EPIC Alert 24.17


1. 143 Million U.S. Consumers Suffer Massive Data Breach, Equifax at Fault

In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, were compromised. Credit reports typically include social security numbers, drivers' license information, and other personal data that make identity theft and financial fraud possible. Senator Mark Warner (D-VA) said that the breach "represents a real threat to the economic security of Americans."

On Wednesday, the Atlanta-based company revealed the source of the breach: a vulnerability in a security application that hackers were able to exploit to gain access to Equifax's database of personal data. Experts say this disclosure reveals that Equifax in fact knew of this vulnerability in March--a full two months before hackers gained access--but failed to update its security system. Three Equifax executives also sold company stock after the breach was discovered but before it was disclosed to the public. Equifax generated considerable outrage when it posted a mandatory arbitration clause on its website immediately after the breach. This clause requires any consumers signing up for free credit monitoring services in the wake of the breach to waive their rights to sue Equifax in court.

Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach.

EPIC supports stronger data breach laws. For years, EPIC has urged Congress to strengthen privacy protections and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the unique risk of data breaches in the financial services sector. Specifically, EPIC emphasized the need for mandatory breach notification procedures and data minimization procedures that require that companies collect less personal data and destroy the data they do collect as soon as possible. Last year, EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.

In an interview with NPR Marketplace on Monday, EPIC President Marc Rotenberg warned of the dangers of allowing a national data breach law to preempt stronger state laws, explaining that "if that national standard operates at a lower level than the protections that the states are currently offering, or discourages states from developing new protections that Washington hasn't thought of, that would be a mistake."

2. EPIC Seeks Details of Election Commission's Attempts to Obtain Personal Data

EPIC has submitted a series of urgent Freedom of Information Act requests seeking details of the Presidential Election Commission's most recent attempts to obtain sensitive, personal data. These requests were directed to the Department of Homeland Security (DHS), the Executive Office for U.S. Attorneys (EOUSA), and the Social Security Administration (SSA).

Though the Presidential Election Commission was established solely to "study the registration and voting processes used in Federal Elections," the Commission undertook in June to collect detailed voter histories from all fifty states and the District of Columbia. In July, EPIC filed a lawsuit seeking an injunction to block the Commission's demand for millions of state voter records. EPIC also demanded that the Commission conduct and disclose a Privacy Impact Assessment as required by Federal law before aggregating any personal voter data. EPIC's suit, which led the Commission to temporarily suspend collection of voter information, is now on appeal to the D.C. Circuit Court of Appeals.

During the Commission's first meeting on July 19, Vice Chair Kris Kobach tasked the Commission staff with "trying to collect whatever data there is that's already in the possession of the federal government that might be helpful to us," including data stored in federal agency record systems and protected under the Privacy Act. In particular, Kobach called for the collection of data from the DHS, the EOUSA, and the SSA. In response, EPIC has filed these FOIA requests to obtain greater transparency regarding the data sought by the Commission to subsequently respond appropriately and ensure privacy protection.

EPIC has also advised state election officials not to provide voter data until the Privacy Impact Assessment is completed. The Commission conducted a second meeting this week, at which EPIC Advisory Board member Ron Rivest spoke about improving the security of election infrastructure and verifying election results.

3. EPIC Obtains Final Report on "Face ePassport Air Entry Experiment"

EPIC has received a highly redacted final report on the use of facial recognition technology on travelers at the Washington Dulles International Airport. The report was obtained after EPIC first filed a Freedom of Information Act request and lawsuit against Customs and Border Protection (CBP) for documents about the agency's biometric entry/exit program, a program recently expedited by Executive Order 13769.

The report analyzes an experiment conducted at Dulles Airport in 2015. The report describes how travelers and CBP staff interacted with the facial recognition technology. The report does not address any of the privacy risks EPIC presented in its lawsuit.

EPIC has long argued that CBP's biometric entry/exit tracking system and techniques lack necessary privacy safeguards and maintains that the public should be fully informed about these systems. In a recent statement to the House Homeland Security Committee, EPIC warned that such "ubiquitous and near-effortless identification eliminates individuals' ability to control their identities." EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information.

EPIC has also extensively litigated airport screening techniques, including EPIC v. TSA, a case concerning airport body screening. Earlier this year, EPIC urged the TSA to consider privacy enhancing alternatives to biometric identification in its TSA Pre-check program, which shares its biometric information with the Federal Bureau of Investigation's Next Generation Identification database and the Department of Homeland Security. And in 2012, EPIC sued the FBI to obtain the Bureau's Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.

4. FTC Accepts Privacy Shield Settlement but Imposes No Penalties on Three Companies

The Federal Trade Commission has announced a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield but does not impose any penalty.

The Privacy Shield framework allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. It replaces the Safe Harbor arrangement, which was struck down by the European Court of Justice in 2015. The three cases brought by the FTC are the first that the commission has pursued under the Privacy Shield.

