EPIC Alert 24.02

1. EPIC Sues FBI and ODNI for Details of Russian Hack of 2016 Election

EPIC has filed two Freedom of Information Act lawsuits, one against the Federal Bureau of Investigation and a second against the Office of the Director of National Intelligence, to obtain information about the extent of Russian interference with the 2016 Presidential election.  Both complaints challenge the respective agency's failure to make a timely decision concerning EPIC's request for expedited processing of each FOIA request. EPIC's chief concern in these suits is the use of cyber attacks to destabilize democratic institutions.

In EPIC v. FBI, EPIC seeks to uncover details of the FBI's response to the Russian interference after the press reported a lax response by the agency. EPIC is pursuing the records to help the "public.. evaluate the FBI response to the Russian interference, assess threats to American democratic institutions, and to ensure the accountability of the federal agency with the legal authority to safeguard the American people against foreign cyber attacks."

In EPIC v. ODNI, EPIC is seeking the release of the complete ODNI report on the Russian interference with the 2016 election. A limited, declassified version of the report was published in early January. As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions."

Both the FBI and the ODNI are now required to provide answers to the EPIC complaints. A federal judge will next set a scheduling order for the production of documents EPIC is seeking.

More information about the EPIC FOIA lawsuits concerning Russian interference with the 2016 Presidential election is available on the EPIC v. ODNI case page and the EPIC v. FBI case page. The US Congress has held several hearings on the Russian interference, and EPIC submitted a statement to the Senate Armed Services Committee. An investigation by the Senate Select Committee on Intelligence is also underway. EPIC will continue to press the FBI and ODNI for details of the Russian interference.

2. Pompeo Confirmed as CIA Director, Privacy Concerns Remain

On January 23rd, the U.S. Senate confirmed Rep. Mike Pompeo to be Director of the CIA by a vote of 66-32. EPIC sent a statement to the Senate Select Committee on Intelligence highlighting Pompeo's troubling statements on privacy and surveillance. EPIC warned the Senate Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people."

In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC told the Senate Committee that the proposal "poses a direct threat to the privacy and security of Americans. The CIA must not get into the business of profiling Americans, based on the posts they make to friends on social media or their 'lifestyles.'"

EPIC did, however, express support for Mr. Pompeo's view that it would be a mistake for the U.S. government to promote weakened encryption. As Mr. Pompeo explains, "terrorists would simply switch to foreign or home-built encryption [and] new technologies can cloak messages in background noise, rendering them difficult to detect." In the recent encryption battle Apple v. FBI, EPIC argued in its amicus brief that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States.

The CIA has a long history of unlawful surveillance. EPIC has pursued Freedom of Information cases with the CIA concerning the agency's unlawful embedding of agents with the NYPD to spy on Muslims and persons of Arab descent, and the agency's unconstitutional spying on the staff members of the US Senate.

EPIC also submitted statements on the nomination of Jeff Sessions for Attorney General, Wilbur Ross for Commerce Secretary, Nikki Haley for UN Ambassador, Elaine Chao for Transportation Secretary, and Thomas Bossert for White House Homeland Security Advisor.

3. EPIC Urges Federal Appeals Court to Safeguard Donor Privacy

EPIC has filed a "friend-of-the-court" brief in Americans for Prosperity Foundation v. Harris, a donor privacy case before the Ninth Circuit Court of Appeals. EPIC is opposing a California law which requires nonprofit organizations to file tax forms each year with detailed information about individuals who donate to charitable causes.

EPIC said that this reporting requirement "infringes on several First Amendment interests, including the free exercise of religion, the freedom to express views without attribution, and the freedom to join in association with others without government monitoring." EPIC traced the history of anonymous giving in Christianity, Islam, and Judaism: "Since the days of Seneca and Maimonides, philosophers have recognized the importance of donation without recognition." 

EPIC also explained that California has "failed to implement basic data protection standards" for donor information.  The State mistakenly published more than a thousand donor lists from the Registry of Charitable Trusts online. Order at 9. This included the names and addresses of hundreds of donors to Planned Parenthood Affiliates of California--information with the potential to be "very damaging" to those donors. EPIC wrote that "the solution lies in a basic tenet of data protection: don't collect what you can't protect."

EPIC, an organization dedicated to privacy protection, has itself taken measures to safeguard donor privacy. These include (1) encouraging anonymous contributions; (2) withholding the name of donors when requested; (3) not selling, transferring, trading, or otherwise disclosing the names of donors, except where required by law; and (4) promoting techniques that permit anonymous contributions.

EPIC said, "Anonymous charitable contributions are time-honored, widely recognized, and constitutionally protected. Yet the Attorney General's mandatory collection of sensitive donor information and inability to safeguard the information gathered impermissibly burdens First Amendment interests."

