EPIC Alert 25.18
EPIC Alert 25.18 - October 1, 2018
- Senate Committee Recommends Kavanaugh’s Nomination With White House Records on Mass Surveillance Still Secret
- Following EPIC Petition, National Science Foundation Seeks Public Comment on AI Policy
- EPIC Urges Senate to Include Consumer Privacy Advocates in Hearings on Consumer Privacy
- NTIA Seeks Comments on 'Desired Outcomes' Framework for Privacy Protection
- EPIC Opposes State Department Inspection of Visa Applicants' Social Media and Communications Records
- EPIC Book Review: 'Click Here to Kill Everybody'
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
1. Senate Committee Recommends Kavanaugh’s Nomination With White House Records on Mass Surveillance Still Secret
The Senate Judiciary Committee voted last week to recommend Judge Brett Kavanaugh's Supreme Court nomination for a full Senate vote, even as records of Kavanaugh's White House role in the Patriot Act, warrantless wiretapping, and other programs of mass surveillance remain secret. EPIC has filed a Freedom of Information Act lawsuit against the National Archives for release of these records so that they can be made available prior to Senate consideration of the nominee.
During Kavanaugh's time in the White House, the Bush administration developed several surveillance programs directed toward the American public. When these programs were made public, they were revised or scrapped. Recently released documents indicate that Kavanaugh helped draft President Bush's speech on the Patriot Act and communicated with John Yoo, architect of the warrantless wiretapping program, about the legal justification for such a program. But the vast majority of Kavanaugh's White House record remains secret. Further releases would explain the extent of Kavanaugh's role in developing and defending mass surveillance.
On September 17, EPIC filed a FOIA lawsuit against the National Archives for release of Kavanaugh's White House records related to mass surveillance. The lawsuit followed the National Archives' failure to process two urgent Freedom of Information Act requests for the records. EPIC then moved for a preliminary injunction so that the records could be made available prior to the Senate votes on the nominee. The National Archives is currently searching for the records requested by EPIC.
In an earlier statement to the Senate Judiciary Committee, EPIC warned that Kavanaugh, both as a top-level White House aide and then as a federal appellate judge, has shown little regard for the Constitutional privacy rights of Americans. In Klayman v. Obama, he backed the warrantless collection of the telephone records of all Americans under the "special needs" doctrine, a view endorsed by no other judge in the federal judiciary. In a second letter, EPIC urged postponement of the Senate vote, pending release of Kavanaugh's White House records. A full Senate vote has been delayed pending the completion of an FBI investigation into sexual assault claims against Judge Kavanaugh.
2. Following EPIC Petition, National Science Foundation Seeks Public Comment on AI Policy
The National Science Foundation recently announced that it is seeking public comment on U.S. policy for artificial intelligence. The decision follows a petition by EPIC, leading scientific organizations including AAAS, ACM, FAS, and IEEE, and nearly 100 experts calling for public participation in the work of the White House Select Committee on Artificial Intelligence.
In May, the White House's Select Committee held its inaugural meeting in secret with government agencies and federal officials. In the secret meeting, several key AI challenges—such as accountability, transparency, ethics, and fairness—were ignored. In response, EPIC and coalition partners filed a petition for public involvement. EPIC also urged the Senate Commerce Committee to ensure public participation in U.S. AI policy.
Last week, NSF announced that it would seek public comment on whether the National Artificial Intelligence Research and Development Strategic Plan should be revised. The Strategic Plan sets out objectives for federally-funded AI research, including addressing ethical and legal issues of AI, ensuring safety and security in AI systems, and using consistent standards to evaluate AI technologies.
The Select Committee was formed under the National Science and Technology Council to advise the President and coordinate AI policies between federal agencies. According to the NSF, public comments will inform the Select Committee's work as it updates the Strategic Plan. Comments are due to NSF by October 26.
EPIC has long fought for transparency and accountability in the use of AI. EPIC launched an international campaign for Algorithmic Transparency in 2015 and has pursued several related criminal justice FOIA cases and FTC consumer complaints. EPIC is also hosting a Public Voice conference in Brussels on "AI, Ethics, and Fundamental Rights."
3. EPIC Urges Senate to Include Consumer Privacy Advocates in Hearings on Consumer Privacy
The Senate Commerce Committee held a hearing last week on "Examining Safeguards for Consumer Data Privacy." Though the hearing purported to focus on providing answers to consumers, the panel of witnesses came exclusively from industry and failed to include any consumer privacy advocates. Instead, executives from Google, Twitter, Amazon, Apple, Charter, and AT&T were given an opportunity to discuss their policy desires unopposed. The hearing followed on the heels of a recent Federal Trade Commission hearing on consumer protection that also failed to include any experts on digital privacy.
Prior to the hearing, EPIC joined nearly thirty consumer privacy organizations in a letter asking the Committee to invite consumer privacy advocates to the hearing and to schedule additional hearings on the subject. EPIC also sent a statement in which it expressed "deep concern that not a single consumer group was invited to testify at this week's hearing." EPIC President Marc Rotenberg published an op-ed with consumer advocate Ralph Nader arguing that "the framing of the discussion, without the consumer voice, reflects the assumptions and biases of the industry."
"There are many reasons why it is so vital that public institutions, such as the FTC and the Senate Commerce Committee, ensure the participation of consumer advocates in the debate over the future of privacy protection," Rotenberg and Nader wrote. "Change is taking place quickly and it is consumer advocates who are in the best position to advise policy makers. The alternative, which we are now witnessing, is a backward-looking justification of ineffective policies or an invitation to industry to design the regulations it would favor."
In response to EPIC's concerns, Chairman John Thune agreed to hold additional hearings where consumer advocates will testify. EPIC will continue to advocate for a process that respects consumer rights and includes all relevant voices and opinions.
4. NTIA Seeks Comments on 'Desired Outcomes' Framework for Privacy Protection
The National Telecommunications and Information Administration—the agency that advises the White House on telecommunications and information policy—released a proposed framework for consumer privacy. The NTIA framework outlines seven "desired outcomes" for the processing of personal data: (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. The NTIA framework is similar to many Fair Information Practices frameworks, such as the OECD Privacy Guidelines, but does not outline a strategy for implementation and enforcement.
Today the United States experiences unprecedented levels of identity theft, financial fraud, and data breaches. The personal data of Americans, stored by U.S. firms, is also the target of foreign adversaries. European governments, which recently adopted the GDPR to safeguard personal data, have expressed growing concern about the lack of legal protections in the United States. The European Parliament voted recently to suspend Privacy Shield, an arrangement that permits the transfer of personal data of Europeans to the United States.
Along with the agency's list of "desired outcomes," the NTIA also released a set of "high-level goals" for federal action on consumer privacy. Those goals include incentivizing privacy research, ensuring legal clarity, and securing FTC enforcement.
In earlier comments to the NTIA, EPIC urged the agency to "pursue comprehensive data protection legislation that would strengthen privacy protections for Americans and create an independent agency to enforce those rights." Comments are due to the NTIA by October 26, 2018 and may be submitted by email to email@example.com. See the Federal Register for more information.
5. EPIC Opposes State Department Inspection of Visa Applicants' Social Media and Communications Records
In comments to the State Department, EPIC opposed changes to the visa application process that would allow the State Department to collect private social media identifiers, email addresses, and phone numbers for vetting purposes. The agency's plans to collect immigrant and nonimmigrant visa applicants' social media history and personal communications records raise substantial privacy, free expression and security concerns. EPIC urged the agency to retract these proposals.
"Government programs that threaten important First Amendment rights are immediately suspect and should only be undertaken where the government can demonstrate a compelling interest that cannot be satisfied in another way," EPIC wrote. "Government programs that scrutinize online comments, dissent, and criticism for the purpose of vetting visitors prior to entry into the U.S. send a chilling message to all users of social media—which increasingly provides important forums to share ideas, engage in debates, and explore new ideas."
EPIC also warned about the dangers of relying on algorithmic analysis of online speech and lack of algorithmic transparency in the visa application process. "It is difficult for algorithms to understand the complexity of language—sarcasm and slang are very difficult to detect," EPIC wrote. "The shortcomings of natural language processing could distort the results of an algorithm meant to classify statements by tone. Furthermore, the lack of algorithmic transparency amplifies these problems. If these algorithms are used to make decisions about someone's ability to enter the U.S., they should not be secret."
6. EPIC Book Review: 'Click Here to Kill Everybody'
Two centuries ago, The Modern Prometheus (better known as Frankenstein) inspired nightmares by showing how innovation can go horribly wrong. In 2018, cryptographer and privacy expert Bruce Schneier has detailed the many ways that technology can not only go wrong—but become deadly. For a book that might have been called The Post-Modern Prometheus, Schneier chose a more direct title: Click Here to Kill Everybody.
