
October 2016 Archives

October 4, 2016

EPIC FOIA: Google Secretly Attempted to Narrow FCC Privacy Protections, Exclude Customer IP Addresses

In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission has released communications about the FCC’s broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer’s IP address. An email exchange between Google’s Vinton Cerf and FCC Chairman Tom Wheeler reveals Google’s backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers’ IP addresses. While EPIC has repeatedly argued that the FCC’s rules can and should go further, the current proposal would safeguard some consumer data, including IP addresses.

Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails

Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program, “Carnivore,” that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community.


Supreme Court Won't Review Privacy Violations by Facebook, Google

The U.S. Supreme Court has declined to review two important consumer privacy cases: K.D. v. Facebook, a suit challenging Facebook’s use of young children’s names and images in advertising without consent, and Gourley v. Google, a suit opposing Google’s covert use of web cookies to track browsing habits. In K.D., consumers urged the Supreme Court to review a Ninth Circuit opinion, which upheld a controversial settlement. EPIC filed an amicus brief in a companion case, Fraley v. Facebook, explaining that a settlement that allows a company to continue to engage in privacy violations is unfair. In Gourley, consumers asked the Court to overrule a Third Circuit decision holding that Google's exploitation of browser privacy loopholes did not violate the Wiretap Act or Stored Communications Act.

October 6, 2016

FCC Releases Revised Broadband Privacy Plan

The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The revised rules will require ISPs to obtain consumers' consent only for use of "sensitive" information. The original proposal offered privacy protections for all consumer data. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review. EPIC has said that the FCC should go further to safeguard consumer privacy. The Commission plans to vote on the proposal on October 27th.

CPDP2017, Leading Data Protection Conference, Extends Paper Deadline

Computers, Privacy, and Data Protection, the international conference devoted to privacy and data protection, will now accept papers until October 22, 2016. The theme of CPDP2017 is "The Age of Intelligent Machines." CPDP2017 will be held on 25-27 January 2017 in Brussels. The CPDP2017 Call for Papers is addressed to all researchers who wish to present papers. All submitted papers will be peer reviewed by members of the CPDP 2017 Scientific Committee (and other independent reviewers where necessary) and will be commented upon by distinguished scholars. EPIC is one of many organizations sponsoring the event. The 2017 EPIC International Champion of Freedom Award will be presented at CPDP.

October 13, 2016

EPIC Defends Consumers' Right to Sue Cable Providers for Illegal Data Retention

EPIC has filed an amicus brief urging a federal appeals court to preserve consumers' right to sue cable providers that illegally retain their data. A former Time Warner Cable subscriber brought a privacy lawsuit alleging that Time Warner held onto his personal information long after he had canceled the service, a clear violation of a provision in a federal privacy law. But a lower court wrongly dismissed the suit, concluding that there had been no "injury." In the amicus brief, EPIC said that the lower court confused "injury" with "harm." When a company violates a federal law, EPIC explained, that is a "legal injury" and the reason that the court must hear the case. EPIC filed an amicus brief in a similar case in July and regularly files briefs defending consumer privacy.

White House Releases Reports on Future of Artificial Intelligence

The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns. Preparing for the Future of Artificial Intelligence surveys the current state of AI, applications, and emerging challenges for society and public policy. The report concludes "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations." A companion report National Artificial Intelligence Research and Development Strategic Plan proposes a strategic plan for Federally-funded research and development in AI. President Obama will discuss these issues on October 13 at the White House Frontiers Conference in Pittsburgh. #FutureofAI EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), and Cahen v. Toyota (autonomous vehicles).

FTC Hosts Event on Drones and Privacy

Today the Federal Trade Commission will host a panel discussion on drones and privacy as part of the agency's Fall Technology Series. The Director of EPIC's Domestic Surveillance Project, Jeramie Scott, will participate in the panel. Mr. Scott previously testified before the Pennsylvania Senate on domestic drone surveillance and submitted a statement for the record regarding a Maryland bill to limit drone surveillance. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals.

October 14, 2016

WhatsApp Privacy Update: Spain Investigating Broken Privacy Promises

Spain is the latest country to investigate WhatsApp's transfer of user data, including the verified user phone number, to Facebook. The Spanish Data Protection Agency joins privacy regulators in Germany, India, Italy, and the U.K. that have taken action against WhatsApp's changes to privacy practices that contradict previous promises. EPIC filed a complaint with the Federal Trade Commission over the policy change in August, and more than a dozen consumer groups have backed these efforts. The Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises."

October 18, 2016

FTC's Data Protection Authority Under Attack in LabMD Case

A medical testing lab has petitioned a federal appeals court to reject the authority of the Federal Trade Commission to enforce data security standards. The commission recently found that LabMD's poor data security practices, which led to a breach of personal medical data, were "unfair" under the FTC Act and ordered the company to take corrective measures. "[T]he privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," the commission explained. EPIC previously filed an amicus brief in FTC v. Wyndham, a similar case in which another appeals court upheld the FTC's data protection authority. The court in that case stated, "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

Report: Facial Recognition is Expansive, Unregulated; Coalition Calls for DOJ Review

EPIC and a coalition of civil liberties organizations urged the Justice Department to review the disparate impact of facial recognition. The letter follows a report on law enforcement use of the technology. The report builds on work pursued by EPIC and others. Freedom of Information Act documents obtained by EPIC showed that the DHS system lacked privacy safeguards, and that the FBI accepts a 20% error rate for its Next Generation Identification system and has agreements to run facial recognition searches on DMV databases. In 2012, EPIC urged the Federal Trade Commission to suspend the use of facial recognition techniques pending the establishment of legal safeguards. And the 2009 Madrid Privacy Declaration, authored by NGOs and privacy experts, calls for a moratorium on the face scanning technology.

DoD Exempts "Insider Threat" Database from Privacy Act Safeguards

The Department of Defense has issued a final rule on the "Insider Threat" database, a program that allows the federal agency to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Defense Department exempted itself from Privacy Act safeguards that would limit collection of personally identifiable information, and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the agency. EPIC also questioned whether that information would be adequately protected. Military officials described the 2015 data breach as an "absolute calamity."

October 19, 2016

Privacy Commissioners Adopt Resolutions on Student Privacy, Privacy Metrics

At the 38th International Conference of Data Protection and Privacy Commissioners, held in Marrakech, Morocco, privacy officials from around the world adopted resolutions to strengthen data protection rights. The primary resolution — An International Competency Framework on Privacy Education — addressed one of the most serious challenges to digital society, the education of students about privacy risks. Other resolutions adopted concerned Privacy Metrics, Human Rights Defenders, and International Enforcement Cooperation. EPIC has actively participated in many of the conferences through the Public Voice coalition, which sponsored NGO events at more than a dozen of the annual meetings. The Madrid Privacy Declaration was adopted by NGOs at the 2009 Public Voice meeting, held in connection with the Privacy Commissioners conference. #icdppc2016

European High Court Rules that Dynamic IP Addresses are Personal Data

The Court of Justice for the European Union has ruled that dynamic IP addresses are personal data subject to protection under data protection law. The Court said that a user's identity can still be revealed through use of legal process, even though the numeric address may not be unique to the user. The Court also said that the collection of IP addresses must be limited to the purposes for which they were collected. The Court noted that personal data can be lawfully collected if it is necessary to protect cybersecurity. The European Court of Justice opinion is aligned with EPIC's recommendation for Privacy Enhancing Technologies that minimize or eliminate the collection of personally identifiable information. Internet services that do not retain IP addresses or adopt techniques that are unable to link IP addresses to a particular user may not be subject to the decision, which is binding across Europe. EPIC has made similar arguments about the scope of personal information to US courts as amicus curiae. EPIC argued in the Nickelodeon case that IP addresses and unique device IDs are personally identifiable information subject to protection under US privacy law. Federal courts are now split on the issue and the US Supreme Court may soon resolve the matter.

New Study Shows Public Does Not Trust Social Media Privacy, Supports Stronger Privacy Laws

A new survey supported by the Craig Newmark Foundation shows that while 80% of Americans use social media daily, 96% do not trust social networks to protect their privacy. The survey found that only 7% of millennials trust these sites to protect their data. A majority of Americans surveyed also expressed concern about the lack of safety online, including fears over identity theft, email hacking, and non-consensual online tracking. Many Americans think privacy laws are too weak. Among all groups, millennials are increasingly aware of the need for stronger privacy laws. EPIC maintains a webpage devoted to Privacy and Public Opinion and has launched the Data Protection 2016 campaign to highlight privacy protection in the 2016 election.

