
EPIC Alert 24.10


1. Senator Warner Asks FTC To Take Action On Toys That Spy

Senator Mark Warner (D-VA) recently sent a letter to the Federal Trade Commission expressing his concern about connected toys that spy on children.

The letter comes a year after Senator Warner's May 2016 letter to the FTC expressing his alarm at "the growth of connected devices marketed toward children, such as internet-connected dolls and toy cars, given security vulnerabilities researchers have identified in a number of these products." In his recent letter, Senator Warner notes that the companies selling these toys also collect and store massive amounts of data about children--information that these companies are unable to protect and may not legally be allowed to retain. According to media reports, for example, CloudPets, a connected stuffed animal marketed as "a message you can hug," exposed more than 800,000 customer credentials and 2 million voice recordings between parents and children. CloudPets had stored the voice recordings in an insecure online database available to anyone on the Internet.

"I worry that protections for children are not keeping pace with consumer and technology trends shaping the market for these products," Senator Warner said in the letter. The Senator also wrote that Acting Chairwoman Ohlhausen's recent comments, calling for the FTC to "focus on cases with objective, concrete harms such as monetary injury and unwarranted health and safety risks" instead of what she called "speculative" types of harm, "only deepen [his] concerns." Senator Warner asked FTC Acting Chairwoman Maureen Ohlhausen to respond to several questions, including whether the FTC has "taken any action with respect to 'My Friend Cayla' or other products manufactured by Genesis Toys."

EPIC filed a complaint with the FTC in December, 2016, alleging that toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint spurred international efforts to ban the toys from the marketplace and a congressional investigation into the toy makers' data practices. Senator Edward Markey (D-MA) sent letters to the manufacturers of My Friend Cayla requesting information on the companies' data collection practices. Senator Markey joined with Representative Joe Barton (R-TX), Representative Bobby Rush (D-IL), and Senator Mark Kirk (R-IL) to introduce the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information.

2. EPIC to House Committee: IRS Must Release Trump Tax Records

In a statement to the House Appropriations Committee last week, EPIC alerted the Committee to EPIC v. IRS, EPIC's Freedom of Information Act lawsuit against the IRS to obtain Donald Trump's tax records. EPIC filed the lawsuit on April 15, 2017, in federal district court in Washington, DC. EPIC's statement was sent in advance of an IRS Oversight hearing. According to EPIC, "There has never been a more compelling FOIA request presented to the IRS."

As a general matter, tax records are protected under federal privacy laws. But in the request to the IRS, EPIC noted a key provision in the Internal Revenue Code that permits the release of tax records in certain circumstances to correct misstatements of fact. The provision was enacted to ensure the "integrity and fairness [of the IRS] in administering the tax laws" following the impeachment proceedings against President Richard M. Nixon. It allows the IRS to release tax records "with respect to any specific taxpayer to the extent necessary for tax administration purposes to correct a misstatement of fact." President Trump has accused the IRS of targeting him for audits on religious and political grounds, while misinformation and uncertainty over the contents of Trump's returns have led protesters to threaten withholding their own taxes.

The IRS has the authority to release the President's tax returns with the approval of the Joint Committee on Taxation. EPIC urged the House Appropriations Committee to support the release, saying that "[t]he public has a right to know about the extent of Russian interference with the 2016 Presidential election."

EPIC manages one of the most extensive open government litigation programs in the United States. EPIC is currently pursuing several high level FOIA cases, including EPIC v. FBI and EPIC v. ODNI, to determine the scope of Russian interference with the 2016 Presidential election.

3. EPIC FOIA: EPIC Seeks Memos of Trump Conversations with FBI Director

EPIC has filed an urgent Freedom of Information Act request with the Federal Bureau of Investigation for former Director James Comey's memos regarding his communications with President Donald Trump.

On May 16, the New York Times reported that Mr. Comey had documented "every phone call and meeting he had with the president." The memos tracked "what he perceived as the president's improper efforts to influence a continuing investigation," the Times wrote.

The following day, EPIC submitted a FOIA request for the public release of all of Director Comey's memos--including one that describes a February 14 meeting with President Trump about the resignation of National Security Advisor Michael Flynn. Leaders of the Senate Intelligence Committee and House Oversight Committee have also asked the FBI to turn over Comey's memos to Congress.

In its request, EPIC underscored the extraordinary value of Director Comey's memos to the public. "Few public documents could be more 'meaningfully informative' than memos detailing what FBI Director reportedly viewed as a President's efforts to end an investigation into his associate," EPIC wrote.

EPIC has filed multiple FOIA lawsuits for records pertaining to Russian interference with the 2016 Presidential Election. In January, EPIC sued the FBI for records of the bureau's response to foreign cyber attacks on American democratic institutions leading up to the election. More recently, EPIC filed an emergency motion to preserve records in the case.

