EPIC Alert 23.20


1. EPIC Promotes Algorithmic Transparency, Privacy Resolutions Adopted at Annual Meeting of Privacy Commissioners

At the 38th International Conference of the Data Protection and Privacy Commissioners (ICDPPC) in Marrakech, EPIC President Marc Rotenberg promoted EPIC’s work on algorithmic transparency and recent EPIC publications. The Conference also adopted several key privacy resolutions. Each year, the ICDPPC convenes privacy officials from around the globe.

EPIC President Marc Rotenberg presented EPIC’s work on “algorithmic transparency.” Highlighting the privacy risks of autonomous devices, he also argued for two amendments to Asimov’s Rules of Robotics: that a robot must always reveal the basis of its decision and a robot must reveal its actual identity. Rotenberg emphasized the growing need to address the challenge of drones, robots, and autonomous devices, warning that machines were gaining rights of privacy that should be preserved for humans.

The ICDPPC adopted several resolutions advancing data protection around the globe. Recognizing the importance of educating students about privacy in the digital age, the officials adopted An International Competency Framework on Privacy Education to help guide educators. Other resolutions addressed the development of new privacy metrics, human rights defenders, and international cooperation in enforcing privacy rights.

The next ICDPPC will be held in Hong Kong in September of 2017. EPIC regularly participates in international privacy conferences through the Public Voice, a project engaging both members of civil society and government in current internet policy issues. EPIC has organized more than a dozen Public Voice events in conjunction with the annual meetings of the Data Protection and Privacy Commissioners.

2. FCC Adopts Modest Privacy Rules for Broadband Services

The Federal Communications Commission has approved privacy rules governing the conditions under which broadband providers may use or disclose certain customer information.

According to a fact sheet on the broadband privacy rules, the FCC’s order requires ISPs to obtain consumers’ consent to use or disclose "sensitive" information, which includes precise geo-location, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications. ISPs may use or disclose all other information, including information such as customers’ IP addresses and device identifiers, unless consumers take additional steps to opt out. A document obtained by EPIC under FOIA shows that Google lobbied for customers’ IP addresses to be excluded from privacy protections. ISPs may also use or disclose without customer consent any information from which identifiers have been removed so that the information cannot be “reasonably linked to a specific individual or device.”

The rules also contain data security provisions. The FCC declined to prescribe specific security activities, however, instead requiring only “reasonable measures to protect consumer data.” ISPs must also notify customers when a breach of their personal information has occurred “unless the ISP determined that no harm is reasonably likely to occur.”

The FCC’s order applies only to broadband ISPs. So-called “edge providers” that provide social media, search, and e-mail services are not covered under the rule. The rules also permit companies to charge users additional fees for basic privacy protections and to require forced arbitration over privacy rights violations. Chairman Wheeler said that the mandatory arbitration issue would be addressed in a separate rulemaking by February 2017.

The final rules are weaker than the FCC’s original proposal, which offered privacy protections for all consumer data. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.

3. EPIC Urges Massachusetts High Court to Protect Email Privacy

EPIC has filed an amicus brief in a case before the Massachusetts Supreme Judicial Court regarding email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this practice is prohibited by the Massachusetts Wiretap Act.

EPIC argued that Google's scanning of private communications is far more invasive than the interception of a telephone call, which is clearly prohibited by Massachusetts wiretap law. EPIC said that the lower court was wrong to dismiss the case against Google.

"The lower court's decision flips this important privacy law entirely on its head and would completely eliminate the two-party consent requirement," EPIC said.

EPIC cited the history of the state wiretap law. “The potential for service provider eavesdropping was one of the primary concerns that drove the legislature to amend the law,” EPIC wrote. “It is simply absurd to suggest that the legislature expected the prohibition on wiretapping to be inapplicable in cases where a communications service provider announced in general terms that they would begin monitoring calls.”

EPIC also argued that Google does not avoid Massachusetts privacy laws simply because it locates servers in a different jurisdiction. Interpreting privacy statutes this way, EPIC said, would “eviscerate protections for electronic communications and incentivize a race to the bottom where companies locate their processing centers in states with the weakest privacy protections.”

A federal court in California recently ruled that non-Gmail users may sue Google for violation of the state wiretap law.

EPIC has filed many amicus briefs in federal and state courts and participated in the successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The EPIC State Policy Project is based in Somerville, Massachusetts.

4. EPIC FOIA - FAA Defies Congress, Fails to Complete Drone Privacy Report

Through a Freedom of Information Act request, EPIC has obtained documents revealing that the FAA never finished a report ordered by Congress on the privacy implications of “unmanned aircraft systems” - better known as drones.

The Appropriations Act of 2014 required the FAA to inform Congress on “how the FAA can address the impact of widespread use of [drones] on individual privacy.” In the Explanatory Statement accompanying the Act, Congress recognized that “expanded use of UAS and their integration into the national airspace raise a host of concerns with respect to the privacy of individuals.” Mindful that the FAA plays a “unique role” in civil aviation, Congress called for the agency to conduct a study on the implications of UAS integration into the national airspace on individual privacy.

Congress explained that the FAA’s study should “address the application of existing privacy law to UAS integration; identify gaps in existing law, especially with regard to the use and retention of personally identifiable information and imagery; and recommend next steps for how the FAA can address the impact of widespread use of UAS on individual privacy as it prepares to facilitate the integration of UAS into the national airspace.”

Congress ordered the FAA to submit the study to the House and Senate Committees on Appropriations “no later than eighteen months after enactment [of the Consolidated Appropriations Act],” and “well in advance of the FAA’s schedule for developing final regulations on the integration of UAS into the national airspace.” This means that the agency was to have submitted the study by July 15, 2015.

But internal emails obtained by EPIC show that the agency never finished the study. “I think there was some initial work done on this, however it wasn’t an official report to Congress that the Administrator would send to the Hill,” writes an FAA official. Instead, the FAA appears to maintain that a separate study conducted by the National Telecommunications and Information Administration was an acceptable substitute.

Now, as the end of 2016 approaches, the FAA has moved forward with regulations for commercial drones that lack privacy safeguards, and the drone privacy report remains unfinished. EPIC is currently suing the FAA for the agency’s failure to establish drone privacy rules.

5. EPIC Scrutinizes FBI Insider Threat Database; DOD Exempts Database from Privacy Act Safeguards

EPIC has submitted comments to the Federal Bureau of Investigation scrutinizing its proposed Insider Threat database. Under the proposal, the FBI would collect information on various individuals who had access to FBI facilities, information systems, or classified information. The FBI could disclose this information to the media, agencies of foreign governments, and licensing agencies.

EPIC’s comments to the FBI addressed several concerns with the Bureau’s proposal. The database would contain vast amounts of personal information, including personnel files, payroll files, polygraph reports, and facility access files. In particular, EPIC raised concerns that the database would contain information found on the SF-86 form. This document is used to conduct background checks for sensitive federal employment positions and was the subject of last year’s massive data breaches at the Office of Personnel Management. EPIC’s comments also raised concern over the numerous Privacy Act exemptions the agency proposed, which includes dispensing with the requirement that records are accurate and relevant.

Earlier this year, EPIC submitted comments to the Department of Defense on a related program. The DOD final rule on the Insider Threat database addressed EPIC’s comments but failed to limit the Privacy Act exemptions. The DOD explained that it did not intend to utilize those exemptions in every case. This presents a risk that Privacy Act exemptions could be applied in an arbitrary or discriminatory manner. In response to EPIC’s concern that the database would include vast amounts of information unrelated to insider threats, DOD claimed it is “logically required” to retain irrelevant information to detect anomalies. The Department did not indicate whether it considered any methods of detecting anomalies other than the mass collection of information on DOD employees and contractors.

Several other federal agencies have established similar programs pursuant to Executive Order 13587. The Executive Order requires federal agencies to develop threat detection and prevention programs to protect classified information. These programs have led to vast data collection on individuals who work for federal agencies, family members of employees, federal contractors, and even visitors to federal facilities. Information contained in these databases is also frequently disclosed to other federal agencies, foreign entities, and private parties for purposes unrelated to insider threat detection and prevention. Earlier this year, EPIC submitted comments in response to the Department of Homeland Security’s proposed Insider Threat database. EPIC urged DHS to narrow the broad scope of the database and limit the Privacy Act exemptions claimed for this massive system of records.