EPIC has argued for similar Constitutional privacy rights in amicus briefs before the Supreme Court in Packingham v. North Carolina, Doe v. Reed, Watchtower Bible v. Stratton, and Patel v. Los Angeles.  In Forensic Advisors, Inc. v. Matrixx Initiatives, Inc., EPIC argued that the First Amendment right to read anonymously meant that a reporter could not be compelled to disclose a list of subscribers.

EPIC has also filed or joined amicus briefs arguing that the First Amendment prohibits compelled disclosure of petition signatories (in Doe v. Reed), the issuance of National Security Letter gag orders (Gonzales v. Doe), and the blanket nondisclosure of information about NSLs (In re National Security Letter).

4. White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office

As one of the final acts of outgoing President Barack Obama, the White House released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." The report is no longer available on the White House website, but EPIC has preserved an archived version of the report available here.

Former President Obama penned a foreword to "Privacy in our Digital Lives," emphasizing that "privacy has never been more at risk" than today. Obama also recognizes that "there remains much to be done to keep this priority at the forefront of national policymaking, and to ensure that the freedoms we cherish as Americans are preserved for future generations." The report outlines the current legal framework of privacy protections in the US, focusing on regulations, legislative initiatives, and multistakeholder processes developed under the Obama Administration.

In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America.

In 2012, President Obama proposed a Consumer Privacy Bill of Rights, which EPIC strongly supported. Obama stated that "even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."

After Edward Snowden's 2013 revelations on the National Security Agency's surveillance activities, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place in early 2016 even after civil society groups urged comprehensive reforms in the US and the European Union. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures, and cyber-attack. The US is still one of the few democratic nations in the world without a data protection agency.

5. EPIC Defends Right of Data Breach Victims to Seek Legal Relief

EPIC has filed a "friend-of-the-court" brief urging the federal appeals court in Washington, DC to protect consumers' ability to sue the companies that fail to safeguard their personal information.

A group of consumers filed suit against health insurer CareFirst after the company's faulty security practices allowed hackers to obtain the personal information of approximately 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations.

EPIC explained that the court misunderstood the relevant law and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data.

"If a company fails to comply with its obligation to safeguard personal data that it chooses to collect and store, consumers should be able to seek redress," EPIC wrote. "Requiring consumers to demonstrate consequential harm . . . runs contrary to decades of well-established precedent."

EPIC also argued that the lower court wrongly "ignor[ed] the deterrent role that civil litigation can play in mitigating the risks posed by dangerous security practices."

"Data breaches, though prevalent, are not inevitable; reasonable data security measures can prevent many of the most common forms of criminal hacking," EPIC wrote. "But until data breach victims can hold companies legally accountable for their lax security, data breaches will continue to occur at an alarming pace."

EPIC has filed numerous amicus briefs in consumer privacy cases clarifying the issues of injury, harm, and standing, which have been the source of widespread confusion since the Supreme Court's decision in Spokeo v. Robins. In July, EPIC told the Eighth Circuit appeals court that plaintiffs need not prove consequential harm to sue companies that fail to protect their data. And in October, EPIC told the Seventh Circuit appeals court that consumers can sue corporations which allow customer data to be breached without having to wait for fraud or identity theft to occur.

News in Brief

Trump Order Threatens Consumer Protection, Public Safety 

The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.

EPIC Gives 2017 International Privacy Award to Alexander Dix  

EPIC has awarded the 2017 International Privacy Champion Award to German Privacy expert and open government advocate Alexander Dix. Dr. Dix served as Commissioner for Data Protection and Access to Information in Berlin, as well as Chair of the International Working Group on Data Protection. The EPIC award was presented at the annual conference on Computer, Privacy, and Data Protection in Brussels. The EPIC Champion of Freedom Awards will be presented on June 5, 2017 at the National Press Club in Washington, DC. Press Release.

EPIC FOIA: EPIC Obtains FBI-DoD Biometric Data Plans

Through a Freedom of Information Act lawsuit, EPIC has obtained several memoranda of understanding regarding the transfer of biometric identifiers between the Federal Bureau of Investigation and the Department of Defense. One of the agreements, which includes the State Department, calls for "a direct conduit for the parties to access databases storing biometric information." Last year, EPIC filed extensive comments scrutinizing the FBI's proposal to remove Privacy Act safeguards from the Bureau's massive biometric database known as "Next Generation Identification." EPIC also led a coalition effort urging Congress to hold an oversight hearing on the FBI database. The case is EPIC v. FBI, No. 16-2237 (D.D.C. filed Nov. 10, 2016) (Biometric Data Transfer Agreements).

Aspen Institute Report Explores Artificial Intelligence

The Aspen Institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA.

EPIC Celebrates International Privacy Day

On January 28, EPIC celebrates International Privacy Day, which commemorates Convention 108, the first international treaty for privacy and data protection. EPIC and consumer organizations have urged the United States to ratify the International Privacy Convention. NGOs and Privacy experts have also expressed support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore.

EPIC Seeks Public Release of Secret Directive on Cybersecurity

EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States.

Federal Agencies Issue New Common Rule Regs, Delay Privacy Safeguards

The Department of Health and Human Services, along with fifteen other federal agencies, released a final revision for the Common Rule which establishes privacy rights for personal information collected from human subjects in federally funded research. EPIC submitted extensive comments, urging the agencies to adopt strong privacy protections for personal data for the revised Common Rule. However, the federal agency deferred new safeguards, as well as privacy guidance for internal review boards, claiming that current privacy laws were adequate.

Pew Survey Finds Majority of Americans Are Data Breach Victims

According to a new public opinion study from the Pew Research Center, 64% of Americans have personally experienced a major data breach, and 49% feel that their personal information is less secure than it was 5 years ago. Pew also found that 41% of Americans have dealt with fraudulent charges on their credit card, and 15% have received notice that their Social Security number had been compromised. Pew found that a substantial majority (70%) of Americans anticipate major cyberattacks in the next five years on our nation's public infrastructure. The EPIC Data Protection campaign highlights the need to improve privacy safeguards in the United States.

FTC Issues Report on Cross-Device Tracking

The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry-self regulation and application of the unworkable "notice and choice" approach to this new practice.

Trump Administration Limits Scope of Privacy Act

Less than one week in office, the Trump Administration has published an Executive Order that limits the application of the federal Privacy Act. The Order states that "Agencies shall . . . ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act . . ." Few U.S. privacy laws distinguish between U.S. and non-U.S. citizens. The Privacy Act is an exception. Some efforts were made in the last few years to update the Privacy Act, a law adopted in 1974, as the federal government now collects detailed personal information on non-U.S. citizens. The reforms were also considered legally necessary to permit U.S. firms to obtain access to the data of European consumers.

Supreme Court Won't Review Decision That Struck Down Texas Voter ID Law

The U.S. Supreme Court has declined to review a ruling by the Fifth Circuit Court of Appeals that a Texas voter ID law violates the Voting Rights Act. The decision means that Texas won't be able to enforce the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the appeals court held that the Texas Law had a "discriminatory effect" on minorities' voting rights and remanded the case to the lower court. Texas petitioned the Supreme Court to review the decision, but the court refused to do so Monday. EPIC filed an amicus brief arguing that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC told the court.

Intelligence Director Releases Report on Signals Intelligence Reform

The Director of National Intelligence released a final progress report from the Obama administration on signals intelligence reform. The DNI report detailed the agency's efforts under Presidential Policy Directive 28 to increase transparency and accountability. Clapper also highlighted the Privacy and Civil Liberties Oversight Board's oversight role and stated that transparency is "difficult, but also, in my view, essential." The DNI stated, "The IC routinely provides the Board with the information and access it requests to carry out its oversight duties." The report also notes implementation of the Freedom Act, which prohibits the bulk collection of domestic telephone records. EPIC has supported enhanced transparency for the Intelligence Community and filed a Supreme Court petition to end the bulk data collection program.

EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills

EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.

US Designates Countries Covered Under the Judicial Redress Act

During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.

EPIC Urges Senate Committee to Ensure UN Ambassador Supports International Privacy Convention

EPIC has sent a statement to the Senate Foreign Relations Committee urging the next UN Ambassador to advocate for human rights, particularly the right to privacy and the right to freedom of expression as set out in the Universal Declaration of Human Rights. EPIC also wrote that the UN Ambassador should support US ratification of the Council of Europe Privacy Convention, which is critical to the continued flow of personal data around the world. EPIC and consumer organizations have called on the United States to ratify the Privacy Convention. Next week, many countries around the world will recognize January 28, International Privacy Day, which celebrates the International Privacy Convention.

EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield

EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

February 3, 2017
The Freedom of Information Act: A Tool for Transparency, Knowledge, and Litigation
Alan Butler, EPIC Senior Counsel
The Catholic University Law Review
Washington, DC

February 10, 2017
The State of Cyberlaw: Security and Privacy in the Digital Age
Jeramie D. Scott, EPIC National Security Counsel
University of Maryland School of Law
Baltimore, MD

March 3, 2017
"Disruptive Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC
