EPIC Alert 23.22

1.     EPIC Prevails in Internet Surveillance Case

A federal judge in Washington, DC has granted EPIC substantial attorney's fees in a long-running case against the Department of Homeland Security.

In 2012, EPIC sued DHS for information about the "Cyber Pilot" program, a secret collaboration between DHS, the Department of Defense, and businesses to allow government monitoring of private internet networks. The program applied originally to defense contractors, but a 2012 Executive Order dramatically expanded its scope, raising concerns about violations of federal wiretap law.

EPICs lawsuit secured the release of several thousand pages on the program, including a presentation in which DOD advised private industry on how to best circumvent federal wiretap law.

In an extensive opinion, Judge Gladys Kessler concluded that EPIC "substantially prevailed in this litigation” and credited EPIC with “generating useful new information” about a matter of public concern. “Obviously, issues of national security and privacy are of enormous public importance,” Judge Kessler wrote. “EPIC has shown that its lawsuit ‘add[ed] to the fund of information that citizens may use in making vital political choices.’”

Judge Kessler rejected DHS’s argument that it would have produced the requested documents even without litigation, concluding that “EPIC'S lawsuit caused DHS to release responsive records. . . . Indeed, given these facts, it is hard to believe that DHS would ever have gotten the job done without the Court's supervision.”

EPIC makes frequent use of the Freedom of Information Act to obtain information from the government about privacy and surveillance. In 2014, EPIC won a five-year legal battle to obtain NSPD-54, the foundational legal document for U.S. cybersecurity policy that was cited in DHS’s released “Cyber Pilot” documents.

2. DHS Releases Revised FOIA Regulations, Agrees and Disagrees with EPIC's Suggestions

The Department of Homeland Security has released revised Freedom of Information Act regulations.  The regulations implement several changes to the Department’s rules for obtaining documents according to open government laws, including updates required by the FOIA Improvement Act of 2016. 

DHS issued its proposed rules in July 2015.  In September 2015, EPIC submitted extensive comments on the proposed changes to the agency's open government practices. DHS’s final rules incorporate some of EPIC’s recommendations. The agency maintained a broad definition of "educational institutions" so that individual researchers will be able to access government records at minimal cost and clarified steps that could be taken to delay "administrative closure," a controversial agency practice to terminate processing of FOIA requests.  But the agency disagreed with EPIC about agency referrals, the definition of "commercial interest," and the routine release of public information to the general public. 

Among other changes, the new rules include an extension of the appeals period from 60 to 90 days and restrictions on the circumstances under which DHS may charge fees for an untimely response.  Both changes were required for compliance with the FOIA Improvement Act of 2016. 

EPIC makes frequent use of FOIA to obtain information from the government about surveillance and privacy policy. EPIC recently obtained nonpublic reports through a FOIA lawsuit against the Department of Justice's Inspector General.  EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive "Next Generation Identification" biometrics database.

3. EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles

EPIC has submitted comments to the National Highway Traffic Safety Administration concerning the recently released Federal Automated Vehicles Policy.  The Policy serves as voluntary guidance for the automated vehicle industry and backs the deployment of driverless cars in the United States.

The NHTSA Policy acknowledges privacy concerns raised by automated vehicles and endorses the Consumer Privacy Bill of Rights, which EPIC supports. However, the policy offers only voluntary guidelines, but no mandatory requirements, that car manufacturers should follow to protect driver privacy, safety, and security. The voluntary framework also lacks enforcement mechanisms and proposes to preempt existing state regulations that may provide stronger protections. 

EPIC’s comments urged NHTSA to revise the Policy to require mandatory compliance with the Consumer Privacy Bill of Rights, include more effective oversight and enforcement mechanisms, and abandon efforts to preempt state law. EPIC explained that connected cars already collect massive amounts of driver data, and the potential for consumer surveillance only increases as automated vehicles become more technologically sophisticated. EPIC also warned of physical safety and security issues in automated vehicles, including instances of remotely hacking to take over various driving functions of connected cars. EPIC noted that several states have already adopted laws concerning automated vehicles and urged NHTSA to allow states to continue to craft strong privacy protections in this field.

EPIC has previously submitted comments and testified before Congress on the privacy and security implications of connected cars, as well as the broader Internet of Things.

4. EPIC FOIA: EPIC Obtains Secret Inspector General Reports

Through a Freedom of Information Act lawsuit, EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds, audits of grant programs, and information security audits conducted since 2005. EPIC also obtained an review of a state lab's DNA database.

The DOJ IG conducts investigations, evaluations, and audits for the agency, which facilitate transparency and public understanding of the measures taken to increase the efficiency and effectiveness of the DOJ. IG reports are critical to agency accountability. For example, the IG issued a 2010 report on the Federal Bureau of Investigation’s use of “exigent letters” and other means to obtain telephone records from three unnamed phone companies. The 300-page report concluded that many of the FBI's practices “violated FBI guidelines, Department policy,” and the Electronic Communications Privacy Act. The report established that “the FBI’s initial attempts at corrective action were seriously deficient, ill-conceived, and poorly executed,” and proposed recommendations for improvement.

This IG report led to increased public scrutiny of the FBI’s practices, including a hearing before the U.S. House of Representatives Committee on the Judiciary. These internal agency investigations help to ensure that DOJ is managed in an ethical and responsible manner, and promotes public confidence in the operations of the federal agency.

Despite their importance, not all IG reports are made public. However, the success of EPIC’s lawsuit has ensured that the DOJ IG lives up to the same principles of transparency that it ensures in other agencies.

5. FBI to Monitor Twitter

Contracting documents show the Federal Bureau of Investigation plans to conduct custom searches of all 500 million plus daily Tweets in real-time. EPIC previously warned such overbroad techniques will implicate speech protected under the First Amendment. 

By hiring Dataminr to provide custom Twitter searches, the FBI gains special access to review the entire Twitter “firehose.” As the FBI explained, Dataminr is the only Twitter partner with “direct proprietary access” to “the entire universe of Tweets.” Dataminr also offers the FBI customized data analytics and full technical support. Together, these features allow the FBI to conduct flexible, custom searches of all publicly posted Tweets in real-time.

In a 2012 lawsuit, EPIC successfully obtained documents detailing the social media monitoring program of the Department of Homeland Security. The documents revealed DHS instructed a private contractor to monitor the agency’s critics. EPIC’s work under the Freedom of Information Act led to a Congressional hearing on social media monitoring and government surveillance.

EPIC also forced the disclosure of several contracts between the Government Services Administration and social media companies in 2009. Despite the fact that the data collection practices of federal agency contractors are regularly subject to the Privacy Act, these contracts omitted the privacy obligations of the companies.

News in Brief

Congress to Examine Artificial Intelligence

The Senate Commerce Committee recently held a hearing on "The Dawn of Artificial Intelligence." Experts from industry and academia will provide "a broad overview of the state of artificial intelligence, including policy implications and effects on commerce." In a prepared statement, EPIC urged the Committee to support "Algorithmic Transparency," an essential public policy strategy to make AI accountable. The hearing follows two White House reports -Preparing for the Future of Artificial Intelligence and the National Artificial Intelligence Research and Development Strategic Plan. EPIC is currently litigating several "AI" cases including EPIC v. FAA (drone surveillance), Cahen v. Toyota (autonomous vehicles), EPIC v. CPB (U.S. traveler "risk assessments"), and Secret DNA Forensic Source Code.

Congress Passes Consumer Review Fairness Act, Bans Gag Clauses  

Congress has passed the Consumer Review Fairness Act, a law protecting consumers' right to post negative reviews without fear of retaliation. The bipartisan measure would make it illegal for companies to include non-disparagement clauses in consumer contracts, or to impose penalties or fees for critical reviews. The Federal Trade Commission will enforce the new law, which now awaits President Obama's signature. "By ending gag clauses, this legislation supports consumer rights and the integrity of critical feedback about products and services sold online." said Senate Commerce Committee Chairman John Thune. EPIC has long supported free speech and access to information online.

Government Breaches Continue, Hacker Compromises more than 130,000 Navy Records

In the latest government data breach, the Navy reported that a hacker gathered the personal data of more than 130,000 current and former sailors from a laptop that belonged to a government contractor. Government security vulnerabilities are on the rise. In 2015, the records of more than 21 million federal workers, friends and family members were breached. In 2016, EPIC urged candidates for office to focus on "data protection." EPIC has warned that inaccurate, insecure, and overbroad government databases pose a risks to the safety of Americans. Earlier this year, EPIC urged the Dept. of Defense and Dept. of Homeland Security to drop proposals to expand government databases that lacked adequate privacy safeguards.

New Study Shows Global Increase in Comprehensive Privacy Protections

An updated study by David Banisar of the human rights organization Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications - The Privacy Law Sourcebook 2016 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a federal privacy agency and to enact comprehensive privacy legislation.

EPIC Asks FTC to Continue "Disposal Rule"

In comments to the FTC, EPIC continued support for the FTC's Disposal Rule, which requires that businesses to take reasonable steps to protect consumer information against unauthorized access or use. EPIC told the FTC that the Rule protects consumers from identity theft. EPIC backed the initial Disposal Rule. In the 2016 comments, EPIC explained that information that can identify an individual should be covered by the rule.

EPIC in the News

• Tech Under Trump, WNYC, November 30, 2016
• FBI Sued Over Mass Gathering Of Biometric Data, Mintpress, November 30, 2016
• How To Stop Uber From Collecting Your Location Data On iOS And Android Devices, International Business Times, November 30, 2016
• Uber begins background collection of rider location data, TechCrunch, November 29, 2016
• Trump Proposes an Advocate of Mass Public Surveillance as CIA Chief, Scientific American, November 23, 2016
• Body Scanners Balance Security, Privacy, DC Circ. Told, Law360, November 23, 2016
• Autonomous Cars Need Strong Privacy Rules, Says EPIC, Law360, November 23, 2016
• Facebook Fake News Problem Puts Spotlight on Company's Outsize Power, Inc.com, November 17, 2016

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (Sept. 2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (Apr. 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec.2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

December 6, 2016
Public Policy Forum on Cybersecurity
The Maryland Cybersecurity Council
Claire Gartland, Director, EPIC Consumer Privacy Project
Adelphi, Maryland

December 7, 2016
Fall Technology Series: Smart TV
Claire Gartland, Director, EPIC Consumer Privacy Project
Federal Trade Commission
Constitution Center
Washington, DC

December 7 - 8, 2016
Internet Governance Forum 2016
“Encryption and Safety of Journalists in the Digital Age”
“Reporting on the OECD Digital Economy Ministerial”
Marc Rotenberg, EPIC President
Zapopan, Jalisco, México

December 12 - 13, 2016
National Academies of Science
“Big data and privacy”
Marc Rotenberg, EPIC President
Washington, DC

December 14, 2016
2016 Cato Surveillance Conference
Alan Butler, EPIC Senior Counsel
Washington, DC

January 25, 2017
EPIC International Champion of Freedom Award Ceremony
Brussels, Belgium

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

January 27, 2017
10^th National Symposium on Tech Crime and Electronic Evidence
Alan Butler, EPIC Senior Counsel
Toronto, ON Canada

March 3, 2017
“Disruptive Technologies”
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC