EPIC Alert 23.11
EPIC Alert 23.11 - June 15, 2016
- EPIC, Coalition Petitions Education Department for Data Security Rules for Student Records
- EPIC Gives Awards to Gertner, Soltani, and Wolf
- EPIC FOIA: Secret Drone Task Force Ignored Privacy Concerns
- EPIC Proposes Privacy, Security Protections for "Internet of Things"
- EPIC Calls for Strong Communications Privacy Rules
- EPIC Book Review: "Louis D. Brandeis: American Prophet"
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
EPIC, legal scholars, technical experts, and many leading privacy organizations have petitioned the Education Department to establish a data security rule to protect student records. The Education Department previously implemented changes to the Family Educational Rights and Privacy Act (FERPA) in 2008 and 2011 that allowed for widespread disclosure of educational records. The experts and groups explained that, since these changes, data breaches have plagued schools and colleges across the country.
The petition provided numerous examples of unauthorized disclosures over the past few years since the changes to FERPA. The signers of the petition argued that "weak or nonexistent data security procedures have directly led to the unauthorized disclosure of education records in violation of [the Act]." The petition calls for the establishment of rules for encryption, privacy enhancing techniques, and breach notification.
In 2011, EPIC opposed the Department of Education's proposed regulations to remove limitations on educational institutions and agencies disclosing student data without consent. When the agency went ahead with the proposed change, EPIC filed suit in federal court. Through a Freedom of Information Act request, EPIC also obtained documents from the Department of Education detailing parent and student complaints about the misuse of education records.
In 2014, EPIC called for a Student Privacy Bill of Rights. Based largely on the well-established Fair Information Practices (FIPs), the Student Privacy Bill of Rights provides an enforceable student privacy and data security framework.
EPIC submitted comments earlier this year to the Education Department objecting to the Department's recent proposal to gather detailed student information. The Department plans to collect student data, including discipline records, to assess "data-driven instruction professional development" and disclose the data to private contractors. EPIC urged the Department to collect aggregate data instead of personally identifiable student information, a step that would protect student privacy while still allowing research goals to be met.
EPIC's Lifetime Achievement Award recognizes individuals associated with EPIC, whose professional work and personal commitment have strengthened EPIC and advanced the cause of privacy. This year, EPIC honored Christopher Wolf, senior partner in the Privacy and Information Management practice of Hogan Lovells in Washington, DC. Wolf has helped shape EPIC's work on privacy from the very start. He won a key legal victory in the 1998 lawsuit McVeigh v. Cohen, preventing the U.S. Navy from using information obtained in violation of the Electronic Communications Privacy Act (ECPA) to discharge an officer under Don't Ask, Don't Tell. Since that case, Wolf has become one of the leading privacy experts in the world. He has mentored young lawyers, launched new organizations and new academic programs, and continued his support for EPIC, currently serving as a member of EPIC's Advisory Board. Previous recipients of the EPIC Lifetime Achievement Award include Bruce Schneier, Anita Allen, David Flaherty, Whitfield Diffie, and Willis Ware.
EPIC gives its Privacy Champion Award to a leading consumer advocate who has helped safeguard the right to privacy. This year, EPIC recognized Ashkan Soltani, an independent researcher and technologist specializing in privacy, security, and behavioral economics. Soltani served briefly as a Senior Advisor to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy. In 2015, he was the Chief Technologist for the Federal Trade Commission, where he helped create its Office of Technology Research and Investigation. Soltani was also a co-author of the Washington Post series about National Security Agency surveillance that received the 2014 Pulitzer Prize for Public Service, a 2014 Loeb Award, and a 2013 Polk Award for National Security Reporting. Previous recipients of the EPIC Privacy Champion Award include Phil Zimmermann, Evan Hendricks, Susan Grant, Christopher Soghoian, Jeff Chester, and Beth Givens.
Finally, EPIC gives its Champion of Freedom Award to outstanding individuals who have demonstrated a deep commitment to protecting privacy, open government, and democratic values. This year, EPIC honored Judge Nancy Gertner, now a member of the Harvard Law School faculty. Judge Gertner was nominated to the federal district court bench in 1994 by President Clinton and served for 17 years before retiring in 2011. Prior to her time on the bench, Judge Gertner was a tireless advocate for civil rights, civil liberties, and women's rights in Boston, as detailed in her autobiography, In Defense of Women: Memoirs of an Unrepentant Advocate. Judge Gertner recently co-authored a Berkman Center report titled "Don't Panic: Making Progress on the 'Going Dark' Debate" with EPIC Advisory Board member Bruce Schneier. Previous EPIC Champion of Freedom recipients include Richard Clarke, Tim Cook, Kamala Harris, Edward Snowden, The Guardian, and Sen. Patrick Leahy.
A second batch of previously secret documents shows that the government's secret drone task force ignored public concerns about drone surveillance. The newly released records stem from EPIC v. Department of Transportation, a lawsuit filed to uncover records relating to the private meetings held last November in Washington, DC between agency officials and industry representatives. Included in the documents are opening remarks by FAA Administrator Michael Huerta, who urged the task force to take into consideration "the interests of all stakeholders," but who declined to invite any privacy or consumer advocates to the closed-door meetings.
Earlier this year, EPIC filed a FOIA lawsuit against the Department of Transportation for records of the closed-door meetings of the "Drone Registration Task Force." The agency created the Task Force late last year to develop recommendations for registering commercial drones. The Task Force--whose membership included no civil liberties organizations or privacy advocates--met in secret last November before releasing a report. EPIC's lawsuit was filed just after the FAA's Aviation Rulemaking Committee of industry groups and agency officials recommended easing restrictions that prohibit businesses from flying unmanned aerial vehicles.
The first set of documents that EPIC obtained in the case consisted of meeting minutes of the drone task force. The task force included industry groups such as GoogleX, Amazon, and DJI, but consumer groups and privacy advocates were excluded from the hastily created advisory committee. Several participants warned about privacy risks in drone deployment. The minutes also stated, "Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." EPIC has urged the Department of Transportation to do more to safeguard the public, and in EPIC v. FAA, EPIC challenged the Administration's failure to establish privacy regulations for drones.
EPIC routinely uses the Freedom of Information Act to promote government oversight and agency accountability. This July 4th will mark the 50th anniversary of the FOIA's enactment. Appropriately, the U.S. Congress has passed a FOIA reform bill this week that would adopt many of EPIC's recommendations on improving the nation's premier open government law. Open government and transparency advocates have publicly supported the bill. The bill is now headed to President Obama, who has indicated that he intends to sign the legislation into law.
EPIC has recommended new safeguards for the "Internet of Things" in response to a notice published by the Department of Commerce. The National Telecommunications and Information Administration (NTIA) has sought comments on "the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things."
In its comments, EPIC proposed laws requiring companies to adopt Privacy-Enhancing Technologies, promote data minimization, and ensure security in both design and operation of Internet-connected devices. EPIC also recommends a prohibition on tracking, profiling, and monitoring of consumers using IoT services.
As EPIC explained, "Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent. The Internet of Things presents important implications for consumer privacy and security. The government must act now to ensure these technologies are implemented in a way that benefits consumers and respects important values."
EPIC has worked extensively on the risks of the Internet of Things, including connected cars and "smart homes." An EPIC complaint concerning "always on" devices, such as "smart TVs," is pending at the Federal Trade Commission. EPIC Board Member Jeff Jonas will talk about the privacy implications of the Internet of Things at the upcoming OECD Ministerial Meeting, which is held in conjunction with a Civil Society Forum.
EPIC has submitted comments to the Federal Communications Commission (FCC) in response to its notice of proposed rulemaking on "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services." The FCC's proposed privacy rules would regulate only Internet Service Providers (ISPs) and are based on a limited "transparency, choice, and security" framework.
EPIC's comments urged the FCC "to fully apply" Fair Information Practices (FIPs) and President Obama's Consumer Privacy Bill of Rights (CPBR) to all communications data. EPIC described the insufficiency of the Federal Trade Commission's (FTC) "notice and choice" approach to consumer privacy, which "falls well short of FIPs and the CPBR and shifts the responsibility for privacy protections from companies to individuals." EPIC also said the FCC should endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require opt-in consent for the use and disclosure of consumer data.
Finally, EPIC urged the Commission to regulate all companies that gather consumer data generated by online communications services, including email providers, social networking sites, and search engines. "While ISPs are clearly engaged in invasive consumer tracking and profiling practices, they are not the only so-called gatekeepers to the Internet who have extensive and detailed views of consumers' online activities," EPIC said.
Earlier this week, the U.S. House Energy and Commerce Subcommittee on Communications and Technology held a hearing on "FCC Overreach: Examining the Proposed Privacy Rules." In advance of this meeting, EPIC sent a letter to the Committee that described the shortcomings of the "notice and choice" privacy framework and pointed to growing levels of public concern in the United States about Internet privacy. EPIC said that the FCC's proposed privacy rules are a modest first step and argued that the FCC can and should go much further to safeguard American consumers.
Throughout the FCC's rulemaking process, EPIC has actively engaged with the Commission and has urged it to use the full extent of its rulemaking authority to protect the privacy of online communications. The FCC is accepting reply comments on this rulemaking until June 27, 2016, and is expected to vote on a final rule by the fall.
"Louis D. Brandeis: American Prophet," by Jeffrey Rosen
In his insightful, condensed biography of Louis D. Brandeis, Jeffrey Rosen examines the career of the first Jewish member of the U.S. Supreme Court on the hundredth anniversary of his confirmation. "Louis D. Brandeis: American Prophet" chronicles the thought and character of "the most important American critic of what he called 'the curse of bigness' in government and business since Thomas Jefferson."
President and CEO of the National Constitution Center and law professor at the George Washington University Law School, Rosen offers an insightful reflection on Brandeis's career and philosophy, as well as its relevance to the modern age. Rosen explores what we can learn from Brandeis about important questions involving corporate and government power, monopolies, privacy, free speech, and translating the Constitution to meet the legal challenges of the twenty-first century. Rosen unequivocally considers Brandeis to be one of the "greatest constitutional philosophers of the twentieth century."
Rosen introduces the book with a broad discussion of Brandeis's enduring legacy and the Jeffersonian ideals that shaped his service on the Supreme Court from 1916 to 1939 as a progressive champion of federalism and state autonomy.
According to Rosen, Brandeis's judicial philosophy was founded on three key principles: judicial restraint; opposition to the "curse of bigness" in government and business; and commitment to translate the text of the Constitution and the intent of the framers to social and technological changes.
Rosen refers to Brandeis as "the Jewish Jefferson" for his crusade against the "curse of bigness" and his work to curb centralized power in both business and government. According to Rosen, Brandeis's legacy as an economic prophet was solidified when he published "Other People's Money and How the Bankers Use it," a book that warned against the dangers of financial oligarchies that leverage other people's money to control large companies for their own self-serving interests. Rosen observes that financial deregulation in the 1990s and the crash of 2008 confirmed Brandeis's fears about financial oligarchies.
Rosen also discusses Brandeis's commitment to the Jeffersonian notion of limited government. Brandeis believed strongly in deference to legislative experimentation and states' rights, coining the term "laboratories of democracy" to describe his notion of Federalism.
Brandeis was committed to judicial deference, curbing centralized power in both business and government, and interpreting the text of the Constitution and the intent of the framers in light of the full range of constitutional history. Rosen observes that this philosophy provides a balanced alternative to both rigid originalism and untethered "living constitutionalism" championed by other prominent justices.
Rosen also analyzes Brandeis's authorship of "the greatest defenses of privacy and free speech in the twentieth century." In the Internet age, "Brandeis is the most relevant figure, the prophet, not only of privacy but also of free speech," Rosen says.
Many legal scholars know Brandeis as the co-author of the seminal article "Right to Privacy" - "one of the most famous law review articles in American legal history," Rosen proposes. Published in the Harvard Law Review in 1980 with co-author Samuel Warren, this piece of scholarship provides one of the earliest and greatest defenses of privacy ever written. Brandeis and Warren proposed an entirely new legal right, which they termed "the right to be let alone."
Brandeis's understanding of privacy evolved as he came to champion free speech, recognizing potential conflict between privacy and transparency. Rosen discusses Brandeis's "visionary" dissent in the 1928 case Olmstead v. United States, where the Supreme Court first considered the constitutionality of electronic searches. According to Rosen, Brandeis's dissenting opinion articulated a theory of "intellectual privacy" that recognizes "the importance of anonymity and freedom of thought as preconditions for self-governance." Rosen identifies the Olmstead dissent as a turning point in the Justice's understanding of privacy as more than just the "right to be let alone." "Brandeis came to believe that we don't need to choose between privacy and free speech because far from clashing with democratic values of public debate, intellectual privacy is essential to it," Rosen says.
Rosen also discusses Brandeis's invention of the famous Brandeis brief, a legal brief that relies on empirical studies and scientific evidence over legal citations to prove its argument. In Muller v. Oregon, Brandeis persuaded the Supreme Court to uphold a state labor law setting maximum hours for women through a groundbreaking brief that used sociological data to prove the negative effects of excessive labor.
Rosen concludes his biographical narrative with a discussion of Brandeis's Jewish identity and his leadership of the Zionist movement in America. Rosen describes Brandeis's construction of Zionism based on the belief that "American Jews could not develop an individual identity without also cultivating and participating in a group identity, because individual happiness and development are dependent on the groups that define us."
In the epilogue to "Brandeis," Rosen reflects on the Justice's enduring legacy among current members of the Supreme Court and his influence on their own jurisprudence. Brandeis's commitment to judicial restraint, his invention of the Brandeis brief, and his vision of intellectual privacy continue to influence modern American law and policy. Rosen also speculates on how Brandeis would approach privacy in the digital age, concluding that he would actively engage in "the project of constitutional translation in order to preserve the framers' values in a startlingly different technological world."
Rosen's reflections on Brandeis's career and legal philosophy offer significant relevance to modern-day issues involving corporate power, financial monopolies, free speech, and privacy in the digital age. He quotes extensively from Brandeis's work and other biographies of the Justice, which adds richness to Rosen's own insights on the lessons to be learned from Brandeis's philosophy and character. This book is a must-read for lawyers and non-lawyers alike who seek to understand the historic and evolving values of privacy, free speech, and civil liberties important in today's world.
- Claire Gartland
EPIC Tells Congress FCC is "Under Reaching" on Privacy
EPIC has sent a letter to the House Energy and Commerce Committee in advance of a hearing on "FCC Overreach: Examining the Proposed Privacy Rules." EPIC described the shortcomings of the "notice and choice" privacy framework and pointed to growing levels of public concern in the United States about Internet privacy. EPIC said that the FCC's proposed privacy rules are a modest first step and that the Communications Commission has legal authority to go much further to safeguard American consumers. EPIC has repeatedly urged the Commission to broaden the scope of the proposed privacy rules.
House to Consider Overdue FOIA Reform Bill
Congress is poised to take up a FOIA reform bill next Monday. The bill would require federal agencies to operate under a "presumption of openness" and places time limits on agency responses, improvements that EPIC has long supported. EPIC routinely uses the Freedom of Information Act to promote government oversight and agency accountability. July 4, 2016 will mark the 50th anniversary of the enactment of the FOIA.
