EPIC Alert 25.07

1. EPIC Tells Senate to Focus on FTC Consent Order with Facebook

EPIC submitted a comprehensive statement to Congress this week in advance of a joint hearing in the Senate and a hearing in the House on Facebook's failure to protect user privacy. EPIC urged Congress to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. "The FTC's failure to enforce the order we helped obtain has resulted in the unlawful transfer of 87 million user records to a controversial data mining firm to influence a presidential election as well as the vote in Brexit," EPIC wrote. "The obvious question now is 'why did the FTC fail to act?'"

Facebook CEO Mark Zuckerberg faced two days of questioning before the Senate Committees and the House Committee on Energy and Commerce. A key topic was Facebook's failure to comply with the FTC Consent Order. During the Senate hearing, EPIC's statement was entered into the hearing record by Senator Grassley (R-IA) and Senator Feinstein (D-CA). Senator Blumenthal (D-CT) questioned Zuckerberg on Facebook's practice of granting third-party apps unrestricted access to user data, stating that it amounted to "willful blindness" and violated the Consent Order.

In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint containing detailed evidence, legal theories, and proposed remedies to address growing privacy concerns about Facebook. The FTC adopted a Consent Order in 2011 based on EPIC's Complaint. EPIC submitted comments to the FTC urging it to strengthen the Order, including by requiring Facebook to end secret post-logout tracking of users across web sites. However, the FTC adopted a final Order in 2012 without any modifications. Between 2011 and 2018, the FTC failed to enforce the Order against Facebook, even after EPIC sued the agency in a related matter.

In the wake of the Cambridge Analytica revelations last month, EPIC and a coalition of privacy organizations wrote a letter to Acting FTC Chairman Ohlhausen and Commissioner McSweeny urging the Commission to enforce the 2011 Consent Order against Facebook. The letter explained that the Cambridge Analytica breach could have been prevented if the FTC had enforced the Order. Following that letter, the FTC confirmed an investigation into Facebook. EPIC also submitted an urgent FOIA request to the FTC seeking all privacy assessments required by the Order.

2. Zuckerberg, Urged by Consumer Groups, Confirms Global Compliance with GDPR

Facebook CEO Mark Zuckerberg testified before the Senate and House this week on Facebook's failure to protect user data. In response to a series of questions from Rep. Gene Green (D-TX), Zuckerberg confirmed that Facebook will comply with the new European Union privacy law—"the GDPR"—in all jurisdictions.

The GDPR, or General Data Protection Regulation, aims to strengthen the fundamental rights of individuals and put users back in control of their personal data. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. The law will also tackle fragmentation of rules and provide legal certainty for businesses. The comprehensive data protection legislation will fully enter into force on May 25, 2018.

Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote: "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process."

"The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered," TACD continued. "These are protections that all users should be entitled to no matter where they are located." The TACD was established in 1998 and works to promote the consumer interest in EU and US policy making.

EPIC and EU and US consumer groups have supported the GDPR, stating that it provides "important new protections for the privacy and security of consumers." EPIC also supports the ratification of an international privacy framework. Speaking at the Council of Europe in 2016, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention.

3. EPIC Sues ICE Over Technology Used to Conduct Warrantless Searches of Mobile Devices

EPIC filed a Freedom of Information Act lawsuit this week against Immigration and Customs Enforcement for details on the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. EPIC is seeking ICE contracts related to the purchase of mobile forensics devices, all guidance and training materials on the agency's use of the technology, and all related privacy impact assessments. EPIC's lawsuit challenges ICE's failure to timely process EPIC's FOIA request and asks the court to compel production of documents.

ICE enforces federal border laws and conducts homeland security investigations, both at the immediate border and within the United States. The Department of Homeland Security, of which ICE is part, has significantly increased the number of mobile device searches at the border. These mobile device searches include inspections of text messages, private emails, contact lists, photos, and other personal information.

Over the years, ICE has tested various mobile forensics technologies. ICE has contracts with a firm called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. This retrieval process poses grave privacy risks and is conducted without a warrant. When the DHS released a privacy impact assessment in 2009 pertaining to border searches, the assessment failed to address the privacy implications of retrieving personal data from cloud-based services through mobile devices.

Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. In Congress, Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border.

4. EPIC Sues to Enforce Transparency Obligations of FAA's Drone Advisory Committee

EPIC has filed suit to enforce the open government obligations of the Drone Advisory Committee, an industry-dominated committee that advises the Federal Aviation Administration on U.S. drone policy.

For over a year, the Committee has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones, even after the Committee identified privacy as a top public concern. And despite the imminent threat that drones pose to the privacy rights of millions of Americans, the few Committee records that are public reveal a near-total failure to consider the privacy implications of drones and drone surveillance.

EPIC's suit, brought under the Federal Advisory Committee Act, would force the DAC to open its subcommittee meetings and release its records so that the public can understand the nature, content, and origins of the drone policy advice that the FAA relies on. EPIC also aims to determine how, if at all, the DAC has addressed the privacy effects of mass drone deployment.

EPIC has a long history of promoting government transparency and raising public awareness of the privacy risks of drones. In 2012, EPIC filed a petition—joined by over 100 organizations, experts, and members of the public—demanding that the FAA issue privacy regulations. EPIC has also filed suit to establish privacy protections against drones, a case which is pending before the D.C. Circuit Court of Appeals (EPIC v. FAA, No. 16-1297).

5. D.C. Circuit Won't Fix Deeply Flawed Ruling in EPIC’s Case Against Presidential Election Commission

The D.C. Circuit Court of Appeals has refused to void an earlier ruling in EPIC's case to halt the collection of state voter data by the Presidential Election Commission. Although the Commission was disbanded in January, last year's decision by a three-judge panel of the D.C. Circuit remains on the books. The panel wrongly held that EPIC, a privacy and open government organization, did not have "standing" to challenge the Commission's failure to conduct and publish a Privacy Impact Assessment (PIA).

The E-Government Act requires agencies to produce a Privacy Impact Assessment "before initiating a new collection of information" and to make the PIA publicly available. Although the Commission sought to collect highly sensitive voter data on tens of millions of Americans, the court refused to order the Commission to conduct a privacy assessment.

The Commission's sudden demise unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. The panel's decision, which contradicts U.S. Supreme Court precedent, is now eligible for review by the high court.

EPIC's lawsuit previously led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission's efforts to collect state voter data. The case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.).

News in Brief

EPIC Tells Senate Finance Committee: Support Release of Trump Tax Records

In advance of a hearing regarding challenges facing the IRS, EPIC sent a statement to the Senate Finance Committee urging the release of President Trump's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC recently filed the opening brief in the case before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS."

EPIC Sues AccuWeather for Deceptively Tracking Consumers

EPIC has filed a consumer protection lawsuit against AccuWeather for deceptively tracking the location of subscribers who downloaded the company's app. In papers filed in the District of Columbia, EPIC charged that AccuWeather tracked consumers even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to third-party advertisers. EPIC alleges that these practices violate the District of Columbia Consumer Protection Procedures Act. EPIC has long advocated for the privacy of location data. EPIC filed a "friend of the court" brief with the U.S. Supreme Court in a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber's tracking of subscribers. EPIC also opposed Apple's tracking of iPhone users. EPIC maintains detailed webpages on location privacy.

EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition

EPIC and a coalition of consumer groups have filed a complaint with the FTC charging that Facebook's use of facial recognition techniques threatens user privacy and "in multiple ways" violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last month the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011, EPIC and consumer groups urged the FTC to investigate Facebook's facial recognition practices. In 2012, EPIC advised the FTC, "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said recently, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation."

EPIC Comments to UN Highlight Privacy Flaws in US Surveillance, Consumer Protection

EPIC has submitted input to the UN Office of the High Commissioner for Human Rights for an upcoming report on the right to privacy in the digital age. The OHCHR is soliciting information for a report to the Human Rights Council on the right to privacy around the world. EPIC's comments detail shortcomings in U.S. privacy law, including the CLOUD Act, the reauthorization of FISA Section 702, and the FTC's failure to enforce consumer privacy guarantees. EPIC also highlighted the need for the Special Rapporteur on Privacy to promote fundamental privacy rights, particularly Article 12 of the Universal Declaration of Human Rights.

EPIC Provides U.S. Report for Privacy Experts Meeting

EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the International Working Group on Data Protection. The Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the ongoing investigation of Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative proposals on Artificial Intelligence, and more. The 64th meeting of the IWG will take place in Queenstown, New Zealand on November 29–30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

Safety Commission Responds to EPIC's Google Home Mini Complaint

The Consumer Product Safety Commission has responded to a complaint from EPIC and a coalition of consumer groups urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without consumers' knowledge or consent. The groups explained that "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In its response, the Safety Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing," and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers.

FTC Strengthens Penalties Against Uber for Covering Up Data Breach

The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public.

European Court of Justice Receives Key Questions on Future of EU-U.S. Personal Data Transfers

The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the U.S. had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses," whether the U.S. provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-U.S. "Privacy Shield" matters. EPIC was designated the U.S. NGO amicus curiae in this case and provided a detailed assessment of U.S. privacy law.

Congress Launches Caucus on Artificial Intelligence

Congressional leaders have announced the establishment of the Congressional Artificial Intelligence Caucus. The Caucus will bring together experts from academia, government, and the private sector to inform policymakers of the technological, economic, and social impacts of advances in AI. The Congressional AI Caucus is bipartisan and co-chaired by Congressmen John Delaney (D-MD) and Pete Olson (R-TX). This is one of several initiatives in Congress to pursue AI policy objectives. Rep. Delaney introduced the FUTURE of Artificial Intelligence Act (H.R. 4625), and Rep. Elise Stefanik (R-NY) introduced a bill (H.R. 5356) that would create the National Security Commission on AI. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the growth of opaque and unaccountable techniques in automated decision-making.

French President: Algorithmic Transparency Key to National AI Strategy

French President Emmanuel Macron has expressed support for "Algorithmic transparency" as a core democratic principle. In an interview with Wired magazine, President Macron said that algorithms deployed by the French government and companies that receive public funding will be open and transparent. President Macron emphasized, "I have to be confident for my people that there is no bias, at least no unfair bias, in this algorithm." President Macron's statement echoed similar comments in 2016 by German Chancellor Angela Merkel, who said "These algorithms, when they are not transparent, can lead to a distortion of our perception, they narrow our breadth of information." EPIC has a longstanding campaign to promote transparency and to end secret profiling. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. In recent comments to UNESCO, EPIC highlighted the risks of secret profiling, content filtering, skewing of search results, and adverse decision-making based on opaque algorithms.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Data and Democracy: Responding to the Cambridge Analytica Facebook Data Scandal
April 19, 2018
Sam Lester, EPIC Consumer Privacy Fellow
Gelman Library, George Washington University
Washington, DC

NIST Smart Grid Advisory Committee Meeting
April 24–25, 2018
Christine Bannan, EPIC Administrative Law and Policy Fellow
Washington, DC

Techonomy NYC
May 8-9, 2018
Marc Rotenberg, EPIC President
New York, NY

May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

OECD Global Forum on Digital Security for Prosperity
May 15-16, 2018
Marc Rotenberg, EPIC President
OECD Directorate for Science, Technology and Innovation
Paris, France

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17–18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
Honoring Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann
June 6, 2018
National Press Club
Washington, DC

The American Colossus: The Best of Times and the Worst of Times?
Yale CEO Conference
June 13, 2018
Marc Rotenberg, EPIC President
New York Public Library
New York, NY

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection
August 13–15, 2018
Marc Rotenberg, EPIC President
Aspen, CO
