EPIC Alert 25.19

EPIC Alert logo

1. In EPIC Suit, National Archives Identifies Thousands of Kavanaugh E-mails on Surveillance Programs

In response to EPIC's Freedom of Information Act suit, the National Archives has now identified thousands of additional records concerning Justice Kavanaugh's role in controversial White House surveillance programs that were later suspended, curtailed, or modified by Congress, including warrantless wiretapping and the Patriot Act. The National Archives will eventually release these records to the public as a result of EPIC's lawsuit.

The latest search results from the National Archives reveal that Kavanaugh received 183 messages from John Yoo, the architect of the warrantless wiretapping program, during a critical period between September 1, 2001, and February 1, 2002. The Archives also found that Kavanaugh received 1,988 e-mails including the terms "surveillance" or the "Patriot Act" and 754 e-mails concerning "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), and the "Privacy Act." A previous Archives search revealed that Kavanaugh himself sent 11 e-mails to John Yoo during that period and hundreds of other e-mails concerning the same key terms.

"The fact that [Kavanaugh] appears to have had so many conversations about warrantless wiretapping when he denied, under oath, seeing anything related to President Bush's warrantless wiretapping program raises even more questions," Sen. Leahy's office said in response to the developments in EPIC's case. "If this process were designed to find the truth we would have answered those questions before we rushed to a vote with decades-long consequences."

Prior to the nomination hearings, EPIC had warned that Kavanaugh, both as a White House legal advisor and then as a federal appellate judge, showed little regard for the constitutional privacy rights of Americans. In a second letter, EPIC urged postponement of the Senate vote, pending release of Kavanaugh's White House documents on surveillance.

EPIC filed suit against the National Archives on September 17. The lawsuit followed NARA's failure to process two urgent EPIC FOIA requests for the records. EPIC then moved for a preliminary injunction so that the records could be made available prior to the Senate votes on the nominee. EPIC withdrew its preliminary injunction when the Archives agreed to search for documents responsive to EPIC's requests.

2. Consumer and Privacy Organizations Propose Framework for U.S. Data Protection

EPIC recently joined with eleven consumer and privacy organizations in a statement to the Senate Commerce Committee on consumer privacy.

In the statement, the groups outlined a draft framework for data protection in the United States and proposed that Congression should: (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) require algorithmic transparency and end discriminatory profiling; (4) prohibit "take it or leave it" and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a new federal data protection agency.

EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the Federal Trade Commission's failure to enforce its own consent orders. EPIC highlighted the data protection "crisis" ongoing in the United States, explaining that the current federal enforcement system is "badly broken."

The consequences of the Commission's failure to act were made clear in a related case. EPIC, through a Freedom of Information Act lawsuit, obtained emails from the FTC showing that the Commission was concerned that required Facebook privacy audits did not address key privacy concerns after the company's acquisition of WhatsApp. Despite this, the FTC took no further action against Facebook and allowed the company to gain access to the personal data of WhatsApp users.

3. EPIC Files Appeals with D.C. Circuit, Seeks Release of 'Predictive Analytics Report'

EPIC has appealed a federal district court decision in order to obtain the release of a secret "predictive analytics report" from the Department of Justice. The DOJ report, prepared for the White House in 2014, is one of hundreds of records the agency has withheld concerning the use of algorithms in the criminal justice system.

EPIC sued the agency in 2017 under the Freedom of Information Act to obtain records about "risk assessment" tools. These controversial techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. In particular, EPIC sought a U.S. Sentencing Commission report requested by Attorney General Eric Holder about the use of risk assessment tools in criminal sentencing.

As a result of EPIC's lawsuit, the DOJ admitted that the Sentencing Commission had failed to generate the requested report. But EPIC did obtain DOJ emails revealing the existence of a different, previously unknown report on "predictive policing." The DOJ refused to disclose the report itself, asserting the "presidential communications privilege."

In August, a federal district court ruled that the report was protected by the presidential communications privilege—even though the D.C. Circuit Court of Appeals and the Supreme Court have never permitted a federal agency to invoke that privilege in a FOIA case. EPIC has now appealed that decision, and the D.C. Circuit is likely to hear EPIC's case next year.

EPIC has long advocated for algorithmic transparency and has pursued numerous FOIA cases concerning passenger risk assessment, "future crime" prediction, and proprietary forensic analysis.

4. EPIC Urges Removal of Citizenship Question on 2020 Census

In advance of a recent nomination hearing for the Census director, EPIC sent a statement to the Senate Homeland Security & Government Affairs Committee urging the U.S. Census Bureau to suspend the planned citizenship question on the 2020 Census until a Privacy Impact Assessment is conducted. EPIC also opposed the citizenship question in recent comments to the Census Bureau.

"The Census is an essential part of understanding the changing demographics in America," EPIC told the Committee. "However, it is of the utmost importance the individual privacy is respected. Every effort must be taken to ensure that the personal information of individuals and that census data is not used improperly." EPIC explained that the Census Bureau had failed to account for the privacy risks raised by the citizenship question and urged that the Bureau conduct a new Privacy Impact Assessment, as required by law.

EPIC also warned that allowing the Department of Justice to use census data for law enforcement purposes would "undermine the integrity, accuracy, and reliability of the census." Although federal law generally prohibits census data from being used for nonstatistical purposes, census data has been misused in the past. In 2004, EPIC uncovered documents revealing that, after 9/11, the Census Bureau provided the Department of Homeland Security with statistical data on people who identified themselves on the 2000 census as being of Arab ancestry.

"The decennial census was never intended to be a catch-all data collection to assist other federal agencies," EPIC told the Committee. "In fact, the statutes concerning the privacy of census data are meant to expressly prohibit this. If the Census Bureau gets into the business of collecting data because it will assist other federal agencies enforce laws, it will be difficult to stay true to its constitutional purpose of conducting impartial statistical analysis."

EPIC has consistently advocated for increased privacy in government data collection and has maintained that census data should never be used for law enforcement or intelligence purposes. EPIC filed a FOIA request that revealed documents (part 1, part 2, part 3, part 4) concerning Commerce Secretary Wilbur Ross and the citizenship question.

5. EPIC FOIA: EPIC Obtains ‘Secure Flight’ Documents

In response to an EPIC Freedom of Information Act request, the Transportation Security Administration has released records about Secure Flight, a program that compares airline passenger records with various watch lists.

The documents provided to EPIC contain an interagency agreement between the TSA and Customs and Border Protection, as well as related documents about Secure Flight. During the processing of EPIC's request, the TSA destroyed over a hundred pages of responsive records "due to the records disposition schedule."

EPIC submitted the FOIA request in June 2012 in response to a Privacy Impact Assessment which stated that the TSA maintains a list of people not qualified to receive TSA Pre-Check status. The Assessment also revealed that the TSA works with Customs and Border Patrol to create a list of travelers selected for enhanced screening using the CBP's Automated Targeting System.

In July, news reports revealed that under a Secure Flight program known as Quiet Skies, federal air marshals are tracking and observing travelers in airports and on flights. EPIC submitted a Freedom of Information Act request to the TSA seeking more information about Quiet Skies.

EPIC has testified before Congress and published a "Spotlight on Surveillance" report about the Watchlist Program. For more information, see EPIC: Passenger Profiling and EPIC: Air Travel Privacy.

News in Brief

EPIC Publishes 'Privacy Law Sourcebook 2018'

EPIC proudly announces the 2018 edition of the Privacy Law Sourcebook, the definitive reference guide to US and international privacy law. The Privacy Law Sourcebook is an edited collection of the primary legal instruments for privacy protection in the modern age, including United States law, International law, and recent developments. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The EPIC Privacy Law Sourcebook also includes the full text of the GDPR. EPIC will make the Privacy Law Sourcebook freely available to NGOs and human rights organizations. EPIC publications and the publications of EPIC Advisory Board members are available at the EPIC Bookstore.

EPIC v. FTC: EPIC Obtains Emails about Facebook Audits

In response to EPIC's Freedom of Information Act lawsuit, the FTC has released communications about Facebook's biennial audits. The audits are required by the FTC's 2011 Consent Order with Facebook, which followed a detailed complaint by EPIC and other consumer privacy organizations. The emails show that the FTC had concerns about the scope of Facebook's 2015 assessment, stating "PwC's report does not demonstrate whether and how Facebook addressed the impact of acquisitions on its Privacy Program." In other email, the FTC expressed similar concerns about the 2017 assessment and whether the audit evaluated the company's acquisitions impact on Facebook's privacy program. EPIC had previously opposed Facebook's acquisition of WhatsApp and submitted detailed comments for the FTC's review of the merger remedy process. In March 2018, following the Cambridge Analytica breach, the FTC announced it was reopening the Facebook investigation, but still there is no announcement, no report, and no fine.

Registration Opens for Public Voice Symposium on AI and Ethics

EPIC and the Public Voice, a coalition of civil society organizations, will host a symposium in Brussels on AI and ethics on October 23, 2018. Speakers for "AI, Ethics, and Fundamental Rights" include Professor Anita Allen, European Data Protection Board Chair Andrea Jelinek, UK Information Commissioner Elizabeth Denham, Irish Data Protection Commissioner Helen Dixon, NGO leaders, human rights advocates, and experts in Artificial Intelligence. EPIC has provided Public Voice Scholarships to support NGO participation in the International Conference of Data Protection and Privacy Commissioners, which follows the Public Voice symposium. Registration is now open for the Public Voice symposium. Email brussels18@thepublicvoice.org with full name and affiliation to register. EPIC will also provide copies of the 2018 Privacy Law Sourcebook to symposium participants.

EPIC, Coalition Warn Australian Bill Would Weaken Encryption

EPIC and a coalition of civil society organizations told the Australian Parliament that pending legislation would weaken digital security and increase the risks to human rights. The proposal is one of several that promotes weak encryption for digital services. In 2016, Apple refused a demand by the FBI to redesign iPhones to enable law enforcement access. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case.

U.S. Senate Confirms EPIC Advisory Board Member Ed Felten to PCLOB

The Senate last night confirmed Advisory Board Member Ed Felten to serve on the Privacy and Civil Liberties Oversight Board. Professor Felten is a former Chief Technology Officer for the FTC and former Deputy White House Science Advisor. Felten's confirmation, along with two others, establishes a quorum for the long dormant agency but still leaves key nominees pending. EPIC and others have urged the Senate to fill the vacant PCLOB seats. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the Champion of Freedom Award.

EPIC Tells Senate U.S. Faces Data Protection 'Crisis'

In advance of a hearing on consumer privacy, EPIC told the Senate Commerce Committee that America is facing a data protection "crisis." EPIC highlighted recent breaches at Google and Facebook, coupled with the FTC's failure to enforce its own consent orders, and said the system is "badly broken." EPIC also noted that more than six months have passed since the FTC said it would investigate Cambridge Analytica, "but still there is no report, no outcome, and no fine." EPIC joined a coalition of 28 consumer privacy groups in a letter to the Senate Commerce Committee, endorsing "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." In its statement, EPIC told the Committee, "The FTC's failure to enforce consumer privacy safeguards has led not only to diminished data protection in the United States, but also to less innovation and less competition among Internet services."

International Privacy Convention Open for Signature

The Council of Europe has opened for signature updates to Convention 108, the international Privacy Convention. Among other changes, the modernized Convention requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights, including algorithmic transparency. Twenty-one nations have signed the treaty. Many more are expected to sign. EPIC and consumer coalitions have urged the United States to ratify the international Privacy Convention. The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the EPIC Bookstore.

Inspector General Report: Airport Facial Recognition Faces Technical Problems

A Department of Homeland Security Inspector General report highlighted many challenges to facial recognition at airports. The problems of accurate biometric matches apply to all travelers, and particularly U.S. citizens. According to the Inspector General's report, "U.S. citizens accounted for the lowest biometric confirmation rate." A report obtained by EPIC last year through a Freedom of Information Act lawsuit revealed that iris imaging and facial recognition for border control did not perform at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards.

International Privacy Experts Adopt Recommendations for Connected Vehicles

The International Working Group on Data Protection adopted new recommendations to protect privacy as vehicles become increasingly connected. The Berlin-based Working Group includes data protection authorities who assess emerging privacy challenges. As cars today connect both to the Internet and other vehicles "more and more personal data will be collected and processed by the vehicles and will become accessible to third parties," the Working Group paper explains. The Working Group recommended that vehicle sensors not store personal data of persons outside the vehicle, allow drivers to opt out of non-essential data collection, and minimize personal data collection. In comments to NHTSA, EPIC called for national safety standards for connected cars. EPIC also underscored the privacy risks of modern vehicles in a recent amicus brief to the Supreme Court. In 2017, EPIC hosted a meeting of the IWG in Washington, D.C. at the Goethe-Institut.

FAA Funding Bill Passed by Senate Ignores Drone Surveillance Risks

The Senate has passed legislation to reauthorize the FAA and expand drone integration, but the bill ignores pressing concerns about the privacy impact of drones. A previous version of the bill included privacy protections originally proposed by Sen. Markey and Rep. Welch in the Drone Aircraft Privacy and Transparency Act. The version passed by the House and Senate only requires a report on drone surveillance risks but does not establish any baseline privacy safeguards. The bill now goes to the President's desk. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities. EPIC sued the FAA to establish privacy rules for drones, after more than 100 experts and organizations petitioned the agency.

