
December 2018 Archives

December 3, 2018

EPIC Supports Extension of Children's Privacy Reporting Requirements

EPIC submitted comments in support of the FTC's proposed extension of the information collection requirements for the Children's Online Privacy Protection Act. EPIC explained the importance of the law that protects the personal data of children who use Internet services, but added that the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. Earlier this year, the FTC unanimously voted to approve EPIC's recommendations to create new safeguards for children's data in the gaming industry.

December 5, 2018

EPIC Urges European Commission to Address Security Risks of Connected Cars

In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things, including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs.

December 6, 2018

Senator Markey Insists on Privacy, Safety for Self-Driving Vehicles

In a statement this week, Senator Markey said he would not permit legislation on self-driving cars to proceed until the bill created meaningful "safety, cybersecurity, and privacy protections" for consumers. In January, EPIC wrote to the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has long supported baseline protections in self-driving vehicles. EPIC has appeared before Congress, written to federal agencies, and provided amicus briefs about the privacy and security risks of autonomous vehicles. In comments to the European Commission this week, EPIC identified several key concerns related to connected cars.

Facebook Documents Raise New Questions About Consent Order Compliance

This week a British parliamentary committee released internal Facebook emails and documents. The documents revealed that Facebook concealed its decision to collect records of calls and texts on Android devices, in violation of privacy policies. An employee said of this decision: "This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it." The documents also show that Facebook examined user data to determine which companies posed a threat, deciding to either target or acquire those firms. Last month, UK regulators released a report on the misuse of personal data by Cambridge Analytica for the Brexit vote. In 2011, EPIC and other consumer privacy organizations obtained a far-reaching consent order against Facebook, but the FTC has failed to enforce the legal judgment. In March, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.

EPIC Celebrates 70th Anniversary of UDHR

On December 10th, EPIC celebrates Human Rights Day, which commemorates the United Nations adoption of the Universal Declaration on Human Rights, the most widely translated text in the world. This year marks the 70th Anniversary of the UDHR, which was adopted on December 10, 1948. EPIC has called for the fundamental right to privacy (Article 12 of the UDHR) to be reaffirmed in the digital age. Article 12 states "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." NGOs and privacy experts have also expressed support for the Madrid Declaration, a substantial document that promotes international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the UDHR can be found in the 2018 EPIC Privacy Law Sourcebook, available at the EPIC Bookstore.

EPIC to DHS Privacy Advisory Committee: End Facial Recognition

In response to a public notice by the Data Privacy and Integrity Advisory Committee, EPIC submitted comments urging the CBP to halt implementation of the biometric border program. EPIC stressed the need for federal regulation to safeguard privacy and prevent the misuse of facial recognition technology. EPIC called for a public rulemaking for the federal entry/exit program. EPIC also criticized the Committee's draft recommendations for facial recognition. EPIC said that the transfer of personal data from the State Department to the CBP was unlawful and that the opt-out procedures were ignored in practice. Documents EPIC previously obtained in a FOIA lawsuit against CBP revealed that facial scanning did not perform operational matching at a "satisfactory" level.

December 7, 2018

In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites

In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations.

December 10, 2018

Equifax Breach "Entirely Preventable": House Oversight Committee

In a report released today, the House Committee on Oversight declared that the Equifax breach, which affected 148 million U.S. consumers, was "entirely preventable." The breach, one of the largest in U.S. history, compromised the authenticating details, including dates of birth and social security numbers, of more than half of American consumers. The House report concluded that Equifax "failed to fully appreciate and mitigate" the cybersecurity risks and placed corporate growth over data security. Despite several agencies, such as the CFPB and the FTC, pledging to take action against Equifax, none have done so. The House Committee recommended that Equifax "provide more transparency to consumers" about data use and security practices and reduce the use of social security numbers as identifiers, longstanding priorities of EPIC. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.

EPIC To Congress: Require Algorithmic Transparency For Google, Dominant Internet Firms

EPIC has sent a statement to the House Judiciary Committee in advance of a hearing on Google's business practices. EPIC said that "algorithmic transparency" should be required for Internet firms. EPIC explained that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. EPIC pointed out that Google's algorithm preferences YouTube's web pages over EPIC's in searches for videos concerning "privacy." Last year the European Commission found that Google rigged search results to preference its own online service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. The US Federal Trade Commission has failed to take similar action, even after receiving substantial complaints. EPIC also urged Congress to consider the Universal Guidelines for AI as a basis for federal legislation.

EPIC Urges Department of Transportation to Improve Framework on Connected Car Safety

In detailed comments to the Department of Transportation, EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to the Ninth Circuit.

