April 2016 Archives

April 1, 2016

EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order

Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices.

April 4, 2016

EPIC Sues Agency for Drone Task Force Meeting Records

EPIC has filed a FOIA lawsuit against the Department of Transportation for records of the closed-door meetings of the "Drone Registration Task Force". The agency created the Task Force late last year to develop recommendations for registering commercial drones. The Task Force--whose membership included no civil liberties organizations or privacy advocates--met in secret last November before releasing a report. EPIC submitted extensive comments to the Task Force. EPIC's lawsuit was filed just after the FAA's Aviation Rulemaking Committee of industry groups and agency officials recommended easing restrictions that prohibit businesses from flying unmanned aerial vehicles. In EPIC v. FAA, EPIC has also challenged the FAA's failure to establish privacy rules for drones.

April 6, 2016

DHS, Federal Agencies Publish 2016 FOIA Reports

Most federal agencies, including the Department of Homeland Security, have now published the 2016 FOIA Reports. These annual reports, required by former Attorney General Holder's 2009 FOIA Memo, describe each agency's compliance with the FOIA, including steps taken to improve processing and promote openness. The federal FOIA ombudsman is currently investigating the practices of six DHS component agencies in response to a 2015 letter from EPIC and open government advocates. EPIC and others have recently urged the President to support bipartisan legislation aimed at improving the FOIA.

April 7, 2016

TACD Opposes "Privacy Shield," Urges Rejection by EU

The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.

April 8, 2016

FAA Considers Removing Safety Rules for Small Drones, Also Ignores Privacy Concerns

The report of a secret FAA committee would relax safety rules for drones operating over populated areas. The report also makes no mention of the privacy risks of aerial surveillance by small drones. Like the FAA registration task force, the FAA small drones committee was composed of mostly industry members and did not include any privacy or consumer protection groups. The report recommends allowing drones to fly within 20' above a person or within 10' next to a person. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. EPIC also filed a FOIA lawsuit against the FAA for the records of the secret drone task force meetings.

EPIC, Coalition Oppose NSA Data Transfer Plan

EPIC and over 30 organizations have urged the Obama Administration to halt proposed changes to Executive Order 12333 that would permit the NSA to transfer raw data collected to law enforcement agencies. The NSA’s vast data collection activities are traditionally limited to intelligence purposes. The proposal will permit use of NSA data by law enforcement and make personal data more widely available across the federal government. Last year, EPIC urged the Privacy and Civil Liberties Oversight Board to increase oversight of 12333.  EPIC called for: (1) new limits on data collection and disclosure; (2) audit trails for surveillance activities; and (3) published legal justifications for surveillance programs. The Board is currently reviewing surveillance under EO 12333.

President Obama: In Digital Age, People Have New Set of Privacy Expectations

In remarks at the University of Chicago Law School yesterday, President Obama named privacy as one of the constitutional issues that will be increasingly salient in the years to come. “In a society in which so much of your life is digitized, people have a whole new set of privacy expectations that are understandable,” said the President. Obama said the encryption debate was “just the tip of the iceberg of what we’re going to have to figure out.” In its brief in Apple v. FBI, EPIC recently argued that cell phone encryption was adopted to protect consumers from crime. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues.

April 12, 2016

EPIC Advises HHS to Safeguard Substance Abuse Patient Records

In comments to the Department of Health and Human Services, EPIC criticized the agency's proposed revisions to confidentiality rules for substance abuse patient records. The proposal would weaken consent requirements for disclosing patient records and allow linkage of substance abuse records to other databases. EPIC explained that patient privacy and public health policy require strong confidentiality protections. EPIC warned that the changes proposed by HHS would compromise record confidentiality and reduce the effectiveness of public health programs. EPIC consistently advocates for strong confidentiality protections for medical records.

April 13, 2016

Senate Examines FTC's Antitrust Enforcement

The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders.

EU Officials Call for Changes in Privacy Agreement

European privacy officials announced today that there must be changes in the draft proposal for EU-US data transfers. The Article 29 Working Party has "strong concerns" that the current text fails to provide adequate protection against commercial misuse and bulk surveillance. The Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the agreement. Privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal.