Final rules to implement the FBI and DHS’s Insider Threat database are pending. EPIC continues to raise concern over the vast amounts of personal data the federal government collects, particularly after the massive hacks targeting government data. EPIC has long advocated the use of Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. Additionally, EPIC has launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

News in Brief

European Privacy Officials Pursue Investigation of WhatsApp & Yahoo

The Article 29 Working Party, an expert group of European privacy officials, is pursuing investigations of WhatsApp and Yahoo. In a letter to Facebook, the Working Party stated that the decision to transfer confidential user data from WhatsApp to Facebook has raised "serious concerns," and urged WhatsApp to halt data transfers pending completion of the investigation. Separately, the group urged Yahoo to provide information about the 2014 data breach which compromised 500 million accounts. The Working Party also pressed the company to explain why it scanned customer emails for US intelligence agencies. EPIC recently filed a complaint with the FTC regarding WhatsApp, arguing that it violated a 2014 agreement and urging the Commission to block the transfer. EPIC has also testified before Congress about the need to adopt data breach legislation and launched the Data Protection 2016 campaign.

Privacy Advocates Challenge EU-US Data Transfer Agreement

An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice of the European Union concluded that personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance.

UN Report Cites Threats to Freedom of Expression

A top United Nations official on the freedom of expression released a report citing "severe" threats to freedom of expression worldwide. The report flagged governments cracking down on encryption, blocking websites, suspending communications services, and over-classifying information as key concerns. EPIC described the importance of strong encryption in an amicus brief earlier this year and regularly litigates Freedom of Information Act cases to improve transparency about government surveillance. A new EPIC publication — The Privacy Law Sourcebook 2016 — provides an overview of legal instruments for privacy protection, as well as information about privacy agencies, organizations, and publications.

Google "Quietly" Changes Privacy Policy, Matches Tracking Data and User ID

Ars Technica reported this week that Google "quietly" changed its privacy policy this summer to combine tracking data and user ID - data it had previously promised to keep separated. The revised policy now says that "your activity on other sites and apps may be associated with your personal information" for ad delivery. In 2007, EPIC urged the FTC to block Google's proposed acquisition of Doubleclick, warning that Google would eventually link the Google user profile with the Doubleclick data despite the company's representations. When the FTC approved the merger without conditions, EPIC responded that the FTC "had reason to act and authority to act, and failed to do so." Currently before the FTC is a complaint from EPIC concerning WhatsApp's plan to transfer user data to Facebook, breaking a privacy promise made by the company at the time of the 2014 acquisition to act "independently and autonomously."

EPIC Testifies Before Maryland House of Delegates on Cell Site Simulators

EPIC Senior Counsel Alan Butler recently testified before the Maryland House of Delegates concerning "Cell Site Simulator Technology, Historical Location Information, and Aerial Surveillance by Police." The hearing follows a recent complaint to the FCC regarding the use of "Stingrays," fake cell phone towers, by the Baltimore Police Department to intercept private communication. In a 2013 Freedom of Information Act suit against the FBI, EPIC uncovered plans involving federal and state law enforcement agencies to keep the use of Stingrays secret. EPIC has since argued in amicus briefs that cell phone location data is protected by the Fourth Amendment. Baltimore Police used Stingrays to track more than 1,700 individuals between 2007 and 2014.

DC Appeals Court Hears Arguments in Telemarketing Privacy Case

The federal appeals court in Washington, D.C. heard oral arguments Wednesday in a case with major implications for telephone privacy. The suit, ACA International v. FCC, was brought against the Federal Communications Commission by telemarketing companies and others challenging rules adopted under the Telephone Consumer Protection Act that prohibit automated calls made to cell phones without the recipients' consent. EPIC and six consumer privacy groups filed an amicus brief in the case, stressing the importance of privacy protections for cell phone users. EPIC also challenged a claim made by the telemarketers that "37 million" numbers were reassigned each year, making it difficult, the companies claimed, to comply with the privacy law. During the argument, one of the judges pressed the telemarketers' attorney on the point (audio), citing research in the EPIC amicus brief. EPIC frequently participates as amicus curiae in cases that raise novel privacy issues.

EPIC and Coalition Urge Presidential Candidates to Adopt Good Government Policies

In letters to Hillary Clinton and Donald Trump, EPIC and a coalition of NGOs urged the presidential candidates to adopt good-government policies in the next administration. In the first letter, the coalition called on the nominees to adopt a rigorous code of ethics for their presidential transition teams. Citing then-Senator Obama's 2008 transition code of ethics, the coalition urged the candidates to prohibit individuals with lobbying ties and financial conflicts of interest from working in the administration. EPIC also joined a second letter calling on the next president to adopt stronger policies on government record keeping. The next president, wrote the coalition, "can demonstrate commitment to strengthening records accountability within the federal government" by directing agencies to comply with the Office of Management and Budget's 2012 government records directive, implement agency-wide record keeping training, develop open records plans, and abide by strict reporting deadlines. EPIC and other open government groups previously pushed the Obama administration to improve its implementation of the Freedom of Information Act.

EPIC, Consumer Coalition Tells FCC to Limit Health Care Robocalls

EPIC and a coalition of consumer privacy advocates have urged the Federal Communications Commission to reject a request by health insurance companies to make unlimited health-related robocalls to consumers under the Telephone Consumer Protection Act. The insurance companies asked the FCC to amend the TCPA so that once a consumer provides her phone number to her doctor, she has "consented" to receiving telemarketing calls from other health care providers on anything medically related. The coalition comments, led by the National Consumer Law Center, urge the FCC to limit the scope of consumers' consent to medical robocalls by excluding telemarketing calls and allowing only calls related to the original reason the consumer provided her phone number. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC's 2015 order that strengthened consumer protections under the TCPA.

New Study Shows Public Does Not Trust Social Media Privacy, Supports Stronger Privacy Laws

A new survey supported by the Craig Newmark Foundation shows that while 80% of Americans use social media daily, 96% do not trust social networks to protect their privacy. The survey found that only 7% of millennials trust these sites to protect their data. A majority of Americans surveyed also expressed concern about the lack of safety online, including fears over identity theft, email hacking, and non-consensual online tracking. Many Americans think privacy laws are too weak. Among all groups, millennials are increasingly aware of the need for stronger privacy laws. EPIC maintains a webpage devoted to Privacy and Public Opinion and has launched the Data Protection 2016 campaign to highlight privacy protection in the 2016 election.

European High Court Rules that Dynamic IP Addresses are Personal Data

The Court of Justice of the European Union has ruled that dynamic IP addresses are personal data subject to protection under data protection law. The Court said that a user's identity can still be revealed through use of legal process, even though the numeric address may not be unique to the user. The Court also said that the collection of IP addresses must be limited to the purposes for which they were collected. The Court noted that personal data can be lawfully collected if it is necessary to protect cybersecurity. The European Court of Justice opinion is aligned with EPIC's recommendation for Privacy Enhancing Technologies that minimize or eliminate the collection of personally identifiable information. Internet services that do not retain IP addresses or adopt techniques that are unable to link IP addresses to a particular user may not be subject to the decision, which is binding across Europe. EPIC has made similar arguments about the scope of personal information to US courts as amicus curiae. EPIC argued in the Nickelodeon case that IP addresses and unique device IDs are personally identifiable information subject to protection under US privacy law. Federal courts are now split on the issue and the US Supreme Court may soon resolve the matter.

FTC's Data Protection Authority Under Attack in LabMD Case

A medical testing lab has petitioned a federal appeals court to reject the authority of the Federal Trade Commission to enforce data security standards. The commission recently found that LabMD's poor data security practices, which led to a breach of personal medical data, were "unfair" under the FTC Act and ordered the company to take corrective measures. "[T]he privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," the commission explained. EPIC previously filed an amicus brief in FTC v. Wyndham, a similar case in which another appeals court upheld the FTC's data protection authority. The court in that case stated, "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (Sept. 2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

November 14, 2016
Global Internet and Jurisdiction Conference 2016
Marc Rotenberg, EPIC President
Paris, France

November 15 - 16, 2016
Working Party on Communication Infrastructures and Services Policy
Marc Rotenberg, EPIC President
Paris, France

November 21 - 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
Berlin, Germany

December 7, 2016
Fall Technology Series: Smart TV
Claire Gartland, Director, EPIC Consumer Privacy Project
Federal Trade Commission
Constitution Center
Washington, DC

December 7 - 8, 2016
Internet Governance Forum 2016
“Encryption and Safety of Journalists in the Digital Age”
“Reporting on the OECD Digital Economy Ministerial”
Marc Rotenberg, EPIC President
Zapopan, Jalisco, México

December 12 - 13, 2016
National Academies of Science
“Big data and privacy”
Marc Rotenberg, EPIC President
Washington, DC

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC
