September 2017 Archives

September 5, 2017

European Court of Human Rights Rules Employee Monitoring Violates Privacy Rights

The European Court of Human Rights has ruled that a company's dismissal of an employee based on monitored chat logs violates the fundamental right to privacy. In Barbulescu v. Romania, the Court found that the right to private life and correspondence in Article 8 of the European Convention on Human Rights protects workplace communications. As a result, employees are entitled to prior notice about the extent and type of monitoring their employer conducts. Last year, EPIC intervened in a case before the European Court of Human Rights challenging the activities of British and U.S. intelligence organizations. The casebook Privacy Law and Society (West 2016) explores a wide range of privacy issues, including recent decisions of the Court of Human Rights.

Medicare to Remove SSN from ID Cards

Earlier this year, the Center Medicare Services announced that the Social Security Number would be removed from the Medicare benefits card. Senators Susan Collins and Claire McCaskill led the effort in the Senate to remove the SSN, which contributed to identity theft and often targeted seniors. EPIC testified before their Senate Committee in 2015 on "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" EPIC explained that "there is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy." Since its founding, EPIC has sought to limit the use of the Social Security Number on identification documents.

September 6, 2017

EPIC Backs Public Comments to End Commission's Collection of Voter Data

The Presidential Election Commission is seeking public comments in advance of the Commission's September 12 meeting. EPIC encourages commenters to tell the Commission to end the collection of state voter data. "The Commission's actions have placed the privacy of voters at risk and undermined confidence in the integrity of voting in the United States," said EPIC. As EPIC has explained, the Commission failed to complete a required Privacy Impact Assessment and is violating the constitutional right to information privacy. The Commission was forced to suspend the data collection plan in response to EPIC's lawsuit, but it recently resumed activities. EPIC, and many other organizations, continue to contest the legality of the Commission's actions. Public comments, which are due by Friday, September 8 at 5 p.m., may be submitted at this link.

EPIC Urges Public Comments on FTC Settlement with Uber

EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the company's business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases.

September 7, 2017

House's Automated Vehicle Bill Lacks Privacy Standards, Would Preempt State Safeguards

The House of Representatives has passed the "SELF DRIVE Act" to encourage the deployment of "automated vehicles" in the United States. Responding to widespread privacy concerns, the bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws. EPIC has repeatedly urged Congress and federal agencies to establish strong public safety standards for automated vehicles. EPIC also backs state efforts to develop privacy and safety safeguards.

Call For Papers - CPDP 2018 "The Internet of Bodies"

Computers, Privacy, and Data Protection, the leading international conference devoted to privacy and data protection, has opened a call for papers ahead of the 2018 conference. The conference theme is "The Internet of Bodies," and the conference will be held on 24-26 January 2018 in Brussels. The CPDP2018 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP Scientific Committee. EPIC is one of the founders of CPDP and an annual sponsor of the event. The EPIC International Champion of Freedom Award will be presented at CPDP.

Federal Commission Backs Evidence-Based Policies, Strong Privacy Safeguards

The Commission on Evidence-Based Policymaking, which was tasked with studying whether and how data across the federal government could be combined for policy research while protecting privacy, has issued its final report. The Commission backs evidence-based policy, recommends new privacy safeguards including Privacy Enhancing Techniques, encourages broader use of statistical data, and recommends the creation of a National Secure Data Service. In testimony before the Commission, EPIC President Marc Rotenberg promoted both innovative privacy safeguards and well-informed public policy. EPIC also filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report earlier this year that examined how disparate federal data sources can be used for policy research while protecting privacy.

September 8, 2017

143 Million US Consumers Suffer Massive Data Breach, Equifax at Fault

In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, driver's license information, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach "represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. But last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.

