EPIC Alert 23.14 - July 29, 2016
- EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law
- EPIC Asks FTC to Investigate Privacy Risks of Pokemon GO
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief
- Irish Court Approves EPIC as Amicus in Schrems Case
- Federal Appeals Court Strikes Down Texas Voter ID Law
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
EPIC has filed an amicus brief defending the privacy rights of users of mobile video apps. In Perry v. CNN, a case before the US Court of Appeals for the Eleventh Circuit, a CNN mobile app user challenged the disclosure of his video viewing history and personal information as a violation of a federal privacy law.
In the case, the app user alleged that CNN disclosed his personal information to a data analytics firm, which associates app data with preexisting datasets to "identify and track specific users across multiple electronic devices, applications, and services" - all without users' consent.
In its brief, EPIC explained that the privacy protections in the Video Privacy Protection Act (VPPA) apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user's device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users.
The VPPA prohibits video providers from knowingly disclosing "personally identifiable information" concerning any "consumer" of the provider's service. The Act's definition of personally identifiable information "includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider."
Congress passed the VPPA in 1988 in response to a newspaper article leaking Supreme Court nominee Robert Bork's video rental records. The VPPA "protect[s] certain personal information of an individual who rents video materials from disclosure." The Act "allows consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers."
In 2015, EPIC filed an amicus brief in In re Nickelodeon, urging the Third Circuit Court of Appeals to support a robust understanding of personally identifiable information and the VPPA, given the crucial nature of unique identifiers in data transmission, and the difficulty of anonymizing transactional information. In the case, users of a Viacom website sued over its practice of profiling the video history, gender and age of child users, and sharing it with Google. The Third Circuit recently dismissed the plaintiffs' VPPA claims against Nickelodeon, holding that IP and MAC addresses are not "personally identifiable information."
When the popular augmented-reality app was first released, Niantic granted itself "full access" to users' Google accounts in violation of federal privacy law. Full account access allowed the company to view users' contacts; view and send e-mail; view and delete Google Drive documents; access search and map navigation history; and view private photos stored in Google Photos. Following public outcry, Niantic admitted this mistake and worked with Google to reduce the app's access to basic account information.
Even after recent changes, the company continues to collect and store detailed location history and has access to smartphone cameras. Senator Al Franken recently sent a letter to the company asking for clarification on the scope and purpose of its excessive data collection practices.
EPIC explained in its letter to the FTC that Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny." EPIC urged the FTC to investigate whether Niantic's data collection and retention practices are consistent with Fair Information Practices (FIPs) and to prohibit any policies that are inconsistent with FIPs as unfair or deceptive trade practices. EPIC also asked the FTC to investigate whether Niantic's data collection practices violate the data minimization requirements under the Children's Online Privacy Protection Act.
EPIC's letter also highlighted the close ties between Niantic and Google. Niantic's founder and CEO oversaw Google's controversial Street View project, which was found to collect private WiFi data transmissions. "History suggests Niantic will continue to disregard consumer privacy and security, which increases the need for close FTC scrutiny as Niantic's popularity - and trove of sensitive user data - continues to grow," EPIC warned.
EPIC has filed an amicus brief urging a federal appeals court to protect the ability of consumers to sue companies that fail to protect their personal information. The case, In re SuperValu Consumer Data Security Breach Litigation, came after hackers attacked a retail grocery chain and obtained troves of customer credit card information. SuperValu customers brought suit, arguing that the company violated state laws by failing to adequately secure their data or notify them of the breach. The lower court dismissed the case because the customers had not yet suffered identity theft or financial fraud.
In its brief, EPIC explained to the US Court of Appeals for the Eighth Circuit that courts across the nation routinely confuse standing--a constitutional doctrine necessary to bring a lawsuit--with consequential harm. EPIC clarified that standing requires the plaintiff to allege a concrete, particularized, and actual or imminent invasion of a legally protected right. But many courts, including the lower court in SuperValu, are requiring plaintiffs in privacy cases to allege concrete, particularized, and imminent consequential harm, such as identity theft or financial fraud. In a data breach lawsuit, EPIC said the court should instead focus on whether the company violated its legal obligations to safeguard personal data.
EPIC has filed several amicus briefs in cases involving companies seeking to limit the right of consumers to sue for violations of privacy laws. In Storm v. Paytime, EPIC argued that victims of a data breach do not have to suffer identity theft or financial fraud in order to file suit over the company's failure to adequately safeguard their data. And in the US Supreme Court case Spokeo v. Robins, EPIC defended the right of consumers to sue for violation of federal privacy laws.
The High Court of Ireland has accepted EPIC's application to participate as amicus curiae in a lawsuit against Facebook concerning the use of model contract clauses to transfer data from the EU to the US. EPIC is the only US privacy watchdog the court approved as amicus.
Austrian privacy activist Max Schrems filed the complaint in this lawsuit to the Irish Data Protection Commissioner following the European Court of Justice's decision to strike down the Safe Harbor arrangement. The suit challenges Facebook's use of model contract clauses, after Safe Harbor's demise, to continue transferring data from the EU to the US.
EPIC will provide expertise on US surveillance law to the Irish High Court. The court said that EPIC is "in a position to offer a counterbalancing perspective from the US Government". If the court later refers the case to the Court of Justice of the European Union, EPIC will also be able to participate in that procedure.
EPIC also recently joined a case before the European Court of Human Rights concerning the activities of British and US intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the US concerning emerging privacy and civil liberties issues.
