Latest News - April 20, 2014
As the result of a Freedom of Information Act request, EPIC has received several hundred pages of documents related to the Federal Trade Commission's investigation of Facebook business practices. The documents include assessments by the FTC of Facebook's privacy changes and communications with the company. EPIC has repeatedly pressed the Commission to enforce the 2012 Consent Order which barred the company from future changes to privacy settings without user consent and committed Facebook to develop a "comprehensive privacy program." EPIC also recently filed a complaint with the FTC about Facebook's acquisition of Whatsapp, an instant messaging service. The EPIC complaint resulted in a stern warning from the FTC not to violate Whatsapp user privacy. For more information see: EPIC: Facebook Privacy.
In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy.
In a recently concluded Freedom of Information Act lawsuit, EPIC tried to obtain legal analysis concerning the controversial PRISM surveillance program. The Justice Department responded that "no responsive records" exist. An earlier FOIA case brought by EPIC revealed that the Office of Legal Counsel provided advice on the warrantless wiretapping program of President Bush. But apparently no similar memos exist on the legality of the mass collection of Internet traffic by the NSA. For more information, see EPIC v. DOJ (PRISM).
A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy.
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy.
The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission.
The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administrations to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy.
Through a Freedom of Information Act request, EPIC obtained the appointment calendar of FTC Commissioner Wright. The Commissioner's calendar reveals many meetings with corporate presentatives but no meetings with public interest organizations representing consumers. One of FTC's primary missions is to protect consumers from unfair and deceptive business practices. Commissioner Wright became an FTC Commissioner in January 2013. Since then he has met with representatives from Apple, Microsoft, Verizon, Qualcomm, the Network Advertising Initiative, and the Consumer Data Industry Association. He has attended industry conferences and given talks at trade association meetings. EPIC tried several times to arrange a meeting between Commissioner Wright and the Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, family, library, and technology organizations. The Privacy Coalition has hosted meetings with many FTC commissioners over the past decade. After repeatedly declining a meeting with the consumer privacy organizations, EPIC filed a FOIA request for the FTC Commissioner's appointment calendar. For more information, see EPIC: Federal Trade Commission.
Several open government organizations, including Public Citizen, the Sunlight Foundation, the Project on Government Oversight, Citizens for Responsibility and Ethics in Washington, the Center for Effective Government and Openthegovernment.org have filed an amicus brief supporting EPIC in EPIC v. NSA. EPIC is seeking to obtain a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act Request to the NSA for NSPD-54 and several related documents. After the agency refused to disclose the Directive, EPIC sued the NSA under the Freedom of Information Act. The NSA then disclosed several documents but argued it could withhold NSPD-54 under a narrow legal exemption. Suprisingly, a federal court ruled sue sponte that NSPD-54 was not an "agency record" and simply dismissed the case. The FOIA groups argued that the judge's decision was contrary to FOIA law because NSPD-54 is an agency record and also because courts cannot dismiss such cases particularly when the agency itself thought it was subject to the law. For more information see: EPIC v. NSA.
In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC.
In response to a request from the White House, EPIC has submitted extensive comments on "Big Data and the Future of Privacy." EPIC warned the White House about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974 which responded to the challenges of "data banks." EPIC noted the dramatic increases in identity theft and security breaches. EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. EPIC wrote "It is vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics." EPIC and more than 20 organizations previously urged the White House to establish privacy protections for user data that is being gathered by large companies and government agencies. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy.
After criticism by bloggers, consumers, and privacy advocates - including EPIC - Microsoft will change a troubling provision in its privacy policy. In March, Microsoft searched a blogger's private Hotmaill account to determine whether the subscriber to the Microsoft service received leaked versions of Windows 8. At the time, Microsoft claimed that the search was permissible under the Microsoft Online terms of service. This week Microsoft, announced it would no longer search customers' accounts itself if it suspected wrongdoing and would instead refer such matters over to law enforcement. According to Microsoft, Hotmail has 170 million active users. For more information see: EPIC: Consumer Privacy Bill of Rights.
Top News Archive
EPIC v. DOJ
Riley v. California
Facebook - WhatsApp