EPIC Alert 23.09
EPIC Alert 23.09 - May 16, 2016
- Court Rules EPIC Must Wait to Challenge Missing Drone Privacy Rules
- EPIC FOIA - Secret Drone Task Force Records Disclosed
- EPIC Sues TSA to Block Mandatory Body Scanners at US Airports
- EPIC Urges Senate to Back Comprehensive Communications Privacy Protection
- EPIC Urges California Supreme Court to Protect Open Records Law
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
The federal appeals court in Washington, DC has ruled that EPIC's suit against the Federal Aviation Administration must be set aside because the agency has not yet finalized the rules for drone operations in the United States. The ruling comes despite the fact that the FAA stated in its February 2015 small drone rulemaking that privacy "issues are beyond the scope of this rule making." The statement ran counter to the FAA's response to EPIC's petition in which the agency stated it would address privacy in the small drone rulemaking.
EPIC's lawsuit follows a Congressional directive requiring a comprehensive plan for the integration of drones into US airspace, and a 2012 EPIC- led petition for a public rulemaking on drone privacy safeguards. The 2012 petition argued that "drones present a unique threat to privacy" and "greatly increase the capacity for domestic surveillance."
The FAA has repeatedly acknowledged the need to address privacy in drone operations. In the agency's comprehensive plan for the integration of drones into the National Airspace, the agency stated that "issues, such as privacy and national security, need to be taken into consideration as [drones] are integrated into the [National Airspace]." So far, the FAA has refused to adopt any privacy rules.
In a related case, EPIC recently uncovered the minutes of a secret FAA drone task force meeting. According to one of the participants, the "[c]urrent state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small [drone]." EPIC previously sought the disclosure of the participants in the task force in a letter to the agency. Shortly after EPIC's letter, the FAA announced the participants of the task force, none of which were consumer or privacy advocates.
The agency created the Task Force late last year to develop recommendations for registering commercial drones. Participants of the Task Force included industry groups such as GoogleX, Amazon, and Chinese technology company DJI, but no civil liberties organizations, privacy experts, or consumer advocates.
The documents shed light on the details of the secret meeting. Several participants warned about privacy risks in drone deployment. The minutes also warned that public perception of drones is harmed by the lack of regulation and legal recourse for individuals harmed by drone operations. The Task Force released a report on small drone registration requirements after the meeting.
EPIC submitted extensive comments to the Task Force concerning privacy, public safety, and the broadcasting of drone registration information, which were largely ignored by the Task Force. "There are ongoing concerns about how drones affect the privacy rights of the average citizen and how a reasonable expectation of privacy can be hindered by the presence of drones," EPIC argued.
In EPIC v. FAA, EPIC challenged the Federal Aviation Administration's failure to establish privacy regulations for drones. The federal appeals court in Washington, D.C. recently ruled that EPIC must wait to challenging the missing drone privacy rules.
EPIC has filed a lawsuit challenging the Transportation Security Administration's (TSA) regulation for airport body scanners. The TSA announcement came nearly five years after a federal appeals court ordered the agency to "promptly" solicit public comments on the controversial screening procedure. Public comments overwhelmingly favored less invasive security screenings. But the TSA decided it may now mandate body scanners at US airports. In 2011, EPIC challenged the intrusive and ineffective TSA screening procedure. EPIC's new lawsuit challenges the regulation because it "denies passengers the right to opt out" of body scanner screening. EPIC also challenged the effectiveness of airport body scanners and the TSA's failure to recommend less invasive security screening.
EPIC's 2011 lawsuit challenged the TSA's unlawful deployment of airport body scanners, after twice filing petitions urging the TSA to end its airport body scanner program. In EPIC v. DHS, EPIC argued that the TSA violated the Administrative Procedure Act (APA) by deploying body scanners without first seeking public comment. The APA requires federal agencies to provide notice and opportunity for comment when implementing a rule that affects the rights of the public.
In EPIC v. DHS, the D.C. Circuit Court of Appeals held that the TSA violated the law by implementing body scanners as a primary screening method without first undertaking public notice and comment rulemaking. Writing for a unanimous court, Judge Ginsburg found there was "no justification for having failed to conduct a notice-and-comment rulemaking," and said, "few if any regulatory procedures impose directly and significantly upon so many members of the public." EPIC also challenged the body scanners on Fourth Amendment grounds, but the court concluded that because "any passenger may opt-out if AIT [advanced imaging technology] screening in favor of a patdown" there was no violation of the Fourth Amendment. In other words, the search was lawful because it was not mandatory.
