EPIC Alert 25.16
EPIC Alert 25.16 - August 31, 2018
- EPIC v. Commission: Presidential Election Commission Destroys State Voter Data Wrongfully Obtained
- Following EPIC Complaint, FTC Acknowledges Review of Google Consent Order
- EPIC and Open Government Groups Urge Senate to Delay Hearing on Kavanaugh
- EU Deadline Approaches With No Action by U.S. on Data Privacy, Facebook Investigation
- EPIC Urges DHS To Abandon Privacy Act Exemptions for Biometric Database
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
1. EPIC v. Commission: Presidential Election Commission Destroys State Voter Data Wrongfully Obtained
The White House confirmed this month that it has destroyed the state voter data unlawfully collected last year by the Presidential Election Commission. Responding to a court order in EPIC v. Commission the White House stated that the voter data is now "entirely deleted and unrecoverable."
The deletion of the voter data is the outcome EPIC sought in the case, which challenged the Commission's failure to conduct a required Privacy Impact Assessment before collecting personal data. Commission Vice Chair Kris Kobach had asked state election officials nationwide to turn over vast amounts of personal data from state voter rolls. Only about twenty states had agreed to cooperate with Kobach before the Commission was disbanded in January 2018.
"This is the end of the line for one of the most ill-conceived, privacy-violating programs in modern U.S. history," EPIC President Marc Rotenberg said. "The Kobach Commission attempted to toss aside state privacy law and the sanctity of the ballot box. But state election officials, members of Congress, civil rights organizations, and privacy groups said 'no.' And this order in EPIC's lawsuit closes the door on that attempt to undermine American democracy."
Meanwhile, EPIC has asked the Supreme Court to review and vacate a court of appeals decision that wrongly refused to acknowledge EPIC's standing to seek the required privacy impact assessment. EPIC told the Supreme Court that the D.C. Circuit "misconstrued" the privacy impact assessment requirement "in a way that will seriously undermine the provision." EPIC warned that the lower court decision could adversely impact the privacy of personal data held by federal agencies.
The FTC confirmed last week that it is investigating Google's compliance with a 2011 FTC consent order. The acknowledgement came in response to an EPIC complaint urging the Commission to determine whether Google violated the consent order. EPIC brought the complaint after a report that Google tracked user locations even when users opted out.
After news of Google's practices broke, EPIC called for the Commission to enforce the consent order and hold Google accountable. In its complaint to the Commission, EPIC explained that "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fail to comply with the 2011 order." EPIC told FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." In the response, the agency said that FTC attorneys monitor compliance with the agency's consumer protection orders and that "the Google order is undergoing just such a review."
The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups; Google entered into a settlement; and Buzz was shuttered. FTC chairman John Liebowitz said at the time, "When companies make privacy pledges, they need to honor them."
EPIC also submitted comments recently to the FTC advising the agency on how to address algorithmic decision-making and competition and consumer protection for the hearings on "Competition and Consumer Protection in the 21st Century."
EPIC, along with a nonpartisan coalition of fifteen open government groups, sent a letter this week to the Chair and Ranking Member of the Senate Judiciary Committee urging the Senate to delay hearings on Supreme Court nominee Judge Brett M. Kavanaugh until all relevant records are released.
Last month, Senate Judiciary Committee Chairman Chuck Grassley (R-IA) sent a letter to the George W. Bush Library requesting Judge Kavanaugh's records but did not ask for records of when Judge Kavanaugh served as White House Staff Secretary. The National Archives and Records Administration is processing more than 900,000 pages of records in response to Senator Grassley's request but does not expect to complete the review of all pages by the end of October.
"Secrecy and selective availability of information continue to plague public confidence in the Senate's ability to conduct a fair and impartial review of Judge Kavanaugh's background and qualification," the coalition told the committee. The groups urged the senators to work across party lines to ensure maximum transparency and protect the public's right to know.
The letter also urged the senators to allow the National Archives and Records Administration to complete a review of the nomination records before proceeding with the hearings. The groups stated, "In order for the Senate to carry out its constitutional duty to provide advice and consent on Supreme Court nominee Judge Kavanaugh, it is critical to have a full understanding of his White House record, his positions, and policy choices."
Judge Kavanaugh's confirmation hearing is currently scheduled for September 4. Traditionally, the records of Supreme Court nominees who served in the White House are made available prior to committee hearings. For instance, there was bipartisan support for a full request of Justice Elena Kagan's White House records from when she served in the Clinton administration.
