EPIC Alert 25.20

1. Universal Guidelines for Artificial Intelligence Announced in Brussels

The Universal Guidelines for Artificial Intelligence, the first human rights framework for AI, was announced in Brussels on October 23 at the Public Voice symposium "AI, Ethics, and Fundamental Rights."

The Universal Guidelines set out twelve principles to "inform and improve the design and use of AI": (1) the Right to Transparency; (2) the Right to Human Determination; (3) the Identification Obligation; (4) the Fairness Obligation; (5) the Assessment and Accountability Obligation; (6) the Accuracy, Reliability, and Validity Obligation; (7) the Data Quality Obligation; (8) the Public Safety Obligation; (9) the Cybersecurity Obligation; (10) the Prohibition on Secret Profiling; (11) the Prohibition on Unitary Scoring; and (12) the Termination Obligation.

The core purpose of the UGAI is to promote transparency and accountability for AI systems and to ensure that people and institutions retain control over the systems they create. The Guidelines are intended to maximize the benefits of AI, to minimize the risks, and to ensure the protection of human rights. Above all else, systems that impact the rights of people should do no harm.

The UGAI are intended to be incorporated into ethical standards, adopted in national law and international agreements, and built into the design of systems. The Guidelines include several well-established principles for AI governance and put forward new principles not previously found in similar policy frameworks. The UGAI explanatory memorandum discusses the context, terminology, application, and origin of the principles.

More than 200 experts and 50 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. Representatives from more than 30 countries supported the statement.

The Public Voice conference featured the data protection commissioners of France, Ireland, and the UK; the European Data Protection Board Chair; NGO leaders; and experts in AI. Professor Anita Allen delivered keynote remarks.

2. In Amicus Brief, EPIC Opposes Citizenship Question on 2020 Census

EPIC has filed an amicus brief in a case challenging the addition of a citizenship question to the 2020 Census. EPIC expressed support for the decennial tally of those in the United States but warned that "history has shown that personal data, collected by the government through the census, can threaten individual rights."

In March, the Department of Commerce revealed the Census Bureau's plan to collect citizenship information as part of the 2020 Census. A coalition of state and local governments sued the agency seeking to prevent the citizenship question from being added. The case is set to go to trial in November.

EPIC, in its brief, warned against the potential misuse of census data by other agencies. "Many Americans are justifiably fearful that their census responses will be used against them by other federal agencies, which can lead individuals to provide false or incomplete information," EPIC wrote. EPIC pointed to its 2004 FOIA lawsuit against the Department of Homeland Security, which revealed that the Census Bureau had provided DHS with data on Arab Americans after 9-11. EPIC's suit led the Census Bureau to revise its "sensitive data" policy for transfers to law enforcement and intelligence agencies.

EPIC also argued that the Census Bureau "entirely failed to address the security risks posed by collecting citizenship information" and violated the Bureau's legal obligation to conduct a thorough Privacy Impact Assessment before collecting new personal data. "The Bureau has not adequately justified the collection of citizenship information or shown that it has implemented the safeguards necessary to protect the data that it collects," EPIC wrote.

EPIC has long advocated for increased privacy protections for data collected through the census. Earlier this year, EPIC opposed the citizenship question in comments to the Census Bureau and a statement to Congress. EPIC also obtained Census Bureau documents through a FOIA request, including an email from Kris Kobach to Secretary Ross requesting the addition of the citizenship question "on the direction of Steve Bannon."

3. EPIC FOIA: Records Show DHS Ignored Privacy, First Amendment Threats of Media Monitoring Program

EPIC has obtained records concerning "Media Monitoring Services," a controversial DHS project to track journalists, news outlets, and social media accounts. The records, released in EPIC's FOIA lawsuit against the agency, reveal that the DHS bypassed the agency's own privacy officials and ignored the privacy and First Amendment implications of monitoring the coverage by particular journalists.

In April, the DHS put out a call for a contractor to develop Media Monitoring Services, which would give the agency the ability to track and analyze media coverage and store large volumes of personally identifiable information about journalists, bloggers, and social media users. The system would collect and retain personal data such "locations, contact information, employer affiliations, and past coverage."

The DHS's proposed media monitoring tools pose significant risks to privacy and threaten to chill the exercise of press freedoms. Within days of the agency's announcement, EPIC filed a Freedom of Information Act request seeking the Privacy Impact Assessment that the DHS was required by law to produce before developing any monitoring capabilities. When the agency failed to process EPIC's request, EPIC filed suit.

As a result of EPIC's lawsuit, the agency admitted that it did not conduct a Privacy Impact Assessment for the program, as required by law. The records newly obtained by EPIC also show that DHS privacy officials were unaware that a media monitoring program had even been launched until it was reported in the press.

EPIC has successfully obtained several Privacy Impact Assessments, including for a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to the collection of state voter data.

4. EPIC Files Amicus in Case Concerning Government Searches and Google's Email Screening Practices

EPIC has filed an amicus brief with the U.S. Court of Appeals for the Sixth Circuit in United States v. Miller, arguing that the government must prove the reliability of a Google email screening technique used to detect suspected child pornography.

Google uses a proprietary algorithm to routinely search Gmail accounts and files uploaded by users for images that contain what Google believes to be child pornography. Once images are detected, Google notifies the National Center for Missing and Exploited Children, which then forwards the report about individual Internet users to law enforcement. Although the Fourth Amendment prohibits unreasonable searches, the lower court held that the police were allowed to search images that Google flagged from the defendant's Gmail account.

EPIC explained that a search is unreasonable when—as in this case—the government fails to establish the reliability of the technique. "The sheer volume of data being subjected to these searches, including private files uploaded to cloud storage on the largest platforms, means that the risk of error in the identification or algorithmic matching of these images is significant," EPIC wrote. EPIC also warned that the government could use this technique "to determine if files contain religious viewpoints, political opinions, or banned books."

EPIC has long advocated for algorithmic transparency and routinely submits amicus briefs on the application of the Fourth Amendment to investigative techniques. EPIC previously urged the government to prove the reliability of investigative techniques in Florida v. Harris.

5. Rotenberg Addresses Role of Civil Society, Ethics at Commissioner's Conference

Speaking at a closing session of the 40th annual meeting of the Data Protection Commissioners in Brussels, EPIC President Marc Rotenberg emphasized the importance of civil society participation at the annual privacy conference. "This cannot be a conversation between governments and industry. Democratic legitimacy requires public participation," EPIC's Rotenberg said.

Mr. Rotenberg thanked European Data Protection Supervisor Giovanni Buttarelli and the Data Protection Commissioners for their support of The Public Voice and the work of civil society. Mr. Rotenberg also emphasized the importance of ethics to emerging challenges in data protection. "Ethics tells us not only what the law is, but also what the law should be," Mr. Rotenberg said.

Earlier in the week, the Public Voice announced the Universal Guidelines for AI, the first human rights framework for AI. Rotenberg described the development of the Guidelines, which set out twelve principles to "inform and improve the design and use of AI" and are "intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights."

More than 200 experts and nearly 50 NGOs have endorsed the Guidelines. EPIC has urged the U.S. National Science Foundation to adopt the Guidelines as a basis for U.S. policy and will continue to advocate for their widespread implementation.

EPIC Book Review: ‘The Known Citizen’

The Known Citizen: A History of Privacy in Modern America, by Sarah E. Igo

From colonial America to the present day, The Known Citizen traces a long history of laments over the supposed death of privacy in the United States. Indeed, author Sarah E. Igo suggests that many considered privacy dead as soon as the idea was first articulated. Inherent in these expressions of loss is the notion that there was something of value to begin with—that privacy was available and important, and now has slipped away. But as Igo recounts, Americans of different economic circumstances have not always enjoyed the same privacy rights to begin with.

On the one hand, Igo traces the age-old link between privacy and privilege. The ideal distilled by Warren and Brandeis—the right "to be let alone"—has in many ways been an entitlement unique to the upper classes throughout American history. It was this desire for privacy that helped shape post-war suburbia. Privacy was the luxury of a large house and a wide lawn, yet at the same time a mask for more invidious motives to flee urban centers.

But a different narrative emerges for low-income Americans. Beginning with New Deal, surrendering one's privacy was effectively a requirement of obtaining social assistance. From probing questions by social workers about the sexual habits of female welfare recipients to voyeuristic studies by sociologists determined to help poorer African American populations, access to government benefits has often come at the cost of divulging personal information. Whether this trade-off was a fair or consensual one was given little thought until the civil rights movement gained traction in the 1960s and 70s.

Still, despite new technological threats and a history of unequal access to privacy, Igo's book suggests that efforts to protect privacy are not in vain. Assaults on privacy are not new, and many of the ethical issues surrounding the commodification and use of personal data are centuries old. As The Known Citizen describes: although the cries that privacy is dead are oft-repeated, in truth they are calls to action.

—Ellen Coogan

News in Brief

Supreme Court Hears Arguments About Controversial Consumer Privacy Settlement

The U.S. Supreme Court heard arguments this week in Frank v. Gaos, a class action settlement case that provided no benefit to Internet users. Google disclosed user search histories to third parties without consent, a practice that could violate federal and state privacy laws. But under the terms of the settlement, Google "will not be required or requested to make any changes" to its business practices. Also, no funds were provided to the Internet users on whose behalf the case was brought. EPIC filed an amicus brief arguing that the settlement was not "fair, reasonable, and adequate." EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved the settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC and several consumer privacy organization objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to benefit consumers and Internet users.

EPIC Urges NSF to Establish Universal Guidelines as Basis for U.S. AI Policy

Following a petition from EPIC and leading scientific societies requesting the opportunity for public comment on national policies for Artificial Intelligence, EPIC submitted comments urging the National Science Foundation to adopt the Universal Guidelines for Artificial Intelligence, and to promote and enforce the UGAI across funding, research, and deployment of US AI systems. Over 200 experts and 50 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines for Artificial Intelligence. The Guidelines outline rights to transparency and human determination, obligations for identification, fairness, accountability, validity, data quality, public safety, cybersecurity, termination, and prohibitions on secret profiling and unitary scoring. EPIC said that UGAI should shape the National AI Strategic Planfor the United States.

EPIC FOIA: National Archives Finds More Kavanaugh E-mails on Surveillance Programs

The National Archives has found hundreds of e-mails about Justice Kavanaugh's role in controversial White House surveillance programs, including warrantless wiretapping and passenger profiling. Following EPIC's Freedom of Information Act lawsuit, the agency found hundreds of Kavanaugh email messages about the wiretapping program from 2003. Kavanaugh also exchanged 95 e-mail messages about the controversial renewal in 2004, which the Attorney General and FBI Director opposed. There are also 573 Kavanaugh email messages about "Lichtblau" and "Risen" prior to the New York Times expose on the warrantless wiretapping program. The National Archives also found more than 8,000 e-mails that Kavanaugh sent or received about passenger profiling programs. Prior to the nomination hearing, EPIC warned that Kavanaugh, both as a White House legal advisor and then as a federal appellate judge, showed little regard for the constitutional privacy rights of Americans.

EPIC v. FTC: EPIC Obtains Facebook-FTC Emails About 2011 Consent Order

In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Following a detailed complaint by EPIC and other consumer privacy organizations, the FTC issued an order in 2011 that required biennial audits of Facebook's privacy practices. EPIC pursued public release of these reports and related emails to understand why the FTC failed to bring an enforcement action against the company. In the FTC's latest round of disclosures, the Commission released to EPIC 89 emails between the FTC and Facebook from the years 2011, 2012, 2013, 2014, 2015, 2016, 2017, and 2018. In March 2018, following the Cambridge Analytica data breach, the FTC announced it was reopening the Facebook investigation. To date, there is still no announcement, no report, and no fine.

European NGOs Launch GDPR Campaign

EDRi, a powerful association of European NGOs, launched a campaign to implement the EU General Data Protection Regulation. GDPR Today is an online hub reporting the latest developments in data protection. "The initiative will prioritise building knowledge around legal guidelines and decisions, data breaches, new codes of conduct, tools facilitating individuals' exercise of rights, important business developments and governmental support for data protection authorities," EDRi explained. EPIC recently encouraged US firms to comply with the GDPR, and advised the UK Information Commissioner's Office on Data Protection Impact Assessments and GDPR implementation. The 2018 Privacy Law Sourcebook also includes the full text of the GDPR.

Federal Trade Commission Approves Settlement with Uber

The Federal Trade Commission finalized a settlement with Uber after the company failed to implement reasonable security measures and allowed employees to access customers' personal information. Because of Uber's lax security practice, the company was breached twice, exposing vast amounts of sensitive information. The settlement follows on the heels of Uber's settlement with the attorneys general of all fifty states and the District of Columbia for failing to notify users of Uber's second breach in 2016. EPIC wrote to the FTC in May, urging the Commission to strengthen its existing settlement with Uber. The Commission responded directly to several of EPIC's suggestions, which included mandating cybersecurity and privacy requirements. Commissioner Chopra also agreed with EPIC that "the Commission should make required audits and assessments public." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to a previous FTC settlement with Uber. EPIC has also proposed a privacy law for Uber and other similar transportation companies.

Professor Allen Backs AI Universal Guidelines at Press Event in Brussels

Professor Anita Allen expressed support for the Universal Guidelines for AI at a press conference in Brussels. Allen called attention to the fairness, transparency, and accountability guidelines as foundational ethical principles. More than 220 experts and NGOs have endorsed the UGAI. Allen also called for a comprehensive privacy law in the US, noting that US law is "outdated." Allen spoke on a panel with Tristan Harris, Elizabeth Denham, Tim Berners Lee, and Pascale Fung, organized by the European Data Protection Supervisor.

In Brussels, Professor Allen Addresses Ethics and Law

Professor Anita Allen delivered a moving keynote address last week at the Privacy Commissioners Conference. Allen spoke about ethics as the "basis of character and moral life." And she described the coexistence of law and ethics. "Ethics are respected as the ideal foundation of law and professional standards." Allen published an essay recently in New Europe entitled "Why Ethics Now?" Allen is a member of the EPIC board of directors and a recipient of an EPIC Lifetime Achievement award. She is the author of several books, including Privacy Law and Society.

Tim Cook Calls for 'Comprehensive' Federal Privacy Law

Apple CEO Tim Cook (@tim_cook) delivered an impassioned speech last week at the Commissioners Conference in Brussels. Cook said, "Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies." Cook warned, "Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false. This crisis is real. It is not imagined, or exaggerated, or crazy." Cook endorsed the GDPR and called for comprehensive privacy legislation in the US. Tim Cook received the EPIC Champion of Freedom Award in 2015.

Buttarelli Opens Commissioners Conference: 'Put Dignity Back Into Digital'

Giovanni Buttarelli, the European Data Protection Supervisor, delivered the opening speech of the Privacy Commissioners Conference, "Choose Humanity: Putting Dignity back into Digital." Buttarelli said "we need to establish a sustainable ethics for a digital society." The privacy commissioners have adopted new resolutions on Artificial Intelligence, E-Learning, Collaboration with Consumer Protection Authorities, and Building Effective Privacy Networks.

Federal Appeals Court: No Copyright for Public Law

A federal appeals court has ruled that Georgia cannot copyright any part of the state's code of laws. Georgia had previously charged citizens as much as $400 to access official "annotations" to the code, which establish the meaning of the state's laws. But the appeals court ruled that "the People are the owners of these works, meaning that the works are intrinsically public domain material and, therefore, uncopyrightable." EPIC has long advocated for public access to court documents and other sources of law. In 2015, EPIC called on federal agencies to make statutes, regulations, adjudications, and relevant court documents freely available on agency websites.

EPIC in the News

• Groups Ask FTC To Probe Children's Apps Over Ad Practices, Law360, October 31, 2018
• EPIC v. National Archives, Daily Dot, October 30, 2018
• Uber Finalizes Privacy Settlement With FTC, MediaPost, October 29, 2018
• EPIC calls on U.S. government to adopt universal AI guidelines to protect safety, security and civil liberties, TechCrunch, October 29, 2018
• Google it: Supreme Court tackles class action settlement that left nothing for millions of online customers, USA TODAY, October 29, 2018
• FTC Pushed to Investigate Marketing in Android Kids Apps, MultiChannel, October 29, 2018
• Judges: Georgia can't copyright its laws, WND, October 27, 2018
• Apple appears to have blocked GrayKey iPhone hacking tool, Computerworld, October 26, 2018
• The Future of Student Data Privacy, POLITICO Morning Education, October 25, 2018
• Take two ads twice a day – how smart devices mean there's always a doctor in the house, WARC, October 25, 2018
• This Thermometer Tells Your Temperature, Then Tells Firms Where to Advertise, New York Times, October 23, 2018
• Google Urges Judge To Dismiss Suit Over Location Tracking, MediaPost, October 23, 2018
• Sen. Markey: Kids Need Online Privacy 'Constitution', Multichannel News, October 18, 2018

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

'Privacy in Context: Critically Engaging With Theory to Guide Privacy Research and Design.' Nov. 3, 2018. ACM Conference on Computer-Supported Cooperative Work and Social Computing, New York, NY. Lorraine Kisselburgh, EPIC Scholar in Residence.

'Going Digital.' Nov. 12-13, 2018. Working Party on Security and Privacy in the Digital Economy, OECD, Paris. Marc Rotenberg. EPIC President.

Internet Governance Forum 2018. Nov. 14, 2018. UNESCO, Paris. Marc Rotenberg, EPIC President.

Panel: 'How Should Engineering Professionals Respond to the Rapid Deployment of AI in Our Society?' Nov. 14, 2018. IEEE International Symposium on Technology and Society, Washington, DC. Lorraine Kisselburgh, EPIC Scholar in Residence.

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.