EPIC Alert 25.11

1. EPIC Urges Congress to Examine FBI Response to Russian Cyber Attacks

EPIC sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General's First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyber attacks.

According to documents obtained by EPIC last year, the FBI is to notify victims of cyber attacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election.

"It is stunning that the FBI failed to follow its own written procedures, particularly where the cyber attack may have threatened national security," EPIC wrote to the Committee. "And it is vitally important that the American public is fully informed about the extent of Russian interference with the 2016 election." EPIC urged the Committee to ask the FBI whether it did "all it should have done to alert the DNC and the RNC once it learned about cyber attacks" and whether the agency will "comply with government transparency laws and inform the public of the details of Russia's attempts to influence the outcome of a U.S. presidential election."

EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit. EPIC's Project on Democracy and Cybersecurity seeks to safeguard democratic institutions from various forms of cyber attack. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity).

2. EPIC FOIA: EPIC Obtains Documents About Decision to Add Census Citizenship Question

Through a Freedom of Information Act request, EPIC has obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross while deciding to add a citizenship question to the 2020 Census.

Following a request from the Department of Justice last December, the Census Bureau announced that it would ask about citizenship status for the first time in over 50 years. The Department of Justice stated that adding the question was "critical" to enforcing Section 2 of the Voting Rights Act, a law that prohibits voting practices or procedures that discriminate against minorities. The documents obtained by EPIC, and others who made similar requests, reflect varying opinions from lawmakers, scientists, and immigration groups about the proposal.

The documents reveal, among other things, that Kansas Secretary of State Kris Kobach urged Secretary Ross to add the citizenship question "on the direction of Steve Bannon." Mr. Kobach, who served as Vice Chair of the defunct Presidential Advisory Commission on Election Integrity, stated that the lack of a citizenship question "leads to the problem that aliens who do not actually 'reside' in the United States are still counted for congressional apportionment purposes."

According to an analysis conducted by the Census Bureau for Secretary Ross, the impact of asking about citizenship would be "very costly, harms the quality of the census count, and would use substantially less accurate citizenship data than are available" from other government resources. The analysis stated that the addition of the citizenship question could lead to misreporting or non-responsiveness and projected that the addition of the question would increase nonresponse follow-up costs by at least $27.5 million.

In a FOIA case against DHS, EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9/11. As a consequence of EPIC's FOIA case against the DHS, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies.

3. EPIC Advises Safety Commission to Regulate Privacy and Security of IoT Devices

EPIC recently submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) enhance transparency and user access to data, (3) conduct privacy impact assessments, and (4) implement Privacy Enhancing Techniques.

EPIC explained that unsecured devices can expose consumers' personal information to malicious hackers and that unsecured connections to devices can cause botnet attacks on individuals and communities. Compromised devices often work fine, so most owners of devices that have been pulled into the "botnet of things" will have no idea that their IP cameras, DVRs, and home routers are no longer under their own control. IoT manufacturers are not incentivized to implement strong privacy and security safeguards through voluntary initiatives. Therefore, EPIC advocated for mandatory security standards based on the UK government's recent report.

The Federal Trade Commission also submitted comments to the CPSC. The FTC recommended that the CPSC require manufacturers to make their security standards public so that the FTC can take action against companies that misrepresent their security practices in their certifications. It is unusual for an agency to comment in response to another agency's request for public comments.

Last fall, EPIC led a coalition of consumer groups that submitted a complaint to the CPSC about the Google Home Mini, urging the Commission to recall the device because a defect caused it to record user conversations without their consent or knowledge. EPIC also testified before the CPSC, calling out the agency for its reluctance to address the privacy and security challenges of IoT. EPIC recently told Congress that "CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream."

4. EPIC to House Committee: The 'Digital Advertising Ecosystem' Is Not Healthy

EPIC submitted a statement to the House Energy and Commerce Committee last week for a hearing titled "Understanding the Digital Advertising Ecosystem." EPIC told the Committee that the "'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable."

EPIC highlighted how the gathering of personal data has eliminated traditional revenue sources for journalism, allowing two firms–Google and Facebook–to dominate the digital advertising market through invasive tracking and profiling of consumers. As the Boston Globe recently explained, "[o]nce the lifeblood of a vital free press, and later of a vast array of independent sites serving every possible interest, ad dollars increasingly flow to two tech giants that organize information produced at other people's expense."

During the hearing, Representative Debbie Dingell (D-MI) warned of the potential consequences of this tracking and profiling. Rep. Dingell noted how she began seeing targeted advertisements for drug rehab facilities after doing opioid research. As Dingell explained, "that's the kind of data that's being collected, and then a potential employer can buy that from somebody."

