EPIC Alert 26.01

1. N.Y. Court Blocks Citizenship Question in 2020 Census

A federal judge in New York has ruled that the Secretary of Commerce's decision to add the citizenship question to the 2020 Census was unlawful. EPIC filed an amicus brief in the case, arguing that "history has shown that personal data, collected by the government through the census, can threaten individual rights."

In a 277-page decision, the court held that Commerce Secretary Wilbur Ross "violated the public trust" by ignoring legal procedures and misrepresenting the Census Bureau's motives for adding the citizenship question. The court explained that federal law requires the Bureau to "consider all important aspects of a problem; study the relevant evidence and arrive at a decision rationally supported by that evidence; comply with all applicable procedures and substantive laws; and articulate the facts and reasons—the real reasons—for that decision. The Administrative Record in these cases makes plain that Secretary Ross's decision fell short on all these fronts."

In a separate case, EPIC v. Commerce, EPIC is challenging the Census Bureau's failure to complete required privacy impact assessments before collecting citizenship data. EPIC has asked the court to block the Bureau's unlawful data collection, which puts the privacy of census respondents at undue risk.

"Though Secretary Ross's plan to add the citizenship question to the 2020 Census is arguably the most consequential decision in the Census Bureau's recent history, the Department of Commerce and the Bureau have failed to conduct any of the privacy analysis required by the E-Government Act for a major collection of personally identifiable information," EPIC argued.

EPIC is a longtime advocate of robust privacy protections for census respondents. A 2004 EPIC FOIA request revealed that the Census Bureau provided DHS with data on Arab Americans after 9-11, leading the Census Bureau to revise its "sensitive data" policy for transfers to law enforcement and intelligence agencies. EPIC has also filed numerous successful lawsuits seeking to enforce federal agencies' obligation to publish privacy impact assessments. In 2018, the Presidential Advisory Commission on Election Integrity was shut down after EPIC filed a lawsuit to block the collection of state voter data and challenged the Commission's failure to complete a privacy impact assessment.

2. EPIC FOIA: Kavanaugh and Yoo Corresponded at White House About Warrantless Surveillance

Newly released emails from the George W. Bush White House reveal that Brett Kavanaugh and John Yoo, architect of the warrantless surveillance program, exchanged several messages about surveillance programs in the fall of 2001. The release follows EPIC's FOIA lawsuit for Justice Kavanaugh's records about surveillance.

The recent release shows that Kavanaugh sent multiple emails about the warrantless surveillance program, which was eventually overturned by Congress with passage of the USA FREEDOM Act. In one email, originally made public in October, Kavanaugh wrote to Yoo, "Any results yet on the 4A implications of random/constant surveillance of phone and e-mail conversations of non-citizens who are in the United States when the purpose of the surveillance is to prevent terrorist/criminal violence?"

Kavanaugh also sent Yoo a second email in the same thread, although the National Archives has so far withheld the full text of the email. Kavanaugh's emails to Yoo reference a signing statement—likely for the 2001 authorization of military force—and include the thread "FISA [Foreign Intelligence Surveillance Act] letter."

In response to EPIC's open government lawsuit, the National Archives previously identified several hundred e-mails that Kavanaugh authored about surveillance programs. But the text of many emails was withheld, leaving open questions about Kavanaugh's role in post-9/11 surveillance programs.

For example, although the National Archives identified 227 emails using the terms "Patriot Act" or "surveillance," only 9 of the released emails contain unredacted references to those terms. The Archives also identified 119 emails concerning "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), or the Privacy Act, yet only released 5 emails displaying those terms. EPIC will continue to push for the release of Kavanaugh's records on surveillance programs.

3. Federal Court: NYC Data Disclosure Law Violates Fourth Amendment

A federal court has blocked a New York City law requiring home-sharing platforms to disclose detailed personal information about users, ruling that the ordinance violates the Fourth Amendment. The law would have required companies such as Airbnb to disclose the names, contact information, financial data, and rental histories of hosts, even when no unlawful conduct was suspected.

"An attempt by a municipality in an era before electronic data storage to compel an entire industry monthly to copy and produce its records as to all local customers would have been unthinkable under the Fourth Amendment," the court wrote. The court explained that the city's Fourth Amendment violation was "all the greater because (1) the user data in question is commercially sensitive and subject to potential disclosure; and (2) the [law]'s requirement for monthly productions of such data is perpetual."

"A ruling upholding the Ordinance as reasonable would invite municipalities to make similar demands on e-commerce companies, whether by legislation or subpoena, for the routinized production to investigative agencies of broad-ranging records as to all users or customers," the court added. "It would invite such productions so as to permit regulators to troll these records for potential violations of law, even as to customers as to which there had been no basis theretofore to suspect any violation of law."

The court followed a Supreme Court case, Los Angeles v. Patel, which prohibited the warrantless searches of hotel records. EPIC filed an amicus brief in Patel. The federal court also cited Carpenter v. United States, Byrd v. United States, Riley v. California, and United States v. Jones, Supreme Court cases in which EPIC also filed amicus briefs. The decision has implications for the data collection practices of so-called Smart Cities.

4. EPIC Asks UN to Question U.S. About Privacy Violations by Private Firms

As part of a routine review, EPIC asked the United Nations Human Rights Committee to question the United States about the failure to protect individuals against privacy violations by private industry. EPIC's request explained that the United States has failed to take any action against the private sector's tracking of "movements, habits, and private communications" and that "the failure to safeguard personal data stored in private record-keeping systems has also exposed U.S. residents to cyber attack by foreign states and foreign non-state actors."

The UN review will examine U.S. compliance with human rights obligations under the International Covenant on Civil and Political Rights. EPIC explained that countries "have a duty to protect individuals against human rights violations by non-state actors" under Article 17 in the international agreement. The Article protects against interference with "privacy, family, home or correspondence" and gives individuals the "right to the protection of the law" against that interference. EPIC explained that the failure of the Federal Trade Commission to enforce its 2011 consent order against Facebook and the agency's narrow authority demonstrate that the U.S. is not meeting its obligations under the agreement.

EPIC further highlighted the United States' failure to enforce privacy and data protections amid massive breaches and privacy violations. "Despite record-breaking data breaches, identity theft, and extensive corporate surveillance, the U.S still lacks both comprehensive privacy legislation and a data protection authority," EPIC wrote. EPIC urged the Committee to ask the United States about "any measures" it has adopted to protect U.S. residents against interference and privacy violations and to push the U.S. to enact a comprehensive privacy law regulating the private sector.

EPIC has called on the U.S. to enact a federal privacy law and has advocated the establishment of a new Data Protection Agency to enforce comprehensive privacy rights. The EPIC 2018 Privacy Law Sourcebook provides a comprehensive overview of privacy laws in the United States and around the world.

5. Supreme Court to Consider Open Government and Fourth Amendment in 2019

The Supreme Court has agreed to hear two cases of interest to privacy and open government advocates. Food Marketing Institute v. Argus Leader Media concerns the withholding of "confidential" information requested under the Freedom of Information Act. Mitchell v. Wisconsin concerns a state law that permits law enforcement officers to draw blood from unconscious motorists without a warrant.

In the first case, the Court will decide whether federal agencies are required to withhold all "commercial or financial information" requested under the FOIA, or whether a party seeking to suppress records must demonstrate that it would suffer "substantial competitive harm" from disclosure. The Court may also decide what it means to suffer "substantial competitive harm."

The case has implications for EPIC's suit against the Federal Trade Commission for information about Facebook's privacy practices. The FTC has claimed many records are confidential and therefore should not be disclosed. As a result of EPIC's request and lawsuit, the Federal Trade Commission has released hundreds of pages of communications between Facebook and the FTC related to the agency's enforcement of the 2012 Consent Order. The documents reveal the cordial relationship between the Commission and Facebook and provide insight into the FTC's inability to make use of its current enforcement authority. Nonetheless, the FTC has withheld EPIC records that could describe the FTC's involvement or inaction concerning the Cambridge Analytica scandal.

