EPIC Alert 23.13 - July 15, 2016
- President Obama Signs FOIA Reform Bill Into Law
- European Commission Signs Off on Flawed "Privacy Shield"
- EPIC Scrutinizes FBI's Massive Biometrics Database
- Wiretaps Increase Sharply in 2015, No Evidence of Government Surveillance "Going Dark"
- EPIC Sues for Release of Government Oversight Reports
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
President Obama Signs FOIA Reform Bill Into Law
Celebrating 50 years since the enactment of the Freedom of Information Act, President Obama signed into law the FOIA Improvements Act of 2016. The President's signing comes just days before the 50th anniversary of the Act, which was signed into law on July 4, 1966. The FOIA reform bill was introduced in Congress in 2015 and was passed earlier this June.
Acknowledging the significance of the bill's passage, Senator Patrick Leahy (D-Vt.), a champion of open government, stated, "Our founders had the revolutionary vision to create a government of, by, and for the people. Today we have helped strengthen that ideal." EPIC and many open government advocates urged the President to support these reforms.
The FOIA Improvements Act brings much needed improvements to the nation's open government law. For example, the Act requires the government to create a new one-stop portal for requesters. The Act also mandates the proactive disclosure to the public of records requested three or more times. Importantly, the new law strengthens the Office of Government Information Services by authorizing the FOIA watchdog to report to Congress directly and to propose legislative recommendations without prior approval from other agencies. The new law also codifies the "presumption of openness" in the processing of requests for information about the federal government.
Significantly, the FOIA Improvements Act places a 25-year limit on the application of Exemption 5 to "deliberative process" documents. The deliberative process privilege is the most commonly invoked Exemption 5 privilege and is designed to protect the decisionmaking processes of government agencies. By capping this exemption at 25 years, the Act ensures that the decisionmaking process of the federal government does not remain secret indefinitely.
EPIC has long been an advocate for greater transparency and openness in the government. EPIC frequently litigates in federal courts to obtain significant government records. EPIC is currently fighting to obtain records on surveillance oversight reports, DOJ watchdog reports, and passenger screening. EPIC has also established websites detailing our work, and compiled resources on the FOIA and FOIA reform.
European Commission Signs Off on Flawed "Privacy Shield"
The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the US, which was struck down by the Court of Justice of the European Union in October 2015. Citing that decision, leading EU privacy advocates Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." The Privacy Shield agreement faces a legal landscape similar to that of its predecessor, and seeks to compensate for the lack of US data protection laws by reliance on government assurances rather than enforceable legislation.
"Sadly, for both privacy and for business, this agreement helps nobody at all," said Joe McNamee, executive director of European Digital Rights (EDRi). "We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights."
EPIC has advocated for the US to reform its domestic laws and international commitments to provide adequate safeguards for privacy and data protection rights of consumers on both sides of the Atlantic.
EPIC Scrutinizes FBI's Massive Biometrics Database
In comments to the FBI, EPIC criticized the Bureau's proposal to remove Privacy Act safeguards from a database containing biometric data on millions of people. Known as Next Generation Identification (NGI), the FBI's biometric database collects numerous biometric identifiers including fingerprints, facial scans, and iris scans. Biometric data is collected on arrestees and people with records, as well as individuals with no connection to the criminal justice system. The FBI keeps biometric data for decades beyond the need to fulfill the stated purpose for which the data was originally collected.
The FBI's proposal would exempt the NGI database from the Privacy Act requirements of accuracy, relevancy and necessity, accounting disclosures, individual access to records, and civil remedies. EPIC argued that such broad exemptions will "increase the secrecy of the database and erode agency accountability." A recent GAO report on the FBI's use of facial recognition has already found that the FBI has failed to update the public in a timely manner regarding the Bureau's expanding use of facial recognition. EPIC also warned the FBI of the potential for data breaches. In its comments, EPIC stated that "the over collection of detailed, sensitive information is problematic particularly in light of the rise of government data breaches."
Recently, EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI's NGI database and the Bureau's use of facial recognition. The letter stated that "[o]versight hearings promote transparency and accountability and help ensure that the FBI fulfills its mission while upholding American values and constitutional freedoms."
EPIC previously sued the FBI for details about NGI. In the EPIC v. FBI FOIA case, EPIC obtained thousands of pages of documents. According to the System Requirements for the NGI database obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time."
Wiretaps Increase Sharply in 2015, No Evidence of Government Surveillance "Going Dark"
According to the newly released 2015 Wiretap Report, federal and state courts issued a combined 4,148 orders for the interception of wire, oral, or electronic communications in 2015, representing a 17 percent increase from 2014. State judges authorized 2,745 wiretaps last year, and federal judges authorized 1,403. Wiretap orders in California alone accounted for 41 percent of all state authorizations. "No wiretap applications were reported as denied in 2015," the report states. In 2014, only one application was denied.
