EPIC Alert 25.01

1. Facing EPIC Lawsuit, Presidential Election Commission Disbands

The Presidential Election Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded earlier this month by President Trump. The Commission had faced an ongoing lawsuit by EPIC over its failure to conduct and publish a Privacy Impact Assessment before collecting personal data, as required by law.

EPIC's lawsuit led the Commission last year to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission's efforts to collect state voter data. The Government Accountability Office opened an investigation to determine whether the Commission engaged in unlawful action, and one Commission member even filed suit against the Commission.

In a statement about the Commission's demise, the President said he had asked the Department of Homeland Security "to determine next courses of action." Within days of the President's order, EPIC filed a lawsuit against the DHS to obtain communications between the agency and the Commission. EPIC also joined ten other civil rights and government oversight organizations in urging DHS Secretary Kirstjen Nielsen not to accept any personal data from the defunct Commission. On Monday, EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing to seek assurances that "the DHS will not continue the activities" of the Commission.

Meanwhile, EPIC has asked the D.C. Circuit Court of Appeals to void last month's ruling in which the Court refused to order Commission to conduct a Privacy Impact Assessment. The Commission's sudden dissolution unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

2. EPIC Sues DHS Over Election Commission and Transfer of Voter Data

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security for communications between the agency and the Presidential Election Commission regarding the transfer of personal voter data. The disbanded Commission unlawfully sought to collect detailed voter records from states and federal agencies, including the DHS.

EPIC filed a FOIA request with the DHS last year after the Commission tried to collect records from federal agencies to match against state voter records. In particular, the Commission appeared to be targeting DHS databases on immigration detentions and citizenship applications. But the DHS failed to respond to EPIC's FOIA request, and EPIC brought suit last week.

EPIC's lawsuit came just days after President Trump asked the DHS "to determine the next courses of action" in the Commission's aftermath. Immediately after the Commission was terminated, former Vice Chair Kris Kobach claimed that voter data collection activity would shift to the DHS. The DHS, however, said that Kobach was not advising the agency, and a White House technology official claimed that none of the Commission's data would be sent to the DHS. It remains unclear what Commission records and data may have been transmitted third parties prior to the Commission's dissolution.

In a separate lawsuit filed last year, EPIC forced the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. EPIC v. Commission is still pending in federal court.

3. EPIC v. NSD: EPIC Obtains Secret Report on 'Backdoor Searches,' FBI's Failure to Follow Procedures

As the result of a Freedom of Information Act lawsuit EPIC v. NSD, EPIC has obtained a report from the Department of Justice National Security Division detailing the FBI's use of foreign intelligence data for a domestic criminal investigation. Section 702 of the Foreign Intelligence Surveillance Act authorizes the surveillance of foreigners located abroad. However, the FBI can also use this data to investigate Americans without a warrant through a mechanism known as "backdoor searches."

In 2015, the FISC ordered the DOJ to report "each instance after December 4, 2015, in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information." EPIC filed a suit against the DOJ seeking public disclosure of that report, which the DOJ has now released to EPIC.

Among other details, the report shows that an FBI analyst ignored internal guidance to notify superiors when receiving and reviewing "raw" Section 702 data about U.S. persons. The revelation raises questions about whether the FBI is accurately reporting "backdoor searches."

Last week, the House of Representatives voted to reauthorize Section 702 and rejected the USA Rights Act that would have required a federal agency to obtain a warrant to search foreign surveillance data for information on Americans. The Senate will vote on the reauthorization this week.

4. EPIC FOIA: EPIC Obtains DHS Secretary Interview Notes on Border Security

Through a Freedom of Information Act request, EPIC has obtained former Secretary of Homeland Security John Kelly's notes for an interview with National Public Radio about border security. The notes include talking points about security along the southwest border and the construction of the southwest border wall.

During the interview, Mr. Kelly—now the White House Chief of Staff—described the DHS's plans to increase the vetting of potential immigrants to the United States. Mr. Kelly said that DHS was "considering" asking immigrants to "give us a list of websites that they visit and the passwords to get on those websites to see what they're looking at." Mr. Kelly also said that the DHS might examine "social media to see what they tweet; cell phones – cell phone conversations or cell phone contact books to where we can run them against databases, telephone numbers, people's names."

Mr. Kelly's interview notes also emphasize the DHS's goal of "achiev[ing] complete operational control of the southern border," including through the use of technology.

EPIC previously warned the House Oversight Committee that enhanced surveillance at the border will impact the rights of U.S. citizens by sweeping up personal data. As a result of an earlier FOIA lawsuit, EPIC found that the Customs and Borders Protection is already deploying drones with facial recognition technology near the border.

5. Senators Warren and Warner Introduce Bill to Hold Credit Reporting Agencies Accountable

Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act would impose strict liability for breaches involving consumer data; increase penalties for cases of "woefully inadequate cybersecurity or failure to notify" consumers; and use those penalties to compensate consumers affected by breaches. The bill would also establish an office of cybersecurity within the Federal Trade Commission, giving the FTC direct supervisory authority over the credit reporting industry.

EPIC President Marc Rotenberg stated that "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers."

The proposed bill is one of several data breach bills proposed by lawmakers as a response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. Senator Warren and Senator Brian Schatz (D-HI) introduced a bill last year that would allow consumers to freeze and unfreeze their credit for free and prevent credit reporting agencies from profiting off the use of consumers' information for the duration of their credit freeze. Senator Patrick Leahy (D-VT) has also introduced comprehensive legislation to protect consumers from data breach and identity theft.

EPIC has been outspoken about the need for reform of the credit reporting industry in the wake of the Equifax breach. Last year, EPIC testified before the Senate Banking Committee urging legislation to give consumers more control over their credit reports.

EPIC President Marc Rotenberg also proposed concrete steps for reforming the credit reporting industry in an article for Harvard Business Review last year. Among EPIC's recommendations are (1) limiting the use of the Social Security number by private companies; (2) immediately notifying consumers of a data breach; (3) giving consumers a default credit freeze that allows them to control when their credit report is released; and (4) mandating algorithmic transparency for companies that use secret scoring to determine creditworthiness.

News in Brief

EPIC Comments on Maryland 'Smart Meter' Privacy Bill

In response to request for comments from the Maryland legislature, EPIC submitted a statement in support of a bill to prohibit law enforcement from obtaining data recorded by a smart meter without a warrant. Smart meters collect personal data about the use of utility services that can reveal when a person is at home and what they are doing. EPIC stated that "the routine collection of this data, without adequate privacy safeguards, would enable ongoing surveillance of Maryland residents without regard to any criminal suspicion." EPIC said that HR 56 is a "model privacy law that enables innovation while safeguarding personal privacy." EPIC has testified in Congress and submitted comments to NIST and the state of California on smart grid privacy. EPIC has also submitted amicus briefs on Fourth Amendment cases before the Supreme Court, including Carpenter v. United States and Byrd v. United States.

DHS Secretary: No New Work on Voter Fraud

At a Senate hearing on Tuesday, DHS Secretary Kristjen Nielsen stated that DHS would not undertake a new investigation of voter fraud. EPIC submitted a statement in advance of the hearing, asking Senators to seek assurances that DHS would not pursue the work of the recently disbanded Presidential Advisory Commission on Election Integrity, as former Vice Chair Kris Kobach had suggested. In response to a question from Senator Kamala Harris, Nielsen answered that Kobach does not have any role at DHS. Although Nielsen stated that DHS would not pursue any new work, she indicated that the agency would continue to work with states pursuing voter fraud investigations. EPIC recently filed a FOIA lawsuit against DHS seeking communications with the Commission regarding the transfer of personal voter data. The Commission, facing a lawsuit by EPIC, was terminated earlier this month. EPIC's lawsuit led the Commission last year to suspend the collection of voter data.

EPIC Urges Senate to Seek Assurances from DHS on Privacy of Voter Data

EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing, to seek assurances that "the DHS will not continue the activities of the Presidential Advisory Commission on Election Integrity." After the Commission was disbanded in the wake of EPIC's lawsuit, the former Vice Chair told reporters that he intended to continue the work of the Commission at the DHS. But EPIC told the Senate committee that the Commission has no authority to transfer the voter data and warned that the DHS would be subject to federal lawsuits if it assembled a database of voter information. EPIC also urged the Senate to confirm that the personal data provided by DACA applicants will not be misused by DHS, and that DHS biometric programs will not be expanded until transparency obligations are fulfilled and privacy safeguards are established. The EPIC letter follows a statement last week from civil rights and government oversight organizations to the DHS Secretary seeking assurance that there will be no transfer or collection of state voter data.

EPIC, Coalition Urge DHS Secretary to Block Collection of State Voter Data

EPIC and ten civil rights and government oversight organizations have sent a letter to DHS Secretary Nielsen, urging her not to accept any personal data from the now defunct Presidential Advisory Commission on Election Integrity. The groups explained that the Commission lacks legal authority to transfer personal data to the Commission. The groups also warned that the DHS would be subject to numerous federal laws if it were to acquire state voter data. EPIC and the organizations brought several lawsuits against the Commission. EPIC's lawsuit led the Commission to suspend the collection of voter data in July 2017. President Trump disbanded the Commission on January 3, 2018. However, former Vice Chair Kris Kobach told reporters that he intends to resume the work of the Commission at the Department of Homeland Security.

EPIC Moves to Vacate Circuit Court Opinion Following End of Voting Commission

EPIC has asked the D.C. Circuit Court of Appeals to void last month's ruling in which the Court refused to order the Presidential Election Commission to conduct a Privacy Impact Assessment. The Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded earlier this month by President Trump. The Commission's sudden demise unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC's lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. EPIC's case against the Commission is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). EPIC filed a separate lawsuit last week for communications between the Department of Homeland Security and the Commission regarding the transfer of personal voter data.

EPIC Urges FBI to Limit Fingerprint-Based Background Checks

In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system.

FTC Report on Connected Cars Lacks Privacy Recommendations

The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation.

