« October 2017 | Main

November 2017 Archives

November 1, 2017

EPIC FOIA: EPIC Uncovers Report on "Predictive Policing" but DOJ Blocks Release

EPIC has just received new documents in a FOIA case against the Department of Justice, however the agency is refusing to release reports about the use of "risk assessment" tools in the criminal justice system. In 2014, the Attorney General called on the U.S. Sentencing Commission to review the use of "risk assessments" in criminal sentencing, expressing the concern about potential bias. EPIC requested that document and filed suit against the DOJ to obtain it, but the agency failed to release the report by a court-ordered deadline. EPIC did obtain emails confirming the existence of a 2014 DOJ report about "predictive policing" algorithms, but the agency also withheld that report. "Risk assessments" are secret techniques used to set bail, to determine criminal sentences, and even decide guilt or innocence. EPIC has pursued several FOIA cases to promote algorithmic transparency, including cases on passenger risk assessment, "future crime" prediction, and proprietary forensic analysis.

EPIC Sues Justice Department for Release of Report on 'Backdoor Searches'

EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice National Security Division for a report detailing the FBI's warrantless searches for information about U.S. citizens. Section 702 of the Foreign Intelligence Surveillance Act allows conduct warrantless searches of non-U.S. persons in foreign intelligence investigations. But there are concerns that the FBI uses this authority to conduct "backdoor searches" on Americans. In EPIC v. NSD, EPIC seeks the release of a report ordered by the Foreign Intelligence Surveillance Court detailing the FBI's use of section 702 data for domestic criminal purposes. EPIC also recently joined coalition of over 50 organizations calling on lawmakers to establish a warrant requirement before the government can search 702 databases for information about U.S. citizens and residents. The USA Rights Act, now pending in Congress, would end backdoor searches by all federal agencies.

White House Cancels Safety Rule for Connected Vehicles

The Trump administration has set aside a proposed rule by the National Highway Transit Safety Association to regulate vehicle-to-vehicle (V2V) technology for all new cars and light trucks. V2V technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA and safety advocates have touted V2V technology as life-saving, noting that traffic fatalities have surged over the past two years with the increased use of cellphones. The rule was also supported by automakers to establish baseline safety standards. EPIC commented on the proposed rule and urged NHTSA to adopt stronger privacy protections. EPIC also submitted comments to the FTC and NHTSA for a workshop on connected vehicles, recommending that the agencies do more to protect consumer data. Security researchers have provided numerous examples of remote hacking of vehicles. The administration has denied that it has made any final decision on the rule, but it was removed from an OMB list of upcoming regulatory actions.

November 3, 2017

EPIC Promotes 'Algorithmic Transparency' for Political Ads

In comments to the Federal Election Commission, EPIC urged new rules to require transparency for online political ads. EPIC said voters should "know as much about advertisers as advertisers know about voters." EPIC called for algorithmic transparency which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment. The FEC reopened a comment period on proposed rules "in light of developments." This week representatives from Facebook, Twitter and Google testified at two Senate hearings on the role that social media played in Russian meddling in the 2016 election. Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ) have also introduced a bipartisan bill that would require increased disclosures for online political advertisements. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack.

November 7, 2017

EPIC v. DOJ: Court Orders DOJ to Defend Withholding of FISA Reports

A federal court, ruling in an EPIC FOIA lawsuit, has ordered the Department of Justice to defend the agency's refusal to release portions of its Foreign Intelligence Surveillance Act (FISA) reports. The semiannual reports, prepared for Congressional oversight committees, summarize significant FISA Court decisions and include the total number of FISA applications filed by the government and the number of U.S. persons targeted for surveillance. Though the court ruled that the DOJ can withhold some of the material requested by EPIC, the court found multiple "inconsistencies in the redactions that the government must address." Previously, EPIC's FOIA request and lawsuit led to the release of secret documents about the government's use of pen registers to collect records of private communications.

European Court of Human Rights Hears Key Surveillance Challenge

European Court of Human Rights has heard 10 Human Rights Organizations v. UK, a legal challenge which will impact surveillance practices around the world. The organizations who brought the case argue that surveillance by UK and US intelligence services violated their fundamental rights. In today's hearing, the groups' legal representative characterized the government's position as "trust us and we will keep you safe." Instead, she called for a "framework to ensure...public authorities are doing no more than is truly proportionate and are only using these very intrusive powers when they're necessary." EPIC filed a brief in the case explaining that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. EPIC casebook Privacy Law and Society explores a wide range of privacy issues, including recent decisions of the European Court of Human Rights.

November 9, 2017

Nominee for DHS Secretary Favors Less Wall, More Surveillance Tech at Border

Today Congress considered the nomination of Kirstjen M. Nielsen as Secretary at the Department of Homeland Security. Ms. Nielsen opposes a border wall but suggested an expansion of border surveillance. "Technology, as you know, plays a key part, and we can't forget it," she said. EPIC is pursuing a FOIA request regarding the use of DHS drones for border surveillance. Earlier EPIC cases - including EPIC v. DHS which led to the removal of x-ray body scanners in US airports - revealed that technologies for border surveillance invariably impact the privacy rights of Americans. Ms. Nielsen views on the use of DACA applicant data for enforcement remains unclear. EPIC recently warned that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals.

