, 2014
- Federal Judge Rules Commercial Drones Legal. A federal judge has ruled that commercial drones are legal, stating that the Federal Aviation Administration has not issued an enforceable regulatory rule that governs commercial drone operation. The FAA plans to appeal the decision. In 2012, Congress told the Agency to implement a plan to integrate drones into the National Airspace by 2015. Shortly after, EPIC joined by over 100 other organizations, experts, and members of the public petitioned the FAA to address privacy as part of the integration. As a result, the Agency published a notice with proposed privacy requirements for drone operators. EPIC submitted comments in response to the notice, urging the Agency to mandate minimum privacy standards for drone operators. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. Several states have passed drone privacy laws and bills are also pending in Congress. For more information, see EPIC: Domestic Drones. (Mar. 10, 2014)
- EPIC Asks Supreme Court to Protect Cellphone Privacy. EPIC, joined by twenty-four technical experts and legal scholars, has filed a "friend of the court" brief in a Supreme Court case concerning the warrantless search of a cell phone. In Riley v. California, the Court will determine whether the search of a phone following an arrest violates the Fourth Amendment if no warrant is obtained. Lower courts are currently divided on this issue. EPIC's amicus brief explains that "modern cell phone technology provides access to an extraordinary amount of personal data . . . Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." EPIC's brief describes the vast amount of personal information available on the phone and from the phone. "From a cellphone," EPIC explains "users can even see into their homes and control devices and appliances." EPIC points out that "there is no need to allow warrantless searches when currently available techniques allow law enforcement to secure the cell phone data pending a judicial determination of probable cause." EPIC routinely participates in privacy cases before the US Supreme Court. For more information, see EPIC: Riley v. California, EPIC: EPIC Amicus Curiae Briefs. (Mar. 7, 2014)
- "An Analysis of the Review Group Recommendations for Intelligence Reform".
EPIC Executive Director
NYU Security Research Seminar(Mar. 11, 2014)
New York, NY
March 11, 2014
- "Civil Liberties Dead Zone: Do First and Fourth Amendment Rights Not Apply at the Border?".
EPIC Executive Director
Freedom of the Press Committee(Mar. 20, 2014)
National Press Club
March 20, 2014
- "Enhancing Trust and Boosting Innovation in the Digital Ecosystem".
EPIC Executive Director
OECD(Mar. 10, 2014)
Microsoft Policy Center
March 10, 2014
- After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data. The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education. (Mar. 7, 2014)
- EPIC Urges FTC Investigation of WhatsApp Sale to Facebook. EPIC has filed a complaint to the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired.The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger. (Mar. 6, 2014)
- EPIC Presents 2014 Domestic Privacy Champion Award to Evan Hendricks. EPIC has presented the 2014 Domestic Privacy Champion Award to Evan Hendricks, the publisher of Privacy Times. Hendricks received the award in recognition of his work in consumer privacy protection and for his work in publishing Privacy Times, a significant resource in the privacy world. In 2013, EPIC presented the Domestic Privacy Champion Award to Susan Grant. On January 28, EPIC awarded Jan Philipp Albrecht with the International Privacy Champion Award as part of International Privacy Day. (Mar. 5, 2014)
- Citron, Felten, Lewis, Lysyanskaya, Marwick, McDonald, Moglen, and Vladeck Join EPIC Advisory Board. EPIC has announced the 2014 members of the EPIC Advisory Board. They are Danielle Citron, Professor at University of Maryland School of Law, Edward Felten, Professor of Computer Science and Public Affairs at Princeton University, Harry R. Lewis, Professor of Computer Science at Harvard University, Anna Lysyanskaya, Professor of Computer Science at Brown University, Alice E. Marwick, Assistant Professor of Media Studies at Fordham University, Aleecia M. McDonald, Director of Privacy at the Stanford Center for Internet & Society, Eben Moglen, Professor of Law and Legal History at Columbia Law School, and David Vladeck, Professor of Law at Georgetown University Law Center. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Press Release For more information, see EPIC: EPIC Advisory Board. (Mar. 5, 2014)
- White House to Accept Public Comments on Big Data and Privacy Review. The White House is requesting public comments on the Obama Administration's "Big Data and the Future of Privacy" review. EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the Office of Science and Technology Policy last month to accept public comments. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." The letter sets out several important questions, including whether current laws are adequate and whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. Comments are due by March 31, 2014. For more information, see EPIC: Big Data and the Future of Privacy. (Mar. 5, 2014)