While government surveillance activity increased dramatically, the number of cases where investigators encountered encryption dropped significantly. Encryption was encountered in only 13 state and federal wiretaps in 2015, less than one percent of the total wiretaps authorized that year. The number of state wiretaps in which encryption was encountered decreased by 68 percent, from 22 in 2014 to 7 in 2015. Law enforcement claims of "going dark" due to new encryption technologies continue to be contradicted by surveillance reports.
Drug offenses were the most frequent type of criminal offense investigated using wiretaps in 2015: 79 percent of all applications for intercepts (3,292 wiretaps) cited illegal drugs as the most serious offense under investigation. Wiretaps were in operation for an average of 43 days in 2015, 9 days longer than the 34-day average in 2014. Wiretap surveillance led to the convictions of 590 individuals last year.
The annual Wiretap Report details government surveillance and provides insight into the debate over surveillance and the use of encryption. EPIC has repeatedly cited the Report as a model of transparency for government surveillance activities and maintains comprehensive charts about the reports. The Wiretap Report does not include data on interceptions regulated by the Foreign Intelligence Surveillance Act (FISA). In April of 2016, the Department of Justice reported to the Senate that 1,456 FISA surveillance applications were granted by the FISA Court (FISC) in 2015. The DOJ report also discloses that no applications were denied last year.
EPIC Sues for Release of Government Oversight Reports
EPIC has filed a Freedom of Information Act (FOIA) lawsuit against the Department of Justice to obtain the agency's secret oversight investigation reports. The stated mission of the DOJ's Office of the Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel, and to promote economy and efficiency in those programs." The Inspector General conducts investigations, evaluations, and audits to help ensure the DOJ is being managed in an ethical and responsible manner. The results of these internal investigations offer an insight into the workings of the DOJ and allow the public to better understand how the Department functions and the measures being taken to increase the efficiency and effectiveness of the office. The OIG describes its findings and recommendations in reports, some of which are published on the agency's website. However, not all OIG reports are made public.
In November 2015, EPIC submitted a FOIA request seeking portions of certain non-public OIG reports. Specifically, EPIC sought the title pages, tables of contents, and executive summaries of certain final, non-public Inspector General reports created since January 1, 2005. Under the FOIA, the agency had twenty business days to make a determination about whether to grant or deny a FOIA request. The DOJ had not made a determination about EPIC's FOIA request in over 122 days at the time EPIC filed suit. EPIC's complaint alleges that the DOJ has failed to comply with statutory deadlines and unlawfully withheld agency records.
EPIC's Open Government project seeks to ensure that the public is fully informed about the activities of government. EPIC previously obtained oversight reports on the CIA surveillance of Muslims in New York, and CIA spying on Senate staff.
News in Brief
US Government Loses on Overseas Data Searches
A federal appeals court has ruled that the US government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect "users' privacy interests in stored communications," not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve transborder data flows.
EPIC FOIA: Transportation Department Releases New Drone Meeting Documents
In response to an EPIC Freedom of Information Act lawsuit, the Department of Transportation has released to EPIC another set of documents from the agency's secret meetings with industry groups about drone policy. The newly released documents, which summarize an extensive three-day meeting between the FAA and industry groups, are conspicuously silent on privacy, despite public comments urging the agency to address privacy concerns. In a related development, the FAA final rule on commercial drones failed to address the privacy risks of deploying drones in the United States.
FAA Reauthorization Grounds Drone Privacy Safeguards
Shortly before adjourning, Congress passed the FAA Extension, Safety and Security Act of 2016 without the drone privacy provisions authored by Senator Markey that were included in the original legislation. "Now is the time to prevent these eyes in the skies from becoming spies in the skies," Senator Markey said. EPIC urged Congress and the FAA to establish limits on drone surveillance. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. EPIC's proposal to require remote identification of drones was incorporated in the legislation enacted by Congress.
Trade Agreements Undermine Data Protection, New Study Shows
A new report "Trade and Privacy" argues that trade agreements are at odds with EU laws that protect privacy and data protection. The study concludes "current measures used by the EU to safeguard its data protection laws in trade agreements are not sufficient." The report recommends a comprehensive exemption for data protection rules in all trade agreements, based on GATS Article XIV. EU NGOs previously recommended that consumer privacy and data policy be excluded from the Transatlantic Trade and Investment Partnership negotiations. The study was authored by scholars at the Institute for Information Law at the University of Amsterdam and commissioned by BEUC, TACD, EDRi and CDD. EPIC's Marc Rotenberg will speak about trade agreements, privacy and the internet at IGF USA 2016.
EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy
EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is "directly at odds with baseline privacy standards," EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.
Coalition Urges President to Nominate New Member for Oversight Board
EPIC and many privacy and civil liberties organizations have urged President Obama to promptly nominate a new member to the Privacy and Civil Liberties Oversight Board with a strong civil liberties background. The coalition argued that the Oversight Board's "role is too important to allow it to slip back into dormancy, even for a few months." The previous Chair, David Medine, recently stepped down, leaving a vacancy on the five-member panel responsible for overseeing privacy protection. EPIC has urged the Board to review surveillance under Executive Order 12333 and recommended the Board ensure Privacy Act compliance across the federal government.
EPIC Sues for Release of Government Oversight Reports
EPIC has filed a FOIA lawsuit against the Department of Justice to obtain the agency's secret watchdog reports. The mission of the Office of the Inspector General is "to detect and deter waste, fraud, abuse, and misconduct." However, many of the reports are kept secret. Those reports, EPIC explained in the complaint, "are critical for the public to understand the measures taken to increase the efficiency and effectiveness of the DOJ, and as a mechanism to hold the agency accountable." EPIC previously obtained oversight reports on the CIA surveillance of Muslims in New York, and CIA spying on Senate staff.
U.N. Passes Resolution Condemning Internet Shutdowns
The United Nations Human Rights Council passed a resolution to support human rights online. The resolution condemns internet shutdowns that have become more common around the world. In accordance with the Universal Declaration of Human Rights, the resolution reaffirms the U.N.'s stance that "the same rights people have offline must also be protected online." EPIC joined an international coalition of civil society organizations to reject disruption of Internet access. EPIC previously sued the Department of Homeland Security to obtain public release of the US shutdown policy following the suspension of cell phone service during a peaceful protest at a BART transit station in San Francisco. Portions of the government policy "Standard Operating Procedure 303" were eventually released to EPIC.
White House Releases Flawed Privacy Research Agenda
The White House has announced the National Privacy Research Strategy, which the authors state "will enable the U.S. to benefit from innovative data use while protecting privacy." The National Strategy focuses on measuring the "privacy desires" of users rather than the extent of the problem or goals to safeguard privacy, such as coding Fair Information Practices, developing genuine Privacy Enhancing Techniques, or complying with Privacy Act obligations. The "National Strategy" follows from a similar report in 2014 that embraced big data without considering actual privacy risks in data collection. In 2015, the federal government lost 21.5 million records of federal employees and their families. A recent book from EPIC, "Privacy in the Modern Age: The Search for Solutions," outlines several new approaches for privacy protection, and builds on earlier work by members of the EPIC Advisory Board.
Privacy Shield Revisions Fail to Satisfy Legal Requirements
A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection.
EPIC in the News
- FAA compromise bill drops key drone privacy provisions, Computerworld, July 14, 2016
- How Private Are Health-Tracking Apps on Your Phone?, US News & World Report, July 13, 2016
- Secretive Internet 'Kill Switch' And Apple Patent Could Stop You From Filming Police & Protests, MintPress News, July 13, 2016
- The FBI has quietly gathered 400,000 iris scans, Mashable, July 13, 2016
- Mich. Court Further Curbs Streaming Privacy Laws In Pandora, Law 360, July 12, 2016
- After Spokeo decision, still much confusion on standing for privacy suits, Legal News Line, July 12, 2016
- 'Pokemon Go' Creator Closes Privacy Hole But Still Collects User Data, Wall Street Journal, July 12, 2016
- Pokemon-Chasing Investors Send Nintendo Shares Soaring, Wall Street Journal, July 11, 2016
- Microsoft Backs Emerging European Privacy Shield Agreement, Redmond Magazine, July 11, 2016
- White House Releases Privacy Research Plan; Not Everyone Pleased, Bloomberg BNA, July 8, 2016
- The Morning Risk Report: White House releases privacy strategy, Wall Street Journal, July 8, 2016
- Irish data challenge could cost businesses billions, claims Facebook, ComputerWeekly.com, July 8, 2016
- Court hears of DPC case against Facebook, RTE News, July 7, 2016
- Ruling against data transfer regime may cost Europe €143bn a year, says Facebook, The Irish Times, July 7, 2016
- Court wiretap requests up 17% with 100% approval rate - report, mo4ch news, July 7, 2016
- As Drones Fill the Skies, Privacy Worries Grow, The Fiscal Times, July 7, 2016
- Biometrics Are a Grave Threat to Privacy, New York Times (Opinion), July 5, 2016
- FCC's Internet Privacy Proposal Sparks Congressional Action, E-Commerce Times, July 5, 2016
- Justice Wants Drones to Try Reconstructing Car Crashes, Nextgov.com, July 5, 2016
- Unlawful stops legitimized after the fact?, San Francisco Daily Journal, July 5, 2016
- Data, Drones and Apps: States Debate Privacy Protections as Technology Speeds Ahead, Stateline, July 1, 2016
- How drones raised privacy concerns across cyberspace, PBS Newshour, July 1, 2016
EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Upcoming Conferences and Events
July 19, 2016
"Privacy and Personality"
New York University
New York, NY
August 5, 2016
ABA Annual Conference: "Emerging Issues in National Security and Law Enforcement"
James Comey, FBI Director
Marc Rotenberg, EP
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.