Equifax, Yahoo Testify Before Senate on Data Breaches

The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems recommended an "identity framework," with fingerprints and facial recognition to replace the Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in testimony before the Senate Banking Committee. Rotenberg has detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the Senate Judiciary Committee, the House Financial Services Committee, and the House Energy Committee to establish new safeguards for consumers following the Equifax data breach.

FTC Requests Public Comments on Strategic Plan

The FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out "10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017.

Presidential Election Commission Sued by Commission Member

A member of the Presidential Election Commission has sued the Commission, arguing that the Commission has violated the Federal Advisory Committee Act. According to Maine Secretary of State Matthew Dunlap, the Commission violated FACA by "excluding certain members of the Commission from substantively participating in its work" and by "preventing certain members of the Commission from accessing documents made available to some Commission members." EPIC filed the first lawsuit against the Commission, charging that it had violated federal law when it failed to conduct and publish a Privacy Impact Assessment prior to the collection of state voter. EPIC v. Presidential Commission is now before the federal appeals court for the D.C. Circuit. Oral argument is scheduled for November 21, 2017.

House Bill Would Restore FAA's Drone Registration Rule

A defense authorization bill released today in the House would restore an FAA drone regulation that was struck down by a federal appeals court earlier this year. The D.C. Circuit had previously ruled that a regulation requiring hobbyists to register their drones violated the FAA Modernization Act, which forbids regulations for "model aircraft." EPIC strongly supports registration for commercial drones but recognizes an exception for hobbyists. EPIC submitted statements to the House Transportation Committee and the Senate Commerce Committee earlier this year emphasizing the unique privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to protect the public from aerial surveillance by commercial drones in federal court. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018.

November 13, 2017

Missouri AG Cites EPIC's FTC Complaint in Announcing its Investigation into Google

Missouri Attorney General Josh Hawley has announced an investigation into Google's business practices concerning Internet privacy. The investigation also examines whether Google misappropriated content from competitors' websites and manipulated search results to preference Google sites. The Missouri AG stated, "when a company has access to as much consumer information as Google does, it's my duty to ensure they are using it appropriately." The announcement highlighted EPIC's recent FTC Complaint against Google regarding the company's tracking of in-store purchases as well as the record fine by the European Union for monopolistic search practices. Under the leadership of then Connecticut Attorney General Richard Blumenthal, the state Attorneys General previously investigated Google for the unlawful interception of private communications by means of the Google "Street View" vehicles. That state AGs fined Google $7,000,000 when it was found that the company "casually scooped up passwords, e-mail and other personal information from unsuspecting computer users."

Senators Urge FEC to Promote Transparency in Online Ads

A group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar, (D-MN) and Claire McCaskell, (D-MO) have urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided comments to the FEC calling for "algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack.

November 14, 2017

EPIC to House Judiciary: FBI Response to Russia Attack Must Be Examined

Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the House Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election.

Senators Question Social Security Administration about Election Commission Request

A group of Senators has requested information from Social Security Administration about the Presidential Election Commission's controversial plan to compare state voter rolls to the SSA's master database. Vice Chair Kris Kobach announced at the Commission's first meeting that the Commission staff would seek personal data from numerous federal agencies, including the SSA. EPIC filed a FOIA request with the SSA in September seeking records of the Commission's attempts to collect SSA data. "The public must know whether, how, and for what purpose a federal Commission is seeking new personal data from SSA, and how the federal agency has responded to any attempt to collect this data," EPIC wrote. EPIC filed similar FOIA requests with the Department of Justice and Department of Homeland Security. EPIC's case challenging the Commission's collection of state voter data will be argued next Tuesday, November 21 at 9:30 a.m. before the U.S. Court of Appeals for the D.C. Circuit.

November 15, 2017

D.C. Circuit to Hear Arguments in EPIC Voter Privacy Case Concerning Presidential Commission

The U.S. Court of Appeals for the D.C. Circuit will hear arguments next week in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. Arguments in EPIC v. Commission are set for next Tuesday, November 21 at 9:30 a.m. and will be streamed live through the D.C. Circuit’s website.

Senator Leahy Introduces Legislation To Protect Consumer Privacy

Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.

EPIC Warns that Weak Cybersecurity and Privacy Guidance Endangers Drivers

In comments to the National Highway Traffic Safety Administration, EPIC warned that the agency's proposed voluntary guidelines for autonomous vehicles would not protect auto passengers. EPIC explained that the privacy and security are paramount safety concerns and stated that "strong encryption in autonomous vehicles will be essential to driver safety." EPIC urged NHTSA to issue mandatory guidelines to protect consumers. EPIC also warned that the FTC lacks authority and expertise to protect driver privacy and security. EPIC made comments to NHTSA earlier this year, and has also brought this issue to attention of a House committee on consumer protection and the Senate Committee on Commerce.

European Court Adviser Says Facebook Privacy Class Action Barred

The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.