Supreme Court Hears Arguments in Rental Car Search Case

The Supreme Court heard arguments last week in Byrd v. United States, concerning the warrantless search of a rental vehicle. EPIC filed an amicus brief in the case urging the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained that cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. EPIC's Natasha Babazadeh prepared an explainer video of the case.

Group Asks Supreme Court to Weigh In on Fairness of Google Tracking Settlement

The Center for Class Action Fairness has asked the U.S. Supreme Court to decide whether a settlement that awards funds to certain organizations and fails to compensate injured class members is fair. The settlement involved Google's tracking of Internet users in violation of users' privacy settings but resulted in no change in business practices or payment to class members. Some of the organizations that received class settlement funds are separately funded by Google. EPIC recently filed an amicus brief opposing a similar settlement in a related class action against Google. EPIC has also opposed settlements against Facebookand Google that failed to compensate class members or change business practices. EPIC President Marc Rotenberg has proposed an objective basis to evaluate settlement proposals. The Supreme Court has yet to address cy pres fairness, but Chief Justice John Roberts, in Marek v. Lane concerning Facebook's Beacon program, echoed the concerns of EPIC when he wrote that the "vast majority of Beacon's victims" got nothing.

FTC Finally Takes Action on Connected Toys, Settles With Company That Violated Children's Privacy Law

The Federal Trade Commission announced a settlement with VTech Electronics over charges that the company collected personal information from children without parental consent and failed to provide data security. In 2015, Senators Edward Markey (D-MA) and Joe Barton (R-TX) inquired about VTech's privacy practices after the toy company was hacked, exposing the personal information of millions of children. EPIC and a coalition of consumer organizations recently renewed their call to the FTC to take action on toys that spy, one year after the groups filed a complaint with the FTC regarding dangerous internet-connected toys. The Children's Online Privacy Act (COPPA) sets forth strict requirements for the collection of information from children. In a recent interview with NBC Nightly News, EPIC's Sam Lester highlighted the dangers these toys pose from hackers. EPIC has supported numerous efforts to oppose toys that spy, including a successful effort in 2017 to recall Mattel's Aristotle.

FTC Finalizes Settlement with Lenovo Over Adware

The Federal Trade Commission has given final approval to a settlement with Lenovo over its practice of pre-installing adware onto consumers' laptops. The complaint alleged that the adware transmitted consumers' personal information to third parties and made consumer' laptops vulnerable to cyberattacks. The settlement prohibits Lenovo from misrepresenting any pre-installed software, but imposes no fines and allows Lenovo to continue pre-installing adware onto consumers' laptops. EPIC has routinely urged the FTC to strengthen its privacy settlements, and recently emphasized the need for the FTC to step up its data protection in comments on the FTC's five-year strategic plan.

EPIC in the News

• China’s Total Information Awareness: Second-Order Challenges, Lawfare, January 16, 2018
• Feds Scramble to Jam Jail Cellphones, Cease Drone Deliveries to Inmates, Kaplan Herald, January 12, 2018
• White House says it will destroy Trump voter panel data, send no records to DHS, The Washington Post, January 10, 2018
• Proposed Law Would Levy Substantial Penalties on Breached Credit Reporting Agencies, SC Media, January 10, 2018
• You Might Soon Need a New State ID To Fly Domestic, Popular Mechanics, January 9, 2018
• Justice Dept. Scrambles to Jam Prison Cellphones, Stop Drone Deliveries to Inmates, The Washington Post, January 8, 2018
• Toymaker VTech Settles Charges of Violating Child Privacy Law, The New York Times, January 8, 2018
• How to Curb Silicon Valley Power—Even With Weak Antitrust Laws, Wired, January 5, 2018
• Donald Trump Shut Down His Election Fraud Commission, But He Hasn't Given up on Voter Suppression, Mother Jones, January 4, 2018
• Trump dissolves voter fraud commission, Newsline, January 4, 2018
• Trump Disbands His 'Voter Fraud' Commission, The Atlantic, January 3, 2018

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Privacy Camp
January 23, 2017
Eleni Kyriakides, International Counsel
Brussels Belgium

EPIC International Champion of Freedom Awards
Computers, Privacy and Data Protection (CPDP) Conference
January 24, 2018
Brussels, Belgium

'The Internet of Bodies'
Computers, Privacy and Data Protection (CPDP) Conference
January 24-26, 2018
Marc Rotenberg, EPIC President
Eleni Kyriakides, International Counsel
Brussels, Belgium

Free Speech and the Administrative State
Center for the Study of the Administrative State, George Mason University
January 26, 2018
Alan Butler, EPIC Senior Counsel
Arlington, VA

'UTmessan - Where everything connects'
February 2, 2018
Marc Rotenberg, EPIC President
Reykjavik, Iceland

Regulatory Reform, Transparency, and the American Economy
14th Annual Symposium of the Journal of Law, Economics & Policy
February 2, 2018
Alan Butler, EPIC Senior Counsel
Arlington, VA

19th Annual Privacy & Security Conference
February 8, 2018
Marc Rotenberg, EPIC President (keynote)
Victoria Conference Centre
Victoria, Canada

2018 EPIC Champions of Freedom Awards Dinner
June 6, 2018 Washington, DC