Tim Cook to Keynote International Data Protection Conference

Apple CEO Tim Cook, an EPIC Champion of Freedom, will deliver the keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels on October 24. European Data Protection Supervisor Giovanni Buttarelli said, "Tim has been a strong voice in the debate around privacy, as the leader of a company which has taken a clear privacy position, we look forward to hearing his perspective." The theme of the International Conference is "Debating Ethics: Dignity and Respect in Data Driven Life." EPIC and the Public Voice are organizing a related symposium, "The Public Voice: AI, Ethics, and Fundamental Rights." Speakers include the European Data Protection Board Chair Andrea Jelinek, UK Information Commissioner Elizabeth Denham, NGO leaders, human rights advocates, and experts in Artificial Intelligence. EPIC has provided Public Voice Scholarships to support NGO participation.

California Bans Anonymous Bots, Regulates Internet of Things

California Governor Jerry Brown recently signed two modern privacy laws, including a first in the nation law governing the security of the Internet of Things. SB327 sets baseline security standards for IoT devices. EPIC recently submitted comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (Algorithmic Transparency) and that robots reveal their actual identity.

Federal Government Issues Intrusive Presidential Emergency Alert

The Department of Homeland Security and FCC recently conducted a controversial test that allows the President to suspend cell phone service and communicate directly with cell phone subscribers in the United States. Cell phone users cannot opt out of the test, and the President has sole authority to determine when the alert will be activated. The system uses the same special tone and vibration as with alerts for Tornado Warnings and AMBER Alerts. In 2006, the Department of Homeland Security established a secret procedure - "SOP 303" - to suspend cell phone services. EPIC sued the agency after government officials disabled wireless service during a peaceful protest at a San Francisco metro station in 2011.

Government Report: Border Drones Lack Effective Privacy Safeguards

An Inspector General report has found that a federal agency failed to establish privacy safeguards for sensitive drone communications. Customs and Border Control did not complete a privacy threshold analysis and sidestepped review by the agency privacy office. According to the IG report, the CBP also collected and stored surveillance data that "remained unprotected for more than 2 years." Through a Freedom of Information Act lawsuit, EPIC obtained a related CBP directive on Unmanned Aircraft System Operations and Privacy. In a recent statement to Congress, EPIC highlighted the unique threat drones pose to privacy and said that the Congress should "establish drone privacy safeguards that limit the risk of public surveillance" before granting new authority to federal agencies.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

COPPA - Protecting Children's Privacy Online for 20 Years. Oct. 17, 2018. Center for Digital Democracy, Senate Russell Office Building, Washington, DC. Marc Rotenberg. EPIC President.

AI, Ethics, and Fundamental Rights: A Public Voice Event. Oct. 23, 2018. Brussels, Belgium. Eleni Kyriakides, EPIC International Counsel

'Debating Ethics: Dignity and Respect in Data Driven Life.' Oct. 24, 2018. 40th International Conference of Data Protection and Privacy Commissioners, Brussels, Belgium. Marc Rotenberg, EPIC President.

Panel: Interpreting COPPA - Key Questions & Challenges. Oct. 24, 2018. COPPA at 20: Protecting Children's Privacy in the New Digital Era, Georgetown University Law Center, Washington, DC. Christine Bannan, EPIC Consumer Protection Counsel.

Cyber Security: Trends and Challenges for Organizations. Oct. 25, 2018. New York, NY. Caitriona Fitzgerald, EPIC Policy Director.

Panel: New Rules for Your Data - Changes in Consumer Privacy Regulation. Oct 31, 2018. The Catholic University of America Columbus School of Law, Washington, DC. Christine Bannan, EPIC Consumer Protection Counsel.

'Privacy in Context: Critically Engaging With Theory to Guide Privacy Research and Design.' Nov. 3, 2018. ACM Conference on Computer-Supported Cooperative Work and Social Computing, New York, NY. Lorraine Kisselburgh, EPIC Scholar in Residence.

'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.

Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.

Panel: 'How Should Engineering Professionals Respond to the Rapid Deployment of AI in Our Society?' Nov. 14, 2018. IEEE International Symposium on Technology and Society, Washington, DC. Lorraine Kisselburgh, EPIC Scholar in Residence.

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

Share this page:

Defend Privacy. Support EPIC.
EPIC Mueller Report book
US Needs a Data Protection Agency