EPIC Alert 23.12

1. Supreme Court Weakens Fourth Amendment Protections During Police Stops

In a 5-3 decision, the U.S. Supreme Court held that an outstanding arrest warrant can attenuate “the connection between an unlawful stop and the evidence seized incident to arrest.” The case, Utah v. Strieff, involved the illegal stop of Edward Strieff by Officer Douglas Fackrell. The officer checked Strieff’s identity in a law enforcement database, discovered an outstanding arrest warrant for a traffic violation, arrested him, and then discovered drugs while searching Strieff incident to that arrest. The Utah Supreme Court suppressed the drug evidence as fruit of the initial illegal stop.

In overturning the Utah court’s decision, Justice Clarence Thomas concluded that the warrant “broke the causal chain between the unconstitutional stop and the discovery of evidence by compelling Officer Fackrell to arrest Strieff.” As a result, once the officer “was authorized to arrest Strieff, it was undisputedly lawful to search Strieff as an incident of his arrest,” and the resulting drug evidence was admissible in court. In dissent, Justice Sonia Sotomayor castigated the majority for failing to acknowledge that “unlawful police stops corrode all our civil liberties and threaten all our lives.” She warned that this decision “implies that you are not a citizen of a democracy but the subject of a carceral state, just waiting to be cataloged.”

Justice Elena Kagan also dissented, stating that “a circumstance counts as intervening only when it is unforeseeable - not when it can be seen coming from miles away.” She noted that even the police officer acknowledged that checking for outstanding warrants during a stop is the “normal” practice of the Salt Lake City police. Justice Sotomayor and Justice Kagan both noted the vast number of individuals in the United States with outstanding warrants for minor violations, such as traffic citations.

EPIC and 22 legal scholars and technical experts filed an amicus brief in Strieff, warning the Supreme Court that reversing the Utah court’s decision would allow vast amounts of personal data stored in government databases to provide post hoc justification for unlawful seizures. EPIC documented the numerous government databases that collect personal information about ordinary citizens, and detailed how these databases are inherently unreliable due to Privacy Act exemptions and documented inaccuracies. EPIC cautioned that overturning the Utah court’s decision would ultimately permit suspicionless identification in violation of prior Supreme Court decisions.

EPIC regularly files amicus briefs in U.S. Supreme Court cases addressing the Fourth Amendment.

2. In EPIC FOIA Case, Court Orders DEA to Explain Secrecy About Massive Telephone Data Program

A federal court in Washington, DC ruled that the Drug Enforcement Agency’s (DEA) explanation for withholding from EPIC information about a massive telephone-record collection program was legally insufficient. The Court ordered the DEA to release the information requested to EPIC or provide specific reasons for the withholding. The program, dubbed “Hemisphere,” is the largest telephone record collection program reported to date. EPIC filed its Freedom of Information Act lawsuit after the press reported on Hemisphere.

According to the N.Y. Times, the DEA allowed law enforcement personnel in multiple agencies to access billions of phone records of AT&T customers, as well as any non-customers whose communication is routed through an AT&T switch. And unlike the controversial NSA phone records collection program, Hemisphere also included location information.

According to the Department of Justice, the Hemisphere Project was terminated in 2013 and all the call data has been deleted

The DEA continues to keep secret the names of the companies involved in the Hemisphere program and the federal agencies given access to the telephone records of American consumers. EPIC expects to obtain more documents from the agency.

3. Court Misunderstands Internet Tracking in Video Privacy Case

Contrary to fact, the Third Circuit Court of Appeals has ruled that Internet Protocol (IP) addresses and media access control (MAC) addresses are not “personally identifiable information” (PII) under the Video Privacy Protection Act. The court’s decision in In re Nickelodeon dismissed privacy claims against Viacom and Google. The Court sustained state law claims for invasion of privacy.

The video privacy law bars companies from disclosing personally identifiable information about users of Internet video services. The Video Privacy Protection Act of 1988 was passed in reaction to the leak of US Supreme Court nominee Robert Bork's video rental records.

Viacom has created an elaborate tracking system for children who view video content on the Internet. Viacom operates the website Nick.com, which encourages children to provide personal information, such as gender, birthday and unique profile name. When children stream videos or play games on Nick.com, Viacom creates a record of their gender and birthday - called the "rugrat" code - and the name of the video played.

Viacom also places persistent identifiers on children computers and tracks IP addresses, device and browser settings, and browsing history. In collaboration with Google, Viacom also permits Google to place persistent identifiers on the computers of specific children.

