EPIC Alert 25.23

1. EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening

EPIC sent a statement to the Senate Judiciary Committee last week ahead of an oversight hearing concerning Customs and Border Protection. EPIC opposed CBP's use of facial recognition technology at U.S. airports and other ports of entry. EPIC also alerted the Committee that CBP has repeatedly changed the opt-out policy for the entry/exit program without legal authority or public input.

EPIC pointed to several recent CBP changes in the "alternative procedures" for identity verification at the border. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said.

As EPIC explained to the Senate committee, "the original procedures described at the CBP website regarding alternative screening, 'manual processing,' is in fact not the agency's practice. Remarkably, the agency has repeatedly modified the FAQ for alternative procedures for U.S. citizens who do not wish to have a photo taken." Despite early representations that travelers could opt out of the facial recognition program, CBP no longer provides that option. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established.

EPIC has also filed a FOIA request seeking all records on the creation and modification of the border control program and the "alternative procedures" originally promised by the agency. In comments made to the Department of Homeland Security last week, EPIC urged the agency to suspend the program until Congress has enacted safeguards to ensure that facial recognition and other biometric data is not misused or stolen.

2. EPIC Urges Public Input on AI Policy

EPIC urged the House Armed Services Committee panel last week to ensure public input on Artificial Intelligence policy. The statement from EPIC follows a petition to the White House, backed by EPIC and leading scientific organizations, to solicit public comments on US AI policy. Developing effective AI policies is critical to protecting consumer safety, privacy, cybersecurity, and intellectual property rights in the U.S., according to the IEEE.

AI has a tremendous impact on our daily lives, determining opportunities for employment, housing, travel, and credit, and even making determinations regarding criminal justice. Algorithmic decision-making can also lead to discrimination and secret profiling that threatens individual liberties and democratic values. Without algorithmic transparency, "it is impossible to know whether government and companies engage in practices that are deceptive, discriminatory, or unethical," EPIC explained.

"The foundation for U.S. AI policy should be a broad policy framework that recognizes both the opportunities and risks associated with AI," EPIC said in its statement. EPIC recommended that Congress enact legislation based on the Universal Guidelines for Artificial Intelligence. The Universal Guidelines establish twelve principles to influence the design, development, and deployment of AI to "maximize the benefits of AI, minimize the risk, and ensure the protection of human rights." More than 230 experts and 60 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines.

EPIC and its advisory board members have consistently supported algorithmic transparency in commerce, criminal justice, and national security. According to EPIC President Marc Rotenberg, "At the core of modern privacy law is a single goal: to make transparent the automated decisions that impact our lives."

3. EPIC Obtains DHS Pre-Election Assessment on Threats to U.S. Election Infrastructure

As part of EPIC's Freedom of Information Act lawsuit against the Department of Homeland Security, the DHS Office of Intelligence and Analysis released to EPIC documents related to Russian interference in the 2016 presidential election.

One notable document in the release to EPIC is the report "Cyber Threats and Vulnerabilities to US Election Infrastructure." The report, issued prior to the 2016 presidential election, stated that the "DHS ha[d] no indication that adversaries or criminals [we]re planning cyber operations against US election infrastructure that would change the outcome of the coming US election." The DHS report also stated that a successful, widespread cyber operation against U.S. voting machines would require "a multiyear effort with significant...resources available only to a nation state." The DHS intelligence assessment claimed that this level of effort "would make it nearly impossible to avoid detection."

According to election experts, the DHS's assessment ignores the possibility that an adversary can change an election outcome without widespread attacks. Launching targeted attacks on swing districts could compromise an election, especially when a recount is impossible in states with paperless voting machines. Moreover, few states that can conduct post-election audits do so.

The DHS report also acknowledged that voter registration databases are vulnerable to cyberattack. However, the report dismissed this concern, stating that while exposure of voters' information "could undermine confidence in the system," the DHS believed that it "would have limited impact on the integrity of the election process." In fact, the voting rolls in at least 21 states were attacked by foreign adversaries during the 2016 election, a fact that the DHS was reluctant to admit during subsequent oversight hearings.

EPIC has long worked to safeguard voter data and successfully blocked the Presidential Election Commission's attempt to collect and store voter registration data. EPIC has pursued several other related FOIA cases about Russian interference with the 2016 election, including EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of President Trump's tax returns), and EPIC v. IRS II (release of President Trump's offers-in-compromise).

4. Equifax Breach 'Entirely Preventable': House Oversight Committee

In a report released last week, the House Committee on Oversight declared that the Equifax breach, which affected 148 million U.S. consumers, was "entirely preventable." The breach, one of the largest in U.S. history, compromised the authenticating details (including dates of birth and social security numbers) of more than half of American consumers. The House report concluded that Equifax "failed to fully appreciate and mitigate" the cybersecurity risks and placed corporate growth over data security.

The report found that failures in management and security practices led to the breach. Equifax failed to implement responsible security measures and relied on outdated IT systems. The company's lack of accountability within its internal IT management structure stunted the implementation of security measures. And after Equifax disclosed the breach to the public, it was not prepared adequately to assist affected consumers.

Despite several federal agencies, such as the CFPB and the FTC, pledging to take action against Equifax, none have done so. The House Committee recommended that Equifax "provide more transparency to consumers" about data use and security practices and reduce the use of social security numbers as identifiers—both longstanding priorities of EPIC.

Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee, recommending free credit freezes and other consumer safeguards to mitigate the risk of identity theft. Rotenberg also testified before the House Financial Services Committee, calling for comprehensive data protection regulation and a new privacy agency.

5. EPIC Makes Final Arguments to Supreme Court in Voter Data Privacy Case

EPIC has filed a reply brief in EPIC v. Commission, urging the Supreme Court to review a decision that wrongly denied EPIC access to a required privacy impact assessment for state voter data.

EPIC filed suit against the Presidential Election Commission last year to halt the collection of state voter data pending the completion of the assessment. As a result of EPIC's case, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted the state voter data it wrongly acquired. The Commission was terminated in January of this year.

EPIC told the Supreme Court that "there is, quite literally, no organization other than the 'Electronic Privacy Information Center' that suffers a greater concrete harm when a federal agency fails to comply with a publication requirement for privacy impact assessments."

EPIC also told the Court that the D.C. Circuit had incorrectly denied EPIC's "standing" to pursue a privacy impact assessment, which federal agencies are required to produce and publish before collecting personal data. "Congress has extended a legal right to receive information and has provided a mechanism by which that right can be enforced," EPIC explained, which is enough to allow EPIC to bring suit.

EPIC has long fought to ensure voter privacy. EPIC recently called on Immigration and Customs Enforcement to abandon a request for over 18 million voter records from North Carolina. The agency backed down from the demand within a day. EPIC's case in the Supreme Court is EPIC v. Commission, No. 18-267.

EPIC Holiday Gift Guide

Scratching your head over holiday gift ideas for the privacy buff in your life? Fear not: EPIC has you covered! Here are a few products to help safeguard the privacy and security of you and your loved ones.

1. Privacy Stamp Roller

Roll your paper-and-ink personal data away with this privacy stamp roller. Comes in medium and large.

2. 'Come Back With a Warrant' Doormat

This handy item will remind overzealous investigators about their obligations under the Fourth Amendment. Protection for open fields not included.

3. A Wide Brim Hat & Sunglasses

These two timeless classics are perfect for helping you evade detection by cameras and facial recognition technology.

4. A Nice Set of Window Blinds

Who says privacy can't be stylish? Pick up a chic new window treatment to keep your home shielded from prying eyes.

5. High-Security Smartphone Case

The Privoro SafeCase features "high-security hardware that blocks cameras, jams microphones and provides unprecedented user and device management."

6. 'No Drone Zone' Sign

Keep your home and yard free of flying cameras (and that incessant buzzing sound) with one of these 'No Drone Zone' signs.

7. ZenBooth Privacy Booth

For the serious privacy connoisseur, why not equip your home with a soundproof booth this holiday season?

8. Black Hole Faraday Tent

Soundproof booth not secluded enough? For a cool $22,200, you can pick up a Black Hole Faraday Tent and enjoy total privacy from electronic communications.

9. A Good Book on Privacy

Visit the EPIC Bookstore for the best publications on privacy. Find such classics as 1984, Brave New World, The Handmaid's Tale, The Origins of Totalitarianism, and The Trial. All sales support the work of EPIC.

10. GDPR Compliant Wrapping Paper

Need something to wrap one of your excellent purchases from the EPIC Bookstore? We've got just the thing.

11. Contribute to EPIC

Why not give the gift of privacy to a loved one? We'll litigate, advocate, and educate on your behalf. Drop a little coin at epic.org/donate.

News in Brief

National Archives Moves Forward EPIC's Request for Kavanaugh White House Records

The National Archives has announced its intent to release dozens of undisclosed emails concerning Justice Kavanaugh's role in controversial White House surveillance programs. The announcement comes in response to EPIC's Freedom of Information Act lawsuit, which previously led the agency to discover hundreds of Kavanaugh email exchanges about warrantless wiretapping and passenger profiling. Prior to Kavanaugh's confirmation hearing, EPIC warned that Kavanaugh—both as a White House legal advisor and then as a federal appellate judge—showed little regard for the constitutional privacy rights of Americans. The Kavanaugh emails are set to be released to EPIC in March.

EPIC Investigates Airport Facial Recognition Opt-Out Procedures

In an urgent FOIA request, EPIC is seeking documents from CBP about the procedures for travelers to opt out of the biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt out of the screening procedure. EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Last week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.

EPIC Urges Antitrust Agencies to Raise Their Game

In a statement to the House Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice at a hearing on "Oversight of the Antitrust Enforcement Agencies." EPIC emphasized the risks of mergers to American consumers, stating that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed DoubleClick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. Consumer organizations in the US and the European Union recently urged antitrust authorities on both sides of the Atlantic to subject mergers to greater scrutiny.

EPIC to DHS Privacy Advisory Committee: End Facial Recognition

In response to a public notice by the Data Privacy and Integrity Advisory Committee, EPIC submitted comments urging the CBP to halt implementation of the biometric border program. EPIC stressed the need for federal regulation to safeguard privacy and prevent the misuse of facial recognition technology. EPIC called for a public rulemaking for the federal entry/exit program. EPIC also criticized the Committee's draft recommendations for facial recognition. EPIC said that the transfer of personal data from the State Department to the CBP was unlawful and that the opt-out procedures were ignored in practice. Documents EPIC previously obtained in a FOIA lawsuit against CBP revealed that facial scanning did not perform operational matching at a "satisfactory" level.

EPIC Urges Department of Transportation to Improve Framework on Connected Car Safety

In detailed comments to the Department of Transportation, EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA, and an amicus brief to the Ninth Circuit.

EPIC Urges European Commission to Regulate Connected Toys

In comments to the European Commission, EPIC highlighted the safety and security risks of IoT toys and wrote "There should be 'smart' regulations for 'smart' toys." The European Commission sought public comment on the EU Toy Directive, which establishes toy safety guidelines to protect children's health and safety but ignores connected toys. EPIC has repeatedly demonstrated the risks of IoT and smart toys before Congress, the Federal Trade Commission, and the Consumer Product Safety Commission in testimony, agency comments, petitions, and investigative complaints.

EPIC Celebrates 70th Anniversary of UDHR

On December 10, EPIC celebrated Human Rights Day, which commemorates the United Nations' adoption of the Universal Declaration of Human Rights, the most widely translated text in the world. This year marks the 70th Anniversary of the UDHR, which was adopted on December 10, 1948. EPIC has called for the fundamental right to privacy (Article 12 of the UDHR) to be reaffirmed in the digital age. Article 12 states "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." NGOs and privacy experts have also expressed support for the Madrid Declaration, a substantial document that promotes international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the UDHR can be found in the 2018 EPIC Privacy Law Sourcebook, available at the EPIC Bookstore.

EPIC Urges European Commission to Address Security Risks of Connected Cars

In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things, including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs.

EPIC Supports Extension of Children's Privacy Reporting Requirements

EPIC submitted comments in support of the FTC's proposed extension of the information collection requirements for the Children's Online Privacy Protection Act. EPIC explained the importance of the law that protects the personal data of children who use Internet services but added that the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. Earlier this year, the FTC unanimously voted to approve EPIC's recommendations to create new safeguards for children's data in the gaming industry.

Irish Court Finds Data Retention Law Violates Human Rights

The Irish High Court has ruled that Ireland's retention of telephone data violates European law and the European Convention on Human Rights. The Communications Act, which requires all service providers to retain data for two years, is "general and indiscriminate." The Court also found insufficient safeguards for access to data, noting that the law did not require prior judicial and had few guarantees against abuse. The Court will now issue a final order to determine how the case will proceed. EPIC is participating in DPC v. Facebook, an Irish High Court case recently referred to the top European Court of Justice to determine whether Facebook's transfer of data from Ireland to the United States violates EU data protection law. EPIC has also petitioned the FCC to end a similar data retention mandate, arguing that it is inconsistent with international law.

EPIC to Congress: Require Algorithmic Transparency For Google, Dominant Internet Firms

EPIC has sent a statement to the House Judiciary Committee in advance of a hearing on Google's business practices. EPIC said that "algorithmic transparency" should be required for Internet firms. EPIC explained that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. EPIC pointed out that Google's algorithm preferences YouTube's web pages over EPIC's in searches for videos concerning "privacy." Last year the European Commission found that Google rigged search results to preference its own online service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. The US Federal Trade Commission has failed to take similar action, even after receiving substantial complaints. EPIC also urged Congress to consider the Universal Guidelines for AI as a basis for federal legislation.

In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites

In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information…." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations.

Facebook Documents Raise New Questions About Consent Order Compliance

Earlier this month, a British parliamentary committee released internal Facebook emails and documents. The documents revealed that Facebook concealed its decision to collect records of calls and texts on Android devices, in violation of privacy policies. An employee said of this decision: "This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it." The documents also show that Facebook examined user data to determine which companies posed a threat, deciding to either target or acquire those firms. Last month, UK regulators released a report on the misuse of personal data by Cambridge Analytica for the Brexit vote. In 2011, EPIC and other consumer privacy organizations obtained a far-reaching consent order against Facebook, but the FTC has failed to enforce the legal judgment. In March, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.

Senator Markey Insists on Privacy, Safety for Self-Driving Vehicles

In a recent statement, Senator Markey said he would not permit legislation on self-driving cars to proceed until the bill created meaningful "safety, cybersecurity, and privacy protections" for consumers. In January, EPIC wrote to the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has long supported baseline protections in self-driving vehicles. EPIC has appeared before Congress, written to federal agencies, and provided amicus briefs about the privacy and security risks of autonomous vehicles. In comments to the European Commission earlier this month, EPIC identified several key concerns related to connected cars.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

International Cybersecurity Forum (FIC). Jan. 22, 2019. Lille, France. Eleni Kyriakides, EPIC International Counsel.

Collective Action Workshop. Jan. 29, 2019. Brussels, Belgium. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Award. Jan. 30, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

OECD AI Meeting. Feb. 7–9, 2019. Dubai, UAE. Marc Rotenberg, EPIC President.

Aspen Roundtable on AI. Feb. 11–13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.
