EPIC Alert 23.07
EPIC Alert 23.07 - April 15, 2016
- EU Officials Call for Changes in Privacy Agreement
- EPIC Advises HHS to Safeguard Substance Abuse Patient Records
- Privacy in the States: Data Breach Notification for Encrypted Data in TN, Drone Surveillance in OR
- EPIC Sues Agency for Drone Task Force Meeting Records
- EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order
- EPIC Book Review: "Dark Matters"
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
The European Commission seeks to replace the Safe Harbor data transfer arrangement with the proposed Privacy Shield. The framework, however, fails to provide adequate protections against commercial misuse of personal information and bulk surveillance, according to experts and consumer groups.
In its opinion, the Article 29 Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, and the broad uses of personal data that would be permitted under the proposed arrangement. According to the Working Party, the US does "not exclude massive and indiscriminate collection of personal data," the Ombudsperson "is not sufficiently independent," and the proposal "does not guarantee a satisfactory remedy". The Working Party has also concluded that "onward transfers of EU personal data are insufficiently framed." Isabelle Falque-Pierrotin, the chair of the Working Group, said "we have concerns and urgent need for clarification."
Representatives of the EU member states will take this analysis into account when they vote on the European Commission's proposal on whether to adopt the Privacy Shield. A report from the European Data Protection Supervisor on the Privacy Shield is also anticipated.
EPIC and other privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal because it fails to provide adequate protection for the transfer of personal information and will likely be rejected by the European Court of Justice following the decision in Schrems v. Data Protection Commissioner, which invalidated Safe Harbor.
In comments to the Department of Health and Human Services, EPIC criticized the agency's proposed revisions to confidentiality rules for substance abuse patient records. The proposal would weaken consent rules for disclosing patient records by no longer requiring that patients be informed of the specific recipients of their records. The proposal would also allow linkage of substance abuse records to other databases for research purposes. EPIC urged HHS to abandon these proposed revisions, which would compromise record confidentiality and reduce the effectiveness of public health programs.
EPIC's comments called upon the agency to "protect the privacy and autonomy of the countless Americans seeking treatment for substance abuse and mental health issues." Confidentiality is critical to ensuring successful treatment of substance abuse, given the stigma and fear of legal prosecution associated with these issues. EPIC explained that patient privacy and public health policy require strong confidentiality protections for these highly sensitive medical records. EPIC warned that the changes proposed to patient consent requirements would put at risk sensitive medical data.
EPIC also warned against linking substance abuse records to federal, state, and private databases, which would place these records at significant risk of compromise given the surge in government and healthcare data breaches. Citing numerous high-profile data breaches, EPIC cautioned that, "healthcare data repositories are also notoriously insecure." The 2015 data breach at the Office of Personnel Management compromised the personal information of 21.5 million individuals.
EPIC consistently advocates for strong confidentiality protections for medical records. Most recently, EPIC submitted comments to HHS regarding proposed changes to the Common Rule, ethical rules regarding biomedical and behavioral research involving human subjects.
Tennessee has become the first state to expand data breach notification requirements to encrypted data. Public Chapter Number 692 requires any information holder to notify Tennessee residents of a data breach even if the data was encrypted. Information holders include anyone who conducts business in the state or state agencies that own or license personal information. The new law also requires that the notice be made within 45 days of discovering the breach.
Oregon further strengthened protections against drone surveillance last month when Governor Kate Brown signed HB 4066. Existing Oregon law already provided a civil action against drone operators who fly over private property after receiving notice from the property owner. The new legislation adds a provision to the state's criminal laws which would make the recording of photos, motion picture video, or other visual recording through the use of a drone an invasion of personal privacy, which is a Class A misdemeanor. The law also requires that any public body that operates a drone establish policies for the "use, storage, accessing, sharing and retention of data" resulting from the operation of drones.
Last month, EPIC Domestic Surveillance Project Director Jeramie Scott testified at a hearing before the Pennsylvania Senate on unmanned aerial vehicles. The hearing addressed the private and public sector use of drones. In a prepared statement, EPIC's Scott urged the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance.
EPIC's State Policy Project monitors state privacy issues nationwide.
EPIC has filed a Freedom of Information Act lawsuit against the Department of Transportation for records of the closed-door meetings of the "Drone Registration Task Force". The agency created the Task Force late last year to develop recommendations for registering commercial drones. The Task Force - whose membership included no civil liberties organizations, privacy experts, or consumer advocates - met in secret last November before releasing a report on small drone registration requirements.
On October 19, 2015, U.S. Transportation Secretary Anthony Foxx and Federal Aviation Administration Administrator Michael Huerta announced the implementation of a federal drone registry for civilian drones weighing under 55 pounds. The same day, Secretary Foxx and Administrator Huerta announced the creation of a Drone Registration Task Force to develop recommendations for the drone registration process. The Task Force was convened to "advise the Department on which aircraft should be exempt from registration due to a low safety risk" and "explore options for a streamlined system that would make registration less burdensome for commercial UAS operators." According to Secretary Foxx, the proposed registration requirement will facilitate safer UAS operations by increasing operator accountability.
The Drone Registration Task Force was charged with: (1) developing and recommending minimum requirements for drones that would need to be registered, (2) developing and recommending registration processes, and (3) developing and recommending methods for proving registration and marking. The Task Force report was released on November 23, 2015, following a series of closed-door meetings that excluded the public and the media.
EPIC submitted extensive comments to the Task Force concerning privacy, public safety, and the broadcasting of drone registration information, which were largely ignored by the Task Force.
EPIC's lawsuit was filed just after the FAA's Aviation Rulemaking Committee of industry groups and agency officials recommended easing restrictions that prohibit businesses from flying unmanned aerial vehicles. In EPIC v. FAA, EPIC has also challenged the FAA's failure to establish privacy rules for drones.
EPIC has written a letter to the Federal Trade Commission alerting the agency that Google's failed April Fool's prank likely violated its 2011 FTC consent order. Google implemented "Gmail Mic Drop" on April 1, 2016. The feature purported to allow Gmail users to insert a GIF into an email, then mute the conversation. The prank backfired, as users inadvertently enabled the Mic Drop feature on important emails.
The FTC entered a 2011 consent order with Google after the company introduced Google Buzz in 2010. Google Buzz was an opt-out service that compiled a Gmail user's social networking list based on address book entries and G-chat contacts. Google automatically activated the service without user consent, and made these contact lists publicly viewable and often publicly indexed by search engines. EPIC filed a complaint with the FTC, arguing that Buzz transformed an email service into a social networking service without giving Gmail users meaningful control over their information. Google ultimately agreed to the consent order, which states in part that Google must obtain "express affirmative consent" from Google users before "any new or additional sharing" of users' information with third parties.
In its letter to the FTC regarding Google's Mic Drop prank, EPIC explained that information can be personally identifiable when "an authorship relationship connects the individual to the information." Google's "change" in the "service" modified information concerning individual Google users, constituting "new or additional sharing . . . of the Google user's identified information" under the 2011 FTC consent order.
EPIC has repeatedly urged the FTC to enforce this consent order. In 2012, EPIC filed a lawsuit in federal court to compel the FTC to enforce the order after Google announced changes in its terms of services. The court ultimately dismissed the lawsuit for lack of jurisdiction, but acknowledged serious concerns with Google's changes.
"Dark Matters: On the Surveillance of Blackness," by Simone Browne
Simone Browne, Associate Professor of African and African Diaspora Studies at the University of Texas at Austin, has written an insightful book on the surveillance of blackness. Browne thoroughly describes how the conditions of blackness should illuminate our understanding of surveillance and inform any theory of the topic.
"Dark Matters" draws the connection between the present day study of surveillance and the history of surveillance that arose during the transatlantic slavery trade and its aftermath, shining a focused light on the connection between race and surveillance. In the opening chapter, Browne provides the reader with some of the theories and analytical tools traditionally used to understand surveillance--most notably, Jeremy Bentham's Panopticon. This background lays the groundwork to challenge the traditional perspectives on surveillance in some cases, and in other cases to argue for new ways to interpret contemporary surveillance. This new perspective "racializes" surveillance through an analysis of slave surveillance practices that, the author argues, should influence our understanding of surveillance today.
In the proceeding chapters, Browne provides abundant examples of the surveillance of blackness that largely began with the surveillance of slaves. The "lantern laws," as the author describes them, required "negroes and slaves" to carry a lamp at night when not escorted by a white person. The Book of Negroes was a ledger that named thousands of slaves who escaped to British lines during the Revolutionary War and who were to be evacuated by the British by ship to Canada. Browne argues that the Book of Negroes was the first government document to incorporate biometric markers to regulate migration between the US and Canada. These and other examples provide a means to contextualize the surveillance of blackness through history and in modern times.
"Dark Matters" can appear to speed along from one reference or example to the next, leaving the reader at a loss trying to connect everything together. Fortunately, the author provides helpful guideposts at the beginning of each chapter to explain the objective of each section. "Dark Matters" provides an invaluable perspective on surveillance and reminds us that the history of the surveillance of blackness has a unique and important role to play in our understanding and analysis of contemporary surveillance. As the author suggests, it "is not the entire story of surveillance, but it is a part that often escapes notice."
--Jeramie D. Scott
U.S. Government Sued Over Refusal to Notify Users of E-Mail Searches
Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users' private information, arise in thousands of cases each year. EPIC has supported similar challenges to "gag orders" and has opposed the expansion of "no notice" searches. EPIC has also recommended notice requirements for e-mail searches.