- In FOIA Lawsuit, EPIC Obtains Secret Reports on Data Collection. In a Freedom of Information Act lawsuit, EPIC has obtained reports that detail the number of times the Surveillance Court authorized the use of techniques that gather the telephone numbers and metadata of phone customers and Internet users. The previously secret reports obtained by EPIC cover the period between 2000 and 2013. The reports reveal a dramatic increase in the use of these techniques in 2004 and then a significant reduction in 2008, likely the consequence of a shift to other investigative techniques. The documents show that nearly all applications to the Surveillance Court were approved without modifications. In 2013, EPIC petitioned the Supreme Court to end the bulk telephone record collection program. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information see: EPIC v. Department of Justice - Pen Register Reports, EPIC: Foreign Intelligence Surveillance Court Orders 1979-2012, and In re EPIC. (Mar. 3, 2014)
- House Passes FOIA Reform Bill. The House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA's exemptions demonstrate that there would be a "specific identifiable harm," tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. For more information see: EPIC: Open Government. (Feb. 28, 2014)
- EPIC Files FOIA Lawsuit for Information About Massive Telco Database "Hemisphere". EPIC has filed a Freedom of Information Act lawsuit for records about "Hemisphere," a massive telephone record collection program operated by the Drug Enforcement Agency in cooperation with AT&T. Under the program, law enforcement agencies access billions of detailed customer phone records, including location data, dating back to 1987 in routine criminal matters unrelated to national security. EPIC filed the complaint after the federal agency failed to respond to EPIC's FOIA request for information about the operation and legal authority for the program. EPIC has previously challenged the NSA's bulk collection of telephone records in a petition to the US Supreme Court. For more information, see EPIC: In re EPIC (NSA Telephone Record Surveillance), EPIC: Hemisphere and EPIC v. DEA (Hemisphere FOIA). (Feb. 28, 2014)
- Techno-Snooping: Privacy, Technology and the Evolving Rule of Law.
Techno-Snooping: Privacy, Technology and the Evolving Rule of Law
EPIC Associate Director
Colby College(Apr. 6, 2014)
April 6, 2014
- "Cloud Computing and the Law".
EPIC Executive Director
Ottawa Law Review(Feb. 27, 2014)
University of Ottawa
27 February 2014
- Supreme Court Allows Warrantless Search of Home. In a case that narrows the warrant requirement for searches of homes, the Supreme Court upheld the warrantless search of a suspect's home by the LAPD after the person objected. In Fernandez v. California, the officers returned to the apartment of the resident after he had been arrested, and obtained consent from a roommate to conduct a search. Justice Alito, writing for the 6-3 majority, found that the roommate's consent was sufficient once the defendant was no longer present. Justice Ginsburg, writing in a dissent joined by Justices Sotomayor and Kagan, argued that the decision "tells the police they may dodge" the warrant requirement and is contrary to a prior a decision of the Court. In Georgia v. Randolph, the Supreme Court previously ruled that when one occupant refuses to consent to a search, the other's consent is not sufficient to permit a search. EPIC has previously filed amicus briefs in a number of important Supreme Court Fourth Amendment cases. For more information, see EPIC: United States v. Jones, EPIC: Maryland v. King, EPIC: Amicus Curiae Briefs. (Feb. 26, 2014)
- White House and MIT to Host Conference on Big Data and Privacy. On March 3, 2014, the White House and MIT will cohost "Big Data Privacy: Advancing the State of the Art in Technology and Practice." The conference is part of the White House's Big Data and the Future of Privacy initiative and will feature keynotes from Counselor to the President John Podesta and Secretary of Commerce Penny Pritzker. Scholars, privacy advocates, government representatives and private sector leaders will explore the opportunities and challenges of big data and examine the use of Privacy Enhancing Techniques. President Obama has called for a "comprehensive review of big data and the future of privacy." In response, EPIC and a coalition of consumer and scientific organizations outlined key questions for the White House to explore, and also asked the Office of Science and Technology Policy to encourage public participation. For more information see EPIC: Big Data and the Future of Privacy, EPIC: Privacy and Consumer Profiling, and EPIC: Privacy Tools. (Feb. 24, 2014)
- Consumer Privacy, Data Security, and Cyber Liability.
