EPIC Alert 23.19

EPIC Alert logo

1. EPIC Defends Consumers' Right to Sue Cable Providers for Illegal Data Retention

EPIC has filed an amicus brief in Gubala v. Time Warner urging a federal appeals court to preserve consumers' right to sue cable providers that illegally retain their data. The lower court ruling now on appeal "raises serious separation-of-powers concerns because the decision usurps the power of the legislature to define legal injuries and remedies," EPIC wrote.

Derek Gubala brought a lawsuit alleging that Time Warner held onto his personal information long after he had canceled his service. Retaining customer data when it is no longer needed violates the Cable Communications Policy Act. However, the lower court dismissed the suit, concluding that the plaintiffs had suffered no "injury."

In an amicus brief for the federal appeals court, EPIC explained that the relevant injury is the violation of federal law which provides the basis to bring the lawsuit. EPIC said that the lower court confused "legal injury" with consequential harm, which would be determined later in the case. When a company violates a federal privacy law, EPIC said, that is a "legal injury" and the court must hear the case.

"The lower court was presented with an injury that Congress made legally cognizable under the Cable Act--having one's personal information retained by a cable provider after it is no longer necessary--yet refused to acknowledge the legitimacy of the statutory prohibition," EPIC wrote. In doing so, the court "subverted the core premise of the standing doctrine, converting a shield against judicial overreach into a sword for eviscerating legal rights created by Congress."

"Post-Spokeo, courts must understand that injury-in-fact is a legal injury, distinct from consequential harm," the EPIC brief said. "If courts are allowed to graft a consequential harm requirement onto standing doctrine, they will slam the courthouse doors on litigants who Congress has expressly permitted to enter."

"Courts should not presume, as the lower court did in this case, to label certain rights as 'procedural' rather than 'substantive' where Congress has not done so," EPIC explained. "When a court demands that a plaintiff prove some form of harm beyond the injury that Congress has deemed actionable, it is rejecting Congress's determination of what constitutes a bona fide injury and impermissibly 'substitut[ing] its own judgment for that of the legislature.'"

EPIC has filed numerous amicus briefs in consumer privacy cases clarifying the relationship between "legal injury" and "harm," which have been the source of widespread confusion since the Supreme Court's decision in Spokeo v. Robins. In April, EPIC told the Third Circuit federal appeals court that data breach victims can sue companies when the companies fail to adequately safeguard customer data without having to wait for fraud or identity theft to occur. And in July, EPIC told the Eighth Circuit appeals court that plaintiffs need not prove consequential harm to sue companies that fail to protect their data.

2. White House Releases Reports on Future of Artificial Intelligence

The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns.

Preparing for the Future of Artificial Intelligence surveys the current state of AI, its applications, and emerging challenges for society and public policy. According to Ed Felten, Deputy US Chief Technology Officer and EPIC Advisory Board member, the report discusses "how to adapt regulations that affect AI technologies, such as automated vehicles, in a way that encourages innovation while protecting the public" and "how to ensure that AI applications are fair, safe, and governable." The report concludes that "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations."

The companion report, National Artificial Intelligence Research and Development Strategic Plan, proposes a strategic plan for federally-funded research and development in AI. The plan identifies seven priorities for federally-funded AI research, including strategies to "understand and address the ethical, legal, and societal implications of AI" and "ensure the safety and security of AI systems."

EPIC has promoted "Algorithmic Transparency" and is litigating several cases on the front lines of AI. EPIC successfully sued US Customs and Border Protection for documents about the use of secret, analytic tools to assign "risk assessments" to travelers, and sued to compel the Department of Homeland Security to produce documents about "physiological and behavioral signals" used by DHS to determine the probability that an individual might commit a crime. EPIC has open government requests in several states, seeking the release of a secret DNA forensic technique used to determine guilt or innocence.

3. EPIC Opposes DHS Plan to Collect Social Media Identifiers

EPIC recently urged to the Department of Homeland Security to drop a plan to review the social media accounts of individuals seeking to visit the United States. DHS plans to obtain social media identifiers from visitors' travel documents. DHS claims this information would help corroborate other information provided, such as country of origin, and would also provide greater clarity to "possible nefarious activity and connections."

EPIC said this would have a chilling effect on the speech of individuals seeking to visit the US. DHS has a history of monitoring social media for dissent and criticism of the agency, and it is unclear whether criticism of US policy could be grounds for denying entry. "Government programs that potentially scrutinize online comments, dissent, and criticism for the purpose of vetting alien visitors prior to entry into the U.S. send a chilling message to all users of social media--which increasingly provides important forums to share ideas, engage in debates, and explore new ideas," EPIC warned. While DHS currently proposes to make this request voluntary, EPIC noted that failure to provide social media identifiers would also raise suspicion.

This latest DHS proposal targets foreign visitors, but US citizens have also been subject to social media surveillance. In 2011, EPIC obtained documents in that revealed DHS gathered social media activity of individuals who expressed criticism of the agency and the US government. The program also targeted people who used such terms as "cloud," "exercise," and "Mexico." This revelation led to a Congressional hearing in 2012 that revealed bipartisan opposition to the DHS social media monitoring program.

4. FCC Releases Revised Broadband Privacy Plan

The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The new draft is a scaled-back version of the FCC's original proposal, and includes numerous industry-requested revisions that would reduce privacy protections for consumers.

The FCC first proposed a set of regulations on "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services" in March of this year. The FCC's proposed privacy rules - both the original and revised versions - would regulate only Internet Service Providers and are based on a limited "transparency, choice, and security" framework. Industry groups have argued that the FCC should further limit the rules by adopting the approach taken by the Federal Trade Commission based largely on "notice and choice." EPIC and other privacy advocates cautioned against further weakening the FCC's modest original plan.

The revised proposal for broadband privacy rules differs from the original plan on several key provisions. The new plan will require ISPs to obtain consumers' opt-in consent only for non-service-related uses of "sensitive" information, which includes web browsing history, app usage, and geolocation. However, information the FCC defines as "non-sensitive" would not be protected unless consumers opt out. The FCC's original proposal required ISPs to obtain opt-in consent before using any consumer data, regardless of sensitivity, for non-service-related purposes like advertising.

The FCC introduced an exception for de-identified customer data in the new rules, which would allow ISPs to use and disclose de-identified data without having to obtain consumers' consent or allowing them to opt-out. The fact sheet does not include oversight or independent verification mechanisms to ensure the adequacy of ISPs' de-identification techniques. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review.

EPIC has called the FCC's original privacy proposal a "modest first step" and repeatedly argued that the Commission can and should go further to "address the full range of communications privacy issues facing US consumers." In comments on the FCC's proposed rulemaking, EPIC has urged the Commission "to fully apply" Fair Information Practices (FIPs) and President Obama's Consumer Privacy Bill of Rights (CPBR) to all communications data. The Commission plans to vote on the proposal on October 27th.

5. Supreme Court Won't Review Privacy Violations by Facebook, Google

The Supreme Court decided not to review two significant consumer privacy cases: K.D. v. Facebook and Grouley v. Google.

In K.D. v. Facebook, consumers filed a class action over Facebook's use of young children's names and images for behavioral advertising without consent. That practice is currently prohibited in seven states. The plaintiffs asked the Supreme Court to step in after the Ninth Circuit upheld a controversial settlement of the case, which failed to resolve the key privacy concerns raised in the case. In an amicus brief to the Ninth Circuit, EPIC urged the appeals court to overturn the deal, explaining that the settlement is unfair to class members and authorizes continued privacy violations.

Grouley v. Google involved multiple legal challenges in the Third Circuit to Google's tracking of browsing habits that persisted after consumers attempted to block the practice and in spite of the company's own assurances about consumers' ability to opt-out. Consumers called on the Supreme Court to revive their allegations that Google's practices violated the Wiretap Act or Stored Communications Act, which the Third Circuit struck down.

EPIC consistently files amicus briefs in consumer privacy cases to promote enforcement of privacy laws and to defend consumers' ability to seek redress when a violation of law occurs.

News in Brief

WhatsApp Privacy Update: Spain Investigating Broken Privacy Promises

Spain is the latest country to investigate WhatsApp's transfer of user data, including verified user phone numbers, to Facebook. The Spanish Data Protection Agency joins privacy regulators in Germany, India, Italy, and the U.K. that have taken action against WhatsApp's changes to privacy practices that contradict previous promises. EPIC filed a complaint with the Federal Trade Commission over the policy change in August, and more than a dozen consumer groups have backed these efforts. The Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."

FTC Hosts Event on Drones and Privacy

Text Today the Federal Trade Commission will host a panel discussion on drones and privacy as part of the agency's Fall Technology Series. The Director of EPIC's Domestic Surveillance Project, Jeramie Scott, will participate in the panel. Mr. Scott previously testified before the Pennsylvania Senate on domestic drone surveillance and submitted a statement for record regarding a Maryland bill to limit drone surveillance. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals.

CPDP2017, Leading Data Protection Conference, Extends Paper Deadline

Computers, Privacy, and Data Protection, the international conference devoted to privacy and data protection, will now accept papers until October 22, 2016. The theme of CPDP2017 is "The Age of Intelligent Machines." CPDP2017 will be held on 25-27 January 2017 in Brussels. The CPDP2017 Call for Papers is addressed to all researchers who wish to present papers. All submitted papers will be peer reviewed by members of the CPDP 2017 Scientific Committee (and other independent reviewers where necessary) and will be commented upon by distinguished scholars. EPIC is one of many organizations sponsoring the event. The 2017 EPIC International Champion of Freedom Award will be presented at CPDP.

Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails

Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program "Carnivore" that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community.

EPIC FOIA: Google Secretly Attempted to Narrow FCC Privacy Protections, Exclude Customer IP Addresses

In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission has released communications about the FCC's broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer's IP address. An email exchange between Google's Vinton Cerf and FCC Chairman Tom Wheeler reveals Google's backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers' IP addresses. While EPIC has repeatedly argued that the FCC's rules can and should go further, the current proposal would safeguard some consumer data, including IP addresses.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (Sept. 2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

October 19 - 20, 2016
38th International Privacy Conference: Opening New Territories for Privacy
Marc Rotenberg, EPIC President
International Conference of Data Protection and Privacy Commissioners
Marrakech, Morocco

November 14, 2016
Global Internet and Jurisdiction Conference 2016
Marc Rotenberg, EPIC President
Paris, France

November 15-16, 2016
Working Party on Communication Infrastructures and Services Policy
OECD
Marc Rotenberg, EPIC President
Paris, France

November 21 - 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
Berlin, Germany

December 7-8, 2016
Internet Governance Forum 2016
"Encryption and Safety of Journalists in the Digital Age"
"Reporting on the OECD Digital Economy Ministerial"
Marc Rotenberg, EPIC President
Zapopan, Jalisco, Mexico

December 12-13, 2016
National Academies of Science
"Big data and privacy"
Marc Rotenberg, EPIC President
Washington, DC

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy