Latest News - April 23, 2014
inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy.
A national survey conducted by Pew Research Center and Smithsonian Magazine find the American public optimistic about revolutions in health science and transportation, and concerned about technologies of surveillance. According to the survey, 63% of Americans think it would be a change for the worse if "personal and commercial drones are given permission to fly through most U.S. airspace," while 22% think it would be a change for the better. And 65% expressed concern about increased dependence on robots. Similarly, 53% of Americans think it would be a change for the worse if most people wear implants or other devices that constantly show them information about the world around them. Women are especially wary of a future in which these devices are widespread. Google Glass, an example of such technology, has come under scrutiny from Data Protection authorities as well as Congress. EPIC, joined by 100 other organizations and experts, petitioned the Federal Aviation Administration to address public concerns about privacy and drones. For more information, see EPIC: Google Glass and Privacy and EPIC: Domestic Drones.
A federal court of appeals has ruled that the Department of Justice must release the legal analysis justifying the controversial "targeted killing" drone program. The government argued in New York Times v. Department of Justice that the analysis should be exempt from release as a privileged communication. But the ACLU and the New York Times, supported by EPIC and other open government organizations, argued that because the government relied on the legal reasoning to justify the drone program it cannot be kept secret. The Second Circuit agreed, ruling that the after "senior Government officials have assured the public" that the program is "lawful and that . . . advice establishes the legal boundaries," it can no longer claim that the document is exempt from FOIA. EPIC has pursued a similar case for more than seven years, seeking the disclosure of the OLC's legal analysis of the Warrantless Wiretapping program. And earlier this year EPIC wrote in the New York Times that if "the Justice Department expects others to follow its advice, the analysis that supports its conclusions should be made public." For more information, see EPIC: New York Times v. DOJ and EPIC: EPIC v. DOJ - Warrantless Wiretapping Program.
As the result of a Freedom of Information Act request, EPIC has received several hundred pages of documents related to the Federal Trade Commission's investigation of Facebook business practices. The documents include assessments by the FTC of Facebook's privacy changes and communications with the company. EPIC has repeatedly pressed the Commission to enforce the 2012 Consent Order which barred the company from future changes to privacy settings without user consent and committed Facebook to develop a "comprehensive privacy program." EPIC also recently filed a complaint with the FTC about Facebook's acquisition of Whatsapp, an instant messaging service. The EPIC complaint resulted in a stern warning from the FTC not to violate Whatsapp user privacy. For more information see: EPIC: Facebook Privacy.
In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy.
In a recently concluded Freedom of Information Act lawsuit, EPIC tried to obtain legal analysis concerning the controversial PRISM surveillance program. The Justice Department responded that "no responsive records" exist. An earlier FOIA case brought by EPIC revealed that the Office of Legal Counsel provided advice on the warrantless wiretapping program of President Bush. But apparently no similar memos exist on the legality of the mass collection of Internet traffic by the NSA. For more information, see EPIC v. DOJ (PRISM).
A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy.
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy.
The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission.
The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administrations to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy.
Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate presentatives but no meetings with public interest organizations representing consumers. One of FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After repeatedly declining a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission.
Several open government organizations, including Public Citizen, the Sunlight Foundation, the Project on Government Oversight, Citizens for Responsibility and Ethics in Washington, the Center for Effective Government and Openthegovernment.org have filed an amicus brief supporting EPIC in EPIC v. NSA. EPIC is seeking to obtain a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act Request to the NSA for NSPD-54 and several related documents. After the agency refused to disclose the Directive, EPIC sued the NSA under the Freedom of Information Act. The NSA then disclosed several documents but argued it could withhold NSPD-54 under a narrow legal exemption. Suprisingly, a federal court ruled sue sponte that NSPD-54 was not an "agency record" and simply dismissed the case. The FOIA groups argued that the judge's decision was contrary to FOIA law because NSPD-54 is an agency record and also because courts cannot dismiss such cases particularly when the agency itself thought it was subject to the law. For more information see: EPIC v. NSA.
Top News Archive
EPIC v. DOJ
Riley v. California
Facebook - WhatsApp