EPIC Alert 24.16

1. Following EPIC Complaint, Uber Agrees to Stop Tracking Riders

After an EPIC complaint concerning Uber's privacy practices, Uber has entered into a consent agreement with the Federal Trade Commission and ended a controversial program that tracked riders.

EPIC's complaint, filed in 2015, charged that Uber's system of tracking users and gathering contact details was an unlawful and deceptive trade practice that "far exceed[ed] what customers expect from the transportation service." The complaint also highlighted Uber's history of misusing customer data and urged the Commission to take action to protect consumers.

For example, Uber recorded the location of users before and after they were picked up and allowed Uber employees to access rider data. Uber had initially represented that users could opt out of this location tracking, yet Uber customers with Android devices were unable to disable the feature. Uber's lax data protection practices also led the company to suffer a data breach in the spring of 2014, which it failed to notify users of until February 2015.

The new FTC consent agreement prohibits Uber from misrepresenting how it monitors access to customer data and how it secures that data; requires Uber to implement a comprehensive privacy program; and mandates that Uber undergo independent third-party audits certifying that the Uber privacy program meets the terms imposed by the FTC. Less than two weeks after the consent agreement was disclosed, Uber also announced that it would end its tracking of customers when they are not using the app.

But EPIC President Marc Rotenberg explained that the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," Rotenberg said.

EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. Most recently, EPIC filed a complaint with the FTC to stop Google from tracking in-store purchases.

2. EPIC Appeals Voter Data Privacy Decision

EPIC has appealed a federal district court ruling that allowed the Presidential Election Commission to move forward with a controversial plan to gather state voter data in a White House database.

EPIC's appeal, which is being heard on an expedited basis, urges the U.S. Court of Appeals for the D.C. Circuit to reverse the district court's decision and to halt the Commission's nationwide collection of personal data. Though the Commission suspended collection of voter information in July in response to EPIC's lawsuit, the district court declined EPIC's request to block the Commission's plan indefinitely.

In an opening brief filed this month, EPIC told the appeals court that the Commission had an obligation to undertake a Privacy Impact Assessment before amassing voters' personal information. "Federal agencies are required to undertake extensive Privacy Impact Assessments prior to data collection to mitigate privacy risks," EPIC explained. "In some instances, a Privacy Impact Assessment may yield the conclusion that the program proposed is simply too risky to pursue. In other instances, a PIA will lead to refinements and improvements."

"Yet despite the well documented dangers to the privacy of Americans, a government authority established by the President undertook to collect state voter records from state election officials across the country without first completing the required Privacy Impact Assessment," EPIC added. "This is an exercise of government authority, subject to the Administrative Procedure Act, that is contrary to law and must be enjoined."

EPIC has challenged the Commission's collection of voter data on multiple fronts. EPIC's lawsuit followed a letter from 50 voting experts and 20 privacy organizations urging state election officials to oppose the Commission's demand. And EPIC has submitted urgent FOIA requests to the General Services Administration, the Election Commission, and the Arkansas Secretary of State for information about the production of voter data to the federal Commission.

The Commission's response to EPIC's brief is due September 15, and oral argument is expected to be heard this fall. EPIC's appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir. filed July 27, 2017). EPIC's original case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017).

3. EPIC Amicus - Ninth Circuit Upholds Consumers' Right to Sue for Privacy Violations

The Ninth Circuit U.S. Court of Appeals ruled this month that consumers have the right to file suit when companies report inaccurate credit information about them. The Ninth Circuit joins several other federal appeals courts in upholding consumers' ability to sue corporations for privacy violations.

Spokeo, the "people search" website, argued that it couldn't be sued for publishing false information because there was no "concrete" harm. The case went to the Supreme Court, where EPIC filed an amicus brief urging the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." On closer consideration, the Ninth Circuit concluded that companies can't duck the legal consequences when they violate laws that "protect consumers' concrete interests"--including their right to privacy.

"[G]iven the ubiquity and importance of consumer reports in modern life--in employment decisions, in loan applications, in home purchases, and much more--the real-world implications of material inaccuracies in those reports seem patent on their face," the Court wrote. "[I]t makes sense that Congress might choose to protect against such harms without requiring any additional showing of injury. The threat to a consumer's livelihood is caused by the very existence of inaccurate information in his credit report and the likelihood that such information will be important to one of the many entities who make use of such reports."