Senate Bill 14 requires voters to obtain government-issued photo IDs and is one of the strictest voter ID laws in the country. SB 14 requires all Texas voters to show one of six forms of photo ID in order to vote, places strict limitations on who is exempt from the ID requirements, and requires voters to disclose substantial amounts of personal information to obtain a voter ID.
In a fractured opinion, the court held that SB 14 had a "discriminatory effect" on minorities' voting rights, and remanded the case to the lower court. The Fifth Circuit instructed the district court to provide interim relief for individuals as soon as possible, which could include suspending the voter ID requirement for the November 2016 election or including an indigency exception similar to Indiana's voter ID law. The appeals court further instructed the district court to wait until after this year's election to reevaluate the evidence and "determine anew whether the Legislature acted with a discriminatory intent in enacting SB14."
EPIC filed an amicus brief in the case, arguing that the photo ID requirements "not only infringe individuals' right to vote, they are also an unlawful burden on constitutional privacy rights." The right to informational privacy--recognized by both the US Supreme Court and the Texas Supreme Court--protects the individual interest in avoiding disclosure of personal matters. EPIC explained that the voter ID law requires Texas voters to disclose substantial amounts of private information and obtain a government-issued photo ID in order to vote. Because Texas has not demonstrated a sufficient interest to justify the burden on voters' privacy rights, EPIC said the law is unconstitutional.
EPIC has previously filed several amicus briefs defending the right to informational privacy and voter privacy.
European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications
The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to-end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.
EPIC, Consumer Coalition Oppose Robocalls by Government Contractors
EPIC and a coalition of consumer groups have petitioned the FCC to reverse its recent decision to exempt federal contractors from restrictions on telemarketing and robocalls. The FCC incorrectly determined that the Telephone Consumer Protection Act (TCPA) "does not apply to calls made by or on behalf of the federal government in the conduct of official government business." The petition, led by the National Consumer Law Center, warns of significant increases in unwanted robocalls from government contractors that consumers would be powerless to stop. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC's 2015 order that strengthened consumer protections under the TCPA.
Wisconsin Supreme Court Upholds Use of Sentencing Algorithms, But Recognizes Risks
The Wisconsin Supreme Court this week rejected a challenge to the use of a risk-assessment algorithm in a sentencing proceeding. These algorithms score an individual's risk of committing future crime. The Court sanctioned the use of such algorithms, provided they are not the exclusive determining factor of a sentence, and judges receive written warnings about the algorithm's shortcomings. Professor Danielle Citron warned that the court's faith in the secret techniques is "unwarranted" particularly because "human beings have a tendency to rely on automated decisions even when they suspect system malfunction." EPIC has advocated for algorithmic transparency and maintains a website describing the use of algorithms in the criminal justice system.
- Watchdog takes bizarre legal route in data privacy case, Irish Times, July 28, 2016
- The Early Edition, Just Security, July 28, 2016
- Tech Brief: Federal Workers Can Now Expense Uber, Lyft, Morning Consult, July 28, 2016
- Trump Tries to Walk Back Comments on Clinton Emails, TechNewsWorld, July 28, 2016
- In Secret Battle, Surveillance Court Reined in FBI Use of Information Obtained from Phone Calls, The Intercept, July 27, 2016
- EPIC urges FTC to take a closer look at Pokemon Go, EdScoop, July 27, 2016
- 'Pokemon Go' Data Risks Need FTC Probe, EPIC Says, Law360, July 26, 2016
- EPIC Sides Against CNN, Argues MAC Addresses Are 'Personally Identifiable', MediaPost, July 26, 2016
- EPIC Wants the FTC to Investigate 'Pokemon Go', Inverse, July 26, 2016
- Democratic Platform Echoes Obama Cybersecurity Goals, Bloomberg BNA, July 25, 2016
- Schrems and Facebook privacy case: next round set for February, Irish Times, July 25, 2016
- Police Request For 3D-Printed Fingers To Unlock A Murder Victim's Smartphone, Tech Times, July 22, 2016
- French Agency Cites Windows 10 Privacy Concerns, Redmond Magazine, July 22, 2016
- White House Releases National Privacy Research Strategy, JDSupra, July 21, 2016
- Spokeo Saves SuperValu Data Breach MDL, 8th Circ. Told, Law360, July 21, 2016
- Facebook judge makes 'friends' with US but 'unfriends' Ibec, Irish Independent, July 20, 2016
- US Joins Case Over Facebook Data Transfers From EU, Law360, July 20, 2016
- US govt can join legal action over data transfers - High Court, RTE News, July 19, 2016
- US government joins legal challenge of EU-US data transfers, Computer Weekly, July 19, 2016
- US to join Irish Facebook case, The Hill, July 19, 2016
- Was that recording of Kanye West and Taylor Swift illegal?, The Washington Post, July 18, 2016
- Sixth Circuit limits access to federal mug shots, Reporters Committee for Freedom of the Press, July 16, 2016
- Clinton and Trump and Robocalls, Oh My, Bloomberg BNA, July 15, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
August 5, 2016
ABA Annual Conference: "Emerging Issues in National Security and Law Enforcement"
James Comey, FBI Director
Marc Rotenberg, EPIC President
San Francisco, CA
EPIC Boston: An Update from Washington
August 18, 2016
5:00 - 7:00 pm
EPIC Boston @ Canopy
212 Elm St., 3rd Floor
Somerville, MA 02144
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.