EPIC filed an amicus brief in this case, arguing that the definition of “personally identifiable information” in the Video Privacy Protection Act is "purposefully broad to ensure that the underlying intent of the Act - to safeguard personal information against unlawful disclosure - is preserved as technology evolves," adding that Viacom's business practices are "clearly contrary to the intent of Congress and the purpose of the Act (to safeguard privacy) because the recipient of the customer's data in this case is Google, the single biggest aggregator of personal information in the world."

In an excerpt noted in the Court’s opinion, EPIC stated, "It is nonsensical to say that Google is unable to identify a user based on a combination of IP address, MAC address, and other browser cookie data; that is precisely what Google does best. It would be like concluding the company that produces the phone book is unable to deduce the identity of an individual based on their telephone number." EPIC’s Senior Counsel Alan Butler argued as amicus before the Third Circuit .

The decision issued by the three-judge panel regarding the definition of personally identifiable information contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the video privacy law. The circuit split increases the possibility of U.S. Supreme Court review.

4. EPIC Promotes Privacy, Data Protection at OECD Ministerial

Speaking at the OECD Ministerial Conference in Cancun, Mexico, EPIC President Marc Rotenberg emphasized the importance of trust for the digital economy and said there can be no trade-offs between innovation and human rights. The OECD Ministerial Meeting convened to guide the direction of future internet policy-making, and included panels on privacy and data protection, consumer rights, internet openness, and the Internet of Things.

Citing widespread public concerns, Rotenberg urged OECD member countries to address the challenges of privacy and security. "We cannot have a sustainable, inclusive economy if we cannot solve the problem of trust,” Rotenberg said. EPIC’s Board Member Jeff Jonas talked about the privacy implications of the Internet of Things at the Ministerial Meeting. 

EPIC collaborated with the Civil Society Information Society Advisory Council (CSISAC) to host a forum titled, "Toward an Inclusive, Equitable, and Accountable Digital Economy.”  CSISAC is the voice of civil society at the OECD. CSISAC facilitates the exchange of information between the OECD and civil society participants, leading to better-informed and more widely accepted policy frameworks. NGO leaders, academic experts, and government representatives from more than two dozen countries participated in the CSISAC event.

Rotenberg opened the CSISAC forum, together with Andrew Wyckoff, Director of the OECD’s Directorate for Science, Technology and Innovation. EPIC Advisory Board members gave keynote speeches at the Forum, with Shoshana Zuboff discussing surveillance capitalism and Bruce Schneier’s commenting on cyber security issues. Fanny Hidvegi, EPIC’s International Privacy Fellow, spoke on a panel that reviewed OECD’s work on privacy and data protection since the adoption of the Seoul Declaration. 

The OECD issued a Ministerial Declaration to summarize the outcomes of high-level meeting, focusing on innovation, growth, and social prosperity. CSISAC urged OECD ministers to protect human rights, the rule of law, and democratic institution. 

5. EPIC, Coalition Demand Congressional Oversight of FBI’s Vast Biometric Database

EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI’s massive biometric database and the Bureau’s use of facial recognition technology. The FBI’s biometric database, known as “Next Generation Identification,” contains biometric data on millions of civilians, including people who have no connection to the criminal justice system. The EPIC-led coalition argued that the FBI is “exposing millions of people to a potential data breach.”

The FBI has agreements with 16 states to submit photos for facial recognition searches of state photo repositories that consist largely of driver license photos. Through a Freedom of Information Act request, EPIC obtained a number of the agreements between the FBI and state motor vehicle departments. EPIC also obtained the Standard Operating Procedure for this program and a Privacy Threshold Analysis that indicated a Privacy Impact Assessment (PIA) must be performed. No PIA was completed prior to the implementation of the program, contrary to federal law. A recent Government Accountability Office report detailed the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology.

The coalition letter follows the FBI’s recent proposal to exempt the Next Generation Identification database from Privacy Act safeguards. The FBI wants broad exemptions for the biometric database to avoid the Privacy Act requirements of accuracy, relevancy and necessity, accounting disclosures, individual access to records, and civil remedies. According to the Systems of Records Notice for the database, the FBI will collect biometric data and other personal information for the purposes of employment, licensing, military service, volunteer service, background checks, immigration benefits, lawful detention, criminal inquiries, and civil violations.

EPIC previously sued the FBI for details about the Next Generation Identification. In the EPIC v. FBI FOIA case, EPIC obtained thousands of pages of documents. According to the System Requirements for the Next Generation Identification obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." 

