EPIC Alert 24.04

1. EPIC Prevails in FOIA Lawsuit for FBI Privacy Assessments

EPIC recently prevailed in a Freedom of Information Act case regarding a request for Privacy Impact Assessments ("PIAs") and Privacy Threshold Analyses ("PTAs") prepared by the Federal Bureau of Investigation. EPIC initially requested these documents in 2014. The documents that were returned by the FBI were heavily redacted. EPIC subsequently challenged the adequacy of the FBI's search as well as the FBI's claim that documents could be withheld under a FOIA exemption that protects agency materials that concern law enforcement "techniques or procedures." However, the court concluded that the FBI had not done an adequate search or properly claimed the exemption. The court ordered the FBI to supplement the documents that had previously been produced with more complete versions.

PIAs and PTAs are products of the E-Government Act of 2002, which requires agencies to perform such assessments under certain circumstances and to make those assessments public if practicable to do so. Although the FBI had indicated that it intended to do a number of PIAs in 2014, none were made available to the public. However, members of the FBI testified before Congress that the agency was producing PIAs for programs involving facial recognition and drone use. Furthermore, EPIC received e-mails as the result of a separate FOIA request stating that a PIA had to be done for the FBI's license plate reader program. As a result, EPIC issued a FOIA request to have the documents released.

Upon receiving heavily redacted PIAs and PTAs, EPIC sued the FBI and ultimately moved for summary judgment regarding the adequacy of the FBI's search and seeking a stronger justification for the FBI's claim that the records were exempt for law enforcement purposes. The court determined that the FBI failed to sufficiently detail how it conducted its search for the requested documents. Furthermore, the court determined that the PIAs and PTAs were not created for law enforcement purposes because they were created pursuant to a federal statute. However, the court stopped short of ordering production of the requested documents and instead has given the FBI time to supplement the record to better detail its search procedures and the exemption that it has claimed.

EPIC routinely issues FOIA requests to various government agencies seeking information on government surveillance and privacy policy. EPIC currently has issued several complaints based on FOIA requests, including requests against the FBI for a biometric data transfer agreement with the Department of Defense and for records detailing the FBI's response to foreign cyber attacks against democratic institutions in the United States. EPIC is also currently seeking the complete Office of the Director of National Intelligence assessment of Russian interference in the 2016 Presidential Election.

2. Supreme Court Hears Arguments in Internet Censorship Case, Quotes EPIC Amicus Brief

The U.S. Supreme Court heard oral arguments Monday in Packingham v. North Carolina, a case concerning internet censorship. At issue is a state law that bars people listed in a sex offender registry from accessing any commercial website that allows users under 18 to create profiles and communicate online. This ban reaches broadly, covering major news sites such as the New York Times and CNN.

The defendant, Lester Packingham, was convicted under the North Carolina law for posting "God is Good!" on Facebook after a traffic ticket was dismissed. A Durham police officer spotted Packingham's profile while searching through Facebook for potential violations. Packingham appealed his conviction, arguing that the law violates the First Amendment.

EPIC filed a "friend-of-the-court" brief in the case, joined by thirty-five technical experts, legal scholars, and civil liberties organizations. EPIC explained that the law violates the First Amendment right to receive information, censors vast amounts of speech unrelated to protecting minors, and will lead to widespread government monitoring of all internet users. "The state can no more criminalize what an individual chooses to read on a personal electronic device than it can restrict the contents of a home library: the privacy of both is sacrosanct," EPIC wrote.

Justice Ginsburg, quoting the opening line of EPIC's brief, noted at Monday's argument that "the First Amendment includes not only the right to speak, but the right to receive information."

EPIC regularly files amicus briefs with the US Supreme Court on emerging privacy and civil liberties issues. EPIC previously argued for First Amendment privacy protections in Doe v. Reed, Watchtower Bible v. Stratton, and Los Angeles v. Patel. A decision is expected in Packingham v. North Carolina this spring.

3. EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017

EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017.

