EPIC Alert 25.02

1. D.C. Circuit Hears Arguments in EPIC Drone Privacy Case

The U.S. Court of Appeals for the D.C. Circuit heard oral arguments last week in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for commercial drones. EPIC's case is based on an Act of Congress that requires a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards.

EPIC Senior Counsel Alan Butler argued the case. Mr. Butler told the Court that the FAA's failure to regulate drones injures EPIC, explaining how EPIC's members faced an increased risk of surveillance from delivery drones flying over their property. Mr. Butler also argued that EPIC was harmed as an organization because it would not be able to bring complaints before the FAA regarding privacy violations by drone users.

As to the FAA's privacy obligations, Mr. Butler argued that Congress required the agency to regulate all "hazards" from drones—including both privacy and cybersecurity threats. If a drone is hacked, for example, the pilot could lose control over the drone. But the FAA's rules inexplicably leave out cybersecurity safeguards to prevent the loss of control due to hacking. The FAA insisted that an operator could call 911 in the event of a drone hacking, but Chief Judge Merrick Garland noted that it would be "too late" to prevent a terrorist from causing harm with a hacked drone.

EPIC recently told Congress that the FAA must establish drone privacy safeguards and ID requirements. Last year, Congress restored the FAA's drone registration requirement that had been struck down by a federal appeals court. EPIC also submitted statements last year to the House Transportation Committee and the Senate Commerce Committee emphasizing the privacy risks of commercial drones.

2. EPIC Gives International Privacy Award to Gus Hosein, Artemi Rallo

EPIC presented the 2018 International Privacy Champion Award to Gus Hosein, director of Privacy International, and Professor Artemi Rallo, the former chair of the Spanish Data Protection Agency, at the annual conference on Computers, Privacy, and Data Protection in Brussels, Belgium. CPDP is the leading international conference devoted to privacy and data protection.

The EPIC award to Hosein recognized his work, "defending privacy in the UK and around the world." The award to Rallo described him as a "constitutional scholar, data protection advocate, friend of civil society."

This was the 10th year that EPIC has presented the International Privacy Champion Award. The past awardees are Alexander Dix (2017), Viviane Reding (2016), Peter Hustinx (2015), Member of European Parliament Jan Philipp Albrecht (2014), Max Schrems (2013), Jennifer Stoddart (2012), Sophie in't Veld (2011), Michael Kirby (2010), and Stefano Rodotà (2010).

The 2018 EPIC Champion of Freedom Awards will be presented at the National Press Club in Washington, DC on June 6, 2018.

3. In Supreme Court Brief, EPIC Backs International Privacy Standards

EPIC recently filed an amicus brief in United States v. Microsoft Corp., a case before the U.S. Supreme Court concerning law enforcement access to cross-border data. The Court will address whether the Stored Communications Act (SCA) authorizes a court in the United States to order companies to produce personal data stored in Ireland. The Court agreed to review the case after a lower court held that Congress did not intend the SCA to apply to data beyond U.S. borders.

In its brief, EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC emphasized that "a ruling for the government would undermine efforts to develop new procedures, based on international consensus, for cross border data access." EPIC also argued that the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC highlighted important cases from the European Court of Human Rights and the European Court of Justice.

EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC supported the Madrid Declaration, signed by over one hundred civil society organizations and privacy experts, which reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete action. EPIC also routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (warrantless searches of rental cars), and Dahda v. United States (wiretapping).

4. EPIC Opposes Nominee to Privacy and Civil Liberties Board

In advance of a hearing on the nomination of Adam Klein to the Privacy and Civil Liberties Oversight Board, EPIC urged the Senate to oppose the nomination. EPIC explained that "PCLOB plays a vital role safeguarding the privacy rights of Americans and ensuring oversight and accountability of the Intelligence community."

The PCLOB was established after the 9-11 Commission found that there was no government office with the responsibility of protecting civil liberties. In its oversight role, the PCLOB is required to continually review executive branch actions and information disclosure policies. In its advisory role, the PCLOB counsels the President and executive branch agencies on the privacy and civil liberties concerns of their proposed policies. The PCLOB reports twice a year to the President and Congress and makes these reports available to the public. These responsibilities are vital checks on the intelligence community.

EPIC said that Mr. Klein "does not appreciate the full extent of the privacy interests at stake in many of the most significant debates about the scope of government surveillance authority." The nominee severely understated the privacy concerns of Section 702 in an editorial he wrote last year. Though Mr. Klein claimed that "in 2016 only one FBI search for information about an American in a non-national-security criminal investigation led the FBI to review messages collected under 702," that figure does not include searches by other agencies, searches with warrants, or metadata searches. A related FOIA case by EPIC determined the FBI does not fully report the use of 702 authority as required by law.

EPIC also sought assurances that the PCLOB would remain bipartisan. The PCLOB was meant to be split 3-2 with members recommended by both parties, but if Klein is appointed, the board will consist solely of two Republicans. EPIC told Congress that "leaving the board understaffed with members of only one party will do little to promote trust or confidence in the activities of the Intelligence Community."

EPIC has a strong interest in the work of the PCLOB. In 2003, EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the board in 2013.

5. Daskal, Diffie, Lewis Join EPIC Board of Directors

Jennifer Daskal, Whitfield Diffie, and Harry Lewis have joined the EPIC Board of Directors. The members of the EPIC Board of Directors are chosen from the EPIC Advisory Board, who are distinguished experts in law, technology, and public policy.

Professor Daskal is an Associate Professor at American University Washington College of Law and a leading expert in criminal law, national security law, and constitutional law. She is also a 2016-2017 Open Society fellow, working on issues related to privacy, surveillance, and law enforcement access to data across borders. From 2009 to 2011, Professor Daskal was counsel to the Assistant Attorney General for National Security at the Department of Justice.

Dr. Diffie is an American cryptographer, one of the pioneers of public-key cryptography, and a recipient of the Turing Award, the most prestigious award in the field of computer science. Diffie and Martin Hellman's 1976 paper New Directions in Cryptography introduced a radically new method of distributing cryptographic keys that helped solve key distribution—a fundamental problem in cryptography.

Professor Lewis is a Gordon McKay Professor of Computer Science at Harvard University's John A. Paulson School of Engineering and Applied Sciences. He is a former dean of Harvard College. Lewis is known for his research in computational logic, textbooks in theoretical computer science, and writings on computing, higher education, and technology. Several of his books are available at the EPIC Bookstore.

Daskel, Diffie, and Lewis will serve for a three-year term on the EPIC Board of Directors beginning in 2018. The EPIC Board of Directors thanked outgoing directors Pamela Jones Harbour, Chip Pitts, and Peter Neumann. The EPIC Board of Directors also formalized the membership status of the EPIC Advisory Board with the adoption of a new bylaws provision for qualifications, dues, and governance.

News in Brief

EPIC Joins Consumer and Health Groups, Urges Facebook to Scrap 'Messenger Kids'

EPIC, the Center for Commercial Free Childhood, and others have urged Mark Zuckerberg to shutter Facebook's "Messenger Kids" app. The groups cited rising concern about social media among adolescents and wrote it is irresponsible to encourage preschoolers to use Facebook products. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have questioned Facebook about the Messenger Kids app. EPIC recently backed a campaign that led Mattel to cancel a device that spies on young children. EPIC also led efforts to require Facebook to respect the privacy rights of WhatsApp users.

EPIC Advises Congress to Protect Student Privacy in Evidence-Based Policymaking

In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions.

EPIC Warns Senate of Dangers of Connected Cars

In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data.

EPIC Warns Congress of Risks of 'Internet of Things'

In advance of a hearing on Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."

European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law

The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrem's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities does not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NYOB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.

House Members Introduce Russian Election Meddling Bill

Rep. Ros-Lehtinen (R-FL) and Rep. Schneider (D-IL) introduced the Defending Elections from Threats by Establishing Redlines Act of 2018 to deter foreign interference in U.S. elections. The bipartisan legislation stipulates that if the Director of National Intelligence determines that the Russian government knowingly interfered in a U.S. election, the President is required to impose sanctions on Russia's aerospace, banking, defense, energy, intelligence and mining industries. The bill is a direct response to Russian interference in the 2016 Presidential election. EPIC is currently pursuing several related FOIA cases, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

Data Breaches on the Rise

2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S.

Senate Holds Hearing on National Security Strategy

EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."

Congress Renews Controversial Surveillance Measure, EU Impacted

In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case.

EPIC in the News

• Facebook to Launch Privacy Center Ahead of EU Regulations, USA Today, January 29, 2018
• Strava Map Fallout: How Much do you Know About Your Fitness App's Tracking?, USA Today, January 29, 2018
• Here's What You Can do to Stop Big Tech From Manipulating You Online, The Hill, January 22, 2018
• Twenty-Five Years Later: What Happened to Progressive Tech Policy?, The Washington Spectator, January 22, 2018
• A Google App That Matches Your Face to Artwork is Wildly Popular. It's Also Raising Privacy Concerns., Washington Post, January 17, 2018

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

'UTmessan - Where everything connects'
February 2, 2018
Marc Rotenberg, EPIC President (keynote)
Reykjavik, Iceland

Regulatory Reform, Transparency, and the American Economy
14th Annual Symposium of the Journal of Law, Economics & Policy
February 2, 2018
Alan Butler, EPIC Senior Counsel
Arlington, VA

19th Annual Privacy & Security Conference
February 8, 2018
Marc Rotenberg, EPIC President (keynote)
Victoria Conference Centre
Victoria, Canada

The Meaning of Privacy in the Age of Social Media
Renaissance Weekend
February 18, 2018
Marc Rotenberg, EPIC Presiden
Santa Monica, CA

RightsCon
May 16–18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17–18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
June 6, 2018
Washington, DC