« October 2015 | Main | December 2015 »

November 2015 Archives

November 2, 2015

EPIC Joins Call for Transparency on Number of Americans Caught in NSA Surveillance

EPIC, joined by over 30 other organizations, urged the Director of National Intelligence, James Clapper, to disclose data on how many Americans are caught up in NSA surveillance of foreign targets. Americans’ communications are incidentally collected under Section 702 of the Foreign Intelligence Surveillance Act, and the FBI searches this data without a warrant or judicial oversight. EPIC, in testimony before Congress and comments to the Privacy and Civil Liberties Oversight Board, has repeatedly called for greater oversight and transparency of surveillance authorities.

Not So Picture Perfect: Snapchat Will Store User Content Forever

Snapchat, a popular mobile app that promised "to vanish" user messages, photos, and videos, will now store user content forever, following changes to its terms and conditions. Snapchat now claims the right to "host, store, use, display, reproduce, modify, . . .and publicly display" users' content forever. This change may violate the 2014 consent order with the Federal Trade Commission, which prohibits Snapchat from making false claims about how the company protects user information. The FTC's 2014 consent order resulted from EPIC's complaint which stated that the company violated Section 5 because "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted."

As Meetings Begin, Drone Registration Task Force Fails to Include Privacy Groups

The FAA has released the membership list of the Drone Registration Task Force, which is charged with drafting recommendations for a federal drone registry. Notably, the Task Force does not include any privacy organization or privacy experts. EPIC filed an expedited FOIA request for the Task Force membership list and called on the FAA to publicly release the information. Earlier this year, EPIC sued the FAA for failing to establish privacy rules for commercial drones as mandated by Congress. The public may submit comments on the Drone Registration plan however the Task Force meeting location and agenda remains secret.

EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law

In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows, US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."

November 4, 2015

Rep. Chaffetz Bill Would End Warrantless Stingray Surveillance

Rep. Jason Chaffetz has introduced a bill in the U.S. Congress that would prohibit government agencies from using cell-site simulators (or stingrays) without a warrant in most circumstances. The Cell-Site Simulator Act of 2015 would also explicitly exclude stingrays from the pen register statute currently used by law enforcement to conduct stingray operations with less than probable cause. The government would still be able to conduct warrantless stingray operations under the Foreign Intelligence Surveillance Act or in emergencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant. EPIC has also filed amicus briefs arguing that cell phone location data is protected by the Fourth Amendment.

Tech Funding Bills Could Upgrade Student Privacy

Congress may soon incorporate student privacy safeguards into legislation for digital learning in the classroom. Congress needs to merge two bills that provide technology funding for schools but require extensive student data collection -- the "Every Child Achieves Act of 2015" (S. 1177) and the "Student Success Act" (H.R. 5). Pending student privacy bills include the "Student Privacy Protection Act of 2015" (H.R. 3157)), the "Student Privacy Protection Act of 2015" (S. 1341), the "Student Digital Privacy and Parental Rights Act of 2015'' (H.R. 2092), and the "Protecting Student Privacy Act of 2015'' (S. 1322). EPIC supports establishment of a Student Privacy Bill of Rights.

EPIC Sues for Release of Secret EU-US "Umbrella Agreement"

EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit.

November 5, 2015

US Releases Updated Open Government Plan

The United States has released its Third Open Government National Action Plan, an initiative pursued by countries and NGOs participating in the Open Government Partnership. In response to recommendations proposed by EPIC and a coalition of civil society groups, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The White House, however, failed to incorporate other recommendations such as publishing FISC opinions and pledging to limit the use of the FOIA's b(5) Exemption. EPIC and others previously called on President Obama to address weaknesses in open government administration and push for meaningful FOIA reform.

In EPIC Lawsuit, FAA Concedes Drone Privacy Risks

The Federal Aviation Administration has filed a brief in response to EPIC's lawsuit, EPIC v. FAA, charging that the agency failed to establish privacy rules for commercial drones as required by law. EPIC sued the agency after Congress required a "comprehensive plan" for drone deployment and a petition, backed by more than one hundred organizations and privacy experts, called for privacy safeguards. In its response to EPIC, the FAA acknowledged that the comprehensive plan "recognizes the privacy issues that may be heightened" by drone surveillance. The FAA also conceded that drones, "because of their size and capabilities, may enhance privacy concerns," but the agency has still not begun the process of developing regulations to safeguard privacy.

