- EPIC v. DOJ (Pen Register Reports)
- EPIC v. DOJ (OLC Prism Memos)
- EPIC v. BBG (Tor Funding)
- EPIC v. CIA (Domestic Surveillance)
- EPIC v. ODNI (Revised Guidelines)
- EPIC v. FBI (Cell Site Simulation)
- EPIC v. DOJ (Wikileaks Supporters)
- EPIC v. DHS (Defense Contractor Monitoring)
- EPIC v. DHS (FOIA, Body Scanners)
- EPIC v. DHS (Body Scanner Radiation Risks)
- EPIC v. DHS (Mobile Body Scanners)
- EPIC v. DHS (Social Media Monitoring)
- EPIC v. DOD (TIA/Fee Waiver)
- EPIC v. DOJ (FOIA, Body Scanners)
- EPIC v. DOJ (IOB reports)
- EPIC v. DOJ (Warrantless Wiretapping)
- EPIC v. DOJ & FBI (Wikileaks)
- EPIC v. FTC (Conflict of Interest)
- EPIC v. NSA (Cybersecurity Authority)
- EPIC v. NSA (Google Relationship)
- EPIC v. TSA (Body Scanner Modifications)
- EPIC v. VSP (Fusion Centers)
Other Privacy Cases
EPIC also files consumer privacy complaints with the Federal Trade Commission and brings other cases to promote individual privacy rights. More information is available at:
- EPIC v. DHS (Emergency Stay, Body Scanners)
- EPIC FTC Complaint (Google)
- EPIC FTC Complaint (Phone Records)
- EPIC v. ED (Student Privacy)
- EPIC v. FTC (Google Consent Order)
- Gonzales v. ACLU (NSLs)
- In re Facebook (Settings)
- In re Facebook II (Settings)
- In re Google (Buzz)
- In re Google (Cloud Computing)
EPIC Amicus Briefs
EPIC frequently files amicus curiae, or "friend of the court", briefs in federal and state appellate cases concerning emerging privacy and civil liberties issues.
We work closely with technical experts and legal scholars, members of the EPIC Advisory Board, on these briefs. EPIC's amicus briefs assist judges in their analyses of novel privacy issues, often involving new technology. Many of these cases are complex and technical. Judges often acknowledge EPIC's briefs in their opinions, and have expressed gratitude for EPIC's participation in important cases. EPIC's decision to participate as amicus in a particular case typically follows an extensive review of matters pending before federal and state courts.
- Pending Cases with EPIC briefs
- In re National Security Letter (9th Cir. ___) (Whether the nondisclosure provision in the National Security Letter statute violates the First Amendment)
- Riley v. California (U.S. ___) (Whether a warrantless search of a cell phone during an arrest violates the Fourth Amendment)
- Fraley v. Facebook (9th Cir. ____) (Whether Facebook's proposed settlement of privacy claims arising from "Sponsored Stories" advertisements is fair and sufficient for class members)
- New York Times v. DOJ (2nd Cir. ____) (Whether FOIA Deliberative Process Privilege Exemption Applies to Final DOJ-OLC Opinions)
- Decided cases with EPIC briefs
- Gordon v. Softech Int'l Inc. (2nd Cir. 2013) (Driver Privacy Protection Act)
- Ben Joffe v. Google (9th Cir. 2013) (Wiretap Act)
- In re US Application for CSLI (5th Cir. 2013) (Cellphone Tracking)
- State v. Earls (N.J. 2013) (Cell Phone Location Privacy)
- Maracich v. Spears (U.S. 2013) (Scope of Litigation Exception to Driver's Privacy Protection Act)
- Maryland v. King (U.S. 2013) (Warrantless Collection of DNA From Arrestees)
- Jennings v. Broome (U.S. 2013) (Whether ECPA Prohibits Unauthorized Access to Cloud E-mail)
- McBurney v. Young (U.S. 2013) (State FOI Restrictions)
- CREW v. FEC (D.C. Cir. 2013) (Adequate Response to FOIA Request)
- Florida v. Harris (U.S. 2013) (Reliability of Investigative Techniques)
- Clapper v. Amnesty Int'l USA (U.S. 2013) (Standing to Challenge Broad Surveillance Programs)
- United States v. Hamilton (4th Cir. 2012) (Workplace Privacy)
- First American v. Edwards (U.S. 2012) (Standing)
- United States v. Jones (U.S. 2012) (GPS Tracking)
- FAA v. Cooper (U.S. 2011) (Privacy Act Damages)
- FCC v. AT&T (U.S. 2011) (FOIA)
- IMS Health v. Sorrell (U.S. 2011) (Medical Privacy)
- NASA v. Nelson (U.S. 2011) (Employee Privacy)
- Tolentino v. New York (U.S. 2011) (Police Searches)
- Chicago Tribune v. Univ. of Illinois (7th Cir. 2011) (FERPA)
- Doe v. Luzerne County (3rd Cir., 2011) (Informational Privacy)
- United States v. Pool (9th Cir., 2011) (DNA)
- G.D. v. Kenny (N.J. S.Ct., 2011) (Expungement)
- In re Google Street View (N.D. Cal. 2011) (Wiretap Act)
- Doe v. Reed (U.S. 2010) (Petition Signatures)
- City of Ontario v. Quon (U.S. 2010) (Workplace Privacy)
- Bunnell v. MPAA (9th Cir., 2010) (Wiretap)
- Harris v. Blockbuster (5th Cir., 2010) (Facebook Privacy)
- IMS Health v. Ayotte (1st Cir., 2010) (Medical privacy)
- Ostergren v. McDonnell (4th Cir., 2010) (Identity Theft)
- SEC v. Galleon (2nd Cir., 2010) (Wiretapping)
- Flores-Figueroa v. United States (U.S. 2009) (ID Theft)
- Herring v. United States (U.S. 2009) (Errors in databases)
- NCTA v. FCC (D.C. Cir., 2009) (Phone records privacy)
- Commonwealth v. Connolly (Mass. Sup. J. Ct., 2009) (GPS Tracking)
- ABA v. Brown (9th Cir., 2009) (Financial Privacy)
- Crawford v. Marion County (U.S. 2008) (Voter ID)
- Hepting v. AT&T (9th Cir., 2007) (Wiretap)
- Peterson v. NTIA (4th Cir., 2007) (WHOIS data)
- New Jersey v. Reid (N.J. S.Ct., 2007) (ISP subscriber privacy)
- In re Marriage of [Redacted] (D. Co., 2009) (Telephone Record Privacy)
- Gilmore v. Gonzales (9th Cir., 2006) (Secrecy)
- Kohler v. Englade (5th Cir., 2006) (DNA)
- Johnson v. Quander (U.S. Cert., 2006) (DNA)
- ACLU v. DOD (2nd Cir., 2005) (Secrecy)
- Gonzales v. Doe (2nd Cir., 2005) (Wiretap)
- United States v. Councilman (5th Cir., 2005) (Wiretap)
- Google Books Settlement (S.D.N.Y., 2005) (Copyright and Google Privacy)
- Forensic Advisors, Inc. v. Matrixx Initiatives, Inc. (Maryland Ct. App., 2005) (Subscriber List Privacy)
- Doe v. Chao (U.S. 2004) (Privacy Act)
- Hiibel v. Sixth Judicial Dist. Ct. of Nev., Humbolt County (U.S. 2004) (Anonymity)
- Kehoe v. Fidelity Bank (11th Cir., 2004) (Driver Privacy Protection Act)
- United States v. Kincade (9th Cir., 2004) (DNA)
- BATF v. Chicago (U.S. 2003) (FOIA)
- Smith v. Doe (U.S. 2003) (Megan's Law)
- RIAA v. Verizon (D.C. Cir., 2003) (Copyright Subpoena Privacy)
- Watchtower Bible v. Stratton (U.S. 2002) (Anonymity, First Amendment)
- Remsburg v. Docusearch (N.H. S.Ct., 2002) (Drivers’ Privacy Protection Act)
- In re Sealed Case (FISCR 2002) (Foreign Intelligence Surveillance – Criminal Investigations)
- United States v. Bach (8th Cir., 2002) (Warrant-by-Fax)
- Paramount Pictures v. ReplayTV (C.D. Cal., 2002) (TV-DVR User Privacy)
- US West v. FCC (U.S. Cert. 2000) (Telephone Subscriber Privacy)
- Junger v. Daley (N.D. Ohio, 1998) (Crypto – Export Controls)
- Reno v. Condon (U.S. 2000) (Driver Privacy Protection Act)
- Bernstein v. U.S. Dep’t of Commerce (9th Cir., 1999) (Crypto – Export Controls)
A selection of representative FOIA cases are described below:
EPIC v. Transportation Security Administration, Case No. 11-0290 (RWR)(D.D.C. filed Feb. 2, 2011)
After complaints about the privacy violations created by its body scanner technology, the Transportation Security Administration developed a software patch in an attempt to quell public concerns. The agency claims that this patch projects a gumby or stick figure onto the viewing screen of the machine. But the agency has failed to release any details or documents supporting its claims or clarifying the privacy implications of this new technology. EPIC filed a FOIA request seeking documents regarding this new "avatar" technology, including contracts and technical specifications.