April 14, 2016

House Moves Forward on Modest ECPA Updates

The House Judiciary Committee has voted 28-0 in favor of the Email Privacy Act, H.R. 699, a bill that would establish a warrant requirement for the disclosure of all electronic communications. The law would also require notice to customers whose communications have been collected. With 314 members of the House cosponsoring, the bill is slated to be considered by the House on April 25th. Senator Leahy, who has sponsored an identical bill in the Senate, said that "Congress has waited far too long to enact these reforms." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.

U.S. Government Sued Over Refusal to Notify Users of E-mail Searches

Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users’ private information, arise in thousands of cases each year. EPIC has supported similar challenges to “gag orders” and has opposed the expansion of “no notice” searches. EPIC has also recommended notice requirements for e-mail searches.

European Parliament Adopts Comprehensive Data Protection Regulation

The European Parliament finalized a historic reform of EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers."

April 19, 2016

EPIC Defends Right of Data Breach Victims to Bring Suit

EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy.

April 20, 2016

Intelligence Court Orders Government to Report on PRISM Collection

Three decisions by the Foreign Intelligence Surveillance Court (FISC) were made public this week. The Court identified serious “compliance and implementation issues” related to the Section 702 ("PRISM") surveillance program. The FISC found that the NSA did not purge personal data as required by minimization procedures, and also that the FBI failed to exclude attorney-client communications. In 2012, EPIC testified before Congress and recommended the publication of FISC opinions to facilitate public oversight.

April 25, 2016

EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes

In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data. EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However, the FCC must clarify and enhance enforcement of these rules to address current business practices. EPIC has defended consumer privacy at the FCC for almost 20 years.

TSA Releases New Body Scanner Document to EPIC

In response to an EPIC FOIA request, the Transportation Security Administration has released a document describing the technical capabilities of the airport body scanners. EPIC previously obtained documents from TSA revealing that body scanners can record, store, and transmit digital strip search images of airline passengers. Last month, the TSA issued a regulation on airport body scanners, nearly five years after a federal appeals court ordered the agency to “promptly” undertake a rule making. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the TSA plans to use invasive body scanners at US airports. The TSA also said it may mandate airport body scanners, even though the agency previously told the D.C. Circuit that the body scanner program was optional and the federal appeals court upheld the program, relying on the agency’s statements.

April 27, 2016

Google Wants User Data, Opposes FCC Privacy Rules

Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as “unnecessary.” The FCC’s proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data.

FOIA Ombudsman Releases First Part of "Still Interested" Report

In response to a letter from EPIC and open government advocates, the FOIA ombudsman has issued the first part of a report on the use of "still interested" letters by federal agencies. The DHS and other agencies have sent these letters to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. In today's report, OGIS found that there is no "guidance or standard for reporting requests that agencies close" through "still interested" letters, and that it does not yet understand the impact such letters have on FOIA requesters.

House Passes Narrow ECPA Update

The Email Privacy Act of 2016 has passed the House 419-0. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.

FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests

The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products, after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser DoubleClick, which the FTC approved over the objection of Commissioner Pamela Harbour, who cited the connection between monopoly practices and privacy violations.

April 28, 2016

Supreme Court Approves Remote Computer Hacking by Police

The U.S. Supreme Court has voted to approve changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search.  Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal.

April 15, 2016

Privacy in the States: Data Breach Notification in TN, Drone Surveillance in OR

Tennessee has become the first state to expand data breach notification requirements to encrypted data. Public Chapter Number 692 requires any information holder to notify Tennessee residents of a data breach even if the data was encrypted. Information holders include anyone who conducts business in the state or state agencies that own or license personal information. The new law also requires that the notice be made within 45 days of discovering the breach.

Oregon further strengthened protections against drone surveillance last month when Governor Kate Brown signed HB 4066. Existing Oregon law already provided a civil action against drone operators who fly over private property after receiving notice from the property owner. The new legislation adds a provision to the state's criminal laws which would make the recording of photos, motion picture video, or other visual recording through the use of a drone an invasion of personal privacy, which is a Class A misdemeanor. The law also requires that any public body that operates a drone establish policies for the "use, storage, accessing, sharing and retention of data" resulting from the operation of drones. EPIC's State Policy Project monitors state privacy issues nationwide.

About April 2016

This page contains all entries posted to epic.org in April 2016. They are listed from oldest to newest.
