EPIC Alert 23.06 - March 31, 2016
- EPIC Scrutinizes DHS “Insider Threat” Database
- EPIC Intervenes in Privacy Case Before European Court of Human Rights
- EPIC Urges FCC to Broaden Scope, Substances of Draft Privacy Rules
- Senate Passes FOIA Reform Bill
- President Obama Nominates Merrick Garland for Supreme Court
- News in Brief
- EPIC in the News
- EPIC Book Review: “The Future of Foreign Intelligence”
- EPIC Bookstore
- Upcoming Conferences and Events
1. EPIC Scrutinizes DHS “Insider Threat” Database
In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes Social Security Number, passport and driver license number, and medical reports among other sensitive data.
The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation.
EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to disregard a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations.
Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases.
In a “friend of the court” brief to the Supreme Court in NASA v. Nelson, EPIC similarly warned of the dangers of unnecessary collection of sensitive information by federal agencies. EPIC’s warning proved to be prophetic, as NASA experienced a significant data breach shortly after the case was decided. The breach compromised the personal information of about 10,000 employees including Robert Nelson, the scientist who sued NASA over its data collection practices.
2. EPIC Intervenes in Privacy Case Before European Court of Human Rights
EPIC has filed a brief in the case 10 Human Rights Organizations and Others v. The United Kingdom, currently before the European Court of Human Rights (ECtHR). The case resulted from the consolidation of several challenges to government surveillance conducted by the National Security Agency (NSA) in the United States and the Government Communications Headquarters in the United Kingdom. Human rights organizations initially filed complaints in the UK’s Investigatory Powers Tribunal, claiming the surveillance violated their fundamental rights. The Tribunal eventually ruled that the governments’ interception of NGO communications satisfied the European Convention on Human Rights, and the organizations appealed to the ECtHR.
In its brief, EPIC explained that the NSA “has access to the majority of internet traffic and a nearly unbounded capacity to monitor and collect private communications.” The NSA also “has a long history of conducting surveillance in collaboration” with British intelligence organizations. EPIC detailed how US law “does not limit the NSA’s collection of non-US persons’ data,” and cautioned that “domestic surveillance reforms in the US do not provide meaningful privacy protections for non-US persons.” In addition, both the US and EU Member States are “moving toward laws and measures that further undermine privacy and security.” As a result, EPIC urged the Court to conclude that the interception violated the European Convention.
This is EPIC’s first brief to the European court in Strasbourg. EPIC’s third-party intervention brief is the European equivalent of amicus briefs that EPIC regularly files in US courts.
3. EPIC Urges FCC to Broaden Scope, Substances of Draft Privacy Rules
EPIC has released a memo in response to Federal Communications Commission Chairman Tom Wheeler’s draft broadband privacy rules, urging the Commission to broaden the scope of its proposal and strengthen its substantive data protections.
The draft rules, previewed in a fact sheet on March 10, 2016, would “apply the privacy requirements of the Communications Act” to Internet service providers (ISPs) but not to email, search, or social media services. While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers. EPIC explained that the proposal’s “framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy.”
EPIC further explained that the proposal’s limited focus on “choice, transparency and security” will fail to safeguard consumer privacy. EPIC has repeatedly warned that a “notice and choice” approach to privacy protections fails to effectively protect consumer privacy. Research shows that consumers rarely read privacy policies; when they do, these complex legal documents are difficult to understand. Moreover, emphasizing notice or transparency favors the interests of businesses over consumers and fails to establish meaningful privacy safeguards.
EPIC urged the Commission to instead fully apply the Consumer Privacy Bill of Rights (CPBR) to communications data. Grounded in the Fair Information Practices, the CPBR grants consumers rights and places obligations on private companies collecting consumer information. EPIC emphasized the need to require Internet-based services to comply with data minimization and strict data security standards, including Privacy-Enhancing Techniques.
Earlier this year, EPIC submitted a letter to the FCC expressing similar views and asking the FCC to explore “the full range of communications privacy issues facing US consumers.” Separately, EPIC filed a petition with the FCC, joined by 29 organizations, to end the mandatory retention of consumer phone records. That petition is still pending before the Commission.