Though the settlement requires the offending companies to comply with FTC reporting requirements, it does not penalize them for falsely claiming certification to participate in the Privacy Shield. The settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained and does not require the companies to disgorge the data they fraudulently obtained.

EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. EPIC and other NGOs have urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights, does not provide sufficient data protection, and does not reflect changes in US law as required by the Schrems decision. EPIC has previously filed a Freedom of Information request to obtain the text of the Privacy Shield when negotiators failed to publish it in February 2016. The Commerce Department responded to the request by stating that "the record [EPIC] requested does not exist."

The FTC has published the consent agreement packages with Decusoft, LLC, Tru Communication, Inc., and Md7, LLC and is soliciting public comments on the proposed settlements. The deadline to file a comment is October 10, 2017.

5. House, Senate Automated Vehicle Bills Lack Adequate Privacy Protections

Congress has seen a raft of activity in recent weeks around automated vehicle legislation. The House passed the SELF DRIVE Act, while the Senate Commerce Committee released a draft of the AV START Act and held a hearing on self-driving trucks. Yet neither of the bills under consideration provides adequate privacy protections, and both would preempt state and local regulators from enacting stronger privacy rules.

Responding to widespread privacy concerns, the House bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill also supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws.

The Senate bill incorporates the National Highway Traffic Safety Administration's (NHTSA) revised guidance for automated vehicles, which encourages manufacturers to develop best practices to minimize cybersecurity risks. However, the NHTSA guidelines are voluntary and declare that the Federal Trade Commission is responsible for consumer privacy. Prior legislation such as the SPY CAR Act--introduced by Senator Blumenthal (D-CT) and Senator Markey (D-MA)--promulgated privacy rules rather than delegating all privacy matters to the FTC.

During the Commerce Committee's hearing on self-driving trucks, several Senators argued that the bill's security and privacy provisions were inadequate. The House bill does not apply to commercial vehicles, and the Senate is considering whether to make a similar carve-out in its own bill. Senator Blumenthal described the NHTSA guidelines as "anemic" and a "giveaway to the industry," calling for mandatory and robust rules. Senator Markey asked the panelists whether they thought mandatory rules should be developed to protect automated vehicles from cyberthreats and to safeguard drivers' privacy.

EPIC has been active in responding to cybersecurity and privacy threats posed by autonomous vehicles as well as automobile event data recorders ("black boxes"). In comments submitted to NHTSA, EPIC recommended strong privacy and safety standards for autonomous vehicles, calling on the agency to make the rules mandatory and allow states to pass stricter privacy laws.

News in Brief

EPIC Urges FTC to Strengthen Privacy Settlement With Uber

In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement were prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement.

EPIC Urges Senate to Establish Data Protection Standards For Financial Technologies

In advance of a hearing on financial technology, EPIC recommended that the Senate Committee establish privacy standards for financial companies that use social media and secret algorithms to make determinations about consumers. In light of the recent Equifax breach, EPIC proposed that the Committee make privacy and security its top priorities. Earlier this year, EPIC submitted a similar statement to the House Committee on Energy and Commerce. EPIC also recently filed a complaint with the CFPB regarding "starter interrupt devices" deployed by auto lenders to remotely disable cars when individuals are late on their payments. Professor Frank Pasquale also testified on "Exploring the Fintech Landscape."

EPIC, Groups Urge Greater Transparency for International Intelligence Arrangements

EPIC, Privacy International, and other groups called for increased transparency of U.S. intelligence arrangements. The groups explained that secret arrangements circumvent international human rights agreements and domestic law. The coalition asked the Senate and House Intelligence Committees and Judiciary Committees, as well as the Privacy and Civil Liberties Oversight Board, for information about their review of these arrangements. Earlier this year, EPIC warned Congress about a secret US-UK agreement for law enforcement access to personal data otherwise protected by law. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit.

EPIC Supports Continuation of CAN-SPAM Rule

EPIC has submitted comments to the Federal Trade Commission recommending the continued use of the CAN-SPAM Rule. The FTC is reviewing the CAN-SPAM Rule, which regulates the transmission of commercial e-mail messages and prohibits certain unlawful practices, as part of a periodic review of Commission rules. EPIC expressed support for the continuation of the Rule and proposed strengthening the Rule by implementing a domain name based "Do Not E-mail" list and making it easier for consumers to opt out of having their e-mails included in third-party e-mail lists. EPIC testified before the Senate in 2003 in support of the CAN-SPAM Act. EPIC regularly advocates for rules that protect consumers from harassing and annoying phone calls and e-mails.

Call For Papers - CPDP 2018 "The Internet of Bodies"

Computers, Privacy, and Data Protection, the leading international conference devoted to privacy and data protection, has opened a call for papers ahead of the 2018 conference. The conference theme is "The Internet of Bodies" and will be held on 24-26 January 2018 in Brussels. The CPDP2018 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP Scientific Committee. EPIC is one of the founders of CPDP and an annual sponsor of the event. The EPIC International Champion of Freedom Award will be presented at CPDP.