EPIC Obtains Final Report on "Face ePassport Air Entry Experiment"

As the result of a Freedom of Information Act request, EPIC has obtained a report on the use of face recognition on travelers entering the United States at Dulles Airport. The report was obtained after EPIC filed a lawsuit against Customs and Border Protection for documents about the agency's biometric entry/exit program, expedited by Executive Order 13769. As the report was heavily redacted, EPIC's FOIA lawsuit is ongoing. In a statement to the House Homeland Security Committee earlier this year, EPIC warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA, concerning airport body screening.

FTC Announces Privacy Shield Settlement but Imposes No Penalties

The Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017.

September 11, 2017

EPIC Seeks Details of Election Commission's Attempts to Obtain Personal Data

Ahead of the Presidential Election Commission's September 12 meeting, EPIC has submitted urgent Freedom of Information Act requests to the Department of Homeland Security, Executive Office for U.S. Attorneys, and Social Security Administration seeking details of the Commission's latest attempts to obtain sensitive, personal data. At the Commission's first meeting, Vice Chair Kobach tasked the Commission staff with "trying to collect whatever data there is that's already in the possession of the federal government that might be helpful to us," including data stored in federal agency record systems that is protected under the Privacy Act. Earlier this summer, the Commission suspended collection of state voter data in response to a lawsuit brought by EPIC. EPIC's case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals. EPIC has also advised state election officials not to provide voter data until the Privacy Impact Assessment is completed.

EPIC Urges Senate To Establish Data Protection Standards For Financial Technologies

In advance of a hearing on financial technology, EPIC recommended that the Senate Committee establish privacy standards for financial companies that use social media and secret algorithms to make determinations about consumers. In light of the recent Equifax breach, EPIC proposed that the Committee make privacy and security its top priorities. Earlier this year, EPIC submitted a similar statement to the House Committee on Energy and Commerce. EPIC also recently filed a complaint with the CFPB regarding "starter interrupt devices" deployed by auto lenders to remotely disable cars when individuals are late on their payments. Testimony of Professor Frank Pasquale on "Exploring the Fintech Landscape."

September 12, 2017

Voting System Guidelines Under Review, Secret Ballot at Risk

The Election Assistance Commission technical committee is meeting today to review standards for voting equipment. Some members of the Technical Guidelines Development Committee have raised questions about the value of the secret ballot. Last year, EPIC, Verified Voting, and Common Cause explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. Most states (44) have constitutional provisions guaranteeing secrecy in voting. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. Also today, MIT Professor Ronald Rivest spoke in support of ballot secrecy and election integrity at a meeting of the Presidential Commission on Election Integrity.

NHTSA Revised Automated Vehicle Policy Lacks Privacy Safeguards, Senate Considers Draft Bill

The National Highway Traffic Safety Administration released revised guidance for automated vehicles. The modified guidance encourages manufacturers to develop best practices to minimize cybersecurity risks. However, the NHTSA guidance lacks mandatory standards and fails to safeguard privacy, stating that the Federal Trade Commission is responsible for consumer privacy. Previous NHTSA guidance established privacy standards and required developers to minimize data collection. The Senate Commerce Committee is now considering the "AV START Act" concerning automated vehicles. The draft bill proposes voluntary cybersecurity and also lacks consumer privacy standards. Today the NTSB also released findings that Tesla's autopilot feature contributed to a highway fatality earlier this year. EPIC has long advocated for privacy and cybersecurity safeguards to be a central component of automated vehicle development.

September 14, 2017

EPIC, Groups Urge Greater Transparency for International Intelligence Arrangements

EPIC, Privacy International, and other groups called for increased transparency of U.S. intelligence arrangements. The groups explained that secret arrangements circumvent international human rights agreements and domestic law. The coalition asked the Senate and House Intelligence Committees and Judiciary Committees, as well as the Privacy and Civil Liberties Oversight Board, for information about their review of these arrangements. Earlier this year, EPIC warned Congress about a secret US-UK agreement for law enforcement access to personal data otherwise protected by law. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit.

September 15, 2017

Justice Department Exempts "Insider Threat" Database from Privacy Act Safeguards

The Department of Justice has issued a final rule on the "Insider Threat" database, a program that allows federal agencies to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Department of Justice exempted itself from Privacy Act safeguards that would limit the collection of personal data, and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the Justice Department. EPIC also questioned whether that information would be adequately protected. The Justice Department responded to EPIC and acknowledged increases in data breaches in both the public and private sectors but stated that the agency had proper safeguards in place to guard against "anticipated threats."

Senators Introduce Data Breach Legislation In The Wake Of Equifax Breach

Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure that consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S.

EPIC Urges FTC To Strengthen Privacy Settlement With Uber

In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement was prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement.

September 18, 2017

EPIC, Global Coalition Recommend Human Rights Protections for Cybercrime Proposal

EPIC joined European Digital Rights (EDRI) and a coalition of organizations to advise the Council of Europe about protecting human rights during trans-national criminal investigations. The "Global Civil Submission" states that a proposed update to the Convention on Cybercrime should include compliance with human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC opposed the U.S. ratification of the Convention on Cybercrime, citing its sweeping expansion of law enforcement authority. However, EPIC and the U.S. Privacy Coalition have long campaigned for United States ratification of "Convention 108," the International Privacy Convention.

September 19, 2017

NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong

The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pierrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.

September 20, 2017

End of DACA Program Poses Privacy Risks to Dreamers

The recent Department of Homeland Security memo rescinding the Deferred Action for Childhood Arrivals program creates new privacy risks for at least 800,000 individuals. At issue is the personal data provided to DHS by DACA applicants. In the 2012 Privacy Impact Assessment, the DHS stated that personal data would be "protected from disclosure to ICE and CBP for the purpose of immigration enforcement proceedings." Now that the program is set to expire, the personal data provided by DACA applicants is at risk of use for unauthorized purposes, implicating the federal Privacy Act. EPIC has long supported vigorous enforcement of the federal Privacy Act and opposed efforts that target individuals in immigrant communities.

Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million

A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm.

September 22, 2017

DC Court: Warrantless Tracking with "Stingray" Violates Fourth Amendment

The D.C. Court of Appeals has ruled that warrantless use of a cell-site simulator or "stingray" violates the Fourth Amendment. The court found that Stingray devices enable "officers who possess a person's telephone number to discover that person's precise location remotely and at will." The court held that the use of a Stingray invaded a reasonable expectation of privacy and thus was a Fourth Amendment search. EPIC recently filed a brief in a U.S. Supreme Court case arguing that warrantless location tracking violates the Fourth Amendment. EPIC has also promoted oversight of Stingrays by law enforcement agencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant, and that the FBI provided Stingrays to other law enforcement agencies. EPIC has also filed amicus briefs in federal and state courts arguing that cell phone location data is protected by the Fourth Amendment.

CBP Plans to Exempt Social Media Data from Legal Protections

Customs and Border Protection has published a system of records notice for the "Intelligence Records System." The agency proposes to exempt the database from many Privacy Act safeguards. The database contains detailed personal data from social media and commercial data services. CBP will use the "Analytical Framework for Intelligence" to secretly profile and evaluate social media users. In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to U.S. travelers. EPIC is now pursuing a FOIA request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir.

September 26, 2017

EPIC Backs Commission on Evidence-Based Policymaking, Urges Congress to Take Steps to Preserve Privacy

In a statement to Congress, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking. Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. The Commission's report recommends new privacy safeguards and encourages broader use of statistical data. EPIC submitted comments to the Commission urging the adoption of Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. Several of EPIC's recommendations were incorporated in the Commission report. A report from the National Academies of Sciences earlier this year examined federal data sources and privacy.