Privacy Groups Urge Ninth Circuit to Find NSA Metadata Program Illegal

EPIC and other privacy groups have filed a friend of the court brief in United States v. Moalin, the first criminal case challenging the NSA's warrantless surveillance of Americans' telephone records. The lower court refused to reopen the case after it was revealed that data acquired by the NSA provided the primary evidence for the criminal conviction. EPIC and other groups argued in their brief that metadata is protected under the Fourth Amendment. EPIC previously argued in Smith v. Obama that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." In In re EPIC, EPIC petitioned the Supreme Court to end the NSA's bulk telephone record collection program, which occurred with passage of the USA Freedom Act.

November 6, 2015

European Commission Issues Guidance on Data Transfers Post-Schrems

The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."

November 10, 2015

Court Suspends NSA Phone Record Collection Program

A federal court in Washington D.C. has ordered the National Security Administration to halt the bulk collection of domestic telephone records, ruling that the indiscriminate collection violates the Fourth Amendment. Following the USA Freedom Act, the telephone records program will expire at the end of the month. The government has moved to stay the judge's order. In 2013, EPIC brought the first challenge to the NSA surveillance program in the Supreme Court. EPIC has also testified before Congress on the need to reform the Foreign Intelligence Surveillance Court, and led a broad coalition urging the President to end the NSA surveillance program.

EPIC Obtains Documents on Secret DNA Forensic Source Code

In response to EPIC's state public records requests, Virginia and Pennsylvania have both released documents about "TrueAllele," a proprietary technique used in DNA forensic analysis. Virginia released to EPIC a validation study and validation summary prepared by the Virginia Department of Forensic Science. Pennsylvania produced purchase and service contracts, technical specifications, and user manuals for TrueAllele. Agencies in California, Louisiana, Pennsylvania, and Virginia have stated that they do not have access to the TrueAllele source code that they are using to produce evidence against defendants. EPIC's open government requests cited the importance of algorithmic transparency in the criminal justice system.

November 11, 2015

EPIC Supports Drone Registration Proposal

In comments to the FAA, EPIC urged the agency to require all drone operators to register in a federal drone registry. An FAA task force, lacking any privacy experts, is developing a plan for a national registry. EPIC said registration is critical for public safety and privacy protection. EPIC recommended that the FAA require drones to broadcast identification information and that the registration database detail a drone's surveillance capabilities. EPIC also urged the agency to provide privacy protections for the personal information of hobbyists. Earlier this year, EPIC sued the FAA for failing to establish privacy rules for commercial drones as mandated by Congress.

November 12, 2015

Federal Appeals Court Revives Google Cookie Tracking Suit

A federal appeals court has reinstated a class action alleging that Google and internet advertising companies unlawfully placed tracking cookies on users' web browsers. A reasonable jury could conclude that Google's "deceitful override of the plaintiffs' cookie blockers" constitutes a "serious invasion of privacy" under California law. The appeals court also held that tracked URLs could constitute "content" under the federal Wiretap Act, though it ultimately upheld the dismissal of all federal law claims for other reasons. EPIC filed an amicus brief in a similar case, arguing that Viacom's disclosure of IP addresses and unique device identifiers to Google violated the Video Privacy Protection Act.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.

November 17, 2015

EPIC to Testify on Car Privacy and Data Security

EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.

November 18, 2015

EPIC Warns ICANN about Lack of Privacy for WHOIS Data

In comments to ICANN, EPIC urged the Internet policy organization to comply with privacy law and privacy standards. ICANN manages the Whois database, a publicly accessible repository of domain name registrants' contact information. EPIC has long criticized ICANN for exposing personal data to spammers, stalkers, and criminal investigators. Internet privacy expert Stephanie Perrin recently stated, "The existing policy and trigger mechanisms reflect at best a basic failure to comprehend the way data protection law works, at worst a determination to be as difficult and intransigent as possible." In the latest comments, EPIC warned ICANN that failure to comply with legal standards could leave the organization subject to enforcement action, following the Schrems decision in Europe. ICANN's final report is due December 1.

November 19, 2015

In Court: EPIC Pursues Drone Privacy Safeguards

EPIC has filed an additional brief in EPIC v. FAA. The case follows from an act of Congress requiring a "comprehensive plan" for drone deployment and EPIC's petition, joined by more than 100 hundred experts, that urged the agency to establish drone privacy rules. In the most recent court filing, EPIC challenged the agency's rationale for dismissing the petition. EPIC also argued the FAA improperly ignored privacy concerns in a recent rulemaking on small drones. The FAA conceded that drones, "because of their size and capabilities, may enhance privacy concerns," but still did not propose privacy safeguards. The United States Court of Appeals for the DC Circuit is expected to hear argument in the case early next year.

Congress Explores Risk of Student Record Data Breach

A Congressional Committee held a hearing on the Education Department's information security program. In 2014, the Department's Inspector General found that the "information systems continue to be vulnerable to serious security threats." The hearing revealed that the Education Department maintains at least 139 million Social security numbers in one of its databases. The Department has 184 information systems and 120 of those systems are managed by outside parties. For years, EPIC has warned of growing student privacy and security risks. EPIC has urged congress to enact the Student Privacy Bill of Rights to protect student data.

November 20, 2015

Congress Examines (Lack of) Drone Privacy and Safety

This week a House Committee examined "The Fast-Evolving Uses and Economic Impacts of Drones." Chairman Burgess, echoing comments from other committee members, stated, "there are important questions around privacy laws and safety." The FAA Modernization and Reform Act of 2012 required the FAA to develop a "comprehensive plan" to integrate drones into national airspace by September 30, 2015. Despite missing the deadline, the FAA has granted over 2,220 exemptions for commercial drones even as safety and privacy concerns increase. More than 100 privacy experts and organizations petitioned the FAA to establish privacy safeguards prior to the deployment of drones. EPIC has sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones.

November 21, 2015

Administrative Decision Tosses LabMD Data Security Case

An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The admin judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."

November 23, 2015

EPIC Opposes NSA Plan to Expand Operations Database, Demands Privacy Act Compliance

EPIC submitted comments to the NSA objecting to the agency's proposal to expand its "Operations Records" database. This database is already largely exempt from Privacy Act safeguards, and the proposal would vastly expand the types of information collected in the database and define new routine uses for this information. EPIC's comments addressed the privacy issues raised by the Operations Records database and NSA's proposed changes, opposed further expansion of NSA's information collection activities, and demanded that NSA narrow the Privacy Act exemptions for the system if the proposal goes forward. EPIC has previously urged NSA to conduct information collection activities in compliance with the Privacy Act.

EPIC to FAA: Proposed Registration Requirements Fall Short

The FAA Drone Task Force Final Report fails to ensure the safe operation of drones in the United States. The committee proposed only that drone operators (1) register online, (2) receive a universal registration number, and (3) mark the number on drones prior to operation. In comments to the agency, EPIC recommended that drones broadcast registration numbers, and that registration include drone surveillance capabilities and contact information for operators, such as phone numbers. The FAA's former top drone official told the Associated Press that drone surveillance capabilities will contribute to safety risks. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. That case is pending before the D.C. Circuit Court of Appeals.

In Court: EPIC Urges Massachusetts to Protect Student Privacy

EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding a student privacy case. EPIC said that the police should obtain a warrant before seizing a student's cell phone. Citing a recent Supreme Court case, EPIC explained "Modern cell phones . . . implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. In Riley v. California, a unanimous Supreme Court held that a search of cell phone required a warrant. EPIC previously filed an amicus brief in Commonwealth v. Connolly, a Massachusetts case concerning GPS tracking. The EPIC State Policy Project is based in Cambridge, Massachusetts.

November 24, 2015

EPIC to Receive More Documents in Boater Surveillance Case

This morning a federal judge in Washington, D.C. ordered the U.S. Coast Guard to release to EPIC, within sixty days, additional documents on the "National Automated Identification System,' a controversial boater tracking program that EPIC is investigating. According to documents previously obtained by EPIC, the Department of Homeland Security believes that boaters have "no expectation of privacy with regard to any information transmitted" on the Automated Identification System. The documents also reveal that the DHS fuses AIS data with other government data to develop detailed profiles on boaters. EPIC has previously expressed support for AIS to promote maritime safety, but warned that the NAIS system exceeds this purpose. In January, EPIC expects to receive contracts and privacy impact assessments that were previously withheld.

TSA Continues Delay of Legal Authority for Airport Body Scanners

The Transportation Security Administration is expected to issue a final rule on airport body scanners by March 3, 2016, nearly five years after the D.C. Circuit Court of Appeals ordered the agency to "promptly" solicit pubic comments on the controversial scanners. In 2011, EPIC successful challenged the TSA's unlawful deployment of airport body scanners. Following EPIC's lawsuit, backscatter x-ray devices were removed from U.S. airports. Still, the agency continues to ignore public comments that overwhelmingly favor less invasive security screenings.

November 30, 2015

Freedom Act Goes Into Effect, NSA Bulk Data Collection Ends

The Director of National Intelligence has announced that the NSA's bulk collection of domestic telephone records under "Section 215" ended yesterday when the USA Freedom Act took effect. The Freedom Act ended the NSA's 215 Program and established new transparency and accountability rules for the Foreign Intelligence Surveillance Court. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program.

About November 2015

This page contains all entries posted to epic.org in November 2015. They are listed from oldest to newest.

October 2015 is the previous archive.

December 2015 is the next archive.

Many more can be found on the main index page or by looking through the archives.