White House Vulnerability Review Charter Provides Process for Disclosing Tech Flaws

The White House has released the "Vulnerabilities Equities Policy and Process," describing how the U.S. Government will make decisions regarding disclosure of "Zero-day vulnerabilities." At issue are vulnerabilities in software and consumer products that can be exploited by intelligence agencies and malicious hackers. If the VEP review board — comprised of agency representatives such as the DHS, ODNI, CIA, FBI, OMB, Commerce Department, and NSA — votes for disclosure, the tech company will be notified "when possible" within 7 business days. The charter requires the NSA, serving as the board's secretariat, to produce an annual public report on VEP decisions. In extensive comments on surveillance reform, EPIC supported the recommendations of the Obama Review Group, which included a recommendation for an interagency process to review "Zero-day vulnerabilities." In a letter to the Senate Committee on Homeland Security earlier this year, EPIC stated that "data protection and privacy should remain a central focus of the cyber security policy of the United States."

EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government

In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.

November 16, 2017

Consumer Bureau Proposes Policy Guidance for Data Aggregation Services

The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often have adverse consequences for consumers.

EPIC, Coalition Oppose Government's 'Extreme Vetting' Proposal

EPIC and a coalition of civil rights organizations have sent a letter to the Acting Secretary of Homeland Security strongly opposing the Extreme Vetting Initiative. A similar letter was sent by technical experts. The government's 'Extreme Vetting' initiative uses opaque procedures, secret profiles, and obscure data including social media post, to review visa applicants and make final determinations. EPIC has warned against both the government's use of social media data and secret algorithms to profile individuals for decision making purposes. EPIC is also pursuing a FOIA request for details on the relationship between the Immigration and Customs Enforcement agency and Palantir, a company that provides software to analyze large amounts of data.

After Public Pressure, FEC To Begin Rulemaking On Online Ad Transparency

After receiving over 150,000 public comments, the Federal Election Commission voted unanimously to make new rules governing online political ad disclosures. EPIC, numerous other organizations, and lawmakers pressed the FEC to require transparency for online ads to combat foreign interference in U.S. elections. The FEC had solicited public comments on its internet disclosure rules three times in six years before finally taking action. A group of 15 Senators wrote, "The FEC must close loopholes that have allowed foreign adversaries to sow discord and misinform the American electorate." And a group of 18 members of Congress urged the FEC to "address head-on the topic of illicit foreign activity in U.S. elections." EPIC suggested the FEC go a step beyond simple disclosures and require "algorithmic transparency" for online platforms that deliver targeted ads to voters. Several senators have also introduced a bipartisan bill that would require the same disclosures for online ads as for television and radio. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity.

November 20, 2017

EPIC v. FBI: EPIC Pursues Release of Documents on Russian Meddling

In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has filed a motion contending the FBI must release records detailing the Russian interference in the 2016 election. EPIC explained that "a year after the election the full extent of Russian interference remains unknown to the public." EPIC also said the the FBI's failure to release documents "is contrary to law and leave at risk the security of future U.S. elections." The FBI must now file a reply to EPIC's motion. EPIC v. FBI is a part of the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. EPIC has filed related FOIA lawsuits against the DHS, ODNI, and IRS. EPIC also recently pressed the Federal Election Commission to establish transparency for online ads. The FEC voted unanimously to adopt new rules.

EPIC Urges Supreme Court to Steer Clear of Warrantless Vehicle Searches

EPIC has filed an amicus brief in Byrd v. United States, a case about warrantless searches of rental vehicles. EPIC urged the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a blue tooth connection, and storage in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. The lower court held that because the driver was not an authorized renter, he was not entitled to privacy protection. EPIC has filed extensive comments with the National Highway Traffic Safety Administration, the Federal Trade Commission and the Department of Transportation, and testified before the U.S. Congress regarding the privacy and consumer safety risks posed by connected vehicles. EPIC also routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Jones, Riley v. California, and Florida v. Harris.

Senators Leahy and Lee Introduce USA Liberty Act, Reform for FISA Spying

Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) have introduced the USA Liberty Act to reform surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The Leahy-Lee bill would close the "backdoor search" loophole by requiring a probable cause court order before the government can review the contents of Americans' communications. The Leahy-Lee bill also codifies the ban on collecting "about" communications, mandates the appointment of amicus curiae for review of the surveillance programs, and establishes new reporting requirements. In a Freedom of Information Act lawsuit, EPIC v. NSD, EPIC is seeking the release of a Foreign Intelligence Surveillance Court report detailing the FBI’s use of section 702 data for domestic criminal purposes.

November 21, 2017

Live Audio: D.C. Circuit Hears Arguments in EPIC Voter Privacy Case Concerning Presidential Commission

The U.S. Court of Appeals for the D.C. Circuit hears arguments today in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. Live audio of the arguments will be streamed from this link beginning at 9:30 a.m. ET. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

About November 2017

This page contains all entries posted to epic.org in November 2017. They are listed from oldest to newest.

October 2017 is the previous archive.

Many more can be found on the main index page or by looking through the archives.