EPIC Alert 25.10

1. EPIC to D.C. Circuit: Informational Privacy is a Constitutional Right

EPIC recently filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the U.S. Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and their family members.

A lower court dismissed the case, which was brought by the American Federation of Government Employees and the National Treasury Employees Union. On appeal, the D.C. Circuit Court of Appeals is set to determine the scope of the constitutional right to informational privacy and the application of Article III standing doctrine to data breach victims.

In its brief to D.C. Circuit, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." EPIC also noted that "the right to privacy has been broadly adopted in international declarations and enshrined in constitutions in the United States and around the world."

EPIC has long fought to protect the constitutional right to informational privacy and to defend the ability of individuals to seek legal redress after data breaches occur. In the 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. In Doe v. Luzerne County, EPIC argued that the government's surreptitious surveillance of an employee while showering and distribution of naked images on a computer network implicated the right to informational privacy.

2. U.S. and European Consumer Groups Urge Global Compliance with GDPR

The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, has written to ninety-five major internet companies seeking compliance with the EU General Data Protection Regulation (GDPR) as a baseline standard for all users worldwide.

The GDPR, which went into effect on May 25, strengthens data protection under EU law, providing new rights to individuals and new responsibilities for entities handling personal data. The GDPR applies to all entities which process European consumers' personal data and requires them to operate in a transparent and accountable manner.

The TACD Letter, which was signed by EPIC and 27 other groups, calls on some of the largest internet firms and digital advertisers to apply "strong privacy standards" to "everyone who uses online platforms and services no matter where they live." The letter states that "European regulation provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for people whose data is gathered." The letter urges companies to commit to providing GDPR baseline privacy protections globally by June 25, 2018 and to implement these commitments by the beginning of 2019.

Following an earlier TACD letter directed at Facebook and a series of questions from Congress, Mark Zuckerberg said Facebook would apply GDPR protections in all jurisdictions. The Transatlantic Consumer Dialogue was established in 1998 and works to promote consumer interests in EU and U.S. policy making.

3. In Congressional Testimony, EPIC Calls for Privacy Safeguards for Social Security Number

EPIC Consumer Privacy Counsel Sam Lester testified recently before the House Ways and Means Committee at a hearing on "Securing Americans' Identities: The Future of the Social Security Number." Lester laid out a series of steps that Congress can take to protect the privacy of the Social Security Number.

In particular, EPIC's Lester urged Congress to: (1) prohibit the use of the SSN in the private sector without explicit legal authorization; (2) prohibit companies from compelling consumers to disclose their SSN as a condition of sale or service unless there is a statutory basis for the request; and (3) promote technological innovations that enable the development of context-specific identifiers. Lester also warned Congress not to create a national biometric identifier, which would raise serious privacy and civil liberties concerns.

EPIC's Lester emphasized that "the SSN was never meant to be an all-purpose identifier in the private sector. The fact that the SSN is now so pervasive as both an identifier and an authenticator in both the public and private sector has undoubtedly contributed to the alarming rise in data breaches, identity theft, and financial fraud."

EPIC has repeatedly urged Congress to limit the use of the SSN in the private sector. Earlier this year, EPIC President Marc Rotenberg testified before the House Financial Services Committee that Congress can reduce identity theft by limiting industry's reliance on the SSN. And in October 2017, following the Equifax breach, Rotenberg testified before the Senate Banking Committee that "the unregulated use of the Social Security Number in the private sector has contributed to record levels of identity theft and financial fraud." In 2015, EPIC testified before the Senate on the risks of SSNs on Medicare Cards. In 2017, Medicare finally announced that it would remove SSNs from ID cards. EPIC also maintains an archive of information about the SSN online.

4. EPIC Urges FEC to Pass Stronger Transparency Rules for Political Ads

EPIC recently submitted comments on the Federal Election Commission's (FEC) proposed rules for political ads on the internet. The FEC proposed two alternative rules, one which would hold internet companies to the same standard as traditional media companies and the other which would make exceptions for online ads. As EPIC explained, "FEC rules should be technology-neutral and consistent across media platforms." EPIC emphasized that the disclosures must be accessible by all recipients of the communication, including those using mobile devices.

EPIC opposes exceptions to the disclaimer requirements that would allow an advertiser to conceal the funder of an ad if disclosure would be too "burdensome" due to the size or format. EPIC argued that "as companies innovate new forms of advertising, they should also be innovating new forms of disclosure." As EPIC explained, there is no exception for broadcast, radio, or print ads, and there should not be one for online ads. The FEC will hold a hearing on the proposed rules on June 27, 2018.

EPIC also urged the FEC to enact rules that go further in promoting transparency, arguing that the potential for online ads to be micro-targeted requires greater scrutiny from the FEC. EPIC recommended that the FEC adopt algorithmic transparency rules, which would require advertisers to disclose the demographic factors used to target political ads, to identify the sources and payments behind such ads, and to maintain a public directory of advertiser data. Users should have the ability to know why they were targeted by a particular ad and who targeted them.

EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. EPIC submitted comments to the FEC last fall urging the Commission to begin this rulemaking process.

5. EPIC Testifies Before Safety Commission on IoT Privacy Hazards

EPIC recently testified before the U.S. Consumer Product Safety Commission (CPSC) at the hearing on "The Internet of Things and Consumer Product Hazards." The public hearing was held to inform the Commission's work on safety risks and hazards associated with internet-connected consumer products. EPIC urged the Commission to focus on privacy and security issues that are integral to consumer safety.

EPIC International Consumer Counsel Sunny Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products," yet "current safety regulations are outdated and inadequate to address these risks." EPIC advised the CPSC that manufacturers must ensure the privacy and security of their products—a burden that should not shift to the consumers.

EPIC also recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. These rules include obligations on IoT manufacturers to "securely store credentials and security-sensitive data" and to "make it easy for consumers to delete personal data." EPIC's Kang also urged the Commission to issue guidance on "privacy by design" that would eliminate hazardous conditions designed into products and minimize personal data collection by IoT devices.

EPIC has a long history of protecting consumer privacy with respect to IoT. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini for a design defect that allowed the device to always record conversations without the knowledge or consent of the consumer. Last year, EPIC filed a consumer complaint with the Federal Trade Commission (FTC) on "Toys that Spy," calling attention to the privacy risks of Internet-connected toys that record and analyze what children say to them. EPIC has also advised the FTC on the privacy implications of IoT and recommended regulatory oversight for transparency in the design and operation of Internet-connected devices.

News in Brief

Council of Europe Modernizes International Privacy Convention

The Council of Europe has updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including algorithmic transparency. EPIC and consumer coalitions have urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore.

EPIC Urges Appeals Court to Deny Immunity for Dating App That Ignores Egregious Abuse

EPIC has filed an amicus brief in a case about whether a dating app should be liable for failing to remove false profiles, including name and likeness, that posed a danger to personal safety. In Herrick v. Grindr, LLC, EPIC told the Second Circuit Court of Appeals that Section 230, a provision in the Communications Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC emphasized that a lower court opinion "would not advance the speech-promoting policy of the statute." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if Internet services are not accountable for harassment and abuse. EPIC frequently participates as amicus curiae in cases concerning emerging privacy and civil liberties issues, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN.

EPIC's Spotlight on Surveillance: Social Media Monitoring

In 2011, EPIC uncovered the first government program to monitor social media. EPIC v. DHS revealed that a government agency was tracking posts on social media to identify critics of government. Last week, EPIC released a new report on the recent developments in government media monitoring. The report follows a case filed by EPIC concerning a new DHS program for "Media Monitoring Services." The report explores different media monitoring systems and points to the absence of effective controls. EPIC's Spotlight on Surveillance also highlights the privacy and civil liberties risks, including chilling free speech, discrimination, unreliability, and misattribution. EPIC's Spotlight on Surveillance project explores the privacy and civil liberties implications of surveillance programs in the United States. EPIC has previously released reports on drones, the FBI's Next Generation Identification program, and "enhanced" driver's licenses.

EPIC, Coalition Urge Compliance With Freedom Act Transparency Requirements

EPIC and a coalition of privacy and civil liberties groups urged the Office of the Director of National Intelligence to abide by the transparency requirements of the USA FREEDOM Act. The Act ended the NSA's bulk collection of domestic call detail information. The Act also requires the public reporting of the number of unique identifiers gathered under the Foreign Intelligence Surveillance Act. A related letter to the House Judiciary Committee urged the Committee to oversee the reporting requirement. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. Several of EPIC's recommendations were incorporated in the USA FREEDOM Act.

EPIC Sues to Obtain Privacy Impact Assessment for DHS Journalist Database

EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for the Assessment, but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including for a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data.

EPIC FOIA: DHS Collaborated With Presidential Election Commission on Voter Data Collection

EPIC has obtained records under the Freedom of Information Act showing that the Department of Homeland Security communicated frequently with the Presidential Election Commission after EPIC filed a lawsuit to block the Commission's efforts to obtain state voter data. The documents show that DHS officials had numerous communications with Commission staff beginning in July 2018. The records obtained by EPIC also reveal that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission's voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. After EPIC brought suit in July, the Commission suspended the data collection program, discontinued the use of an unsafe computer server, and deleted voter information that was illegally obtained. The Commission was ultimately shut down in January 2018.

EPIC, Coalition Oppose State Department's Plan to Collect Social Media Identifiers of Visa Applicants

EPIC, the Brennan Center and 55 privacy, civil liberties, and civil rights organizations submitted comments opposing the State Department's plan to collect social media identifiers from individuals applying for visas. The coalition warned that the proposal would "undermine First Amendment rights of speech, expression, and association." Social media monitoring raises serious privacy and civil liberties issues. EPIC previously opposed the State Department's expansion of social media collection as well as a similar proposal by the Department of Homeland Security. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media.

EPIC Renews Call for FTC to Stop Secret Scoring of Young Athletes

EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the FTC about the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating," a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. According to EPIC, "the UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens." EPIC pointed to objective, provable, and transparent rating systems such as ELO as far preferable. EPIC has championed "Algorithmic Transparency" as a fundamental human right. Last month, the Council of Europe adopted the modernized Privacy Convention that establishes a legal right for individuals to obtain "knowledge of the reasoning" for the processing of personal data.

After EPIC Obtains FBI Victim Notification Procedures, Court Rules for Bureau

After EPIC obtained the FBI cyberattack victim notification procedures in the Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining the FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to an Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity).

EPIC Urges Congress to Regulate the Internet of Things

In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. In May, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars."

EPIC Renews Call for FTC to Stop Samsung's Surveillance of the Home

EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Samsung's "always on" SmartTV, which surreptitiously records consumers' private conversations and transmits their unencrypted voice recordings to third parties. EPIC also warned the FTC that "Samsung is now collecting viewing data from consumers," a practice the FTC found unlawful in a recent settlement with VIZIO. EPIC originally filed this complaint with the FTC on February 24, 2015, but the Commission took no action. EPIC routinely files complaints with the FTC. EPIC's complaints against Uber, Facebook and Google all led to FTC settlements with the companies. In May, EPIC renewed its complaint against Google for tracking consumers' in-store purchases.

Amazon Echo Secretly Recorded and Disclosed User's Private Conversation

"Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously recorded users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.

FBI Overstated Number of Encrypted Devices it Could Not Access Last Year

According to the Washington Post, the FBI "provided grossly inflated statistics to Congress and the public" about the number of encrypted cellphones inaccessible to law enforcement. The FBI stated it was locked out of 7,800 devices, but a subsequent review suggested the actual number is about 1,200. EPIC President Marc Rotenberg told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." According to the federal wiretap reports, in 2016 a total of 68 federal wiretaps were reported as being encrypted, of which 53 could not be decrypted. In a 2016 debate before the American Bar Association, former FBI Director James Comey said the FBI was locked out of about 650 phones. Rotenberg countered that 3.1 million phones were stolen or lost in a year and subject to misuse without strong encryption.

Congressional Leaders Reintroduce Bipartisan Bill to Protect Children's Online Privacy

Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy".

CPDP 2019 Conference 'Data Protection and Democracy': Call for Panels

The 12th international conference on Computers, Privacy and Data Protection will take place in Brussels, January 30 to February 1, 2019. The theme of the conference is "Data Protection and Democracy." CPDP is seeking panel proposals from academic consortia, research projects, think tanks and other research organizations. The deadline is June 21, 2018. CPDP2018 offered 85 panel sessions with 420 international speakers from academia, public and private sectors and civil society. More than 1,000 people from 55 countries attended CPDP2018. EPIC is an event sponsor of CPDP and will present the 2019 International Champion of Freedom Award on January 30, 2019.

ICE Abandons 'Extreme Vetting' Software to Screen Visa Applicants

Immigration and Customs Enforcement has dropped a plan to use machine learning software to determine if a visa applicant might commit a crime or terrorist act. Last year, EPIC joined over 50 privacy, civil liberties, and civil rights groups to oppose the plan, stating that the "initiative was tailor-made for discrimination." EPIC has pursued several FOIA cases to uncover the use of secret algorithms by government agencies to score people, including EPIC v. CBP about the "Analytical Framework for Intelligence" that generated secret "risk assessments" on US travelers. In testimony for the 9-11 Commission, EPIC warned that "the use of information technology to identify individuals that may pose a specific threat to the United States" is a "complex problem [that] necessarily involves subjective judgments."

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Policy Panel: The Future of Privacy in America After GDPR, June 6, 2018, National Press Club, Washington, DC

2018 EPIC Champions of Freedom Awards Dinner, Honoring Supreme Court Justice Ruth Bader Ginsburg, Maine Secretary of State Matthew Dunlap, California Secretary of State Alex Padilla, and Dr. Peter G. Neumann, June 6, 2018, National Press Club, Washington, DC

ABA Webinar: FISA Section 702 Reauthorization, Alan Butler, EPIC Senior Counsel, June 11, 2018

The American Colossus: The Best of Times and the Worst of Times?, Yale CEO Conference, June 13, 2018, Marc Rotenberg, EPIC President, New York Public Library, New York, NY

Trans-Atlantic Consumer Dialogue (TACD): Consumer Protection in a Connected World, Panel: "Face-crash: how to reduce the harms of technology," Sunny Kang, EPIC International Consumer Counsel, June 19, 2018, Brussels, Belgium

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection, August 13–15, 2018, Marc Rotenberg, EPIC President, Aspen, CO