Earlier this month, EPIC submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's records. At issue are concerns about Judge Kavanaugh's role in the warrantless wiretapping program and the secret expansion of the Patriot Act. Both of EPIC's requests were granted expedited processing.
EPIC and a coalition of thirteen consumer groups asked the FTC to conclude the Facebook-Cambridge Analytica investigation by September 1, 2018. The groups said, "It is critical that the FTC conclude the Facebook matter, issue a significant fine, and ensure that the company upholds its privacy commitments to users."
The European Parliament recently passed a resolution calling for the suspension of the EU-US Privacy Shield agreement by September 1 if the United States does not fully comply. The Privacy Shield permits the flow of data on European consumers to companies located in the United States that would otherwise be subject to European law. A lack of enforcement by the FTC would imperil both European and American consumers and undermine the digital economy.
In an earlier letter to the FTC, the groups emphasized that the disclosure of data on 87 million Facebook users to Cambridge Analytica could have been prevented had the FTC enforced its 2011 consent order with Facebook in the first place. FTC Chairman Simons has stated that a "first priority for the Commission" will be "vigorous enforcement."
The FTC announced in March that it would reopen the Facebook investigation, but the agency has not updated the public on the progress of the investigation. Congress and the European Parliament have both conducted extensive hearings on the Cambridge Analytica matter. The UK Information Commissioner's Office conducted an extensive investigation, published a substantial report, and issued a significant fine in July.
In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions for the Immigration Biometric and Background Check (IBBC) database that would reduce privacy safeguards in the federal government.
The IBBC database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous "routine uses" that allow the agency to disseminate the data to law enforcement and intelligence agencies.
"Consistent and broad application of Privacy Act obligations are the best means of ensuring accuracy and reliability of database records, and the DHS must rein in the exemptions it claims for its IBBC database," EPIC explained in its comments. "The IBBC represents a wide, unaccountable net cast by DHS for information on U.S. and non-U.S. individuals to be used for law enforcement and intelligence purposes. The IBBC database essentially creates a criminal/intelligence database posing as an immigration benefit system."
EPIC warned specifically about the risks of collecting facial recognition and other biometric data in the IBBC. "Ubiquitous identification eliminates an individual's ability to control their identities and poses specific risk to the First Amendment rights of free association and free expression," EPIC wrote. "The use of facial recognition by DHS for this database will have real consequences for U.S. citizens as well as non-U.S. citizens and will disproportionately impact marginalized groups."
EPIC Pursues Voter Data Privacy Case at Supreme Court
Following then end of the Presidential Election Commission and the deletion of the voter data it unlawfully obtained, EPIC has asked the Supreme Court to review a lower court decision that wrongly denied EPIC access to a privacy impact assessment the Commission was required to publish. EPIC told the Supreme Court that the D.C. Circuit "misconstrued" the privacy impact assessment requirement "in a way that will seriously undermine the provision." EPIC also warned that the lower court decision could adversely impact the privacy of personal data held by federal agencies. EPIC's suit against the Commission led to the suspension of data collection, the discontinued use of an unsafe computer server, and the deletion of state voter data wrongly acquired. EPIC's case in the Supreme Court is EPIC v. Commission, No. 17A1406.
EPIC Settles Suit Against DHS Regarding Communications with Presidential Election Commission
EPIC has settled a Freedom of Information Act lawsuit against the Department of Homeland Security that sought communications between the agency and the Presidential Election Commission. Through the lawsuit, EPIC obtained records showing that DHS communicated frequently with the Presidential Election Commission after EPIC sued to block the Commission's efforts to obtain state voter data. The records also revealed that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission's voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. EPIC's separate lawsuit against the Presidential Election Commission led to the suspension of state voter data collection and ultimately to the complete destruction of the wrongfully collected data.
EPIC and Coalition Urge Senate to Confirm PCLOB Nominees
EPIC and 30 other organizations sent a letter to the Senate Judiciary Committee to urge action on the final two nominees to the Privacy and Civil Liberties Oversight Board. The Senate Judiciary has held hearings on only three of the five nominees. The independent agency reviews federal surveillance programs to ensure that they provide adequate safeguards for privacy and civil liberties, but the PCLOB has lacked a quorum for over 19 months and not held hearings, issued reports, or performed other critical functions. The letter stated that the absence of a quorum is a "lost opportunity to better inform the public and facilitate Congressional action." EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency.