EPIC, Consumer Coalition Tells FCC to Limit Health Care Robocalls

EPIC and a coalition of consumer privacy advocates have urged the Federal Communications Commission to reject a request by health insurance companies to make unlimited health-related robocalls to consumers under the Telephone Consumer Protection Act. The insurance companies asked the FCC to amend the TCPA so that once a consumer provides her phone number to her doctor, she has "consented" to receiving telemarketing calls from other health care providers on anything medically related. The coalition comments, led by the National Consumer Law Center, urge the FCC to limit the scope of consumers' consent to medical robocalls by excluding telemarketing calls and allowing only calls related to the original reason the consumer provided her phone number. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC's 2015 order that strengthened consumer protections under the TCPA.

EPIC and Coalition Urge Presidential Candidates to Adopt Good Government Policies

In letters to Hillary Clinton and Donald Trump, EPIC and a coalition of NGOs urged the presidential candidates to adopt good-government policies in the next administration. In the first letter, the coalition called on the nominees to adopt a rigorous code of ethics for their presidential transition teams. Citing then-Senator Obama's 2008 transition code of ethics, the coalition urged the candidates to prohibit individuals with lobbying ties and financial conflicts of interest from working in the administration. EPIC also joined a second letter calling on the next president to adopt stronger policies on government record keeping. The next president, wrote the coalition, "can demonstrate commitment to strengthening records accountability within the federal government" by directing agencies to comply with the Office of Management and Budget's 2012 government records directive, implement agency-wide record keeping training, develop open records plans, and abide by strict reporting deadlines. EPIC and other open government groups previously pushed the Obama administration to improve its implementation of the Freedom of Information Act.

October 20, 2016

DC Appeals Court Hears Arguments in Telemarketing Privacy Case

The federal appeals court in Washington, D.C. heard oral arguments Wednesday in a case with major implications for telephone privacy. The suit, ACA International v. FCC, was brought against the Federal Communications Commission by telemarketing companies and others challenging rules adopted under the Telephone Consumer Protection Act that prohibit automated calls made to cell phones without their consent. EPIC and six consumer privacy groups filed an amicus brief in the case, stressing the importance of privacy protections for cell phone users. EPIC also challenged a claim made by the telemarketers that "37 million" numbers were reassigned each year, making it difficult, the companies claimed, to comply with the privacy law. During the argument, one of the judges pressed the telemarketers' attorney on the point (audio), citing research in the EPIC amicus brief. EPIC frequently participates as amicus curiae in cases that raise novel privacy issues.

EPIC Promotes "Algorithmic Transparency" at Annual Meeting of Privacy Commissioners

Speaking at the 38th International Conference of the Data Protection and Privacy Commissioners in Marrakech, EPIC President Marc Rotenberg highlighted EPIC's recent work on algorithmic transparency and also proposed two amendments to Asimov's Rules of Robotics. Rotenberg cautioned that autonomous devices, such as drones, were gaining the rights of privacy - control over identity and secrecy of thought - that should be available only for people. Rotenberg also highlighted EPIC's recent publication "Privacy in the Modern Age", the Data Protection 2016 campaign, and the various publications available at the EPIC Bookstore. The 2017 Privacy Commissioners conference will be held in Hong Kong.

EPIC Scrutinizes FBI "Insider Threat" Database

In comments to the FBI, EPIC criticized a proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. Earlier this year, EPIC filed comments with DOD and DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards.

October 24, 2016

EPIC FOIA - FAA Defies Congress, Fails to Complete Drone Privacy Report

Through an EPIC Freedom of Information Act request, EPIC obtained documents revealing that the FAA never finished a drone privacy report required by Congress. The Appropriations Act of 2014, which provided funding for the agency, required the FAA to inform Congress on "how the FAA can address the impact of widespread use of [drones] on individual privacy." The FAA drone privacy report was to be completed before the end of 2015 and before any drone regulations were issued. Now, as the end of 2016 approaches, the FAA has moved forward with regulations lacking privacy safeguards, and the drone privacy report is still unfinished. EPIC is currently suing the FAA for the agency's failure to establish drone privacy rules.

