EPIC Alert 24.07
EPIC Alert 24.07 - April 18, 2017
- EPIC Sues for Release of Trump Tax Records
- EPIC Appeals Passenger Profiling Case to DC Circuit
- EPIC Obtains Documents About FBI Drone Program
- European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards
- Privacy Poll: Users More Concerned about Google and Facebook than ISPs
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
EPIC has filed a Freedom of Information Act lawsuit against the IRS to obtain the tax records of President Donald J. Trump. The lawsuit was filed on April 15, 2017 in federal district court in Washington, DC.
In a press release dated April 15, 2017, EPIC President Marc Rotenberg stated, "There has never been a more compelling Freedom of Information Act request presented to the IRS. Because the agency failed to comply with the requirements of the Freedom of Information Act, we have filed this lawsuit to compel production of Donald J. Trump's tax returns."
Mr. Rotenberg continued, "There is a widespread concern that the President's private financial interests may conflict with the national interests of the United States. There is a related concern that candidate Trump may have business relations with the Russian government that aided his presidential campaign.
"And there are ongoing concerns about the fairness and integrity of tax administration, expressed by both President Trump and his critics. There is simply no way to resolve these disputes without the release of the tax records. The public has the right to know." said Mr. Rotenberg.
According to the EPIC complaint, "In the history of the United States, there has never been greater interest in the public release of an individual's tax records than those of Donald J. Trump."
EPIC Senior Counsel Alan Butler explained the basis of the legal action. "As a general matter, tax records are protected under federal privacy laws. However, EPIC uncovered a key provision in the IRS regulations that permits the release of tax records in certain circumstances to correct misstatements of fact."
The provision was enacted following the impeachment of President Richard M. Nixon. It allows the IRS to release tax returns "with respect to any specific taxpayer to the extent necessary for tax administration purposes to correct a misstatement of fact." President Trump has accused the IRS of targeting him for audits on religious and political grounds, while misinformation and uncertainty over the contents of Trump's returns have led protesters to threaten withholding their own taxes.
Regarding the provision cited by EPIC, Senator Chuck Grassley (R-IA), a member of the Joint Committee on Taxation, has said that certain "type[s] of factual misstatements should trigger disclosure of return information" depending on the "degree of seriousness." According to EPIC's Marc Rotenberg, "It is hard to imagine more serious misstatements of facts than the claims surrounding President Trump's tax returns. If ever there were circumstances that justified the public release of taxpayer returns, EPIC's FOIA request presents that case."
EPIC manages one of the most extensive open government litigation programs in the United States. Over the years, EPIC has prevailed in FOIA cases against many federal agencies. For example, EPIC obtained the public release of the NSA's domestic cybersecurity authority following a FOIA lawsuit. EPIC recently filed FOIA cases to determine the extent of Russian interference with the 2016 Presidential election. In EPIC v. FBI, EPIC obtained a court order requiring the production of documents beginning May 11, 2017. In EPIC v. ODNI, EPIC obtained a court order requiring the May 11, 2017 release of the report on Russian hacking prepared by the intelligence community.
EPIC has filed a notice of appeal in EPIC v. CBP, a case about the government passenger screening program that assigns a secret risk assessment to U.S. travelers based on personal data and a secret algorithm. EPIC filed a Freedom of Information Act lawsuit against the agency for failure to produce documents about the controversial program. EPIC successfully obtained documents about the "Analytic Framework for Intelligence" program but the CBP redacted substantial portions of some of the documents. A court ruled in favor of the agency, concluding that disclosure could reveal "techniques" and "procedures" of law enforcement investigation, an assessment that EPIC disputes because passenger screening is not "a law enforcement investigation" according to the relevant law. EPIC has therefore appealed the decision to DC Circuit Court of Appeals.
The case concerns the Analytic Framework for Intelligence. According to a Privacy Impact Assessment for the AFI, CBP maintains six categories of data, all of which contain personally identifiable information such as a person's full name, address, gender, race, social security number, vehicle information, and law enforcement records. CBP uses AFI to assign a "risk assessment" to individuals to travelers, including US citizens. Individuals are not informed about how the scores are derived, how they are used, or whether they are accurate. EPIC has routinely criticized secret decision making by federal agencies and widely promoted "Algorithmic Transparency."
In April, 2014, EPIC submitted a Freedom of Information Act request for documents about the AFI program. When the agency failed to respond, EPIC filed a Freedom of Information Act lawsuit. The agency then produced many documents about AFI to EPIC that were responsive to the request. The CBP withheld some documents from EPIC, claiming that the documents would reveal "techniques and methods" for "law enforcement investigations." EPIC challenged that determination. In February 2106, a federal district court ruled in favor of EPIC and held that CBP had not properly justified its use of the FOIA exemption. The court ruled, "The defendant has therefore failed to establish that it has complied with the FOIA's requirements, and consequently, its motion for summary judgment must be denied." In March 2017, CBP tried again and provided more information in support of its decision to withheld the records subject to FOIA. The court then ruled in favor of CBP. EPIC has now appealed and hopes to obtain more complete records about the AFI and how it is being used on US citizens.
