EPIC Alert 25.22

1. EPIC Files Suit to Block Census Citizenship Question

EPIC has filed a federal lawsuit to block the addition of a citizenship question to the 2020 Census. EPIC charged that the Census Bureau failed to complete multiple Privacy Impact Assessments, as required by law. The Bureau abruptly added the citizenship question earlier this year but did not assess the privacy impact on census respondents, who are legally obligated to answer all questions.

The collection of citizenship data poses unique threats to privacy, personal security, and the accuracy of the census. As EPIC explained in its complaint, "The citizenship question would compel the release of respondents' citizenship and immigration status, potentially exposing individuals and their family members to investigation, sanction, and deportation."

EPIC's lawsuit reveals a previously unreported admission by Census Bureau that personal data provided through the census could be used "for criminal law enforcement activities." This disclosure raises new questions about whether citizenship information will be transmitted to the Department of Justice.

"Americans are justifiably fearful that their census responses will be used against them by other federal agencies, which can lead individuals to provide false or incomplete information," EPIC wrote in the complaint. EPIC pointed to its 2004 FOIA lawsuit, which revealed that the Census Bureau had provided the Department of Homeland Security with data on Arab Americans after 9/11. EPIC's suit led the Census Bureau to revise its "sensitive data" policy for transfers to law enforcement and intelligence agencies.

EPIC has filed numerous successful lawsuits seeking to enforce federal agencies' obligation to publish Privacy Impact Assessments. Earlier this year, the Presidential Advisory Commission on Election Integrity was shut down after EPIC filed a lawsuit to block the collection of state voter data and challenging the Commission's failure to complete a Privacy Impact Assessment.

2. At European Parliament, EPIC Proposes Safeguards for Cross-Border Access to Personal Data

EPIC International Counsel Eleni Kyriakides called for safeguards for law enforcement access to personal data across national borders at a European Parliament hearing last month. The LIBE Committee hearing "Electronic evidence in criminal matters" focused on a European Commission proposal for cross-border access to data. The proposal is similar to recently enacted the U.S. CLOUD Act.

Speaking at the hearing, EPIC's Kyriakides stressed that new mechanisms to give law enforcement access to data across borders must to do more to protect human rights. She cited the need for additional safeguards, such as prior judicial review, data minimization, transparency, public reporting, and individual remedies. Kyriakides said such "well-established protections should be required for cross-border orders."

EPIC submitted an amicus brief in the related Supreme Court case United States v. Microsoft, pointing to fundamental rights obligations in international law and explaining that cross border access to data abroad should require international consensus. EPIC has joined an NGO coalition to establish human rights protections in the Convention on Cybercrime.

Kyriakides also recently published an analysis of cross-border access in Just Security: "Digital Free for All Part Deux: European Commission Proposal on E-Evidence."

3. EPIC Urges Senate to Examine FTC's Failure to Enforce Facebook Consent Order, Unwind WhatsApp Deal

Ahead of a recent Senate hearing on "Oversight of the Federal Trade Commission," EPIC submitted a statement highlighting the FTC's failure to protect consumer privacy. EPIC told the Committee that the FTC should enforce the 2011 Facebook Consent Order and unwind the 2014 Facebook-WhatsApp deal.

In 2011, the FTC entered into a Consent Order with Facebook following complaint brought by EPIC and other consumer privacy organizations. The Order prohibited Facebook from transferring personal data to third parties without user consent. But after acquiring text messaging application WhatsApp in 2014, Facebook altered WhatsApp's privacy policy to share user data with third parties. Facebook also transferred personal data on 87 million Americans to Cambridge Analytica without user consent.

EPIC's statement explained that the FTC could have prevented the WhatsApp and Cambridge Analytica privacy violations with effective enforcement. In March, the FTC announced that it would reopen the Facebook investigation in response to Cambridge Analytica. Yet eight months later, "there is no judgment, no report, nor even a public statement about one of the most serious data breaches in U.S. history," EPIC wrote. EPIC urged the Committee to ask the FTC why it has failed to hold Facebook to its privacy commitments.

"U.S consumers experience the highest levels of data breach, financial fraud, and identity theft in the world," EPIC wrote. "From EPIC's perspective, the FTC must do more far more to address the growing threats to consumer privacy and to assure our trading partners as to the adequacy of data protection in the United States."