EPIC FOIA: EPIC Obtains Emails About White House AI Committee
Through a Freedom of Information Act request to the National Science Foundation, EPIC has obtained communications between the Office of Science and Technology Policy and the NSF about the White House's Select Committee on Artificial Intelligence. The Committee was announced earlier this year at the White House Artificial Intelligence Summit. In an e-mail Michael Kratsios, Deputy Assistant to the President for Technology Policy, stated that the summit was "well received by industry and academia" but makes no mention of the absence of public participation. The Committee's inaugural meeting in May was held in secret, and the OSTP has still not announced a plan for public participation. EPIC and leading scientific organizations, including AAAS, ACM, and IEEE, and technology experts petitioned the OSTP to solicit public comments on artificial intelligence policy. EPIC again argued for public participation in US AI policy in a recent statement to the Senate Commerce Committee.
EPIC to Congress: Public Participation Required for U.S. Policy on Artificial Intelligence
In advance of a hearing concerning the Office of Science and Technology Policy, EPIC said that OSTP should ensure public participation in the development of AI policy. EPIC told the Senate Commerce Committee that Congress must also implement oversight mechanisms for the use of AI. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. In a recent petition to OSTP, EPIC, leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on artificial intelligence policy. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency.
EPIC to FTC: Algorithmic Decision-Making Requires Transparency
EPIC has advised the FTC on algorithmic decision tools, artificial intelligence, and predictive analytics for the hearings on "Competition and Consumer Protection in the 21st Century." In the comments, EPIC urged the FTC to (1) prohibit unfair and deceptive algorithms, (2) seek legislative authority for "algorithmic transparency" to establish consumer protection in automated decision-making, (3) provide guidance on the ethical design and implementation of algorithms, and (4) make public the "Universal Tennis Rating" algorithm that secretly scores young athletes. Calling on the Commission to act on EPIC's repeated complaints on the proprietary algorithm that poses risks to children's privacy, EPIC said: "secret algorithms are unfair and deceptive," conceal bias, and deprive consumers of opportunities in the marketplace. EPIC champions "Algorithmic Transparency", and has advised Congress that algorithmic transparency is necessary for fairness and accountability.
EPIC, Consumer Groups Advise FTC on Competition and Privacy
EPIC, the Center for Digital Democracy, the Consumer Federation of America, and US PIRG submitted comments to the FTC in advance of hearings on "Competition and Consumer Protection in the 21st Century." The consumer groups said that privacy protection is critical for completion and innovation. The groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units into independent companies; 3) block all future acquisitions by Facebook and Google that would enable the companies to increase their monopoly over consumer data; 4) impose privacy safeguards for all future mergers that implicate data privacy concerns; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in the 1995 hearings which led to the FTC's work on consumer privacy.
EPIC to FTC: Google's Location Tracking Violates Consent Order
Following a report that Google tracks user location even when users opt-out, EPIC wrote to the FTC that Google violated the 2011 consent order. EPIC said "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order." EPIC also told the FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." The 2011 settlement with Google followed a detailed complaintbrought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement and Buzz was shuttered. FTC chairman John Liebowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."
Court Blocks EPIC's Efforts to Obtain 'Predictive Analytics Report'
A federal court in the District of Columbia has blocked EPIC's efforts to obtain a secret "Predictive Analytics Report" in a FOIA case against the Department of Justice. The court sided with the agency which had withheld the report and claimed the "Presidential communications privilege." Neither the Supreme Court nor the D.C. Circuit has never permitted a federal agency to invoke that privilege. EPIC sued the agency in 2017 to obtain records about "risk assessment" tools in the criminal justice system. These techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. Many criminal justice experts oppose their use. EPIC has pursued several FOIA cases to promote "algorithmic transparency," passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. The case is EPIC v. DOJ (Aug. 14, 2018 D.D.C.). EPIC is considering an appeal.
EPIC FOIA: EPIC Obtains DOD Inspector General Audits of Hotline Allegations
Through a Freedom of Information Act request, EPIC has obtained the Department of Defense's Inspector General report on audit of hotline allegations involving improper use of agency funds for foreign counterintelligence billets. The report found that the Defense Intelligence Agency followed proper appropriation authorities but did not ensure proper function and management for the program. The Inspector General found that "employees were performing duties not aligned with their position descriptions and funding." In a 2012 FOIA case, EPIC v. CIA, EPIC uncovered an Inspector General's report which revealed that the CIA, in collaboration with the NYPD, conducted domestic surveillance of mosques, Muslim student groups, and Muslim stores and businesses. EPIC continues to pursue the release of government documents to improve oversight and accountability through litigation and EPIC's Open Government Project.