"Courts have long entertained causes of action to vindicate intangible harms caused by certain untruthful disclosures about individuals, and we respect Congress's judgment that a similar harm would result from inaccurate credit reporting," the Court added.

EPIC regularly files amicus briefs defending consumer privacy and filed several amicus briefs after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

4. Supreme Court of India Rules Privacy is a Fundamental Right

India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous decision, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "informational privacy is a facet of the right to privacy" and that modern privacy risks are caused by both the public and private sector.

The ruling may impact significant cases pending in India, including a challenge to Aadhaar (India's massive biometric identification system) and a suit over changes to WhatsApp's privacy policy. Aadhaar is the world's largest biometric database with over a billion people enrolled. The biometric information in the database includes fingerprints, facial images, and iris scans. The centralized collection of biometric information by the Indian government raises numerous threats to privacy including profiling, self-censorship, and data breaches.

WhatsApp's ability to share user information with Facebook, which bought the company back in 2014, is currently being challenged in the Indian Supreme Court. Ironically, the government argues in the case that WhatsApp's sharing of subscriber information with Facebook is a privacy violation. India's Supreme Court ruling that privacy is a fundamental right is not only expected to impact challenges to Aadhaar and WhatsApp's privacy policy change, but also laws that currently infringe on an individual's freedom of choice and expression.

In 2009, NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the U.S. Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.

5. Privacy in the States: Consumer Protection in N.J., Geolocation Privacy in Illinois

The New Jersey Personal Information and Privacy Protection Act was signed into law last month. The Act protects consumer information by limiting the purposes for which a merchant may scan a consumer's government-issued identification card and sets data retention rules for data obtained via an ID scan. If a merchant scans a card to verify identity or age, it may not retain the card data. If a card is scanned for another permitted purpose, such as opening a credit account, the merchant may retain the data, but it must be "securely stored." Merchants are prohibited from disclosing any information obtained via an ID card scan to third parties. The law also creates a private right of action: merchants are subject to penalties of up to $2,500 for the first offense and $5,000 for subsequent offenses.

In Illinois, the Legislature has sent the Illinois Geolocation Privacy Protection Act to Governor Rauner's desk. If signed, it would be the first state geolocation privacy protection law in the country. The Act prohibits private entities from collecting, using, storing, or disclosing geolocation information without obtaining "affirmative express consent" after providing individuals with notice that: (1) informs the person that his or her geolocation information will be collected, used, or disclosed; (2) informs the person in writing of the specific purposes for which his or her geolocation information will be collected, used, or disclosed; and (3) provides the person a hyperlink or easily accessible means to access their data. There is no private right of action in the bill, but the Act would be enforced by the Illinois Attorney General.

After Congress rescinded the FCC's broadband privacy rules, several state and local governments have stepped forward with legislation to protect broadband users. Many of the proposed laws would require internet service providers to obtain affirmative consent before the ISPs would be allowed to collect, use, or disclose their subscribers' personal information. The National Conference of State Legislatures is tracking developments on related legislation.

EPIC's State Policy Project monitors state privacy issues nationwide.

News in Brief

EPIC v. IRS: District Court Rules IRS May Withhold Trump Tax Records

A federal court in Washington, DC has ruled that the IRS may withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia. The President, for example, tweeted: "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING!" However, the Court ruled that "until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attack. EPIC will continue to pursue the release of President Trump's tax records and related evidence of financial relations with the Russian government.

EPIC FOIA: EPIC Seeks Details of ICE, Palantir Deal

EPIC has submitted a Freedom of Information Act request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. The federal agency contracted with the Peter Thiel company to establish vast databases of personal information, and develop new capabilities for searching, tracking, and profiling. EPIC is seeking the ICE contracts with Palantir, as well as training materials, reports, analysis, and other documents. The ICE Investigative Case Management System and the FALCON system now connect personal data across the federal government, oftentimes in violation of the federal Privacy Act. The Intercept reported that FALCON "will eventually give agents access to more than 4 billion 'individual data records.'" In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers. EPIC continues to advocate for greater transparency in computer-based decision making.

Federal Appeals Court Rules Data Breach Case May Proceed

A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins.