EPIC Urges Court to Protect Facebook Users' Privacy, Disputes "Consent" in Medical Data Case

EPIC has filed a “friend of the court” brief with the Ninth Circuit in Smith v. Facebook concerning Facebook’s tracking of users when they visit healthcare websites, including cancer.net. The lower court dismissed the case, ruling that Facebook users consented to the disclosure of their personal data, based on Facebook's terms and conditions, even when the medical sites said specifically that data would not be disclosed. EPIC argued that, “consent is not an acid rinse that dissolves common sense.” Facebook previously settled charges with the FTC that it routinely changed its privacy settings without user consent. The settlement resulted from complaints brought by several consumer organizations, including EPIC.

September 28, 2017

Privacy Officials from Around the World Adopt Resolutions on Connected Vehicles, Collaboration, and Enforcement

The International Conference of Data Protection and Privacy Commissioners, meeting in Hong Kong, has adopted three resolutions on emerging privacy issues. The resolution on Data Protection in Automated and Connected Vehicles urges all parties to "fully respect the users' rights to the protection of their personal data and privacy." The resolution on Collaboration between Data Protection and Consumer Protection Authorities calls for joint efforts at the international level to "protect citizens and consumers in the digital economy." And the resolution on "Future Options for International Enforcement" builds on the OECD Recommendations for Cross-Border Cooperation. EPIC and other NGOs convened a Public Voice event in Hong Kong to promote a dialogue on emerging privacy issues with data protection officials and seek progress on the Madrid Privacy Declaration.

EPIC Calls for Greater FTC Enforcement

In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders.

Supreme Court to Hear Two Fourth Amendment Cases

The Supreme Court has agreed to review two Fourth Amendment car search cases. In Collins v. Virginia, the Court will decide whether police can search a vehicle parked in the driveway of a private home without first obtaining a warrant. In Byrd v. United States, the Court will decide whether a person driving a rental car loses their expectation of privacy in the vehicle solely because they are not the official driver on the rental agreement. The Court is already set to hear Carpenter v. United States this fall, a major Fourth Amendment case about warrantless searches of cell phone location data. EPIC filed a "friend-of-the-court" brief in that case urging the Court to extend Constitutional protection to cell phone data. EPIC regularly files briefs with the Supreme Court arguing for greater Fourth Amendment protections, including in Utah v. Strieff, Los Angeles v. Patel, and Riley v. California.

EPIC Urges Senate to Block Biometric Collection At US Airports

EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previously pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program.

EPIC Files Appeal to DC Circuit, Seeks Release of Trump Tax Returns

EPIC has appealed the decision of a federal district court which ruled that the IRS can withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." In response to a FOIA request from EPIC, the IRS recently acknowledged that it has used this authority 10 times in one year. But the district court said the power was a "rare bird" and concluded that "until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attack.

EPIC to Ninth Circuit: Don't Turn the Channel on Video Privacy Case

EPIC has filed a letter brief in a video privacy case concerning ESPN's collection of viewer data. The court in Eichenberger v. ESPN, Inc. is trying to determine whether consumers can bring lawsuits based on a violation of federal privacy law after the Supreme Court's decision in Spokeo v. Robins, a case about "standing" to sue. EPIC filed a brief in support of Eichenberger, arguing that "the history and judgement of Congress leaves little doubt that Congress believed a violation of the Act would be a concrete injury." EPIC also explained "a court is not empowered to override congressional judgments as to which injuries should be legally protected." EPIC testified before the Senate about the history and purpose of the Video Privacy Protection Act. EPIC has also filed several amicus briefs on standing to sue in consumer privacy cases.

September 29, 2017

Court Rules New York "Ballot Selfie" Ban is Constitutional

A federal court has ruled that a New York state ban on the posting of "ballot selfies" is constitutional. "New York has a compelling interest in preventing vote buying and voter coercion," the court wrote. "The State's interest in the integrity of its elections is paramount." Ballot selfies allow campaigns, employers, unions, and others to find out how an individual voted. But as EPIC explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy," the secret ballot—the inability to link particular voters to particular votes—is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote.

About September 2017

This page contains all entries posted to epic.org in September 2017. They are listed from oldest to newest.