EPIC Obtains DHS Pre-Election Assessment on Threats to US Election Infrastructure

As part of EPIC's Freedom of Information Act lawsuit against the Department of Homeland Security, the DHS Office of Intelligence and Analysis released to EPIC documents related to the Russian interference in the 2016 presidential election. One notable document is "Cyber Threats and Vulnerabilities to US Election Infrastructure." The report, issued before the presidential election, stated that the "DHS ha[d] no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election." The DHS report also stated that a successful widespread cyber operation against US voting machines would require "a multiyear effort with significant...resources available only to a nation state" but this level of effort "would make it nearly impossible to avoid detection." According to election experts, this assertion ignores the possibility that an adversary can change an election outcome without a widespread attack. Launching targeted attacks on swing districts could compromise an election, especially given that few states engage in post-election audits and that a recount is impossible in states with paperless voting machines. EPIC is pursuing several other related FOIA cases about Russian interference with the 2016 election: EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), and EPIC v. IRS II (release of Trump's offers-in-compromise).

December 11, 2018

Irish Court Finds Data Retention Law Violates Human Rights

The Irish High Court has ruled that Ireland's retention of telephone data violates European Law and the European Convention on Human Rights. The Communications Act, which requires all service providers to retain data for two years, is "general and indiscriminate." The Court also found insufficient safeguards for access to data, noting that the law did not require prior judicial and had few guarantees against abuse. The Court will now issue a final order to determine how the case will proceed. EPIC is participating in DPC v. Facebook, an Irish High Court case recently referred to the top European Court of Justice to determine whether Facebook's transfer of data from Ireland to the United States violates EU data protection law. EPIC has also petitioned the FCC to end a similar data retention mandate, arguing that it is inconsistent with international law.

EPIC Urges Public Input on AI Policy

In a statement on AI policy to the House Armed Services Committee, EPIC urged the panel to ensure public input on AI policy. The statement from EPIC follows a petition to the White House, backed by EPIC and leading scientific organizations, to solicit public comments on US AI policy. EPIC also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines are intended to "maximize the benefits of AI, minimize the risk, and ensure the protection of human rights." More than 230 experts and 60 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines.

EPIC Urges European Commission to Regulate Connected Toys

In comments to the European Commission, EPIC highlighted the safety and security risks of IoT toys and wrote "There should be 'smart' regulations for 'smart' toys." The European Commission sought public comment on the EU Toy Directive, which establishes toy safety guidelines to protect children's health and safety but ignores connected toys. EPIC has repeatedly demonstrated the risks of IoT and smart toys before Congress, the Federal Trade Commission, and the Consumer Product Safety Commission in testimony, agency comments, petitions, and investigative complaints.

EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening

EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program.

December 12, 2018

EPIC Urges Antitrust Agencies to Raise their Game

In a statement to the House Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice at a hearing on "Oversight of the Antitrust Enforcement Agencies." EPIC emphasized the risks of mergers to American consumers, stating that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed DoubleClick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. Consumer organizations in the US and the European Union recently urged antitrust authorities on both sides of the Atlantic to subject mergers to greater scrutiny.

EPIC Investigates Airport Facial Recognition Opt-Out Procedures

In an urgent FOIA request, EPIC is seeking documents from CBP about the procedures for travelers to opt out of the biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt out of the screening procedure. EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.

EPIC Makes Final Arguments to Supreme Court in Voter Data Privacy Case

EPIC has filed a reply brief in EPIC v. Commission, urging the Supreme Court to review a decision that wrongly denied EPIC access to a required privacy impact assessment for state voter data. EPIC filed suit against the Presidential Election Commission last year to halt the collection of state voter data pending the completion of the assessment. As a result of EPIC's case, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted the state voter data it wrongly acquired. The Commission was terminated in January of this year. EPIC told the Supreme Court that "there is, quite literally, no organization other than the 'Electronic Privacy Information Center' that suffers a greater concrete harm when a federal agency fails to comply with a publication requirement for privacy impact assessments." EPIC's case in the Supreme Court is EPIC v. Commission, No. 18-267.

December 14, 2018

National Archives Moves Forward EPIC's Request for Kavanaugh White House Records

The National Archives has announced its intent to release dozens of undisclosed emails concerning Justice Kavanaugh's role in controversial White House surveillance programs. The announcement comes in response to EPIC’s Freedom of Information Act lawsuit, which previously led the agency to discover hundreds of Kavanaugh email exchanges about warrantless wiretapping and passenger profiling. Prior to Kavanaugh’s confirmation hearing, EPIC warned that Kavanaugh—both as a White House legal advisor and then as a federal appellate judge—showed little regard for the constitutional privacy rights of Americans. The Kavanaugh emails are set to be released to EPIC in March.

December 18, 2018

EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing

EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy cases. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.

Appeals Court: IRS 'Misunderstands' FOIA Obligations in EPIC Case, but Trump's Tax Returns Still Withheld

The D.C. Circuit ruled today that the IRS "misunderstands its FOIA disclosure obligations" in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. EPIC argued that the IRS has the authority, under a legal provision known as "(k)(3)," to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." Although the D.C. Circuit ruled that EPIC could not compel the IRS to use "(k)(3)," the Court rebuked the IRS for "disregard[ing] the plain statutory text" of FOIA and held that EPIC's request was wrongly "met with a closed door." The Court also emphasized that the law at issue in EPIC v. IRS II—EPIC's separate FOIA suit for President Trump's business tax records—"does allow the public to inspect certain return information." EPIC will continue to pursue the release of the President's tax records, which will reveal whether and how the President's private financial interests conflict with the national interests of the United States.

Senate Reports Detail Russian Interference in 2016 Election

In a pair of reports released this week, the Senate Intelligence Committee provided fresh details on the extent of Russian interference in the 2016 election. Committee Chairman Richard Burr explained: "This newly released data demonstrates how aggressively Russia sought to divide Americans by race, religion and ideology, and how the IRA actively worked to erode trust in our democratic institutions. Most troublingly, it shows that these activities have not stopped." Shortly after the 2016 presidential election, EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI, EPIC v. ODNI, EPIC v. IRS I, and EPIC v. DHS. As EPIC President Marc Rotenberg explained in an op-ed in March 2017: "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks."

December 19, 2018

EPIC Asks Congress to Nominate AI Commission Members Who Support the Universal Guidelines

EPIC has urged members of Congress responsible for a new National Commission on AI to nominate experts and public interest representatives who have endorsed the Universal Guidelines for Artificial Intelligence. EPIC told Congress "it is vitally important that the National Security Commission include members who can represent the interests of the American public on AI." Leading computer scientists and scientific societies, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. According to the 2019 National Defense Authorization Act, the National Security Commission on AI will be composed of 15 members, conduct an extensive review of AI, and prepare an initial public report in 2019.

EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored

The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concern with passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention.

EPIC Urges Congress to Obtain and Publish President Trump's Tax Returns

EPIC has asked Congress to obtain the public release of President Trump's tax returns. As EPIC explained, "By custom and tradition, candidates for the Presidency have routinely made available to the public their personal tax returns to ensure that there are no conflicts of interest that might jeopardize the public trust." EPIC's request to Congress follows the decision in EPIC v. IRS, a Freedom of Information Act case for the release of the tax returns. EPIC filed the case after President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." EPIC continues to seek the President's business tax records in EPIC v. IRS II.

December 20, 2018

Facebook Gave Personal Data to Third Parties Without Consent in Violation of FTC Consent Order

A New York Times investigation revealed that Facebook had deals with companies giving them access to personal data without meaningful user consent. These companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex. The deals Facebook made gave companies broad access to user data, including the ability to read users’ private messages and access friend lists. EPIC and several consumer privacy organizations helped establish the 2011 consent order against Facebook, following a public campaign and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition.

D.C. Attorney General Sues Facebook

The D.C. Attorney General filed a complaint against Facebook under the D.C. Consumer Protection Procedures Act, making D.C. the first U.S. jurisdiction to take action against the company for the mishandling of user data that led to Cambridge Analytica. The AG's complaint alleges that Facebook failed to monitor third-party use of personal data and failed to ensure users’ data was deleted. The D.C. lawsuit seeks financial penalties and an injunction to ensure Facebook puts in place protocols and safeguards to protect users’ data and makes it easier for users to control their privacy settings. AG Karl Racine said: “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.” EPIC filed a D.C. Consumer Protection Procedures Act lawsuit challenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS app.

December 26, 2018

Congress Passes Foundations for Evidence-Based Policymaking Act of 2018

Congress has passed the Foundations for Evidence-Based Policymaking Act of 2018. The legislation, championed by House Speaker Paul Ryan (R-WI) and Senator Patty Murray (D-WA), includes new requirements for federal agencies to establish senior leaders for program evaluation and data coordination to help agencies produce and use evidence, strengthens privacy protections for confidential data, and directs government to make secure access to data more available to generate evidence. In a statement to Congress last year, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking — Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. EPIC filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report last year that examined how disparate federal data sources can be used for policy research while protecting privacy.

About December 2018

This page contains all entries posted to epic.org in December 2018. They are listed from oldest to newest.