EPIC routinely pursued FOIA requests to federal agencies seeking information on government surveillance practices. EPIC recently prevailed in a similar FOIA case against the FBI for the release of privacy impact assessments. EPIC also filed a FOIA lawsuit against the Justice Department for their use of risk assessment tools.
As a result of a Freedom of Information Act request, EPIC has obtained the FBI's first annual summary report on drone operations. The annual reports are required by an Obama Presidential Memorandum regarding the domestic use of drones by federal agencies. The Memorandum is intended to limit the collection and use of personally identifiable information and will require agencies to adopt transparency and accountability procedures, including an annual report summarizing the drone operations from the previous.
The Memorandum specifies privacy protections in the following areas: 1) Collection, use, retention, and dissemination of personally identifiable information; 2) Protection of civil liberties; 3) Government accountability; and 4) Transparency. EPIC previously testified before Congress and called for privacy safeguards related to the use of drones by federal agencies, including use and data retention limitations as well as transparency and public accountability measures.
EPIC also obtained related documents about FBI drone operations that were heavily redacted. In addition to the annual drone operations summary report, EPIC requested the FBI's drone policies and procedures related to privacy, civil liberties, and civil rights. The FBI has not yet released these documents to EPIC. EPIC will appeal the FBI's failure to release these documents and will also challenge the redactions in the documents that were released.
EPIC is seeking similar documents from other federal agencies, including the Bureau of Alcohol, Tobacco, Firearms and Explosives, the Drug Enforcement Agency, and the Department of Homeland Security. EPIC is also currently suing the Federal Aviation Administration over the agency's final rule concerning small drones. In EPIC v. FAA, EPIC is challenging the failure of the agency's final rule to protect the public from drone surveillance.
In a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States.
The Parliament raised concerns about a host of recent legal changes in the US. The resolution cited the roll back of legal protection, including recent procedures that allow the NSA to disseminate raw data across the US government and the repeal of an FCC privacy rule. The Parliament also questioned US privacy oversight and enforcement, highlighting vacancies at both the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board and the absence of effective redress for violations of Privacy Shield.
The Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. The first annual review to evaluate the Privacy Shield's protections is scheduled for this summer.
Following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US, EPIC's Marc Rotenberg testified before Congress to urge the US to update and strengthen privacy protections. EPIC recently participated in a follow up case, Data Protection Commissioner v. Facebook, as a "counterbalance" to the views offered by the US government.
According to a POLITICO / Morning Consult poll, Americans trust Facebook, Google, and Twitter less than ISPs to protect personal data.
Only 43% of respondents said that they trusted broadband companies "a great deal" or "a fair amount." Trust in internet companies was even lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. A substantial majority (73%) said that they assume that web sites track their online behavior. Concern for privacy crossed party lines. For most questions, the answers of Democrats and Republicans were within the margin of error or very close to it.
The poll also shows public opposition to web tracking, with 70% of respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% saying they were uncomfortable with companies selling people's data for advertising purposes. Respondents were somewhat less uncomfortable with internet companies using personal data for research purposes: 57% said they were uncomfortable with that use.
The poll of 1,995 registered voters has a margin of error of plus or minus two percentage points.
European Privacy Officials Back "E-Privacy" Directive Updates
The Article 29 Working Party, an expert group of European privacy officials, has issued an opinion supporting a key proposal to modernize EU privacy law for electronic communications. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted General Data Protection Regulation. EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry.
Court Rules That Texas Voter ID Law Intentionally Discriminates
A federal district court has ruled that a Texas voter ID law violates the Voting Rights Act because the state legislature intended the law to be discriminatory. The ruling effectively halts enforcement of the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the Fifth Circuit Court Appeals held that the Texas law had a "discriminatory effect" on minorities' voting rights and sent the case back to the district court to reexamine whether the law was passed with "discriminatory purpose." EPIC filed an amicus brief with the appeals court arguing that that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC wrote. The Supreme Court recently declined to review the Fifth Circuit's ruling.
NY Court Backs Move to Destroy IDNYC Applications
A judge ruled this week that New York City may destroy the application materials of those who applied for an NYC identification card. The IDNYC program allows any New York City resident, regardless of immigration status, to obtain an identity document to access city services and to open a bank account. The IDNYC program was intended to assist vulnerable populations, including the homeless, victims of domestic violence, and undocumented immigrants. More than one million cards were issued and fewer than 2% of applications were denied. Under initial implementation, the application documentation was to be retained for two years, but critics of the program sought to obtain the personal information of applicants with the state FOI law. The judge rejected the claim. EPIC has long warned that the retention of identity document enrollment materials pose a significant privacy risk.
Senators Markey and Hatch Propose Student Privacy Act
Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act." The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, student access to personal information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties.
Senate Confirms Neil Gorsuch to U.S. Supreme Court
The Senate has confirmed Neil Gorsuch as the next Associate Justice of the U.S. Supreme Court. The final vote was 54 yeas to 45 nays. During Justice Gorsuch's confirmation hearing, EPIC urged the Senate Judiciary Committee to scrutinize Gorsuch's positions on a wide range of privacy, First Amendment, open government, and consumer protection issues. Gorsuch's views on these subjects could have "far-reaching implications" for "the future of privacy in the digital era," EPIC wrote. Committee members ultimately questioned Gorsuch extensively on the constitutional right to privacy, the application of the Fourth Amendment to new technologies, and the right to anonymous speech. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts.
