EPIC Alert 24.23
EPIC Alert 24.23 - December 18, 2017
- EPIC FOIA: EPIC Sues for Details of Palantir's Government Systems
- EPIC Amicus: EPIC Asks Supreme Court to Preserve Wiretap Remedy
- Presidential Election Commission Suspends Activities?
- EPIC Warns Congress About Privacy Risks of Mergers
- EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan
- EPIC Holiday Gift Guide
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
EPIC FOIA: EPIC Sues for Details of Palantir's Government Systems
EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. Palantir, a secretive data mining software company founded by Peter Thiel, has previously been involved in the creation of controversial databases to collect information on the public.
ICE contracted with Palantir to establish two databases: the Investigative Case Management system and the FALCON system. Both databases contain vast amounts of personal information and use secret algorithms to make determinations about opportunities for employment, travel, and who is subject to criminal investigations. ICE has exempted both databases from many of the protections of the Privacy Act, including a requirement to maintain accurate, relevant, timely, and complete records. ICE also created numerous "routine uses" that allow the agency to disseminate the information in the databases broadly.
EPIC is seeking the government contracts with Palantir and any assessments of the two databases, including audits and reports on the effectiveness of the systems. EPIC is also seeking any agreements between ICE and other agencies related to the Investigative Case Management and FALCON systems. EPIC wrote in the complaint that "Palantir's 'big data' systems raise far-reaching privacy and civil liberties risks."
Both systems access databases across the federal government. The FALCON database, for example, accesses the Analytical Framework for Intelligence system, a Customs and Border Protection database that assigns "risk assessment" scores to travelers, including U.S. citizens. In an earlier lawsuit, EPIC v. CBP, EPIC uncovered Palantir's role in the Analytical Framework for Intelligence.
EPIC has warned Congress about the use of secret algorithms to make determinations and has advocated against initiatives like ICE's Extreme Vetting proposal that would implement secret automated decision-making.
EPIC Amicus: EPIC Asks Supreme Court to Preserve Wiretap Remedy
EPIC has filed an amicus brief in Dahda v. United States, a Supreme Court case concerning the federal Wiretap Act and the suppression of evidence obtained on the basis of an invalid wiretap order. The Court will decide whether the Wiretap Act requires courts to exclude evidence obtained under a wiretap order that is "facially insufficient" because the order exceeded the judge's territorial reach.
The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order. In Dahda, a lower court in Kansas issued an order that was found facially invalid because it permitted interception of cell phone calls outside the court's territorial jurisdiction. However, the lower court denied suppression, and a federal appeals court affirmed the lower court's decision. The Supreme Court agreed in October to hear the case.
EPIC seeks to ensure that the statutory protections established by Congress to safeguard privacy are fully enforced by the courts. EPIC wrote in its amicus brief that "it is not for the courts to create atextual exceptions" to federal privacy laws. EPIC explained that Congress enacted broad and unambiguous privacy provisions in the Wiretap Act. "If the government wishes a different outcome," EPIC wrote, "then it should go to Congress to revise the statute."
EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars), Carpenter v. United States (warrantless searches of cellphone location records), and Riley v. California (warrantless searches of cellphones incident to arrest).
Presidential Election Commission Suspends Activities?
According to the New Hampshire Union-Leader, the Commission is ignoring inquiries from state election officials about the transfer of the sensitive voter data sought by the Commission. The Commission previously promised—in a filing from an EPIC lawsuit—that it would tell states how to "securely" submit voter data. But New Hampshire election officials say they have been unable to reach the Commission or obtain instructions for over a month.
Meanwhile, the Commission's Executive Director told a federal court in Washington, DC that "no action or analysis is currently being taken with respect to the state data submitted to the Commission." The same official admitted that the Commission will not hold a meeting in December as originally planned. Posts at the Commission website suggest the agency is no longer responding to email, and Vice Chair Kris Kobach said that the Commission's work was "stalled" for at least a month this fall.
EPIC filed suit in July to halt the Commission's collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC's initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress have opposed the Commission's efforts to collect state voter data. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).
EPIC Warns Congress About Privacy Risks of Mergers
In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy and security risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and that these "risks are particularly pronounced when a company that lacks adequate cybersecurity obtains access to other companies' collections of personal data."
At the hearing, senators and witnesses discussed whether the consumer welfare standard—which is used by the Federal Trade Commission and Department of Justice to determine whether a merger violates antitrust law—is well-suited to promoting competition and protecting consumers in the 21st century economy. EPIC told Congress that "[j]ust as safeguards are put in place to ensure competition in the marketplace, safeguards must be implemented to protect consumer data."
As a leading advocate for consumer privacy, EPIC has a strong interest in how industry consolidation undermines consumer privacy and data security. Nearly two decades ago, EPIC and a coalition of consumer organizations warned the FTC of the privacy implications of the Time Warner/AOL merger. In 2000, EPIC opposed DoubleClick's acquisition of Abacus.
In 2007, EPIC testified before the Senate Judiciary Committee about the growing risks to competition and privacy of mergers in the online advertising industry. That same year, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014, EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp.
EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan
EPIC has offered 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation.
Federal agencies are required to put forth five-year strategic plans for public comment. The FTC's draft plan detailed the agency's strategic goals, objectives, strategies and performance benchmarks. The FTC specifically reached out to EPIC for feedback as an organization with a strong interest in the FTC's activities.
EPIC raised systemic concerns about how the FTC will accomplish its mission. EPIC emphasized that "American consumers today are at great risk of identity theft, financial fraud, and data breaches. Sensitive personal information is collected by many companies that simply do not do enough to safeguard consumer privacy."
First, EPIC noted that the FTC has routinely failed to enforce consent orders and urged the FTC to hold companies accountable when they violate consent decrees. EPIC previously sued the FTC for failing to enforce a consent decree against Google. Second, EPIC explained that the FTC has failed to incorporate public comments into settlements even though it has a statutory mandate to do so. EPIC routinely offers comments on how the FTC can improve settlements. Third, EPIC stated that the FTC should mandate Fair Information Practices in consumer privacy settlements.
EPIC also recommended that the FTC embrace transparency in handling complaints from consumer groups and that it publish the agency's privacy audits. And EPIC proposed that the FTC endorse data protection legislation, expand its "unfairness" authority, oppose mergers that threaten data security and consumer privacy, produce concrete outcomes from workshops, enforce Privacy Shield and the Children's Online Privacy Protection Act (COPPA), and support the establishment of a U.S. data protection agency.
EPIC Holiday Gift Guide
Scratching your head over holiday gift ideas for the privacy buff in your life? Fear not: EPIC has you covered! Here are a few products to help safeguard the privacy and security of you and your loved ones.
1. Indoor Privacy Tent
The Constitution protects the right to read in private—and so will this indoor privacy tent! Enjoy your favorite books and movies under the warm, secluded bubble of a bed-top canopy with zippered walls.
2. ‘Mind the Cyber Things’ Poster
With tech companies marketing “always on” devices as holiday gifts, this poster offers a friendly counterpoint for privacy lovers: “Devices connected to the internet may betray you.”
3. Virtual Private Network Subscription
A virtual private network, or VPN, will protect your personal data while using public Wi-Fi networks and makes it harder for advertisers to track you online. PC Magazine breaks down the best VPN services of 2018 to help you choose the option that’s right for you and your loved ones.
4. ‘Internet Privacy’ Bumper Sticker
If you’re a supporter of internet privacy (and would just as soon not broadcast that fact on Facebook), this is the bumper sticker for you. We’re told that this item is especially liked by free people.
5. ‘Private’ Door Sign
A timeless classic, this “Private” door sign will let passers-by know that you’re not to be disturbed. If they don’t like it, they can talk to the iconographic hand.
6. ‘Today’s Selfie Is Tomorrow’s Biometric Profile’ Mirror
From the New Museum, this little item will offer a daily reminder about the dangers of biometric profiling and the importance of data protection. As a bonus: it’ll show your reflection, too.
7. SkyWall Drone Catching Net
Tired of drones hovering above your home tracking your every move? The folks at SkyWall have a solution for that: a drone catching net complete with a gas-powered launcher.
8. A Good Book on Privacy
Visit the EPIC Bookstore for the best publications on privacy. Also, find such classics as 1984, Brave New World, The Handmaid’s Tale, The Origins of Totalitarianism, and The Trial. All sales support the work of EPIC.
9. Contribute to EPIC
Why not give the gift of privacy to a loved one? We’ll litigate, advocate, and educate on your behalf. Drop a little coin at epic.org/donate.
News in Brief
John Anderson, 1922-2017
Congressman and former Presidential candidate John Anderson has passed at age 95. Among his many activities, John Anderson helped launch the Electronic Privacy Information Center in 1994 and served on the EPIC Advisory Board for more than 20 years. John Anderson was one of the early advocates for the freedom to use encryption and drafted a privacy platform for the 2008 Presidential candidates. He joined EPIC's campaign to oppose secret watch lists and served as EPIC's first chair. He also wrote the foreword to the Electronic Privacy Papers by Bruce Schneier and Dave Banisar.
EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program
Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Customs and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
EPIC FOIA: Justice Department Admits Algorithmic Sentencing Report Doesn't Exist
The Justice Department, in response to an EPIC FOIA lawsuit, has admitted that the United States Sentencing Commission never produced an evaluation of "risk assessment" tools in criminal sentencing. In 2014, Attorney General Eric Holder expressed concern about bias in criminal sentencing "risk assessments" and called on the Sentencing Commission to study the problem and produce a report. But after EPIC requested that study and sued the DOJ to obtain it, the DOJ conceded that the report was never produced. EPIC did obtain emails confirming the existence of a 2014 DOJ report about "predictive policing" algorithms, but the agency also withheld that report. "Risk assessments" are secret techniques used to set bail, to determine criminal sentences, and even make decisions about guilt or innocence. EPIC has pursued several FOIA cases to promote "algorithmic transparency", including cases on passenger risk assessment, "future crime" prediction, and proprietary forensic analysis.
EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks
EPIC sent two separate statements to the House Judiciary Committee this month ahead of the committee's FBI oversight and DOJ oversight hearings. EPIC urged the Committee to question FBI Director Wray and Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
EPIC Advises Congress to Regulate AI Techniques, Promotes 'Algorithmic Transparency'
In advance of a hearing on "Digital Decision-Making: The Building Blocks of Machine Learning and Artificial Intelligence," EPIC warned a Senate committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable."
FAA Drone Registration Requirement Flies Again
A defense authorization bill signed by the President this month restores the FAA's drone registration requirement. The registration requirement was struck down by a federal appeals court earlier this year. EPIC supports registration for commercial drones because of the unique privacy risks they pose. In 2015, EPIC submitted extensive comments to the FAA, proposing that commercial drones also routinely broadcast location, course, speed over ground, as well as owner identifying information, similar to the Automated Identification System for commercial vessels. Earlier this year, EPIC also submitted statements to the House Transportation Committee and the Senate Commerce Committee emphasizing the privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to establish privacy safeguards. EPIC v. FAA is before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018.
Support for Bills Establishing Oversight of AI Grows in Congress
Senators Maria Cantwell (D-WA) and Brian Schatz (D-HI) are planning legislation to establish new oversight committees for the use of AI. Cantwell's bill—Future of Artificial Intelligence Act of 2017—is cosponsored by Senators Ed Markey (D-MA) and Todd Young (R-IN) and would establish an AI committee at the Commerce Department. A companion bill in the House is sponsored by Representatives John Delaney (D-MD) and Pete Olson (R-TX), co-chairs of the Artificial Intelligence Caucus. Schatz has announced his intent to introduce a bill creating an independent AI commission. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency and has warned Congress about the use of opaque techniques in automated decision-making.
Senators Question Privacy and Safety of Facebook's 'Messenger Kids' App
Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) wrote to Facebook CEO Mark Zuckerberg with questions about Facebook's Messenger Kids app, aimed at children 6-12. The Senators said, "we remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used." The Children's Online Privacy Protection Act specifically limits the collection and use of data on children under the age of 13. Concern about the misuse of children's data remains high. EPIC and several consumer privacy organizations filed a complaint with the FTC in 2016 alleging that the Internet-connected doll Cayla spied on children. EPIC also backed a recent campaign to recall Mattel's Aristotle, a device that collected data from young children. The campaign led Mattel to cancel the sale of Aristotle.
Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds
The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy, including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa County violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012, EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights.
European Privacy Experts Call for New Review of EU-US Data Arrangement
The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the GDPR goes into force. If not, "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data transferred to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.
EPIC in the News
- How many 'likes' does it take to build a dystopia? We're about to find out, NBC News, December 15, 2017
- Inside Track: Next Year’s Must-Watch Data Breach Case, Law.com, December 14, 2017
- Judge: Cruise line isn't an internet provider under surveillance law, POLITICO, December 13, 2017
- TSA Plans to Use Face Recognition at Airports, Top Secret Writers, December 12, 2017
- EPIC Asks 3rd Circ. To Scrap Google Tracking Deal, Law360, December 8, 2017
- ICE sued for info about use of mobile biometric devices in immigration raids, BiometricUpdate, December 8, 2017
- Hilton Introducing First Mobile-Controlled Hotel Rooms, ABC 7 (Washington DC), December 8, 2017
- Privacy Group Urges Court To Scuttle Google's 'Safari Hack' Settlement, MediaPost, December 7, 2017
- French Regulator Warns Toymaker To Address Privacy Risks, Law360, December 7, 2017
- The Internet of Toys: Legal and Privacy Issues with Connected Toys, Lexology, December 6, 2017
- Privacy vs Lower Car Insurance Prices, WFMY (North Carolina), December 6, 2017
- Facebook privacy activist launches NGO to fund data lawsuits, Financial Times, December 6, 2017
- ESPN Ruling Further Narrows Video Privacy Law's Reach, Law360, December 5, 2017
- Trump election fraud commission has gone dark, New Hampshire Union Leader, December 4, 2017
- Facebook launches messaging app for kids as young as six, Financial Times, December 4, 2017
- Creepy Cayla doll violates liberté publique, screams French data protection agency, The Register, December 4, 2017
- SCOTUS justices are ready to tackle privacy rights in the digital age, The Hill, December 2, 2017
- US politicos wake up to danger of black-box algorithms shaping all corners of American life, The Register, December 2, 2017
EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC Publications
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Upcoming Conferences and Events
EPIC International Champion of Freedom Awards
Computers, Privacy and Data Protection (CPDP) Conference
January 24, 2018
'The Internet of Bodies'
Computers, Privacy and Data Protection (CPDP) Conference
January 24-26, 2018
Marc Rotenberg, EPIC President
Eleni Kyriakides, EPIC International Law Fellow
'UTmessan - Where everything connects'
February 2, 2018
Marc Rotenberg, EPIC President
May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
2018 EPIC Champions of Freedom Awards Dinner
June 6, 2018 Washington, DC