EPIC Alert 24.20
EPIC Alert 24.20 - October 31, 2017
- At OECD, EPIC Renews Call for Algorithmic Transparency
- EPIC Urges Congress, GSA to Suspend Collection of State Voter Data
- EPIC Opposes Social Media Data Collection by CBP
- As Senators Back FISA Spying Reforms, EPIC and Coalition Call for Public Hearings
- Presidential Memo Promotes Local Drone Regulations, Drone Committee Meets in Secret
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
Speaking at the Organization for Economic Co-Operation and Development (OECD) conference “AI: Intelligent Machines, Smart Policies,” EPIC President Marc Rotenberg urged support for Algorithmic Transparency, the principle that data processes impacting individuals must be made public. Held on October 26-27, 2017 in Paris, France, the OECD conference on artificial intelligence (AI) brought together policymakers, AI experts from industry and academia, and representatives from civil society to discuss AI developments, applications, and public policy considerations.
"We must establish this principle of accountability as the cornerstone of AI policy," Mr. Rotenberg told the conference’s closing session. Mr. Rotenberg emphasized the need to focus on the impact of AI on the public and public institutions, as AI-derived effects could lead down an unsustainable path of polarization and inequality. Mr. Rotenberg was one of several speakers to appear at the closing session along with Anna Byhovskaya (Policy Advisor, Trade Union Advisory Committee on the OECD), Nicole Primmer (Senior Policy Director, Business at OECD), and Clara Neppel (Senior Director, IEEE European Office, Internet Technical Advisory Committee Representative).
Mr. Rotenberg previously spoke in support of Algorithmic Transparency at the 2014 OECD Global Forum for the Knowledge Economy in Tokyo, explaining that companies are too secretive about what they collect and how they use personal data. EPIC is now working with OECD member states, NGOs, business groups, and technology experts on the development of an AI policy framework, similar to earlier OECD policy frameworks on privacy, cryptography, and critical infrastructure protection.
EPIC has promoted Algorithmic Transparency for many years and has litigated several cases related to AI. These include EPIC v. FAA, which EPIC filed against the Federal Aviation Administration for failing to establish privacy rules for commercial drones; EPIC v. CBP, in which EPIC successfully sued U.S. Customs and Border Protection for documents relating to its use of secret, analytic tools to assign “risk assessments” to travelers; and EPIC v. DHS, a suit to compel the Department of Homeland Security to produce documents related to a program that assesses “physiological and behavioral signals” to determine the probability that an individual might commit a crime.
In a letter to a Senate oversight committee, EPIC urged Congress and the incoming Administrator of the General Services Administration to block the Presidential Election Commission from collecting state voter data. As EPIC recently explained in a case before a federal judge in Washington, DC, the Commission is part of the GSA and must comply with that agency’s obligation to conduct a Privacy Impact Assessment prior to the collection of personal data.
“The very last thing that the Senate Committee or the incoming GSA Administrator should tolerate is a federal entity that seeks to avoid legal obligations to protect the privacy of Americans," EPIC wrote. EPIC also warned the Committee that “the Commission’s collection of voter data without the requisite Privacy Impact Assessment endangers the privacy of voters and jeopardizes the integrity of the U.S. election system.”
Meanwhile, the Government Accountability Office announced last week that it will conduct an investigation into the activities of the Commission. The decision follows a letter by three senators urging the GAO to launch a probe and warning that the Commission’s lack of transparency will “unnecessarily diminish confidence in our democratic process.” Among the issues raised in the letter from the Senators are: “The steps the PACEI has taken to protect any voter information that it has collected” and “The steps the PACEI took to adhere to regulations governing its activity.”
The Commission is even coming under increased scrutiny from its own members. Earlier this month, Commissioner Matthew Dunlap charged that the Commission had given him "utterly no information" about the Commission's activities. Dunlap invoked a public records statute to demand documents about the Commission he sits on.
EPIC sued the Commission in July for failing to conduct a Privacy Impact Assessment. The Commission was previously forced to suspend the collection of voter data in response to EPIC's lawsuit, but it later resumed that process. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017.
In comments to Customs and Border Protection, EPIC opposed the federal agency's proposal to collect social media information for a new intelligence database. EPIC’s comments were in response to the Department of Homeland Security’s proposal to establish a new system of records called the “CBP Intelligence Records System (CIRS).” This new database will collect vast amounts of personal data such as Social Security numbers, passport information, immigrant benefit data, public-source data (including social media information), reports of suspicious activities, and metadata.
EPIC argued that “the scope of the information to be contained in the database [is] both broad and ambiguous.” EPIC also warned that “[g]iven the recent surge in government data breaches, the sensitive information contained in the CIRS database faces significant risk of compromise.” EPIC has argued to the Supreme Court that the Federal government should not be allowed to collect this level of personal, sensitive data.
The CIRS database applies broadly to “individuals associated with CBP investigations (e.g. witnesses), individuals identified in classified or unclassified intelligence reports, individuals identified in immigration benefit data, and individuals identified in public news reports.” EPIC argued that this sweeping data collection scheme covers individuals who are not under investigation and may frustrate CBP’s operations by deterring individuals from coming forward with information about crimes.
CBP also proposed to exempt the database from protections of the Privacy Act of 1974 by creating numerous “routine uses” for the information. Under the Privacy Act, federal agencies must follow certain guidelines when establishing a new public database. One of those guidelines mandates that an agency may only disclose personal data under certain conditions, including for a “routine use” that is “compatible with the purpose for which [the data] was collected.” But the CIRS proposal identifies a vast range of “routine uses,” including government hiring and retention; the issuance of any license, contract, grant, security clearance or other benefit; and disclosure to the news media and public. EPIC argued that this proposal would allow CBP to disclose information for uses incompatible with its original purpose.
In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently
Eleven senators have introduced bipartisan legislation to reauthorize the Foreign Intelligence Surveillance Act (FISA) and add significant new civil liberties protections to the law. The FISA authorizes the surveillance of foreigners located abroad and implicates the privacy of U.S. persons’ communications.
Among other reforms, the USA Rights Act codifies the ban on collecting "about" communications, prohibits collection of domestic communications, expands the powers of the Civil Liberties Oversight Board, and requires independent amicus review during the Foreign Intelligence Surveillance Court's annual authorization. The bill does not establish certain protections sought by Europeans during the recent Privacy Shield review.
The Senate is also considering legislation that would expand surveillance authorities under Section 702 of the FISA. Senate Intelligence Committee Chairman Richard Burr (R-NC) and Vice Chairman Mark Warner (D-VA) introduced a bill this month that would codify permission for the intelligence community to resume the “about” collection surveillance program, defining an “about communication” as any communication that has a “reference to, but is not to or from, a facility, a place, premises or property at which an acquisition authorized” is directed or conducted. The bill would also enhance penalties for leakers of classified information.
EPIC recently joined a coalition of privacy and civil liberties organizations urging the Senate Intelligence Committee to open to the public any markup hearing on proposals to reauthorize Section 702. In a letter to the Committee, the coalition urged that to “the greatest degree possible, the consideration of legislation pertaining to Section 702 ... [s]hould take place in public.” Prior markup hearings on proposals to reauthorize Section 702 have not been opened to the public.
Although the Committee’s jurisdiction includes classified matters, the Committee’s consideration of Section 702 can be accomplished based upon unclassified information that is already public. To the extent that discussion of classified information is necessary, only those small portions of the markup need to be held in a closed setting. EPIC has previously called for open public hearings on important legislation, including consideration of the Cyber Intelligence Sharing and Protection Act of 2013.
A Presidential Memorandum for the Secretary of Transportation on “Unmanned Aircraft Systems Integration Pilot Program” is seeking to promote local and state involvement in “development and enforcement” of Federal regulations. The Memorandum also aims to “inform the development of future Federal guidelines and regulatory decisions” on drone operations nationwide.
The FAA has failed to establish national standards for privacy. Many local governments, however, have passed laws to regulate the use of drones. According to the National Conference of State Legislatures, at least 38 states are considering legislation related to drones in the 2017 legislative session. Of these states, seventeen states passed 23 pieces of legislation and three states have adopted resolutions addressing UAS this year. In 2016, EPIC renewed its suit against the FAA, arguing that the agency failed to protect the public from aerial surveillance and calling for more comprehensive national privacy regulations. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Oral arguments will likely take place this fall.
Meanwhile, the Washington Post recently reported that the Federal Aviation Administration’s Drone Advisory Committee hosted secret meetings and asked participants to sign confidentiality agreements. The participants included industry insiders with a “financial stake in the outcome,” and the meeting was “co-chaired by a lobbyist for DJI, a Chinese drone maker that dominates the U.S. market.”
Documents obtained earlier by EPIC uncovered similar secret meetings leading to the Federal Aviation Administration (“FAA”) policy on drones that ignored privacy safeguards. The closed-door meetings appear to violate the Federal Advisory Committee Act, a statute governing the behavior of federal advisory committees and ensuring open meetings, chartering and reporting. EPIC sued the FAA last year to obtain the meeting documents of the FAA’s Drone Registration Task Force.
EPIC Assesses Progress on Government's Commitments to Transparency
In comments filed with the Open Government Partnership's Independent Reporting Mechanism, EPIC assessed the government's progress toward the transparency commitments it made in the National Action Plan on Open Government. EPIC advised the government to incorporate findings of the Commission on Evidence Based Policymaking, including the use of Privacy Enhancing Techniques, called for the Privacy and Civil Liberties Oversight Board (PCLOB) to be restored to full strength, and warned about the federal government's ongoing failure to create Privacy Impact Assessments required by law. EPIC and a coalition of civil society groups had issued recommendations for the Third National Action Plan, and, in response, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The Plan is an initiative pursued by countries and NGOs participating in the Open Government Partnership.
EPIC Calls on House to Protect Privacy at U.S. Seaports
EPIC submitted a statement to the House Homeland Security Committee in advance of a hearing on "Examining Physical Security and Cybersecurity at Our Nation's Ports." The Committee recently reported favorably "The Border Security for America Act," which would dramatically expand U.S. border surveillance, including a biometric exit data system at U.S. seaports. EPIC has expertise regarding maritime surveillance. EPIC pursued a Freedom of Information Act lawsuit against the Department of Homeland Security concerning the Nationwide Automatic Identification System, a system designed with the support of the U.S. Coast Guard to promote boating safety that the DHS has transformed into a surveillance system for monitoring vessels, including recreational vessels operated by U.S. citizens. In the letter to the House Committee, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
EPIC Asks Senate to Probe Customs & Border Protection Nominee on Facial Recognition, Drones
EPIC has sent a letter to the Senate Finance Committee with questions for the next Commissioner of U.S. Customs and Border Protection. The Committee considered the nomination of Kevin McAleenan to head the CBP at a hearing last week. EPIC raised questions regarding (1) whether Kevin McAleenan would use DACA data for purposes unrelated to DACA eligibility; (2) CBP's use of facial recognition technology; (3) CBP's collection of social media information; (4) CBP's proposed exemption of Privacy Act safeguards for a new agency database; and (5) CBP's use of drones to conduct aerial surveillance on American citizens. EPIC asked "How will CBP ensure that the collection and use of biometric data will not expand beyond the original purpose?" and "Will CBP link images collected by drones with facial biometrics in CBP or DHS databases?" EPIC has submitted comments to DHS and CBP concerning their collection of social media information. EPIC has also filed a FOIA lawsuit seeking documents on CBP's biometric tracking programs and EPIC's Jeramie Scott has written an op-ed for The Hill about CBP's use of facial recognition technology.
EPIC Opposes DHS Plan for Social Media Surveillance
In comments to Customs and Border Protection, EPIC opposed the federal agency's proposal to collect social media information, including metadata, for a new intelligence database. CBP also proposed to exempt the database from protections of the Privacy Act and to create numerous "routine uses" for the information. EPIC said that CBP should narrow the Privacy Act exemptions and limit the number of routine uses. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country.
European Privacy Experts Press WhatsApp on Data Practices
The Article 29 Working Party, a group of European privacy experts, warned WhatsApp that it is still not complying with data protection law. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook, violating past privacy promises. In a letter to WhatsApp, Article 29 said "the information presented to users was seriously deficient as a means to inform their consent," and WhatsApp must promptly establish a "clear, comprehensive resolution." Backed by over a dozen US consumer groups, in 2016 EPIC filed a complaint with the FTC urging the agency to block Facebook's acquisition of WhatsApp if privacy safeguards were not put in place. The FTC wrote to both companies, explaining that their failure to honor privacy obligations could violate U.S. law.
Senate Restores Forced Arbitration, Undermines Data Protection
The Senate voted 51-50 (with Vice President Pence breaking the tie) to repeal the CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of Supreme Court rulings held that courts must enforce these clauses. Equifax generated public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced legislation that would prohibit companies from denying individuals their right to go to court. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said the "company tried to trick consumers into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach."
European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook
The opinion of a key adviser to the European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights.
FTC Provides Guidance on Voice Recordings and Kids
The Federal Trade Commission has clarified how the Children's Online Privacy Protection Act applies to toys that make voice recordings of children. The Commission's enforcement policy statement stated that an audio file may only be used "as a replacement for written words," and may only be maintained "for the brief time necessary for that purpose." Additionally, "the operator may not make any other use of the audio file in the brief period before the file is destroyed — for example, for behavioral targeting or profiling purposes." EPIC has supported efforts by consumer groups to warn of the risks smart toys pose to childhood development. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of children. The complaint spurred a Congressional investigation and the toy was recalled in Europe.
Communications Privacy Directive Moves Forward in European Parliament
The European Parliament Committee on Civil Liberties, Justice and Home Affairs - or LIBE Committee - has approved an update to EU communications privacy law in a key step toward finalizing the regulation. The proposed e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Members recommended that "privacy by default" settings be standardized, that providers use strong encryption, and that users' consent be obtained before the use of any personal data. In the U.S., EPIC has urged the Federal Communications Commission to bring U.S. law up to date with a similar, comprehensive approach to communications privacy.
