EPIC Alert 24.08

1. EPIC Hosts International Meeting of Data Protection Experts

This week, EPIC hosted the International Working Group on Data Protection in Telecommunications in Washington, DC. Twice a year, the Berlin-based Working Group convenes data protection authorities and privacy experts from around the world to develop recommendations on emerging privacy challenges.

For this meeting, EPIC submitted the report detailing privacy developments in the United States. EPIC’s report discussed the revised immigration order and the executive order limiting Privacy Act protections; the congressional repeal of the FCC’s broadband privacy rules; the introduction of the Security and Privacy in Your Car Act of 2017; and the potential Department of Homeland Security requirement that foreign travelers turn over social media passwords. EPIC also updated the Working Group on the ongoing investigations into Russian interference with the 2016 Presidential Election.  EPIC has filed three Freedom of Information Act lawsuits to obtain information about Russian interference in the election.

EPIC’s country report also informed the Working Group of developments concerning recent data breaches and settlements, including the Yahoo data breach, in which more than one billion accounts were compromised; a breach at the Navy, where sensitive information on more than 130,000 sailors was compromised; and the FTC’s recent $2.2 million settlement against VIZIO, a smart TV manufacturer that had been tracking consumers’ viewing habits without their knowledge or consent.

The Working Group met for two days and discussed topics such as connected cars, privacy on e-learning platforms, security updates for connected devices, data retention and web tracking. The Group recently issued recommendations on topics including Biometrics in Online Authentication, Location Tracking, and Intelligent Video Analytics.  The IWG meeting was held at the Goethe-Institut, Germany's cultural institute. Through June 2016 the Institut is presenting the "Plurality of Privacy Project," a transatlantic theater project focused on the value of privacy. EPIC previously hosted a meeting of the IWG in Washington, DC, in 2004. The group will meet again in France in the fall.

2. EPIC, Coalition Urge FCC to Act on Petition to End Call Data Retention

EPIC and a coalition of leading civil society organizations have sent a letter to the Federal Communications Commission urging the Commission to act immediately on a nearly two-year-old petition to end the agency's rule requiring mass retention of phone records.  

The FCC rule requires phone companies to retain sensitive subscriber information for 18 months.  The records that must be retained include the name, address, telephone number, telephone number dialed, date, time, and call length for each call.  According to the rule, all records must be retained without limitation, regardless of whether the records will ever be relevant to an investigation. 

In August 2015, an EPIC-led coalition of civil society organizations, legal scholars, and technology experts filed a petition asking the FCC to repeal the rule.  The coalition explained that the “outdated and ineffective” data retention rule “violates the fundamental right to privacy” and “exposes consumers to data breaches, stifles innovation, and reduces market competition.”  The petition noted that because 90% of American adults have a cell phone, the data retention rule “equates to sensitive data being retained for nearly every American adult, even when they are under no suspicion of wrongdoing.”  The petition asked the FCC to open the rule to public comment "in light of its ineffectiveness and the corresponding privacy threats," or to repeal the program entirely.

Over a year and eight months later, the FCC has yet to act on the petition.

On April 24, 2017, EPIC and a coalition of 37 other public interest organizations sent a letter to the FCC asking the Commission to act on the August 2015 petition.  The letter noted that the FCC’s own rules require it to respond “promptly” to a petition for rulemaking by issuing a public notice for comment.  “Inaction for a year and eight months is beyond any reasonable definition of ‘prompt,’” said the coalition letter.  The coalition also cited two large breaches of sensitive call records since the coalition petition was filed.  The coalition letter states that "the time has come to give the public the opportunity to comment on whether the data retention mandate should continue” and asks the Commission to docket the petition and issue a notice for public comment by May 8, 2017.

3. U.S. Courts Release Revised Report on FISA

The Administrative Office of the U.S. Courts has issued the 2016 report on activities of the Foreign Intelligence Surveillance Court. The 2016 FISA report reveals that there were 1,752 FISA applications in 2016, of which 1,378 were granted, 339 were modified, 26 were denied in part, and 9 were denied in full. Scrutiny of FISA applications increased substantially in 2016. The FISA court denied more applications in 2016 than it had during the previous 36 years.

The 2016 report represents only the second such report and the first one that encompasses an entire year. The FISA reports and their publication are a requirement of the USA FREEDOM Act, which was enacted June 2, 2015. The 2015 FISA report, which only covered June 8, 2015 through December 31, 2015, revealed that there were 1,499 applications during the 2015 reporting period. Of those applications, 1,457 included requests for authority to conduct electronic surveillance. None of the requests for electronic surveillance were denied in whole or in part by the Court.

EPIC testified before the House Judiciary Committee in 2012 on the need to reform the Surveillance Court. EPIC President Marc Rotenberg recommended improvements including public reporting procedures for FISA Court opinions, increased public reporting of the use of FISA authority to prevent abuse, and a provision for an increased web presence or other source of easily accessible data. Several of EPIC’s recommendations are reflected in the revised reporting requirements, following passage of the USA FREEDOM Act in June 2015.

EPIC’s testimony also argued the need to limit the scope of section 702 surveillance specifically, which is authorized by the Foreign Intelligence Surveillance Court. Section 702 was the basis for the NSA’s “PRISM” program and will sunset at the end of the year if not renewed.

4. EPIC: Enhanced Surveillance at Border Will Sweep Up U.S. Citizens

In a statement to the House Oversight Committee last week, EPIC warned that enhanced surveillance at the border will impact citizens' rights. Enhanced surveillance techniques are likely to be part of the Congressional debate over the proposed border wall. "The use of drones in border security will place U.S. citizens living on the border under ceaseless surveillance by the government," said EPIC. The statement was sent in advance of a Subcommittee hearing on border security.

EPIC noted that Customs and Border Protection is already deploying drones with facial recognition technology on U.S. communities. In 2013, EPIC obtained records under the Freedom of Information Act that revealed that CBP drones could also intercept electronic communications in the United States. Following the revelations about drone surveillance at the border, EPIC, joined by thirty organizations and more than a thousand individuals, petitioned CBP to suspend the domestic drone surveillance program, pending the establishment of concrete privacy regulations.

State laws in some border states prohibit warrantless aerial surveillance but the United States has failed to enact laws to limit drone surveillance. In 2015, EPIC argued before the New Mexico Supreme Court in a case in which the court ultimately ruled that the Fourth Amendment prohibits the warrantless aerial surveillance of, and interference with, a person's private property. Though the case involved surveillance by a low-flying helicopter, EPIC warned the court that "[d]rones will enable broader use of aerial surveillance by law enforcement" agencies.

In late 2015, the Department of Homeland Security (DHS) released a set of drone privacy best practices. The best practices reflect many of the recommendations made by EPIC in testimony to Congress, including limiting data collection, use, dissemination, and retention. The recommendations also propose a redress program so individuals can challenge inappropriate collection. But the best practices are only guidelines. EPIC urged the Subcommittee that any approval of increased surveillance at the border should include a codification of those best practices.

5. DHS Privacy Office Releases 2016 Report, Secret Profiling on the Rise

The Department of Homeland Security has released the 2016 Annual Data Mining Report. The report describes several of the agency's profiling systems that assign secret "risk assessments" to U.S. citizens.

According to the DHS report, one of those systems—the Analytical Framework for Intelligence—is accessible to multiple agency components, including Citizenship and Immigration Services, the Coast Guard, and the Transportation Security Administration. The report notes that AFI “indexes information from many different source data systems” and carries a “risk of . . . retaining incorrect, inaccurate, or untimely information.”

“The accuracy of DHS-owned data, other federal agency data, and data provided by commercial data aggregators is dependent on the original source,” the report warns. Nevertheless, DHS is proposing that AFI “projects be retained for up to 30 years, and finished intelligence products for 20 years.”

Through a Freedom of Information Act lawsuit, EPIC previously obtained important records about the secretive scoring program. Those documents included dozens of references to Palantir, a prominent data-mining firm. EPIC is now appealing EPIC v. CBP to the D.C. Circuit Court of Appeals to compel the release of additional documents.

For years, EPIC has highlighted the problems inherent in passenger profiling systems like AFI through testimony and comments. EPIC also has a longstanding interest in algorithmic transparency and ending secret profiling of individuals. Recently, EPIC filed suit to obtain documents from the Department of Justice about its use of proprietary “risk assessment” algorithms.

EPIC Book Review: “Code Warriors”

“Code Warriors,” by Stephen Budiansky

“Get everything.” Stephen Budiansky’s “Code Warriors: NSA's Codebreakers and the Secret Intelligence War Against the Soviet Union” is a reminder that this approach is nothing new for the U.S. intelligence community. In fact, it goes back further than the NSA’s name itself.

“Code Warriors” details key decades in the NSA’s history. The work opens with a history of separate Navy and Army codebreaking operations during World War II, tracks the official establishment of the NSA in the mid-twentieth century, and follows the agency’s development up to the fall of the Berlin Wall. Budiansky’s history revolves around themes that will be familiar even to those who came of age in the Snowden era: turf wars between agencies and officials, the race between nations to stay one step ahead of others’ codebreakers, and profound secrecy (even, at times, from the President himself). Looming in the background, ever present, is the specter of Russia.