EPIC v. Department of Justice, Case No. 10-1157 (D.D.C. filed Dec. 17, 2010)
EPIC filed a Freedom of Information Act (FOIA) request with the United States Marshals Service, a component of the Department of Justice, to obtain information about the agency's use of full body scanners for courthouse security. EPIC pursued the case in federal court, and has obtained acknowledgment by the agency that a single machine has stored "approximately 35,314 images" of the full body scans of courthouse visitors over a six month period. EPIC also obtained a representative sample of the images stored by the devices.
EPIC v. Department of Homeland Security, Case No. 1:10-cv-01922 (ESH) (D.D.C. filed Nov. 19, 2010) Recently, the Department of Homeland Security began to implement invasive body scanners as a primary screening mechanism for all airline travelers. In August 2010, many senators wrote the agency questioning the safety of the scanners. Several radiation experts also began questioning the safety of the scanners, especially in relation to children, pregnant women, and immunocompromised individuals. In September 2010, Ralph Nader also sent a letter to the Senate expressing concern about radiation exposure.
EPIC requested DHS to release all information about radiation emissions, including information about independent radiation testing of these machines.
EPIC v. National Security Agency, Case No.. 10:10-cv-01533 (RJL) (D.D.C. filed Sept. 13, 2010)
On January 12, 2010, Google announced that hackers originating from China had attacked Google’s corporate infrastructure.According to Google, evidence suggested “that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” In response, Google made infrastructure and architectural changes and decided to stop censoring search results on the Chinese version of Google. On February 4, 2010, the press reported that Google and the NSA had entered into a “partnership” to help analyze the attack by permitting them to “share critical information.” The Washington Post reported that “Google and the NSA declined to comment on the partnership.” However, the NSA acknowledged that it has worked with the private sector on cyber security in the past: NSA spokeswoman Judi Emmel stated that “as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers.”
EPIC filed a FOIA request seeking documents related to the NSA/Google partnership on February 4, 2010.
EPIC v. National Security Agency, Case No. 1:10-cv-00196 (RMU)(D.D.C. filed Feb. 2, 2010)
In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD-54), which grants the National Security Administration broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a "multi-agency, multi-year plan that lays out twelve steps to securing the federal government's cyber networks." This Directive was not released to the public.
In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either.
EPIC v. Department of Homeland Security, Case No. 1:09-cv-02084 (RMU)(D.D.C. filed Nov. 9, 2009)
In February 2007, the Transportation Security Administration, a component of the US Department of Homeland Security, began testing passenger imaging technology - called “whole body imaging,” "body scanners," and "advanced imaging technology" - to screen air travelers. Body scanners produce detailed, three-dimensional images of individuals. Security experts have described whole body scanners as the equivalent of "a physically invasive strip-search."
The case is the product of two consolidated lawsuits, one filed in November 2008 and the other filed in January 2009, seeking documents regarding the “digital strip search” devices. EPIC obtained thousands of pages of records in response to the lawsuit. Two categories of documents remain at issue: a set of 2,000 body scanner images and training materials concerning the devices.
EPIC v. the Virginia Department of State Police, et al., Case No. 08-01357 (Va. Gen. Dist. Ct.)
In January 2008, HB1007 was introduced before the Virginia General Assembly. If enacted, the bill would exempt the Virginia Fusion Intelligence Center (Virginia Fusion Center) – and other Commonwealth agencies assigned to the Virginia Fusion Center – from Virginia privacy and government transparency laws. The Virginia Fusion Center is an intelligence database that collects information on ordinary citizens. Shortly after HB 1007 was introduced, the Virginia Fusion Center’s administrative head implied that federal policies might have been the impetus for HB 1007, but did not provide further details.
EPIC filed Virginia FOIA requests with the Virginia Department of State Police (the VSP) for public records that directly relate to alleged federal government involvement with HB 1007. EPIC urged the VSP to provide the requested public records as soon as possible because of the public records’ relevance to the Virginia General Assembly’s consideration of HB 1007. The VSP refused to disclose any public records in response to EPIC's requests. On March 21, 2008, EPIC filed a lawsuit challenging the VSP's failure to disclose public records and failure to comply with the Virginia FOIA.
EPIC v. Department of Justice, Civ. No. 06-0096 (D.D.C. 2006 HHK)
In December 2005, the New York Times reported that President Bush secretly issued an executive order in 2002 authorizing the National Security Agency to conduct warrantless surveillance of international telephone and Internet communications on American soil. EPIC submitted FOIA requests to four Department of Justice components just hours after the existence of the warrantless surveillance program was first reported. Noting the extraordinary public interest in the program — and its potential illegality — EPIC asked the agency to expedite the processing of the requests. The DOJ agreed that EPIC's requests warranted priority treatment, but failed to comply with the FOIA's usual time limit of twenty working days. In January 2006, EPIC filed a lawsuit against the DOJ to compel the immediate disclosure of information concerning the NSA surveillance program, and asked the federal district court in Washington, DC to issue a preliminary injunction requiring the release of relevant documents within 20 days.
On February 16, 2006, U.S. District Judge Henry H. Kennedy ordered (pdf) the DOJ to process and release documents concerning the NSA program within 20 days, or by March 8, 2006. The day before it was required to disclose the documents, the Justice Department filed a motion asking Judge Kennedy for an additional four months to process some of the material responsive to EPIC's request, which Judge Kennedy granted. Once the DOJ completes its processing of the material, any decision to withhold the requested documents will be subject to judicial review, and Judge Kennedy will have the ability to order "in camera" production of the material and make an independent determination concerning public disclosure.
