EPIC Alert 25.13

1. EPIC Urges Supreme Court to Ensure Fairness of Cy Pres Awards in Class Action Settlements

EPIC has filed an amicus brief in Frank v. Gaos, a case before the U.S. Supreme Court concerning a class action settlement that provided no benefit to Internet users and no change in the business practices of the defendant Google. EPIC said the settlement was not "fair, reasonable, and adequate." The case involves Google's disclosure of Internet users' search histories to third parties without user consent, a business practice that could violate federal and state privacy laws.

Earlier in the same case, EPIC told the district court that "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved that settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests."

In an amicus brief, EPIC urged the Supreme Court to recognize that "cy pres requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members." EPIC also asserted that to be effective, "class action settlements should stop business practices that harm consumers, compensate individuals for injuries suffered and deter future misconduct."

EPIC and several consumer privacy organizations have objected to the proposed settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to compensate class members or change business practices. In 2013, Chief Justice John Roberts wrote that the Court would soon need to address "fundamental concerns" surrounding the use of cy pres in class action settlements. EPIC has proposed an objective basis to evaluate cy pres awards.

2. EPIC Asks FTC and EDPB to Suspend Transfer of Facebook User Data to Social Science One

EPIC has sent a letter to the Federal Trade Commission and the European Data Protection Board urging the suspension of a proposed study that will disclose user data to third parties without their consent. EPIC warned that the Social Science One project transfer likely violates the GDPR, as well as the FTC's 2011 Consent Order with Facebook, which bars Facebook from disclosing data to third parties without users' affirmative consent. Although EPIC fully supports academic research about the effects of social media on democracy and elections, the lack of meaningful consent from users necessitates suspending this study.

Facebook is giving Social Science One "full access" to data on its 2.2 billion users in violation of the GDPR requirement of data minimization. Social Science One describes Facebook's data as "the largest and most comprehensive information base ever used to study social media, and even some of the most extensive data ever used to study human behavior in general."

Social Science One plans to combine post-election surveys (from Mexico, Brazil, United States, and India) with Facebook data to research the effect of social media on elections. As EPIC explained, "Anonymity is a fundamental aspect of voting rights in the U.S. and in many other countries. Matching data on how people voted with their detailed Facebook profiles threatens to undermine that fundamental right."

EPIC told regulators that Facebook's history with researchers indicates a disregard for user privacy and consent. The FTC announced in April that Facebook is under investigation over the transfer of personal data to Cambridge Analytica, a research organization affiliated with a prestigious university. Cambridge Analytica was able to exploit data because Facebook gave improper access to an academic researcher. And in 2012, Facebook conducted a psychological experiment on its users by secretly manipulating their news feeds to examine the effects of social media on user emotions. The study was suspended after objections from EPIC, professional societies, and others. The Guardian reported that the "lack of 'informed consent' means that Facebook experimented on nearly 700,000 news feeds broke rules on tests on human subjects."

3. EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection

EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, a case concerning the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act (BIPA).

Six Flags scanned a child's fingerprint without obtaining written parental consent or disclosing the company's business practices relating to the collection, use, and retention of fingerprint data. The child's mother sued Six Flags, but the lower court ruled that Plaintiff was not an "aggrieved party" for purposes of BIPA because she had not alleged an "actual injury."

On appeal to the Illinois Supreme Court, EPIC explained that the Illinois biometric law imposes "clear responsibilities on companies that collect biometric identifiers" and prohibits collection without (1) disclosure in writing notifying the data subject of the collection, (2) limited retention periods and specific purposes for the data collected, and (3) obtaining a "written release" from the data subject. Six Flags failed to comply with these provisions. EPIC made clear that "collection is the threshold safeguard in privacy law" and that if corresponding provisions are "not enforced, the statute's subsequent provisions are of little consequence."

EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy," which noted that it is unnecessary for theme parks to collect biometric identifiers from guests. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case concerning a breach of 5.1 million fingerprints. In April 2018, EPIC and a coalition of consumer privacy organizations filed a complaint with the Federal Trade Commission, charging that Facebook's facial recognition practices facilitate the collection of biometric data without privacy safeguards and thus violate Facebook's 2011 Consent Order with the Commission.

