EPIC Alert 24.19

1. Consumer Groups Ask Safety Commission to Recall Google Home Mini

EPIC and a coalition of leading consumer groups wrote a letter to the Consumer Product Safety Commission last week asking it to recall the Google Home Mini “smart speaker.” The device contains a serious defect that causes it to spy on its users. The defect concerns the touchpad on the Google device, which is permanently set to “on” so that it records all conversations without a consumer’s knowledge or consent. 

Normally, a smart speaker is only supposed to be activated by a “wake word” such as “OK Google” or when the user presses the device’s button. But a security researcher discovered that the device was turning on automatically and recording all of his conversations. Google was unable to fix the problem, and so it sent out a software patch to permanently disable the touchpad.

EPIC and other consumer groups urged the CPSC to undertake a recall of the device, explaining that “[t]his is a classic manufacturing defect that places consumers at risk.” Although privacy concerns are different from traditional product defects, the coalition letter urged that “as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond.” The consumer groups also asked the CPSC to enforce the “Duty to Report to CPSC” against manufacturers of “IoT” devices.

Home devices that have become increasingly connected to the internet pose a particular risk to consumers. Cybersecurity experts have warned of an “Internet of Broken Things” that is vulnerable to cyber-attacks. The coalition letter emphasized that “manufacturers—not consumers—must bear the responsibility to ensure the products that they offer for sale are safe for use by consumers.”

EPIC has devoted significant efforts to addressing the privacy and security risks raised by the “Internet of Things.” EPIC has urged the Federal Trade Commission and the Department of Justice to investigate “always on” devices, such as Amazon Echo and Siri, that may violate federal wiretap laws by recording and storing users’ private conversations. EPIC has filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice. EPIC and a coalition of consumer groups also pursued a complaint last year about My Friend Cayla, an Internet-connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation, and toy stores across Europe removed the doll from their shelves.

2. EPIC Renews Lawsuit Against Presidential Election Commission to Protect Voter Data

EPIC has filed a revised complaint against the Presidential Election Commission, charging that the Commission has violated federal law by collecting state voter data without a required Privacy Impact Assessment and misrepresented its legal status.

The Commission has claimed that, unlike every other federal agency, it can collect sensitive personal data without a privacy assessment. But EPIC's new complaint, following revelations by the Commission itself, makes clear that the Commission is part of the General Services Administration (GSA), which must complete Privacy Impact Assessments. “These facts and admissions contradict prior representations by Defendants upon which this Court has relied,” EPIC wrote. “Defendants have at no time disclosed to the Court the existence of a GSA officer with authority over the Commission or otherwise acknowledged that the Commission is under the legal control of the GSA.”

EPIC also highlighted to the court misrepresentations made by the Commission in earlier proceedings. “[EPIC’s] proposed amendments would be unnecessary had Defendants been forthright and consistent about the Commission’s agency status from the beginning,” EPIC wrote. “Defendants have instead endeavored to avail themselves of agency status when it suits them, invoking agency legal protections and relying on agency legal frameworks, even as they deny that same status in order to evade judicial review in this case.”

EPIC's original lawsuit forced the Commission to suspend the collection of voter data in July. The case is EPIC v. Commission, No. 17-1320, and the related appeal is EPIC v. Commission, No. 17-5171. The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017.

3. EPIC Sues Department of Homeland Security for Release of Russian Interference Records

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. In March, EPIC submitted a FOIA request to the DHS seeking disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC’s suit challenges the DHS’s failure to make a timely decision concerning that request.

The U.S. Intelligence Community has concluded that Russia carried out a multi-pronged campaign to interfere in the 2016 U.S. Presidential Election to “undermine public faith in the U.S. democratic process,” demonstrating “significant escalation” in Russian activities. Earlier this year, the DHS designated state election systems as critical infrastructure and published a Joint Analysis Report with the Federal Bureau of Investigation acknowledging Russian interference with U.S. election systems.

In June, during an open hearing before the Senate Select Committee on Intelligence, a DHS cybersecurity official confirmed for the first time that “election-related systems in 21 states were targeted” by Russian cyber actors during the 2016 election cycle. In September, the DHS directed its departments and agencies to stop using software made by the Russian cybersecurity firm Kaspersky Lab, stating, “the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

The DHS has had a key role in the federal response to Russian interference, yet the DHS has not provided any significant new information to the American public about the extent of that interference. H.Res. 235, a bill sponsored by Rep. Bennie Thompson (D-MS), would have directed the DHS to provide the same information sought by EPIC’s FOIA request to Congress. The bill, however, was blocked by the House Homeland Security Committee.

EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records).

4. EPIC Defends Privacy in Case Concerning hiQ Labs "Scraping" of Personal Data

EPIC has filed an amicus brief in hiQ Labs, Inc. v. LinkedIn Corp., a case about whether a court can compel a professional networking platform to give a third-party data mining company access to users’ profile information. HiQ Labs is a company that collects (or “scrapes”) data from LinkedIn users’ profiles. From this data, hiQ creates profiles of those users and sells the data to employers, including predictions of employee recruitment and summaries of employee skills.

After LinkedIn sent hiQ a letter claiming that the company’s data collection violated the Computer Fraud and Abuse Act, hiQ filed a preemptive lawsuit and sought an injunction that would ensure access to the LinkedIn profile data. The lower court granted the injunction, ordering LinkedIn to provide hiQ access to users’ “public” profile data.

EPIC filed an amicus brief to defend LinkedIn users’ privacy interests, which were inadequately represented and considered in the case. EPIC argued that “the lower court has undermined the fiduciary relationship between LinkedIn and its users.” EPIC also said that the order is “contrary to the interests of individual LinkedIn users” and contrary to the public interest “because it undermines the principles of modern privacy and data protection law.” The central purpose of modern privacy law is to ensure the ability of individuals to control the collection and use of their personal data held by others. 

EPIC routinely participates as amicus curiae in cases concerning consumer privacy before the United States Supreme Court and federal circuit courts. EPIC recently filed an amicus brief in Smith v. Facebook arguing that Facebook users do not consent to Facebook’s collection of medical data from third-party websites. In In re Nickelodeon Consumer Privacy Litigation, EPIC argued that unique persistent identifiers are “personally identifiable information” under the Video Privacy Protection Act.

5. EPIC, Open Government Groups Call for Release of Trump's Tax Returns

EPIC and a coalition of leading open government organizations have urged the Joint Committee on Taxation and the IRS Commissioner to release Donald Trump's tax returns to correct numerous misstatements of fact concerning the President's taxes and financial ties to Russia.

Though the Internal Revenue Code establishes as a “general rule” that tax “[r]eturns and return information shall be confidential,” the Code sets out numerous exceptions under which disclosure of tax records is appropriate. One of those exceptions is 26 U.S.C. § 6103(k)(3), which gives the Joint Committee on Taxation and the IRS Commissioner the authority to release tax records to “correct misstatements of fact” and to ensure the integrity and fairness of the tax administration system. At one point the IRS used this authority ten times in a single year.

Donald Trump has made many statements about the contents of his tax returns that have been directly contradicted by his attorneys, members of his family, and leading news organizations. He has repeatedly denied financial ties to Russia, stating for example: "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." But in 2008, Donald Trump, Jr. stated that “Russians make up a pretty disproportionate cross-section of a lot of our assets. . . . We see a lot of money pouring in from Russia.” The Washington Post reported last year that “[s]ince the 1980s, Trump and his family members have made numerous trips to Moscow in search of business opportunities, and they have relied on Russian investors to buy their properties around the world.”

As EPIC has argued, the release of President Trump’s tax records is necessary to determine the extent of Russian interference with the 2016 Presidential election and to ensure that the U.S. government takes necessary steps to safeguard political institutions against future attack. EPIC is pursuing a lawsuit against the IRS after the agency failed to release Trump's tax records in response to a FOIA request. EPIC v. IRS is now pending before the D.C. Circuit Court of Appeals.

Book Review: “The Poverty of Privacy Rights”

“The Poverty of Privacy Rights,” by Khiara M. Bridges

In The Poverty of Privacy Rights, Khiara M. Bridges uses the stories of poor mothers to demonstrate how the law deprives them of privacy rights. Through a step-by-step analysis, Bridges argues that poor mothers have been deprived of effective privacy rights—and indeed that poor mothers are not the bearers of privacy rights at all. Bridges highlights the legal and morally constructed cultural norms that enable disparate enforcement of privacy protections in the United States, challenging readers to question the constitutional standing of privacy as a right and what the maldistribution of privacy protections says about our democracy.

The Poverty of Privacy Rights completely dismantles the notion that poor mothers “trade” privacy for public benefits. Bridges describes in detail how poor mothers—caught between public benefit organizations (like Medicaid and WIC) and enforcement agencies (like Child Protective Services)—are deprived of any choice as to whether they will disclose intimate personal information to the state or whether they will deny the state access to their bodies and homes without risk of losing their children.