In the second case, the Court will decide whether states can "authorize blood draws without a warrant, without exigency, and without the assent of the motorist, under a variety of circumstances," including when a motorist is unconscious. This case could resolve a circuit split on the constitutionality of these kinds of "implied-consent" laws. In 2018, EPIC filed an amicus brief in Byrd v. United States, a case concerning the applicability of the Fourth Amendment to searches of rental cars.

EPIC routinely participates as amicus in Supreme Court cases concerning open government and privacy issues. Both cases are expected to be decided by the end of the Court's term in June.

6. EPIC Seeks to Intervene in Human Rights Case on Government Hacking

EPIC is requesting to intervene in a case before the European Court of Human Rights that is testing the human rights standards for government hacking of computers and other devices. Brought by international NGO Privacy International, Privacy International v. United Kingdom asks whether the international hacking of devices and the use of malware by UK intelligence services violate the European Convention on Human Rights.

The case presents a dispute over the meaning of Article 8 of the Convention—the right to privacy. Privacy International contends that the UK's Intelligence Services Act unlawfully authorizes acts by intelligence services outside of the country that would be illegal under UK law.

EPIC seeks to present information to the Court on the unique privacy risks of government hacking. EPIC noted that it "has advocated for human rights standards to emerging state practices" and recently "urged adherence to well-established international safeguards for cross-border law enforcement access to data" in an amicus brief for the Supreme Court and in testimony to the European Parliament.

EPIC previously filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, which found that UK mass surveillance violated fundamental rights to privacy and freedom of expression. EPIC provided the Court with information concerning the scope and nature of surveillance conducted by the National Security Agency.

EPIC also participated as amicus in Apple v. FBI, concerning a court order that would have required Apple to assist the FBI in hacking a seized iPhone. EPIC and eight other consumer privacy organizations highlighted the risk of weak encryption and noted that stolen cell phones are tied to identity theft and financial fraud.

EPIC Book Review: ‘Dawn of the Code War’

Dawn of the Code War: America's Battle Against Russia, China, and the Rising Global Cyber Threat, by John P. Carlin

Addressing cybersecurity begins with recognizing that there is a "code war" happening around us and to us. The heart of Dawn of the Code War, by former Assistant Attorney General for National Security John P. Carlin, is a historical review of the significant cyberattacks against the United States as seen from inside the Department of Justice. Carlin charts the evolution of cyberthreats against the U.S. with intense clarity.

The attacks Carlin cites vary widely in their intent, target, and tools. Well-organized Chinese efforts to steal American intellectual property cost the U.S. hundreds of billions of dollars each year. Cyberattacks on political expression stretch as far back as an Iranian attack on the Sands Hotel in early 2014, launched after a series of fiery public comments directed at Iran by CEO Sheldon Adelson. A similarly motivated North Korean attack on Sony followed later that year.

Hackers' infiltration of a New York dam in 2013 signaled the vulnerability of critical infrastructure, and Atlanta's municipal government systems were ransacked in 2018 by a ransomware attack. The same year, a compromised Associated Press Twitter account posted a fake message that then-President Obama had been injured, sending the stock market tumbling. Of course, there are also the ongoing Russian attempts to interfere in U.S. elections. In short, the scope of today's cyber threats is vast.

The problem is still growing. Carlin does note the increasing willingness and ability of the U.S. to "name and shame" foreign actors for attacks and to prosecute perpetrators. These strides toward deterrence and the development of cyber norms are necessary—but not sufficient. In part, Dawn of the Code War is Carlin's call to action. Today, we depend on technologies and an internet that were designed without much security in mind. We are "playing a massive game of digital catch-up," Carlin rightly concludes, and we cannot afford to make the same security mistakes with the next generation of technology. Diverse and increasing cyberthreats will require a comprehensive, society-wide response.

