EPIC Alert 25.06

1. FTC Heeds EPIC's Call to Investigate Facebook, Apply 2011 Consent Order

The Federal Trade Commission announced last week that it has opened an investigation into Facebook's failure to protect the privacy of its users. The announcement follows an EPIC-led coalition letter urging the FTC to probe whether Facebook violated a 2011 Consent Order by allowing Cambridge Analytica to harvest the personal data of 50 million Americans. "Facebook's admission that it disclosed data to third parties without users' consent suggests a clear violation of the 2011 Facebook Order," the groups wrote.

EPIC and a coalition of consumer organizations previously filed a Complaint with the FTC in 2009 that chronicled Facebook's extensive privacy misrepresentations. That complaint led to the FTC's 2011 Consent Order with Facebook. The FTC stated in its announcement of the Order that the work of EPIC and other organizations had brought Facebook's privacy violations to light.

In fact, EPIC warned the FTC in 2009 of the exact problem highlighted by the Cambridge Analytica story. EPIC explained that "when a Facebook user adds an application, by default that application gains access to everything on Facebook that the user can see." EPIC President Marc Rotenberg also testified before Congress in 2008 that Facebook grants third party applications "much of the information about that user's friends."

Following the FTC's announcement of its settlement with Facebook in 2011, EPIC urged the FTC to strengthen the settlement by requiring Facebook to restore prior privacy settings and to make the company's privacy assessments public. Last week, EPIC submitted an urgent FOIA request to the FTC to obtain all the privacy assessments required by the Order.

EPIC reiterated last week that the Facebook/Cambridge Analytica episode could have been avoided had the FTC heeded EPIC's warnings and enforced its Consent Order. In Techonomy, Rotenberg wrote that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided." And on CBS Evening News, EPIC's Sam Lester said that "Facebook users had no idea that Cambridge Analytica was accessing this data. It's a clear violation of the 2011 Consent Order."

EPIC is also calling on Congress to hold hearings to determine why the FTC failed to provide effective oversight of Facebook, warning that "the FTC's failure to act imperils not only privacy but democracy as well."

2. EPIC FOIAs Commerce Department about Citizenship Question on 2020 Census

The Department of Commerce has announced that the 2020 census will include a question on citizenship status. The decennial census has not included a citizenship question since 1950. The U.S. Constitution requires the Government to conduct a census of all individuals in the country—regardless of citizenship status—every 10 years.

Although the stated purpose of the new question is to improve enforcement of the Voting Rights Act, critics argue that the question will result in unreliable data collection and skew census results in regions with large immigrant populations. Former Census Bureau directors representing both Republican and Democratic administrations, including EPIC advisory board member Robert Groves, object to the inclusion of the citizenship question. At least 60 members of Congress, 161 Republican and Democratic mayors, 19 state attorneys general, and 170 civil rights organizations also oppose the question.

Democratic senators have introduced the Every Person Counts Act of 2018 (S. 2580), a bill that would prohibit the census from including a question on citizenship or immigration status. The attorneys general of at least 12 states have said that they will sue to block the question.

EPIC submitted a Freedom of Information Act request seeking documents on the Department's consideration of the question after Secretary Wilbur Ross stated during a hearing that "there are probably 15 or 20 different very complicated issues involved in the request." EPIC specifically requested information about these issues.

The census raises significant privacy risks and has been used to discriminate. During World War II, the Census Bureau disclosed aggregate data on Japanese-American communities to the U.S. War Department that led to their internment. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11.

3. CLOUD Act Enacted, Allows Law Enforcement Access to Data Stored Abroad

President Trump has signed the CLOUD Act, a law requiring internet companies to hand over personal data to U.S. law enforcement agencies no matter where that data is stored. The Act also allows the executive branch to create agreements with foreign countries to provide direct access to personal data stored in the United States.

The CLOUD Act was passed largely in response to United States v. Microsoft Corp., a pending Supreme Court case in which the government is challenging longstanding legal restrictions on its ability to access remote data. EPIC submitted an amicus brief in that case, arguing that law enforcement access to data abroad should be resolved by international consensus and comply with human rights norms. EPIC cited key cases from the European Court of Human Rights and the European Court of Justice.

EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC also participated in the development of a Common Position on Standards for data protection and personal privacy in cross-border data requests for law enforcement purposes.

EPIC also joined the European Digital Rights Initiative (EDRI) in a statement to the Council of Europe recommending revisions to the Budapest Convention on Cybercrime to safeguard human rights. Many organizations and privacy experts have endorsed the Madrid Privacy Declaration, which would establish international protections for personal data.

4. EPIC Urges FTC to Modify Venmo Consent Order

In detailed comments filed last week, EPIC advised the Federal Trade Commission to strengthen a proposed FTC settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC recently found that Venmo made misrepresentations about the app's privacy and security practices.

In its comments, EPIC set out recommendations that would establish stronger data protection safeguards for consumers. Specifically, EPIC urged the FTC to require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices.

As EPIC explained, "financial information has traditionally been considered among the most private and sensitive personal information; Venmo has subverted that norm by combining a payment app with social media. Venmo transactions can reveal a surprising amount of information and lead to inferences that may or may not be accurate." EPIC also criticized Venmo's use of user transaction data as part of a "social network," noting that consumers perceive Venmo as a payment application.

EPIC also noted that the FTC's proposed settlement with Venmo does not prohibit privacy changes made without meaningful user consent—unlike the 2011 Facebook Order that EPIC helped obtain. "There is no reason why the proposed Order should not impose at least the same requirements as the Facebook Order," EPIC wrote.

The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a "reasoned response" if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat.

5. EPIC FOIA: EPIC Obtains FBI Policy for Disseminating Biometric Info

EPIC, through a Freedom of Information Act request, has obtained the Federal Bureau of Investigation's "Policy for Biometric Information Sharing with Domestic and International Agencies." The policy identifies when and how the FBI may transfer biometric data to domestic and foreign agencies. The documents obtained by EPIC also contain details of a U.S. agreement with Iraq to exchange biometric data—including an agreement to not subject the data to either country's restrictions on dissemination.

The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, which includes facial IDs gathered from international conflicts. The system contains fingerprints, iris scans, palm prints, photos, and voice data. These records are frequently connected with other identifying data such as criminal histories and physical characteristics of the individual.

Despite maintaining one of the world's largest biometric databases, the FBI has resisted maintaining privacy safeguards. The FBI previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, which EPIC opposed.

In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the "system of biometric identification contravenes international privacy standards and could lead to further reprisals and killings." At the time, U.S. troops were using mobile scanners to capture fingerprints, eye scans, and DNA and to build secret profiles on hundreds of thousands of Iraqi citizens in Iraq.

EPIC noted in 2010 that "President Obama's address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict." In 2011, the U.S. confirmed that it would retain the biometric database, which contains information on three million Iraqis.

News in Brief

EPIC, Coalition Call on Facebook to Stop Electioneering

EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last month, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity.

EPIC FOIA: CFPB Raise Further Questions About Equifax Investigation

Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that, days before Reuters published its article alleging that the CFPB had halted the Equifax investigation, a Reuters reporter contacted the CFPB to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement saying that it would not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing.

EPIC FOIAs FTC, Seeks Facebook's Privacy Assessments

EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controls in relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports, which cover the period of the data transfers to Cambridge Analytica.

EPIC, Consumer Groups Urge FTC To Investigate Facebook

EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. In the past, the groups had repeatedly urged the FTC to enforce its own legal judgments. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011, EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011.

EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield

EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The statement preceded a Committee hearing concerning the FY19 budget for the Commerce Department. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by last month's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.

EPIC to UNESCO: Algorithmic Transparency is an Internet Universality Indicator

EPIC has provided comments to UNESCO on a proposed framework for Internet Universality Indicators. The UNESCO framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO said that the framework will help guide protections for fundamental rights. EPIC also proposed "Algorithmic Transparency" as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right.

State Department to Require Social Media IDs of Visa Applicants

In a Federal Register notice released today, the State Department is proposing that all visa applicants submit social media identifiers to the federal government. EPIC previously opposed the agency's plan, warning that "this proposal leaves the door open for abuse, mission creep, and the disproportionate targeting of Muslim and Arab Americans." Earlier this year, EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request seeking details of the Trump Administration's "extreme vetting" initiative, including the collection and use of social media information.

FBI Concealed Crypto Capabilities

An internal investigation has revealed that the FBI was not transparent about its technical capabilities before suing Apple to unlock an encrypted iPhone. The Department of Justice Inspector General reports that FBI personnel failed to communicate to agency leadership that the FBI was very close to opening the phone. While investigating the 2015 mass shooting in San Bernardino, the FBI filed suit to force Apple to create custom technology to decrypt an iPhone. The agency's case relied on the fact that it "cannot access" that phone's content. EPIC filed an amicus brief in Apple v. FBI arguing that the "security features in dispute in this case were adopted to protect consumers from crime."

2020 US Census to Include Citizenship Question, Senators Introduce Bill to Block

The Department of Commerce announced that the 2020 census will include a question on citizenship status. The decennial census has not included a citizenship question since 1950. Critics argue that the question will result in unreliable data collection and skew census results. Senator Menendez (D-NJ) has introduced S. 2580, a bill that would prohibit the census from including a citizenship question. Last month EPIC submitted a Freedom of Information Act request seeking documents on the Department's consideration of the many complicated issues related to the question. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11.

D.C. Circuit Sets Briefing Schedule in Information Privacy Case

The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.

State AGs Launch Facebook Investigation

A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission has also announced that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns.

House Bill Would Create Commission on AI

Congresswoman Elise Stefanik (R-NY) has introduced a bill (H.R. 5356) that would create the National Security Commission on Artificial Intelligence (AI). Congresswoman Stefanik said, "It is critical to our national security but also to the development of our broader economy that the United States becomes the global leader in further developing this cutting edge technology." The Commission would conduct a comprehensive review of AI technologies, assess the risks to national security, identify actionable items, and provide recommendations to the President and Congress. The Commission's recommendations would also address: data and privacy, international law and ethics, competitiveness, technological advantages, cooperation and competition, investments and research, and workforce and education. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the use of opaque techniques in automated decision-making.

Senator Feinstein Calls for Transparency on Russian Election Interference

At a Senate Intelligence Committee hearing on Election Security last month, Senator Dianne Feinstein said "America is the victim and America has to know what's wrong. And if there are states that have been attacked, America should know that." In a Freedom of Information Act lawsuit, EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that "[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD's policy regarding victim notification is designed to strongly favor victim notification." However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several additional FOIA cases concerning Russian interference with the 2016 election: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

D.C. Circuit Affirms 'Consent' Protection in FCC Robocall Rule

A federal appeals court recently ruled in a closely watched case concerning robocalls. The rule under review in ACA International v. FCC concerned the FCC's regulations for the Telephone Consumer Protection Act. EPIC filed a friend of the court brief in the case in support of the FCC regulations. EPIC said that companies "seeking to engage in privacy-invading business practices" bear "the burden of proving consent." The court agreed that consumers could withdraw consent by all "reasonable means." However, the court vacated other aspects of the rule, including the definition of automated telephone dialing system and proposed procedures for calls to reassigned numbers.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

International Working Group on Data Protection in Telecommunications
April 9-10, 2018
Eleni Kyriakides, EPIC International Counsel
Budapest, Hungary

'Fourth Amendment Cases at the Supreme Court'
April 12, 2018
Marc Rotenberg, EPIC President
Washington College of Law
Washington, DC

Election Security War Game: Testing Critical Infrastructure Designation
April 12, 2018
John Davisson, EPIC Counsel
Election Law Program
William & Mary Law School
Williamsburg, VA

Techonomy NYC
May 8-9, 2018
Marc Rotenberg, EPIC President
New York, NY

May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

OECD Global Forum on Digital Security for Prosperity
May 15-16, 2018
Marc Rotenberg, EPIC President
OECD Directorate for Science, Technology and Innovation
Paris, France

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17–18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
Honoring Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann
June 6, 2018
National Press Club
Washington, DC

The American Colossus: The Best of Times and the Worst of Times?
Yale CEO Conference
June 13, 2018
Marc Rotenberg, EPIC President
New York Public Library
New York, NY