By dismantling the idea that poor mothers willingly trade their privacy for public benefits, Bridges opens space for a deeper understanding of the morally condemning and racially informed ways in which poor mothers are deprived of privacy rights. In that space, Bridges draws compelling parallels between the denial of poor mothers’ agency in the privacy sphere and the “informal disenfranchisement” of Black Americans’ voting rights during the Jim Crow era. Bridges also explains how this contemporary denial represents a rights void similar to what existed in the LGBT community before Obergefell v. Hodges established that the constitutional right to marry extends to same-sex couples.

The Poverty of Privacy Rights highlights gaps in the privacy community’s understanding of rights and illustrates a fundamental denial of autonomy to a large group of women on the basis of their class and reproductive status. Bridges artfully incorporates narrative and research informed by her previous ethnographic work Reproducing Race. The Poverty of Privacy Rights shifts the rights narrative to highlight the reality that there is still a long way to go to ensure that privacy is realized as a right for all to enjoy.

—Siri Nelson

News in Brief

In Senate Testimony, EPIC Calls for Reform of Credit Reporting Industry

EPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft.

Supreme Court to Review Two Cases on Communications Privacy

The Supreme Court has agreed to review United States v. Microsoft, a landmark case about whether the U.S. government can force email providers to turn over users’ private messages that are stored outside of the United States. The government claims that the Electronic Communications Privacy Act allows investigators to demand emails from all over the world, in violation of national privacy laws. A federal appeals court rejected the government’s arguments last year and ruled that Microsoft was not required to hand over emails that the company stores in Ireland. The Supreme Court has also agreed to review Dahda v. United States, a related case about whether the Fourth Amendment allows the government to use evidence obtained through an unlawful court order. Both cases are expected to be argued in early 2018. EPIC regularly files amicus briefs in privacy cases before the Supreme Court, including recently in Carpenter v. United States, Packingham v. North Carolina, and Utah v. Strieff.

European High Court to Consider Future of Personal Data Transfers to US

The European Court of Justice will now hear a second case on legal protections for personal data sent from Europe to the United States. Data Protection Commissioner v. Facebook considers whether Facebook’s transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The Irish High Court ruled earlier this month that there are “well-founded concerns that there is an absence of an effective legal remedy in U.S. law” and referred the matter to the high court of Europe. The case in Ireland follows the landmark 2015 decision Schrems v. DPC, which found insufficient legal protections for the transfer of data to the United States. In the Irish case, Max Schrems, an Austrian privacy advocate, challenged Facebook’s transfer of personal data to the U.S. under “standard contractual clauses.” EPIC was designated the U.S. NGO amicus curiae in DPC v. Facebook, and provided a detailed assessment of U.S. privacy law. EPIC was represented before the Irish court by FLAC (Free Legal Advice Centres), an independent human rights organization based in Dublin.

EPIC Urges Congress To Hold Equifax Accountable, Update Data Protection Law

EPIC has sent statements to Congress ahead of hearings in the House and Senate on the Equifax data breach. EPIC underscored the risk to American consumers of data breaches which are increasingly severe. EPIC urged Congress to require prompt data breach notification, data minimization, and privacy enhancing techniques. In 2011 EPIC testified in the House and Senate on data breaches in the financial services sector. EPIC President Marc Rotenberg recently outlined in the Harvard Business Review steps Congress should now take to protect American consumers. 

EPIC, Coalition Call for End to Warrantless Section 702 Searches of Americans' Data

EPIC and a coalition of over 50 organizations called on lawmakers to require federal agencies to obtain a probable cause warrant before searching foreign intelligence databases for information about U.S. citizens and residents. Section 702 of the Foreign Intelligence Surveillance Act allows agencies - without a warrant and in a broad range of circumstances - to search for information about Americans among communications collected for foreign intelligence purposes. In a letter to leaders of the House Judiciary Committee, the groups explained that this practice "undermine[s] constitutional protections create an unacceptable loophole to access Americans' communications in criminal and foreign intelligence investigations alike." EPIC and a coalition also recently urged Director of National Intelligence Dan Coats to uphold a promise to give a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. EPIC is currently pursuing a Freedom of Information Act request for a government report to the Foreign Intelligence Surveillance Court about FBI searches of Section 702 data for domestic criminal investigations.

EPIC Asks Senate to Enforce Privacy Safeguards for “Dreamers”

EPIC warned the Senate Judiciary Committee that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals. According to EPIC, the Department of Homeland Security has failed to ensure that DACA applicants' information will be used exclusively for the purpose for which it was disclosed, as set out in the 2012 privacy impact assessment. EPIC urged the Committee to uphold Privacy Act safeguards for DACA applicants.

