EPIC Alert 25.08

1. EPIC Obtains Partial 2017 Facebook Audit, Sues FTC for Full Audits

EPIC has filed a Freedom of Information Act lawsuit against the Federal Trade Commission to obtain the full release of the Facebook Assessments required by a 2012 FTC Consent Order. In 2011, the FTC launched an extensive investigation into Facebook's policies and practices in response to a complaint from EPIC and consumer privacy organizations. The FTC reached a settlement with Facebook over deceptive privacy claims and issued the consent order, which requires biennial assessments of Facebook's privacy and security practices by a third-party auditor.

In March, EPIC filed a FOIA request for the 2013, 2015, and 2017 Facebook Assessments. Though the agency failed to fulfill EPIC's request by the required deadline, EPIC later obtained a heavily redacted version of the 2017 Facebook Assessment. EPIC is now suing for the release of the unredacted 2013, 2015, and 2017 reports.

In addition to requiring biennial assessments, the 2012 FTC Consent Order bars Facebook from making any future misrepresentations about the privacy and security of a user's personal information; requires Facebook to establish a comprehensive privacy program; requires Facebook to remove user information within thirty days after a user deletes their account; and requires Facebook to obtain a user's express consent before enacting changes in its data sharing methods.

The 2017 Facebook Assessment, prepared by PricewaterhouseCoopers, states that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. Most of the details supporting this assessment were heavily redacted.

The 2017 Facebook Assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users without the users' consent. This transfer of data is one of the largest unlawful data transfers in Facebook's history. The FTC, various state Attorneys General, and lawmakers in other countries have opened investigations into the Cambridge Analytica scandal. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018).

2. EPIC Urges Congress to Require Algorithmic Transparency for Dominant Internet Firms

EPIC sent a statement to the House Judiciary Committee last week in advance of a hearing about social media filtering practices and their effects on free speech. EPIC's statement, which called for "algorithmic transparency" for the content that users see online, was entered into the record by Chairman Goodlatte.

EPIC told the Committee that algorithmic transparency helps users evaluate what they see on social media by identifying biased targeting, information-mediating techniques, and anticompetitive content indexing. EPIC explained that "transparency safeguards the cultural diversity of the Internet by upholding the exercise of free expression and ensures an open web where ideas can be exchanged without the domination of one particular viewpoint favored by a firm, reflected in the algorithms it has deployed."

EPIC also emphasized that algorithmic transparency can deter the manipulation of search results that would otherwise distort access to information on the Internet. A platform choosing to favor its own products above those of a competitor would be difficult to detect without a requirement that the platform disclose the basis of its search rankings. EPIC's statement concluded that "algorithmic transparency is necessary to police anti-competitive conduct by dominant platforms."

In 2011, EPIC sent a letter to the FTC warning that Google's acquisition of YouTube had led to a skewing of search results. As EPIC explained, Google substituted its secret "relevance" ranking for YouTube's original objective ranking, which had been based on hits and ratings. The FTC took no action on EPIC's complaint. But in 2017, following a seven-year investigation, the European Commission found that Google had rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to remove this preference and to stop disadvantaging competitors and consumers. EPIC's 2011 letter was also entered into the record by Chairman Goodlatte.

Internationally, EPIC has submitted comments to UNESCO to recognize algorithmic transparency as an internet universality indicator. EPIC recently participated in a public consultation by the UK Information Commissioner's Office and called for algorithmic transparency in privacy impact assessments.

3. Tax Day: EPIC Files Second Lawsuit to Obtain Trump Tax Records

EPIC has filed a second Freedom of Information Act lawsuit to obtain President Trump's tax records. EPIC is seeking information about IRS settlements involving the President and his businesses—information which the agency is required to disclose to the public upon request. President Trump was the first major party presidential candidate in 40 years not to make his returns available for public review.

The IRS stated in February that it would fulfill EPIC's FOIA request, marking the first time—to EPIC's knowledge—that the agency has agreed to process a third-party FOIA request for the President's tax information. However, the IRS has failed to release any records to date.

"If the Freedom of Information Act means anything, it means that the American public has the right to know whether records exist in the possession of a federal agency which reveal that the President of the United States has financial dealings with a foreign adversary," EPIC wrote in the complaint. "The public urgently requires as much information about President Trump's finances as the IRS can lawfully release."

EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. For example, President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, No. 17-5225, is now pending before the D.C. Circuit Court of Appeals.

EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyberattack) and EPIC v. DHS (election cybersecurity).

4. EPIC Tells Congress to Consider Census Privacy Risks

In advance of a hearing on the Census Bureau, EPIC told Congress to consider the privacy issues arising from potential misuse of Census Data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC warned the House Appropriations Committee that "it is of utmost importance that individual privacy is respected. Every effort must be taken to ensure that the personal information of individuals and that census data is not used improperly."

The U.S. Constitution requires the government to conduct a census of all individuals in the country every ten years. But Census data has been used in the past to discriminate. During World War II, the Census Bureau provided information to the War Department that led to the internment of 120,000 innocent Japanese Americans.

After 9/11, EPIC pursued a Freedom of Information Act request about the potential misuse of data from the 2000 Census. EPIC obtained documents that revealed that the Census Bureau had transferred information to the Department of Homeland Security on individuals of Arab ancestry. As EPIC explained in 2004, "special tabulations were prepared specifically for the law enforcement agency, and do not indicate that similar information about any other ethnic groups was requested." As a consequence of EPIC's FOIA efforts, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau."

In its statement, EPIC urged that "amid rising fears that minority groups may be targeted by law enforcement agencies, your committee should ensure that the data collected by the federal government is not misused." Senator Robert Menendez (D-NJ) has also introduced a bill that would prohibit the Census from including a citizenship question.

EPIC maintains a comprehensive webpage on the U.S. Census, which details its history and the numerous threats to privacy and civil liberties that have arisen from the misuse of Census Data over the years.

5. EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens

EPIC sent a statement to the House Homeland Security Committee last week ahead of a hearing with the Commissioner of Customs and Border Protection (CBP). EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at U.S. airports and the use of drones at the border.

EPIC described the growing use of facial recognition that captures the images of U.S. travelers. The use of facial recognition at the border has real consequences for both U.S. citizens and non-U.S. persons. All travelers entering the U.S., including U.S. passport holders, can be subject to this intrusive screening technique. EPIC has filed a lawsuit to obtain documents to determine if there are proper privacy safeguards in place for the collection of biometric information at U.S. airports.

EPIC also pointed to a recent study that found racial disparities in facial recognition. The MIT study found that the error rate in face recognition software for dark-skinned females was 20.8%-34.7%, while the error rate for light-skinned males was 0.0%-0.3%. If facial recognition as a form of identification discriminates against persons of color in ways that other forms of identification do not, there is a substantial civil rights concern.

Meanwhile, CBP is deploying aerial drones with facial recognition technology at the border. The use of drones for border security threatens to place U.S. citizens living near the border under constant surveillance by the government. EPIC told the Committee that any authorization granted to CBP to conduct surveillance at the border must demand compliance with federal privacy laws and regulations concerning surveillance tools.

EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.

News in Brief

EPIC, Coalition Condemn Russia Ban on Encrypted Messaging App

EPIC joined dozens of human rights organizations condemning Russia's attempt to block encrypted messaging app Telegram. In an open letter, the coalition states Russia's attempts to block the app have "resulted in extensive violations of freedom of expression and access to information, including mass collateral website blocking." The groups call on international organizations and governments to challenge Russia's actions, and on tech companies to resist government attempts to compromise fundamental rights. EPIC has historically campaigned in support of strong encryption. In April 1994, EPIC initiated the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA.

EPIC, Coalition Urge Ethics Board to Prevent the Use of Facial Recognition on Body Cameras

In a letter to Axon's Artificial Intelligence Ethics Board, EPIC and a coalition of civil rights and civil liberties groups called upon the Board to prevent Axon, the largest provider of police body cameras, from implementing real-time facial recognition. The letter states that "real-time facial recognition would chill the constitutional freedoms of speech and association." In 2015, EPIC forewarned that body cameras implemented for police accountability "could easily become a system of mass surveillance." EPIC also highlighted at the time that "the benefits of body cameras as a tool of police accountability have not been established." Last year, the largest study to date of police body cameras concluded that the cameras had no impact on police use of force and civilian complaints.

EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions

EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."

EPIC to House Committee: Require Transparency for Government Use of AI

In advance of a hearing on "Game Changers: Artificial Intelligence Part III, Artificial Intelligence and Public Policy," EPIC told the House Oversight Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC also said that Congress should amend the E-Government Act to require disclosure of the logic of algorithms that profile individuals. EPIC made similar comments to the UK Privacy Commissioner on issues facing the EU under the GDPR. A recent GAO report explored challenges with AI, including the risk that machine-learning algorithms may not comply with legal requirements or ethical norms. EPIC has pursued several criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency.

EPIC Supports Additional Regulation of Robocalls

In advance of a hearing on "Abusive Robocalls and How We Can Stop Them" EPIC recommended reforms that would combat fraud while protecting privacy. EPIC supports regulations that would (1) allow phone providers to proactively block numbers that are unassigned, unallocated, or invalid; (2) block invalid numbers without requiring consumer consent; (3) provide strong security measures for any database of blocked numbers; and (4) prohibit spoofing with the intent to defraud or cause harm. EPIC played a leading role in the creation of the Telephone Consumer Protection Act and continues to defend the Act.

EPIC to House Oversight Committee: Support Release of Trump Tax Records

In advance of a hearing regarding IRS oversight, EPIC sent a statement to a House committee urging the release of President Trump's tax returns. As EPIC explained, "candidates for the Presidency have routinely released tax record information to the American public. Mr. Trump broke with that tradition even though he pledged to make this information publicly available." As a consequence, EPIC brought a FOIA suit for the release of the President's tax returns. EPIC recently filed the opening brief in EPIC v. IRS, now before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC explained to the Court and to Congress, "there has never been a more compelling FOIA request presented to the IRS."

EPIC Urges Secretary of State to Support International Privacy Convention

EPIC submitted a statement following the Senate nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the International Privacy Convention. Privacy experts and advocates have also called for adoption of the Madrid Privacy Declaration, a comprehensive framework for data protection.

EPIC to UK Privacy Commissioner: Data Protection Assessments Require Algorithmic Transparency

EPIC has submitted extensive comments on proposed guidance for Data Protection Impact Assessments. The new European Union privacy law, the "GDPR," requires organizations to carefully assess the collection and use of personal data. In comments to the UK privacy commissioner, EPIC said that disclosure of the technique for decision making is a core requirement for Data Protection Impact Assessments. EPIC supports "Algorithmic Transparency." EPIC has pursued criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. EPIC has warned Congress of the risks of "citizen scoring."

EPIC Pursues Privacy Impact Assessments for DHS Database of Journalists

EPIC has submitted a Freedom of Information Act request to the Department of Homeland Security seeking Privacy Impact Assessments and other records related to the solicitation for "media monitoring services." The DHS posted a solicitation to compile a database of journalists and "media influencers," including bloggers and social media influencers. The DHS is seeking to identify journalists based on their beat, publication, contact information, and articles published. Agency officials plan to search lists and analyze news coverage. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that contains personally identifiable information. In a prior FOIA lawsuit, EPIC obtained Privacy Impact Assessments from the FBI that were not publicly available. And in EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.

U.S. Courts Release 2017 FISA Report

The Administrative Office of the U.S. Courts has issued the 2017 report on activities of the Foreign Intelligence Surveillance Court. Scrutiny of FISA applications increased substantially in 2017. The 2017 FISA report reveals that there were 1,614 FISA applications in 2017, of which 1,147 were granted, 391 were modified, 50 were denied in part, and 26 were denied in full. As compared to 2016, the FISA court denied nearly two times as many applications in part, and denied nearly three times as many applications in full. EPIC testified before Congress in 2012 on the need to improve review of FISA applications. In recent comments on US surveillance authority, EPIC noted the reauthorization of 702 spying authorities without sufficient safeguards.

Senator Blumenthal Calls On FTC To Enforce Consent Order Against Facebook

Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC and a coalition of consumer groups obtained after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway.

Latin American Consumer Groups Urge Facebook to Comply with GDPR in All Countries

A coalition of 14 consumer groups in Latin America has sent a letter to Facebook CEO Mark Zuckerberg, urging him to comply with the EU General Data Protection Regulation (GDPR) at a global level. The groups wrote, "The GDPR provides a solid foundation for the protection of personal data: it establishes clear responsibilities for companies that collect and process personal data and provides data subjects, Facebook users whose data your company collects and processes, with clear rights. These are protections that all users should be entitled to, regardless of where they are located." Earlier this month, the Transatlantic Consumer Dialogue (TACD), a coalition of consumer groups in North America and Europe, also sent a letter to Facebook advocating for the GDPR to be implemented as a baseline standard of data protection for all users.

Supreme Court Vacates Microsoft Email Privacy Case

The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standards should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections."

EU Privacy Officials Back Strong Crypto

The Article 29 Working Party has released a statement on encryption policy. The Working Party stated "strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy." The Working Party found that "backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens." The Working Party is a group of leading privacy officials in the European Union that often issues reports and opinions on emerging privacy issues. Under the GDPR, the Working Party will become the European Data Protection Board with new legal authorities. Communications services with escrow encryption, and other similar techniques, could be prohibited under the GDPR. EPIC began in April 1994 with the first internet petition, the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Countering Innovative Repression: Challenges, responsibilities, and opportunities
April 30, 2018
Marc Rotenberg, EPIC President
Civil Rights Defenders
Embassy of Sweden
Washington, DC

Facebook, Cambridge Analytica, and the Future of Consumer Privacy in America
May 8, 2018
Alan Butler, EPIC Senior Counsel
ABA CRSJ Committee on Privacy and Information Protection

Techonomy NYC
May 8-9, 2018
Marc Rotenberg, EPIC President
New York, NY

May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

OECD Global Forum on Digital Security for Prosperity
May 15-16, 2018
Marc Rotenberg, EPIC President
OECD Directorate for Science, Technology and Innovation
Paris, France

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17-18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
Honoring Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann
June 6, 2018
National Press Club
Washington, DC

The American Colossus: The Best of Times and the Worst of Times?
Yale CEO Conference
June 13, 2018
Marc Rotenberg, EPIC President
New York Public Library
New York, NY

Trans-Atlantic Consumer Dialogue (TACD): Consumer Protection in a Connected World
Panel: "Face-crash: how to reduce the harms of technology"
Sunny Kang, EPIC International Consumer Counsel
June 19, 2018
Brussels, Belgium

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection
August 13-15, 2018
Marc Rotenberg, EPIC President
Aspen, CO