Report: Body Cameras Failed to Improve Police Behavior
In the largest study to date of police body cameras, a new report concluded that the cameras had no impact on police use of force and civilian complaints. The report is a result of a project in Washington, D.C. to assess the benefits of the body cameras worn by the Metropolitan Police Department. EPIC previously testified before the D.C. City Council, warning of the risks of mass public surveillance and arguing that police body cameras were "an intrusive and ineffective technology that does not address underlying problems with police accountability."
Pew Survey Examines "Future of Truth and Misinformation Online"
The Pew Research Center released a report on how to address the spread of digital misinformation in the coming decade. The report's respondents were evenly divided on whether technological advances in the coming decade will fix the problem of misinformation, or only compound it. EPIC President Marc Rotenberg told Pew, "The problem with online news is structural: There are too few gatekeepers, and the internet business model does not sustain quality journalism. The reason is simply that advertising revenue has been untethered from news production." The prevalence of "fake news" was one of the most significant issues in the 2016 presidential election. EPIC's Democracy and Cybersecurity Project seeks to restore integrity in democratic elections. EPIC is also pursuing details of the Russian election interference in FOIA cases against the FBI, the Office of the Director of National Intelligence, and the IRS. Several senators have introduced bipartisan legislation to strengthen disclosure requirements for online political ads.
Senate Bill to Improve Transparency and Accountability for Online Political Ads
Several senators announced a bipartisan bill to make online political advertisements more transparent. The Honest Ads Act is a direct response to Russian interference in the 2016 election, which included political ads on Facebook, Google and Twitter. The bill, co-sponsored by Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ), would impose the same disclosure requirements for online ads as for TV and radio ads. "First and foremost this is an issue of national security — Russia attacked us and will continue to use different tactics to undermine our democracy," Senator Klobuchar said. The FEC also announced on October 10 that "in light of developments" it would reopen for public comment its disclosure rules for online political ads. EPIC is fully engaged in the challenge of protecting democracy by promoting cybersecurity and election integrity. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records).
EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections
Following the first annual review of the pact, the European Commission has approved the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission urged the U.S. to appoint a permanent Ombudsperson to review complaints, to restore the Privacy and Civil Liberties Oversight Board, and to pass the Obama-era Presidential Policy Directive-28 into law. In a recent letter to Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice.
- Bill To Shield Cybersecurity Plans From FOIA Advances, Law360, October 26, 2017
- The Future of Online Retailing is Bright, The Economist, October 26, 2017
- When an Algorithm Helps Send You to Prison, New York Times, October 26, 2017
- How Much Does the Government Really Need to Know About College Students in America?, The Atlantic, October 24, 2017
- DHS Plan to Collect Immigrants' Social Media Gets Roasted in the Comments, FCW, October 24, 2017
- Devices Can Collect Kids' Commands Without Consent: FTC, Law360, October 24, 2017
- Political Ad Disclosure Bill To Test Online Giants' Might, Law360, October 19, 2017
- The Future of Truth and Misinformation Online, Pew Research Center, October 19, 2017
- FTC Urged To Investigate Smartwatches For Kids, MediaPost, October 18, 2017
- Report: Smart Watches Can Put Hackers in Touch With Your Kids, 10TV, October 18, 2017
- Senators Back More Oversight Of Credit Bureau Cybersecurity, Law360, October 17, 2017
- Senators Bear Down on Credit Reporting Industry Over Data Security, The Hill, October 17, 2017
- "OK, Google. Send a Letter to the CPSC.": Privacy Groups Request Recall of Google Home Mini, Ad Law Access, October 17, 2017
- Privacy Groups Want Recall On 'Spying' Google Speaker, Law360, October 16, 2017
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology, and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
“The Convergence of Man and Machine”
November 6, 2017
Marc Rotenberg, EPIC President
Techonomy, Half Moon Bay, California
62nd Meeting of the International Working Group on Data Protection in Telecommunications
November 27-28, 2017
Eleni Kyriakides, EPIC Fellow
Where Are We With Location Privacy? Reactions to the Supreme Court’s Oral Argument in Carpenter v. United States
November 30, 2017
Alan Butler, EPIC Senior Counsel
American Bar Association — Section on Civil Rights and Social Justice
“Tech Triumph or Bloated Bubble: Innovation, Investors & Industrial Transformation”
December 14, 2017
Marc Rotenberg, EPIC President
Yale CEO Summit, New York, NY
2018 EPIC Champions of Freedom Awards Dinner
June 5, 2018