The TSA solicited public comments on its body scanner program in 2013, nearly two years after the D.C. Circuit ordered the agency to "promptly" do so. In its comments, EPIC stated, "TSA's continued use and deployment of invasive nude body scanners is arbitrary and capricious and was executed without legally required procedures." EPIC urged TSA to adopt walk-through metal detectors and explore trace detection devices as less invasive screening alternatives to body scanners. More than 5,000 comments were submitted by the public to the agency, almost all in opposition to the agency's decision. Despite the public comments overwhelmingly in favor of less invasive security screenings, the agency announced that it will continue to use invasive body scanners at airports. The final rule also states that TSA "may require AIT use, without the opt-out alternative, as warranted by security considerations in order to safeguard transportation security."
EPIC's lawsuit challenges the TSA's final rule denying passengers the right to opt out of body scanners. EPIC also challenges TSA's failure to "establish the effectiveness of airport body scanners" and its failure to "adequately compare regulatory alternatives to airport body scanners." The case is EPIC v. TSA, Case No. 16-1139 (D.C. Cir. filed May 2, 2016).
Earlier this year, EPIC and 25 organizations urged Congress to hold a hearing on the TSA's unlawful determination that it has the authority to mandate body scanners.
EPIC sent a letter to leaders of the Senate Judiciary Committee in advance of its hearing on "Examining the Proposed FCC Privacy Rules" held on Wednesday, May 11, 2016. EPIC explained the urgent need for broad communications privacy protections in light of outdated laws and the Federal Trade Commission's failure to adequately safeguard consumer privacy.
EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that neither the Federal Communications Commission nor the FTC has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses." The letter also underscored the important role of the FCC in protecting consumer privacy, which EPIC has supported on numerous occasions. EPIC urged the Committee to "develop rules to provide meaningful and much-needed protections for consumer privacy" based on the Consumer Privacy Bill of Rights.
The hearing, which was held by the Senate Judiciary Subcommittee on Privacy, Technology and the Law, featured testimony from Chairman Tom Wheeler and Commissioner Ajit Pai of the FCC, and Chairwoman Edith Ramirez and Commissioner Maureen Ohlhausen of the FTC. Chairman Jeff Flake and Ranking Member Al Franken both pressed the FCC with questions about its authority to regulate other Internet-based companies beyond Internet Service Providers (ISPs). Senator Franken acknowledged the need to provide consumers with a uniform expectation of privacy and expressed support for baseline privacy rules for all online companies. Pai also recognized the need to provide uniform protections for consumers in light of the invasive practices of all online online operators.
The hearing also addressed FTC enforcement of consumer privacy. EPIC has previously explained that the FTC is "simply not equipped to provide meaningful protections for consumer privacy." The Commission's "notice and choice" approach fails to effectively protect consumer privacy. Even when the FTC reaches a settlement agreement with a privacy-violating company, it rarely enforces the Consent Order terms.
EPIC has urged the California Supreme Court to reverse a lower court decision that blocked public release of records about automated license plate readers (ALPRs) operated by the state police. ALPRs are "high-speed cameras mounted on light poles and police cars that continuously scan the plates of every passing car." They collect not only the license plate number, "but also the time, date, and location of each plate scanned, along with a photograph of the vehicle and sometimes its occupants."
The American Civil Liberties Union of Southern California (ACLU) and the Electronic Frontier Foundation (EFF) each filed public records requests for information about how the Los Angeles Police Department and the Los Angeles Sheriff's Department use ALPRs. The ACLU and EFF also requested a week's worth of ALPR data. The agencies withheld the ALPR data under an exemption used for records of law enforcement investigations. The California trial court and appeals court agreed with the agencies, and the ACLU and EFF petitioned the California Supreme Court for review.
In its amicus brief, EPIC argued that the lower court's interpretation of investigatory records would undermine the purpose of California's Public Records Act. EPIC explained how open records laws enable public scrutiny of surveillance technologies such as cell-site simulators (or stingrays), police body-worn cameras, and fusion centers. Transparency is necessary to ensure accountability for technologies and methods that conduct indiscriminate public surveillance, particularly when the programs collect massive amounts of data.
EPIC routines files Freedom of Information requests and litigates Freedom of Information Act cases. EPIC has also filed several amicus briefs in state and federal cases involving open government cases.
Top EU Legal Advisor Says IP Addresses are PII
The Advocate General, top advisor to the European Court of Justice, has issued an opinion today about Internet anonymity. He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German pirate party politician and privacy activist Patrick Breyer who is suing the German government over logging visits to government websites. "Generation Internet has a right to access information on-line just as unmonitored and without inhibition as our parents read the paper," says Breyer. The opinion is not legally binding but "is usually a good indication of how the court will eventually rule". EPIC has supported Internet anonymity since the 1990s and brought a similar challenge to the US government tracking of users of government website.
Senator Leahy Calls for FISA Reforms
The Senate Judiciary Committee held a hearing on the FISA Amendments Act, a law that grants the government broad surveillance powers over Internet communications. The Act, commonly referred to as "Section 702," is the basis for the NSA's "PRISM" program. EPIC testified before the House Judiciary Committee in 2012 on the need to limit the scope of Section 702 surveillance and to improve transparency of the Foreign Intelligence Surveillance Court. US and EU NGOs have since called for the end of Section 702. This week Senator Patrick Leahy (D-VT) stated that "additional reforms are needed to protect Americans' privacy, and restore global trust in the U.S. technology industry."
Federal Court Upholds Photo Tagging Suit Against Facebook
A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging.
White House Report Points to Risks with Big Data
A new White House report "Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights" points to risks with big data analytics. According to the authors, "[t]he algorithmic systems that turn data into information are not infallible--they rely on the imperfect inputs, logic, probability, and people who design them." An earlier White House report warned of "the potential of encoding discrimination in automated decisions." EPIC launched a campaign on "Algorithmic Transparency" after warning about the risks of secretive decision making coupled with "big data."
FAA Announces Drone "Advisory Committee"
Yesterday Federal Aviation Administration chief Michael Huerta announced that the FAA will establish a Drone Advisory Committee. According to Administrator Huerta, the committee "will help identify and prioritize integration challenges and improvements." Intel CEO Brian Krzanich will chair the committee. The Federal Advisory Committee Act requires federal agencies to ensure that advisory committees are "objective and accessible to the public." EPIC previously criticized the FAA Drone Registration Task Force, which met in secret and includes no consumer groups. EPIC successfully sued the FAA for the secret meeting records of the Registration Task Force. EPIC also previously sued the FAA for failing to establish privacy rules for commercial drones.
NY Attorney General Reports 40% Increase in Data Breaches
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
Intelligence Court Skeptical of Some FISA Applications
The Department of Justice has published the 2015 FISA report, which summarizes the use of the Foreign Intelligence Surveillance Act. The report also details the number of applications rejected or modified by the FISA Court (FISC). Overall, the Government's applications for FISA warrants has declined since 2003 but there was a slight uptick this year with 1,456 orders granted. A significant number of orders were modified by the FISC. The FISC modified 80 orders and the Government even withdrew one application. Prior to the USA FREEDOM Act, which limited bulk collection under Section 215, the FISC modified many of those orders.
- Federal law has major privacy loophole, WGRZ.com, May 13, 2016
- Zuckerberg called out to face reports, Boston Herald, May 11, 2016
- DC Circ. Won't Review FAA Drone Privacy Challenge, Law360, May 11, 2016
- EPIC Loses Round in D.C. Circuit, Courthouse News Service, May 11, 2016
- DOT opens documents from secret drone registration meetings, FierceGovernmentIT, May 10, 2016
- FBI Seeks to Exempt Its Massive Biometric Database From Federal Privacy Law, The New American, May 10, 2016
- Court Denies Challenge to Lack of Drone Privacy Rules, Broadcasting & Cable, May 10, 2016
- A Tale of Shields & Swords or Are Data Transfers between the EU and the US legal once again?,JDSupra, May 6, 2016
- FBI Wants to Exempt Its Massive Biometric Database from Some Federal Privacy Rules,Nextgov.com, May 5, 2016
- Eyes everywhere: Is Orwell's fictional '1984' becoming reality?, The Log, May 5, 2016
- TSA Hit With 2 Suits Over Airport Body Scanner Rule, Law 360, May 3, 2016
- Google, Europe and Privacy, New York Times (Opinion), May 2, 2016
- EU Disdains U.S. Surveillance, but Seeks Easier Access, Bloomberg BNA, May 2, 2016
- Court Orders Suspect To Unlock iPhone with Finger, Top Tech News, May 2, 2016
- Here's Why You Should Take All Your Photos Off the Internet Now, Observer, May 2, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
May 17, 2016
Goethe Institute Screening, "Democracy"
Landmark's E Street Cinema
May 18, 2016
Women in Government Advanced Technology & Innovations Summit 2016
Caitriona Fitzgerald, EPIC State Policy Coordinator
June 3, 2016
Jeffrey Rosen, "Louis D. Brandeis: American Prophet"
Politics and Prose
June 5, 2016
EPIC Screening, "Democracy"
June 6, 2016
EPIC, Data Protection 2016
National Press Club
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.