Appeals Court Finds Smart Meters Trigger Constitutional Scrutiny, but Data Logging Is Reasonable
A federal appeals court has ruled that smart meters perform a "search" under the Fourth Amendment but found that their collection of household energy data is "reasonable." Smart meters periodically transmit information to public utilities about home energy consumption, which can reveal personal behavior patterns and enable real-time surveillance. "The ever-accelerating pace of technological development carries serious privacy implications," the Seventh Circuit wrote. "Smart meters are no exception." The Court held that the searches performed by smart meters are justified by cost reductions and service improvements, but the Court warned that "our conclusion could change" if the meters sent data more frequently or if law enforcement were given easier access to the data. EPIC has long warned about the privacy implications of the smart grid and filed an amicus brief in United States v. Carpenter, a recent Supreme Court case that recognized Fourth Amendment protections for cell phone location data.
Congressional Research Service: Kavanaugh Has a 'More Restrictive View' of the Fourth Amendment
The Congressional Research Service, has published a report regarding Supreme Court nominee Judge Kavanaugh's jurisprudence. The nonpartisan CRS provides policy and legal analysis to committees and Members of both the House and Senate, regardless of party affiliation. The CRS report discusses Judge Kavanaugh's potential impact on the Supreme Court if confirmed. According to the report, Judge Kavanaugh has a "more restrictive view" on the constitutional right to be free of unreasonable searches and seizures than other judges on the D.C. Circuit Court of Appeals. Notably in Klayman v. Obama, Judge Kavanaugh stated that the National Security Agency's suspicionless surveillance of the American public was "entirely consistent with the Fourth Amendment." The report also includes an Appendix with tables that summarizes his rate of concurring and dissenting opinions relative to other judges on the D.C. Circuit and how his opinions have fared when reviewed by the Supreme Court.
- Data collected by Trump's Kobach-led voter fraud commission is 'entirely deleted', The Kansas City Star, August 31, 2018
- The Zacks Analyst Blog Highlights: Alphabet, Amazon, Alibaba, Apple and JD.com, Yahoo Finance, August 30, 2018
- Advocacy Groups Urge Movement On Privacy Board Noms, Law360, August 30, 2018
- U.S.-Mexico Trade Pact Aims to Allow Banks to Move Data, Bloomberg, August 27, 2018
- What To Watch As Privacy Shield Data Pact Scrutiny Heats Up, Law360, August 23, 2018
- Google as an Outdoor Ad Player? The Industry Is Anticipating It, Morning Consult, August 23, 2018
- Bloke hurls sueball over Google's 'is it off yet?' location data slurping, The Register, August 22, 2018
- Class action filed against Google over location tracking, ABA Journal, August 22, 2018
- Before Using Birth Control Apps, Consider Your Privacy, WIRED, August 21, 2018
- Man sues over Google's "Location History" fiasco, case could affect millions, Ars Technica, August 21, 2018
- Google Tracks Users After It's Told To Stop, Consumer Says, Law360, August 21, 2018
- A Lawsuit Over Google's Sneaky Location Tracking Could Be a Game-Changer, Gizmodo, August 21, 2018
- Google's creepy location-tracking policy just landed the company a brand-new lawsuit, BGR, August 21, 2018
- A Lawsuit Against Google For Sneaky Location Tracking Impacts All of us, New18, August 21, 2018
- The Cybersecurity 202: Google's location tracking could bring scrutiny from Congress, regulators, Washington Post, August 20, 2018
- Facebook, Google Could Be Wild Cards In Privacy Law Fight, Law360, August 18, 2018
- EPIC tells FTC Google tracking violated 2011 order, ABC News, August 18, 2018
- EPIC Urges FTC To Fine Facebook Amid EU Data Row, Law360, August 17, 2018
- FTC Heeds Groups' Input In OK'ing Modified COPPA Program, Law360, August 16, 2018
- FTC's Facebook Finish Line, Politico Morning Tech, August 16, 2018
- What Happens to Privacy Shield Post-Brexit?, POLITICO Morning Tech, August 16, 2018
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.
Recent EPIC Publications
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Oral Argument in EPIC v. IRS (D.C. Cir. 17-5225). Sep. 13, 2018. U.S. Court of Appeals for the D.C. Circuit. John Davisson, EPIC Counsel.
Privacy, News, and the Future of Freedom of the Press. Sep. 27-28, 2018. Tulane Law School, New Orleans, LA. Marc Rotenberg, EPIC President.
AI, Ethics, and Fundamental Rights: A Public Voice Event. Oct. 23, 2018. Brussels, Belgium.
'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.
'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.
Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.
Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.
'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.