EPIC has played a leading role in establishing the FTC's authority to bring privacy investigations and to protect the personal data of American consumers. In addition to EPIC's 2009 and 2010 complaints that prompted the Facebook Consent Order, EPIC urged the FTC to investigate Uber, Google, and other companies for major privacy violations.

4. In Hearing on Election Assistance Commission, EPIC Highlights Voting Report of National Academies

In advance of a hearing concerning the Election Assistance Commission, EPIC submitted a statement to the Senate Rules Committee stressing the importance of strong election security standards.

The Election Assistance Commission is a federal agency charged with developing guidance to meet the requirements of the Help American Vote Act, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information on election administration. As threats to U.S. elections increase, the role of the Commission is increasingly vital.

EPIC described growing threats to election security and said that the Commission should finalize the Voluntary Voting Systems Guidelines, the technical guidance for securing voting infrastructure. "The drive for perfecting the election process and voting technology is grounded in a fundamental promise of our form of democracy—one vote for each person," EPIC wrote. "The bar for voting technology and election administration should be set high in the final guidance produced by the Commission."

"Voters need an advocate for their interests before, during, and after public elections," EPIC added. "They need voting systems and procedures that reflect the best that human factors, computer science, cryptography, data protection, security, computer architecture, and informatics can produce.

EPIC also cited the recent report of the National Academies of Science—"Securing the Vote: Protecting American Democracy"—which concluded that "all U.S. elections should use paper ballots by the 2020 presidential election." The National Academies also advised against Internet voting. In 2016, EPIC co-published The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy.

5. EPIC's Rotenberg Urges Support for AI Guidelines at OECD

Speaking to the OECD Global Strategy Group in Paris, EPIC President Marc Rotenberg urged OECD member countries to endorse the Universal Guidelines for Artificial Intelligence ("UGAI"). The OECD Global Strategy Group brings together senior officials from member countries to discuss the challenges shaping today's world.

"Civil society recognizes that AI may help solve the world's greatest challenges—from climate change and resource scarcity to medical breakthroughs and sustainable development," EPIC's Rotenberg said. "But we also believe that the public must be given the opportunity to participate in the development of AI policy. And there should be guidelines at the outset that safeguard democratic values and human rights."

The UGAI set out twelve principles to "inform and improve the design and use of AI:" (1) the Right to Transparency; (2) the Right to Human Determination; (3) the Identification Obligation; (4) the Fairness Obligation; (5) the Assessment and Accountability Obligation; (6) the Accuracy, Reliability, and Validity Obligation; (7) the Data Quality Obligation; (8) the Public Safety Obligation; (9) the Cybersecurity Obligation; (10) the Prohibition on Secret Profiling; (11) the Prohibition on Unitary Scoring; and (12) the Termination Obligation. The UGAI explanatory memorandum discusses the context, terminology, application, and origin of the principles.

The core purpose of the UGAI is to promote transparency and accountability for AI systems and to ensure that people and institutions retain control over the systems they create. The Guidelines are intended to maximize the benefits of AI, to minimize the risks, and to ensure the protection of human rights. Above all else, systems that impact the rights of people should do no harm. The UGAI are intended to be incorporated into ethical standards, adopted in national law and international agreements, and built into the design of systems.

EPIC announced the Universal Guidelines for AI on October 23 at the Public Voice conference in Brussels. More than 200 experts and 50 NGOs from across 40 countries have endorsed the UGAI.

EPIC Book Review: ‘The Curse of Bigness’

The Curse of Bigness: Antitrust in the New Gilded Age, by Tim Wu

In his new book, The Curse of Bigness, Columbia Law School Professor Tim Wu examines the striking parallels between the Gilded Age of railroads and oil and the "New Gilded Age" of big data. Professor Wu describes the parallels between trusts and tech, exposing the similarities in how companies in both eras wield power and profoundly shape the private lives of individuals through corporate authority.

The short volume explores the roots of antitrust law and pulls the reader through to the heyday of trust-busting under Theodore Roosevelt. Professor Wu makes the past prologue, highlighting Roosevelt's proclamation that "when aggregated wealth demands what is unfair, its immense power can be met only by the still greater power of the people as a whole." As Wu shows, the same holds true when aggregated data insists on concessions.