"Consumer Privacy, Data Security, and Cyber Liability"
EPIC National Security Appellate Advocacy Fellow
Washington D.C. Bar Association
February 26, 2014
(Feb. 26, 2014)
- School Privacy Zone Summit: Protecting Student Data from the Classroom to the Cloud.
Director, EPIC Student Privacy Project
Common Sense Media and the Annenberg Retreat at Sunnylands(Feb. 24, 2014)
Pew D.C. Conference Center
February 24, 2014
- EPIC, Coalition Urge President Obama to Advance Privacy Bill of Rights. EPIC along with a coalition of over 40 public interest organizations has urged the President to implement the Consumer Privacy Bill of Rights, a comprehensive framework for privacy protection. The letter comes on the two-year anniversary of the Administration's introduction of the Privacy Bill of Rights, which includes baseline privacy principles, such as individual control and transparency, respect for context and focused collectionm and better access, accuracy, and accountability. The President called the Privacy Bill of Rights a "blueprint for privacy in the information age" and said his Administration "will work to advance these principles and work with Congress to put them into the law." The letter from the organizations states, "We urge you to work with those in Congress who favor the privacy rights of Americans, who support updates to privacy law, and who understand why this issue is so critical to so many Americans. And let those who stand in the way explain to their constituents why they believe that it is not necessary for Congress to do anything further to protect the fundamental rights of Americans." For more information, See EPIC: White House: Consumer Privacy Bill of Rights. (Feb. 24, 2014)
- EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement. EPIC has filed a amicus brief urging a federal appeals court to overturn a controversial consumer privacy settlement. If the Fraley v. Facebook settlement is approved, Facebook will display the images of Facebook users, including young children, for commercial endorsement without consent. Facebook users opposed "Sponsored Stories" and several have formally objected to the settlement, including a children's advocacy organization which said that the "settlement is actually worse than no settlement." The MacArthur Foundation also withdrew stating it should not have been designated to receive funds. EPIC's amicus brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected. EPIC also notes that Chief Justice Roberts expressed concerns about a similar privacy settlement involving Facebook. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Feb. 21, 2014)
- EPIC Urges FTC to Strengthen Safe Harbor Settlements. EPIC has submitted comments to the Federal Trade Commission, urging the agency to improve pending settlements in several Safe Harbor enforcement actions. According to the FTC, twelve companies misrepresented compliance with the EU-US privacy arrangement. EPIC recommended that the Commission revise the proposed orders to: (1) require the companies to comply with the Consumer Privacy Bill of Rights; (2) publish the companies' consent order compliance reports as they are submitted; and (3) strengthen the sanctions against a DNA testing firm, whose misrepresentations puts genetic information at risk. EPIC also noted that the Commission's ongoing failure to modify consent orders in response to public comments is "contrary to the interests of American consumers." For more information, see EPIC: EU Data Protection Directive and EPIC: Federal Trade Commission. (Feb. 21, 2014)
- DHS Open Government Report Reveals Increased Backlog and Use of Law Enforcement Exemptions. The Department of Homeland Security has released the 2013 Freedom of Information Act Report detailing the agencies attempts to comply with the federal open government law. The FOIA requires each agency to provide the numbers of requests received and processed, the time taken to respond, the outcome of each request, and other statistics. In 2013, the DHS reported a significant increase in its FOIA backlog, which rose from 28,553 unanswered requests in 2012 to 53,598 unanswered requests in 2013. Of the nine exemptions that an agency can invoke to withhold documents, DHS relied most heavily on exemption 7(C) (law enforcement records that if released would constitute an invasion of personal privacy) and 7(E) (law enforcement records that if released would disclose law enforcement techniques or procedures, which is significant because the DHS is not a law enforcement agency. DHS reported granting about 7% of requests for expedited processing. EPIC has prevailed in several FOIA lawsuits against DHS, and has also worked to reform the agency's FOIA processing practices for other requesters. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal, EPIC v. DHS - Social Media Monitoring, and EPIC v. DHS - SOP 303. (Feb. 21, 2014)
- Massachusetts Court Upholds Privacy Protection for Location Records. In Commonwealth v. Augustine, the Massachusetts Supreme Judicial Court ruled that an individual has a reasonable expectation of privacy in cell phone location records held by a company. Article 14 of the Massachusetts Constitution, similar to the Fourth Amendment, provides that individuals should be free from "unreasonable searches, and seizures." The court held that obtaining two weeks of phone location records was a search, requiring a warrant. EPIC filed "friend of the court" briefs in Commonwealth v. Connolly, a similar case in Massachusetts concerning warrantless GPS tracking, and State v. Earls, a case in which the New Jersey Supreme Court held that location data is protected under the state constitution. EPIC also filed a brief in In re U.S. Application for Historical Cell Site Data, where an appeals court held that users have no reasonable expectation of privacy in location records under the Fourth Amendment. The Massachusetts Supreme Court considered all three cases. For more information, see EPIC: Location Privacy. (Feb. 20, 2014)
- Children's Advocacy Group Withdraws from Facebook Settlement. The Campaign for Commercial-Free Childhood has turned down $290,000 from a controversial consumer privacy settlement concerning Facebook's Sponsored Stories. The children's advocacy group said, "We now believe that this settlement is actually worse than no settlement. It harms vulnerable teenagers and their families under the guise of helping them...we cannot benefit from a settlement which we now realize is harmful to children and will impede future efforts to protect minors' privacy on Facebook." The MacArthur Foundation withdrew from the Fraley settlement last year, suggesting the funds be redirected to "other non-profit organizations engaged in the underlying issues." And in a related case, Chief Justice Roberts suggested that the Supreme Court will need to address "fundamental concerns surrounding the use of such remedies in class action litigation." EPIC has worked closely with consumer privacy organizations and federal courts to improve class action settlements, arguing that settlements in consumer privacy cases should improve consumer privacy and that awards should be allocated to organizations aligned with the interests of class members. For more information, see EPIC: Fraley v. Facebook. (Feb. 20, 2014)
- DHS Cancels Nationwide License Plate Tracking System. The Department of Homeland Security has cancelled a plan to build a national license plate tracking database. The database would have included the license plate records of car owners across the country, obtained from private companies and law enforcement agencies. The request for bids lacked any consideration of privacy protections. EPIC, through various Freedom of Information Act requests, had obtained extensive documents on the current programs operated by the Customs and Border Protection and the Federal Bureau of Investigation. The documents uncovered by EPIC show that both agencies failed to adequately address the privacy implications of license plate readers. For more information, see EPIC: License Plate Recognition Systems. (Feb. 20, 2014)
- "Privacy and Public Good: Reporting on Student Data".
Director, EPIC Student Privacy Project
SXSWedu(Mar. 4, 2014)
March 4, 2014
- Senators Rockefeller and Markey Propose Data Broker Legislation. Senators Rockefeller and Markey have introduced the The Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Feb. 13, 2014)
- Senate Hears from Privacy Oversight Board, NSA "Metadata" Program is Ineffective. At a Senate Judiciary Committee hearing today, members of the Privacy and Civil Liberties Oversight Board discussed their review of the Section 215 program, concerning the collection of telephone records on US telephone customers. The Privacy Civil Liberties Board 238 page report found that the program was not effective and had not prevented any terrorist incidents. Recent reports also indicate that only 30% of phone records are actually collected, calling into question the value of the "metadata" program. Senate Judiciary Chairman Patrick Leahy stated that "the administration has not demonstrated" that the program "is uniquely valuable to justify the massive intrusion upon American's privacy." The President recently announced that the current bulk collection program would end and announced a transition process, requiring judicial approval of queries, prior to the expiration of the current authority on March 28. For more information, see EPIC: NSA Verizon Phone Record Monitoring. (Feb. 12, 2014)
- Court Denies EPIC Injunction in FOIA Case for Surveillance Reports. A federal judge has denied EPIC's motion for a preliminary injunction that would have required the Department of Justice to complete processing of EPIC's Freedom of Information Act Request for FISA "Pen Register" reports within 20 days. In EPIC v. DOJ, EPIC sought public disclosure of the reports that describe the collection of the bulk Internet metadata from 2004 to 2011. The Justice Department granted EPIC's request for expedited processing in November 2013, but has not yet disclosed any responsive records. After EPIC filed suit and moved for a preliminary injunction, the Justice Department notified EPIC that it intends to complete processing of the reports by February 28, 2014. For more information, see EPIC v. DOJ (FISA Pen Register Reports). (Feb. 11, 2014)
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees. EPIC has accepted the NSA's offer to settle a Freedom of Information Act case EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see EPIC v. NSA - Cybersecurity Authority. (Feb. 11, 2014)
- "On the Heels of the Week: Privacy, Fashion, and the Internet".
EPIC Administrative Law Counsel
New York State Bar Association(Feb. 10, 2014)
New York, NY
February 11, 2014
- EPIC, Coalition Urge White House to Listen to Public on "Big Data and Privacy". EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the White House's Office of Science and Technology Policy to accept public comments on the Big Data and The Future of Privacy study now underway. The Office's primary function is to advise the President on scientific and technological issues. The President announced the Big Data review during a recent speech on NSA reform. The petition calls on the Office of Science and Technology Policy to incorporate the concerns and opinions of the public and lays out a number of important questions to consider, including whether current laws are adequate and also whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. For more information, see EPIC: Privacy and Consumer Profiling. (Feb. 10, 2014)
- Homeland Security Revised Traveler Screening Violates Federal Privacy Act. The Transportation Security Administration and Customs and Border Protection, components of the Department of Homeland Security, have announced plans for agency record disclosures without Privacy Act notifications. The agencies Common Operating Picture ("COP") program would permit TSA and CBP to exchange personal information held by the agencies to place travelers on federal watch lists. Although TSA and CBP have proposed new uses for personal data, the agencies have declined to solicit public comments as required by the Privacy Act. Currently, the agencies use the Automated Targeting System to perform "risk assessments." EPIC has called for DHS to suspend "risk-based" passenger profiling and to make public the algorithms that are used to assess travelers. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Feb. 10, 2014)
- New Limits on NSA Telephone Record Program Established, Authority Expires March 28. The Foreign Intelligence Surveillance Court has granted the government’s motion to limit access by the NSA to the bulk telephone records provided by US telephone companies. Under the new rules, the government cannot "query" the telephone metadata until after the court finds that there is a "reasonable, articulable suspicion that the selection term is associated with" a terrorist organization. The new rules also limit query results to telephone numbers within "two hops" of the selector. President Obama announced the new legal requirement during his recent speech on surveillance reform, when he committed to end the NSA’s bulk record collection program. The NSA's authority to force US telephone companies to turn over records on all their customers will expire on March 28th. The President has recommended that the Intelligence Community and the Attorney General propose an alternative to the bulk collection program prior to that deadline. For more information, see EPIC: FISC and EPIC: NSA Verizon Phone Record Monitoring. (Feb. 7, 2014)
- EPIC Recommends Safeguards For Facial Recognition Technology. In a letter to the Department of Commerce, EPIC called on the agency to develop a facial recognition framework based on the Fair Information Practices ("FIPs"). The National Telecommunications and Information Administration is meeting to address the commercial use of facial recognition, which has seen a backlash. Google banned facial recognition apps and services and Europe required Facebook to discontinue the use of facial recognition for photo tagging. Today Senator Al Franken raised concerns about NameTag. Senator Franken, in a letter to the app developer, called for the delay of the apps release until best practices are established. In comments to the Federal Trade Commission, EPIC previously recommended the suspension of facial recognition technology until adequate safeguards are established. For more information, see EPIC: Face Recognition. (Feb. 5, 2014)
- FTC Chair Ramirez Urges Senate to Act on Data Security Legislation. The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission. (Feb. 5, 2014)
- EPIC Launches Privacy Rights Blog. EPIC has launched a new Privacy Rights Blog, where staff members and guests will write longer-form posts about current issues, including student privacy, domestic surveillance technology, the Fourth Amendment, FOIA law, national security oversight, and consumer privacy. These posts will provide the EPIC staff with a new way to engage our readers, and we look forward to addressing important emerging issues. If you have comments or suggestions for future blog topics, please contact us at blog [at] epic [dot] org. For more information, see Privacy Rights Blog @ EPIC.org. (Feb. 5, 2014)
- "Big Surveillance Demands Big Privacy - Enter Privacy-Protective Surveillance".
Director, EPIC Domestic Surveillance Project
Toronto, Canada(Jan. 28, 2014)
January 28, 2014
- "I will reform our surveillance programs," President Obama Tells Nation. Stating that "America must move off a permanent war footing," President Obama announced (video) at the State of the Union that "working with this Congress, I will reform our surveillance programs." (50:30) The President continued, (text) "because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated." Citing the need to close the prison in Guantanamo, the President also said "we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world." EPIC and other consumer privacy organizations have urged the President to move forward the Consumer Privacy Bill of Rights and to support the International Privacy Convention. (Jan. 29, 2014)
- "Assessing the Impact of PPD 28 on NSA Oversight".
Jeramie D. Scott,
EPIC National Security Counsel
Georgetown University’s Center for Security Studies(Jan. 30, 2014)
January 30, 2014
- EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht. EPIC has given the 2014 International Champion of Freedom Award to European Parliament Member Jan Philipp Albrecht for "modernizing and defending the law of data protection." As a rapporteur for the Committee on Civl Liberties, Justice and Home Affairs, Albrecht has led the effort in the European Parliament to update European privacy law. He is also an outspoken defender of privacy rights and has promoted the investigation of the NSA program of mass surveillance. Albrecht received the award from EPIC at the annual Computers, Privacy, and Data Protection conference in Brussels. Previous award recipients include privacy activist Max Schrems, Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In't Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28, International Privacy Day. (Jan. 27, 2014)
- 2014 CPDP Conference.
- "Freedom of Speech and Privacy".
Free Speech Dialogues(Feb. 6, 2014)
University of Texas
February 6, 2014
- "The Future of Information Privacy Protection".
Georgetown University Law Center(Feb. 4, 2014)
February 4, 2014
- Oversight Board Calls for End of NSA Telephone Records Program. Today the Privacy and Civil Liberties Oversight Board called for the end of the section 215 program that allows the NSA to collect the telephone records of all Americans. In a comprehensive report, the Oversight Board unanimously found that "the NSA's Section 215 program has not proven useful in identifying unknown terrorists or terrorist plots" and that "telephone calling records, when collected in bulk and subjected to powerful analytic tools, can reveal highly sensitive personal information." A majority of the board also concluded that Section 215 did not permit the routine collection of all telephone records on all Americans. The report set out 12 recommendations discussing additional privacy safeguards, greater transparency, and improvements to the Foreign Intelligence Surveillance Court. The members of the Oversight Board unanimously supported almost all of the recommendations. EPIC urged the Board last year at a public workshop to (1) find that section 215 does not permit the collection of all telephone records by the NSA; (2) improve reporting of FISA activities; (3) establish new safeguards for transparency and accountability; and (4) reconsider the Constitutional basis of metadata collection in light of the scope of the government's activities and recent Supreme Court opinions. EPIC had earlier petitioned the Supreme Court to find the 215 program unlawful. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Jan. 23, 2014)
- White House Announces Review of "Big Data and the Future of Privacy". Following the President's speech on reform of the intelligence collection programs, White House counselor John Podesta has announced "a comprehensive review of the way that 'big data will affect the way we live and work; the relationship between government and citizens; and how public and private sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy." This is the first major privacy initiative announced by the White House since the release of the Consumer Privacy Bill of Rights in 2012. The undertaking will involve key officials across the federal government, including the President’s Science Advisor and the President's Council of Advisors on Science and Technology. EPIC has participated in several workshops and studies concerning the intersection of privcy and "big data." (Jan. 23, 2014)
- EPIC, Amnesty International Urge President Obama to Support Privacy in Annual State of the Union. EPIC President Marc Rotenberg, Amnesty International Secretary General Salil Shetty, and members of the EPIC Advisory Board have asked President Obama to support privacy and the international privacy convention in the annual State of the Union speech next week. The State of the Union falls this year on January 28, which is also International Privacy Day. EPIC and Amnesty are urging the President to express support for privacy as a fundamental human right and to begin the process of ratification of the international Privacy Convention, supported by more than forty countries around the world. In 2013, many members of the US Congress, including Senator Patrick Leahy, expressed support for International Privacy Day. Members of the EPIC Advisory Board also wrote to then Secretary of State Hillary Clinton about the Privacy Convention, urging US support. For more information, EPIC - Council of Europe Privacy Convention, EPIC - Letter to Secretary Clinton (2010). (Jan. 23, 2014)
- Internet Data Privacy Colloquium, 2014 Governmental Information Collection Session.
EPIC Administrative Law Counsel
Dialogue on Diversity(Jan. 22, 2014)
January 22, 2014
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives . EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that an Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority. (Jan. 22, 2014)
- "Civil Liberties Dead Zone: US Border Searches".
Former Secretary DHS
Freedom of the Press Committee(Feb. 13, 2014)
National Press Club
February 13, 2014
- Surveillance Seminar.
EPIC Appelate Advocacy Counsel
Close Up Foundation(Jan. 21, 2014)
January 21, 2014
- Obama Announces End of NSA Telephone Record Collection Program. In a widely anticipated speech (video) on reform of the NSA, President Obama announced he would end the NSA telephone record collection program, first requiring a court order for all queries and then ending the NSA massive record request prior to the next renewal. EPIC, legal scholars, the President’s Review Group, and sponsors of the USA FREEDOM Act, including Senator Patrick Leahy and Senator Ron Wyden had urged the President to take this step. The President also said that the Administration would move to implement “a majority of the recommendations” made by the Review Group. The President announced several other reform measures, including a public advocate for the Foreign Intelligence Surveillance Court, new privacy rights for non-US citizens, more transparency for data collection, a narrowed focus on foreign data collection, greater oversight of signals intelligence, a new Privacy Coordinator at the White House, and a new panel to look closely at privacy and “Big Data.” Still, the President may not have gone far enough to address the scope of NSA programs, the privacy rights of those outside the US, and the need to ensure stronger technical safeguards for Internet stability and reliability. The President also did not indicate whether the U.S. would move to ratify the Council of Europe Privacy Convention or seek legislation to enact the Consumer Privacy Bill of Rights. For more information, see White House Fact Sheet (Jan. 18, 2014)
- Supreme Court to Rule on Cellphone Privacy. Today the U.S. Supreme Court granted certiorari in Riley v. California and United States v. Wurie, two cases involving the warrantless search of an individual's cell phone incident to arrest. The Court will need to determine whether the Fourth Amendment limits a law enforcement officer from searching through the troves of data that are stored on an individual's cell phone when that individual is arrested. Courts have previously held that officers can search an individual's person and effects when they place them under arrest. But modern cell phones enable access to a wealth of personal data, which is unrelated to the Government’s reason for securing an arrestee. For more information, see EPIC: Riley v. California and EPIC: Amicus Curiae Briefs. (Jan. 17, 2014)
- Supreme Court Lets Stand Fourth Amendment Protections At the Border. This week the Supreme Court declined to review the decision of the Ninth Circuit in United States v. Cotterman, leaving in place expanded Fourth Amendment protections for searches occurring at the U.S. border. In Cotterman, the federal appeals court held that the Fourth Amendment requires a border agent to have reasonable suspicion before using forensic tools to search laptops, cameras, and other digital devices. The court emphasized that the "comprehensive and intrusive nature of the forensic examination" is the key factor in triggering greater Fourth Amendment scrutiny. EPIC has previously argued that advanced traveler screening methods should only be employed subject to privacy protections. For more information, see EPIC: Traveler Privacy, EPIC: Florida v. Jardines, and EPIC: Amicus Curiae briefs. (Jan. 15, 2014)
- Review Group to Senate: NSA Program Has Not Prevented Threats. Members of the President's Review Group presented their recommendations for NSA reform a Senate Judiciary Committee hearing. EPIC participated in the work of the Review Group. The export panel set out 46 recommendations on a range of issues from reforming intelligence surveillance directed at United States persons to promoting prosperity, security, and openness in the networked world. The Members stated the the NSA's bulk collection of metadata had not prevented threats against the United States and recommend that the it be ended. Acknowledging privacy concerns, former CIA Deputy Director Michael Morrell also stated that "there is quite a bit of content in metadata." Last year, EPIC filed a petition in the Supreme Court challenging the legality of the NSA's telephone record collection program. Legal scholars and former members of the Church Committee supported the EPIC petition. The Supreme Court dismissed the petition without ruling on the merits. For more information, see In re EPIC.