4. Senate Passes FOIA Reform Bill
The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption, thus barring access to our nation’s history. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes.
In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.”
The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law.
EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA.
The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.
5. President Obama Nominates Merrick Garland for Supreme Court
President Barack Obama has nominated D.C. Circuit Chief Judge Merrick Garland to fill the vacant seat on the U.S. Supreme Court created by the death of Justice Antonin Scalia. Justice Scalia served on the Supreme Court for nearly 30 years, and authored opinions in many important Fourth Amendment cases. Most notably, he wrote the majority opinion in Kyllo v. United States, which held that the warrantless use of a thermal imaging device on a private residence constituted an unlawful search under the Fourth Amendment. More recently, Justice Scalia wrote the majority opinion in United States v. Jones, which held that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment.
Judge Garland, formerly a prosecutor and then head of the Department of Justice's Criminal Division, has served on the D.C. Circuit for 19 years. He became Chief Judge of the D.C. Circuit in 2013. After graduating from Harvard Law School in 1977, Judge Garland served as law clerk to Judge Henry J. Friendly on the Second Circuit and then to Supreme Court Justice William J. Brennan, Jr. The Law Library of Congress has compiled materials by and about Judge Garland.
EPIC has routinely urged the Senate to hold hearings and explore the views of Supreme Court nominees. Past letters from EPIC to the Senate Judiciary Committee concerned the nominations of Justice Kagan, Justice Sotomayor, and Chief Justice Roberts. EPIC frequently files amicus briefs with the US Supreme Court, including Spokeo v. Robins and Utah v. Strieff in the current term.
News in Brief
EPIC’s Rotenberg Urges European Parliament to Condition “Privacy Shield” on End of 702 Surveillance
Speaking before the European Parliament on the “Privacy Shield,” EPIC President Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the “Section 702 program,” which permits bulk surveillance on Europeans by the US. EPIC and other NGOs have urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.
EPIC Testifies Before Pennsylvania Senate on Domestic Drone Surveillance
EPIC Domestic Surveillance Project Director Jeramie Scott testified at a hearing before the Pennsylvania Senate Majority on unmanned aerial vehicles. The hearing addressed the private and public sector use of drones. In a prepared statement, EPIC’s Scott urged the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance. EPIC stated, “The increased use of drones to conduct various forms of surveillance must be accompanied by increased privacy protections.” EPIC previously sued the FAA for failing to establish federal privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit.
EPIC Names New Advisory Board Members
EPIC has announced the 2016 members of the EPIC Advisory Board. They are Malavika Jayaram, Max Schrems, Katie Shilton, Stephen Vladeck, Anne L. Washington, and Shoshana Zuboff. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy, who contribute to EPIC's work on privacy and human rights issues. Joining the Board of Directors of EPIC in 2016 are Danielle Citron, author of “Hate Crimes in Cyberspace,” and Frank Pasquale, author of “The Black Box Society: The Secret Algorithms that Control Money and Society.”
FTC Issues Warning on Cross-Device Tracking and Surveillance Apps
The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit “cross-device tracking” technology that links consumers’ smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate “always-on” consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act.
EPIC Successfully Obtains Boater Tracking Documents, Settles Case with Homeland Security
After successfully obtaining nearly 2,500 pages of documents concerning a controversial boater tracking program, EPIC has settled a Freedom of Information Act lawsuit with the Department of Homeland Security about the Nationwide Automatic Identification Systems (“NAIS”). According to the documents released to EPIC, DHS believes that boaters have “no expectation of privacy with regard to any information transmitted” about the location of their boats. The documents also reveal that the agency fuses tracking data with other government data to develop detailed profiles on boaters. EPIC did not object to the use of NAIS for marine safety; the concern is government surveillance. EPIC has also opposed a DHS plan to collect and maintain records on sea travelers.
NGOs - “Privacy Shield” is Failed Approach for EU-US Data Protection
More than twenty civil society groups have urged European leaders to oppose adoption of the “Privacy Shield” for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes to domestic laws and international commitments to comply with that decision and permit transfers of personal data. EPIC has launched “Data Protection 2016,” a non-partisan campaign to support stronger privacy safeguards in the US.
Ninth Circuit Sends NSA Surveillance Case Back to Lower Court
A federal appeals court has remanded a case challenging the NSA’s bulk collection of telephone records. In Smith v. Obama, the Ninth Circuit Court of Appeals instructed the lower court to consider the impact of the USA Freedom Act, which ended the bulk data collection program. EPIC, joined by thirty-three technical experts and legal scholars, filed an amicus brief in the case, arguing that modern communications systems are “entirely unlike the telephone network of the 1970s” and that a 1977 case concerning “pen registers” no longer applied. EPIC also challenged the NSA bulk collection program in a petition to the Supreme Court.
Drone Privacy Safeguards Move Forward in Senate
A Senate committee has adopted several key privacy amendments concerning drone operations in the US. The amendments, sponsored by Senator Markey (D-Mass), limit the scope of drone surveillance and require more accountability for drone operators. Markey stated, “As more and more drones take flight in our skies, the need to protect Americans’ privacy is paramount.” EPIC urged Congress and the FAA to establish limits on drone surveillance and recommended that the FAA establish a database detailing drone surveillance capabilities. EPIC has sued the FAA for its failure to establish commercial drone privacy rules.
Senate to Consider FAA Funding but Drone Privacy Safeguards Missing
On March 16, 2016, the Senate will consider the FAA Reauthorization bill. Senator John Thune introduced the legislation to fund the operations of the federal agency responsible for aviation safety. The bill requires drone operators to post privacy policies, but provides no meaningful privacy safeguards that would limit surveillance by drone operators. EPIC has urged Congress and the FAA to establish real limits on surveillance by drones. EPIC also recommended that the FAA establish a national database detailing the surveillance capabilities of commercial drones. And after the agency failed to establish privacy rules mandated by Congress, EPIC filed a lawsuit, EPIC v. FAA, that is currently pending before the DC Circuit Court of Appeals.
EPIC in the News
- It’s How Hackers Help That Matters, New York Times (Opinion), March 30, 2016
- The recorder on the bus rolls on and on: Privacy advocates oppose MATBUS audio, video surveillance, WDAZ, March 29, 2016
- New Jersey Bill Would Criminalize Nude TSA Body Scanner Images, Tenth Amendment Center Blog, March 29, 2016
- Kansas congressman seeking change in email privacy, KSN-TV, March 28, 2016
- Feds tells app developers to warn consumers they spy, WND, March 26, 2016
- Influencers: FBI should disclose San Bernardino iPhone security hole to Apple, Christian Science Monitor: Passcode, March 25, 2016
- Restricting Your Cell Carrier’s Use of Your CPNI Data, TidBits, March 25, 2016
- As FCC considers new broadband privacy rules, report urges wider user data safeguards, TechCrunch, March 23, 2016
- Seen and Heard: Bus Surveillance Stirs Controversy, Government Technology, March 23, 2016
- Judge Delays Encryption Hearing After FBI Says It May Not Need Apple’s Help, E-Commerce Times, March 22, 2016
- Your iPhone and J. Edgar Hoover, Southern Poverty Law Center, March 22, 2016
- US Promises on Mass Data Collection Privacy Thrown Into Doubt, Sputnik International, March 22, 2016
- Privacy Group Pushes FCC For Tougher Restrictions On Online Data Collection, MediaPost, March 22, 2016
- They’re Right to Distrust U.S. Data Security, Wall Street Journal (Opinion), March 22, 2016
- No More Safe Harbor, Harvard Political Review, March 21, 2016
- 5 things to remember during Tuesday’s hearing pitting Apple against the FBI, CIO, March 21, 2016
- Senate floats drone control ideas, The Times Tribune, March 20, 2016
- Supreme Court wrestles with evidence from illegal police stops, Baltimore Sun, March 20, 2016
- Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist, New York Times, March 18, 2016
- Cracks emerge in EU US data ‘shield’, EU Observer, March 18, 2016
- Apple Channels Founding Fathers in Legal Brief, E-Commerce Times, March 18, 2016
- ‘Privacy Shield’ Data Transfer Deal Needs More Work, EU Told, Law360, March 17, 2016
- Big Hurdles Still Stand In Way of Future U.S.-EU Data-Sharing, Fortune, March 17, 2016
- Identity theft increasing at a staggering rate, News 4 San Antonio, March 17, 2016
- FBI’s push to unlock iPhone mirrors state, local fight for criminals’ data, cleveland.com, March 15, 2016
- People Are Going To Prison Thanks To DNA Software — But How It Works Is Secret, Buzzfeed News, March 12, 2016
EPIC Book Review: “The Future of Foreign Intelligence”
“The Future of Foreign Intelligence: Privacy and Surveillance in a Digital Age,” by Laura K. Donohue
Laura Donohue’s new book on “The Future of Foreign Intelligence” should be required reading for anyone whose work or interests touch on issues of privacy and surveillance. Professor Donohue manages in 160 pages to take us back to the essential origins of the Fourth Amendment and tell a rich story of the evolution of our constitutional privacy rights through the post-9/11 shift towards broader surveillance. The narrative moves deftly from ongoing legal battles over NSA programs to historical cases that provide the basis for the laws and principles at issue. The reader comes away with a much richer understanding of the context and significance of the recent controversies, and a hope that history can provide a basis for reining in government overreach.
Professor Donohue begins by introducing the role that foreign intelligence efforts have played in American history from the revolutionary period to the turn of the 21st century. In particular, she focuses on the abuses uncovered by the Church and Pike committees in the 1970s, which led to the enactment of the Foreign Intelligence Surveillance Act. She then explains how this system of checks and balances was thrown into disarray following the events of 9/11, including the executive branch power grab that led prominent officials within the Department of Justice to threaten resignation in 2004. She also documents the developments since that time, including the restructuring of intelligence-gathering authorities by Congress in 2008 and the ongoing telephone and Internet surveillance programs being conducted.
After establishing the legal and historical context, Professor Donohue goes on to analyze the NSA’s recent surveillance programs, concluding (1) that neither of the two bulk metadata programs “is legal, and neither passes constitutional muster” and (2) that the programs authorizing collection of communications content “raise troubling questions” where that information can be used for purposes other than foreign intelligence. She then returns to the historical roots of the Fourth Amendment and argues that opposition to “general warrants” was the primary driving force behind its adoption.
Having established a strong foundation based on close analysis of both historical underpinnings and current trends in surveillance law, Professor Donohue concludes with a series of concrete recommendations for reform. She stresses the need for robust, independent oversight of surveillance programs and recommends that the division between foreign intelligence surveillance and law enforcement activities be reestablished. She also argues that the existing distinctions between personally identifiable information, content, and business records are outmoded. By the time the reader reaches the concluding paragraphs, they will be well versed in the nuance and history of surveillance policy, ready to engage on these complex and important issues.
EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Upcoming Conferences and Events
March 31, 2016
“Civil society engagement towards the OECD Ministerial Meeting on Digital Economy in Mexico 2016”
Fanny Hidvegi, EPIC International Privacy Fellow
San Francisco, CA
March 31, 2016
Engaging a Community: Tech Demos and Lightning Talks
Fanny Hidvegi, EPIC International Privacy Fellow
San Francisco, CA
March 31, 2016
Data Détente: Exploring Challenges and Opportunities in Trans-Atlantic Data Flows
Fanny Hidvegi, EPIC International Privacy Fellow
San Francisco, CA
April 1-2, 2016
University of Miami
April 20-21, 2016
34th Social Science Research Conference: “The Invasive Other”
EPIC President Marc Rotenberg
The New School
New York, NY
June 6, 2016
Data Protection 2016
National Press Club
June 6, 2016
EPIC 2016 Champions of Freedom Awards Event
National Press Club
Registration Now Open
June 21, 2016
To be held in conjunction with OECD Ministerial Conference, June 21-23, 2016
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.