EPIC Urges House to Strengthen U.S. Privacy Laws for Cross Border Data Flows

EPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of "Privacy Shield," the current data transfer scheme between the U.S. and EU.

EPIC Recommends Measures to Protect Seniors from Robocalls

EPIC sent a letter to the Senate Committee on Aging in advance of a hearing on robocalls and fraud against seniors. EPIC explained that "criminals target senior citizens, believing they are wealthy and will be unable to detect crime or report that a crime has occurred." In comments to the FCC earlier this year, EPIC expressed support for regulations that would allow the blocking of unsolicited calls from invalid numbers. EPIC told the Committee that the FCC rule could protect seniors and other consumers from predatory robocalls.

EPIC Obtains Documents about DARPA's "Brandeis" Program

EPIC has received documents about the Defense Advanced Research Projects Agency's (DARPA) Brandeis Program, following a 2015 FOIA request. According to the agency, the program is intended to "research and develop tools for online privacy." EPIC obtained over 1,100 pages of documents about the Program. The documents include email communications (parts 1, 2, 3), budget appropriation justifications for fiscal years 2015 (parts 1, 2) and 2016 (parts 1, 2), as well as the names of contract awardees. According to the documents obtained by EPIC, the program provided $75 million over 4.5 years. Contract recipients include UC Berkeley, UC Irvine, MIT, Carnegie Mellon University, Raytheon, SRI International, Stealth Software Technologies, and Galois.

Connected Vehicles Bill Moves Forward in Senate, Privacy Reporting Added

The Senate Commerce Committee has favorably reported the "AV START Act," a bill that aims to facilitate the deployment of connected vehicles. The Committee adopted Senator Edward Markey's (D-MA) amendment that directs the National Highway Traffic Safety Administration to create a publicly accessible database to determine the personal data collected by connected cars, how that information is used, data minimization and retention practices, security measures, and privacy policies of car manufacturers. EPIC has long supported privacy protections for automated vehicles.

House Bill Expands Drone, Biometric, Communications Tracking at Border

The House Homeland Security Committee passed H.R. 4548, the "Border Security for America Act," which would dramatically expand surveillance capabilities along the northern and southern borders of the U.S. The bill seeks “to achieve situational awareness and operational control of the border,” with unmanned aerial vehicles (drones), radar surveillance systems, license plate readers, and biometric databases. The Border Security Act would establish a biometric exit data system at U.S. airports, seaports, and land ports. Biometric data would be combined with other Federal databases. The Privacy Act normally limits the government’s ability to collect personal data, but this bill would exempt the Department of Homeland Security from compliance with the Privacy Act. Previous EPIC FOIA lawsuits have revealed that border surveillance by drones would capture imagery, data, and wifi data of U.S. citizens.

Mattel Cancels "Aristotle," an Internet Device that Targeted Children

Mattel will scrap its plans to sell Aristotle, an Amazon Echo-type device that collects and stores data from young children. The Campaign for a Commercial-Free Childhood sent a letter and 15,000 petition signatures to the toymaker, warning of privacy and childhood development concerns. CCFC said that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices." Senator Markey (D-MA) and Representative Barton (R-TX) also chimed in, demanding to know how Mattel would protect families' privacy. EPIC backed the CCFC campaign and urged the FTC in 2015 to regulate "always-on" Internet devices. A pending EPIC complaint at the FTC concerns the secret scoring of young athletes.

No Plans to Target Dreamers Using DACA Data

A Department of Homeland Security official told the Senate Judiciary Committee earlier this month that the agency has no "plans to target any Dreamers based on any information [they] have received." James McCament, Acting Director of Immigration Services, said that DHS will adhere to the 2012 Privacy Impact Assessment, which limits the use of personal data obtained from DACA applicants. EPIC earlier recommended that DHS comply with the Privacy Impact Assessment and the federal Privacy Act.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Film and Performances "Digital Eye"
October 16-17, 2017
Marc Rotenberg, EPIC President
Blind Whino
Washington, DC

Nordic Privacy Arena
October 23, 2017
Marc Rotenberg, EPIC President
Data Protection Forum, Stockholm, Sweden

AI: Intelligent Machines, Smart Policies
October 27, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

The Convergence of Man and Machine
November 6, 2017
Marc Rotenberg, EPIC President
Techonomy, Half Moon Bay, California

Going Digital
November 20, 2017
Marc Rotenberg, EPIC President
OECD, Paris, France

Tech Triumph or Bloated Bubble: Innovation, Investors & Industrial Transformation
December 14, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, New York, NY

2018 EPIC Champions of Freedom Awards Dinner
June 5, 2018
Washington, DC
