EPIC Alert 24.01

1. EPIC Seeks Expedited Release of Report on Russian Interference in 2016 Election

EPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election.

On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. It stated the report "not include the full supporting information on key elements of the influence campaign."

EPIC is seeking expedited release of the complete, unreacted report. EPIC stated that the Senate Armed Services Committee "recently held a hearing... on the contents of this report," "[f]uture hearings in Congress are scheduled, and legislation is anticipated." The full report is "urgently needed to inform the public debate over imminent Congressional action," EPIC concluded.

EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee ahead of the hearing last week on "Foreign Cyber Threats to the United States" to alert Senators to the request. In a recent letter to the Senate Committee on Homeland Security, EPIC and leading experts also urged Congress to keep a close eye on the White House Homeland Security Advisor.

2. EPIC, Technology Experts Urge Senate Committee to Monitor President's Homeland Security Advisor

In a letter to the Senate Committee on Homeland Security, EPIC and distinguished experts in cyber security, information technology, encryption, and human rights law urged Congress to keep a close eye on the White House Homeland Security Advisor, Thomas Bossert. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people" as the Homeland Security Advisor will be providing advice to the President on homeland security, including cybersecurity, and counterterrorism issues.

EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy.

The EPIC letter called upon the Homeland Security Advisor to make clear his support for strong encryption and technical measures to safeguard personal data and work with Congress to strengthen the federal Privacy Act. The EPIC letter also urged the government to respect privacy obligations and ensure transparency and accountability regarding the Cybersecurity Information Sharing Act.

EPIC has advocated for strong encryption without backdoors since the inception of the organization, including last year during the Apple v. FBI case. EPIC has also raised privacy concerns with the Cybersecurity Information Sharing Act that gives companies free rein to disclose user data to the government.

3. EPIC Urges TSA to Drop REAL ID Data Collection Plan

EPIC recently submitted comments to the Transportation Security Administration urging the agency to reject a proposed information collection plan under the REAL ID Act. The REAL ID Act is a federal law that creates a de facto national identification card by imposing federal standards on state driver's licenses and identification cards. Many states have opposed REAL ID. Under the proposed information collection plan, the TSA now seeks to subject American travelers without a TSA "compliant" ID to broad information collection requirements.

The REAL ID Act was enacted in 2005 as an amendment to a bill that provided tsunami relief and military appropriations, and was passed with little debate and no hearings. EPIC, supported by a broad coalition, opposed the passage of REAL ID because the proposal compromised privacy and enabled government surveillance. When the Department of Homeland Security issued draft regulations implementing the Act in 2007, EPIC provided detailed comments on the many privacy and security threats posed by the legislation and DHS's proposed rules. EPIC subsequently issued a report that examined the costs of implementing REAL ID. EPIC's report found that implementation would be expensive for states while providing little added security or public safety benefits.

Many states also opposed the REAL ID Act on the grounds that it created an unfunded mandate. Others expressed concerns that the government had effectively created a national identification card, something that had been consistently rejected in United States. Several states have passed laws prohibiting the implementation of REAL ID. The TSA plans to refuse acceptance of driver's licenses from these states beginning in January 2018.

Under the TSA's new proposal, the agency plans to introduce a new identity verification process for travelers who do not possess a state driver's license that complies with REAL ID requirements. This process would require an individual to provide personal information and answer a series of questions based on information maintained on that individual in various commercial and government databases.

In comments opposing the TSA proposal, EPIC stated that REAL ID creates a national identification system and poses significant privacy risks to millions of individuals. EPIC further explained that TSA's new information collection plan "will unduly burden millions of people in several states that have rightly chosen not to comply with the REAL ID Act."

4. Senate to Consider Nomination of Senator Sessions for Attorney General

The Senate Judiciary Committee held hearings last week on the nomination of Senator Jeff Sessions for Attorney General.

EPIC submitted a statement to the Committee, stating that "Senator Sessions' record regarding the privacy rights of Americans raises serious questions about his selection as Attorney General." EPIC pointed to Sessions' support for warrantless surveillance of the American people and opposition to government oversight. EPIC's statement noted that Senator Sessions voted against the widely supported USA FREEDOM Act, which ended the NSA's bulk collection of the domestic telephone records of American telephone customers. Sessions also "promoted measures that would make it easier to track Americans in the United States," and "has favored methods of mass surveillance that have since been discredited."

The EPIC statement highlights Senator Sessions' disregard for privacy and free speech rights, quoting his statements during 2005 hearings that mocked the concerns of librarians who opposed government access to library borrower records. Senator Sessions called their views "almost amusing" and compared them to "Woodstock myths." Sessions also opposed Apple in its dispute with the FBI over the availability of strong encryption, and he failed to support efforts to modernize the Electronic Communications Privacy Act, widely favored by Democrats and Republicans.

In Tuesday's hearing, Senator Patrick Leahy questioned Sessions about the nominee's vote against the USA FREEDOM Act. Leahy observed that Sessions was "one of a very, very small minority" that voted against the Act and pressed Sessions to commit not to allow "bulk collection of America's records in violation of the USA FREEDOM ACT."

EPIC has worked extensively on domestic surveillance issues including reform of the Foreign Intelligence Surveillance Act and ending the NSA's bulk data collection.

The Lawyers for Good Government (L4GG) also raised concerns about Senator Sessions' support for the Privacy Act and the Freedom of Information Act, as well as his independence to "prosecute all criminal acts including those that may implicate the President of the United States." The L4GG is "committed to civil liberties, human rights, and a government that protects the life, liberty, and happiness of all Americans."

5. National Academies Releases Privacy Report

The National Academies of Sciences has released a new report that examines how disparate federal data sources can be used for policy research while protecting privacy.

The NAS Statistics and Privacy Report states that privacy must be a "core value" of any use of government data and recommends that federal statistical agencies "adopt modern database, cryptography, privacy-preserving, and privacy-enhancing technologies" and "engage in collaborative research with academia and industry to continuously develop new techniques to address potential breaches of the confidentiality of their data."

"Threats from data breaches and the growing availability of other sources of data that might be used to re-identify individuals or entities require statistical agencies to reconsider how they can maintain data confidentiality," the report notes. "The publication of statistics covering various groups and subgroups requires careful consideration of how to safely release statistical products and of the potential privacy losses that might occur."

The report goes on to warn that "there are fundamental mathematical limits on 'how much' can be computed while maintaining any reasonable notion of privacy: extremely detailed estimates of too many statistics can effectively result in a complete loss of privacy."

EPIC President Marc Rotenberg and EPIC Advisory Board member Cynthia Dwork served on the committee that developed the report. Mr. Rotenberg testified before the Commission on Evidence-Based Policymaking, which is working on increasing access to government data for policy analysis. EPIC also filed comments with the Commission urging it to promote Privacy Enhancing Techniques.

News in Brief

Senate Intelligence Committee Presses FBI to Reveal Russia Investigation

Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation.

Europe to Update Consumer Privacy Rules

The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council.

EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars

EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars, EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles.

Intelligence Director Removes Key Privacy Safeguards for Raw Intelligence

The Director of National Intelligence has announced new rules that permit intelligence agencies to disseminate "raw" signals intelligence without first removing or "minimizing" personal information. EPIC and other civil liberties groups opposed these changes in a letter last year to the Director, explaining that the changes would "fatally weaken existing restrictions on access to the phone calls, emails, and other data the NSA collects." The Director said that the new rules would "prohibit recipient elements from querying raw [intelligence] for a law enforcement purpose." But EPIC previously highlighted the risks of consolidating personal data in a FOIA lawsuit, EPIC v. ODNI, against the Director of National Intelligence.

FTC Sues D-Link Over Poor Security in Internet Routers and Cameras

The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices.

EPIC Calls on FCC to Prohibit Forced Arbitration

EPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.

FTC Responds to EPIC, Consumer Groups About Toys That Spy

The Federal Trade Commission has responded to EPIC's complaint about toys that spy, promising to "carefully review" the filing. EPIC's complaint, filed last month and joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint is part of coordinated, international efforts to ban these toys from the marketplace. Walmart, Toys "R" Us, and stores across Europe have already pulled the toys from their shelves. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of toymaker Genesis Toys and speech technology developer Nuance Communications.

Supreme Court Declines to Review Video Privacy Violations by Google, Viacom

The U.S. Supreme Court declined today to review In re Nickelodeon, a class action suit concerning privacy protections for Internet users under the Video Privacy Protection Act. Last year, a federal appeals court rejected claims that Google and Viacom had violated the statute, holding that static IP and MAC addresses are not "personally identifiable information." That opinion contradicted a previous ruling from a different federal appeals court, which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly "to ensure that the underlying intent of the Act-to safeguard personal information against unlawful disclosure-is preserved as technology evolves."

White House Issues Data Breach Guidance for Federal Agencies

The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personal Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.

Senate Armed Services Committee to Examine Foreign Cyber Threats

The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote "we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States." "Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.

EPIC in the News

• FTC To Look Into Toys That Spy, Law360, January 13, 2017
• Privacy Groups Want FCC To Ban Mandatory Arbitration, Law360, January 13, 2017
• Amazon Echo murder case raises IoT privacy questions for enterprise users, TechRepublic, January 12, 2017
• Can robots keep us safe?, Cosmos, January 12, 2017
• Alexa, what other devices are listening to me?, CNN, January 12, 2017
• Intel report on Russians 'fails to provide critical evidence', WND, January 11, 2017
• Groups Ask DC Circ. To Weigh TSA Body Scanner Incidents, Law360, January 6, 2017
• Obama Exit Memos Feature Cybersecurity; Trump Take Unclear, Bloomberg BNA, January 6, 2017
• Amazon Echo Warrant, Trump Administration Nominees, Spook Digital Privacy Advocates, International Business Times, January 5, 2017
• Privacy Advocates Warn of Potential Surveillance Through Listening Devices Like Amazon Echo, Google Home, Democracy Now, January 4, 2017
• The Watchers, Harvard Magazine, January 3, 2017

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

January 24, 2017
"CPDP 2017 Launch Event: The New Passenger Name Records Directive"
Marc Rotenberg, EPIC President
The Brussels Privacy Hub and Privacy Salon
Brussels, Belgium

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

January 25, 2017
"Algorithms: Too Intelligent to be Intelligible?"
Marc Rotenberg, EPIC President
"The Age of Intelligent Machines"
10th International Conference, Computers, Privacy, and Data Protection 2017
Brussels, Belgium

January 25, 2017
EPIC International Champion of Freedom Award Ceremony
Brussels, Belgium

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

January 27, 2017
10^th National Symposium on Tech Crime and Electronic Evidence
Alan Butler, EPIC Senior Counsel
Toronto, ON Canada

February 10, 2017
The State of Cyberlaw: Security and Privacy in the Digital Age
Jeramie D. Scott, EPIC National Security Counsel
University of Maryland School of Law
Baltimore, MD

March 3, 2017
"Disruptive Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC