« October 2017 | Main | December 2017 »

November 2017 Archives

November 1, 2017

EPIC FOIA: EPIC Uncovers Report on "Predictive Policing" but DOJ Blocks Release

EPIC has just received new documents in a FOIA case against the Department of Justice, however the agency is refusing to release reports about the use of "risk assessment" tools in the criminal justice system. In 2014, the Attorney General called on the U.S. Sentencing Commission to review the use of "risk assessments" in criminal sentencing, expressing the concern about potential bias. EPIC requested that document and filed suit against the DOJ to obtain it, but the agency failed to release the report by a court-ordered deadline. EPIC did obtain emails confirming the existence of a 2014 DOJ report about "predictive policing" algorithms, but the agency also withheld that report. "Risk assessments" are secret techniques used to set bail, to determine criminal sentences, and even decide guilt or innocence. EPIC has pursued several FOIA cases to promote algorithmic transparency, including cases on passenger risk assessment, "future crime" prediction, and proprietary forensic analysis.

EPIC Sues Justice Department for Release of Report on 'Backdoor Searches'

EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice National Security Division for a report detailing the FBI's warrantless searches for information about U.S. citizens. Section 702 of the Foreign Intelligence Surveillance Act allows conduct warrantless searches of non-U.S. persons in foreign intelligence investigations. But there are concerns that the FBI uses this authority to conduct "backdoor searches" on Americans. In EPIC v. NSD, EPIC seeks the release of a report ordered by the Foreign Intelligence Surveillance Court detailing the FBI's use of section 702 data for domestic criminal purposes. EPIC also recently joined coalition of over 50 organizations calling on lawmakers to establish a warrant requirement before the government can search 702 databases for information about U.S. citizens and residents. The USA Rights Act, now pending in Congress, would end backdoor searches by all federal agencies.

White House Cancels Safety Rule for Connected Vehicles

The Trump administration has set aside a proposed rule by the National Highway Transit Safety Association to regulate vehicle-to-vehicle (V2V) technology for all new cars and light trucks. V2V technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA and safety advocates have touted V2V technology as life-saving, noting that traffic fatalities have surged over the past two years with the increased use of cellphones. The rule was also supported by automakers to establish baseline safety standards. EPIC commented on the proposed rule and urged NHTSA to adopt stronger privacy protections. EPIC also submitted comments to the FTC and NHTSA for a workshop on connected vehicles, recommending that the agencies do more to protect consumer data. Security researchers have provided numerous examples of remote hacking of vehicles. The administration has denied that it has made any final decision on the rule, but it was removed from an OMB list of upcoming regulatory actions.

November 3, 2017

EPIC Promotes 'Algorithmic Transparency' for Political Ads

In comments to the Federal Election Commission, EPIC urged new rules to require transparency for online political ads. EPIC said voters should "know as much about advertisers as advertisers know about voters." EPIC called for algorithmic transparency which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment. The FEC reopened a comment period on proposed rules "in light of developments." This week representatives from Facebook, Twitter and Google testified at two Senate hearings on the role that social media played in Russian meddling in the 2016 election. Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ) have also introduced a bipartisan bill that would require increased disclosures for online political advertisements. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack.

November 7, 2017

EPIC v. DOJ: Court Orders DOJ to Defend Withholding of FISA Reports

A federal court, ruling in an EPIC FOIA lawsuit, has ordered the Department of Justice to defend the agency's refusal to release portions of its Foreign Intelligence Surveillance Act (FISA) reports. The semiannual reports, prepared for Congressional oversight committees, summarize significant FISA Court decisions and include the total number of FISA applications filed by the government and the number of U.S. persons targeted for surveillance. Though the court ruled that the DOJ can withhold some of the material requested by EPIC, the court found multiple "inconsistencies in the redactions that the government must address." Previously, EPIC's FOIA request and lawsuit led to the release of secret documents about the government's use of pen registers to collect records of private communications.

European Court of Human Rights Hears Key Surveillance Challenge

European Court of Human Rights has heard 10 Human Rights Organizations v. UK, a legal challenge which will impact surveillance practices around the world. The organizations who brought the case argue that surveillance by UK and US intelligence services violated their fundamental rights. In today's hearing, the groups' legal representative characterized the government's position as "trust us and we will keep you safe." Instead, she called for a "framework to ensure...public authorities are doing no more than is truly proportionate and are only using these very intrusive powers when they're necessary." EPIC filed a brief in the case explaining that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. EPIC casebook Privacy Law and Society explores a wide range of privacy issues, including recent decisions of the European Court of Human Rights.

November 9, 2017

Nominee for DHS Secretary Favors Less Wall, More Surveillance Tech at Border

Today Congress considered the nomination of Kirstjen M. Nielsen as Secretary at the Department of Homeland Security. Ms. Nielsen opposes a border wall but suggested an expansion of border surveillance. "Technology, as you know, plays a key part, and we can't forget it," she said. EPIC is pursuing a FOIA request regarding the use of DHS drones for border surveillance. Earlier EPIC cases - including EPIC v. DHS which led to the removal of x-ray body scanners in US airports - revealed that technologies for border surveillance invariably impact the privacy rights of Americans. Ms. Nielsen views on the use of DACA applicant data for enforcement remains unclear. EPIC recently warned that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals.

Equifax, Yahoo Testify Before Senate on Data Breaches

The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems recommended an "identity framework," with fingerprints and facial recognition to replace the Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in testimony before the Senate Banking Committee. Rotenberg has detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the Senate Judiciary Committee, the House Financial Services Committee, and the House Energy Committee to establish new safeguards for consumers following the Equifax data breach.

FTC Requests Public Comments on Strategic Plan

The FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out "10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017.

Presidential Election Commission Sued by Commission Member

A member of the Presidential Election Commission has sued the Commission, arguing that the Commission has violated the Federal Advisory Committee Act. According to Maine Secretary of State Matthew Dunlap, the Commission violated FACA by "excluding certain members of the Commission from substantively participating in its work" and by "preventing certain members of the Commission from accessing documents made available to some Commission members." EPIC filed the first lawsuit against the Commission, charging that it had violated federal law when it failed to conduct and publish a Privacy Impact Assessment prior to the collection of state voter. EPIC v. Presidential Commission is now before the federal appeals court for the D.C. Circuit. Oral argument is scheduled for November 21, 2017.

House Bill Would Restore FAA's Drone Registration Rule

A defense authorization bill released today in the House would restore an FAA drone regulation that was struck down by a federal appeals court earlier this year. The D.C. Circuit had previously ruled that a regulation requiring hobbyists to register their drones violated the FAA Modernization Act, which forbids regulations for "model aircraft." EPIC strongly supports registration for commercial drones but recognizes an exception for hobbyists. EPIC submitted statements to the House Transportation Committee and the Senate Commerce Committee earlier this year emphasizing the unique privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to protect the public from aerial surveillance by commercial drones in federal court. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018.

November 13, 2017

Missouri AG Cites EPIC's FTC Complaint in Announcing its Investigation into Google

Missouri Attorney General Josh Hawley has announced an investigation into Google's business practices concerning Internet privacy. The investigation also examines whether Google misappropriated content from competitors' websites and manipulated search results to preference Google sites. The Missouri AG stated, "when a company has access to as much consumer information as Google does, it's my duty to ensure they are using it appropriately." The announcement highlighted EPIC's recent FTC Complaint against Google regarding the company's tracking of in-store purchases as well as the record fine by the European Union for monopolistic search practices. Under the leadership of then Connecticut Attorney General Richard Blumenthal, the state Attorneys General previously investigated Google for the unlawful interception of private communications by means of the Google "Street View" vehicles. That state AGs fined Google $7,000,000 when it was found that the company "casually scooped up passwords, e-mail and other personal information from unsuspecting computer users."

Senators Urge FEC to Promote Transparency in Online Ads

A group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar, (D-MN) and Claire McCaskell, (D-MO) have urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided comments to the FEC calling for "algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack.

November 14, 2017

EPIC to House Judiciary: FBI Response to Russia Attack Must Be Examined

Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the House Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election.

Senators Question Social Security Administration about Election Commission Request

A group of Senators has requested information from Social Security Administration about the Presidential Election Commission's controversial plan to compare state voter rolls to the SSA's master database. Vice Chair Kris Kobach announced at the Commission's first meeting that the Commission staff would seek personal data from numerous federal agencies, including the SSA. EPIC filed a FOIA request with the SSA in September seeking records of the Commission's attempts to collect SSA data. "The public must know whether, how, and for what purpose a federal Commission is seeking new personal data from SSA, and how the federal agency has responded to any attempt to collect this data," EPIC wrote. EPIC filed similar FOIA requests with the Department of Justice and Department of Homeland Security. EPIC's case challenging the Commission's collection of state voter data will be argued next Tuesday, November 21 at 9:30 a.m. before the U.S. Court of Appeals for the D.C. Circuit.

