EPIC Alert 23.15 - August 16, 2016
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public
- Appeals Court Affirms Consumers May Sue for Violations of Federal Law
- FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers
- White House Hosts Drone Workshop, FAA OKs Commercial Use, Ignores Privacy
- EPIC Book Review: “Windows into the Soul: Surveillance and Society in an Age of High Technology”
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
1. EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public
EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. Modern cars are equipped with complex computer systems that monitor and control the car’s functions. However, these “connected” car systems are vulnerable to third-party hacking, and also collect a wealth of personal driving data. Because of these risks, the parties allege that Toyota and General Motors violated California law by selling cars that are unreasonably dangerous and that constitute an invasion of privacy. The lower court threw out the case for lack of standing because the parties failed to allege consequential harm. The court also concluded that the parties failed to state an invasion of privacy claim.
In its amicus brief, EPIC highlighted three key errors made by the lower court. First, EPIC explained that the lower court misunderstood the relevant standing caselaw. Standing doctrine requires a court to examine whether plaintiffs have alleged violations of law by the defendant. Instead, the lower court in this case focused incorrectly on whether the parties had suffered impending consequential harm, which improperly conflated two distinct legal elements. Second, EPIC explained that the lower court fundamentally misunderstood the security vulnerabilities created by connected cars. Finally, EPIC detailed the personal driving information collected by these cars, and argued that the lower court erred by concluding that the data is not sensitive or confidential.
The same week that EPIC filed its brief, researchers at Black Hat revealed new vulnerabilities in networked vehicles. Senators Blumenthal and Markey also urged the Federal Communications Commission to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.”
For more than a decade, EPIC has been concerned about the growing risks to public safety resulting from the increased collection and use of personal driving data. Most recently, EPIC testified before Congress about connected cars, and submitted comments to the National Telecommunications and Information Administration about the Internet of Things. EPIC regularly files amicus briefs in cases seeking to defend consumer privacy.
2. Appeals Court Affirms Consumers May Sue for Violations of Federal Law
Earlier this summer, the U.S. Court of Appeals for the Eleventh Circuit ruled in favor of consumers’ rights to sue for violations of the Fair Debt Collection Practices Act and other similar consumer protection laws. While consumers’ ability to sue companies who violate their rights has long been considered a core function of our legal system, many defendants have disputed consumer claims following the Supreme Court’s decision in Spokeo v. Robins. In particular, defendants have argued that federal courts lack jurisdiction over claims when consumers have not alleged that they suffered some monetary harm as a result of the violation of their rights. This argument is based on a fundamental misreading of Article III of the Constitution, which provides that the power of federal courts extends to “Cases” and “Controversies.” The Eleventh Circuit’s decision reaffirms that an alleged violation of a consumer’s rights under a law enacted by Congress is a case or controversy that can be heard in federal court.
The court in Church v. Accretive Health, Inc. found that consumers could sue a health provider who sent hospital debt-collection letters that did not include the required FDCPA disclosures. The court relied, in part, on the Supreme Court’s holding in Spokeo that “‘Congress may elevate to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.’” The court found that in the FDCPA, “Congress has created a new right—the right to receive the required disclosures.” As a result, the consumer can bring a lawsuit when a company fails to comply with the law.
Since the Supreme Court’s decision to hear Spokeo v. Robins, EPIC has filed several amicus briefs defending the right of consumers to sue for violations of federal privacy laws. First, EPIC filed an amicus brief and led a coalition of amici in Spokeo v. Robins. EPIC then filed an amicus brief in a Third Circuit case, Storm v. Paytime, concerning consumer standing to sue for data breaches. Then, just last month, EPIC filed the first post-Spokeo consumer privacy amicus in an Eighth Circuit case, In re SuperValu, concerning consumer standing to sue for a data breach. Finally, EPIC filed an amicus in an Eleventh Circuit case, Perry v. CNN, concerning consumers’ right to sue for disclosure of their video viewing data in violation of federal law.
These cases represent a fundamental dispute over whether Congress can provide remedies for consumers whose rights have been violated. Given the significance of this issue and the disagreement among lower courts, it is likely that the Supreme Court will weigh in on this issue again over the next few years.
3. FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers
The Federal Trade Commission unanimously reversed an administrative law judge's dismissal of the FTC's complaint against LabMD, finding that LabMD's poor data security practices are "unfair" under the FTC Act.
The FTC’s complaint alleged that LabMD’s failure to provide reasonable data security for personal information constituted an unfair trade practice in violation of Section 5 of the FTC Act. An administrative law judge dismissed the FTC’s charges, finding that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible."
In reversing the initial decision, the Commission concluded that LabMD’s data security practices were unreasonable and constitute an unfair practice in violation of Section 5 of the FTC Act. The unanimous opinion, written by FTC Chairwoman Edith Ramirez, concluded that the administrative law judge had "applied the wrong legal standard for unfairness" and found that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”
Under Section 5 of the FTC Act, an act or practice is “unfair” if it “causes or is likely to cause substantial injury to consumers” which is not reasonably avoidable by consumers or outweighed by countervailing benefits to consumers or competition. The FTC concluded that "the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury." The Commission found that LabMD’s disclosure of this information for 9,300 consumers caused substantial injury, and that LabMD’s lax data security practices were “likely to cause substantial injury.”
The FTC's authority to enforce data security standards was upheld last year in FTC v. Wyndham. EPIC, joined by leading technical experts and legal scholars, filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which caused more than $500 million in damages in 2013 alone, are one of American consumers’ top concerns. EPIC also explained that “[t]he FTC’s authority to regulate business practices impacting consumer privacy is well established, the problem is obvious, and the agency has a clear record of success.”
4. White House Hosts Drone Workshop, FAA OKs Commercial Use, Ignores Privacy
The White House’s Office of Science and Technology Policy recently hosted a workshop on “Drones and the Future of Aviation.” The workshop included representatives from the government, industry, and academia, with the goal “to accelerate opportunities and address challenges” posed by drones, according to the organizers. However, the workshop failed to address privacy issues raised by ubiquitous drone use, and instead focused on drone collisions.
At the workshop, the FAA Administrator, Michael Huerta, announced that the agency will approve drone operations before the end of the year. The FAA also revealed an industry-led Drone Advisory Committee that will promote voluntary privacy best practices. Committee membership is still to be determined, but a recent drone taskforce convened by the Department of Transportation included no privacy or civil liberty organizations. Through a lawsuit against the agency, EPIC obtained documents from the FAA’s closed-door meetings with industry groups about drone policy last November. The documents, which summarize an extensive three-day meeting between the FAA and industry groups, are silent on privacy, despite public comments urging the agency to address privacy concerns.
In a related matter, EPIC challenged the FAA’s failure to establish drone privacy regulations in EPIC v. FAA. The legal challenge follows a petition endorsed by more than 100 experts and organizations. The FAA has repeatedly acknowledged the privacy risks of drones, but has refused to establish privacy safeguards.
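5. EPIC Book Review: “Windows into the Soul: Surveillance and Society in an Age of High Technology”
“Windows into the Soul: Surveillance and Society in an Age of High Technology,” by Gary T. Marx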
In Windows into the Soul, Gary T. Marx takes a critical social science approach to the study of surveillance and social control. Marx’s exploration of the field of surveillance studies is cumulative and inclusive, involving empirical, theoretical, ethical, and practical questions. References to literature, cinema, and pop culture are woven throughout the book, adding humor and illustration to Marx’s close study of a fascinating topic.
Part I of Windows offers a systematic analysis of surveillance, discussing in turn the structure, means, and goals of surveillance, and the substance and nature of the data collected. He defines new surveillance - the focus of Windows - as “scrutiny of individuals, groups, and contexts through the use of technical means.” While the means of surveillance have evolved, Marx proposes that the broad goals of surveillance - to “control, nurture, protect, discover rule violations and violators, verify identity and eligibility, maintain a competitive advantage, sell, entertain” - have not fundamentally changed.
Part II discusses the cultural, organizational, and behavioral processes of surveillance. Marx proposes that new surveillance in modern society is continually softening, characterized by “minimal visibility and invasiveness as well as passive, often automated data collection.” He also observes a trend toward surveillance techniques that require neither meaningful consent nor even awareness.
Part III provides the reader with four fictional case studies that explore surveillance by employers, parents, voyeurs, and government. Marx questions the claimed benefits of workplace surveillance. He notes that little analysis or concrete evidence supports these claims, and asks whether the negative impacts on workers may actually negate perceived increased efficiency. He also warns that automated, computerized assessments of employee performance may value quantifiable factors over more important, but less easily measured, considerations.
Part IV explores questions of ethics and public policy. A central point of Windows is Marx’s perspective that “surveillance is neither good nor bad but context and comportment make it so.” He emphasizes a situational, fact-specific approach to analyzing surveillance that considers a broad range of factors.
Marx offers a framework for assessing the ethics of surveillance based on a series of questions that explore the conditions, policies, means, and goals of the surveillance; the collection, analysis, and protection of the data; the rights of the subjects; and the consequences of the surveillance for both the subjects and agents. Several of Marx’s questions articulate Fair Information Practices, such as whether data are used for a defined purpose; whether collection and use of data is limited to that necessary to fulfill its specified goal; and whether subjects have the right to inspect and correct their data.
Marx also suggests factors that are relevant to commercial surveillance and the behavioral advertising industry. An ethical analysis of surveillance should examine whether the surveillance is “used to gain manipulative advantage in persuading or influencing a subject” and whether the surveillance “only profit[s] the agent but not the subject whose data are being marketed.”
Windows closes with an exploration of broad questions about where society is heading, how to think about emerging trends and topics, and what unresolved and emerging issues exist for the study and regulation of surveillance.
Marx concludes that the ideal is “a positive information society based on fairness, dignity, care, openness, trust, security, autonomy/participation, and communality, rather than a negative surveillance society based on unfairness, commodification, coercion, secrecy, suspicion, insecurity, domination/repression, and atomization.”
The author describes himself as neither technophobe nor technophile. Marx is both “a citizen concerned with calling public attention to the unequal playing fields of social control technology” and “a social scientist partial to the interpretive approach and the need for empirical grounding.”
6. News in Brief
Data Protection Experts Recommend New Protections for Internet Communications
The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of Internet Telephony technologies. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. "Privacy and Security Issues in Internet Telephony (VoIP)" focuses on the gap in "the legal protection and confidentiality of communications." The experts urge service providers to adopt "similar privacy and data protection" safeguards for all services. EPIC presented a comprehensive country report at the last meeting of the Working Group outlining recent developments in the United States. EPIC will host the 60th meeting of the International Working Group in Washington DC in April 2017.
Privacy Shield Sign-Ons Begin
The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commission over objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms.
EPIC’s Rotenberg Debates FBI Director at ABA Conference
EPIC President Marc Rotenberg and FBI Director James Comey debated "Emerging Issues in National Security and Law Enforcement" at a plenary session of the ABA annual conference in San Francisco. Comey stated that Americans have "never had absolute privacy." Rotenberg replied that the Fifth Amendment grants absolute privacy as a Constitutional right. In response to the Director's comments that the FBI has 650 phones it cannot decrypt, Rotenberg pointed out that in 2013, more than 3.1 million cell phones were stolen. "Crime would be much higher in United States if cell phone users did not have strong encryption," said Rotenberg. The EPIC amicus brief in Apple v. FBI highlighted the risk of weak encryption, and noted that stolen cell phones are tied to identity theft and financial fraud.
Data Protection 2016: California Hotels Breached
Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
7. EPIC in the News
- Will Smart Machines Be Less Biased Than Humans?, Brink, August 15, 2016
- Pokemon hunt leads to glory for Google-born Niantic, Daily Nation, August 15, 2016
- Warning issued over computer hacks that can injure motorists, WND, August 12, 2016
- US vote fraud allegations prompt calls for transparency, Al Jazeera, August 10, 2016
- Pokemon GO CEO linked to Google 'Wi-Spy' privacy scandal, SC Magazine, August 10, 2016
- Bias by Computer, New York Times (Opinion), August 10, 2016
- EPIC Asks 9th Circ. To Revive Car Data Hack Suit, Law360, August 9, 2016
- Privacy Scandal Haunts Pokemon Go’s CEO, The Intercept, August 9, 2016
- FBI chief Comey: “We have never had absolute privacy”, Ars Technica, August 9, 2016
- Pokemon App Developer Sued for Failed Privacy Protections, JD Supra, August 5, 2016
- Commercial Court Affirms Legal Principles on Admission of an Amicus Curiae, Lexology, August 3, 2016
- Pokémon Go et la CIA, histoire d'une paranoïa, Le Monde, August 2, 2016
- Pokémon GO - Next Stop: Regulation & Litigation, Lexology, August 1, 2016
8. EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
9. Upcoming Conferences and Events
August 16, 2016
Wisconsin Legislative Council Study Committee on School Data
Caitriona Fitzgerald, EPIC State Policy Coordinator
Wisconsin State Legislature
August 17, 2016 - August 19, 2016
"On the Record, All the Time," National Forum on Audiovisual Evidence
Jeramie D. Scott, National Security Counsel
UCLA Department of Information Studies
August 18, 2016
EPIC Boston: Report from Washington
Marc Rotenberg, EPIC President
Caitriona Fitzgerald, EPIC State Policy Coordinator
EPIC Boston @ Canopy
212 Elm St., 3rd Floor
September 13, 2016
"How We’ll Remember November"
Marc Rotenberg, EPIC President
Yale Washington CEO Caucus
Yale School of Management
September 22, 2016
Disruption or protection? The impact of privacy, data protection and cybersecurity laws on the adoption and use of technology
Alan Butler, EPIC Senior Counsel
International Bar Association
September 23, 2016
"Big Data and Privacy"
Marc Rotenberg, EPIC President
National Academies of Science
Woods Hole, MA
October 13, 2016
"The Misunderstood Right to Be Forgotten, and the Future of Free Expression and Privacy in the Online World"
Marc Rotenberg, EPIC President
2016 Davis, Markert, Nickerson Lecture on Academic and Intellectual Freedom
Ann Arbor, MI
October 13, 2016
Fall Technology Series: Drones
Jeramie Scott, EPIC Domestic Security Counsel
Federal Trade Commission
October 19, 2016 - October 20, 2016
38th International Privacy Conference: Opening New Territories for Privacy
Marc Rotenberg, EPIC President
International Conference of Data Protection and Privacy Commissioners
November 21, 2016 - November 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications