EPIC Alert 25.05

EPIC Alert logo

1. EPIC Celebrates Sunshine Week With 2018 FOIA Gallery

In recognition of Sunshine Week, a national celebration of public access to information, EPIC has unveiled the 2018 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases as well as documents obtained through the Freedom of Information Act.

EPIC's FOIA litigation over the past year has resulted in disclosure of critical information about the activities of the government. Through vigorous and effective litigation, EPIC bolstered its record as a champion for a more open and transparent government. EPIC's litigation has also generated case law that benefits the FOIA requesters and the open government community across the country, with improved rules for document processing and fee recovery. A 2017 report from the TRAC FOIA Project shows that EPIC is among the nation's leading FOIA litigators, ranking fifth among nonprofit and advocacy groups nationwide.

Last year EPIC filed eight FOIA lawsuits, including four leading open government cases concerning Russian interference with the 2016 Presidential election: EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. DHS (election cybersecurity), and EPIC v. IRS (release of Trump's tax returns). In one notable litigation success, EPIC was awarded substantial attorney's fees after securing a victory against the Department of Homeland Security in a case concerning Internet surveillance. The Court issued a final order granting EPIC nearly $100,000 in fees—the largest award in EPIC's history.

In 2017, EPIC obtained formerly secret records from government agencies—including Customs and Border Protection, the Department of Homeland Security, the Department of Justice, the Federal Bureau of Investigation, and the Internal Revenue Service—and prevailed in multiple FOIA cases. Among its successes, EPIC obtained the "victim notification procedures" that the FBI did not follow after the Russian cyberattacks during the 2016 Presidential election. EPIC also revealed that the FBI also failed to follow internal guidance for using intelligence data for criminal investigations, forced the DOJ to admit that an algorithmic sentencing report does not exist, and uncovered problems with the border security biometric matching program. Most recently, EPIC obtained records revealing federal voting rights officials discussing ways to "clean" state voter rolls.

2. EPIC FOIA: Federal Voting Rights Officials Sought to 'Clean' State Voter Rolls

Officials from four different federal agencies discussed joint plans to "clean" state voter rolls last year, according to documents obtained by EPIC through a Freedom of Information Act request. The records show that the Election Assistance Commission, the now-defunct Presidential Election Commission, the Department of Justice, and the Department of Homeland Security explored ways to cooperate on "cleaning" and "maintenance" of state voter registration databases.

Notably, these interagency discussions took place during the same period of 2017 that the Presidential Election Commission and the DOJ both issued sweeping requests for vast amounts of election data from state election officials. Many states refused to provide the state voter data, citing the privacy rights of their voters and the states' power to administer their own elections. After EPIC brought suit against the Commission last year, the Commission suspended the data collection, discontinued the use of an unsafe computer server, and deleted voter information that was illegally obtained. The Commission was ultimately disbanded earlier this year.

At the same time that EPIC was pursuing legal action against the Commission, EPIC also sought records under the Freedom of Information Act from the DOJ. EPIC noted an urgent public need for the records and emphasized that the "coincidental request by the PACEI for similar information from the states raises substantial concerns that the DOJ request was part of a coordinated undertaking."

One email obtained by EPIC shows that the PACEI and the DOJ's Voting Section discussed "election integrity" just two weeks before the agencies sent out their simultaneous requests for voter information. Another set of emails shows that Christy McCormick—an Election Assistance Commissioner and member of the Presidential Election Commission—collaborated with a DOJ voting rights attorney on voting roll "maintenance." Officials from the EAC, the DOJ, and the DHS appear to have conducted two meetings in February 2017 to discuss possible coordination between the agencies.

EPIC has a long history of working on voter privacy and democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

3. EPIC Urges Appeals Court to Uphold Fourth Amendment Protections for Searches of Students' Cell Phones

EPIC has filed an amicus brief with the Eleventh Circuit Court of Appeals in Jackson v. McCurry, arguing that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements.

In Jackson, two administrators searched a student's cell phone without a warrant or the student's consent during their investigation of alleged threats made against the student. The student's parents sued the school, but a lower court ruled that it was not clearly established that the administrators who searched the student's cell phone violated the Fourth Amendment.

Citing the recent Supreme Court opinion Riley v. California, EPIC explained that "after Riley, searches of students' cell phones require heightened privacy protections." Noting that "most teenagers today could not survive without a cell phone," EPIC argued that searches of cell phones should be "limited to those circumstances where it is strictly necessary." EPIC also emphasized that "in the rare case where it is necessary to search a student's cell phone," the search must "be limited in scope and duration to what is strictly required under the circumstances."

EPIC previously participated as amicus curiae in Riley v. California, arguing that the search of a cellphone requires a warrant, and Commonwealth v. White, arguing that a warrant is required before a school may turn over a student's cell phone to the police. Both cases produced favorable outcomes.

EPIC has proposed a Student Privacy Bill of Rights to safeguard student data and security and obtained documents regarding the misuse of education records through the Freedom of Information Act. EPIC also sued the Department of Education regarding changes in an agency regulation that diminished the safeguards set out in the Family Educational Rights and Privacy Act.

4. EPIC FOIA: EPIC Sues DHS for Drone Reports

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain the public release of information about the use of drones for domestic surveillance. EPIC's lawsuit charges that the DHS has failed to comply with a Presidential Memorandum concerning government drone use because the DHS has not released mandatory public reports on the agency's drone activities.

EPIC filed a FOIA request in 2016 with DHS for all policies, procedures, and reports relating to the agency's use of drones. EPIC's lawsuit alleges that DHS has unlawfully withheld these records. DHS components that deploy drones for domestic surveillance include Customs and Border Protection, Immigration and Customs Enforcement, the United States Coast Guard, and the United States Secret Service.

The use of drones by the federal government raises substantial privacy and civil liberties concerns. Due to the altitudes at which drones can fly, they are often beyond the range of sight for most people. In addition, drones can also be designed to be very small and maneuverable. This means drone surveillance often occurs without the knowledge of the individual being monitored. Drones are designed to undertake constant, persistent surveillance to a degree that former methods of video surveillance were unable to achieve.

In a previous lawsuit against the DHS, EPIC obtained records which revealed that DHS drones had the capability to intercept electronic communications and to identify humans at a distance. EPIC has also brought a lawsuit against the Federal Aviation Administration to establish drone privacy regulations in the United States. That case is now pending before the D.C. Circuit Court of Appeals.

5. EPIC Names New Advisory Board Members

EPIC has announced the newest members of the EPIC Advisory Board. Professor Woodrow Hartzog, Dr. Rush D. Holt, Len Kennedy and Roger McNamee join a distinguished group of experts in law, technology, and public policy who contribute to EPIC's work on privacy and civil liberties.

Woodrow Hartzog is a Professor of Law and Computer Science at Northeastern University School of Law and the College of Computer and Information Science. His research focuses on privacy, contracts, media, and robotics. His book, Privacy's Blueprint: The Battle to Control the Design of New Technologies, was published in 2018 by Harvard University Press.

Rush D. Holt is the chief executive officer of the American Association for the Advancement of Science (AAAS) and executive publisher of the Science family of journals. Over his career, Dr. Holt has held positions as a teacher, scientist, administrator, and policymaker. Before coming to AAAS, Dr. Holt served for 16 years as a member of the U.S. House of Representatives. He served on the National Commission on the Teaching of Mathematics and Science, founded the Congressional Research and Development Caucus, and served as a co-chair of the Biomedical Research Caucus.

Len Kennedy was the first general counsel of the Consumer Financial Protection Bureau and general counsel of Neustar, Inc., where he addressed data security, privacy, cyber incidents, and web protection concerns. Mr. Kennedy successfully advocated business and regulatory policies to federal agencies and the Congress that fostered the development of cellular and Internet communications markets and services.

Roger McNamee is the cofounder of Elevation Partners, a musician, an early investor in Facebook, and now one of the leading voices calling for reform of the Internet industry. Mr. McNamee also serves on the board of directors for the Rock and Roll Hall of Fame Museum and helped establish the Wikimedia Foundation.

The publications of the EPIC Advisory Board members are available at the EPIC Bookstore. Earlier this year, Whitfield Diffie, Harry Lewis, and Jennifer Daskal were elected to the EPIC Board of Directors. The 2018 EPIC Champion of Freedom Awards will be presented on June 6, 2018 at the National Press Club, where EPIC will honor Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann.

News in Brief

U.K. Blocks WhatsApp From Transferring Data to Facebook

U.K. privacy officials have blocked WhatApp from transferring personal data to Facebook until the company complies with the GDPR, the new European privacy law. The Information Commissioner's Office found that WhatsApp's proposed data transfer would have violated the U.K. Data Protection Act. "People have a right to have their personal data kept safe," explained Commissioner Elizabeth Denham in a blog post. EPIC has twice urged the FTC to block WhatsApp's transfer of personal data to Facebook, but the FTC has failed to act. The FTC approved Facebook's acquisition of WhatsApp in 2014 after both companies assured the Commission and the public that they would protect users' privacy, but in 2016 WhatsApp announced that it would begin transferring the names and phone numbers of its users to Facebook. France blocked the data transfer and the EU fined Facebook $122 million for misleading European authorities about the data transfer.

EPIC to File Brief in D.C. Circuit on Right to Information Privacy

EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.

EPIC to Senate Intelligence: Ask NSA Director Nominee About Russian Election Interference

In advance of the hearing on the nomination of Lieutenant General Paul M. Nakasone to be the Director of the National Security Agency, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the nominee whether he agrees with the January 2017 assessment of the Intelligence Community that the Russians interfered with the 2016 Presidential election and whether he believes that the United States has taken sufficient steps to prevent Russian meddling in the mid-term elections. In the latest FOIA gallery, EPIC highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election. One EPIC's FOIA cases, EPIC v. FBI, revealed that the Bureau failed to warn the DNC and the RNC that they were targeted by a Russian cyber attack.

EPIC Supports Senate's Open Government Work

In advance of the Senate hearing on the Freedom of Information Act (FOIA), EPIC submitted a statement highlighting recent FOIA cases. EPIC told the committee about documents EPIC has obtained through FOIA requests and litigation, including documents obtained last week that show federal voting rights officials sought to "clean up" state voter rolls. EPIC also discussed its case against the IRS seeking the release of President Trump's tax returns. Since 2001, EPIC has produced an annual FOIA gallery in honor of Sunshine Week to feature EPIC's FOIA work over the past year.

EPIC to Congress: Examine 'Connected Devices,' Safeguard Consumer Privacy

EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.

EPIC, Coalition Seek Details of 'Extreme Vetting' Initiative

EPIC and a broad coalition of civil rights organizations have submitted a Freedom of Information Act request seeking details related to ICE's "Extreme Vetting" Initiative, including the collection and use of social media information. The federal is agency is making deportations and visa decisions based on vague and ambiguous criteria. The FOIA request seeks to make public the specific procedures and policies for Extreme Vetting. Last year, EPIC and a coalition of civil rights organizations sent a joint statement to the Acting Secretary of Homeland Security to oppose the Extreme Vetting Initiative. EPIC previously opposed a proposal to collect social media information for use in visa determinations.

FEC Proposes Regulation of Internet Political Ads

The Federal Election Commission voted unanimously this week at a public meeting to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications."

Appeals Court Revives Data Breach Suit Against Zappos

A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

International Privacy Experts Adopt Privacy Recommendations for Web Registration

The International Working Group on Data Protection has adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The "Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory" highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration - to provide limited contact information to resolve technical concerns. Registration data is also subject to the GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

Senators Ask Director of National Intelligence About Russian Meddling

The Senate Armed Services Committee held a hearing last week that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with the earlier testimony of Admiral Michael Rogers, head of U.S. Cyber Command. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election.

Senators Introduce Bill to Limit Device Searches at the Border

Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) have introduced a bill that would place restrictions on searches and seizures of electronic devices at the border. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act. The bill also establishes reporting requirements to determine the scope and frequency of device searches. Senator Leahy stated that "no American should have to relinquish all of their privacy rights to their cell phones, laptops and other electronic devices, simply because they are coming home from a trip abroad." The bill would also require a warrant to use software to analyze seized electronic devices. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact citizens' rights.

SEC Issues Guidance on Cybersecurity Disclosures

The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.

Rep. Lieu Introduces Two Consumer Data Protection Bills

Rep. Lieu (D-CA) recently introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitrary clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an addition 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency.

FTC Report: ID Theft Complaints Rank High

Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Digital Privacy and the Constitution: How Civil Liberties and New Technologies Intersect in the Supreme Court
March 21, 2018
Alan Butler, EPIC Senior Counsel
Marquette Democracy Project
Milwaukee, WI

The EU at a Crossroads: From Technocracy to High Politics?
March 23-24, 2018
Marc Rotenberg, EPIC President
George Washington University Law School
Washington, DC

International Working Group on Data Protection in Telecommunications
April 9-10, 2018
Eleni Kyriakides, EPIC International Counsel
Budapest, Hungary

"Fourth Amendment Cases at the Supreme Court"
April 12, 2018
Marc Rotenberg, EPIC President
Washington College of Law
Washington, DC

Election Security War Game: Testing Critical Infrastructure Designation
April 12, 2018
John Davisson, EPIC Counsel
Election Law Program
William & Mary Law School
Williamsburg, VA

Techonomy NYC
May 8-9, 2018
Marc Rotenberg, EPIC President
New York, NY

May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

OECD Global Forum on Digital Security for Prosperity
May 15-16, 2018
Marc Rotenberg, EPIC President
OECD Directorate for Science, Technology and Innovation
Paris, France

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17–18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
Honoring Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann
June 6, 2018
National Press Club
Washington, DC

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security