November 15, 2017

D.C. Circuit to Hear Arguments in EPIC Voter Privacy Case Concerning Presidential Commission

The U.S. Court of Appeals for the D.C. Circuit will hear arguments next week in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. Arguments in EPIC v. Commission are set for next Tuesday, November 21 at 9:30 a.m. and will be streamed live through the D.C. Circuit’s website.

Senator Leahy Introduces Legislation To Protect Consumer Privacy

Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.

EPIC Warns that Weak Cybersecurity and Privacy Guidance Endangers Drivers

In comments to the National Highway Traffic Safety Administration, EPIC warned that the agency's proposed voluntary guidelines for autonomous vehicles would not protect auto passengers. EPIC explained that the privacy and security are paramount safety concerns and stated that "strong encryption in autonomous vehicles will be essential to driver safety." EPIC urged NHTSA to issue mandatory guidelines to protect consumers. EPIC also warned that the FTC lacks authority and expertise to protect driver privacy and security. EPIC made comments to NHTSA earlier this year, and has also brought this issue to attention of a House committee on consumer protection and the Senate Committee on Commerce.

European Court Adviser Says Facebook Privacy Class Action Barred

The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.

White House Vulnerability Review Charter Provides Process for Disclosing Tech Flaws

The White House has released the "Vulnerabilities Equities Policy and Process," describing how the U.S. Government will make decisions regarding disclosure of "Zero-day vulnerabilities." At issue are vulnerabilities in software and consumer products that can be exploited by intelligence agencies and malicious hackers. If the VEP review board — comprised of agency representatives such as the DHS, ODNI, CIA, FBI, OMB, Commerce Department, and NSA — votes for disclosure, the tech company will be notified "when possible" within 7 business days. The charter requires the NSA, serving as the board's secretariat, to produce an annual public report on VEP decisions. In extensive comments on surveillance reform, EPIC supported the recommendations of the Obama Review Group, which included a recommendation for an interagency process to review "Zero-day vulnerabilities." In a letter to the Senate Committee on Homeland Security earlier this year, EPIC stated that "data protection and privacy should remain a central focus of the cyber security policy of the United States."

EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government

In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.

November 16, 2017

Consumer Bureau Proposes Policy Guidance for Data Aggregation Services

The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often have adverse consequences for consumers.

EPIC, Coalition Oppose Government's 'Extreme Vetting' Proposal

EPIC and a coalition of civil rights organizations have sent a letter to the Acting Secretary of Homeland Security strongly opposing the Extreme Vetting Initiative. A similar letter was sent by technical experts. The government's 'Extreme Vetting' initiative uses opaque procedures, secret profiles, and obscure data including social media post, to review visa applicants and make final determinations. EPIC has warned against both the government's use of social media data and secret algorithms to profile individuals for decision making purposes. EPIC is also pursuing a FOIA request for details on the relationship between the Immigration and Customs Enforcement agency and Palantir, a company that provides software to analyze large amounts of data.

After Public Pressure, FEC To Begin Rulemaking On Online Ad Transparency

After receiving over 150,000 public comments, the Federal Election Commission voted unanimously to make new rules governing online political ad disclosures. EPIC, numerous other organizations, and lawmakers pressed the FEC to require transparency for online ads to combat foreign interference in U.S. elections. The FEC had solicited public comments on its internet disclosure rules three times in six years before finally taking action. A group of 15 Senators wrote, "The FEC must close loopholes that have allowed foreign adversaries to sow discord and misinform the American electorate." And a group of 18 members of Congress urged the FEC to "address head-on the topic of illicit foreign activity in U.S. elections." EPIC suggested the FEC go a step beyond simple disclosures and require "algorithmic transparency" for online platforms that deliver targeted ads to voters. Several senators have also introduced a bipartisan bill that would require the same disclosures for online ads as for television and radio. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity.

November 20, 2017

EPIC v. FBI: EPIC Pursues Release of Documents on Russian Meddling

In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has filed a motion contending the FBI must release records detailing the Russian interference in the 2016 election. EPIC explained that "a year after the election the full extent of Russian interference remains unknown to the public." EPIC also said the the FBI's failure to release documents "is contrary to law and leave at risk the security of future U.S. elections." The FBI must now file a reply to EPIC's motion. EPIC v. FBI is a part of the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. EPIC has filed related FOIA lawsuits against the DHS, ODNI, and IRS. EPIC also recently pressed the Federal Election Commission to establish transparency for online ads. The FEC voted unanimously to adopt new rules.

