EPIC Alert 25.04
EPIC Alert 25.04 - February 28, 2018
- EPIC Amicus: Supreme Court Hears Arguments in International Data Privacy Case
- EPIC Urges Congress to Suspend Facial Recognition at U.S. Airports
- EPIC v. IRS: EPIC Urges D.C. Circuit to Green-Light Release of President Trump's Tax Returns
- EPIC Amicus: Supreme Court Hears Arguments in Wiretap Act Case
- Court of Appeals Restores FTC's Authority Over Common Carriers
- Supreme Court Leaves Data Breach Decision in Place
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
The Supreme Court heard arguments this week in United States v. Microsoft Corp., a case concerning U.S. law enforcement access to personal data stored in Ireland. The case raises the question of whether the Stored Communications Act authorizes a court in the United States to order a service provider to produce personal data stored abroad.
The warrant under review was issued to Microsoft in 2013, but the company challenged the warrant on the grounds that the e-mails sought were stored on its servers in Dublin, Ireland. The lower court held that Congress did not intend the Act’s warrant provision to apply to data stored outside the United States. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution.
In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards and to follow the presumption against the extraterritorial application of U.S. law. EPIC wrote, "the Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms.” EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC also warned that “a ruling for the government would also invite other countries to disregard sovereign authority.”
EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).
EPIC has sent a statement to the House Homeland Security Committee urging the Committee to limit the collection of biometric data at U.S. airports. Ranking Member Bonnie Watson Coleman entered EPIC's statement into the record during the hearing, which concerned oversight of the Transportation Security Administration.
EPIC described the growing use of facial recognition that captures the images of U.S. travelers. Facial recognition poses significant threats to privacy and civil liberties. It can be done covertly, remotely, and on a mass scale. There is a lack of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers. EPIC told the committee that the ubiquitous and effortless use of facial recognition technology "poses a specific risk to the First Amendment rights of free association and free expression."
The inaccuracy of biometric identification also puts civil liberties at risk. EPIC previously obtained documents from the FBI showing how the Next Generation Identification database gathers facial scans, fingerprints, and other biometrics from millions of Americans. The documents revealed that biometric identification is often inaccurate.
EPIC also pointed the committee to a recent study that found racial disparities with facial recognition. That study found that the error rate in facial recognition software for dark-skinned females was 20.8%−34.7%, while the error rate for light-skinned males was 0.0%-0.3%. EPIC said that the committee should investigate the civil rights implications of using facial recognition for identification.
EPIC is a leader in issues of traveler screening and surveillance. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of certain X-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection to assess the accuracy of facial recognition and to determine if there are proper privacy safeguards in place for the collection of biometric information at US airports.
EPIC has filed the opening brief in its Freedom of Information Act case to obtain President Trump's tax returns. EPIC explained to the D.C. Circuit Court of Appeals that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS."
EPIC filed suit last April 15 after the IRS refused to process EPIC's FOIA request for President Trump's tax records. Though a lower court dismissed the case, EPIC brought an appeal before the D.C. Circuit arguing that a special provision of the tax code gives EPIC a right to seek the President's tax records without his consent. "If the IRS is unable to even process a FOIA request in these circumstances, then the agency has placed itself beyond the reach of the Freedom of Information Act," EPIC wrote. "That is a result Congress never intended and this Court should not permit."
EPIC also highlighted the many misstatements of fact about the President's tax returns that make it necessary for the IRS to release them. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners."
A recent Quinnipiac poll confirms that the public overwhelmingly (67%) supports the release of the President's returns. More than 1 million people have signed a petition urging the federal government to "[i]mmediately release Donald Trump's full tax returns, with all information needed to verify emoluments clause compliance.
EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). Press Release.
The Supreme Court heard arguments last week in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. EPIC filed amicus brief in the case urging that "it is not for the courts to create atextual exceptions" to federal privacy laws.
The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order, but a lower court denied suppression in the case even though the order was unlawfully broad. Dahda, the petitioner, told the Supreme Court that the lower court's decision "cannot be justified under traditional principles of statutory interpretation or by resort to the Court's earlier decisions."
EPIC, in its amicus brief, explained that Congress enacted strict and unambiguous privacy provisions in the Wiretap Act. Congress has made clear that wiretap orders cannot authorize surveillance beyond a court's jurisdictional boundary. Any order that does so is invalid and triggers the suppression of evidence under the plain text of the Act. "If the government wishes a different outcome," EPIC wrote, "then it should go to Congress to revise the statute.
EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in U.S. v. Microsoft Corp. (law enforcement access to data stored abroad), Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records).
The Ninth Circuit Court of Appeals held this week that the Federal Trade Commission may regulate telephone and internet companies that engage in "non-common-carrier activity." The case, FTC v. AT&T, arose from an FTC action against AT&T for throttling user data without regard to actual network congestion.
Eleven judges of the Ninth Circuit reversed an earlier decision by a three-judge panel that had stripped the FTC of all its authority over common carriers. The larger—or "en banc"—panel ruled that the "common carrier exemption" in the FTC Act is activity-based rather than status-based. This means that the FTC may regulate the conduct of mobile carriers that would otherwise fall under the FTC's jurisdiction.
The en banc panel acknowledged that in 2015 the FCC reclassified mobile data service from a non-common-carriage service to a common carriage service. But the panel found that "the prospective reclassification order did not rob the FTC of its jurisdiction or authority over conduct occurring before the order."
The result is one urged by EPIC and a coalition of consumer advocates in an amicus brief filed in the case. The consumer groups warned that the three-judge panel's decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." The groups urged the en banc court to correct the "substantial regulatory gap" created by the panel's decision.
EPIC has played a leading role in developing the FTC's authority to protect consumers. EPIC helped establish the FTC's authority over consumer privacy in 1995. EPIC has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also vigorously defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards" in an amicus brief in FTC v. Wyndham. EPIC recently offered 10 recommendations for the future of the FTC in advance of a hearing on four nominees to lead the Commission.
The Supreme Court has denied a petition for a writ of certiorari in CareFirst, Inc. v. Attias, a case concerning consumers' standing to sue in data breach cases. EPIC filed an amicus brief in the D.C. Circuit Court of Appeals backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches."
In June 2014, health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders. The information included the policyholders' names, birth dates, email addresses, and subscriber identification numbers. A group of consumers sued the company alleging that CareFirst broke the law by failing to safeguard their personal information. But the district court wrongly dismissed the case, ruling that the plaintiffs could sue only if they suffered actual identity theft.
On appeal, EPIC's amicus brief explained that the lower court misunderstood the relevant law and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. In August, the D.C. Circuit agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. CareFirst appealed the decision, but the Supreme Court chose not to take the case.
EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation.
EPIC Presses Department of Defense on Privacy of Cyber Threat Information
In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors.
Court Rules Users Have Standing to Sue Facebook About Facial Recognition
The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act.
Axios Poll: Public Wants Big Tech Regulated
A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of independents saying they are “more concerned” that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook’s acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google’s acquisition of Nest Labs.
Republican DACA Bill Would Expand Use of Drones, Biometrics
The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners, In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
House Draft Data Security Bill Preempts Stronger State Safeguards
Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testifiedbefore the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history.
Mueller Indicts Russian Nationals, Entities for Election Interference
Special Counsel Robert Mueller has indicted thirteen Russian nationals and three Russian entities for interfering in the 2016 U.S. presidential election. "Beginning as early as 2014" the defendants began operations "to interfere with the U.S. political system" and "sow discord," the indictment explains. They also posed as U.S. persons online, reaching "significant numbers of Americans" on social media. EPIC first sought details of the Russians' "multifaceted" influence campaign in January 2017, pursuing release of the complete Intelligence Community assessment on Russian meddling. EPIC President Marc Rotenberg recently highlighted the role of the Russian Internet Research Agency, named in the Mueller indictment, explaining, "Facebook sold advertising to Russian troll farms working to undermine the American political process." EPIC launched a new project on Democracy an Cybersecurity in early 2017 to help preserve democratic institutions.
- Government battles Microsoft in email privacy case before Supreme Court, WRCB (NBC), February 28, 2018
- Supreme Court to hear Microsoft case: A question of law and borders, Washington Post, February 25, 2018
- An EPIC Experience, Northeastern Law Magazine, February 20, 2018
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC Publications
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Piloting around Partisan Divides in Immigration, Infrastructure, and Industry
Yale CEO Summit
March 13, 2018
Marc Rotenberg, EPIC President
The EU at a Crossroads: From Technocracy to High Politics?
March 23-24, 2018
Marc Rotenberg, EPIC President
George Washington University Law School
International Working Group on Data Protection in Telecommunications
April 9-10, 2018
Eleni Kyriakides, EPIC International Counsel
May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17-18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
2018 EPIC Champions of Freedom Awards Dinner
June 6, 2018