A long-time historian of the intelligence field and member of the editorial board of Cryptologia, Budiansky oscillates between rich descriptions of decryption technology, often topped off with a diagram, and historical moments and personalities. As a result, “Code Warriors” has something for technologists, lawyers, historians, and casual observers alike.

Budiansky is at his best, however, when recounting the details that breathe life into history. For instance, he tells of Director Lieutenant General Ralph J. Canine’s takeover of NSA predecessor Armed Forces Security Agency (AFSA) during the Korean War, part of a shakeup of U.S. intelligence operations. An outsider to signals intelligence and cryptanalysis, one of Canine’s first orders was to “require that all of the furniture in each office…match.” The order quickly acquainted the agency’s employees with their new boss. Likewise, it is hard to resist Budiansky’s explanation of the differences between the NSA and CIA in the 1950s. While the CIA had an air of East Coast sophistication, he explains that the “NSAers were surely the squarest spies on earth”—down to an “annual Miss NSA beauty pageant.” Finally, he perfectly captures bureaucratic inefficiencies in the story of a 1970s internal investigation that revealed the delivery of a single box of paper clips by the NSA’s supply office took ten days.

“Code Warriors” is a meticulous, even-handed account of critical moments in the NSA’s development. Those on all sides of the modern surveillance debate will be well served with Budiansky’s history in their repertoire.

— Eleni Kyriakides

News in Brief

European Data Protection Supervisor Backs “E-Privacy” Directive Updates

European Data Protection Supervisor Giovanni Buttarelli, one of Europe’s top privacy officials, published an opinion backing a key update to EU privacy law.  The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The EDPS welcomed the “ambitious attempt to provide for the comprehensive protection of electronic communications.” However, the EDPS opinion also emphasized the need to strengthen privacy protections, raising concern about the proposal’s complexity and failure to cover data processing beyond communications services providers. The EDPS’s statement follows a supportive opinion from the Article 29 Working Party, an expert group of European privacy officials. EPIC recently hosted Mr. Buttarelli in Washington, DC to speak before the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. 

Following EPIC Appeal, Justice Department Submits Trump Wiretap Claims for Declassification Review

Following EPIC’s appeal of a decision to “neither confirm nor deny” the existence of a FISA application to monitor Trump Tower, the Justice Department took the unusual step of submitting the matter for declassification review. After the President tweeted allegations that President Obama “had [his] wires tapped in Trump Tower,” EPIC filed an urgent FOIA request for any FISA applications concerning Trump Tower. The Justice Department denied the request, but on appeal stated it was referring this matter “so that it may determine if the existence or nonexistence of any responsive records should remain classified.” The Justice Department issued a similar response to EPIC’s related request concerning alleged surveillance of the Trump team. EPIC had explained in the appeal that “the agency may not hide behind the ‘neither confirm nor deny’ response” after FBI Director James Comey stated before Congress that the FBI and the Justice Department had “no information” to support the President’s tweets.

In EPIC Lawsuit, FAA Concedes Drone Privacy Risks

The Federal Aviation Administration has filed a brief in response to EPIC's lawsuit, EPIC v. FAA, concerning the FAA's failure to establish privacy rules for commercial drones. EPIC sued the FAA after Congress required a "comprehensive plan" for drone deployment in the United States and the FAA denied EPIC's petition calling for privacy safeguards. In the opposition brief, the FAA acknowledged "that cameras and other sensors attached to [drones] may pose a risk to privacy interests." The FAA claims that the agency is not ignoring drone privacy risks, but documents from a previous Freedom of Information Act request by EPIC showed the agency also failed to complete a drone privacy report required by Congress.

Senators Blumenthal and Udall Introduce Online Privacy Bill

Senators Richard Blumenthal (D-CT) and Tom Udall (D-NM) have introduced the Managing Your Data Against Telecom Abuses (MY DATA) Act. The MY DATA Act would grant the FTC jurisdiction over broadband providers, as well as the authority to establish rules for privacy and data security online. "In the 21st century, internet access is a basic necessity. And signing up for a basic necessity should never mean you have to sign away your rights to privacy," said Senator Blumenthal. EPIC has previously told Congress that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. EPIC has also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud.

Appeals Court Rules in Video App Privacy Case

A Federal Court of Appeals has ruled in Perry v. CNN, a case concerning the disclosure of video viewing records. EPIC filed an amicus brief and explained that the Video Privacy Protection Act applies to all companies that collect video records, including app companies. The Appeals Court held that the plaintiff, a mobile app user, wasn't a "subscriber" under the video privacy law, following an earlier similar decision by the same court. However, the appeals court made clear that federal privacy laws, such as the Video Privacy Protection Act, provide a sufficient basis for a lawsuit without the need to show additional harm.

German Court Blocks Facebook's Efforts to Obtain WhatsApp User Data

A German court has upheld an order requiring Facebook to suspend the import of users' personal data from WhatsApp. Following Facebook's acquisition of WhatsApp, WhatsApp announced that it would transfer users' personal data to Facebook, violating the company's privacy promises. A Data Protection Commissioner in Germany ordered Facebook to halt the data transfer. This week a German court refused Facebook's attempt to block the order, ruling that Facebook had no legal basis for the transfer and no effective consent from WhatsApp users. The transfer is also under investigation by the Article 29 Working Party, a group of European privacy officials. EPIC filed a complaint with the FTC in 2014, backed by over a dozen US consumer groups, urging the US agency to block the acquisition of WhatsApp if privacy safeguards were not established. As EPIC explained, "WhatsApp built a user base based on its commitment not to collect user data for advertising revenue. Acting in reliance on WhatsApp representations, Internet users provided detailed personal information to the company including private text to close friends."

EPIC to Congress: Examine TSA Secrecy

EPIC has sent a statement to the House Committee on Homeland Security for an oversight hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information the agency designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." Congress also criticized the TSA's use of the SSI designation in an extensive report on "Pseudo Classification." In the statement for the Committee, EPIC also objected to the eye scanning of US travelers at US airports.

EPIC Joins Coalition to Urge FOIA Compliance on Immigration Enforcement

EPIC joined a coalition of civil society organizations to urge Immigration and Customs Enforcement to comply with the Freedom of Information Act. The letter to DHS Secretary Kelly calls upon the federal agency to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC previously received documents through a Freedom of Information Act request about DHS's immigration enforcement practices. The documents obtained by EPIC detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement.

EPIC, Privacy Coalition Meet with EU Data Protection Supervisor

European Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, and the U.S. Privacy Act as it applies to foreigners, among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.

Government Argues for PRISM Reauthorization in New Report

The Office of the Director of National Intelligence has released a report on the controversial Section 702 "PRISM" program, which is set to expire on December 31, 2017. The report argues for renewal, but significant questions remain about the PRISM program. Despite repeated requests from Congress, the ODNI has refused to reveal the number of U.S. persons who are swept up in PRISM surveillance every year. EPIC sent a letter to the House Judiciary Committee urging public reporting of the Government's surveillance activities. EPIC also warned that the Section 702 legal controversy could block international data transfers.

DHS Privacy Office Releases 2016 Report, Secret Profiling on the Rise

The Department of Homeland Security has released the 2016 Annual Data Mining Report. The report describes several of the agency's profiling systems that assign secret "risk assessments" to U.S. citizens. According to the DHS report, the Analytical Framework for Intelligence is accessible to several agency components, including the Citizenship and Immigration Services, the Coast Guard, and the Transportation Security Administration. Through a Freedom of Information Act lawsuit, EPIC previously obtained important documents about the secretive scoring program. EPIC is now appealing EPIC v. CBP to the D.C. Circuit Court of Appeals to compel the release of additional documents.

EPIC, Coalition Urge DHS Secretary to Reject Social Media Password Requirement

EPIC has joined the Fly Don't Spy! campaign to urge DHS Secretary Kelly to reject plans to require travelers to hand over passwords to the federal government. Such a requirement would undermine privacy and human rights, chill freedom of speech and association, and create greater security risks for travelers. Earlier this year, Secretary Kelly testified before Congress about collecting social media passwords. In response, EPIC immediately filed a Freedom of Information Act request regarding all DHS plans to use individuals' internet and social media information to vet potential entrants to the U.S.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology do not simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
Awardees: Garry Kasparov, Judge Patricia Wald, Carrie Goldberg
National Press Club
Washington, DC

June 8, 2017 - June 9, 2017
"Fortifying or Forgetting Forecasting: Can We Ever Plan Accurately?"
Marc Rotenberg, EPIC President
Yale CEO Conference
New York, NY

August 16, 2017 - August 19, 2017
"The Digital Economy"
Marc Rotenberg, EPIC President
OECD
Paris, France

August 6, 2017 - August 8, 2017
Aspen Institute Roundtable on Artificial Intelligence
Marc Rotenberg, EPIC President
Aspen Institute
Aspen, CO