House Moves Forward on Modest ECPA Updates
The House Judiciary Committee has voted 28-0 in favor of the Email Privacy Act, H.R. 699, a bill that would establish a warrant requirement for the disclosure of all electronic communications. The law would also require notice to customers whose communications have been collected. The bill has 314 cosponsors in the House, and is slated to be considered by the chamber on April 25th. Senator Leahy, who has sponsored an identical bill in the Senate, said that "Congress has waited far too long to enact these reforms." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
Senate Examines FTC's Antitrust Enforcement
The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices of companies subject to FTC consent orders.
President Obama: In Digital Age, People Have New Set of Privacy Expectations
In remarks at the University of Chicago Law School, President Obama named privacy as one of the constitutional issues that will be increasingly salient in the years to come. "In a society in which so much of your life is digitized, people have a whole new set of privacy expectations that are understandable," said the President. Obama said the encryption debate was "just the tip of the iceberg of what we're going to have to figure out." In its brief in Apple v. FBI, EPIC argued that cell phone encryption was adopted to protect consumers from crime. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues.
EPIC, Coalition Oppose NSA Data Transfer Plan
EPIC and over 30 organizations have urged the Obama Administration to halt proposed changes to Executive Order 12333 that would permit the NSA to transfer raw data collected to law enforcement agencies. The NSA's vast data collection activities are traditionally limited to intelligence purposes. The proposal will permit use of NSA data by law enforcement and make personal data more widely available across the federal government. Last year, EPIC urged the Privacy and Civil Liberties Oversight Board to increase oversight of 12333. EPIC called for: (1) new limits on data collection and disclosure; (2) audit trails for surveillance activities; and (3) published legal justifications for surveillance programs. The Board is currently reviewing surveillance under EO 12333.
FAA Considers Removing Safety Rules for Small Drones, Also Ignores Privacy Concerns
The report issued by a secret FAA committee would relax safety rules for drones operating over populated areas. The report also makes no mention of the privacy risks of aerial surveillance by small drones. Like the FAA registration task force, the FAA small drones committee was composed of mostly industry members and did not include any privacy or consumer protection groups. The report recommends allowing drones to fly within 20 feet above a person or within 10 feet next to a person. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. EPIC also filed a FOIA lawsuit against the FAA for the records of the secret drone task force meetings.
TACD Opposes "Privacy Shield," Urges Rejection by EU
The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that the Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
DHS, Federal Agencies Publish 2016 FOIA Reports
Most federal agencies, including the Department of Homeland Security, have now published the 2016 FOIA Reports. These annual reports, required by former Attorney General Holder's 2009 FOIA Memo, describe each agency's compliance with the FOIA, including steps taken to improve processing and promote openness. The federal FOIA ombudsman is currently investigating the practices of six DHS component agencies in response to a 2015 letter from EPIC and open government advocates. EPIC and others have recently urged the President to support bipartisan legislation aimed at improving the FOIA.
FCC Moves Forward With Narrow Privacy Rules
The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.
- Privacy safeguards for unmanned aircraft systems operations, Lexology, April 13, 2016
- EU privacy advocates complain data-sharing pact not good enough, Christian Science Monitor, April 13, 2016
- EU Regulators Challenge EU-US Data Protection Deal, Newsfactor, April 13, 2016
- Researchers are studying your Google searches to improve public health, Stat, April 10, 2016
- Where Are The Panama Papers? Governments May Pester Amazon, But Good Luck Getting In, International Business Times, April 7, 2016
- EPIC Sues For Drone Task Force Meeting Records, Law360, April 6, 2016
- The FBI Now Has The Largest Biometric Database In The World. Will It Lead To More Surveillance?, International Business Times, April 5, 2016
- FBI May Help Local Law Enforcement Agencies Crack Encrypted iPhones, E-Commerce Times, April 5, 2016
- Boating? Feds new spy program has eye on you, WND, April 4, 2016
- How much privacy are drivers willing to give up for better car insurance rates?, ABA Journal, April 4, 2016
- Experts Question The FBI's Thinking In Keeping iPhone Hack A Secret, BuzzFeed News, March 31, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
April 20-21, 2016
34th Social Science Research Conference: "The Invasive Other"
Marc Rotenberg, EPIC President
The New School
New York, NY
April 20, 2016
Speaker's Trust Event
Claire Gartland, EPIC Consumer Protection Counsel
Penn State University, Dickinson Law
April 26-27, 2016
Marc Rotenberg, EPIC President
Fanny Hidvegi, EPIC International Law
International Working Group on Data Protection
May 17, 2016
Goethe Institute Screening, "Democracy"
Landmark's E Street Cinema
May 18, 2016
Women in Government Advanced Technology & Innovations Summit 2016
Caitriona Fitzgerald, EPIC State Policy Coordinator
June 3, 2016
Jeffrey Rosen, "Louis D. Brandeis: American Prophet"
Politics and Prose
June 6, 2016
EPIC, Data Protection 2016
National Press Club
June 6, 2016
EPIC 2016 Champions of Freedom Awards Event
National Press Club
Registration Now Open
June 21, 2016
To be held in conjunction with OECD Ministerial Conference, June 21-23, 2016
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.