EPIC Alert 25.15

1. Kavanaugh as White House Counsel: PATRIOT Act, 'Measured, Careful, Responsible, and Constitutional Approach'

The Senate Judiciary Committee has released the first production of records for Supreme Court nominee Brett M. Kavanaugh from his time as associate White House counsel. The records show that the nominee supported programs of mass surveillance and misstated their impact on U.S. privacy laws.

According to the records released last week, Kavanaugh assisted in the effort to pass the PATRIOT Act and drafted a statement that President Bush incorporated into the bill signing. Kavanaugh wrote that the PATRIOT Act will "update laws authorizing government surveillance," which he claimed—and President Bush then restated—were from an era of "rotary phones." In fact, the PATRIOT Act weakened numerous U.S. privacy laws, including the subscriber privacy provisions in the Cable Act and the email safeguards in the Electronic Communications Privacy Act. Both laws were enacted after the era of rotary phones. Congress amended the Foreign Intelligence Surveillance Act after it was revealed that the White House had authorized warrantless wiretapping of Americans beginning in 2002.

In an email exchange included in the production, Kavanaugh also characterized the PATRIOT Act, a dramatic expansion of U.S. surveillance authorities, as a "measured, careful, responsible, and constitutional approach." Roughly 5,700 pages of documents were made available to the public, but the full records have been withheld.

EPIC recently submitted two urgenturgent Freedom of Information Act requests for all records concerning Judge Kavanaugh's activities in the Bush Administration. EPIC seeks to determine the extent of Kavanaugh's involvement in mass surveillance programs, including the PATRIOT ACT and the warrantless wiretapping program. As with prior nominees, EPIC will ask the Senate Judiciary Committee to question the nominee on a wide range of privacy, First Amendment, open government, and consumer protection issues.

2. EPIC Sues Justices Department for Reports on Cell Phone Tracking

EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice to obtain reports on the collection and use of cell phone location data. Modern cell phones generate precise records of their whereabouts known as cell site location information. Law enforcement agencies frequently seek these records to pinpoint an individual's coordinates and to create a map of their movements over time.

The Supreme Court recently held in Carpenter v. United States that the Fourth Amendment protects location records generated by cell phones and that "police must get a warrant when collecting" cell site location information. However, little information is available to the public about the actual use of this data by law enforcement.

Section § 2703(d) of the Stored Communications Act allows the government to obtain a court order for the release of certain subscriber records from any provider of electronic communications services. According to the Act, the government only has to show that there are "reasonable grounds to believe" that the records sought are "relevant and material" to an ongoing criminal investigation.

Several telecommunication companies, including AT&T, Sprint, Verizon, and T-Mobile, have released reports that reveal the number of government requests for customer data. Yet these reports are neither comprehensive nor sufficiently detailed to evaluate the full scope of law enforcement access to cell phone location data. The Department of Justice has never disclosed any comprehensive reports concerning the use of cell site data. Unlike the use of the Wiretap Act, which includes detailed reporting requirements, law enforcement use of cell site location information has no comparable public accounting.

In the complaint, EPIC explained that it "seeks to determine the use, effectiveness, cost, and necessity in the collection and use of cell site location information so that the public, lawmakers, and the courts may have a better understanding of the use of this investigative technique." EPIC's case for the release of reports on the government's use of cell site location information is EPIC v. DOJ, No. 18-1814 (D.D.C. filed August 1, 2018).

3. Following EPIC Comments, FTC Strengthens Safeguards for Kids' Data in Gaming Industry

The FTC has unanimously voted to approve new safeguards for children's data in the gaming industry, which include recommendations from EPIC. In response to an industry proposal to weaken standards for children's privacy, EPIC reminded the FTC that industry guidelines must comply with the Children's Online Privacy Protection Act (COPPA) and the updated 2013 COPPA Rule. As EPIC wrote, "COPPA has evolved to address changes in technology and business practices. These provisions must be competently carried forward in safe harbor programs, as the sensitive nature of children's data requires caution against self-regulation."

EPIC emphasized that limiting the material and territorial scope of the COPPA Rule is an express violation of children's privacy provided by law. Therefore, the FTC should reject industry guidelines that fall below the COPPA standard to ensure that children's privacy is adequately protected and prioritized. In particular, EPIC cautioned against lax industry interpretations of "anonymous information" and urged the FTC to extend privacy safeguards to de-identified children's data. EPIC also argued that COPPA should benefit all children without residency or nationality requirements, as the sensitivity of children's data merits universal protection.

In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules, which included (1) extending children's privacy protections in COPPA to all users worldwide, and (2) implementing privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized. Accordingly, the Commission agrees with EPIC's comment and has rejected [ESRB's] change." The FTC affirmed that industry rules must provide "same or greater protections for children" as required by the COPPA rule.

EPIC has testified several times before Congress on protecting children's data and supported updates to COPPA and effective enforcement by the FTC.

4. EPIC Opposes Citizenship Question on 2020 Census

In extensive comments to the U.S. Census Bureau, EPIC opposed the agency's decision to add a citizenship question to the 2020 census. The administration's stated purpose for the question is to assist the Department of Justice in enforcing the Voting Rights Act, but EPIC argued that census data should never be used for enforcement purposes because it will interfere with the census's constitutional purpose and undermine the integrity of the census. EPIC said: "The Bureau does not serve an investigatory function and the DOJ (or any other agency) should not expect it to."

EPIC also argued that adding the citizenship question this late and without proper testing will threaten the integrity of the data collected by the decennial census. The typical process for adding new questions takes multiple years and requires extensive review, but the citizenship question was added after the 2018 End-to-End Census test (the "dress rehearsal" for the 2020 census) was already underway. Former directors of the Census Bureau, including EPIC Advisory Board member Bob Groves, wrote to Secretary Ross to warn him that adding a new question without adequate testing "at this late point in the decennial planning process would put the accuracy of the enumeration and success of the census in all communities at grave risk."

The Bureau previously conducted a Privacy Impact Assessment for the census, but it did not acknowledge the privacy risks raised by the recently-added citizenship question. Federal Agencies are required by law to conduct an assessment "where a system change creates new privacy risks," but the Bureau stated that the new question did not create any new risks.

EPIC said the assessment does not meet the Commerce Department's standards and that it is required to conduct a revised assessment analyzing the privacy risks created by the citizenship question. Through a Freedom of Information Act request, EPIC recently obtained documents (part 1, part 2, part 3, part 4) concerning Commerce Secretary Wilbur Ross and the citizenship question.

The census raises significant privacy risks and was used to target Japanese-Americans for internment in World War II. EPIC previously obtained documents which revealed that the Census Bureau transferred sensitive data on Muslim Americans after 9-11 in response to a Department of Homeland Security request. As a consequence of EPIC's lawsuit, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement and intelligence agencies.

5. Two More Nominees for Intelligence Oversight Board

The White House has announced the nomination of two new board members to the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB is a federal agency charged with "ensur[ing] that the federal government's efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties." The oversight body has been unable to act in recent years due to long-term vacancies.

Travis LeBlanc is a partner at Boies Schiller and a former chief of the Federal Communications Commission's Enforcement Bureau. He also served as a senior advisor to California Attorney General (and now U.S. Senator) Kamala D. Harris.

Aditya Bamzai is a law professor at the University of Virginia who teaches civil procedure, administrative law, national security law, and computer crime. He previously served as an attorney-adviser in the Department of Justice's Office of Legal Counsel and was an appellate attorney in private practice and the DOJ's National Security Division.

The European Parliament has called for suspension of the Privacy Shield if the U.S. does not to improve data protection and restore the PCLOB. Three other members have been nominated but have yet to be confirmed. EPIC opposed the nomination of Adam Klein to serve as Chairman of the Board.

EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. EPIC also sought public release of the PCLOB report on Executive Order 12,333.

EPIC Book Review: 'The Right of Publicity'

The Right of Publicity: Privacy Reimagined for a Public World, by Jennifer E. Rothman

In their seminal 1890 article "The Right to Privacy," Samuel Warren and Louis Brandeis argued that—in an era of "[i]nstantaneous photographs and newspaper enterprise"—"the law must afford some remedy for the unauthorized circulation of portraits of private persons." Over the past 130 years, this protection against "the unauthorized circulation of portraits" has evolved into the modern right of publicity. Yet as Professor Jennifer E. Rothman argues in The Right of Publicity: Privacy Reimagined for a Public World, that right has long since "lost its way, becoming a misunderstood, misshapen, bloated monster that has turned against even its initial masters and proponents."

Rothman's account begins in the late nineteenth century, when the increasing portability of cameras and a proliferation of newspapers sparked fears about the nonconsensual publication of personal photographs. Rothman follows these concerns through early legal disputes over a newspaper popularity contest, a statue of a famous philanthropist at the Chicago World's Fair, and advertisements that used personal portraits to sell flour and insurance. Bit by bit, courts began to recognize a legal right to control the use of one's name and image. This right, originally regarded as a component of the right to privacy, protected the dignitary and economic interests of both public and private figures.

But beginning in the 1950s, the "right to publicity got off track," transforming "from a personal right, rooted in the individual person" into "a powerful intellectual property right, external to the person, that can be sold to or taken by" other parties. Rothman highlights two major court decisions in this evolution: one, a widely misunderstood 1953 case between baseball card companies which suggested that baseball players' publicity rights might be transferrable, and two, a 1977 Supreme Court case acknowledging a circus performer's "proprietary interest" in the publicity of his human cannonball act. Once placed "in the pantheon of IP," the right of publicity was expanded in other ways, becoming freely assignable, covering traits beyond name and likeness, and even extending beyond death.

Rothman offers an extensive critique of this doctrinal shift. For example, she explains the dangers and abuses of allowing publicity rights to be freely transferred, pointing to actors, musicians, models, and college athletes who are pressured to sign over the use of their name and likeness. And just as alarming, "Social media sites already have claimed rights over photos and people's names and likenesses in their ever-changing and rarely read terms of service that their users all purportedly agree to in exchange for use of the sites." Rothman also refutes many of the claimed benefits of the modern right of publicity. She casts doubt on the view that the right incentivizes continuing creative endeavors, as the people who most need such an incentive—"obscure musicians, actors, scientists, and journalists"—are the least likely to benefit from legal protections for their persona.

Naturally, Rothman proposes some reforms, too. Calling for a "Big Crunch for the right of publicity," she recommends that the right be limited solely to names, likenesses, and voices; that the right be non-transferable (though still licensable on a limited basis); and that "any postmortem right of publicity should be narrow in scope and duration." Moreover, Rothman urges a renewed recognition that "the rights of publicity and privacy are intertwined, and that they both are focused on the same interests—protecting individuals' identities rather than protecting a separable, purely economic interest."

—John Davisson

News in Brief

EPIC Urges Senate Committee to Press FCC on Privacy

EPIC has sent a statement to the Senate Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to protect online privacy. EPIC also asked the Committee to press the FCC to repeal a regulation that requires the retention of telephone customer records for 18 months. EPIC filed the petition urging the repeal of this mandate more than two years ago. Every comment received by the FCC favored the EPIC petition. EPIC has submitted multiple comments to the FCC to strengthen online privacy and has recommended an industry-neutral and comprehensive privacy framework.

D.C. Circuit Announces Panel in EPIC v. IRS, FOIA Case for Trump's Tax Returns

The D.C. Circuit has announced the three-judge panel that will decide EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Arguments will be held in the case on Thursday, September 13, 2018 before Judge Karen LeCraft Henderson, Judge Patricia A. Millett, and Judge Harry T. Edwards. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity).

EPIC Comments on Second Annual Privacy Shield Review

EPIC provided comments this week to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall.

EPIC Urges FCC to End Data Retention Mandate

EPIC has sent a letter to the Federal Communications Commission urging the FCC to act immediately on a petition submitted by EPIC and a coalition of civil rights organizations, technical experts, and legal scholars exactly three years ago. The petition called for an end to the FCC rule requiring the mass retention of phone records, known as the "data retention mandate." EPIC explained in the petition that the rule was "unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers." The U.S. Supreme Court recently declared that cell phone location records are protected under the Fourth Amendment in Carpenter v. United States. EPIC wrote in the letter that "as we anticipated in the original petition, the retention of cell phone data implicates constitutional interests." All of the comments received by the FCC on this topic favored an end to the mandate.

International Privacy Experts Adopt Recommendations for Cross-Border Law Enforcement Requests for Data

The International Working Group on Data Protection in Telecommunications has adopted new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection called on governments and international organizations to ensure that law enforcement requests accord with international human rights norms. The Working Group also recommended specific safeguards for data protection and privacy, including accountability, procedural fairness, notice, and an opportunity to challenge. EPIC addressed similar issues in an amicus brief for the U.S. Supreme Court in the Microsoft case. EPIC and a coalition of civil society organizations recently urged the Council of Europe to protect human rights in the proposed revision to the Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

Open Government Groups Call for Full Access to Kavanaugh Records

A coalition of nonpartisan open government groups has called for the disclosure of Supreme Court nominee Brett Kavanaugh's White House records. In a letter to the Senate Judiciary Committee, the coalition asserted that "curtailed document requests will hinder the Senate's ability to fully assess Judge Kavanaugh's background and qualifications[.]" To uphold the constitution, the coalition emphasized that "senators from both parties must have equal access to all documents relevant to a nominee, in as timely and complete a manner as possible." EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's White House records from the period when many post-September 11 mass surveillance systems were implemented.

Senator Feinstein Rebuts National Archives' Decision to Withhold Kavanaugh Records

Senator Feinstein has sent an urgent letter to Archivist David S. Ferriero demanding reconsideration of the National Archives' decision to withhold documents related to Supreme Court nominee Brett Kavanaugh. In the letter, Senator Feinstein stated that the "records are crucially important to the Senate's understanding of Mr. Kavanaugh's full record, and withholding them prevents the minority from satisfying its constitutional obligation to provide advice and consent on his nomination." Under the National Archives' unprecedented interpretation of the Presidential Records Act, Feinstein explained that "minority members of the Senate Judiciary Committee now have no greater right to Mr. Kavanaugh's records than members of the press and the public."

EPIC in the News

• Online manipulation is the the latest data protection debate, CIO (Opinion), August 15, 2018
• FTC Approves Modifications to Video Game Industry Self-Regulatory COPPA Safe Harbor Program, Federal Trade Commission, August 15, 2018
• Employee privacy at stake as surveillance technology evolves, CBS News, August 14, 2018
• Google Tracks You Even If Location History's Off. Here's How to Stop It, Wired, August 13, 2018
• Inside the Decades-Long Fight to Protect Your Children's Data From Advertisers, New York Magazine, August 13, 2018
• Districts Tap Digital Monitoring Services to Guard Against School Shootings, eLearning Inside News, August 12, 2018
• Smartphone Voting Is Happening, but No One Knows if It's Safe, Wired, August 9, 2018
• Privacy Policies are Needed With Utility Smart Meters, The St. Louis American, August 9, 2018
• In Crash Investigations, Police Upgrade From Chalk, Tape Measures to Drones, The Christian Science Monitor, August 7, 2018
• Utility Smart Meters May be Leaving Consumer Information Vulnerable, Next STL, August 7, 2018
• Facebook Taps Banks, but for Chatbots not Purchase Data Like Google, TechCrunch, August 6, 2018
• Mind the Gap: Drone Privacy Falling Through Regulatory Cracks, Bloomberg Government, August 6, 2018
• Technology Forces Criminal Law to Evolve, ABA Journal, August 3, 2018

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Next-Generation Digital Infrastructure: Towards a New Regime for Promoting Investment, Competition and Consumer Protection. Aug. 13–15, 2018. Aspen, CO. Marc Rotenberg, EPIC President.

Privacy, News, and the Future of Freedom of the Press. Sep. 27-28, 2018. Tulane Law School, New Orleans, LA. Marc Rotenberg, EPIC President.

AI, Ethics, and Fundamental Rights: A Public Voice Event. Oct. 23, 2018. Brussels, Belgium.

'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.

'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.

Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.