EPIC Alert 24.03

1. EPIC Launches Project on Cybersecurity and Democracy

EPIC has launched a new project on Democracy and Cybersecurity to address growing concerns about cyber attacks on democratic institutions.

"In the last several months, we have seen a dramatic increase in the risks to democratic institutions," said Marc Rotenberg, President of EPIC.

"There is now widespread concern about the Russian interference with the 2016 US Presidential Election. We need enhanced cybersecurity that is transparent and accountable," continued Mr. Rotenberg.

The new EPIC project will take a broad look at the relationship between democratic institutions and cybersecurity policy. The project will examine three key areas: election integrity, foreign interference with democratic decision-making, and cyber policy. The Project will build on EPIC's policy expertise, open government litigation, and collaboration with international organizations.

Beginning with the first Congressional hearing in 2017, EPIC asked political leaders in both parties to focus on cyber attacks concerning the US presidential election. EPIC has urged Congress to update federal data protection laws and to establish a data protection agency to address the growing risk of data breach and identity theft.

EPIC also filed two Freedom of Information Act lawsuits to obtain information about the extent of Russian interference with the 2016 Presidential Election. In EPIC v. FBI, EPIC is seeking to determine the FBI response to knowledge of the Russian interference with the Presidential election. In EPIC v. ODNI, EPIC is seeking to obtain the public release of the complete report concerning the Russian interference with the election. EPIC's Marc Rotenberg also met recently with former Director of National Intelligence James Clapper and former Presidential Cyber Security Advisory Lisa Monaco.

EPIC will be honoring former world chess champion and pro-democracy reformer Garry Kasparov on June 5, 2017 at the National Press Club. Kasparov is author of Winter is Coming: Why Vladimir Putin and the Enemies of the Free World Must be Stopped. Kasparov has warned repeatedly that the Russian government would seek to undermine democratic institutions in the United States and Europe.

2. EPIC Participates in Irish Case on Future of EU-US Data Transfers

Data Protection Commissioner v. Facebook, a high-profile case concerning privacy protection for transatlantic data transfers, continues this week in Ireland. EPIC is participating as amicus curiae.

The case follows a landmark decision invalidating an international arrangement for transferring data in light of the U.S. surveillance regime. In the challenge by privacy advocate Max Schrems, the Court of Justice of the European Union found insufficient legal protections for the transfer of European data to the United States.

In this related case, "standard contractual clauses," a second mechanism for transferring data, are also being challenged for their failure to protect privacy. Mr. Schrems contends that Facebook still cannot transfer his data due to U.S. surveillance practices. The Irish High Court designated EPIC as the US NGO amicus curiae in the case to offer a "counterbalancing perspective from the US Government" on US law.

EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all.

3. EPIC Pursues FOIA Requests at DHS Concerning Aerial Surveillance, Social Media Monitoring, and ID Theft

EPIC has submitted an urgent FOIA request to the Department of Homeland Security concerning aerial surveillance, social media monitoring, and identity theft. The request follows up on statements made by DHS Secretary John Kelly during a recent Congressional hearing.

On February 7, Secretary Kelly told the House Committee on Homeland Security about the department's plans to expand the use of "aerostats" (surveillance blimps) and monitoring of social media.

"Say we want to ask [immigrants at the border] what websites do they visit and give us their password so that we can see what they do," Secretary Kelly told the committee. "If they really want to come to America, they will cooperate."

The Secretary also stated that he has been a victim of data breach. "I'm very sensitive to [cybersecurity] because I was one of the five million or so Americans who had all of their information stolen a couple of years ago, and all I got was, 'General Kelly, all of your data has been stolen, good luck.' So we've got to do better than that."

In the FOIA request, EPIC noted that Secretary Kelly's statements "establish an urgent need for immediate, regular DHS transparency in sensitive domestic security operations like aerial and social media surveillance."

EPIC's FOIA request follows earlier cases brought by EPIC which revealed efforts by the DHS to expand aerial surveillance within the United States, to develop techniques for "pre-crime" detection, to interrupt Internet service, and to impermissibly monitor social media services and news organizations.

4. FTC Reaches Settlement with VIZIO Over Smart TV Tracking

The Federal Trade Commission and the Office of the New Jersey Attorney General have reached a $2.2 million settlement with smart TV manufacturer VIZIO over the company's tracking of consumers' viewing habits without their knowledge or consent.

According to the complaint, VIZIO installed software on more than 11 million TVs to collect viewing data without consumers' knowledge or consent. VIZIO also combined this viewing data with specific demographic information about the viewers, including sex, age, income, marital status, household size, education, and home value. The company then sold this enhanced data to third parties for targeted advertising across consumer devices connected to the IP address shared by the smart TV. The complaint alleged that VIZIO's data tracking without consumers' informed consent was an unfair and deceptive trade practice in violation of the FTC Act and the New Jersey Consumer Fraud Act.

The settlement agreement requires VIZIO to delete all viewing data collected prior to March 1, 2016. The company is also required to notify consumers, "separate and apart from any 'privacy policy,' 'terms of use' page, or other similar document," the types of information collected, used, and disclosed to third parties, and the purposes for which that information is disclosed. VIZIO must obtain consumers' "affirmative express consent" to engage in data collection and allow consumers to revoke their consent at any time.

Acting FTC Chairman Maureen Ohlhausen issued a statement concurring with the settlement, noting that viewers "do not expect televisions to collect and share information about what they watch." Ohlhausen further explained that the FTC's action establishes television viewing data as "sensitive information" and that disclosing this data without consumers' consent causes substantial injury. In a blog post on the settlement, the FTC advised consumers that "[s]mart TVs should not track your shows without your O.K."

EPIC previously filed a complaint with the FTC over Samsung's smart TV data collection practices, including its "always on" voice recognition feature. EPIC's complaint explained that Samsung deceived consumers by not effectively disclosing the spying capabilities of its smart TV, leaving the majority of consumers unaware that their television is routinely intercepting and recording the private communications within their homes. EPIC has also defended the privacy of consumers' TV viewing habits in a federal court case involving the Video Privacy Protection Act.

5. EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy, and Protect Public Safety

EPIC sent a letter to the House Energy and Commerce Committee prior to a hearing on the reauthorization of the National Telecommunication and Information Administration. EPIC urged Congress to consider the substantial privacy and security risks that consumers face due to online tracking and Internet of Things surveillance. EPIC reminded the Committee that millions of individuals have been harmed by massive data breaches in recent years and that strong privacy and cybersecurity measures are needed. EPIC was also critical of the NTIA's multistakeholder processes, which tend to result in weak, voluntary self-regulation regimes that do little to protect consumer privacy.

This was the first reauthorization hearing of the NTIA since 1992 and many members of Congress recognized the need to modernize the agency. There were a number of questions about which agency should lead policy development in connected devices and whether too many agencies are involved in Internet of Things regulations. The hearing witnesses acknowledged that a number of agencies that historically would not deal with cybersecurity are now involved in that field because traditional products and services are increasingly connected to the internet. The witnesses also noted that the increase of connected devices across a number of industries required coordination among government agencies as well as strong cybersecurity and privacy protections. EPIC has long called for the creation of a U.S. data protection agency to address these concerns.

EPIC has continually warned of growing risks to consumer privacy and public safety. EPIC has testified before Congress, participated in court cases, and filed complaints with the FTC regarding connected cars, smart homes, consumer products, and "always on" devices.

News in Brief

EPIC Asks Congress To Examine Privacy and Safety Concerns for Connected Cars

EPIC has sent a letter to a House committee on Digital Commerce and Consumer Protection for a hearing on "Self-Driving Cars: Road to Deployment," urging the establishment of privacy and safety measures for connected cars. EPIC warned that connected vehicles raise substantial risks for consumers. EPIC explained that voluntary guidance and self-regulation do not provide meaningful protection. EPIC has testified before Congress and submitted detailed comments on the need for privacy and safety standards for connected vehicles.

EPIC Urges Senate Committees to Protect Democratic Institutions

EPIC has sent letters to two Senate Committees investigating Russian interference with the 2016 Presidential Election. In letters to the Senate Judiciary Committee and Senate Foreign Relations Committee EPIC described two Freedom of Information Act cases against the FBI and the ODNI to obtain records about the scope of activities aimed at undermining democratic institutions. EPIC explained that upcoming federal elections in Europe underscore the need to understand the cyber threat to democratic elections.

EPIC, Coalition Urge OMB to Preserve Access to Public Information

EPIC and a coalition of over sixty organizations urged the Office of Management and Budget to preserve access to government information online. In a letter, the coalition called on OMB to ensure agencies give the public notice required by law before removing information. The coalition warned that agencies have begun removing information on topics "such as animal welfare, individuals with disabilities, climate change, and more from their websites." EPIC routinely advocates on behalf of open government and transparency. EPIC is currently pursuing two Freedom of Information Act lawsuits for records related to the Russian interference in the 2016 Presidential election.

EPIC Urges Congress to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures

In advance of a hearing on "Strengthening U.S. Cybersecurity Capabilities," EPIC has sent a letter to the House Science Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency.

States Recognize Data Privacy Day

Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act.

Senators Calls for Answers from Secretary Kelly on Privacy Act Exclusion

In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States.

Pew Research Center Releases Report on Algorithms

The Pew Research Center has released a report, "Code-Dependent: Pros and Cons of the Algorithm Age." The Pew report discusses the impact that experts expect algorithms to have on individuals and society. Among the themes in the report are the biases and lack of human judgment in algorithmic decision-making and the need for "algorithmic literacy, transparency, and oversight." EPIC has promoted "Algorithmic Transparency" for many years and has proposed two amendments to Asimov's Laws of Robotics that would require autonomous devices to reveal the basis of their decisions and their actual identity.

Acting FTC Chair Outlines Consumer Protection Priorities

In a recent speech, Acting Federal Trade Commission Chairwoman Maureen Ohlhausen outlined her priorities for consumer protection. Ohlhausen recognized that "a notice-and-choice approach to privacy may not adequately protect consumers" but advocated a market-focused "harms-based approach" to privacy. She pointed to recent settlements with Ashley Madison and Eli Lilly as cases involving significant non-financial harm to consumers. Ohlhausen also proposed making the results of all FTC data security investigations public, not only those that result in enforcement actions. EPIC supports increased transparency in FTC actions but has explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" and "harms based" approaches are insufficient to protect consumer privacy.

EPIC FOIA: EPIC Seeks Information About Immigration Executive Order

EPIC has filed an urgent FOIA request with the Department for Homeland Security for further information about a DHS press release on "Compliance With Court Orders And The President's Executive Order." The DHS Press Release follows an Executive Order on entry to the United States and a series of court decisions suspending the Order. EPIC is now seeking details about the DHS's activities, including communications with other agencies, communications with airlines, and legal memos supporting the agency's actions. The Inspector General of DHS also announced an investigation to review "allegations of individual misconduct on the part of DHS personnel." EPIC cited both an "urgency to inform the public" and "exceptional media interest" in questions about the "government's integrity" in support of the request for expedited processing. EPIC will continue to press the DHS for prompt release of the documents sought. More information about EPIC's FOIA work is available on the FOIA Case page.

House to Consider Narrow Update for Communications Privacy Law

Congress is scheduled to consider the "Email Privacy Act" (H.R. 387) next week. The bill passed the House 419-0 last session. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.

EPIC FOIA: EPIC Obtains Details of U.S. Government-Industry Meeting to Combat ISIL Online

As a result of a Freedom of Information Act request, EPIC obtained documents detailing a DOJ and White House meeting with top industry representatives to help combat ISIL's online influence. The February 2016 meeting, called the "Madison Valleywood Project," convened a range of industry members to "collaborate in generating and amplifying compelling content that would undermine ISIL's online messaging and recruitment efforts." A series of slides set the stage for the project, proposing counter strategies like "disrupting their digital landscape" and encouraging use of data metrics to track success. EPIC routinely pursues FOIA requests and lawsuits to improve government oversight and accountability. In 2012, EPIC prevailed in a lawsuit against DHS revealing the agency's social media monitoring policies, including instructions to analysts to monitor criticism of the agency. More information about EPIC's FOIA work is available on the FOIA Case page.

EPIC in the News

• Uber's new tracking policy raising privacy concerns, Fox Baltimore, February 15, 2017
• Pew, Elon examine the 'Age of Algorithms', IAPP Daily Dashboard, February 14, 2017
• Cyber attacks threaten democracy, privacy advocates warn, Consumer Affairs, February 14, 2017
• Surveillance in Silicon Valley is hard to avoid , Mercury News, February 9, 2017
• Secure All The Things: AT&T, IBM, Others Form IoT Cybersecurity Alliance, Tom's Hardware, February 9, 2017
• Why is the FBI outsourcing some of its high-tech work to an Israeli company?, Fort Worth Star Telegram, February 8, 2017
• Ramirez Leaves FTC Urging Continued Tech Focus, Bloomberg BNA, February 8, 2017
• http://www.jdsupra.com/legalnews/ftc-will-consider-spying-toy-privacy-37847/, JDSupra, February 8, 2017
• US warns of 'sweeping' ramifications from Schrems-Facebook case, Irish Times, February 7, 2017
• VIZIO Smart TVs Caught Spying On Customers, VIZIO Selling Viewer Data, Inquisitr, February 7, 2017
• Why the Facebook case matters to you, Irish Times, February 7, 2017
• Neural face recognition network tuned with 650,000 pornstar images, Naked Security, February 6, 2017
• All you need to know in the Max Schrems-Facebook case, Irish Times, February 6, 2017
• How app makers increasingly track your every move, Christian Science Monitor, February 6, 2017
• Vizio to pay $2.2M on smart TV data gathering, USA TODAY, February 6, 2017
• Major privacy case to open before High Court in Dublin, Irish Times, February 5, 2017
• 4 Tech Devices That Will Creep You Out, The Merkle, February 5, 2017
• The FBI Is Building A National Watchlist That Gives Companies Real Time Updates on Employees, The Intercept, February 4, 2017
• Uber is making ride-booking data publicly available. Is this a privacy Pandora's box?, WUNC, February 4, 2017
• EPIC Asks Congress To Secure The Internet Of Things, Tom's Hardware, February 2, 2017
• Disclosure Push Threatens Non-Profit Donors' First Amendment Protections, The Daily Caller, February 1, 2017
• Trump Cyber Executive Order Calls for 60-Day Review, Threatpost, February 1, 2017

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

February 16, 2017
"Holding Government Accountable: The Basics of FOIA III"
Marc Rotenberg, EPIC President
EPICFOIA.ORG

February 23, 2017
"Holding Government Accountable: The Basics of FOIA IV"
Marc Rotenberg, EPIC President
EPICFOIA.ORG

March 3, 2017
"Disruptive Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 8, 2017
"Fostering Digital Transformation: The OECD's Role"
Marc Rotenberg, EPIC President
Washington, DC

March 14, 2017
Yale Washington CEO Caucus
Marc Rotenberg, EPIC President
Washington, DC

March 17, 2017
"Privacy, Security, and the Social Contract in Democratic Society"
Marc Rotenberg, EPIC President
58^th Air Force Academy Assembly
Colorado Springs, CO

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
Awardees: Garry Kasparov, Judge Patricia Wald, Carrie Goldberg
National Press Club
Washington, DC