EPIC Alert 23.10
EPIC Alert 23.10 - May 31, 2016
- Supreme Court Remands Consumer Privacy Case for Further Consideration
- Federal Court Strikes Down Obstacle to Student FOIA Requests
- EPIC Urges Appeals Court to Strike Down Voter ID Law
- Senators Introduce Bill to Block Broad Remote Hacking Rules
- European Parliament Requires Changes to Privacy Shield
- News in Brief
- EPIC in the News
- EPIC Book Review: "In Defense of Women: Memoirs of an Unrepentant Advocate"
- EPIC Bookstore
- Upcoming Conferences and Events
The Supreme Court has issued an opinion in Spokeo v. Robins a case about the ability of consumers to sue companies that violate federal privacy laws. Mr. Robbins sued Spokeo, a large data broker, after the company sold inaccurate personal information about him in violation of the Fair Credit Reporting Act. Spokeo responded that no court had authority to hear the case because even if they violated the law, Robins had not also shown he suffered specific harm from the inaccurate information.
The Supreme Court said it was necessary to determine whether plaintiffs injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that such an inquiry was unnecessary was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'"
Congress passed the Fair Credit Reporting Act in 1970 to "protect consumers against arbitrary, erroneous, and malicious credit information" by "applying the principle of due process in the credit reporting business." Almost fifty years later, the law remains one of the most important privacy laws in the United States. In support of Robins, EPIC submitted a "friend of the court" brief, signed by 32 technical experts and legal scholars, arguing that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Citing the national epidemic of data breaches, EPIC also warned that "now is not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress."
The case will now be sent back to the lower court for further consideration.
A federal appeals court has ruled that government agencies must give favorable fee treatment to students pursuing Freedom of Information Act requests. Student requesters can only be charged fees associated with duplicating records, which are often waived. This means that in many cases, students can now avoid prohibitive fees in furtherance of their research.
The FOIA allows agencies to charge requesters three types of processing fees: search, review, and duplication. But the Act gives preferential treatment to certain categories of requesters allowing them to avoid some fees. Educational institutions and teachers, for example, can only be charged duplication fees. But until this ruling from the U.S. Court of Appeals for the D.C. Circuit, students were charged both duplication and search fees.
In Sack v. Department of Defense, a federal agency charged a Ph.D. student $900 to process a FOIA request. The Defense Department contended that a student requester "carrying out an individual research goal" is not entitled to the favorable fee standards for educational institutions and teachers. The D.C. Circuit disagreed, writing "this statute, as we read it, does not empower the Government to pursue fiscal balance or provide relief for the FOIA bureaucracy on the backs of students. The statutory text and context lead us to this simple conclusion: If teachers can qualify for reduced fees, so can students." "Students who make FOIA requests to further their coursework or other school-sponsored activities are eligible for reduced fees under FOIA because students, like teachers, are part of an educational institution."
In 2011, EPIC criticized the agency practice of charging higher fees to student FOIA requesters, calling the government's position "absurd." As EPIC explained, to deny favorable fee status to students was antithetical to the FOIA's purpose of providing "greater public understanding of the operation of government."
EPIC has urged the U.S. Court of Appeals for the Fifth Circuit to overturn Texas Senate Bill 14, which requires voters to obtain government-issued photo IDs. SB 14 requires all Texas voters to show one of six forms of photo ID in order to vote, places strict limitations on who is exempt from the ID requirements, and requires voters to disclose substantial amounts of personal information to obtain a the voter ID.
In a consolidated lawsuit, plaintiffs challenged the Texas state law for posing an unconstitutional burden on the right to vote, violating the Voting Rights Act's prohibition on laws with discriminatory purpose or effect, and constituting an unconstitutional poll tax. The lower court struck down the law on all four grounds, and Texas appealed. A Fifth Circuit panel opinion affirmed the lower court's holding that SB 14 had a discriminatory effect, but vacated or dismissed the other claims. The Fifth Circuit then granted en banc rehearing.
As a friend of the court, EPIC argued that the photo ID requirements "not only infringe individuals' right to vote, they are also an unlawful burden on constitutional privacy rights." The right to informational privacy--recognized by both the U.S. Supreme Court and the Texas Supreme Court--protects the individual interest in avoiding disclosure of personal matters. EPIC explained that the voter ID law requires Texas voters to disclose substantial amounts of private information and obtain a government-issued photo ID in order to vote. Because Texas has not demonstrated a sufficient interest to justify the burden on voters' privacy rights, EPIC said the law is unconstitutional.
EPIC has previously filed several amicus briefs defending the right to informational privacy and voter privacy.
Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016. The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court.
The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. A single remote warrant would permit law enforcement officers to seize or copy files stored on thousands of remote computers, including the computers owned by individuals who were merely a victim of malware. The Senators who introduced the Stop Mass Hacking Act asserted that "The public doesn't know nearly enough about how law enforcement executes these hacks, how (or whether) a victim would be notified of the search, and what risks these types of searches will pose."
In November 2014, EPIC criticized the Rule 41 change in a statement to the Judicial Conference Advisory Committee on Criminal Rules. Alan Butler, EPIC Senior Counsel, wrote that "the proposed amendments to Rule 41 would authorize searches beyond the scope permissible under the Fourth Amendment." Specifically, Butler stated that remote access warrants are equivalent to "covert entry" warrants, and should only be permitted when the methods are necessary to effectuate the search, and notice is given to the target within a reasonable time after the search is conducted. Butler noted that the US Supreme Court has found "illegitimate and unconstitutional practices get their first footing . . . by silent approaches and slight deviations from legal modes of procedures."
Unless Congress takes action to block the Rule 41 amendments by December 1, the government's surveillance authority will be expanded significantly.
The European Parliament issued a resolution to call for changes in the draft arrangement to permit data transfers between the EU and the U.S. The Parliament's resolution is not legally binding but it does put pressure on the European Commission to reopen the negotiations with their American counterparts before adopting a data transfer arrangement. The Parliament said that officials must "fully implement" privacy recommendations made by the Article 29 Working Party, a group consisting of European privacy officials, and negotiate further changes to the "Privacy Shield."
The European Data Protection Supervisor has also determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli.
EPIC to OPM "If You Can't Protect It, Don't Collect It"
In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
House Passes Narrow ECPA Update
The Email Privacy Act of 2016 has passed the House 419-0 The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests
The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission's increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of Commissioner Pamela Harbor, who cited the connection between monopoly practices and privacy violations
Supreme Court Approves Remote Computer Hacking by Police
The U.S. Supreme Court has voted to approve changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search. Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal.
White House Report Points to Risks with Big Data
A new White House report "Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights" points to risks with big data analytics. According to the authors, "[t]he algorithmic systems that turn data into information are not infallible--they rely on the imperfect inputs, logic, probability, and people who design them." An earlier White House report warned of "the potential of encoding discrimination in automated decisions." EPIC launched a campaign on "Algorithmic Transparency" after warning about the risks of secretive decision making coupled with "big data."
EPIC FOIA - Secret Drone Task Force Records Disclosed
In response to EPIC's FOIA lawsuit , the Department of Transportation has released the minutes of a secret meeting of the FAA drone task force. The task force included industry groups such as GoogleX, Amazon, and DJI, but consumer groups and privacy advocates were excluded from the hastily created advisory committee. The documents shed light on the secret meetings held last November. Several participants warned about privacy risks in drone deployment. The minutes also stated, "Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." EPIC has urged the agency to do more to safeguard the public, and in EPIC v. FAA , challenged the FAA's failure to establish privacy regulations for drones.
Senate Examines "Do Not Call" Law
The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act . The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers. EPIC said that widespread use of cellphones "has amplified the nuisance and privacy invasion caused by unwanted calls and text messages." EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law.
Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey
A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. "In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online," NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched " Data Protection 2016 ," a non-partisan campaign to make data protection an issue in the 2016 election.
- Tech Companies Take Their Legislative Concerns to the States,The New York Times, May 28, 2016
- EPIC Blasts Gov't's Job Applicant Data Policies , Law360, May 27, 2016
- Illinois senator's plan to weaken biometric privacy law put on hold ,Ars Technica, May 27, 2016
- Virtual assistants such as Amazon's Echo break US child privacy law, experts say ,The Guardian, May 26, 2016
- Concerns about what the Uber app mines from phones , KOB.com, May 26, 2016
- Horizon Weighs In For Paytime In 3rd Circ. Data Dispute , Law360, May 26, 2016
- EPIC to OPM: Stop collecting sensitive job applicant information if you can't secure the data , FierceGovernmentIT, May 26, 2016
- Google, Amazon and Apple assistants may break federal child-protection law: report ,Silicon Beat (The Mercury News), May 26, 2016
- Apps track emails, receipts to spot potential price-match refunds ,Chicago Tribune, May 25, 2016
- Faception can allegedly tell if you're a terrorist just by analyzing your face ,Computerworld, May 25, 2016
- Students should get the same FOIA fees break as teachers, judge rules ,FierceGovernmentIT, May 23, 2016
- No, the FBI's Huge Biometrics Database Should Not Be Exempt From Privacy Rules ,Dissent NewsWire, May 20, 2016
- Drone Stakeholder Group Finalizes Best Practices , Law360, May 19, 2016
- Illinois announces new enhanced security driver license , Examiner.com, May 18, 2016
- Facebook to meet with conservative leaders amid reports of bias ,KCBY, May 17, 2016
- Paytime Urges 3rd Circ. To Reject Workers' Stolen-Data Claims, Law360, May 17, 2016
Before Judge Nancy Gertner was a federal judge in the U.S. District Court for the District of Massachusetts, she was an ardent champion of civil liberties and women's rights. Written before she retired from the bench and joined the Harvard Law School faculty in 2011, In Defense of Women offers a powerful reflection on the trials and victories of the first 20 years of her career. Judge Gertner's memoirs are an inspiration for any lawyer, old or young, who seeks to use the law for good.
Judge Gertner began her legal career in the early 1970s, when few women graduated from law school and even fewer practiced criminal trial law. She opens her memoirs with the case that launched her into the public spotlight: the defense of Susan E. Saxe, a lesbian anti-Vietnam War activist charged with first degree felony murder. Saxe had helped rob a bank to raise money for the anti-Vietnam War effort, but one of the other robbers had shot and killed a security guard. With almost no experience in criminal trial work, Judge Gertner spearheaded an exceptional defense, supported by a team of predominately women. Drawing on her intuitive skill in the courtroom, Judge Gertner beat the odds, achieving a hung jury from what everyone expected to be an easy conviction.
In Dense of Women goes on to recount two decades of unwavering defense work and civil rights advocacy. Much of Judge Gertner's work--as the title of her memoirs suggests--has been in defense of women: women facing discrimination or harassment based on sex, women who were sexually assaulted and abused, women who were being denied the right to an abortion, battered women who killed abusers. Throughout it all, Judge Gertner displayed boundless energy and fierce dedication to her clients. In 1981, for example, she helped the women of Massachusetts win the right to choose abortion under the state constitution. In 1989, she successfully used the battered-woman defense to mitigate a first-degree murder charge into manslaughter.
Throughout the book, Judge Gertner openly struggles with the contradictions of legal advocacy. What is "the truth"? How does a clever procedural victory or an impeached witness vindicate "the truth"? What happens when you successfully represent a rape defendant on personal belief of his innocence, but a court establishes a broad procedural rule that will harm rape victims in the process? Is litigation sometimes inadvisable, even when the client has clearly suffered a cognizable injury? But in spite of these doubts--or, perhaps, because of them--Judge Gertner remains steadfastly committed to helping every person achieve justice.
The memoir closes with Judge Gertner's appointment to the federal bench by President Clinton in 1994--a position she would hold until 2011. While on the bench, Judge Gertner authored significant opinions about the use of DNA evidence for criminal exoneration. Most recently, she co-authored a Berkman Center report titled "Don't Panic: Making Progress on the 'Going Dark' Debate" with EPIC Advisory Board member Bruce Schneier.
In recognition of her lifelong dedication to civil liberties, EPIC will award Judge Gertner its Champion of Freedom award in June 2016.
--Aimee Thomson, EPIC Appellate Advocacy Counsel
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
June 3, 2016
Jeffrey Rosen, "Louis D. Brandeis: American Prophet"
Politics and Prose
June 5, 2016
EPIC Screening, "Democracy"
June 6, 2016
EPIC, Data Protection 2016
National Press Club
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.