Professor Wu then turns to the development of the "consumer welfare" standard, which hinges on the price benefit of a merger to consumers. Wu shows how that standard—divorced from the original language and intent of antitrust law—fails to account for the many distortions in markets created by concentrated corporate power. In recent years, lax enforcement brought on by this standard has led to significant shortcomings in antitrust law. For instance, both the Facebook-Instagram and Facebook-WhatsApp mergers were approved, despite clear indications of monopolistic intent and pointed concerns about consumer privacy. As Wu wryly notes: "It takes many years of training to reach conclusions this absurd."

Professor Wu recommends sweeping changes to the legal and intellectual framework of antitrust, including reforming merger review to include "broader and tougher standards" (though he does not linger on specifics), democratizing and introducing transparency into the review process, instigating a new wave of blockbuster cases, breaking up companies that are too large to be tolerated, providing regulators with market tools, and leaving the "consumer welfare" standard behind. Wu is precise but not proscriptive with his recommendations, and leaves policymakers and academics ample room to negotiate specifics within his framework.

Louis Brandeis once remarked that "we may have democracy, or we may have wealth concentrated in the hands of a few, but we can't have both." In The Curse of Bigness, Wu demonstrates that data concentrated in the hands of a few proves just as fatal to democracy, and Wu provides a meaningful roadmap for reversing the startling trends of the "new gilded age."

—Jeff Gary

News in Brief

Trump-Russia Records at Issue in Mueller Probe, EPIC v. IRS

New revelations in the Mueller probe implicate EPIC's Freedom of Information Act cases for President Trump's tax returns. In EPIC v. IRS, currently before the D.C. Circuit, EPIC argues that the IRS has the authority to disclose the returns to correct misstatements of fact concerning financial ties to Russia. Trump had tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." This claim is now disproven by the Special Counsel's investigation, which recently determined that Mr. Trump pursued a major real estate deal with the Russian government in 2016. In a second case, EPIC v. IRS II, EPIC is seeking the release of tax records related to President Trump's businesses. EPIC has also filed a FOIA request for records concerning the Special Counsel investigation.

EPIC to Senators: Universal Guidelines for Artificial Intelligence Are a Model Policy

In a statement to a Senate committee focused on technology and privacy, EPIC urged Senators to implement the Universal Guidelines for Artificial Intelligence in US law. The Guidelines maximize the benefits of AI, minimize the risk, and ensure the protection of human rights. More than 200 experts and 50 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. EPIC also expressed concern about the secrecy surrounding the Senate workshops on AI. In a petition earlier this year, EPIC and leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on AI policy. EPIC told the Senate committee that the Senate must also ensure a public process for developing AI policy. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability for AI decision-making. In 2015, EPIC launched an international campaign for Algorithmic Transparency.

DHS Privacy Office Releases 2017 Data Mining Report

The Department of Homeland Security released the 2017 Annual Data Mining Report. According to the report, Customs and Border Protection expanded the use of Automated Targeting System's risk assessments to TSA's Secure Flight passenger data. TSA uses the Secure Flight data to compare airline passenger records against various watch lists and to score air travellers. The report describes the use of biometric data to match and screen individuals applying for immigration benefits against other databases. In EPIC v. CBP, EPIC is currently pursuing documents related to the biometric entry/exit program, which uses facial recognition at border crossings to identify and screen travelers.

EPIC Provides U.S. Report for Privacy Experts Meeting

EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 64th meeting of the International Working Group on Data Protection, held this year in Queenstown, New Zealand. The Working Group includes Data Protection Authorities and experts from around the world who review emerging privacy challenges. The EPIC 2018 report details the NTIA's proposed U.S. consumer privacy framework, the confirmation of three members of the Privacy and Civil Liberties Oversight Board, the passage of the California Consumer Privacy Act of 2018, the announcement of the Universal Guidelines on Artificial Intelligence, and more. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.

EPIC Urges Congress to Examine Surveillance at the Border

EPIC wrote to a Senate committee about the nominee to head the Immigration and Customs Enforcement agency. EPIC urged the Committee to examine the agency's practices, including the use of secretive algorithms and databases, warrantless searches of mobile devices, social media profiling, and the use of DACA application data for investigative purposes. EPIC has filed multiple FOIA lawsuits against ICE regarding theses surveillance programs. A previous FOIA lawsuit, EPIC v. CBP, uncovered Planter's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers.

EPIC Challenges FTC's Withholdings of Records Regarding Irish Audits of Facebook

EPIC has submitted a Freedom of Information Act appeal challenging the Federal Trade Commission's withholdings of 42 pages of records about the Irish Data Protection Commissioner's inquiries regarding Facebook's compliance with the FTC Consent Order In response to EPIC's FOIA request the FTC released 413 pages of publicly available documents but withheld 42 pages in full under several exemptions, including an exemption protecting records compiled for law enforcement purposes. In 2011 the Irish Data Protection Commissioner initiated an audit of Facebook Ireland, a subsidiary of Facebook that is responsible for data protection for all Facebook users outside of the U.S. and Canada, to assess its compliance with both Irish Data Protection law and EU law. The 2011 audit found that the safeguards for third party applications did not ensure security for user data. The 2012 re-audit found a "satisfactory response" from Facebook regarding preventing third party applications from accessing unauthorized user information. Following the 2012 re-audit, the FTC and Irish Data Protection Commissioner signed a Memorandum of Understanding to mutually assist and exchange information to protect consumer privacy. Two years after the Irish Data Protection Commissioner determined a "satisfactory response," Cambridge Analytica improperly harvested the personal data of millions of users to use for political purposes. The FTC announced that it was reopening the Facebook investigation after the Cambridge Analytica scandal but to date, there has been no announcement, no report, and no fine. EPIC is holding FTC accountable to its 2011 consent order enforcement obligations in EPIC v. FTC seeking the full release of the Facebook Assessments and related records.

EPIC in the News

• Uber and FTC Arrive at Settlement: Extensive Monitoring, but no FTC Fines Ahead, National Law Review, Dec. 1, 2018
• Delta opening America's first facial recognition airport terminal in Atlanta, CBS News, Nov. 30, 2018
• In the Wake of GDPR, Will the U.S. Embrace Data Privacy?, Fortune, Nov. 29, 2018
• Spotify's Year-End Ads Highlight the Weird and Wonderful, WIRED, Nov. 28, 2018
• Consumer groups want EU to go after Google for tracking users with their phones, BGR, Nov. 28, 2018
• Late Payment? A 'Kill Switch' Can Strand You and Your Car, Stateline, Nov. 27, 2018
• FTC Blasted Over Privacy Report, MediaPost, Nov. 27, 2018
• Details still elusive on possible federal data privacy standard, FCW, Nov. 27, 2018
• Judge denies Trump administration request for emergency halt to census citizenship trial, Washington Post, Nov. 21, 2018
• Amazon says it mistakenly shared customer emails and names due to technical error, Amazon, Nov. 21, 2018
• EPIC Challenges Citizenship Question on 2020 Census, Bloomberg Law, Nov. 21, 2018
• NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal, National Law Review, Nov. 20, 2018
• Could Plastic Driver's Licenses Become a Thing of the Past?, Stateline, Nov. 20, 2018
• Too 'Bad To The Bone' For A Facebook Facelift?, Chief Executive, Nov. 20, 2018
• The data firms hired by ICE to hunt people down raise alarm about a hidden surveillance industry, Fast Company, Nov. 20, 2018
• What the FTC really needs to deal with Facebook, IAPP, Nov. 20, 2018
• Algorithms are being used to convict criminals and decide jail time. We need to make sure they are fair, World Economic Forum, Nov. 19, 2018
• Concerns over privacy in TSA facial recognition program, CBS 6 (Albany), Nov. 19, 2018
• Uber and FTC Arrive at Settlement: Extensive Monitoring, but no FTC Fines Ahead , Lexology, Nov. 16, 2018
• Were those gunshots? New technology lets Atlanta police know instantly, Atlanta Journal-Constitution, Nov. 16, 2018

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Dave Miller Memorial Lecture. Dec. 13, 2018. Free Legal Advice Centres, Dublin, Ireland. Marc Rotenberg EPIC President.

EPIC International Champion of Freedom Award. Jan. 30, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

Aspen Roundtable on AI. Feb. 11-13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.