EPIC Alert 23.16

EPIC Alert logo

1. EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act

EPIC and the Center for Digital Democracy (CDD) have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed or used for marketing purposes, and constitutes an unfair and deceptive trade practice.

Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users’ privacy. Facebook CEO Mark Zuckerberg promised, “We are absolutely not going to change plans around WhatsApp and the way it uses user data.”

EPIC filed a complaint with the FTC over the 2014 deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users’ opt-in consent before changing data practices would be an unfair and deceptive trade practice and would violate Facebook’s FTC Consent Order. The FTC has also previously said, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

On August 25, 2015, WhatsApp announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. The companies plan to use this information to provide “friend suggestions and more relevant ads on Facebook” and to allow businesses to send WhatsApp users marketing messages. WhatsApp will provide users 30 days to opt-out of data transfers to Facebook.

According to EPIC’s complaint, “WhatsApp plans to transfer user data that was previously collected under the promise this data would not be used or disclosed for marketing purpose.”

“As of February 1, 2016, over one billion individuals provided their phone numbers and other personal information to WhatsApp with the understanding that their information would not be used or disclosed for marketing purposes,” EPIC further explained. EPIC said that WhatsApp’s proposed change in business practices is unlawful and that the FTC is obligated to act.

In 2012, EPIC and a coalition of consumer privacy organizations led a successful effort at the FTC after Facebook changed the privacy settings of its users, which resulted in the FTC’s 20-year consent order with Facebook.

2. EPIC Sues FAA, Challenges Failure to Establish Drone Privacy Safeguards

EPIC has filed a federal lawsuit against the Federal Aviation Administration (FAA) for failing to establish privacy rules for drones. After Congress ordered the FAA in 2012 to issue “comprehensive” rules for drone use, EPIC and more than 100 organizations, experts, and advocates petitioned the FAA to establish privacy rules before permitting widespread drone deployment.

In 2014, the FAA responded to EPIC’s petition, claiming that drone privacy implications “did not raise an immediate safety concern.” The agency further stated that “the FAA has begun a rulemaking addressing civil operation of small unmanned aircraft systems in the national airspace system. We will consider your comments and arguments as part of that project.” But in 2015, when the FAA announced a rulemaking on commercial drones, the agency purposefully ignored privacy concerns, claiming that privacy “issues are beyond the scope of this rulemaking.”

EPIC sued the agency, but a federal appeals court ruled that EPIC’s lawsuit was premature. The court reasoned that the FAA had not yet issued a final rule and that the agency might still consider the privacy concerns raised by EPIC and others.

This past June, the FAA issued final rules for small drones, but again, the agency failed to include any privacy safeguards. In the latest lawsuit, EPIC challenges the agency’s drone rules, noting that they are “a final order and reviewable.”

3. EPIC, Verified Voting, Common Cause Release Report on Ballot Secrecy

EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. For individual voters, it provides the ability to exercise their right to vote without intimidation or retaliation. The secret ballot is a cornerstone of modern democracies.

A state survey conducted by the authors found that the vast majority of states - 44 total - have constitutional provisions guaranteeing secrecy in voting, while the remaining states have statutory provisions referencing secrecy in voting. Despite this, 32 states and DC are promoting Internet voting, typically for overseas and military voters, and most of those states are asking online voters to sign a waiver of their right to a secret ballot. That threatens voting freedom and election integrity.

Giving up the right to a secret ballot threatens the freedom to vote as one chooses. The report cites several examples of employers making political participation a condition of employment -- such as an Ohio coal mining company requiring its workers to attend a presidential candidate’s rally - and not paying them for their time.

The report recommends actions voters can take to protect the secrecy of their ballot, and encourages states to do more to safeguard voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.

4. EPIC Launches EPIC Amicus Tracker to Assist Public Interest Litigators

EPIC has launched the EPIC Amicus Tracker, a public resource designed to help public interest litigators pursue significant privacy and civil liberties cases. The EPIC Amicus Tracker highlights cases with upcoming amicus opportunities in federal appellate and state supreme courts.

The Amicus Tracker is updated regularly and includes cases with upcoming briefing schedules. The Tracker provides useful information about current cases including court and docket information, along with a brief description of the case. EPIC will also link to the case docket where possible, or to the relevant lower court opinion. The Tracker will link to prior EPIC amicus briefs on similar topics.

The EPIC Amicus Tracker builds on EPIC’s extensive work participating in cases concerning emerging privacy and civil liberties issues. Over twenty years, EPIC has filed nearly 100 amicus briefs, often with the participation of technical experts and legal scholars, in federal and state cases concerning emerging privacy and civil liberties issues and EPIC is frequently cited in judicial opinions.

EPIC hopes the EPIC Amicus Tracker will inspire other public interest litigators.

5. EPIC Opposes DHS Plan to Collect Social Media Identifiers

In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. The agency stated, “collecting social media data will enhance the existing investigative process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case.”

EPIC argued that the proposal is “open for abuse, mission creep, and the disproportionate targeting of Muslim and Arab Americans among other marginalized groups.” EPIC also argued that the proposal would have a chilling effect on First Amendment protected activities.

EPIC previously sued DHS in a Freedom of Information Act lawsuit to obtain documents about another social media monitoring program. The FOIA documents revealed that Homeland Security contracted with General Dynamics to track criticism and dissent, stating that the contractor should monitor and summarize media stories that "reflect adversely" on DHS or the US government. DHS also stated that the agency was attempting to "capture public reaction to major government proposals." DHS instructed the contractor to generate "reports on DHS, Components, and other Federal Agencies: positive and negative reports on FEMA, CIA, CBP, ICE, etc. as well as organizations outside the DHS."

The documents obtained by EPIC led to a congressional hearing on DHS monitoring of social networks and media organizations. The hearing, held by the House subcommittee on Counterterrorism and Intelligence, revealed bipartisan opposition to the original DHS social media monitoring program. Chairman Meehan stated, “collecting, analyzing, and disseminating private citizens’ comments could have a chilling effect on individual privacy rights and people’s freedom of speech and dissent against their government.”

News in Brief

Facebook to Collect WhatsApp User Data, Violating FTC Order and Privacy Promises

WhatsApp has announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. Facebook purchased WhatsApp in 2014, and the companies promised users of the privacy-protective messaging service that “nothing” will change for WhatsApp users' privacy. EPIC filed a complaint with the FTC over the deal, and the FTC responded by warning the two companies that they must honor their privacy promises to WhatsApp users. The letter explained that failure to obtain users' opt-in consent before changing data practices would be an unfair and deceptive trade practice and violate Facebook’s FTC Consent Order. WhatsApp’s recent announcement indicates users will have 30 days to opt-out of data transfers to Facebook, in violation of the law and the FTC’s Order. In 2012, EPIC and a coalition of consumer privacy organizations also led a successful effort at the FTC after Facebook changed the privacy settings of its users. As a result, Facebook is subject to an FTC consent order.

EPIC Urges Wisconsin Legislature to Safeguard Student Privacy

In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide.

EPIC and Coalition Recommend Improvements to Health Agency’s Open Government Rules

In comments to the Department of Health and Human Services, EPIC and a coalition of open government advocates urged the agency to update its FOIA rules to keep in line with the FOIA Improvement Act of 2016. The coalition pressed the agency to “go further to ensure greater access to public interest information.” Signed into law by President Obama on the FOIA’s 50th anniversary, the FOIA Improvement Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the FOIA ombudsman, and codifies the presumption of openness.

EPIC, Consumer Coalition Tell FCC to Protect Privacy, Security in Connected Cars

EPIC has joined a coalition of consumer groups in a letter to the FCC supporting safety rules for connected cars. The consumer groups endorsed a petition for rulemaking, filed earlier this year, that would establish safeguards for car communications networks. EPIC has testified before Congress on the risks of connected cars and recently filed an amicus brief in federal appeals court on vehicle-to-vehicle communications.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

September 13, 2016
"How We’ll Remember November"
Marc Rotenberg. EPIC President
Yale Washington CEO Caucus
Yale School of Management
Washington, DC

September 22, 2016
Disruption or protection? The impact of privacy, data protection and cybersecurity laws on the adoption and use of technology
Alan Butler, EPIC Senior Counsel
International Bar Association
Washington, DC

September 23, 2016
"Big Data and Privacy"
Marc Rotenberg, EPIC President
National Academies of Science
Woods Hole, MA

October 13, 2016
"The Misunderstood Right to Be Forgotten, and the Future of Free Expression and Privacy in the Online World"
Marc Rotenberg, EPIC President
2016 Davis, Market, Nickerson Lecture on Academic and Intellectual Freedom
Ann Arbor, MI

October 13, 2016
Fall Technology Series: Drones
Jeramie Scott, EPIC Domestic Security Counsel
Federal Trade Commission
Constitution Center
Washington, DC

October 19, 2016 - October 20, 2016
38th International Privacy Conference: Opening New Territories for Privacy
Marc Rotenberg, EPIC President
International Conference of Data Protection and Privacy Commissioners
Marrakech, Morocco

November 21, 2016 - November 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
Berlin, Germany

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security