The D.C. Circuit has ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit held that the CareFirst consumers had standing to sue for the data breach.
Through a Public Information Act request to the Texas Department of Public Safety, EPIC obtained records about the department's use of two Pilatus surveillance planes, including videos recorded during the George Floyd protests. Reports have indicated that these planes, purchased by the state for border operations, were used to surveil cities hundreds of miles from the border. EPIC obtained flight logs from January 1, 2018 to June 15, 2020, plane technical specifications and the department's video retention policy. The flight logs revealed that the surveillance planes flew an average of one flight per day between May 25 to June 15, 2020, with a total of 103 hours of total flight time. In over ninety percent of these flights, the planes recorded no video. The planes reportedly cost an average of $474 an hour to fly, and the Texas DPS spent roughly $49,000 to record three videos over the three-week span. The Texas DPS withheld three videos recorded between May 25 to June 15, 2020, during the height of the George Floyd protests, despite its video retention policy stating that "all retained video copies...will be subject to open records requests." EPIC has long highlighted the privacy and civil liberties implications of aerial surveillance technology and has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance."
The New Jersey Supreme Court ruled today in State v. Andrews that an exception to the Fifth Amendment privilege against self-incrimination allows the government to compel decryption of a cell phone if the government has a valid search warrant and knows the identity of the phone’s owner. The court determined that compelled disclosure of a passcode is a testimonial act, but found that the foregone conclusion exception can apply to force decryption under certain circumstances. Importantly, the court stressed that, because the scope of the search in this case was very narrow, the decision did not license a “fishing expedition.” The court also signaled that it would apply the same restrictions to biometric passcodes as alphanumeric passcodes, stating that applying different standards to the two types of passcodes would be “problematic.” EPIC filed an amicus brief and presented oral argument in the case. Citing Riley v. California and Carpenter v. United States, EPIC argued that the vast troves of personal data stored in cell phones “justifies strong constitutional protections.” During oral argument, EPIC urged the court to adopt one rule for biometric and alphanumeric passcodes.