"American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote. "Sensitive personal information is collected by many companies that simply do not do enough to safeguard consumer privacy," the letter continues, and "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time."

The letter asks the FTC to:

  1. enforce existing consent orders,
  2. incorporate public comments on proposed settlement agreements,
  3. mandate Fair Information Practices in privacy settlements,
  4. promote transparency,
  5. seek greater consumer protection authority,
  6. pursue actions based on unfairness instead of relying on "notice and choice,"
  7. oppose mergers that threaten privacy,
  8. produce concrete outcomes from the FTC's workshops,
  9. enforce Privacy Shield and COPPA, and
  10. support establishment of a U.S. Data Protection Agency.

EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous comments and consumer privacy complaints with the FTC, including a recent complaint about "toys that spy" and comments addressing the security and privacy risks of the Internet of Things.

4. FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 Election

The FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request.

During the 2016 election season, Russia conducted numerous cyberattacks against U.S. political targets with the intent to interfere in the democratic processes of the United States. This interference is under investigation by the U.S. Intelligence community and is of widespread concern to the American public. EPIC filed suit against the FBI to determine the agency's response to knowledge of the Russian interference with the 2016 Presidential election.

In the answer, the FBI acknowledged receipt of EPIC's FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary.

EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC also recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.

5. German Agency Tells Parents to Destroy "My Friend Cayla" Dolls

The German Federal Network Agency has told parents to destroy the "My Friend Cayla" doll, an internet-connected doll that spies on young children. The toy is illegal under German privacy law because it is a "concealed listening device," according to the agency. "Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy. This applies in particular to children's toys," said Jochen Homann, president of the German agency.

EPIC and several other consumer organizations filed a complaint in December of last year with the Federal Trade Commission alleging that the My Friend Cayla doll violates U.S. privacy law. "The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards," EPIC stated in the FTC complaint.

The EPIC complaint targets toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications, and describes how internet-connected toys pose ongoing privacy and safety threats to children. The complaint outlines numerous violations of both the Children's Online Privacy Protection Act and the FTC Act's prohibition on unfair and deceptive trade practices. EPIC's complaint also takes issue with Genesis' failure to take reasonable security measures to prevent unauthorized Bluetooth connections with the toys. The complaint further warns that children's voice recordings are sent to Nuance, a defense contractor that may use these recordings for its voice identification services offered to law enforcement, military, and intelligence agencies.

After filing the FTC complaint, EPIC sent letters to major U.S. retailers urging the companies "to put the welfare of children first" and immediately discontinue sales of the doll. As a result, Walmart, Toys "R" Us, Target, and stores across Europe have pulled the toy from their shelves. The Federal Trade Commission responded to EPIC's complaint, promising to "carefully review" the filing. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of Genesis Toys and Nuance Communications.

EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts led by the Norwegian Consumer Council to ban these toys from the marketplace.

EPIC has previously warned Congress about the risks of the Internet of Things, and filed complaints with the FTC about "always on" devices and smart TVs that place American consumers under constant surveillance.

News in Brief

Congressman Pallone Asks Government Accounting Office to Study Costs of Eliminating Privacy Rules

Congressman Frank Pallone (D-NJ) has asked the US Government Accounting Office to study the harms of eliminating rules that protect consumer privacy. "With the near universal use of the internet, and the rapid expansion of connected devices, corporations now have more information about American consumers than ever before," Pallone wrote in his letter. "It is, therefore, more important than ever that Americans' privacy and security be protected online." Pallone asked the GAO to report on whether the "notice and choice" approach to privacy regulation works, what challenges consumers face in protecting their information, and how the FCC, FTC, and other agencies approach privacy regulation. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" is insufficient to protect consumer privacy.

Yahoo Responds to Senators About Data Breach

Yahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.

EPIC, Coalition Back Improved Government Transparency

In comments to the Office of Government Information Services, EPIC and a coalition of open government groups urged greater transparency for dispute resolutions. The coalition wrote that a proposed rule "would impose restrictive confidentiality requirements." The coalition proposed revisions that "do not place restrictive confidentiality requirements on requesters" who use dispute resolution services. EPIC routinely advocates on behalf of open government and transparency. Earlier this month, EPIC and a coalition called on the Office of Management and Budget to preserve public access to online government information. EPIC also recently prevailed in EPIC v. FBI, a Freedom of Information Act lawsuit for public release of the FBI's privacy assessments.

Privacy Commissioners Announce Global Data Protection Awards

The International Conference of Data Protection & Privacy Commissioners is seeking submissions by April 21, 2017 for the inaugural Global Privacy and Data Protection Awards. Entries are invited for research, dispute resolution, education and advocacy, and use of online tools. Winning entries will be announced at the 39th annual Privacy Commissioners conference in Hong Kong in September 2017. EPIC has organized more than a dozen Public Voice events in conjunction with the annual meetings of the Privacy Commissioners to encourage civil society participation in decisions concerning the future of the Internet. EPIC also gives out the Champion of Freedom Awards at the Computers, Privacy and Data Protection Conference in Brussels and the EPIC Awards Dinner in Washington, DC.

EPIC Obtains Documents About DHS Immigration Enforcement Priorities

As a result of a Freedom of Information Act request, EPIC has obtained over 650 pages about DHS's immigration enforcement priorities. The documents detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement. EPIC recently submitted two new urgent FOIA requests to DHS, the first about DHS plans to step up social media monitoring and a second to reveal the agency's compliance with recent immigration court orders. This week, EPIC also prevailed in a FOIA lawsuit for public release of privacy assessments the FBI is required to prepare.

European Privacy Officials Raise Concerns About US Immigration Executive Order

The Article 29 Working Party, an expert group of European privacy officials, has raised concerns over a provision in the immigration Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the "Privacy Shield" and the Umbrella Agreement. EPIC is currently participating in Data Protection Commissioner v. Facebook, a case following a landmark decision that found insufficient legal protections for the transfer of European consumer data to the US.

Sen. Wyden Challenges Digital Border Searches

Sen. Ron Wyden (D-OR) has asked the Department of Homeland Security to explain reports of Customs and Border Patrol agents demanding access to Americans' locked phones at U.S. borders. Wyden said that "These digital dragnet border search practices weaken our national and economic security." EPIC awarded Sen. Wyden the EPIC Champion of Freedom Award in 2013. EPIC's 2017 awards dinner will be held on June 5, 2017, honoring Carrie Goldberg, Garry Kasparov, and Judge Patricia Wald. EPIC has also submitted FOIA requests to the DHS regarding the agency's policies for searches of social media.

Coalition Urges UN to Investigate US Social Media Monitoring

A coalition of human rights groups is urging the UN to investigate reports that the US is demanding entrants provide access to their cell phones and social media accounts. "These practices persist in violation of the United States human rights treaty obligations and your action is needed to hold the government accountable," the group stated in a letter to the UN High Commissioner on Human Rights and other UN offices. EPIC recently submitted an urgent request for disclosure of DHS plans to step up social media monitoring, and previously prevailed in a lawsuit against the agency to reveal records of its monitoring programs. EPIC's Privacy Law Sourcebook 2016, available in the EPIC bookstore, provides an overview of privacy frameworks around the world and tracks emerging privacy challenges.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

March 3, 2017
"Regulating Disruption: Responding to Emerging Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 8, 2017
"Fostering Digital Transformation: The OECD's Role"
Marc Rotenberg, EPIC President
Washington, DC

March 14, 2017
Yale Washington CEO Caucus
Marc Rotenberg, EPIC President
Washington, DC

March 17, 2017
"Privacy, Security, and the Social Contract in Democratic Society"
Marc Rotenberg, EPIC President
58th Air Force Academy Assembly
Colorado Springs, CO

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
Awardees: Garry Kasparov, Judge Patricia Wald, Carrie Goldberg
National Press Club
Washington, DC