Reuters Poll: Most Americans Would Not Sacrifice Privacy to Foil Terror Plots
A recent Reuters survey found that a majority of Americans are not willing to give up their privacy even to help the government fight terrorism. About 3 in 4 participants in the online survey answered that they would not give up the privacy of their e-mail, text messages, or phone records to help the US fight foreign or domestic terrorism plots or counter hacking of US networks by foreign powers. The poll of 3,307 people showed strong support for privacy among both Democrats and Republicans. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. EPIC also maintains a page on Privacy and Public Opinion.
EPIC Recommends Adoption of Privacy-Enhancing Technologies in Health Care Sector
EPIC has sent a letter to the House Energy and Commerce Committee about cybersecurity in the health care sector. EPIC noted that in 2016, approximately 300 health care sector data breaches compromised the health data of over 4 million patients. EPIC recommended specific privacy-enhancing technologies that should be required to be implemented in health care IT systems, including secure e-mail communications systems and the ability for patients to hold back sensitive information.
EPIC Brings Attention to Auto "Starter Interrupt Devices"
In a letter to the House Financial Services committee about the Consumer Financial Protection Bureau, EPIC highlighted its complaint about automobile "starter interrupt devices." EPIC alleges that companies use these devices to monitor borrowers' location and disable vehicles in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to establish safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives.
EPIC Recommends Scrutiny of DEA Surveillance Programs
In a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments for the agency's license plate scanning program. In the letter, EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law.
Trump Repeals Broadband Privacy Safeguards
Donald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy and has explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records.
EPIC Seeks Information on Sessions-Jourova Encryption Discussion
EPIC has filed an urgent Freedom of Information Act request for documents concerning a recent meeting between Attorney General Jeff Sessions and EU Commissioner V_ra Jourova. The two reportedly discussed "a proposal [on] how to 'solve this problem'" of encryption. EPIC said in the FOIA request that "strong encryption is the cornerstone of the modern internet economy" and that encryption "is critical to preserving human rights and information security around the world." A proposal on encryption policy may be taken up at a June 2017 meeting between the United States and the European Union. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. In the FOIA request, EPIC also noted the growing risk to users of Internet-connected devices.
- EPIC Sues IRS For Release of Trump's Tax Returns (Audio), KPFA, Evening News, April 17, 2017
- EPIC sues IRS over Trump's tax returns, POLITICO, April 15, 2017
- EPIC sues IRS for not disclosing Trump's taxes, The Hill, April 15, 2017
- Protesters Use April 15 To Demand Trump's Tax Returns, NPR, April 15, 2017
- The Tax March: Protesters around the country call on Trump to release his taxes, Washington Post, April 15, 2017
- Improve your internet privacy, with or without help from the government, Computerworld, April 14, 2017
- ID theft case reveals vulnerability of state's court website, Associated Press, April 13, 2017
- Sorting Out US Surveillance Methods, Laws, VOA, April 13, 2017
- Burger King's Scheme to Turn On Google Home: Outrageous But Not Illegal, Fortune, April 13, 2017
- As tensions rise with Russia, U.S. colleges still pay for Snowden speeches, Yahoo Finance, April 11, 2017
- The U.S. government has withdrawn its request ordering Twitter to identify a Trump critic, Washington Post, April 8, 2017
- Legislation creates task force to study surveillance tactics, News Observer , April 8, 2017
- Trump Doesn't Care About Your Privacy (Just His Own), New Republic, April 7, 2017
- Trump's Repeal of Internet Privacy Rules Shifts Regulatory Powers to FTC, Morning Consult, April 5, 2017
- How Aadhaar compares to other biometric national identification systems around the world, Tech2, April 5, 2017
- Massachusetts Drone Regulations Still Up In The Air, WHDH Boston, April 5, 2017
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC publications:
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
April 19, 2017
"Privacy: Thinking Local, Acting Global"
Giovanni Buttarelli, European Data Protection Supervisor
April 19, 2017
What Do Online Consumers Need to Know? The Implications of Repealing the FCC Privacy Rules on Internet Use
Alan Butler, EPIC Senior Counsel
ABA CRSJ Committee on Privacy and Information Protection
April 21, 2017
Giovanni Buttarelli, European Data Protection Supervisor
June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
Awardees: Garry Kasparov, Judge Patricia Wald, Carrie Goldberg
National Press Club
June 8, 2017 - June 9, 2017
"Fortifying or Forgetting Forecasting: Can We Ever Plan Accurately?"
Marc Rotenberg, EPIC President
Yale CEO Conference
New York, NY
August 16, 2017 - August 19, 2017
"The Digital Economy"
Marc Rotenberg, EPIC President
August 6, 2017 - August 8, 2017
Aspen Institute Roundtable on Artificial Intelligence
Marc Rotenberg, EPIC President