EPIC Alert 25.14

1. EPIC Requests Kavanaugh White House Records on Warrantless Wiretapping, Mass Surveillance Programs

EPIC has submitted two Freedom of Information Act requests to the George W. Bush Library and the National Archives and Records Administration for documents concerning Supreme Court nominee Brett M. Kavanaugh's involvement with mass surveillance programs. President Trump nominated Judge Kavanaugh to the Court after Justice Anthony Kennedy announced his retirement from the bench in June. The first EPIC FOIA request concerns staff files during Kavanaugh's tenure at the White House and the second EPIC FOIA request concerns his e-mails.

Judge Kavanaugh, who currently sits on the D.C. Circuit Court of Appeals, served for more than five years in the White House for President George W. Bush. From 2001 to 2003, Kavanaugh was involved in drafting reports, memoranda, and policy statements as Associate and Senior Counsel to the President. From 2003 to 2006, Kavanaugh served as Staff Secretary and Assistant to the President, controlling the flow of documents to and from the President and circulating documents to senior administration officials for comment. Judge Kavanaugh has stated that his three years as Staff Secretary to President Bush "were the most interesting and in many ways the most instructive" to him as a judge.

During Judge Kavanaugh's time as Staff Secretary, the Bush administration undertook a wide range of mass surveillance programs, including the warrantless wiretapping of Americans, which was later deemed unlawful. As a D.C. Circuit judge, Kavanaugh wrote that a suspicionless surveillance program "is entirely consistent with the Fourth Amendment." "Critical national security need outweighs the impact on privacy occasioned by the program," Kavanaugh wrote. Other programs and developments during Kavanaugh's White House tenure include Total Information Awareness, airport body scanners, passenger profiling, passage of the PATRIOT Act, and Real ID. These activities sparked widespread public opposition, and many were terminated after they were brought to light.

The release and review of Judge Kavanaugh's extensive paper trail has created conflict in the Senate over how much material should be released. Senate Judiciary Committee Chairman Chuck Grassley (R-IA) sent a letter to the Bush Library requesting Judge Kavanaugh's records, but the letter did not ask for documents from when Kavanaugh served as Staff Secretary. Senator Patrick Leahy (D-VT) criticized Senate Judiciary's incomplete request: "In a stark departure from bipartisan precedent, Senate Republicans are seeking to prevent the Senate from fulfilling its obligation to review the full record of a nominee for a lifetime appointment to our nation's highest court. We must ask: What do Senate Republicans so badly want to hide?"

2. Presidential Commission to Delete State Voter Data Wrongfully Obtained

EPIC and a coalition of groups recently gave the White House the final go-ahead to destroy the state voter data unlawfully collected by the Presidential Election Commission. In a notice to the federal court overseeing EPIC v. Commission, EPIC said that the White House should delete the data as it stated earlier it would. EPIC and the coalition also asked the White House to confirm that no copies of the state voter data had been made or retained.

The deletion of the voter data is the outcome EPIC sought in EPIC v. Commission, which challenged the Commission for failing to conduct a required Privacy Impact Assessment before collecting personal data. After EPIC brought suit against the Commission, the Commission suspended its data collection, discontinued the use of an unsafe computer server, and deleted a prior batch of voter information that was illegally obtained. The Commission was then disbanded in January 2018.

Meanwhile, EPIC will soon ask the Supreme Court to void last year's ruling by the D.C. Circuit Court of Appeals in EPIC v. Commission. A three-judge panel of the D.C. Circuit wrongly held that EPIC—a privacy and open government organization—did not have "standing" to challenge the Commission's failure to conduct and publish a Privacy Impact Assessment. That decision is eligible for reversal on two different grounds: it conflicts with Supreme Court precedent, and it is based on an appeal that was rendered moot as soon as the President terminated the Commission.

EPIC has a long history of working on voter privacy and democratic institutions. EPIC has pursued numerous FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). The latest EPIC FOIA gallery reviews developments on these lawsuits.

3. EPIC FOIA: EPIC Obtains CBP Drone Operations and Privacy Directive

EPIC, through a Freedom of Information Act lawsuit, has obtained Customs and Border Protection's directive on Unmanned Aircraft System Operations and Privacy. The directive allows the agency to disseminate information collected through drone operations to federal, state, local, tribal, and foreign law enforcement agencies.

EPIC's FOIA request stems from a 2015 Presidential Memorandum that requires all federal agencies to address the privacy, civil liberties, and civil rights risks posed by the use of drones. Among other measures, the Memorandum instructed each agency to keep the public informed of how and where the agency uses drones and to issue an annual summary of the agency's drone operations.

EPIC has long focused public attention on the federal government's use of drones to conduct domestic surveillance. Drones have been used by the Department of Homeland Security for well over ten years. The public has a right to know the scope of DHS's drone usage as well as the policies for the collection, use, dissemination, and retention of the information obtained by drones.

EPIC recently sent a statement to the Senate Committee on Homeland Security and Government Affairs, urging the Committee to not consider pending Senate bill 2836 (the "Preventing Emerging Threats Act of 2018") until federal agencies establish drone privacy procedures.

4. For House Hearing, EPIC Urges FTC to Unwind WhatsApp Deal, Enforce Facebook Consent Order

EPIC recently sent a statement to the House Energy and Commerce Committee in advance of a hearing on "Oversight of the Federal Trade Commission." The hearing featured new FTC Chairman Joseph Simons and the recently confirmed FTC Commissioners. EPIC's statement highlighted the FTC's ongoing failure to enforce its own consent orders and its refusal to stop significant mergers and acquisitions that have harmed consumer privacy. EPIC urged the Committee to tell the new FTC leadership to enforce the Facebook Consent Order and to unwind the Facebook-WhatsApp merger.

EPIC had previously sent detailed statements to Congress in advance of hearings in April and June, explaining that the Cambridge Analytica breach affecting 87 million Facebook users could have been prevented if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of extensive complaints filed by EPIC and consumer privacy organizations in 2009 and 2010 detailing Facebook's changes to its privacy settings—changes that caused users' information to be disclosed to third parties without their knowledge or consent.

EPIC and the Center for Digital Democracy also filed a complaint with the FTC in 2014 urging it to block Facebook's acquisition of WhatsApp unless appropriate privacy safeguards were put in place to protect WhatsApp users' data. Users had relied on WhatsApp's promises to never sell their data. The FTC approved the merger after Facebook and WhatsApp assured the FTC that they would make no changes to WhatsApp users' privacy settings. But in 2016, EPIC and CDD filed a second complaint with the FTC after Facebook began collecting WhatsApp users' data in violation of the companies' privacy promises.

During the hearing, Chairman Simons testified that the FTC needs greater authority to protect consumers. Simons said that privacy and data security are now the top priority for the Commission and signaled his support for legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security.

5. EPIC Urges Suspension of Biometric Entry/Exit Program

In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance.

EPIC told CBP that searches of biometric watch lists will exacerbate the problem of using facial recognition and disproportionately impact minorities. Studies have found that facial recognition technology performs much more accurately when identifying light-skinned men than it does for dark-skinned women.

Moreover, facial recognition technology is even less accurate when used to identify people in vehicles—because of many complicating factors such as vehicle speed and windshield glare—than it is in a controlled environment. Colleen Manaher, CBP executive director of planning, program analysis and evaluation stated in an interview that if the technology is able to identify fifty percent of the in-car passengers it would be a "home run."

In EPIC v. CBP, EPIC has sued the agency for details about the Biometric Entry/Exit Program. A report obtained by EPIC in the lawsuit shows that facial recognition at a pedestrian border failed to perform at a "satisfactory" level. More recently, EPIC submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology." The system, if implemented, will integrate biometric identifiers across the federal government and serve as the primary biometric database for the Biometric Entry/Exit program.

News in Brief

EPIC Seeks Records on 'Quiet Skies,' TSA Airport Surveillance Program

EPIC submitted a Freedom of Information Act request to the Transportation Security Authority after renews reports that the agency secretly surveills airport travelers. The program, known as "Quiet Skies," uses teams of federal marshals to track and observe unsuspecting travelers while they are in the airport and on flights. A Government Accountability Office report on a similar program that used behavioral analysis found the program to be ineffective. The GAO report stated that the "Screening of Passengers by Observation Techniques" program also raised significant concerns over racial and ethnic profiling. EPIC has urged TSA to undertake a comprehensive audit of the civil rights impact of airport screening policies on racial and religious minorities.

For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws

In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency.

EPIC Urges House Committee to Push FCC on Comprehensive Privacy Plan

EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to develop a comprehensive plan for online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections.

EPIC Urges FAA to Make Drone Committee Meetings Accessible to the Public

EPIC recently wrote to FAA Acting Administrator Daniel K. Elwell to request that the agency livestream the Drone Advisory Committee's July 17 meeting in Santa Clara, CA. Earlier this year, EPIC filed suit against the Drone Committee, alleging that it had conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones. As EPIC explained in the request for public streaming, "the FAA's Drone Advisory Committee plays a key role in setting public policy on drone deployment for the United States, yet the public is largely excluded from this process. This secrecy is of particular concern given ongoing public concerns about the deployment of drones in the United States."

EPIC to Congress: Require Algorithmic Transparency For Dominant Internet Firms

In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors.

Legal Challenge to Citizenship Question on Census Moves Forward

A federal judge ruled that lawsuits challenging the Trump administration's decision to add a question on citizenship status to the 2020 census could move forward. The court rejected the administration's claim that the plaintiffs lacked standing and ruled that it was "plausible" that the decision was motivated by racial animus and would result in a discriminatory effect on immigrant communities. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add the citizenship question. The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11.

NSA Inspector General Issues First Unclassified Report

The NSA's Office of Inspector General issued the first unclassified semi-annual report to Congress on the National Security Agency. The report describes the internal watchdog's audits, studies, and investigations of the NSA's activities. Among other findings, the OIG uncovered improper searches through U.S. persons' data collected under the Foreign Intelligence Surveillance Act, as well as "many instances of noncompliance" with rules to secure NSA networks, systems, and data. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. EPIC also routinely highlights reporting on federal surveillance under the Wiretap Act. In EPIC v. NSA, EPIC obtained the Presidential Decision Directive, outlining the agency's authority for domestic surveillance.

Bot Disclosure Act Would Promote Identification, Accountability

Sen. Dianne Feinstein (D-Calif.) has introduced S. 3127, the Bot Disclosure and Accountability Act of 2018. The bill directs the FTC to create a rule to require social media companies to disclose any social media bots on their platform. The bill also prohibits candidates and political parties from using bots. "This bill is designed to help respond to Russia's efforts to interfere in U.S. elections through the use of social media bots, which spread divisive propaganda," Feinstein said. Recently, EPIC sent a statement to the House Judiciary Committee arguing that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. EPIC has also recommended identification requirements for drones.

Justice Department Releases 2018 FOIA Report

The Department of Justice has released a summary and assessment of federal agencies' Chief FOIA Officer Reports. The annual FOIA Report provides a detailed assessment of FOIA processing across the federal government. The summary tracks the Department's FOIA Guidelines: Applying the Presumption of Openness, Having Effective Systems for Responding to Requests, Making Information Available Proactively, Utilizing Technology, and Reducing Backlogs and Improving Timeliness. The guidance offers methods to manage these backlogs, guidance on closing oldest consultations, and recommending that agencies post raw data from the annual FOIA reports. EPIC pursues an extensive FOIA docket.

FTC Chair Seeks New Privacy and Data Security Authority

In recent testimony before the House Energy and Commerce Committee, new Federal Trade Commission Chairman Joseph Simons said the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security. EPIC submitted a statement prior to Simons' testimony emphasizing that the FTC must conclude its investigation of Facebook and issue a fine for its violations of the 2011 Consent Order and unwind the Facebook-WhatsApp deal.

EPIC in the News

• Facebook Fights Users' Attempt To Revive Suit Over Tracking, MediaPost, August 1, 2018
Is Twitter curbing access to certain political voices?, Sinclair Broadcast Group, July 31, 2018
• Diving into the previously undisclosed TSA program that monitors unaware passengers, 89.3 KPCC, July 31, 2018
• The Trump administration is talking to Facebook and Google about potential rules for online privacy, Washington Post, July 27, 2018
• Facial Recognition Software Wrongly Identifies 28 Lawmakers As Crime Suspects, NPR, July 26, 2018
• Lawmakers Can't Ignore Facial Recognition's Bias Anymore, WIRED, July 26, 2018
• FTC Under the Microscope, POLITICO Morning Tech, July 18, 2018
• Zelle Catches A Growth Wave, Threatening Venmo, PYMNTS.com, July 18, 2018
• State AGs, ABA Press High Court Over Google Privacy Deal, Law360, July 18, 2018
• U.S. Google critics ask EU to 'speed up and broaden' antitrust probe, POLITICO, July 18, 2018
• Don't Expect Big Changes from Europe's Record Google Fine, WIRED, July 18, 2018
• EPIC urges FTC to halt research using Facebook user data, citing GDPR violations, Inside Cybersecurity, July 17, 2018
• Venmo: how the payment app exposes our private lives, The Guardian, July 17, 2018
• Walmart files patent for audio surveillance technology to monitor employees and customers, SC Magazine, July 17, 2018
• FAA to Hold First Drone Advisory Meeting Since Recharter, Chairman Resignation, Aviation Today, July 16, 2018

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Cyber Court Review: A Discussion of Recent Court Opinions Addressing Issues in CyberLaw. Aug. 2, 2018. ABA Annual Meeting, Chicago, IL. Alan Butler, EPIC Senior Counsel.

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection. Aug. 13–15, 2018. Aspen, CO. Marc Rotenberg, EPIC President.

Privacy, News, and the Future of Freedom of the Press. Sep. 27-28, 2018. Tulane Law School, New Orleans, LA. Marc Rotenberg, EPIC President.

AI, Ethics, and Fundamental Rights: A Public Voice Event. Oct. 23, 2018. Brussels, Belgium.

'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.

'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.

Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.