4. EPIC to Congress: Warrant Should be Required for Searches of Phones at Border

In advance of a hearing last week on "Examining Warrantless Smartphone Searches at the Border," EPIC sent a statement to the Senate Subcommittee on Federal Spending Oversight and Emergency Management urging a warrant requirement for searches of electronic devices at the border.

Searches of cell phones and other electronic devices by border agencies have skyrocketed in recent years. "CBP and ICE are using electronic devices without even reasonable suspicion despite the U.S. Supreme Court having recognized a Constitutionally significant privacy interest in mobile devices," EPIC told the committee. "This practice should be stopped."

EPIC recently filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's warrantless searches of mobile devices. ICE has contracts with mobile forensics company Cellebrite to extract data from mobile devices, including personal data stored in cloud-based accounts, without judicial authority or assistance from the device owner.

Privacy complaints regarding the search of mobile devices at the border continue to increase. The Department of Homeland Security has received nearly 250 complaints since 2011 about warrantless searches of personal devices when crossing the United States border. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced S. 2386, legislation which would restrict border searches of cellphones. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act.

EPIC Advisory Board member Professor Laura Donohue spoke at the hearing. Professor Donohue testified that "[t]he lack of legislation is of particular concern, as it leaves citizens' privacy at the mercy of each agency's regulatory regime." She says, "the time is ripe for Congress to take action."

5. Privacy Concerns Raised with Kavanaugh Nomination to Supreme Court

President Trump's nomination of Judge Brett M. Kavanaugh to the Supreme Court has raised concerns about the future of privacy and Constitutional protections against government surveillance.

As a judge on the D.C. Circuit Court of Appeals, Kavanaugh upheld the NSA's warrantless, widespread, and suspicionless collection of Americans' call records. In that case, Klayman v. Obama, Kavanaugh took the unusual step of writing a concurrence to the D.C. Circuit's per curium order to say that the surveillance program was "entirely consistent with the Fourth Amendment," and that even if it triggered constitutional concerns, it "fit comfortably" in the special needs exception to the Fourth Amendment. "Critical national security need outweighs the impact on privacy occasioned by the program," Kavanaugh wrote. Congress subsequently determined that the data collection activity at issue in Klayman was overly broad and terminated the program in 2015. EPIC had petitioned the Supreme Court in 2013 to halt the program.

Kavanaugh further stated in Klayman that the Government's collection of bulk call data was not considered a search under the Supreme Court's decision in Smith v. Maryland, which held that the Fourth Amendment does not protect records held by third parties (the so-called "third-party doctrine"). The Supreme Court recently held in Carpenter v. United States, however, that the Fourth Amendment does protect mobile location records held by third-party providers. EPIC authored an amicus brief in Carpenter urging the Court to overturn the third-party doctrine because "world has changed since Smith v. Maryland."

In 2010, Kavanaugh wrote a dissent in United States v. Jones, arguing that the D.C. Circuit should have revisited its ruling that the Government needed a warrant to install a GPS device on a suspect's car. Kavanaugh wrote that he would have addressed "the defendant's alternative and narrower property-based Fourth Amendment argument concerning the installation." The Supreme Court ultimately adopted that property-based approach in an opinion authored by Justice Scalia.

EPIC will ask the Senate Judiciary Committee to question Kavanaugh on a wide range of privacy, First Amendment, open government, and consumer protection issues. EPIC has submitted similar statements to the Judiciary Committee for the hearings on Justice Gorsuch, Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts.

News in Brief

EPIC Joins Coalition Urging Congress to Investigate Destruction of Records on Family Separation

EPIC and a coalition of organizations sent a letter to Congress urging an investigation of the Department of Homeland Security's records management practices. The concern follows the administration's "zero-tolerance" immigration enforcement policy and family unification efforts. Recent reports indicate that border agents are improperly destroying records of the separated families, making it difficult to reestablish family connections. "The purposeful deletion of records by border agents would be a clear violation of the [Federal Records Act], with dire humanitarian consequences," the group stated. The letter also encouraged Congress to ensure DHS is fulfilling its transparency obligations by making its policy guidances available to the public. EPIC has previously warned the Senate about the misuse of immigrant data by the DHS.

EPIC to European Data Protection Board: GDPR Certifications Should Uphold Rights Above Privacy Seals

In the first public consultation held by the European Data Protection Board, EPIC proposed a rights-based certification criteria for the General Data Protection Regulation. The Data Protection Board is now the lead privacy agency in Europe. EPIC explained the risks of self-regulatory certification mechanisms, pointing to TRUSTe and the Facebook audits obtained by EPIC that wrongly certified Facebook's compliance with the 2011 FTC Consent Order. EPIC said, certification mechanisms "must be developed by national DPAs and implemented in conformity with the fundamental principles and rights of the GDPR." EPIC has also advised the UK Information Commissioner's Office and the Irish Data Protection Commissioner on GDPR enforcement.

EPIC to Congress: Declassified Russian Meddling Report Should be Released

In advance of a joint Committee hearing on "Oversight of FBI and DOJ Actions Surrounding the 2016 Election," EPIC sent a statement to the House Judiciary and House Oversight Committees urging the release of the complete declassified Intelligence Community report on Russian interference in the 2016 U.S. Presidential Election. EPIC pursued a FOIA lawsuit, EPIC v. ODNI, to obtain public release of the complete Intelligence report, and a federal court ruled that ODNI could withhold the document from public release. However, a recent report from the Senate Select Committee on Intelligence confirmed the 2017 assessment from the Intelligence Community. The Intelligence report stated "Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." EPIC argued that, in light of this report, the public has a right to know the Intelligence Community's findings. In 2017, EPIC launched a new project on Democracy and Cybersecurity to focus attention on new threats to democratic institutions.

EPIC Advises Congress to Protect Consumer Call Records

In advance of the hearing "Protecting Customer Proprietary Network Information in the Internet Age," EPIC urged Congress to protect the privacy of users of third-party apps, such as WhatsApp and Google Voice. The Telecommunications Act of 1996 protects the privacy of "CPNI" — phone numbers dialed, date and time of calls — but this safeguard does not cover internet-based calls. EPIC told Congress that CPNI privacy rules should apply to both telecommunications companies and Internet firms. In 2005, EPIC filed the original FCC petition to extend CPNI privacy protections. EPIC also proposed uniform privacy standards for telecommunications firms and information service providers in the 2016 FCC Privacy Order.

EPIC, Coalition Call for Human Rights Protections in Cybercrime Convention Update

EPIC and a coalition of civil society organizations urged the Council of Europe to include robust human rights protections in the proposed revision to the Convention on Cybercrime. Otherwise, the updates could enable "a race to the bottom for protection," the coalition warned. The groups opposed the CLOUD Act model for law enforcement access to data in foreign jurisdictions, calling instead for robust transparency and accountability requirements. The human rights groups also urged widespread ratification of the International Privacy Convention 108. EPIC and US consumer rights groups have long campaigned for United States ratification of Convention 108.

EPIC to Irish Data Protection Commission: Privacy Assessments Require Algorithmic Transparency

In comments to the Irish Data Protection Commission, EPIC proposed guidance for Data Protection Impact Assessments. The EU General Data Protection Regulation requires organizations to carefully assess the collection and use of personal data. EPIC explained that Data Protection Impact Assessments require the disclosure of the reason for the processing of personal data. EPIC also urged the Irish Privacy Commission to protect individuals against profiling and tracking by minimizing the collection of sensitive data. EPIC supports "Algorithmic Transparency" and brought FTC consumer complaints to promote accountability over secret algorithms. EPIC has also advised the UK Information Commissioner's Office on Data Protection Impact Assessments and GDPR implementation.

Special Counsel: Russian Intelligence Stole Data on 500,000 Voters

Russian intelligence officers hacked the website of a political organization in 2016 and stole personal data on more than 500,000 voters, according to a new indictment from the Special Counsel's Office. The stolen data included "names, addresses, partial social security numbers, dates of birth and driver's license numbers." In January 2017, EPIC sued the FBI for information about the agency's failure to respond to foreign cyberattacks on the DNC and the RNC. EPIC eventually obtained the victim notification procedures that would have applied during the 2016 Presidential election, but which the FBI failed to follow. Almost 18 months have passed since the filing of EPIC v. FBI and the first criminal indictments.

Federal Court Upholds Regulations for Drone Hobbyists

In a companion case to EPIC v. FAA, the D.C. Circuit ruled in Taylor v. FAA that the regulations for drones operated by hobbyists are within the agency's statutory authority. The D.C. Circuit previously ruled that EPIC lacked standing to compel the FAA to establish privacy rules for commercial drones. The D.C. Circuit declined to reach the merits of EPIC's challenge. The FAA is expected to issue rules later this year that will require drones to identify themselves with radio beacons, as EPIC had previously urged.

UK Data Watchdog Fines Facebook Maximum £500,000 for Cambridge Analytica Breach

The Information Commissioner's Office, the lead agency for data protection in England, has issued the maximum £500,000 fine on Facebook for failing to secure user data from Cambridge Analytica. ICO investigations found that Cambridge Analytica harvested 87 million Facebook users' personal data to target ads for political purposes, and that Facebook did not compel the deletion of this data to prevent further misuses. Facebook was charged with two violations of the UK Data Protection Act 1998: "failing to safeguard people's information [and] failing to be transparent about how people's data was harvested by others and why they might be targeted by a political party or campaign." ICO also told other companies that served online political ads during the EU Brexit Referendum to stop processing UK citizens' data. In March and April, EPIC told the FTC and Congress that the Cambridge Analytica breach could have been prevented if the FTC had enforced the 2011 Consent Order with Facebook. The FTC is currently investigating Facebook but has never imposed any fines against the company.

Congress Asks Google, Apple About Smartphone Data Collection

Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling.

European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension

The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of European, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond.

EPIC in the News

• Two Senators Call for Investigation of Smart TV Industry, New York Times, July 13, 2018
• DOS Proposed Rules on Social Media Data Collection from U.S. Immigrant Nonimmigrant Visa Applicants Draw Public Criticism, Law Firm Newswire, July 13, 2018
• FTC Urged To Stop Facebook From Sharing Data With Researchers, MediaPost, July 13, 2018
• Walmart patents audio surveillance technology to record customers and employees, CBS News, July 13, 2018
• Government-data watchdog slaps Facebook on wrist, WND, July 12, 2018
• Facebook faces allegations of privacy violations and manipulating consent for facial recognition, BiometricUpdate, July 12, 2018
• Google leans more on algorithms for ads as critics highlight risks, Reuters, July 11, 2018
• Kavanaugh's Privacy Views Could Boost Gov't Access To Data, Law360, July 11, 2018
• Facebook Is Still Abusing Your Privacy, New Republic, July 11, 2018
• Biometric Privacy Suits Don't Need Actual Harm, Ill. Court Told, Law360, July 10, 2018
• Facebook's Push for Facial Recognition Prompts Privacy Alarms, New York Times, July 9, 2018
• Drones need regulating, but this isn't the way to do it, Washington Post, July 9, 2018
• Artificial Intelligence Policy Needs Public Input, Gov't Told, Law360, July 6, 2018
• FAA Drone Rule Advisers Aim to Ax Privacy Group's Suit, Law360, July 6, 2018
• AI-ming Big, POLITICO Morning Tech, July 6, 2018
• Privacy Group Asks Court To Revive Suit Over Facebook Tracking, MediaPost, July 5, 2018
• Google's Gmail controversy is everything people hate about Silicon Valley, CNET, July 3, 2018

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Artificial Intelligence – Striking the Balance between Privacy and Competitiveness. July 18, 2018. European Liberal Forum's Transatlantic Lab, Washington, DC. Christine Bannan, EPIC Administrative Law and Policy Fellow.

Cyber Court Review: A Discussion of Recent Court Opinions Addressing Issues in CyberLaw. Aug. 2, 2018. ABA Annual Meeting, Chicago, IL. Alan Butler, EPIC Senior Counsel.

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection. Aug. 13–15, 2018. Aspen, CO. Marc Rotenberg, EPIC President.

Privacy, News, and the Future of Freedom of the Press. Sep. 27-28, 2018. Tulane Law School, New Orleans, LA. Marc Rotenberg, EPIC President.

Public Voice Conference. Oct. 23, 2018, Brussels, Belgium.

'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.

'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.

Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.