EPIC has long called attention to the problem of increasing concentration in the digital advertising industry. In 2000, EPIC opposed Doubleclick's acquisition of Abacus, a firm that collected detailed information of Internet users' offline purchases. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. Last week, EPIC President Marc Rotenberg participated in a panel discussion on the effect of digital advertising monopolies on the free press at an event hosted by the Open Markets Institute entitled "Breaking the News: Free Speech & Democracy in the Age of Platform Monopoly."

5. Sec. Dunlap, Sec. Padilla, Dr. Neumann, and Dr. Perrin Receive EPIC Award

At the National Press Club in Washington, DC, EPIC presented the 2018 Champion of Freedom Awards to Maine Secretary of State Matthew Dunlap and California Secretary of State Alex Padilla for their defense of the privacy of state voter records. Secretary Dunlap and Secretary Padilla successfully opposed the efforts of the Presidential Advisory Commission on Election Integrity to obtain voter data on state residents. The inscription on the award read "Guardian of privacy and democratic institutions."

Dr. Peter Neumann received the 2018 EPIC Lifetime Achievement Award for his work on computer-related risk. As a computer science researcher, he worked on the Multics operating system in the 1960s and founded the Association of Computing Machinery's Special Interest Group on Software Engineering, a forum for computing professionals from all different backgrounds to examine new research in software engineering.

Dr. Stephanie Perrin received the 2018 EPIC Privacy Champion Award for her work on WHOIS privacy. She is currently the Director of Integrity Policy and Risk Management, Integrity Branch, Service Canada; and formerly the Director of Research and Policy at the Office of the Privacy Commission of Canada. Dr. Perrin also served as the first Chief Privacy Officer in Canada. Dr. Perrin was instrumental in developing Canada's privacy and cryptography policies for almost two decades.

The EPIC Champion of Freedom Awards are presented annually to individuals who defend democratic values with courage and integrity. Previous recipients include Senator Patrick Leahy, Judge Pat Wald, Tim Cook, and Garry Kasparov. The EPIC awards event was preceded by a policy panel on the GDPR with FTC Commissioner Rohit Chopra and leading experts in data protection and privacy law.

News in Brief

EPIC Pursues Privacy Impact Assessments for Proposed DHS Biometric Database

EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015, a breach at the Office of Personnel Management compromised 22 million records, including 5 million digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.

EPIC Advises FCC on Robocalls Regulation

EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of a recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. EPIC's comments argue that the FCC should require callers to meet three conditions to simplify the revocation of consent: (1) inform consumers of their right to revoke, (2) provide a simple means of revocation, and (3) comply in a timely manner. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC.

EPIC to Senate Committee: Suspend Action on Drone Bill Until Agency Reports Complete

As the Senate Committee on Homeland Security and Government Affairs considers S. 2836, the Preventing Emerging Threats Act of 2018: Countering Malicious Drones, EPIC has sent a statement to the Committee urging that action on the bill be suspended until DHS and other federal agencies establish and publish drone privacy procedures as required by a 2015 Presidential Memorandum. EPIC has brought a series of open government cases against the DHS and the Department of Defense to determine the use of drones by the federal government in the United States. EPIC's cases have determined that drones operated by the DHS intercept private communications, conduct human identification at a distance, and may include military payloads.

EPIC to Senate Commerce: Work with NTIA to Update U.S. Privacy Laws

EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.

EPIC Tells Congress to Consider Census Privacy Risks

In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9/11. As a consequence, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau."

Apple Will Bolster Encryption of Devices, Prevent Apps From Selling Contact Lists

Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.

European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended

Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S., does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.

Court of Appeals Vacates FTC's LabMD Order, Finding It Lacked Specifics

The Court of Appeals for the Eleventh Circuit has vacated an administrative order by the Federal Trade Commission, which required the medical testing company LabMD to implement "reasonable" data security measures, finding that the order was not specific enough to be enforceable. The court explained that the FTC can require companies to implement data security measures as long as it provides specific guidance. EPIC has repeatedly urged the FTC to mandate specific data security requirements in consumer privacy settlements, including in comments on recent settlements with Uber and PayPal. EPIC also submitted an amicus brief in FTC v. Wyndham, a case in which the Third Circuit Court of Appeals upheld the FTC's authority to enforce data security standards.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Trans-Atlantic Consumer Dialogue (TACD): Consumer Protection in a Connected World, Panel: "Face-crash: how to reduce the harms of technology." June 19, 2018. Brussels, Belgium. Sunny Kang, EPIC International Consumer Counsel.

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection. August 13–15, 2018. Aspen, CO. Marc Rotenberg, EPIC President.

Privacy, News, and the Future of Freedom of the Press. September 27-28, 2018. Tulane Law School, New Orleans, LA. Marc Rotenberg, EPIC President.