—Eleni Kyriakides

News in Brief

EPIC to FTC: Establish Free Credit Monitoring for All Consumers

In comments to the FTC, EPIC recommended free credit monitoring for all consumers. The agency will require free credit monitoring for all active service members following legislation enacted last year. EPIC said the FTC should urge Congress to extend free credit monitoring services. The statute includes several pro-consumer measures that EPIC favored: it (1) requires consumer reporting agencies to provide a consumer with free "credit freezes" that limit third party access to personal data, (2) establishes clear provisions for these freezes, and (3) creates new protections for the credit records of minors. In testimony before the Senate and House following the Equifax data breach, EPIC recommended credit freezes and free credit monitoring services.

EPIC Commends FAA Comment Opportunity on Aircraft Security, Urges More Public Reporting

In comments to the Federal Aviation Administration, EPIC praised the agency for inviting public input on technology that exposes aircraft control networks to remote hacking. EPIC previously warned the FAA that, "hackers can exploit weaknesses in drone software to gain control of a drone's movement and other features." EPIC has also called attention to the potential for connected cars and Internet of Things devices to be hacked. EPIC recommended that the FAA routinely report on the growing risks of cyberattack.

Supreme Court Denies Review of EPIC Petition

The Supreme Court has let stand an adverse lower court ruling in EPIC's case about state voter data. EPIC filed suit against the Presidential Election Commission in 2017 to halt the collection of state voter data. As a result of EPIC's case, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted the state voter data it wrongly acquired. And the Commission was terminated last year. However, a lower court ruled that EPIC, at the time it brought the case, was limited in its ability to pursue certain claims. EPIC asked the Supreme Court to review that decision and the fact that the demise of the Commission made it impossible for EPIC to challenge the ruling. But the Court left the ruling unchanged. EPIC's case in the Supreme Court is EPIC v. Commission, No. 18-267.

National Archives Releases Kavanaugh Emails on Surveillance Programs Identified in EPIC Suit

The National Archives has released thousands of emails Justice Kavanaugh sent between January 2001 and July 2003 while working in the White House Counsel's office. The release includes hundreds of emails concerning controversial White House surveillance programs the Archives previously identified in response to EPIC's lawsuit. In October, the National Archives revealed that Kavanaugh sent 11 e-mails to John Yoo, the architect of warrantless wiretapping; 227 e-mails about "surveillance" programs and the "Patriot Act;" and 119 e-mails concerning "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), and the Privacy Act. Subsequent searches revealed thousands more emails sent to Kavanaugh about mass surveillance programs.

Congress Requests Emergency Meeting on Location Privacy

A key House panel requested an emergency briefing from the Federal Communications Commission to determine why the agency has not prevented wireless carriers from selling consumers' location data. The request followed reports that wireless providers sell location data to third parties, despite pledging to not do so after investigations last year. In 2007, EPIC urged the FCC to establish privacy safeguards for location data. And in 2010 EPIC wrote to the House Commerce Committee that "Locational privacy concerns are substantial and growing more severe." EPIC also filed a friend of the court brief in 2017 in the landmark location privacy case, Carpenter v. United States. A recent article by EPIC President Marc Rotenberg, for the American Constitution Society, sets out recommendations for Congress after the Carpenter decision.

Senator Leahy Questions Barr About Carpenter Case, Future of Privacy

During the nomination hearing for the next Attorney General, Senator Leahy asked Mr. Barr whether the Supreme Court's recent decision in the Carpenter case affected his views on privacy. "You had said that a person has no Fourth Amendment right to these records left in the hands of third parties—the third-party doctrine—which seems to be undercut by Carpenter," observed Senator Leahy. Barr responded, somewhat surprisingly, that he had "not read that decision" but "it may modify [his] views." Senator Leahy said he would expect an answer from the nominee to a written question. EPIC filed an amicus brief in Carpenter. The Supreme Court ruled that the Fourth Amendment protects location records stored by telephone companies.

Senate Considers Nomination of William Barr for Attorney General

This week the Senate Judiciary Committee is holding hearings on the nomination of William Barr for Attorney General. In a statement to the Committee, EPIC warned that "Mr. Barr has consistently supported warrantless surveillance of the American people." EPIC pointed to Barr's previous Congressional testimony where he stated that FISA is "too restrictive" and that Americans have no Fourth Amendment right in records held by third parties. EPIC recommended that the Department of Justice work with Congress to update federal wiretap laws after the Supreme Court's decision in Carpenter, improve reporting on surveillance orders, and protect consumers in cases before the Supreme Court.

European Court Adviser Says Right to Be Forgotten Need Not Be Applied Worldwide

The opinion of a key adviser to Europe's top court found that the "right to be forgotten" need not be applied worldwide. Google v. Commission nationale de l'informatique et des libertés follows a ruling in Google v. Spain that Europeans have a right, in some circumstances, to remove links to their personal data posted online by Google. The Advocate General said that while Europeans are entitled to have private information delisted in the EU, search engines do not have to remove links from view in foreign domains even though they make the personal data available in those domains for commercial benefit. EPIC has supported the CNIL's approach instead, contending "the right to privacy is global." The European Court of Justice will now decide whether to adopt the opinion from the Advocate General. EPIC published "The Right to be Forgotten on the Internet: Google v. Spain," an account of the case by former Spanish Privacy Commissioner and EPIC Champion of Freedom Professor Artemi Rallo.

Appeals Court Hears Arguments in Dating App Abuse Case

A federal appeals court heard oral arguments in a case about whether a dating app is liable for failing to remove a false profile that enabled abusive conduct. EPIC filed an amicus brief in Herrick v. Grindr, arguing that the relevant law was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if internet services are not accountable for harassment and abuse. EPIC routinely files amicus briefs in cases concerning emerging privacy and civil liberties issues.

European Commission Seeks Input on AI Policy

The European Commission's Expert Group on Artificial Intelligence has requested comments on draft Guidelines for Trustworthy AI. The EU Guidelines state, "Trustworthy AI has two components: (1) it should respect fundamental rights, applicable regulation and core principles and values, ensuring an 'ethical purpose' and (2) it should be technically robust and reliable since, even with good intentions, a lack of technological mastery can cause unintentional harm." The EU Guidelines reflect several principles from the Universal Guidelines for Artificial Intelligence, which have been endorsed by more than 250 experts and 60 organizations in 40 countries. The Universal Guidelines promote transparency, accuracy, and fairness for AI systems. Comments to the European Commission are due January 18, 2019. The final report will be released in March 2019.

Border Agency Finalizes Social Media Collection Rule

Despite comments from EPIC and others, Customs and Border Protection will collect social media information from Americans and place that data outside legal protections provided by the Privacy Act. EPIC opposed the collection of personal data and said that CBP should narrow the Privacy Act exemptions. The agency responded briefly to public comments, failing to defend the agency's decision. In a related FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

OECD AI Experts Meeting. Jan. 16–17, 2019. MIT, Cambridge, MA. Marc Rotenberg, EPIC President.

'AIWS for Leadership and Innovation.' Jan. 17, 2019. AI World Society. Harvard Kennedy School, Cambridge, MA. Marc Rotenberg, EPIC President.

DLD Munich 19. Jan. 19–21, 2019. Munich, Germany. Marc Rotenberg, EPIC President.

International Cybersecurity Forum (FIC). Jan. 22, 2019. Lille, France. Eleni Kyriakides, EPIC International Counsel.

'Has the EU lost its compass towards an European Area of Freedom Security and Justice?' Jan. 28, 2019. FREE Group. Rome, Italy. Marc Rotenberg, EPIC President.

Collective Action Workshop. Jan. 29, 2019. Brussels, Belgium. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Award. Jan. 30, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

OECD AI Meeting. Feb. 7–9, 2019. Dubai, UAE. Marc Rotenberg, EPIC President.

Aspen Roundtable on AI. Feb. 11–13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President.

'Going Digital.' Mar. 11–12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

'Privacy: Has Targeted Marketing Gone Too Far?' Mar. 13, 2019. SXSW, Austin, Texas. Christine Bannan, EPIC Consumer Protection Counsel.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.