EPIC Urges Massachusetts High Court to Protect Email Privacy

EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this is prohibited by the Massachusetts Wiretap Act. EPIC described Google's complex scanning and analysis of private communications, concluding that it was far more invasive than the interception of telephone communications, prohibited by state law. A federal court in California recently ruled that non-Gmail users may sue Google for violation of the state wiretap law. EPIC has filed many amicus briefs in federal and state courts and participated in the successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The EPIC State Policy Project is based in Somerville, Massachusetts.

October 25, 2016

EPIC to Testify Before Maryland House of Delegates on Cell Site Simulators

EPIC Senior Counsel Alan Butler will testify today before the Maryland House of Delegates concerning "Cell Site Simulator Technology, Historical Location Information, and Aerial Surveillance by Police." The hearing follows a recent complaint to the FCC regarding the use of "Stingrays," fake cell phone towers, by the Baltimore Police Department to intercept private communication. In a 2013 Freedom of Information Act suit against the FBI, EPIC uncovered plans involving federal and state law enforcement agencies to keep the use of Stingrays secret. EPIC has since argued in amicus briefs that cell phone location data is protected by the Fourth Amendment. Baltimore Police used Stingrays to track more than 1,700 individuals between 2007 and 2014.

Google "Quietly" Changes Privacy Policy, Matches Tracking Data and User ID

Ars Technica reported this week that Google "quietly" changed its privacy policy this summer to combine tracking data and user ID - data it had previously promised to keep separated. The revised policy now says that "your activity on other sites and apps may be associated with your personal information" for ad delivery. In 2007, EPIC urged the FTC to block Google's proposed acquisition of Doubleclick, warning that Google would eventually link the Google user profile with the Doubleclick data despite the company's representations. When the FTC approved the merger without conditions, EPIC responded that the FTC "had reason to act and authority to act, and failed to do so." Currently before the FTC is a complaint from EPIC concerning WhatsApp's plan to transfer user data to Facebook, breaking a privacy promise made by the company at the time of the 2014 acquisition to act "independently and autonomously."

UN Report Cites Threats to Freedom of Expression

A top United Nations official on the freedom of expression released a report citing "severe" threats to freedom of expression worldwide. The report flagged governments cracking down on encryption, blocking websites, suspending communications services, and over-classifying information as key concerns. EPIC described the importance of strong encryption in an amicus brief earlier this year and regularly litigates Freedom of Information Act cases to improve transparency about government surveillance. A new EPIC publication — The Privacy Law Sourcebook 2016 — provides an overview of legal instruments for privacy protection, as well as information about privacy agencies, organizations, and publications.

October 27, 2016

Privacy Advocates Challenge EU-US Data Transfer Agreement

An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice for the European Union concluded that personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance.

FCC Adopts Modest Privacy Rules for Broadband Services

The Federal Communications Commission today approved privacy regulations for broadband services. The rules require ISPs to obtain consumers’ consent for "sensitive" information, which includes web browsing history and app usage, but excludes IP and MAC addresses which are also used to track Internet users. (A document obtained by EPIC under the FOIA indicates that Google lobbied for this exception.) The rules establish data breach notification requirements but permit companies to charge users for privacy protection and permit arbitration when violations of privacy rights occur. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.

October 28, 2016

European Privacy Officials Pursue Investigation of WhatsApp & Yahoo

The Article 29 Working Party, an expert group of European privacy officials, is pursuing investigations of WhatsApp and Yahoo. In a letter to Facebook, the Working Party stated that the decision to transfer confidential user data from WhatsApp to Facebook has raised "serious concerns," and urged WhatsApp to halt data transfers pending completion of the investigation. Separately, the group urged Yahoo to provide information about the 2014 data breach which compromised 500 million accounts. The Article 29 Working Party also pressed the company to explain why it scanned customer emails for US intelligence agencies. EPIC recently filed a complaint with the FTC regarding WhatsApp, arguing that it violated a 2014 agreement and urging the Commission to block the transfer. EPIC has also testified before Congress about the need to adopt data breach legislation and launched the Data Protection 2016 campaign.

About October 2016

This page contains all entries posted to epic.org in October 2016. They are listed from oldest to newest.
