EPIC Alert 24.15

1. EPIC Urges Supreme Court to Apply Constitution to Cell Phone Data

EPIC has filed a "friend-of-the-court" brief in Carpenter v. United States, a major privacy case before the Supreme Court concerning the Fourth Amendment and location data.

In a brief joined by thirty-six technical experts and legal scholars, EPIC urged the Court to reject a 1970s case, Smith v. Maryland (1979), that allows for the warrantless collection of calling data. As EPIC told the Court, that case is "out of step with the current era" and was decided before cell phones and location tracking. "Cell phones are now as necessary to the life of Americans as they are ubiquitous," EPIC wrote. "Yet, despite these fundamental changes, lower courts still apply Fourth Amendment concepts that were established when rotary phones sat on desk tops, the receivers connected with coiled wire."

EPIC urged the Court to extend Constitutional protection to cell phone data. "Modern cell phone records include an entirely different category of information--location data--that can be used to map an individual's movements over time," EPIC explained. "The availability of increasingly precise location data underscores the need for a clear Fourth Amendment standard protecting against warrantless location tracking."

"This Court has never held that the government may search and seize records of where a person travels without triggering Fourth Amendment scrutiny," EPIC noted. "There is also no evidence that cell phone users expect to be subject to such routine tracking of their private lives--quite the contrary. We as a society are not prepared to accept pervasive, warrantless location tracking as objectively reasonable."

The case is set to be argued before the Court this fall. EPIC previously advocated against warrantless searches of location data in Riley v. California, United States v. Jones, State v. Earls, and Commonwealth v. Connolly.

2. EPIC Amicus - DC Circuit Upholds Rights of Data Breach Victims

A federal appeals court in Washington, D.C. has ruled that consumers may sue companies that fail to safeguard their personal data.

In June 2014, the health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders. The purloined information included the policyholders' names, birth dates, email addresses, and subscriber identification numbers. According to CareFirst, more sensitive data, such as Social Security and credit card numbers, was not stolen. After CareFirst publicly acknowledged the breach in May 2015, a group of consumers sued the company and various affiliates on behalf of themselves and other policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information. The consumers also alleged that Social Security numbers and credit card numbers were stolen. The district court dismissed the case, ruling that the plaintiffs could sue only if they suffered actual identity theft. The consumers appealed.

EPIC filed an amicus brief in the appeal in support of the consumers. In the brief, EPIC explained that the court misunderstood the relevant law and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches."

The appeals court agreed with EPIC and reversed the district court's decision. The court noted that it has frequently allowed lawsuits "based on allegations of a 'substantial risk' of future injury." Because "an unauthorized party has already accessed personally identifying data on CareFirst's servers," the court said, it was not unreasonable to assume that the data thief planned to make use of that data. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the court wrote.

EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. In briefs filed in In re SuperValu and Storm v. Paytime, EPIC argued for the right of consumers to sue after a data breach. In Gubala v. Time Warner Cable, EPIC argued that consumers can sue for violations of the Cable Communications Policy Act.

3. State Department Moves Forward Plan to Collect Social Media Identifiers of Visa Applicants

The State Department is seeking comment on the agency's plan to make permanent the collection of social media identifiers from individuals applying for visas to enter the United States.

In May 2017, the State Department requested emergency OMB approval and brief public comment on a plan to ask visa applicants about their social media use. The Department proposed to collect information about the social media platforms and identifiers applicants had used in the last five years. The Department claimed that it would request this information from "a subset of visa applicants worldwide, in order to more rigorously evaluate applicants for terrorism or other national security-related visa ineligibilities." The Department provided few other details about how the social media identifiers the Department plans to collect would be used. The Department is now seeking comments on making its collection of social media information permanent.

The proposal continues a trend of increased collection of social media identifiers. Customs and Border Protection recently requested comment on using social media identifiers to help vet individuals entering the United States. And last year, the Department of Homeland Security proposed implementing an insider threat database that would store social media information on DHS officials, employees, contractors, and other individuals associated with DHS. In both cases, very little information was provided about how that information would be used.

EPIC opposed the State Department initiative. In comments earlier this year, EPIC urged the agency to drop the plan. EPIC argued that the proposal threatened privacy and First Amendment rights, risked abuse, and would disproportionately impact minority groups. EPIC has repeatedly called attention to the harm that can come from social media monitoring. In EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC obtained nearly three hundred pages of documents detailing DHS monitoring of social media for stories and comments that "reflect adversely" on DHS or the U.S. government. EPIC also recently submitted a Freedom of Information Act request seeking information on plans to increase social media monitoring, including any potential plans to obtain passwords to social media accounts.

The public comment period is open until October 2, 2017.

4. FBI Issues Final Rule on Biometric Database, Exempts Itself From Privacy Act Protections

The FBI has released a final rule claiming several Privacy Act Exemptions for the Next Generation Identification System (NGI), a database that contains the biometric data of millions of Americans. The FBI's biometric database collects numerous biometric identifiers, including fingerprints, facial scans, and iris scans. Biometric data is collected on arrestees and people with records, as well as individuals with no connection to the criminal justice system. The FBI keeps biometric data for decades beyond the need to fulfill the stated purpose for which the data was originally collected.

EPIC had criticized the FBI's proposal to remove Privacy Act safeguards and urged the FBI to limit the scope of data collection and reduce the retention of data. The FBI's final rule would exempt the NGI database from the Privacy Act requirements of accuracy, relevancy and necessity, accounting disclosures, individual access to records, and civil remedies. EPIC argued that such broad exemptions will "increase the secrecy of the database and erode agency accountability." In issuing the final rule the FBI repeatedly stated that exemptions would be used responsibly and in accordance with FBI policies and procedures. However, a recent GAO report on the FBI's use of facial recognition has already found that the FBI has failed to update the public in a timely manner regarding the Bureau's expanding use of facial recognition.

EPIC previously sued the FBI for details about NGI. In the EPIC v. FBI FOIA case, EPIC obtained thousands of pages of documents that revealed that the NGI database contained an error rate of up to 20% on facial recognition searches. "Widespread deployment of facial recognition technology presents a number of significant privacy and security issues," EPIC wrote in its complaint. "Ubiquitous and near-effortless identification eliminates individuals' ability to control their identities, posing special risk to protestors engaging in lawful, anonymous free speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously. For these reasons, it is vital that the deployment of facial recognition technology be done in a transparent way to ensure adequate public oversight."

EPIC has long warned about the privacy implications of facial recognition technology and fought to place safeguards on its use by governments and businesses. EPIC has identified several problems with the NGI database in statements to Congressional oversight committees, which have indicated strong concern about the FBI's facial recognition program.

5. International Privacy Experts Adopt Statements on E-Learning, Intelligence Gathering

The International Working Group on Data Protection in Telecommunications has adopted new recommendations to improve privacy and security standards for e-learning platforms and government intelligence gathering.

The Berlin-based Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The Group has recently issued recommendations on issues ranging from mobile device location tracking to aerial surveillance.

The Working Paper on "E-Learning Platforms" highlights privacy risks of collecting student data in the classroom. The group cited concerns including use of students' data by private companies for non-academic purposes, and the potential "chilling effect" of tracking on children's creativity and expression. The IWG recommended that platforms "embed tools that enable effective exercise of the right to be forgotten" and that information be collected, used, and disclosed only insofar as "consistent with the context in which students provide data."

"Towards International Principles or Instruments to Govern Intelligence Gathering" recommends that DPAs participate in developing an international instrument governing intelligence activities. The Working Paper encourages authorities to promote principles concerning "Legitimacy," "Rule of Law," and "Oversight," and recommends they "support initiatives" to "identify, develop and share best practice governance and oversight" of intelligence activities.

In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. EPIC also previously hosted a meeting of the IWG in the spring of 2004.

EPIC Book Review: "Pinpoint"

Pinpoint: How GPS Is Changing Technology, Culture, and Our Minds, by Greg Milner

In Pinpoint, Greg Milner charts a course that takes us all the way from the Hawaiian Islands in the 1700s to a New York City street corner; from star charts to sophisticated satellites that have become both pervasive and indispensable. Milner's witty and clear narrative seamlessly weaves history, science, engineering, and culture into a fascinating tapestry that shows how deeply embedded the Global Positioning System ("GPS") has become in modern society. This book is especially relevant now that the U.S. Supreme Court is set to consider the Fourth Amendment privacy implications of location tracking in Carpenter v. United States.

The GPS system, like many modern innovations, was first developed for military applications. It is fascinating to follow Milner's tale of how GPS nearly died on the vine several times but survived through a mix of luck and deft leadership by some of its early proponents. The institutional forces that nearly shunted GPS before it was fully formed struggled to see any useful applications for the technology. That sentiment seems quaint halfway through the story, but by the end of Milner's book we realize how fundamentally short-sighted it was.

As Milner explains, GPS has not only developed into a robust global system for tracking time and position, it has become a "stealth utility." Milner tracks the role that GPS plays in nearly every segment of the modern economy, from farming to telecommunications to financial systems to transportation and even geology. And that ever-increasing dependence on GPS creates frightening new vulnerabilities. Milner makes a strong implicit case that GPS may have become a global critical infrastructure, which means that it will necessarily be a target.

Milner also explores the impact that this new universal mapping capability might be having on human psychology as well as human rights. Maps and spatial relationships are an important part of how our brains process and model the world around us, and Pinpoint explains that reliance on external positioning systems may very well change the way we see the world. The constant tracking of our movements also threatens autonomy and core constitutional and consumer privacy interests. Law enforcement agencies and private companies are increasingly deploying new methods to track and quantify our movements, and the fact that GPS is embedded into most modern systems means that tracking cannot simply be avoided.

Pinpoint is an enlightening read for anyone interested in the relationship between technology, policy, and culture. There is enough in this book to keep scientists, policymakers, and lawyers busy for many years. The book highlights the need for a more thoughtful approach to both infrastructure and the rights of citizens who use it. As Milner points out, tracking cannot be seen "purely as a social good," and its broader implications cannot be ignored.

-- Alan Butler

News in Brief

Pew Survey Explores the Future of Online Trust

The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.

House Releases Text of Automated Vehicle Bill, Would Preempt State Action

The House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill would prevent the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans; however, it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own.

UK Government Releases Statement of Intent Describing New Data Protection Bill

The UK has released a statement of intent describing a forthcoming bill that would make major revisions to the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC supported the GDPR and the right to be forgotten, has explained that IP addresses are personal data, and has warned of the risks of improperly "de-identified" data. EPIC recently filed a complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases.

Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things

A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), has introduced legislation to improve the security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government would be required to commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier. "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy--they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

September 25, 2017 - September 29, 2017
The 39th International Conference of Data Protection and Privacy Commissioners
Marc Rotenberg, EPIC President
Hong Kong

June 5, 2018
2017 EPIC Champions of Freedom Awards Dinner
Washington, DC