"there is quite a bit of content in metadata" - Morrell, former CIA Deputy Director (Jan. 15, 2014)
- Senator Markey Outlines New Student Privacy Legislation at EPIC Event. At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy. (Jan. 14, 2014)
- DHS Appeals Ruling in EPIC's "Internet" Kill Switch Case. The Department of Homeland Security has appealed a ruling for EPIC in a Freedom of Information Case involving Standard Operating Procedure 303, a protocol which describes the government's plan for deactivating wireless communications networks. Seeking information about the First Amendment and public safety implications of the protocol, EPIC filed a FOIA lawsuit against the agency. A federal court ruled that the protocol could not be withheld under the FOIA because it was not an investigative technique and DHS had not established that releasing the document would cause harm to any individual. Therefore, the court concluded, the documents EPIC sought should be turned over. The Department of Justice has now appealed that decision to the D.C. Circuit Court of Appeals. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Jan. 13, 2014)
- EPIC Settles FOIA Case, Obtains Body Scanner Radiation Fact Sheets. EPIC has received the documents that were the subject of EPIC's Freedom of Information Act appeal to the D.C. Circuit in EPIC v. DHS (Body Scanner FOIA Appeal). The agency had previously withheld test results, fact sheets, and estimates regarding the radiation risks of body scanners used to screen passengers at airports. EPIC challenged the lower court's determination that the factual material was "deliberative" and therefore exempt from the FOIA. After filing an opening brief to the D.C. Circuit, EPIC participated in a new appellate mediation program. As a result of the mediation, EPIC obtained not only the records sought, but also attorneys' fees. The fact sheets show that the agency did not perform a "quantitative analysis" of risks and benefits before implementing the body scanner program. EPIC addressed that concern in the 2011 lawsuit EPIC v. DHS (Suspension of Body Scanner Program). That EPIC case also had a favorable outcome, and ultimately resulted in the removal of backscatter x-ray scanners from US airports. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal and EPIC v. DHS - Suspension of Body Scanner Program. (Jan. 10, 2014)
- Senator Leahy Proposes Consumer Privacy Legislation. Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft. (Jan. 9, 2014)
- Federal Communications Commission Seeks Public Comment to Protect Phone Record Privacy. The Federal Communications Commission has invited public comments on a petition requesting the FCC to rule that the sale of consumer phone records to the government is a violation of the federal Communications Act. EPIC joined the petition, which was organized by Public Knowledge. In 2013, EPIC urged the FCC to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. In 2013 EPIC also wrote to the FCC to explain that Verizon had likely violated the Communications Act when it disclosed telephone records to the NSA. Public comments on the petition are due January 17, 2014 and reply comments are due February 3, 2014. For more information, see EPIC: CPNI (Customer Proprietary Network Information), and EPIC: Foreign Intelligence Surveillance Act. (Jan. 7, 2014)
- Department of Defense Proposes Autonomous Drones, Expanded Surveillance Mission. A new Department of Defense report "Unmanned Systems Integrated Roadmap" sets out "a technological vision for the next 25 years" of drone deployment. The DOD report suggests that budgets cuts are increasing the need for autonomous drones with onboard intelligence. One documentary describes the role of the the Department of Defense developing sophisticated surveillance technologies. The new DOD report states that surveillance is one of the primary purposes for pursuing drone technology, particularly for "surveillance missions that involve prolonged observation." An EPIC FOIA request revealed that domestic drones deployed by the Department of Homeland Security can be deployed with the ability to intercept electronic communications and to recognize individuals on the ground. EPIC has recommended privacy safeguards to limit drone surveillance in the United States. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones. (Jan. 7, 2014)
- Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public. The Court of Appeals for the D.C. Circuit has ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier opinion that the memo was privileged advice, and exempt from disclosure under the Freedom information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a "friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see EPIC v. NSA: Cybersecurity Authority and EPIC: New York Times v. DOJ. (Jan. 3, 2014)
- "Reforming the NSA".
"Reforming the NSA"
Diane Rehm Show(Jan. 6, 2014)
January 6, 2014
- Snapchat Data Breach Exposes 4.6 Million Usernames. A data breach has exposed the usernames and partial phone numbers of 4.6 million users of Snapchat, a popular photo- and video-sharing app. The breach was accomplished by exploiting a flaw that was previously brought to company's attention by security researchers. Last year, EPIC filed a complaint with the Federal Trade Commission regarding Snapchat's deceptive claim that photos would "disappear forever" after a set period of time. The Federal Trade Commission has thus far failed to take action on the EPIC complaint. For more information, see EPIC: Federal Trade Commission. (Jan. 2, 2014)
- "Big Data and Security in Europe: Challenges and Opportunities".
Research Councils UK(Jan. 21, 2014)
January 21, 2014
- "Privacy in the Networked World".
EPIC Appellate Advocacy Counsel
Alaska Telephone Association(Jan. 26, 2014)
January 26, 2014