Court Criticizes Presidential Election Commission for Withholding Documents from the Public

A federal judge in Washington, DC expressed disbelief this week at the Presidential Election Commission's failure to disclose documents from the July 19 inaugural public meeting. The Commission failed to make available to the public the meeting agenda and a 381-page "voter fraud" report prepared by a special interest group that was circulated privately to Commission members. Speaking at a court hearing, the federal judge overseeing the case criticized the Commission for failing "to live up to the government's representations," about transparency. The Commission is attempting to assemble a nationwide database of voter data over the objections of state election officials. But earlier this summer, the Commission suspended collection of voter data in response to a lawsuit brought by EPIC. EPIC's case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals.

Appeals Court Rules in Case that Aligns Privacy and Freedom of Information

A federal appeals court has ruled in an open government case with implications for informational privacy. The court concluded that "there may be a basis for redaction" of personal information in government records "where disclosure would likely result in threats, harassment, and violence." EPIC filed an amicus brief in the case arguing that withholding personal information safeguards open government and is constitutionally required. "Open government laws and privacy laws are complementary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T.

Trump Nominee to Head Privacy Board Favors Warrantless Surveillance

Donald Trump has nominated Adam Klein to head the Privacy & Civil Liberties Oversight Board (PCLOB). Klein, a senior fellow at the Center for a New American Security, recently testified that Congress should not require agencies to obtain a court order to query data collected under Section 702 of the Foreign Intelligence Surveillance Act, facilitating warrantless surveillance. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC recently urged the Senate Judiciary Committee to restore PCLOB to full strength.

Justice Department Withdraws Demand for Disruptj20 Visitor Logs

Facing public outrage, the Department of Justice has rescinded a demand for over 1.3 million IP logs associated with Inauguration Day protests. DreamHost challenged the warrant, which required the web hosting service to turn over practically all records about disruptj20.org, a protest website. The Justice Department warrant could have identified protestors, threatened First Amendment protections, and violated the Fourth Amendment. After widespread opposition, the DOJ narrowed the demand to exclude visitor logs and unpublished content, such as posts and emails. EPIC opposed the DOJ's demand as it had in an earlier case involving Google search histories. EPIC also recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to access information online free of government surveillance.

2018 Intelligence Authorization Reflects Concerns About Russian Hacking

In the proposed intelligence reauthorization for 2018, the Senate has included provisions reflecting widespread concern about the Russian interference in the 2016 election. Among other requirements, S. 1761 mandates a report to Congress detailing the past cyberattacks on election infrastructure and the risk of future attacks, as well as a report assessing the intelligence community response to the attacks. The bill also gives the intelligence community 90 days to develop a strategy to counter the threat of future Russian cyberattacks. And the bill requires the Director of National Intelligence to submit to Congress a report assessing the "threat of Russian money laundering to the United States." EPIC raised similar concerns in a series of leading open government cases concerning the Russian interference. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attacks and has obtained the FBI Notification Procedures that should have been followed after a cyberattack. In EPIC v. ODNI, EPIC is seeking the release of the complete intelligence report on the scope of the Russian attack. And in EPIC v. IRS, EPIC is seeking to obtain the public release of Donald Trump's tax returns.

Appeals Court OKs Collusive Google Privacy Settlement

A divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don't protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy--they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

"Nine Months of the New Business Voice in DC: Corporate Expectations and Economic Realities"
September 19, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, Washington, DC

Emerging Privacy Issues: A Dialogue Between NGOs & DPAs
September 25, 2017
Marc Rotenberg, EPIC President
Public Voice, Hong Kong

"Defining Internet Universality Indicators"
September 27, 2017
Marc Rotenberg, EPIC President
UNESCO, Hong Kong

The 39th International Conference of Data Protection and Privacy Commissioners
September 28, 2017
Marc Rotenberg, EPIC President
ICDPPC, Hong Kong

"Human Rights and Encryption"
September 29, 2017
Marc Rotenberg, EPIC President
UNESCO, Hong Kong

Nordic Privacy Arena
October 23, 2017
Marc Rotenberg, EPIC President
Data Protection Forum, Stockholm, Sweden

"AI: Intelligent Machines, Smart Policies"
October 27, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

"The Convergence of Man and Machine"
November 6, 2017
Marc Rotenberg, EPIC President
Techonomy, Half Moon Bay, California

"Going Digital"
November 20, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

"Tech Triumph or Bloated Bubble: Innovation, Investors & Industrial Transformation"
December 14, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, New York, NY

2018 EPIC Champions of Freedom Awards Dinner
June 5, 2018
Washington, DC
