EPIC Alert 23.21

1. EPIC Sues FBI Over Biometric Data Program

EPIC has filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation for information about the agency's plans to transfer biometric data to the Department of Defense. The FBI maintains one of the world's largest biometric databases—known as the "Next Generation Identification" system—containing digitized fingerprints, facial scans, and iris images of millions of Americans. The FBI has resisted and removed privacy safeguards, even as it has expanded the system.

The Bureau previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, a move which EPIC opposed. Then EPIC, following an earlier FOIA lawsuit, obtained documents that revealed an error rate as high as 20 percent for facial recognition searches in the FBI database. In its new FOIA lawsuit, EPIC is seeking to obtain a secret memorandum of understanding that details the transfer of personal data in the FBI system to the Department of Defense.

“Widespread deployment of facial recognition technology presents a number of significant privacy and security issues,” EPIC wrote in its complaint. “Ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protestors engaging in lawful, anonymous free speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously. For these reasons, it is vital that the deployment of facial recognition technology be done in a transparent way to ensure adequate public oversight.”

EPIC originally filed a FOIA request for the secret memorandum in April 2015. The FBI acknowledged receipt of that request and later stated that it had found 35 pages of responsive records, but the agency has failed to provide any documents to date. More than a year has passed since the last response to EPIC from the FBI.

EPIC has long warned about the privacy implications of facial recognition technology and fought to place safeguards on its use by governments and businesses. EPIC also makes frequent use of FOIA requests and litigation to obtain information from the government about surveillance and privacy policies.

2. EPIC Urges FTC to Strengthen “Safeguards Rule”

EPIC has submitted comments to the Federal Trade Commission on its Standards for Safeguarding Customer Information, often referred to as the “Safeguards Rule.” The Rule currently only applies to financial institutions and requires them to take reasonable measures to protect their customer’s data. EPIC urged the FTC to strengthen the rule by expanding its scope to include all companies and organizations that collect consumer data, clarifying that compliance with the FTC’s guidelines on the Rule is mandatory, and establishing a data minimization requirement for organizations that are subject to the Rule.

The FTC implemented the Safeguards Rule in 2003 and is conducting the first major regulatory review of the Rule since that time. While the rule currently only covers financial institutions, massive data breaches over the past 13 years have affected a number of companies that the Commission states are involved in “incidental” financial activities, such as educational institutions and commercial businesses. In its comments, EPIC noted that Americans are currently facing a data breach epidemic that has resulted in increased identity theft and financial fraud.

In its recommendations the FTC, EPIC urged the Commission to use its enforcement powers to ensure that covered entities are in compliance with the rule and that civil penalties are imposed for violations. The FTC’s request for comments on the Safeguards Rule specifically asked whether the scope of the Rule should be modified to include entities that engage in “incidental” financial activities. EPIC supports such an expansion. Entities that are involved in incidental financial activities collect a substantial amount of personal information from their customers and should not be excused from the requirements of the Safeguards Rule simply because their primary purpose is not to supply financial products and services. Finally, EPIC argued that the Commission should implement data minimization requirements to strengthen the Rule. By limiting the amount of data collected, entities reduce the incentive for hackers break into their systems and decrease the amount of harm done to consumers in the event of a breach.

EPIC frequently submits comments to the FTC on a range of consumer protection issues. EPIC has previously petitioned the FTC to look into data breaches at educational institutions and has testified before Congress concerning the behavior of data brokers and their use of individuals’ personal information. EPIC also has a long argued that data minimization is the best way to prevent loss of personal information and encouraged entities not to collect or store more data than they need.

3. UK Information Commissioner Suspends WhatsApp Data Transfer to Facebook

Facebook has agreed to suspend targeted advertising for WhatsApp users in the United Kingdom. The decision follows an investigation by UK Information Commissioner Elizabeth Denham, and is the latest development in mounting worldwide opposition to WhatsApp’s changes to its data practices.

On August 25, 2015, WhatsApp announced plans to disclose user information to Facebook, including phone numbers and other user data, that will be connected with Facebook profiles. The companies plan to use this information to provide "friend suggestions and more relevant ads on Facebook" and to allow businesses to send WhatsApp users marketing messages. WhatsApp will provide users 30 days to opt-out of data transfers to Facebook.

WhatsApp and Facebook's plan contradicts previous promises to WhatsApp users that their personal information would not be disclosed or used for marketing purposes, and constitutes an unfair and deceptive trade practice. When Facebook purchased WhatsApp in 2014, the companies promised users of the privacy-protective messaging service that "nothing" will change for WhatsApp users' privacy. Facebook CEO Mark Zuckerberg promised, "We are absolutely not going to change plans around WhatsApp and the way it uses user data."

According to Commissioner Denham, “I don’t think users have been given enough information about what Facebook plans to do with their information, and I don’t think WhatsApp has got valid consent from users to share the information.”

WhatsApp's plan to transfer user data to Facebook faces growing opposition from privacy regulators worldwide. The Article 29 Working Party, an expert group of European privacy officials, is pursuing investigations of WhatsApp. In a letter to Facebook, the Working Party stated that the decision to transfer confidential user data from WhatsApp to Facebook has raised "serious concerns," and urged WhatsApp to halt data transfers pending completion of the investigation. Privacy officials in Spain, Germany, India, and Italy have also taken action in response to WhatsApp’s privacy U-turn.

EPIC and the Center for Digital Democracy filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC's latest response to the consumer coalition emphasized "FTC staff's position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises." The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."

In 2012, EPIC and a coalition of consumer privacy organizations led a successful effort at the FTC after Facebook changed the privacy settings of its users, which resulted in the FTC's 20-year consent order with Facebook.

4. EPIC Urges OMB to Strengthen Privacy Act Safeguards

EPIC submitted comments on Circular A-108, new Privacy Act guidelines for federal agencies proposed by the Office of Management and Budget. EPIC urged the OMB to “increase its oversight and strengthen its guidance” regarding the commonly misused “routine use” Privacy Act exception.

The Privacy Act of 1974 established key requirements for federal agencies maintaining information and records about individuals, and the OMB issues corresponding guidelines and conducts oversight of agency implementation of the Act. The Act’s obligations are subject to several exceptions. These include a “routine use” exemption, which permits an agency to disclose records without individual consent in a manner consistent with the purpose for which it was originally gathered.

However, as EPIC detailed in its comments to the OMB, agencies frequently misuse the “routine use” exemption to circumvent Privacy Act safeguards required by law. Agencies regularly claim overly broad routine uses. Agencies also claim the exemption for disclosures designed to preserve agency reputation or to transfer personal information to third parties not subject to the Act. EPIC recommended specific language to strengthen the OMB guidelines for federal agencies and address misuse of the exemption.

EPIC frequently submits comments recommending stronger federal agency privacy protection, and has urged Congress to modernize the Privacy Act’s remedies and safeguards.

5. EPIC FOIA - Missing Privacy Assessment at DEA

Through a Freedom of Information Act lawsuit, EPIC has learned that the Drug Enforcement Administration never completed privacy assessments of the agency’s largest surveillance programs, including a massive license plate reader program and a telecommunications records database. Through the E-Government Act of 2002, Congress requires agencies to perform Privacy Impact Assessments of new information technologies that collect personally identifiable information. As the Department of Justice notes in its guidance to DOJ components, the PIA "helps promote trust between the public and the Department increasing transparency of the Department’s systems and missions."

Last year, EPIC submitted a FOIA request with the Drug Enforcement Administration for all its Privacy Impact Assessments that are not currently publicly available. EPIC also requested all the Initial Privacy Assessment and Privacy Threshold Analysis documents since January 2007. The latter reports are used to determine whether a more thorough Privacy Impact Assessment is required. Through the lawsuit, EPIC uncovered memos from the DOJ ordering the DEA to prepare Privacy Impact Assessments for particular programs. But despite a federal judge’s order for the DEA to search for those assessments, the agency reported that it had found none.

As the result of news media reports, several DEA programs that ought to have triggered the production of privacy analyses have been revealed. The Hemisphere program, over which EPIC filed a related lawsuit, gave law enforcement direct access to an AT&T database of telephone call records since 2007. However, no privacy assessments of Hemisphere are publicly available.

The DEA also has a license plate reader program that should have triggered privacy analysis. In May 2012, DEA agent Douglas W. Coleman indicated in a prepared statement for a Congressional hearing that the DEA had launched a National License Plate Reader Program in 2008 in response to the smuggling of illicit drug monies out of the United States. According the Mr. Coleman’s statement, the DEA’s LPR program monitors and targets vehicles, uses existing database technology, and promotes information sharing. Senators Charles Grassley and Patrick Leahy sent a letter to Attorney General Eric Holder describing their privacy concerns related to the government’s use of LPRs. Similarly, no privacy assessments of DEA’s LPR program are publicly available.

The outcome of EPIC v. DEA raises questions about the privacy review of agency systems funded by Congress. EPIC is currently litigating a similar lawsuit against the FBI.

EPIC Book Review: “The Attention Merchants: The Epic Scramble to Get Inside Our Heads”

“The Attention Merchants: The Epic Scramble to Get Inside Our Heads,” by Tim Wu

Tim Wu, Columbia University professor and author of the award-winning The Master Switch, offers a compelling and comprehensive examination of powerful commercial efforts to capture and monetize every sliver of our attention. Wu helps readers understand how the current state of affairs came to be, and offers insights on what we can do to reclaim our private lives from the “Attention Merchants.”

The treatise begins by describing a troubling new development: the prospect of opening schools to corporate advertising. “Advertisers have long coveted direct access to the young, who are impressionable and easier to influence,” Wu explains. Many schools across the United States, mostly in poor and middle-class areas, have already begun to rely on selling their students’ attention to advertisers as an essential revenue source. Ads are plastered across student lockers, hallway floors, and even report cards.

Wu expresses surprise at how little controversy has met the introduction of ads in public schools. This is the starting point for his thoughtful treatise, which seeks to explore how our current state of affairs came to be. “Over the last century,” Wu explains, “we have come to accept a very different way of being, whereby nearly every bit of our lives is commercially exploited to the extent it can be.” With this premise, Wu embarks on a details survey of the development and impressive rise of one of today’s most powerful industries: The Attention Merchants. From the penny press newspapers of New York City to the advent of radio and television to the modern online ecosystem of digital trackers, the Attention Merchants have methodically taken over and monetized more and more of our waking moments.

Wu also describes the symbiosis between the attention merchants and other twentieth century industries whose viability relied on advertising revenue. “Beginning with radio, each new medium would attain its commercial viability through the resale of what attention it could capture in exchange for its ‘free’ content,” the author argues.

The chapters on the first Attention Merchants are devoted to the early days of advertising. A young New Yorker, Benjamin Day, decided to publish a newspaper and sell it for a penny, well below the expensive 6 cent daily papers already in circulation. Day sold his papers at a loss, instead relying on revenue from reselling the attention of his audience. The first edition of the New York Sun was printed on September 3, 1833. The Sun featured sordid tales of court proceedings, as well as detailed coverage of the state’s slave trade. Within the first year, Day was selling thousands of papers a day and the revenue from paid advertisers eventually exceeded printing costs. Day struck it rich and the Sun became the leading newspaper in the city, all thanks to advertising revenue.

“Once a commons that fostered the amateur eccentric in every area of interest, the web, by 2015, was thoroughly overrun by commercial junk,” Wu writes. In his chapters on the internet, Wu takes aim at clickbait, listicles, celebrity nonstories, and other meaningless content generated to keep users clicking and viewing ads. Wu also laments the extraordinary surveillance methods used by online attention merchants. “Online tracking technologies evolved to a point that would have made a Soviet-era spy blush,” he writes.

Wu describes a speech given by Apple CEO Tim Cook at EPIC’s 2015 awards dinner. Cook tore into attention merchants during the speech. “They’re gobbling up everything they can learn about you and trying to monetize it. We thing that’s wrong,” Cook said.

While the majority of Attention Merchants reads as a historical survey, Wu offers his perspectives on the current state of affairs. He is less concerned with debating whether advertising is good or bad, and believes the more important question is “not how the attention merchant should conduct business, but where and when.” He pushes back on the encroachment of advertising into every bit of time and space we occupy - facilitated significantly by advances in technology - and urges the reader to contemplate what times and spaces are simply too valuable, personal, and sacrosanct for commercial exploitation. Wu calls for a “human reclamation project” to reclaim some of our private lives from the reach of attention merchants.

In closing, Wu references the work of philosopher William James, who “held that our life experience would ultimately amount to whatever we had paid attention to.” Wu calls on his readers to recognize the preciousness of their attention, to reclaim ownership of that attention, and this regain ownership of our life experiences.

-Claire Gartland

News in Brief

As Voters Go To Polls, EPIC Backs "Data Protection 2016," Secret Ballot

With voters heading to the polls for the 2016 Presidential election, EPIC has urged national focus on "data protection," calling it "the most important, least well understood issue" of this election season. Together with Common Cause and Verified Voting, EPIC also published a report on the importance of the secret ballot for democratic decision making. And EPIC's Freedom of Information Act litigation has uncovered flaws in online voting reported by the Department of Defense in a 2011 report. EPIC is non-partisan, educational organization and does not endorse candidates for public office.

European Parliament Explores Algorithmic Transparency

A hearing today in the European Parliament brought together technologists, ethicists, and policymakers to examine "Algorithmic Accountability and Transparency in the Digital Economy." Recently German Chancellor Angela Merkel spoke against secret algorithms, warning that that there must be more transparency and accountability. EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), Cahen v. Toyota (autonomous vehicles), and algorithms in criminal justice. EPIC has also proposed two amendments to Asimov's Rules of Robotics, requiring autonomous devices to reveal the basis of their decisions and to reveal their actual identity.

EPIC, Consumer Coalition Defend FTC Authority Over Common Carriers

EPIC joined a coalition of consumer advocates to challenge a recent federal court decision that would limit the Federal Trade Commission's authority over companies engaged in "common carrier" activities. In an amicus brief filed with the Ninth Circuit Court of Appeals, the consumer coalition urged reconsideration of the court's decision that the common carrier exemption to FTC authority is status-based, not activity-based. The brief warned the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." Internet companies such as Google that offer some broadband service could be entirely exempt from consumer protection regulation. EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."

House Members Urge FTC to Examine Internet-of-Things

In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," 'consumer products, and "always on" devices. EPIC recently urgedthe federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."

Second Legal Challenge Launched Against "Privacy Shield"

La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in related case brought by privacy advocate Max Schrems.

EPIC in the News

• EPIC Wants FBI To Disclose Biometric Data-Sharing, Law360, November 16, 2016
• EPIC Sues FBI Over Biometric Database Records, On the Wire, November 15, 2016
• UK Watchdog: Facebook To Suspend Use Of WhatsApp Data For Ad Targeting, MediaPost, November 7, 2016
• Where Traditional DNA Testing Fails, Algorithms Take Over, ProPublica, November 4, 2016
• Louisville Police Have Quietly Built A Massive Online Monitoring Operation, WFPL Louisville, November 4, 2016
• Digital advertisers battle over online privacy, The Economist, November 3, 2016
• United States: What Is The FTC Doing About Privacy And Drones?, Mondaq, November 3, 2016
• Security Risks Still Plague Online Voting, Vocativ, November 2, 2016
• WhatsApp Blasted by EU Data Protection Group Over Facebook Sharing, Threatpost, November 1, 2016
• Facebook claims it can collect user biometric data without consent, BiometricUpdate, November 1, 2016
• How computers get out the vote, Science News for Students, November 1, 2016

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (Sept. 2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

November 21 - 23, 2016
59th Meeting of the International Working Group
Marc Rotenberg, EPIC President
International Working Group on Data Protection in Telecommunications
Berlin, Germany

December 7, 2016
Fall Technology Series: Smart TV
Claire Gartland, Director, EPIC Consumer Privacy Project
Federal Trade Commission
Constitution Center
Washington, DC

December 7 - 8, 2016
Internet Governance Forum 2016
“Encryption and Safety of Journalists in the Digital Age”
“Reporting on the OECD Digital Economy Ministerial”
Marc Rotenberg, EPIC President
Zapopan, Jalisco, México

December 12 - 13, 2016
National Academies of Science
“Big data and privacy”
Marc Rotenberg, EPIC President
Washington, DC

December 14, 2016
2016 Cato Surveillance Conference
Alan Butler, EPIC Senior Counsel
Washington, DC

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC