EPIC Alert 23.18 - October 4, 2016
- Worldwide Opposition to WhatsApp Privacy Change Mounts
- EPIC Files Suit to Block "Invasive and Ineffective" Airport Body Scanner Program
- Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention
- Massachusetts Court Upholds Privacy Rights of Cell Phone Users
- EPIC Urges Congress to Protect Voter Privacy
- EPIC Book Review: "Surveillance"
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
WhatsApp's plan to transfer user data to Facebook faces growing opposition from privacy regulators worldwide. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises and without obtaining users' opt-in consent. The companies plan to use this information to provide "friend suggestions and more relevant ads on Facebook" and to allow businesses to send WhatsApp users marketing messages.
India's Delhi High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete the data of users who opted out of WhatsApp's new data transfer policy prior to that date. The court issued its ruling after two Indian students filed suit over the privacy changes.
Germany also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. In a statement, German officials said that WhatsApp's new data transfer policy constitutes "an infringement of national data protection law." "Facebook has to ask for their permission in advance. This has not happened," said Commissioner Johannes Caspar.
In the United Kingdom, Information Commissioner Elizabeth Denham said her office is investigating the changes, noting that the new practices "will affect a lot of people" and users "may be concerned by the lack of control." And EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp's privacy changes, which contradict previous commitments to users and regulators.
EPIC and the Center for Digital Democracy filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC's latest response to the consumer coalition emphasized "FTC staff's position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises." The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises."
In 2012, EPIC and a coalition of consumer privacy organizations led a successful effort at the FTC after Facebook changed the privacy settings of its users, which resulted in the FTC's 20-year consent order with Facebook.
EPIC has filed the opening brief in EPIC v. TSA II with the federal appeals court in Washington, DC, challenging the Transportation Security Administration's continued use of body scanners in US airports. EPIC is urging the court to vacate the agency's new rule on body scanners because the TSA "has consistently failed to provide proper notice to the public concerning the use of body scanners, to properly justify the need to use invasive screening techniques, and to provide the public with an opportunity to respond to the denial of the passenger opt-out right."
EPIC first challenged the TSA's use of body scanners in 2011, after the agency introduced the controversial technology without giving the public appropriate notice or an opportunity to weigh in on the new policy, as required by federal law. In EPIC v. TSA I, the DC Circuit scolded the agency for bypassing these required steps with "no justification" and ordered officials to "promptly" solicit public feedback on the program. Five years after the court's decision--and nearly a decade after the TSA first deployed the technology--the agency finally released its body scanner rule in March of this year.
EPIC's opening brief explains that the TSA's new body scanner regulation is flawed in two ways. First, the agency's choice "relies on conclusory assertions regarding the necessity and relative effectiveness of body scanners, and is clearly the product of post-hoc rationalization from an agency that has already invested both monetary and political capital in these techniques over the last eight years."
For example, despite the significant invasion of privacy that body scanners impose on travelers, the agency chose the technology over a system of metal detectors and explosive detection swabs. But the TSA never bothered to do a direct comparison of these two options, even though the latter "was the only screening technique designed to detect explosives and that many commentators noted that it was a more effective and less intrusive screening technique."
Second, the TSA pulled an unlawful "switcheroo" by abruptly eliminating passengers' opt-out right - a central part of the earlier version of the rule. After declaring for years that travelers had the right to choose a pat-down in lieu of body scanner screening, the TSA announced in its final rule that the agency would mandate the use of body scanners "as warranted by security considerations." According to EPIC's brief, this policy "departs radically from [TSA's] earlier assurances of a right to opt out. Without the merest hint that the agency might jettison an essential privacy safeguard--one that it had trumpeted to the Court and to parties interested in its rulemaking--TSA did exactly that in its final rule."
EPIC's petition is joined with another challenge to the TSA's body scanner rule by the Competitive Enterprise Institute. The TSA has until Nov. 22 to submit its response to the court.
A new Pew Research Center survey reveals broad interest among Americans to enhance and update US data protection laws, stemming from serious concerns about individuals' ability to control their personal information.
The survey showed "68% of internet users believe current laws are not good enough in protecting people's privacy online; and 64% believe the government should do more to regulate advertisers." Limits on the length of time their personal data can be stored also garnered support from Americans. 86% of internet users had already taken steps to "remove or mask their digital footprints," but 61% said they "would like to do more."
These trends emerged in the context of deep privacy concerns about how to control one's information, the study revealed. 91% of adults felt that "consumers have lost control of how personal information is collected and used by companies," and yet 74% of those polled found it "very important" to have control over access to their personal information. Notably, privacy was a greater concern to young adults between 18-29, who were more likely to be aware of privacy issues and to have taken steps to protect their privacy.
EPIC's "Public Opinion on Privacy" website provides an extensive historical catalog of polls and research on public opinions concerning privacy issues. Comprehensive, enforceable privacy protection for consumers is a central aim of EPIC's work.
The Massachusetts Supreme Judicial Court ruled on September 28th that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer's suspicion that the phone may have been used in a crime. The court ruled that a warrant must be obtained prior to the seizure of the phone.
The case, Commonwealth v. White, involved the prosecution of Onyx White and a co-defendant for homicide while robbing a convenience store. During the investigation, police seized White's cell phone without a warrant from his high school, where it was stored pursuant to school policy. The police kept the phone for 68 days before finally obtaining a warrant to search the phone. White moved to have the evidence from the phone suppressed.
The Massachusetts high court ruled that even when police have good reason to suspect a person of having committed a crime, they may not search or seize his cell phone "unless they have information establishing the existence of particularized evidence likely to be found there." The court noted the "significant privacy interests at stake" in cell phones and said that it "cannot accept . . . a result" that would allow seizing and searching the phone of anyone charged with a crime.
EPIC filed an amicus brief in the case, arguing that "digital is different" and that the legal standard for warrantless searches of contraband in schools therefore does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court decision that established a warrant requirement for searches of cell phones. EPIC also filed an amicus brief with the Supreme Court in Riley. The EPIC State Policy Project coordinated the EPIC amicus brief in the Massachusetts case.
On September 28th, EPIC sent a letter to the House Oversight Subcommittee on Information Technology in advance of a hearing on cybersecurity and ballot integrity, warning that casting votes online threatens voter privacy.
EPIC explained that the secret ballot is the cornerstone of the US election system. "Because of the documented history of voter intimidation, coercion, and fraud associated with third party knowledge of how individual voters cast their ballots, it is important not to underestimate the importance of voter privacy," EPIC told the Subcommittee.
EPIC, Common Cause, and Verified Voting recently published The Secret Ballot at Risk: Recommendations for Protecting Democracy. A state survey conducted by the authors found that the vast majority of states - 44 total - have constitutional provisions guaranteeing secrecy in voting, while the remaining states have statutory provisions referencing secrecy in voting. Despite this, 32 states and the District of Columbia are promoting internet voting, typically for overseas and military voters, and most of those states are asking online voters to sign a waiver of their right to a secret ballot. EPIC included a copy of the report with its letter to the Subcommittee, warning that such internet voting systems threaten voting freedom and election integrity.
The letter recommends measures that both state and federal governments can take to protect voter privacy, including ensuring that ballot secrecy and voter privacy are core values within the context of voting technology standards. EPIC also recommended testing and certification of voting systems and prohibiting the use of internet voting in public elections. EPIC has a long history of working to protect voter privacy and election integrity.
"Surveillance," by Reece Hirsch
In a post-Edward Snowden world, the government has found a way to effectively manage its mass surveillance program: kill anyone who finds out about it. Or at least that is the premise in Reece Hirsch's latest fictional novel, Surveillance. The book follows Chris Bruen, an attorney who opens shop in San Francisco working on computer crimes with his girlfriend Zoey, a former hacker. However, when Chris's first client walks through the door, he gets far more than expected. After discovering a secret government agency, Ian Ayres is in trouble and turns to Chris for help. Chris, Zoey, and Ian quickly learn the great lengths the US government is willing to go to keep its mass surveillance program secret.
The ensuing game of cat-and-mouse spans more than three countries and keeps readers at the edge of their seats. Chris and Ian struggle to stay out of sight in San Francisco - a task made nearly impossible due to the number of cameras - while Zoey enlists the help of a notorious hacker who is hiding out "off the grid."
Readers are drawn in to Hirsch's gripping tale by the high-stakes, fast-paced action set in an eerily realistic society. At certain points, the story feels like a slightly dramatized version of the journey Edward Snowden embarked on three years ago. While cheering on Chris, Zoey, and Ian as they attempt to outrun the government, readers can't help but wonder how many times a day they appear on camera and whether their communications and finances are as secure as they are led to believe. The book highlights just how hard it would be to run from someone, be it the government or an experienced hacker, who wants to find them in today's always-on, constantly connected world. Readers realize there are very few places left where they are truly hidden from all forms of surveillance.
This is a book that will quickly engage anyone who reads it. A quick, enjoyable, and thought-provoking read is in store for those who are ready for an exciting adventure.
-- Kim Miller
EPIC Publishes "Privacy Law Sourcebook 2016"
EPIC proudly announces the 2016 edition of the Privacy Law Sourcebook, the definitive reference guide to US and international privacy law. The Privacy Law Sourcebook is an edited collection of the primary legal instruments for privacy protection in the modern age, including United States law, International law, and recent developments. The Sourcebook includes recent US law, such as the FREEDOM Act, and the EU General Data Protection Regulation, the UN Resolution on the Right to Privacy in the Modern Age, and regional privacy agreements. The Privacy Law Sourcebook 2016 is available for purchase from the EPIC Bookstore. EPIC will make the Privacy Law Sourcebook freely available to NGOs and human rights organizations.
Nickelodeon Plaintiffs Ask Supreme Court to Hear Video Privacy Case
The plaintiffs in the In re Nickelodeon class action recently asked the Supreme Court to hear their case. In June, a federal appeals court rejected claims that Viacom and Google violated the Video Privacy Protection Act, holding that static IP and MAC addresses are not "personally identifiable information." The opinion contradicted a ruling from a different federal appeals court which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly "to ensure that the underlying intent of the Act--to safeguard personal information against unlawful disclosure--is preserved as technology evolves." The petition is C.A.F. v. Viacom, case number 16-346.
EPIC Celebrates International Access to Information Day
September 28, 2016 marked the first annual International Day for Universal Access to Information. This day celebrating the right to information--September 28th of every year--was established by the UN Educational, Scientific and Cultural Organization in a resolution last year. Freedom of information, declared UNESCO, "is an integral part of the fundamental right to freedom of expression," and is established as a right in the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights. International efforts to promote the right to information have also produced the Open Government Partnership, a multilateral initiative to secure transparency commitments from governments. EPIC, as part of a coalition of transparency groups, has proposed recommendations to the US open government plan, as well as plans from US agencies.
Senators Seek Answers About Yahoo's Massive Data Breach
Led by Senator Patrick Leahy, several senators sent a letter to Yahoo's CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating "We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week." EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are "notified promptly" when personal information is wrongfully disclosed. EPIC launched "Data Protection 2016" to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
Secret Ballot At Risk in Maryland After Election Board Vote
The Maryland State Board of Elections has voted to certify Maryland's online ballot-marking system for general use, threatening voter privacy. Voters using the online ballot-marking system would receive and fill out their ballot online, risking third-party access to their vote. Previously, online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.
EPIC Tells Congress FTC Must Do More for Consumer Privacy
EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC's failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws.
Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach
Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users' names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election, calling it "the most important, least well understood issue" of this election.
Federal Judge Unseals Secret Surveillance Records
A federal judge has ordered the public release of 235 sealed records of government surveillance in response to a request from a journalist. EPIC has urged greater transparency of these "pen register and trap and trace" orders. As a result of a Freedom of Information Act lawsuit against the Justice Department, EPIC v. DOJ, EPIC made public formerly secret documents about the government's use of pen registers to collect the records of private communications.
EPIC Advises Congress on Modernizing Telemarketing Rules to Protect Consumers
EPIC has sent a letter to the House Energy and Commerce Committee in advance of the hearing on "Modernizing the Telephone Consumer Protection Act." The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC urged the Committee to ensure that an update to the law "protects consumers from unwanted commercial communications." EPIC said legal rights should be "robust, enforceable and minimally burdensome for consumers." Earlier this year, EPIC filed an amicus brief in support of strengthening TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation.
US Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge
The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports; however, the framework lacks compliance obligations and enforcement mechanisms. The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016.
Policy Commission Seeks Public Comment
The Commission on Evidence-Based Policymaking has issued a request for comments on "strategies to increase the availability and use of government data." Congress established the Commission to study whether and how data across the federal government could be combined for policy research while protecting privacy. The Commission seeks comment on several issues including privacy risks, access to data, and whether a single clearinghouse should be created. In testimony before the Commission, EPIC President Marc Rotenberg emphasized safeguards for personally identifiable information, following EPIC's work on Re-identification and The Census and Privacy. Comments to the Commission are due on November 14, 2016.
FAA Drone Advisory Committee to Address Privacy
In its inaugural meeting, the FAA's newly assembled Drone Advisory Committee decided to address privacy concerns posed by the increasing deployment of drones in the United States. The FAA Committee, lacking consumer and privacy representatives, was assembled to make recommendations to the FAA on drone policy. According to the National Conference of State Legislatures, at least 38 states have considered drone legislation so far this year. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the DC Circuit Court of Appeals.
White House Updates Guidance on Federal Agency Privacy Practices
The Office of Management and Budget released a memorandum that requires the head of each agency to "assess the management, structure, and operation of the agency's privacy program." The OMB memo provides updated guidance, requiring the designation of a Senior Agency Official for Privacy with appropriate authority to implement the agency's privacy program, including ensuring compliance with the Privacy Act. In 2015, a breach of records at the OMB impacted more than 22 million federal employees, family members and associates. EPIC has filed numerous comments with agencies across the federal government criticizing their lack of compliance with the Privacy Act. EPIC has also submitted amicus briefs to the US Supreme Court concerning the federal Privacy Act.
- GM Urges 9th Circ. To Put Brakes On Car Data Hack Suit, Law360, September 30, 2016
- Groups Blast 'Intrusive' TSA Body Scanner Rule At DC Circ., Law360, September 28, 2016
- Facebook Can't Collect WhatsApp Data: German Regulator, Law360, September 28, 2016
- A Former Verizon Employee Just Admitted to Selling Private Phone Records, Fortune, September 28, 2016
- Germany Orders Facebook to Stop Collecting Data on WhatsApp Users, Threatpost, September 28, 2016
- Driverless Car Privacy, Data Security Vital, Feds Say, Bloomberg BNA, September 28, 2016
- Police must have 'particularized evidence' of crime before seizing cellphones, SJC rules, The Boston Globe, September 28, 2016
- More might die on the road rather than submit to a TSA body scan?, The Washington Post, September 28, 2016
- Germany orders Facebook to stop sharing and delete WhatsApp user data, Ars Technica, September 27, 2016
- Germany orders Facebook to stop collecting WhatsApp data, Engadget, September 27, 2016
- Germany orders Facebook to delete records of 35 million WhatsApp users over privacy law violation, Washington Times, September 27, 2016
- Germany Orders Facebook To Stop Collecting WhatsApp User Data, Forbes, September 27, 2016
- Facebook Ordered To Stop Collecting WhatsApp Users' Data In Germany, Tech Times, September 27, 2016
- Committee passes bill to prohibit use of drones over certain facilities in PA, Berks-Mont News, September 27, 2016
- What did Yahoo know about the huge security breach -- and when?, Consumer Affairs, September 26, 2016
- Ex-Verizon worker accused of selling customer phone records, The Sacramento Bee, September 26, 2016
- Law Enforcement Uses StingRays To Spy On Americans And Lies About It, Huffington Post, September 26, 2016
- Online Services Want Your Birthdate, Creating Security Risk, ABC News, September 24, 2016
- What's Up With WhatsApp?, Dissent Newswire, September 23, 2016
- FTC chair pressed on Facebook-WhatsApp data practices, POLITICO Pro, September 22, 2016
- Google's new Allo raises privacy concerns, USA TODAY, September 21, 2016
- Google Retreats on Some Allo Privacy Promises, Threatpost, September 21, 2016
- The dark side of the Census, Australian Broadcasting Corporation, September 18, 2016
- Does it matter that Pokemon knows where you go - and much more about you?, Minneapolis Star Tribune, September 17, 2016
- Harvard Economist: US Should Phase-Out All Currency Larger Than $10 Bills, CNS News, September 17, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law Sourcebook 2016: United States Law, International Law, and Recent Developments, edited by Marc Rotenberg. EPIC (September 2016).
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
October 12, 2016
Trade and Privacy: Complicated Bedfellows?
October 13, 2016
The Misunderstood Right to Be Forgotten: The Future of Free Expression and Privacy in the Online World
Marc Rotenberg, EPIC President
Ann Arbor, MI
October 13, 2016
Fall Technology Series: Drones
Jeramie Scott, EPIC Domestic Security Counsel
October 19 - 20, 2016
38th International Privacy Conference: Opening New Territories for Privacy
Marc Rotenberg, EPIC President
International Conference of Data Protection and Privacy Commissioners
November 21 - 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.