As our cars, toys, fitness trackers, planes, and power grids are increasingly placed under the control of software and embedded computer chips, we face ever-greater threats to our privacy, health, and safety. Thieves with basic hacking skills can disable home security systems and steal personal data with malware placed on home routers. Schneier predicts that it will soon be just as easy to commit murder over the internet by disabling an insulin pump or pacemaker. With a bit of high-level training, a terrorist could shut down a country's power grid upon command or start a global pandemic with a manipulated bioprinter.
Whereas Frankenstein created a monster he could not control from recycled limbs and flesh, computer scientists have used computer chips to build a creature that no one can control: "Internet+". Schneier coins the term to refer to the "system of [connected] systems" that "senses, thinks, and acts" by operating our IoT devices. Twenty years ago, we had to log on to access the internet. Today, Schneier shows how the internet interacts with us all the time—whether we're turning on the oven with our smartphone, using e-banking apps, or controlling air traffic through a database. If something goes wrong, it can bring headaches, financial ruin, or death.
Why has Internet+ become so dangerous? Schneier points to three key causes: the mass production of cheap computer chips and software with weak cybersecurity; the lack of a cohesive regulatory system over the IoT industry; and the development of a new global arms race, where the ability to manipulate technology equals power. To make matters worse, our need for larger, well-trained cybersecurity taskforces to make Internet+ more secure cannot keep up with growing demand for connected products—nor with the growth of new hacking technologies.
Not surprisingly, solutions to these problems are difficult to come by and even harder to enforce. Schneier has a variety of recommendations for all players involved, from consumers to tech developers. But Schneier underscores that government and industry have the greatest role to play in making Internet+ safer and more sustainable. Airplanes were once the most dangerous means of travel, yet they are now among the safest after decades of dedicated government regulation and heightened corporate accountability. The same is possible for Internet+.
–Spencer K. Beall
7. News in Brief
EPIC Opposes OMB FOIA Regs That Block Access to Public Information
In comments to the Office of Management and Budget, EPIC opposed changes to FOIA regulations that would create obstacles to those seeking access to public information. EPIC urged the agency to remove changes that would delay FOIA requests, increase request costs, and reduce agency accountability. The proposed rules also conflict with the federal law and cases that favor disclosure over withholding. EPIC routinely comments on agency proposals that affect the rights of FOIA requestors. Several agencies, including the Federal Trade Commission, the Privacy and Civil Liberties Oversight Board, and the Defense Logistics Agency have adopted EPIC's recommendations on proposed FOIA rule changes.
EPIC, Consumer Groups Urge Senate Commerce to Invite Privacy Witnesses to Privacy Hearing
EPIC joined a coalition of 28 consumer privacy groups in a letter to Senate Commerce Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in an upcoming hearing on consumer privacy. At this time, the Committee has invited AT&T, Amazon, Google, Twitter, Apple and Charter Communications. The consumer privacy groups wrote, "the absence of consumer representatives all but ensures a narrow discussion, focused on policy alternatives favored by business groups." Proposals endorsed by consumers include, "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." The groups also noted that a recent Harris survey found that "78 percent of U.S. respondents say a company's ability to keep their data private is 'extremely important,' but only 20 percent 'completely trust' organizations they interact with to maintain the privacy of their data."
EPIC Redials FCC, Urges Agency to Block Unlawful Robocalls
In comments to the FCC, EPIC has renewed its call to the agency to block unlawful robocalls. The FCC proposed a rule that would allow phone companies to block calls from numbers they know are invalid, such as numbers that have not been assigned to a subscriber. EPIC recommended that the FCC (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC previously filed comments in when the FCC proposed the rule, and has long advocated for robust telephone privacy protections. EPIC filed an amicus brief in 2015 that strengthened consumer protections.
Following Lax FTC Action, State AGs Fine Uber $148 Million in Data Breach Case
The attorneys general of all 50 states and the District of Columbia have settled their lawsuit with Uber for $148 million. The nationwide investigation found that Uber had violated data breach notification laws because the company paid a hacker $100,000 to keep quiet about the breach instead of notifying consumers that their information had been compromised. The settlement also requires Uber to adopt model data breach notification and data security practices, a corporate integrity program, and hire an independent third party to conduct data security assessments. After Uber made the breach public, EPIC wrote detailed comments to the FTC and the agency revised its settlement with the company. While EPIC supported the FTC's action, EPIC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber in 2015.
Indian Supreme Court Imposes New Limits on National Identity System
In a recent ruling, the Indian Supreme Court imposed new limits on Aadhaar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhaar to verify identity. Aadhaar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhaar data for national security purposes. The Court encouraged the state to establish "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhaar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement.
FAA Funding Bill Ignores Drone Surveillance Risks
Congress is considering legislation to reauthorize the FAA and expand drone integration, but the bill ignores pressing concerns about the privacy impact of drones. A previous version of the bill included privacy protections originally proposed by Sen. Markey and Rep. Welch in the Drone Aircraft Privacy and Transparency Act. The pending bill only requires a report on drone surveillance risks but does not establish any baseline privacy safeguards. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities. EPIC sued the FAA to establish privacy rules for drones, after more than 100 experts and organizations petitioned the agency.
8. EPIC in the News
- 50 million Facebook accounts were exposed: What we know, what you can do, USA TODAY, September 30, 2018
- FTC Could've Prevented Facebook Data Breach, EPIC President Rotenberg Says, Bloomberg, September 28, 2018
- What will a national data privacy law look like?, Federal Computer World, September 28, 2018
- States Stake Claim To Privacy Role With Uber Breach Pact, Law360, September 28, 2018
- FBI fitness app asks users to agree to 'all of their activities monitored and recorded', CNBC, September 28, 2018
- National Science Foundation Seeks Comments on Artificial Intelligence, Continuing Policy Makers' Focus on AI, JD Supra, September 28, 2018
- US Supreme Court Affirms Fourth Amendment in Rental Car Search, Steers Clear of Commercial Contract Limitation (Byrd v United States), Marc Rotenberg and Natasha Babazadeh, European Data Protection Law Review (September 26, 2018)
- White House Seeks Input On New Approach To Privacy Rules, Law360, September 26, 2018
- Amazon, Apple, Google and other companies say they'd support privacy laws — with a caveat, Los Angeles Times, September 26, 2018
- What's Left for Congress to Ask Big Tech Firms? A Lot, WIRED, September 25, 2018
- Consumer Voices Needed in US Privacy Debate, Ralph Nader and Marc Rotenberg, Nader.org, September 24, 2018
- Opinion: Giving TSA facial-recognition software isn't worth a faster security line, MarketWatch, September 24, 2018
- Just Don't Call It Privacy, New York Times, September 22, 2018
- Google Admits That It Lets Outside Services Share Your Gmail Data, Fortune, September 21, 2018
- Big life insurer shifts to activity tracking in health push, France 24, September 21, 2018
- Don't Weaken Autodialing Rules, Consumer Groups Tell FCC, Law360, September 21, 2018
- Fight looms over national privacy law, The Hill, September 20, 2018
- Google Says It Continues to Allow Apps to Scan Data From Gmail Accounts, Wall Street Journal, September 20, 2018
- Consumer groups voice 'surprise and concern' over Senate privacy hearing snub, POLITICO, September 19, 2018
- Corporate Tech Giants Invited, But Consumer Advocacy Groups Shut Out of Senate Hearing on Data Privacy, Common Dreams, September 19, 2018
9. EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC Publications
The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)
The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
10. Upcoming Conferences and Events
Guest Lecture on the Freedom of Information Act. Oct. 2, 2018. Archival Methods, Georgetown University, Washington, DC. Enid Zhou, EPIC Open Government Counsel.
MFIA Access and Accountability Conference, Oct. 12–13, 2018. Yale Law School. Jeramie Scott, EPIC National Security Counsel.
AI, Ethics, and Fundamental Rights: A Public Voice Event. Oct. 23, 2018. Brussels, Belgium. Eleni Kyriakides, EPIC International Counsel.
'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.
'Privacy in Context: Critically Engaging With Theory to Guide Privacy Research and Design.' Nov. 3, 2018. ACM Conference on Computer-Supported Cooperative Work and Social Computing, New York, NY. Lorraine Kisselburgh, EPIC Scholar in Residence.
'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg, EPIC President.
Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.
Panel: 'How Should Engineering Professionals Respond to the Rapid Deployment of AI in Our Society?' Nov. 14, 2018. IEEE International Symposium on Technology and Society, Washington, DC. Lorraine Kisselburgh, EPIC Scholar in Residence.
Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.
CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.
'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.