European Court of Human Rights Rules Employee Monitoring Violates Privacy Rights

The European Court of Human Rights has ruled that a company's dismissal of an employee based on monitored chat logs violates the fundamental right to privacy. In Barbulescu v. Romania, the Court found that the right to private life and correspondence in Article 8 of the European Convention on Human Rights protects workplace communications. As a result, employees are entitled to prior notice about the extent and type of monitoring their employer conducts. Last year, EPIC intervened in a case before the European Court of Human Rights challenging the activities of British and U.S. intelligence organizations. The casebook Privacy Law and Society (West 2016) explores a wide range of privacy issues, including recent decisions of the Court of Human Rights.

Court Rules California Police Can't Avoid Public Scrutiny of License Plate Reader Program

The California Supreme Court has ruled that the mass, indiscriminate collection of license plate data by California police cannot be shielded from public scrutiny. In response to an open records request by EFF and the ACLU of Southern California, Los Angeles area law enforcement attempted to prevent disclosure by claiming all license plate data were "investigative records." The court ruled that the license plate data of millions of law-abiding citizens was not an "investigative record." The Court stated: "It is hard to imagine that the Legislature intended for the records of investigations exemption to reach the large volume of data that plate scanners and other similar technologies now enable agencies to collect indiscriminately." EPIC filed an amicus brief in the public records case, arguing that "public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications.

Voting System Guidelines Under Review, Secret Ballot at Risk

The Election Assistance Commission technical committee met this week to review standards for voting equipment. Some members of the Technical Guidelines Development Committee have raised questions about the value of the secret ballot. Last year, EPIC, Verified Voting, and Common Cause explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot--the inability to link particular voters to particular votes--is a cornerstone of modern democracies. Most states (44) have constitutional provisions guaranteeing secrecy in voting. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. MIT Professor Ronald Rivest also spoke this week in support of ballot secrecy and election integrity at a meeting of the Presidential Commission on Election Integrity.

Federal Commission Backs Evidence-Based Policies, Strong Privacy Safeguards

The Commission on Evidence-Based Policymaking, which was tasked with studying whether and how data across the federal government could be combined for policy research while protecting privacy, has issued its final report. The Commission backs evidence-based policy, recommends new privacy safeguards including Privacy Enhancing Techniques, encourages broader use of statistical data, and recommends the creation of a National Secure Data Service. In testimony before the Commission, EPIC President Marc Rotenberg promoted both innovative privacy safeguards and well-informed public policy. EPIC also filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report earlier this year that examined how disparate federal data sources can be used for policy research while protecting privacy.

Medicare to Remove SSN from ID Cards

Earlier this year, the Centers for Medicare & Medicaid Services announced that the Social Security Number would be removed from the Medicare benefits card. Senators Susan Collins and Claire McCaskill led the effort in the Senate to remove the SSN, which contributed to identity theft and often targeted seniors. EPIC testified before their Senate Committee in 2015 on "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" EPIC explained that "there is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy." Since its founding, EPIC has sought to limit the use of the Social Security Number on identification documents.

Justice Department Exempts "Insider Threat" Database from Privacy Act Safeguards

The Department of Justice has issued a final rule on the "Insider Threat" database, a program that allows federal agencies to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Department of Justice exempted itself from Privacy Act safeguards that would limit the collection of personal data and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the Justice Department. EPIC also questioned whether that information would be adequately protected. The Justice Department responded to EPIC and acknowledged increases in data breaches in both the public and private sectors but stated that the agency had proper safeguards in place to guard against "anticipated threats."

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy--they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

"Nine Months of the New Business Voice in DC: Corporate Expectations and Economic Realities"
September 19, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, Washington, DC

Emerging Privacy Issues: A Dialogue Between NGOs & DPAs
September 25, 2017
Eleni Kyriakides, EPIC International Law Fellow
Public Voice, Hong Kong

"Defining Internet Universality Indicators"
September 27, 2017
Marc Rotenberg, EPIC President
UNESCO, Hong Kong

The 39th International Conference of Data Protection and Privacy Commissioners
September 28, 2017
Marc Rotenberg, EPIC President
ICDPPC, Hong Kong

"Human Rights and Encryption"
September 29, 2017
Marc Rotenberg, EPIC President
UNESCO, Hong Kong

Film and Performances "Digital Eye"
October 16-17, 2017
Marc Rotenberg, EPIC President
Blind Whino, Washington, DC

Nordic Privacy Arena
October 23, 2017
Marc Rotenberg, EPIC President
Data Protection Forum, Stockholm, Sweden

"AI: Intelligent Machines, Smart Policies"
October 27, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

"The Convergence of Man and Machine"
November 6, 2017
Marc Rotenberg, EPIC President
Techonomy, Half Moon Bay, California

"Going Digital"
November 20, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

"Tech Triumph or Bloated Bubble: Innovation, Investors & Industrial Transformation"
December 14, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, New York, NY

2018 EPIC Champions of Freedom Awards Dinner
June 5, 2018
Washington, DC