4. EPIC Asks FTC to Stop System for Secret Scoring of Young Athletes

EPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a secret and proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC.

According to the complaint, Universal Tennis collects match results from high school, college, international, and U.S. Tennis Association junior and adult tournaments. Universal Tennis uses this data to generate the Universal Tennis Rating, a number between 1 and 16 derived from a player's recent match results. Scores are generated dynamically and recalculated daily. Universal Tennis publishes UTR scores online for commercial gain. Although Universal Tennis makes basic information about its scoring method available online, the company does not reveal the algorithm it uses to generate scores. Players or their parents have no way to opt out of the data collection or scoring.

The complaint calls out UTR's proprietary nature as an anomaly in competitive activities. EPIC points to the "readily accessible Scoring Tables and Scoring Calculators" used for USA Track and Field and the "points scored per game, rebounds scored per game, assists per game, and steals per game" commonly reported for basketball. EPIC's complaint notes that there is already a well-established alternative to UTR: the Elo rating system, which is used to calculate relative skill levels in competitive games such as chess. In contrast to the secret, proprietary, and for-profit UTR rating, the Elo system's formulas are open, the ratings of players under the Elo system are transparent, and the results of Elo ratings are freely available, the complaint says.

EPIC urged the FTC to "find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice." The complaint also asks the FTC to halt Universal Tennis's scoring of children without parental consent, require Universal Tennis to make its algorithm public, and to require Universal Tennis to establish formal procedures by which scores can be corrected.

In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms.

5. EPIC v. FBI: Agency Cyber Hack Notification Procedures Fall Short

In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election.

The documents obtained by EPIC establish that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." In the event of an intrusion investigation, the Cyber Division will, under certain circumstances, notify the "individual, organization, or corporation that is the owner or operator of the computer at the point of compromise or intrusion," according to the documents. The analysis to determine whether or not to notify the victim, as well as the FBI procedures for approval or deferral of notification, the timing of notification, the method of notification, and more, were all redacted by the agency. The FBI also produced certain procedures under the Foreign Intelligence Surveillance Act and notification procedures for threats to life or serious bodily injury.

The FBI's response raises questions about whether the agency fulfilled the obligation to properly notify the victims of the Russian cyberattacks. The Intelligence Community assessed that both major US political parties were attacked. On May 26, the FBI also refused to provide EPIC with FBI communications with political organizations and federal agencies concerning the Russian interference. EPIC intends to challenge the FBI's withholdings.

Next in the case, EPIC anticipates the release on July 25 of memos, reports, and other records of the FBI investigation of Russian cyber attacks on political organizations. EPIC recently filed a reply to the FBI's attempt to block an emergency motion by EPIC to preserve records following the firing of FBI Director James Comey.

News in Brief

DC Circuit Rules in Second EPIC Airport Body Scanner Case

In a cursory per curiam opinion, the D.C. Circuit denied EPIC's petition for review of the TSA's final rule mandating body scanners in U.S. airports. EPIC argued in EPIC v. DHS II that the TSA had failed to justify body scanners as compared with less invasive, more effective screening techniques, such as magnetometers combined with explosive trace detection. Public comments overwhelmingly favored EPIC's recommendations to the federal agency. EPIC also argued that the TSA's decision to end the opt-out was contrary to the D.C. Circuit's earlier opinion in EPIC v. DHS I, which held that passengers could opt out of the invasive screening technique. As Judge Ginsburg explained in the earlier case, "Despite the precautions taken by the TSA, it is clear that by producing an image of the unclothed passenger, an AIT scanner intrudes upon his or her personal privacy in a way a magnetometer does not." Judge Ginsburg further said, "any passenger may opt-out of AIT screening in favor of a patdown, which allows him to decide which of the two options for detecting a concealed, nonmetallic weapon or explosive is least invasive."

EPIC Tells Congress: Limit Use of Social Security Numbers

EPIC has sent a statement to the House Ways & Means Committee and House Committee on Oversight and Government Reform in advance of a hearing on "Protecting Americans' Identities: Examining Efforts to Limit the Use of Social Security Numbers." EPIC warned about the danger of SSN-related identity theft. "Given the growing risk of identity theft coupled to the SSN and the ease of alternative systems, there is simply no excuse for the use of SSNs in either the public or private sector," said EPIC. EPIC has long urged Congress and state legislators to limit use of the SSN.

FBI Opposes EPIC Preservation Order in FBI Russian Interference FOIA Case

The FBI is opposing EPIC's emergency motion to preserve records in a Freedom of Information Act case for records of the Russian Interference with the 2016 Presidential Election. Following Donald Trump's abrupt firing of FBI Director James Comey, EPIC asked a federal court to issue a preservation order for records at issue in EPIC v. FBI and to impose sanctions if the order is violated. EPIC cited irregular circumstances surrounding the firing of the FBI Director, as well as concerns expressed by members of Congress and Senators regarding the possible destruction of FBI records. In the filing today, the FBI suggested that EPIC would have to provide actual evidence of destruction of records before a court could issue a preservation order to prevent destruction of records.

Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections

Rep. Marsha Blackburn (R-TN) has introduced the Browser Act, H.R. 2520, aimed at protecting online privacy. The Browser Act would apply to ISPs as well as Internet companies such as Google and Facebook and would generally require "opt-in" consent before sensitive information could be collected or disclosed. However, the bill lacks a private right of action or a remedy for violations. The bill gives enforcement authority to the FTC, which has mostly failed to protect consumers' online privacy. The bill lacks a data breach notification requirement and would overwrite stronger state privacy laws that protect consumers. In comments to the FCC and elsewhere, EPIC has set out a comprehensive framework for online privacy.

Court Strikes Down FAA Registration Requirement for Hobbyist Drones

A federal appeals court has struck down the FAA's rule requiring hobbyists to register their drones. The D.C. Circuit ruled that a registration requirement violated the FAA Modernization Act, which forbade regulations for "model aircraft," including unmanned drones "flown for hobby or recreational purposes." EPIC is currently challenging the FAA's failure to establish privacy rules for "small, commercial" drones. Congress required a "comprehensive plan" for drone deployment in the United States, and more than 100 experts and organizations petitioned the agency for privacy safeguards. EPIC v. FAA is fully briefed and arguments before the D.C. Circuit are anticipated this fall.

EPIC Opposes State Department Plan to Collect Social Media Identifiers for Visa Applicants

In comments to the State Department, EPIC urged the agency to drop a plan to obtain the social media identifiers of individuals applying for visas to enter the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact certain minority groups. EPIC has previously opposed DHS proposals to collect social media information and recently submitted a FOIA request following statements made by the Homeland Security Secretary indicating that the DHS planned to ask individuals for social media passwords before allowing entry into the U.S.

Facebook Fined $122 Million for Misleading Europe on Privacy Risks of WhatsApp Merger

The EU has fined Facebook $122 million for misleading the European Commission during the investigation of the Facebook-WhatsApp Merger. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook and violated the company's privacy promises. Facebook had downplayed the risks of the merger, saying that WhatsApp users' personal data could not be linked with their Facebook accounts. "U.S. antitrust law has failed to keep up with the digital economy and the emergence of monopoly services," EPIC president Marc Rotenberg told the New York Times. "There is far too much 'lock in' with a dominant provider, and far too much consolidation of personal data." The head of BEUC, the European consumer association, said, "It is very disappointing that the Commission decided not to revise its original decision on the Facebook merger with WhatsApp." EPIC recently urged the Senate Judiciary Committee to consider the role of consumer privacy and data protection in merger reviews and highlighted the FTC's failure to block the Facebook-WhatsApp merger.

Court of Appeals Grants Rehearing in FTC v. AT&T Mobility

The Ninth Circuit Court of Appeals has granted rehearing of a decision that stripped the FTC of its authority over companies engaged in "common carrier" activities. The grant of rehearing vacates the court's earlier holding that the common carrier exemption to FTC authority is status-based, not activity-based. EPIC and a coalition of consumer advocates had filed a friend-of-the-court brief urging reconsideration of the court's decision, warning that the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy--they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

June 2, 2017
Eighth Annual Prescriptions for Criminal Justice Forensics
Jeramie Scott, EPIC National Security Counsel
New York, NY

June 5, 2017
Democracy and Cybersecurity: The EPIC FOIA Cases Concerning Russian Interference with the 2016 Presidential Election
With Steve Aftergood, Jen Daskel, and Bruce Schneier
National Press Club
Washington, DC

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
Awardees: Garry Kasparov, Judge Patricia Wald, Carrie Goldberg, and Ron Rivest
National Press Club
Washington, DC

June 8, 2017 - June 9, 2017
"Fortifying or Forgetting Forecasting: Can We Ever Plan Accurately?"
Marc Rotenberg, EPIC President
Yale CEO Conference
New York, NY

June 28, 2017
"Privacy, Security Issues Related to Connected, Automated Vehicles"
Marc Rotenberg, EPIC President
FTC / NHTSA
Washington, DC

August 6, 2017 - August 8, 2017
Aspen Institute Roundtable on Artificial Intelligence
Marc Rotenberg, EPIC President
Aspen Institute
Aspen, CO

September 25, 2017 - September 29, 2017
The 39th International Conference of Data Protection and Privacy Commissioners
Marc Rotenberg, EPIC President
Hong Kong