EPIC v. Department of Justice, Civ. No. 06-0029 (D.D.C. 2006 CKK)
In January 2006, EPIC filed suit in federal court against the Department of Justice for reports of possible misconduct submitted by the FBI to the Intelligence Oversight Board. Judge Colleen Kollar-Kotelly, the head of the Foreign Intelligence Surveillance Court, has been assigned to the case. EPIC had already obtained about twenty reports to the Intelligence Oversight Board through another Freedom of Information Act lawsuit that raise questions about compliance with federal law. Since EPIC filed suit, the FBI has released several sets of documents responsive to EPIC's request.
EPIC v. Department of Justice, Civ. No. 05-845 (D.D.C. 2005 ESH)
In a complaint filed in April 2005, EPIC asked a federal court to force the FBI to disclose information about its use of expanded investigative authority granted by sunsetting provisions of the USA PATRIOT Act. The agency agreed to quickly process EPIC's Freedom of Information Act request for the data, but did not comply with the timeline for even a standard FOIA request. The lawsuit, now pending, was filed amid numerous congressional hearings reviewing controversial sections of the USA PATRIOT Act. (Many of these provisions were slated to expire at the end of 2005 unless the administration made the case for renewal, but Congress extended the deadline for additional debate.) The FBI released a small number of documents in October 2005, after Congress had concluded its hearings and already drafted legislation to renew the sunsetting provisions. These documents included reports of intelligence misconduct from the FBI to an intelligence oversight board. In November 2005, Judge Gladys Kessler ordered the FBI to publicly release or account for 1,500 of pages responsive to the request every fifteen days. The DOJ's processing is now complete, and EPIC is considering next steps.
EPIC v. Department of Commerce et al., Civ. No. 04-1625 (D.D.C. 2004 PLF)
In July 2004, EPIC obtained heavily redacted documents through the FOIA revealing that the Census Bureau had provided the Department of Homeland Security's Bureau of Customs and Border Protection with statistical data on people who identified themselves on the 2000 census as being of Arab ancestry. The redacted information was withheld at the insistence of Customs. EPIC appealed the withholdings to both the Commerce Department (the parent agency of the Census Bureau) and Customs. Neither agency responded within the time frame required by law. EPIC filed suit in September 2004 to compel the agencies to release the redacted information. Commerce responded to EPIC's appeal, and EPIC dropped its suit against that agency. The case against Customs is pending.
EPIC v. Department of Homeland Security et al., Civ. No. 04-0944 (D.D.C. 2004 RMU)
The suit stems from four FOIA requests EPIC submitted to the Transportation Security Administration and Federal Bureau of Investigation asking the agencies for information about their roles in acquiring passenger data from JetBlue Airways, Northwest Airlines, American Airlines and others. Between September 2003 and May 2004, EPIC submitted three requests to TSA for information about its role in JetBlue's disclosure of passenger data to a defense contractor and American's disclosure of passenger data to TSA contractors. The agency granted expedited processing for all of the requests, but has failed to release the information within twenty days, as required by law. Further, EPIC submitted a FOIA request to the FBI in May 2004 asking for information about its collection of a year's worth of passenger information from numerous airlines after 9/11, and requested expedited processing as provided under the FOIA and Department of Justice regulations. The Bureau refused to expedite on the grounds that "the primary activity of EPIC does not appear to be information dissemination," despite the fact that two federal judges have determined otherwise. The FBI also justified its denial by stating that EPIC had not "demonstrated any particular urgency to inform the pubic about the subject matter of [its] request beyond the public's right to know generally." EPIC filed suit in June 2004, seeking the immediate release of the requested TSA records as well as a preliminary injunction requiring the Department of Justice, the FBI's parent agency, to process EPIC's request and release the requested documents as soon as possible. The FBI relented and agreed to grant expedited processing. Both the FBI and TSA have released heavily redacted documents in response to EPIC's request. EPIC is now litigating TSA's withholdings.
EPIC v. Department of the Treasury, Civ. No. 05-2256 (D.D.C. 2005 PLF)
In November 2005, EPIC filed a lawsuit asking a federal court to order the Internal Revenue Service to release documents about law enforcement and intelligence requests for taxpayer records since 9/11. EPIC submited two FOIA requests seeking the information in July 2004 and September 2005, but the IRS failed to disclose documents in response. The IRS released two sets of documents during the course of the lawsuit, which has been settled.
EPIC v. Department of Justice & Department of the Treasury, Civ. No. 02-0063 (D.D.C. 2002 CKK)
In 2001, the Wall Street Journal and other publications reported that federal law enforcement agencies were purchasing personal information from private-sector profiling corporations. To focus debate on private sector profiling, and the reliance of government upon these profiles, EPIC sent a series of FOIA requests to federal law enforcement agencies in July 2001. Documents received from the Internal Revenue Service showed that both ChoicePoint and Experian possess large contracts with the agency for desktop access to citizen's personal information. Other documents showed that INS and DOJ obtained citizen information on ten Latin American countries through ChoicePoint, which led to a series of front-page news items in the affected countries. EPIC challenged the government's substantial redactions in the documents, and settled the case in 2006.
EPIC v. Department of Justice, Civ. No. 04-1736 (D.D.C. 2004 HHK), 04-2164 (D.D.C. 2004 HHK)
In September 2004, the Transportation Security Administration announced plans to test Secure Flight, a new passenger prescreening system. The agency said that "Secure Flight will involve the comparison of information for domestic flights to names in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC), to include the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or reasonably suspected to be engaged in terrorist activity." EPIC submitted a FOIA request to the FBI asking for information about the database and its role in Secure Flight. EPIC asked that the information be released expeditously, noting the intense media interest surrounding the issue. The FBI denied EPIC's request for expedited processing on the grounds that there is no urgency to inform the public about the database and "the primary activity of the American Civil Liberties Union [sic] is not information dissemination, which is required for a requester to qualify for expedited processing under this standard." EPIC applied for an emergency court order on October 13 to compel the agency to release the records, arguing that information about the database should be made available before October 25, which was the deadline for public comments on TSA's plans for testing Secure Flight. The FBI granted expedited processing the next day, but did not released the documents. Judge Kennedy dismissed the case on November 24 because expedited processing was no longer at issue. However, EPIC filed a second suit and application for an emergency court order on December 15, arguing that the FBI had failed to meet the FOIA's deadline for processing even a standard, non-expedited request. EPIC agreed to dismiss its application for an emergency court order in exchange for the FBI's agreement to release the requested documents by March 1, 2005. After the documents were released, EPIC and the FBI settled the case.
EPIC v. Transportation Security Administration et al., Civ. No. 03-1846 (D.D.C. 2003 CKK)
In August 2003, EPIC requested from the Transportation Security Administration "Capital Asset Plan and Business Case" (Exhibit 300) materials that TSA had prepared on the controversial Computer Assisted Passenger Profiling System (CAPPS II), and any privacy impact assessments the TSA had conducted on CAPPS II. The Exhibit 300 is an assessment that the Office of Management and Budget requires of agencies seeking funding for projects and includes, among other things, an evaluation of privacy and security risks that a project might pose. Furthermore, the E-Government Act of 2002 requires agencies to prepare a privacy impact assessment before developing or procuring information technology that collects, maintains or disseminates identifiable information.