EPIC Urges Supreme Court to Steer Clear of Warrantless Vehicle Searches

EPIC has filed an amicus brief in Byrd v. United States, a case about warrantless searches of rental vehicles. EPIC urged the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. The lower court held that because the driver was not an authorized renter, he was not entitled to privacy protection. EPIC has filed extensive comments with the National Highway Traffic Safety Administration, the Federal Trade Commission and the Department of Transportation, and testified before the U.S. Congress regarding the privacy and consumer safety risks posed by connected vehicles. EPIC also routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Jones, Riley v. California, and Florida v. Harris.

Senators Leahy and Lee Introduce USA Liberty Act, Reform for FISA Spying

Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) have introduced the USA Liberty Act to reform surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The Leahy-Lee bill would close the "backdoor search" loophole by requiring a probable cause court order before the government can review the contents of Americans' communications. The Leahy-Lee bill also codifies the ban on collecting "about" communications, mandates the appointment of amicus curiae for review of the surveillance programs, and establishes new reporting requirements. In a Freedom of Information Act lawsuit, EPIC v. NSD, EPIC is seeking the release of a Foreign Intelligence Surveillance Court report detailing the FBI’s use of section 702 data for domestic criminal purposes.

November 21, 2017

Live Audio: D.C. Circuit Hears Arguments in EPIC Voter Privacy Case Concerning Presidential Commission

The U.S. Court of Appeals for the D.C. Circuit hears arguments today in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. Live audio of the arguments will be streamed from this link beginning at 9:30 a.m. ET. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

Uber Hid Massive Data Breach For Over A Year And Paid Hackers

Uber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies.

November 22, 2017

EPIC Challenges Google Cookie Tracking Settlement as Unfair to Class Members

EPIC filed an amicus with a federal appeals court urging the court to reject a proposed class action settlement in a consumer privacy case. The case involved Google tracking internet users in violation of the users' privacy settings. EPIC said the settlement resulted in no change in business practices and wrongly awarded cy pres funds to organizations that Google would otherwise support. The settlement was also opposed by the Attorneys General of thirteen states. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google. EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement.

November 27, 2017

EPIC Provides U.S. Report for Privacy Experts Meeting

EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy to the International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes Data Protection Authorities and experts, from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of automated vehicles, pending Supreme Court case concerning cell phone location tracking Carpenter v. United States, U.S. investigation of the Russian interference in the 2016 election, the Equifax data breach, and more. The 62nd meeting to the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

November 28, 2017

Senator Warner Questions Uber CEO On Why It Hid Data Breach

Senator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies.

EPIC Promotes 'Algorithmic Transparency,' Urges Congress to Regulate AI Techniques

In advance of a hearing on "Algorithms: How Companies' Decisions About Data and Content Impact Consumers," EPIC warned a Congressional committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international a campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable."

EPIC FOIA - Rep. Ted Lieu Asks FBI to Explain Failure to Notify Russian Hacking Victims

In a letter to FBI director Christopher Wray, Rep. Ted Lieu (D-CA) asked the FBI to brief Congress on the agency's failure to notify victims targeted by the Russian hacking group Fancy Bear. Lieu's letter follows an Associated Press's (AP) investigation which found that the FBI did not notify U.S. officials that their accounts were compromised even though the FBI knew of the targeted cyber attacks and had primary responsibility in the federal government for notification. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit (EPIC v. FBI) filed earlier this year. The FBI policy calls for notifying victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).

EPIC to Congress: FAA Must Establish Drone Privacy Safeguards and ID Requirements

EPIC sent a statement to a House Committee on Transportation ahead of a hearing on drone deployment in the United States. EPIC said that "privacy rules and identification requirements" are vital for the safe integration of commercial drones in the national air space. EPIC explained that the FAA has failed to establish necessary safeguards and has purposefully ignored privacy and public safety risks. In 2015, EPIC sued the FAA, arguing that the agency failed to comply with a Congressional mandate and a petition from leading experts. EPIC also told Congress that the FAA has excluded privacy experts from the agency task force on drone policy. In October 2017, CNN reported the first drone strike on a commercial aircraft.

November 29, 2017

EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing'

The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy

In the case of Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated Article 8 of the European Convention on Human Rights (the right to respect one's "private and family life"). The decision follows earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have deemed all classrooms and meetings rooms as "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through third-party intervention in the European Court of Human Rights as well as documented the spread of CCTV surveillance technology across American cities. EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The Privacy Law and Society website provides more information about international privacy law.

About November 2017

This page contains all entries posted to epic.org in November 2017. They are listed from oldest to newest.

October 2017 is the previous archive.

December 2017 is the next archive.

Many more can be found on the main index page or by looking through the archives.