News in Brief

High Court Extends Fourth Amendment Protections to DUI Blood Tests

In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible.  

FOIA Ombudsman Recommends Changes to Use of “Still Interested” Letters

The FOIA ombudsman has issued the third part of a report on the use of "still interested" letters (part 1, part 2). Such letters are used by federal agencies to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. Today’s report recognizes that this agency practice is "not addressed in the FOIA statute or in agency regulations,” and that reporting on the practice is inconsistent. The FOIA ombudsman  urged agencies to provide additional guidance on the use of such letters, and to document the practice in annual reporting. Congress recently passed legislation to strengthen the FOIA, which the President is expected to sign.

FAA Approves Commercial Drones Without Privacy Safeguards

The FAA released the final rule on commercial drones today. Despite nearly 180 comments regarding the privacy risks of drones, the FAA failed to address the privacy risks of deploying commercial drones into the national airspace. EPIC previously filed suit against the FAA after more than 100 groups and experts petitioned the agency to conduct a rulemaking on drone privacy. EPIC also recommended the FAA implement a national database detailing the surveillance capabilities of commercial drones. The FAA has repeatedly acknowledged the privacy risks of drone deployment, but has so far refused to adopt any privacy safeguards.

States Adopt New Student Privacy Safeguards

Several states have recently enacted new student privacy laws. Colorado and Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data.  North Carolina enacted a student privacy law modeled after California's Student Online Personal Information Protection Act. The National Association of State Boards of Education reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive student privacy bill of rights. EPIC's State Policy Project is monitoring privacy bills nationwide.

EPIC Scrutinizes DoD “Insider Threat” Database

In comments to the Department of Defense, EPIC criticized a proposed “Insider Threat” database that would gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. EPIC urged DoD to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DoD data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases, and recently filed comments on a similarly flawed DHS database.

EPIC, NGOs Host Civil Society Forum at OECD Ministerial

EPIC, in coordination with civil society organizations from around the world, is hosting "Toward an Inclusive, Equitable, and Accountable Digital Economy." The forum is organized under the auspices of the Civil Society Information Society Advisory Council (CSISAC), "the voice of civil society at the OECD," in conjunction with the OECD Ministerial on the Digital Economy. The CSISAC Forum features NGO leaders, technology experts and government decision makers. The Forum is an out growth of the Public Voice campaign to promote civil society participation in decisions concerning the future of the Internet. Similar NGO meetings were held in Ottawa in 1998 and Seoul in 2008.

EPIC's Rotenberg Outlines Need for International Privacy Framework

Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010 members of the EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.

GAO Report: FBI’s Use of Face Recognition Fails on Privacy and Accuracy

The Government Accountability Office released a report today detailing the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology. EPIC and a coalition of public interest groups recently urged the Justice Department to extend the public comment period for the FBI’s Next Generation Identification database, which includes facial recognition capabilities. Previous Freedom of Information Act requests by EPIC showed that the agency had numerous agreements with states to access driver license photos for facial recognition searches and that technical specifications allowed for a 20% search error rate.

EPIC in the News

• Feds Ordered to Release Info on Phone Spying, Courthouse News Service, June 29, 2016
• Heinrich blocks intelligence authorization bill over privacy concerns, The NM Political Report, June 28, 2016
• Advocates Seek To Address Spokeo In 3rd Circ. Data Row, Law 360, June 24, 2016
• FAA Issues New Rules for Commercial Drones, Law Street, June 23, 2016
• Commercial drone industry gets new relaxed rules, Naked Security, June 23, 2016
• Long-Awaited Domestic Drone Rules Won’t Stop Peeping Drones, The Intercept, June 21, 2016
• F.A.A. Issues Commercial Drone Rules, New York Times, June 21, 2016
• FAA gives commercial drones takeoff clearance, Consumer Affairs, June 21, 2016
• We’ve Needed Commercial Drone Rules For Years. The FAA _Just_ Released a First Step, Slate, June 21, 2016
• DOJ Seeks Privacy Act Exemptions for FBI's Extensive Biometric Database, TruthOut, June 17, 2016
• State, local agencies turn to curbing surveillance technology, AMI Newswire, June 15, 2016

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).

http://www.privacylawandsociety.org/

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

https://epic.org/privacy-book/

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

August 5, 2016
ABA Annual Conference: "Emerging Issues in National Security and Law Enforcement"
James Comey, FBI Director
Marc Rotenberg, EPIC President
San Francisco, CA