EPIC Presses House Leaders on "Data Protection"
At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016.
EPIC Hosts Policy Forum at National Press Club
EPIC brought together privacy, security, and policy experts for a panel discussion at the National Press Club around the theme "Data Protection 2016." Panelists explored voter privacy issues, including voter ID and online voting, and also privacy issues that could arise in the 2016 election cycle. Participants included members of the EPIC Advisory Board, representatives of the Brennan Center and Verified Voting, and the UN Rapporteur on the Right to Privacy.
EPIC, Coalition Seeks Time to Review FBI Biometric Database
EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI's Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. Errors plague the NGI database. In a FOIA case, EPIC v. FBI, EPIC obtained documents, which showed that the FBI accepted a 20% error rate for facial recognition matches.
Top European Privacy Official Rejects EU-US "Privacy Shield"
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.
Federal Court Leaves Digital Search Law Unresolved
A federal appeals court ruled today that the government did not violate the Fourth Amendment by keeping a copy of files for more than two years after an investigation because it acted in "good faith." EPIC argued that the government must adopt data minimization practices and that the use of evidence was unlawful. In a dissenting opinion, Judge Chin wrote that the search violated the Fourth Amendment.
Amendment Would Overturn Model Facial Recognition Privacy Law
The Illinois Biometric Information Privacy Act is one of the strongest facial recognition laws in the country. Enacted in 2008, the law prohibits the use of biometric recognition technologies without consent and provides for meaningful enforcement. But a proposed amendment would undercut legal protections, exempting facial recognition software from the law. A pending lawsuit against Facebook alleges that the company violates the law by amassing a database of users' faceprints "without even informing its users -- let alone obtaining their informed written consent." EPIC has urged a moratorium for such surveillance techniques, pending the enactment of strong privacy laws such as those in Illinois. In much of the world, facial recognition software is illegal.
- Maryland universities to use data to predict student success -- or failure, Baltimore Sun, June 13, 2016
- Warnings About IoT Given to Department of Commerce, Security Intelligence, June 10, 2016
- Advocacy groups back FCC plan for online privacy rules, FedScoop, June 9, 2016
- Singapore unveils drastic move that puts government in pre-internet era, ZDNet, June 8, 2016
- Privacy advocates accuse Obama administration of failing to properly protect student data, Washington Post, June 7, 2016
- U.S. gets warnings and advice about the Internet of Things, Computerworld, June 7, 2016
- Facial Recognition Software: Technology to Make Big Brother Drool, The Tenth Amendment Center, June 7, 2016
- Hey Siri! At Apple WWDC 2016, Tim Cook needs to make big data, AI pivot, ZDNet, June 6, 2016
- Apps track emails, receipts to spot potential price-match refunds, Indiana Gazette, June 6, 2016
- Is Facebook eavesdropping on us?, CSMonitor.com, June 5, 2016
- Privacy Groups -- and Uber -- Challenge FBI's Attempt to Bypass Privacy Act, Nextgov.com, June 3, 2016
- FBI wants biometric database kept secret, WND, June 3, 2016
- FBI pushes for more power to crush your privacy, InfoWorld, June 3, 2016
- Silicon Valley Says Broadband Privacy Rules Shouldn't Apply To Web Companies, MediaPost, June 3, 2016
- Spokeo Gives Workers Standing In Data Suit, 3rd Circ. Hears, Law360, June 2, 2016
- The FBI Is Letting Tech Companies Off the Leash--But Only a Little Bit, Gizmodo, June 1, 2016
- The FBI Wants to Exempt Massive Biometric Database From the Privacy Act, The Intercept, June 1, 2016
- How the EU General Data Protection Regulation Was Won--The Movie, Bloomberg BNA, May 31, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
June 17, 2016
"Convention 108: From a European Reality to a Global Instrument"
Council of Europe
Marc Rotenberg, EPIC President