TSA agreed to process the documents, but failed to respond to EPIC's request for expedited processing. On September 8, 2003, EPIC applied for an emergency court order requiring TSA to immediately release the requested documents. TSA relented and agreed to complete processing the material by September 25, five days before public comments were due on TSA's proposed Privacy Act notice for the controversial system. TSA then refused to release the documents on September 25, claiming that they were exempt from disclosure under the Freedom of Information Act. In June 2004, Judge Colleen Kollar-Kotelly ordered TSA to review the documents for material that is factual and thus must be released under the FOIA.
EPIC v. Department of Defense, Civ. No. 04-1219 (D.D.C. 2004 CKK)
In May 2004, EPIC sent a FOIA request to the Defense Intelligence Agency asking for records about the agency's use of Verity K2 Enterprise, a program that reportedly mines data from the intelligence community and Internet searches to identify foreign terrorists and U.S. citizens connected to foreign terrorism activities. The agency denied EPIC's request for expedited processing of the requested material, explaining that EPIC had failed to demonstrate an urgency to inform the public about the data mining program. EPIC filed suit in July 2004 seeking the immediate release of the records. Judge Colleen Kollar-Kotelly ruled on December 12 that EPIC was not entitled to expedited processing because it had failed to show an urgency to inform the public about Verity K2 Enterprise specifically rather than defense data mining generally. The Defense Intelligence Agency released responsive documents in April 2005, and EPIC agreed to dismiss the case.
EPIC v. National Aeronautics and Space Administration (N.D. Cal. 2004)
Through an October 2003 FOIA request to NASA, EPIC obtained documents revealing that the Northwest Airlines disclosed millions of passenger records to NASA for use in data mining and passenger profiling research. The agency withheld some documents that are responsive to EPIC's request. EPIC filed suit in January 2004 to obtain additional documents about the Northwest disclosure. Through negotiation, EPIC obtained hundreds of additional records from NASA that were originally withheld by the agency.
ACLU and EPIC v. Department of Justice, 321 F. Supp. 2d 24 (D.D.C. 2004 ESH)
In October 2003, EPIC, the ACLU and allied library and booksellers' organizations submitted a FOIA request to the FBI seeking information about the agency's enforcement of Section 215 of the USA PATRIOT Act. When FBI denied expedited processing, EPIC and the ACLU filed suit in federal court seeking the immediate release of the requested records. On May 10, 2004, U.S. District Judge Ellen Huvelle ordered the FBI to expeditiously process the request. Judge Huvelle also determined that "EPIC is indeed 'primarily engaged in disseminating information' for the purposes of expediting [a FOIA] request." Some responsive records were released in June 2004, and more documents were released in July.
EPIC v. Department of Justice, Civ. No. 03-02078 (D.D.C. 2003 JR)
In September 2003 EPIC asked the Department of Justice for documents related to a memorandum sent to federal prosecutors on August 14. The memorandum urged all prosecutors to contact members of the House of Representatives who had voted to deny funding for the execution of "sneak and peek" warrants authorized by the Patriot Act. The DOJ refused to expedite processing of EPIC's request on the grounds that the memorandum is not a subject of exceptional media interest, and raises no questions about the government's integrity that might affect public confidence. The DOJ further determined that there is no urgency to inform the public about the issues raised by the memorandum. On October 14, EPIC filed suit in federal court and asked that the DOJ be ordered to release immediately the requested material. EPIC filed for partial summary judgment to resolve the issue of expedited processing in October. The DOJ opposed EPIC's motion and filed a cross motion for summary judgment in November. Judge James Robertson heard oral argument on December 8. On December 19, Robertson held that EPIC properly filed suit without first asking the DOJ to reconsider its decision not to process EPIC's request expeditiously, but that EPIC's request was not entitled to expedited processing. EPIC appealed the decision to the DC Circuit, and the DOJ cross appealed. However, the parties agreed to dismiss their appeals when the DOJ released the documents EPIC had requested, and the issue of expedited processing became moot.
ACLU and EPIC v. Department of Justice, 2003 U.S. Dist. LEXIS 8363 (D.D.C. 2003 ESH)
In September 2002, the House Judiciary Committee released the Justice Department's response to the committee's June 13 letter seeking information about implementation of the USA PATRIOT Act. The response shed some light on the use of the new law, but DOJ classified a large amount of important information required for proper public oversight.
EPIC, joined by the ACLU and library and booksellers' organizations, filed suit under FOIA seeking the disclosure of some part of the information classified as "confidential." The lawsuit covers some of the information the Justice Department withheld from the House Judiciary Committee.
In late November 2002, Judge Huvelle ordered the Justice Department to complete its processing of the EPIC/ACLU information request by January 15, 2003. The Department withheld most of the responsive material and moved for summary judgment; EPIC/ACLU filed an opposition and a cross-motion for summary judgment. In a decision issued on May 19, 2003, the court held that all of the withheld material is properly classified.
EPIC v. Department of Defense, 241 F. Supp. 2d 5 (D.D.C. 2002 JDB)
This case grows out of an FOIA request EPIC submitted to the Defense Department in February 2002 concerning DOD's new Information Awareness Office and its director, retired Admiral John Poindexter. In response to the request, DOD denied EPIC's request for "news media" fee status, thus imposing a substantial financial barrier to EPIC's effort to obtain responsive documents. Noting that DOD's action was the first denial of an EPIC request for preferred fee status in the 8-year life of the organization, EPIC filed suit against the agency and moved for a preliminary injunction. Oral argument was held before Judge Bates on July 19, 2002. On January 16, Judge Bates today issued a decision rejecting the Defense Department's denial. Judge Bates ruled that EPIC is entitled to "preferred fee status" under the FOIA and ordered the Pentagon to "expeditiously" process EPIC's almost year-old request for information concerning Admiral John Poindexter and the Information Awareness Office. The DOD agreed to pay EPIC's $24,000 attorney's fees and continue to process EPIC's request for responsive documents. The case was settled in 2003.
Center for National Security Studies, et al. v. Department of Justice, Civ. No. 01-2500 (D.D.C. 2001 GK)
This case, in which EPIC was plaintiff and acted as co-counsel, sought disclosure of information concerning more than one thousand individuals who, according to the government, were "detained" in the wake of the September 11th terrorist attacks. The government has continually refused to disclose the data in response to Freedom of Information Act requests submitted by a broad coalition of civil liberties and human rights groups, resulting in unprecedented secrecy surrounding the status of the individuals.
Members of Congress, the news media and civil liberties groups have all raised questions as to whether those jailed since September 11 are being accorded applicable constitutional protections. The FOIA lawsuit asserted that the requested information involves a matter of extraordinary public interest and that the secrecy surrounding the detentions is at odds with longstanding principles of open judicial proceedings. Under a court-approved schedule to expeditiously litigate the case, briefing began in mid-January 2002 and the court heard oral argument at the end of May 2002.
In a decision issued on August 2, 2002, U.S. District Judge Gladys Kessler directed the Justice Department to disclose, within 15 days, the identities of individuals detained in connection with its September 11 terrorist investigation. Detainees desiring confidentiality of their identities can file statements requesting non-disclosure. The government appealed the ruling, and Judge Kessler granted a stay pending the appeal. Oral argument was held before the D.C. Circuit Court of Appeals on November 18, 2002. The Court of Appeals issued a divided opinion on June 17, 2003, endorsing the Justice Department's efforts to keep secret the identities of hundreds of individuals detained after the September 2001 terrorist attacks. The plaintiffs filed a petition for writ of certiorari with the Supreme Court on September 29, 2003. The Supreme Court denied the petition on January 12, 2004.
EPIC v. Department of Homeland Security et al., Civ. No. 03-1255 (D.D.C. 2003)
In March 2003, EPIC requested from the Transportation Security Administration any privacy assessments of the Computer Assisted Passenger Prescreening System (CAPPS II), and from Department of Defense information concerning Pentagon involvement in the controversial airline passenger screening system. Neither agency completed processing the requests, despite their agreement to "expedite" the process. EPIC filed suit on June 11, 2003, alleging that the Department of Homeland Security (as the parent department of TSA), TSA, and DOD failed to comply with the disclosure requirements of the Freedom of Information Act, and asking a federal judge to order the disclosure of information concerning the development of CAPPS II. DHS filed a motion for summary judgment in October 2003, and EPIC responded with a cross motion for summary judgment. In November EPIC agreed to settle the suit.
EPIC v. Department of Defense, C.A. No. 02-2478 (D.D.C. 2002)
Following a FOIA request for information about the DOD's Total Information Awareness project, the DOD denied EPIC's request for expedited processing. EPIC brought suit on December 17, 2002 challenging this denial. Because the issue is related to our "news media" status at issue in our earlier case against DOD, proceedings in this case were stayed pending that decision and were resolved by the same decision.
EPIC v. Transportation Security Administration, Civ. No. 02-2437 (D.D.C. 2002)
The Aviation Security and Transportation Act, passed in the wake of the September 11, 2001, terrorist attacks, authorizes the Transportation Security Administration (TSA) to maintain watchlists and notify law-enforcement, aviation and airline officials of the names of people suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety." In a FOIA request submitted to TSA in early October 2002, EPIC requested information about the number of names on all aviation-security watchlists, procedures for posting and removing names and all complaints from people who claim to have mistakenly been included on the lists. TSA failed to respond to the request within the legal time limit, prompting EPIC's lawsuit, which was filed on December 11, 2002. EPIC voluntarily dismissed the case in April 2003.
EPIC v. Office of Homeland Security, et al., Civ. No. 02-0620 (D.D.C. 2002)
In December 2002, U.S. District Judge Colleen Kollar-Kotelly issued a decision permitting EPIC to pursue discovery concerning the "nature of the authority" delegated to the Office of Homeland Security (OHS) and its Director, Tom Ridge. The ruling was in response to a Freedom of Information Act lawsuit filed by EPIC after OHS took the position that it is not subject to the open government law. As part of its "Watching the Watchers" project, EPIC is pursuing various FOIA requests relating to governmental security and investigative activities undertaken in the wake of the September 11 terrorist attacks. The work of OHS and its director, Governor Tom Ridge, is central to those issues. After EPIC filed suit, seeking the disclosure of OHS documents concerning proposed national identification systems, the government moved to dismiss the case on the ground that OHS is not an "agency" subject to FOIA. Discovery is now proceeding. Following the court's discovery ruling, EPIC obtained a substantial amount of information concerning the functions of the Office, most of which indicated that OHS did not exercise agency-like authority. EPIC agreed to a voluntary dismissal of the case in April 2003.
EPIC v. Department of Transportation, et al., Civ. No. 02-0475 (D.D.C. 2002)
In this lawsuit, part of the "Watching the Watchers" project, EPIC sought disclosure of information concerning the new Transportation Security Administration's consideration of air travel security systems. The litigation was initiated when TSA failed to respond to EPIC's request for expedited processing of responsive documents. The agency agreed to complete its processing by mid-June 2002, at which time the suit was settled. Material released as a result of this lawsuit led to the filing of a second FOIA request, which became the subject of EPIC v. Transportation Security Administration, Civ. No. 02-2437, described above.
EPIC v. Department of Justice & Federal Bureau of Investigation, Civ. No. 00-1849 (D.D.C. 2002)
On July 11, 2000, the existence of an FBI Internet monitoring system called "Carnivore" was widely reported. Although the public details were sketchy, reports indicated that the Carnivore system is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. The FBI claims that Carnivore "filters" data traffic and delivers to investigators only those "packets" that they are lawfully authorized to obtain. Because the details remain secret, the public is left to trust the FBI's characterization of the system and -- more significantly -- the FBI's compliance with legal requirements.
In order to make public the details of Carnivore, EPIC immediately submitted an FOIA request to the FBI and requested expedited treatment. When the Bureau and DOJ failed to respond in a timely manner, EPIC filed suit seeking expedited processing of Carnivore documents. Under pressure from the court, the FBI began releasing material in periodic installments and completed the processing in January 2001. The released documents have already brought critical information to the public, and the litigation is continuing to determine whether the FBI has improperly withheld relevant information. The Bureau submitted an index describing withheld information in early May 2001, and EPIC challenged the adequacy of the FBI's document search. In an order issued in March 2002, the court agreed with EPIC and directed the Bureau to initiate a new search for responsive documents.
The new search uncovered more documents, including those indicating that an FBI anti-terrorism investigation possibly involving Usama bin Laden was hampered by technical flaws in the Bureau's controversial Carnivore Internet surveillance system. The Carnivore "software was turned on and did not work correctly." The surveillance system captured not only the electronic communications of the court-authorized target, "but also picked up E-Mails on non-covered" individuals (a violation of federal wiretap law), resulting in the destruction of the lawfully obtained material. The documents describe the incident as part of a "pattern" indicating "an inability on the part of the FBI to manage" its foreign intelligence surveillance activities. EPIC voluntarily dismissed the case and the Justice Department agreed to settle EPIC's claim for attorneys fees with a payment of $10,000.
EPIC v. National Security Agency, Civ. No. 99-3197 (D.D.C. 1999)
In a significant case reported on by the New York Times and other publications, EPIC asked a federal court to order the release of controversial documents concerning potential government surveillance of American citizens. EPIC's lawsuit sought the public disclosure of internal National Security Agency (NSA) documents discussing the legality of the agency's intelligence activities. NSA refused to provide the documents to the House Intelligence Committee, resulting in an unusual public reprimand of the secretive spy agency. Rep. Porter J. Goss, chairman of the oversight panel, wrote in a committee report in May 1999 that NSA's rationale for withholding the legal memoranda was "unpersuasive and dubious." He noted that if NSA lawyers "construed the Agency's authorities too permissively, then the privacy interests of the citizens of the United States could be at risk." Soon after the release of the Intelligence Committee report, EPIC submitted a Freedom of Information Act (FOIA) request to NSA for the documents.
After EPIC filed suit for the release of the material, NSA released approximately 100 documents reflecting the agency's interpretation of the legal restrictions on surveillance of "U.S. persons." This material has been incorporated into several media reports on Project Echelon and is a significant contribution to the public body of information on national security surveillance and the rights of Americans.
EPIC v. Federal Trade Commission, Civ. No. 99-2689 (D.D.C. 1999)
EPIC filed suit in federal district court in Washington seeking the disclosure of records about privacy complaints received by the Federal Trade Commission. It is EPIC's contention that the FTC has failed to take action on the many privacy complaints that the agency has received from consumers. In order to evaluate the effectiveness of the current privacy system in the United States, EPIC believes it is critical to look at how the FTC responds to complaints from the public. EPIC filed the initial information request in June 1999. In a letter to the Commission, EPIC requested "copies of all records concerning the FTC's investigation of privacy complaints." The request included letters, electronic mail, web submissions, fax transmissions, and formal complaints. EPIC told the Commission it was interested in "records regarding alleged privacy violations by a specific company or organization and requests for general assistance in a privacy matter, whether or not a specific company or organization is indicated." At a Senate hearing in July 1999, EPIC criticized a report from the FTC on Internet privacy, saying that it failed to provide any actual information about consumer privacy complaints or the effectiveness of industry programs to protect privacy. We noted that EPIC had filed a Freedom of Information Act (FOIA) request regarding the handling of complaints and said that information would be provided to the Senate Committee once a response from the FTC was received.
Since the initiation of the lawsuit, the FTC released several hundred pages of responsive material. These documents have contributed to EPIC's oversight of the Commission's handling of privacy complaints.
EPIC participates in a variety of precedent-setting cases involving privacy issues as plaintiff, co-counsel and/or friend-of-the-court (amicus curiae). These cases include proceedings concerning communications privacy, encryption and consumer privacy.
Kohler v. Englade, Case No. 05-30541 (5th Cir. 2005)
This case inolves the question of whether the police may coerce a person to provide a DNA sample. In 2002, police initiated a DNA dragnet in Baton Rouge, Louisiana. Police targeted men in southern Louisiana and asked each of them to provide a DNA sample for analysis in order to determine if he was the serial rapist-murderer that authorities were seeking. At least 15 men, including Shannon Kohler, declined to let police take a DNA sample. In November 2002, the Baton Rouge Police Department obtained a seizure warrant to force Mr. Kohler to submit his DNA sample for the investigation. Mr. Kohler was identified by the police and news media as a suspect in the highly publicized search for a serial rapist-murderer. The police later cleared Mr. Kohler as a suspect in the investigation.
In February 2005, the District Court dismissed Mr. Kohler's claim that seizure warrant used to obtain his DNA lacked the required probable cause. The District Court found that police had probable cause based on two anonymous tips and the fact that Mr. Kohler met "certain elements of an FBI profile," which the Court characterized as "so broad and vague that it cast a net of suspicion over thousands of citizens." The Court rejected Mr. Kohler's request for a new trial on the issues. Mr. Kohler has filed an appeal with the Fifth Circuit Court of Appeals. In October 2005, EPIC filed an amicus brief arguing that the constitution protects a person's privacy interest in his DNA and explained that such dragnets have failed repeatedly to identify perpetrators.
Gonzales v. Doe, Case No. 05-0570 (2d Cir. 2005)
This lawsuit concerns the FBI's authority to issue national security letters to businesses for certain customer records without judicial approval. This investigative power, which is part of the Electronic Communications Privacy Act, also imposes a permanent nondisclosure order prohibiting the recipient from ever telling anyone he has received a national security letter.
In 2004, an anonymous Internet service provider and the American Civil Liberties Union challenged the constitutionality of this broad authority, arguing that it violates the First and Fourth Amendments because the law fails to provide adequate checks on the FBI's power to force companies to turn over sensitive customer information. They also argued that the "gag" provision violates the First Amendment because it completely and permanently forbids every recipient from disclosing the fact that he received a national security letter — regardless of whether such a sweeping ban is actually necessary. A federal court in New York found the power unconstitutional on First Amendment grounds in September 2004. The government challenged that ruling in the Second Circuit Court of Appeals.
EPIC co-authored an amicus brief with the National Security Archive arguing that the courts must provide meaningful oversight of the government's investigative activity, and that the FBI's national security letter power undermines government accountability. Other organizations supporting the brief include the Project on Government Secrecy of the Federation of American Scientists and the National Whistleblower Coalition.
In re: Sealed Case No. 02-001, 310 F.3d 717 (F.I.S.C.R. 2002)
In March 2002, the Attorney General submitted a memorandum to the Foreign Intelligence Surveillance (FISA) Court, requesting approval of newly created information sharing (minimization procedures) and other proposals, to be implemented upon approval at the Department of Justice. The Attorney General's proposed minimization procedures significantly curtailed the information screening walls. In a May 17 opinion, the FISC granted some of the Administration's newly requested powers, but refused to grant the Justice Department heightened information sharing powers proposed by the Attorney General. The FISA Court sharply criticized the DOJ and FBI for providing the tribunal misleading information in 75 cases, and limited the request of the DOJ to share intelligence information for criminal prosecutions. The government appealed the decision to the never before convened Foreign Intelligence Surveillance Court of Review, which heard oral arguments in a closed session on September 10, 2002.
EPIC joined with a coalition of civil liberties groups to file an amicus brief with the Foreign Intelligence Surveillance Court of Review. The brief stated that expanding the national security surveillance powers would jeopardize fundamental constitutional interests.
The Court's decision, released in November, permits the government to remove the separation that has long existed between officials conducting surveillance on suspected foreign agents and criminal prosecutors investigating crimes. The Court of Review concluded that the FISC read into FISA limitations on the Act's scope of FISA that never existed and appear nowhere in the statute. The court concluded that the changes to FISA under the USA PATRIOT Act are constitutional, although just barely. The opinion was the first issued by the Court of Review since FISA's inception in 1978. FISA contains no provision for appeal of this decision. The coalition is currently considering any further approaches to address these issues.
Nelson v. Salem State College, Case No. SJC-09519 (Mass. 2005)
In June of 1995, officers of the Salem State College police force, with the knowledge of college administrators, installed a hidden video camera and VCR in the college’s off-campus Small Business Development Center. The video camera was used to investigate possible illegal entries in the center after normal business hours and was set to record twenty-four hours a day. During the summer of 1995, Gail Nelson, a secretary at the Small Business Development Center, often brought a change of clothes to work and changed in a cubicle. Ms. Nelson later learned about the covert surveillance from a co-worker.
Ms. Nelson filed suit against the college and officials, arguing that they had violated the Fourth Amendment, Article 14 of the Massachusetts Declaration of Rights, and state law by secretly videotaping her in a cubicle. The claims were dismissed by the trial court, which found that the Ms. Nelson had no reasonable expectation of privacy in a cubicle. Ms. Nelson appealed to the Massachusetts Appeals Court. Before the court reached a decision, the Supreme Judicial Court decided to take the case. EPIC filed an amicus brief arguing that society is prepared to recognize an expectation of privacy in the workplace as reasonable. In April 2006, the court ruled in favor of the college.
Gilmore v. Gonzales, 2006 U.S. App. LEXIS 1856 (9th Cir. 2006)
This case challenged the government's unpublished law or regulation requiring passengers to present identification to fly on commercial airlines. John Gilmore argues that the requirement violates numerous constitutional protections, including the rights to travel, petition and freely assemble, be free from unreasonable search and seizure, and have access to due process of law. In March 2004, the U.S. District Court for the District of Northern California dismissed Gilmore's case. In that proceeding, the government not only refused to provide the court with the text of the law or regulation requiring airline passengers to show identification, but declined even to acknowledge whether the requirement exists. Furthermore, the district court judge accepted the government's assurance that the court did not have jurisdiction to review the law or regulation, failing to independently determine the legal basis for that claim. In August 2004, EPIC filed an amicus brief arguing that the district court's failure to examine the government's authority to enforce the law or regulation allows the government to impose secret law upon the public, thus avoiding meaningful review by courts as required by the Constitution. In January 2006, the 9th Circuit ruled in the government's favor, upholding the identification requirement.
American Bankers Association v. Lockyer, 2005 U.S. Dist. LEXIS 22437 (E.D.Cal. 2005)
In 2003, California enacted the California Financial Information Privacy Act, commonly known as "SB1." SB1 provides the strongest financial privacy protection in the nation. It allows customers to "opt-out" of information-sharing practices between affiliated institutions, companies that have common ownership. SB 1 also bars financial institutions from sharing information about consumers with nonaffiliated third parties unless an individual gives his or her express "opt in" consent. In April 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit, arguing that SB 1 is preempted or superceded by the federal Fair Credit Reporting Act (FCRA). As interpreted by the banking industry, the FCRA imposes a preemptive ceiling on state privacy statutes, thereby preventing any state or local regulation concerning affiliate sharing of consumer information.
EPIC participates in the agency rule-making process as an advocate of the public interest. Such proceedings address issues like location privacy, public access to electronic court records and communications security. EPIC typically works in close association with privacy and consumer organizations, technical experts, and legal scholars.
Air Travel Privacy
In the Matter of Interim Rule Concerning the United States Visitor and Immigrant Status Indicator Technology Program, Docket No. DHS-2007-0002 (comments filed with the Department of Homeland Security Border and Transportation Security Doctorate)
In November 2004 comments, EPIC urged the Department of Homeland Security to consider privacy implications as it expands the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. In August 2004, the agency announced that it would expand US-VISIT to the 50 busiest land border points of entry by the end of that year. It also expanded the category of individuals who are subject to US-VISIT to include visa waiver travelers and Mexican citizens traveling to and from the U.S. EPIC's comments emphasized the potential for mission creep within the program, and noted the importance of safeguarding the accuracy and security of the information collected through US-VISIT.
In the Matter of Privacy Act System of Records Notice and Privacy Impact Assessment, Secure Flight Test Records; Notice of Emergency Clearance Request, Secure light Test Records, Docket No. TSA-2004-19160 (comments filed with the Transportation Security Administration and Office of Management and Budget)
In October 2004, EPIC called upon the Transportation Security Administration to suspend the test phase of Secure Flight until the program's significant privacy issues were resolved and the government was willing to be more forthcoming about the program's details. EPIC also urged the Office of Management and Budget not to permit TSA to collect a month's worth of passenger information for Secure Flight testing purposes until the program's privacy and transparency issues were addressed.
In the Matter of Privacy Act System of Records Notice, Transportation Security Threat Assessment System and Transportation Worker Identification Credentialing System, Docket No. TSA-2004-19166 (comments filed with the Transportation Security Administration)
EPIC urged the Transportation Security Administration in October 2004 comments to tightly safeguard personal information in two data collection programs. The Transportation Workers Identification Credentialing System (TWIC) and the Transportation Security Threat Assessment System (T-STAS) compile data on a variety of people directly and indirectly related to the transportation industry. EPIC's comments noted the dangers of identity theft, misappropriation and mission creep if the data collected for these programs are not properly protected.
In the Matter of Privacy Act System of Records Notice, Registered Traveler Operations Files, Docket No. TSA-2004-17982 (comments filed with the Transportation Security Administration)
In July 2004, EPIC urged the Transportation Security Administration not to deploy the final phase of the Registered Traveler program until it conducted a full evaluation of the program's privacy implications. Citing the agency's record of secrecy and little regard for individual privacy interests in the development of programs such as CAPPS II, EPIC recommended that TSA revise its information collection and maintenance practices to comply fully with the intent of the Privacy Act.
In the Matter of Interim Final Rule and Notice Concerning the Implementation of US-VISIT, Docket No. BTS 03-01 (comments filed with the Department of Homeland Security Border and Transportation Security Doctorate)
These comments were submitted February 5, 2004 in response to a notice announcing the implementation of the United States Visitor and Immigrant Status Technology (US-VISIT). EPIC urged DHS to define how Privacy Act obligations affect US-VISIT, to consider the significance of international privacy standards in the collection and use of personal information by the agency on non-U.S. citizens, and to prohibit the expansion of US-VISIT uses outside the program's defined mission.
In the Matter of Privacy Act System of Records Notice Concerning the Arrival Departure Information System, Docket No. DHS/ICE-CBP-001 (comments filed with the Department of Homeland Security Bureau of Immigration and Customs Enforcement and Bureau of Customs and Border Protection)
EPIC filed these comments on January 12, 2004 in response to DHS's announcement that the Arrival Departure Information System (ADIS) would begin to collect biometric and biographic data for use by the United States Visitor and Immigrant Status Technology (US-VISIT). EPIC argued that ADIS should not be exempt from Privacy Act requirements, and urged DHS to reduce ADIS's proposed 100-year data retention period and comply with international privacy standards.
In the Matter of Manifest Requirements Under Section 231 of the Immigration and Nationality Act, INS No. 2182-01 (comments filed with the Immigration and Naturalization Service)
On February 3, 2003, EPIC filed comments in response to a proposed rule that would require commercial airline carriers transporting passengers to or from the United States to submit passenger manifest information electronically to the Immigration and Naturalization Service. EPIC argued that the collection of such information, particularly that of United States citizens and lawful permanent residents, raises significant issues under both the Privacy Act and the Constitution. A final rule has not been issued.
In the Matter of Fair Credit Reporting Medical Information Regulations, Docket No. 04-09; RIN 1557-AC85; Regulation V, Docket No. R-1188; RIN 3064-AC81; No. 2004-16; RIN 1550-AB88 (comments to the Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Deposit Insurance Corporation, National Credit Union Administration, and Board of Governors of the Federal Reserve System)
In May 2004, EPIC and a coalition of privacy advocacy organizations filed comments with five federal agencies which issued a proposed regulation under the Fair and Accurate Credit Transactions Act. The coalition supported the regulation's general prohibition on creditors obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. The comments urged that financial institutions not be permitted to routinely request consent to obtain medical information and that affiliate sharing be limited.
In the Matter of Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliliey Act, FTC FIle No. 034815 (comments filed with the Federal Trade Commission)
In comments filed with the Federal Trade Commission on March 29, 2004, EPIC submitted comments in response to this rulemaking designed to simplify privacy notices issued under the Gramm-Leach-Bliley Act. EPIC supported the creation of short privacy notices that start with a "call to action," an unambiguous statement that the individual must take affirmative action in order to protect their financial privacy. EPIC noted that such notices, if designed properly, will assist individuals in understanding their rights and opt-out methods. EPIC also suggested that a checkbox format for the notices would be favorable, as that would allow individuals to score or compare privacy policies across different companies.
In the Matter of Free Annual File Disclosures, FTC File No. R411005 (comments filed with the Federal Trade Commission)
In passing the Fair and Accurate Credit Transactions Act of 2003, Congress directed the Federal Trade Commission to implement a centralized source where individuals could obtain a free credit report annually from each of the three nationwide credit reporting agencies. In comments to the FTC filed on April 16, 2004, Professor Daniel Solove joined EPIC in arguing that individuals should be able to use the source to obtain credit reports without allowing credit reporting agencies to resell their personal information. The comments also attempt to limit the credit reporting agencies' ability to claim that there are too many requests, thus justifying a delay in delivery of the credit report. Already under the law, the credit reporting agencies have a full fifteen days to comply with a request for a report. The comments argue that no more delay is necessary, as the credit reporting agencies regularly provide reports to retailers and other creditors within seconds of making a request.
In the Matter of FACT Act Biometric Study, File No. R411005 (comments filed with the Department of the Treasury)
On April 1, 2004, EPIC submitted comments in response to the Department of Treasury's call for public response on the use of biometrics and similar technologies to combat identity theft. EPIC argued that increased use of biometrics will not combat identity theft in an effective or cost-efficient manner. In fact, such technologies could worsen the identity theft situation for some members of the public and impose a new nationwide system of identity for virtually all Americans. Furthermore, less invasive and less costly alternatives could be implemented to effectively combat identity theft. EPIC argued that it is not necessary to implement a nationwide system of biometrics to curb identity theft. Instead, we could address identity theft in a more cost-effective and privacy-friendly manner by changing aspects of the credit granting system.
In the Matter of Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, OCC File No. 03-18, BOG File No. OP-1155, OTS File No. 03-35 (comments filed with the Department of the Treasury)
On October 14, 2003, EPIC and the U.S. Public Interest Research Group urged the Department of Treasury to strengthen proposed guidance on security notices to bank customers. The proposed guidelines specified when a financial institution must give notice to a customer when their personal information has been accessed without authorization. The comments urged the agency to expand the definition of "sensitive consumer information," and to require financial institutions to report statistical information on all security events to federal regulators. The Treasury Department is now considering whether to modify the proposed guidance.
In the Matter of Experian (complaint filed with the Federal Trade Commission)
On September 16, 2003, EPIC urged the Federal Trade Commission to investigate the marketing practices of credit reporting agency Experian. The complaint alleged that the company broadly disseminates advertising offers for "free" credit reports, but actually provides an expensive credit monitoring service that individuals must cancel within thirty days. EPIC also argued that Experian's advertising is not only misleading, but also stokes fears of inaccuracy in credit reports in order to drive up sales of the company's products.
In the Matter of Rules, Policies, and Procedures for Corporate Activities and Bank Activities, Docket No. 03-02 (comments filed with the Office of the Comptroller of the Currency)
In February 2003, the Office of the Comptroller of the Currency (OCC) issued a proposed interpretation of its "visitorial powers" that would effectively prevent the application of state consumer protection laws to national banks. Such a broad reading would negate state efforts to pass opt-in or other financial privacy laws.
EPIC and U.S. PIRG filed comments with the OCC on April 4, 2003, urging the agency to reject a the proposed rule, as federal privacy law generally operates as a regulatory baseline and allows states to enact greater protections if they so choose. EPIC argued that its proposal would undermine the effectiveness of these laws and well-established principles of federalism, and urged the agency to reject the proposal. The agency has not announced its final rule.
In the Matter of Privacy Act System of Records Notice, The Homeland Security Operations Center Database, Docket No. DHS-2005-0029 (comments to the Department of Homeland Security)
The Department of Homeland Security has proposed to exempt a vast database from legal requirements that protect privacy and promote government accountability. The agency's plan leaves individuals without the ability to correct inaccurate information and without protection against possible abuse of the database. In May 2005, more than forty organizations opposed the plan in comments filed with the agency.
In the Matter of Deployment of Internet Protocol, Version 6, Docket No. 040107006-4006-1 (comments filed with the Department of Commerce National Institute of Standards and Technology National Telecommunications and Information Administration)
In comments filed March 8, 2004, EPIC urged the deployment and use of strong privacy protecting technologies in IPv6, the protocol designed to replace the current network protocol used on the Internet. EPIC recommended that all IPv6 vendors make privacy and security enhancing features such as encryption standard. EPIC also said that the privacy and security features within IPv6 should not be compromised with vulnerabilities by the application of the Communications Assistance to Law Enforcement Act, which would threaten both the security of network communications and the stability of the network architecture.
In the Matter of Event Data Recorders, Docket No. HTSA-2004-18029 (comments to the National Highway Traffic Safety Administration)
In August 13, 2004 comments, EPIC urged the National Highway Transportation Security Administration to create privacy protections for "Event Data Recorders," black boxes in vehicles that record crash data. EPIC noted that the boxes can become platforms for broader surveillance and that information collected by them should be subject to fair information practices.
In the Matter of Release of Customer Information During 9-1-1 Emergencies, RM-10715 (comments filed with the Federal Communications Commission)
On August 15, 2003, EPIC submitted comments in response to a petition asking the Federal Communications Commission to clarify the legal preconditions to the release of customer-specific information in emergency situations. EPIC voiced its support for the petition, arguing that a rulemaking would provide useful guidance to the emergency services industry and set expectations for consumer privacy in emergency situations. On November 14, 2003 the FCC issued a Second Further Notice of Proposed Rulemaking revising the FCC's E911 rules and clarifying which technologies and services are required to transmit consumers' location information to public safety answering points.
In the Matter of Privacy Act System of Records Notice, Postal Service Distribution Quality Improvement, Docket No. (comments to the United States Postal Service)
EPIC and Privacy Rights Clearinghouse filed comments in August 2004 suggesting privacy improvements to a Postal Service system that will employ commercial databases to improve delivery rates. The comments call upon the Postal Service to require the commercial database vendor to abide by a strong set of fair information practices.
In the Matter of Privacy and Court Records (comments filed with the Florida Supreme Court)
In October 2004 comments to a committee formed by the Florida Supreme Court, EPIC recommended protections for personal information that appears in public records. EPIC advised that personal data in public records are being commodified for purposes unrelated to government oversight.
Radio Frequency Identification (RFID)
In the Matter of Proposed Rule Concerning Electronic Passports, RIN 1400-AB93 (comments to the Department of State)
In April 2005, EPIC and other civil liberties groups filed comments to urge the State Department to scrap its plans to require RFID passports for all American travelers. The proposal was flawed because the Department lacks legal authority to require RFID travel documents. The State Department had also failed to show the benefits of the passports. Furthermore, it had failed to conduct a meaningful assessment of RFID technology or to consider more reliable technologies.
RFID Workshop Comment P049106 (comments presented at Federal Trade Commission workshop)
In July 2004, EPIC filed detailed comments at a Federal Trade Commission Workshop calling for the adoption of strong Privacy Guidelines for RFID Technology to protect consumers against potential abuses of the tracking technology.
In the Matter of the Social Security Administration's Proposed Rule Change Regarding a New Routine Use for Social Security Administration System Records Entitled Mater Files of the Social Security Number Holders and SSN Applications, Docket No. 60-0058 (comments to the Social Security Administration)
In September 2004 comments to the Social Security Administration, EPIC urged the agency not to create a new routine use of the Social Security Number for state voter registration purposes. EPIC asked the agency not to implement this routine use until state election administrations agree not to require voters to present their Social Security cards in order to vote in federal elections.