EPIC Alert 26.04

1. EPIC to FTC: After Home Spying Reports, Google Should Divest Nest

Following reports that Google installed secret listening devices in the home security product Nest, EPIC asked the Federal Trade Commission to require Google to spin off Nest and to disgorge the data obtained from users. It is a federal crime to intercept private communications or to plant a listening device in a private residence. It is unclear whether Google, a remote hacker, or anyone else may have enabled the microphones in the Nest devices after they were installed by customers in their homes.

In 2014, EPIC filed a complaint with the FTC regarding a related merger review and noted that the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest." EPIC also said at the time that FTC's "early termination" approval of the Google/Nest merger was surprising given that the Commission closely scrutinized Google's acquisition of Doubleclick.

Both the Senate Commerce Committee and the House Energy and Commerce Committee have expressed interest in merger review in the tech industry. Rep. Cicilline, Chairman of the House Antitrust Subcommittee, recently hired leading antitrust scholar Lina Khan, author of Amazon's Antitrust Paradox.

Last year, EPIC the Center for Digital Democracy, the Consumer Federation of America, and US PIRG submitted comments to the FTC in advance of hearings on "Competition and Consumer Protection in the 21st Century." The consumer groups said that privacy protection is critical for competition and innovation. The groups told the FTC that it should: (1) unwind the Facebook-WhatsApp deal; (2) require Facebook and Google to spin off their advertising units into independent companies; (3) block all future acquisitions by Facebook and Google that would enable the companies to increase their monopoly over consumer data; (4) impose privacy safeguards for all future mergers that implicate data privacy concerns; and (5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct.

2. EPIC Files Brief on Government Hacking with Court of Human Rights

EPIC has filed a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking. Privacy International v. United Kingdom concerns remote hacking by UK intelligence services, which appears to violate the European Charter of Fundamental Rights. The Court recently granted EPIC's request to intervene in the case.

EPIC's brief describes how "hacking tools stockpiled by governments could be used by criminals to mount cyberattacks." As an example, EPIC detailed the Wannacry ransomware attack, which was the result of leaked NSA hacking tools. The attack hit the UK National Health Service, disrupting ambulances and causing tens of thousands of pounds in damage.

EPIC also explained that "Government hacking weakens security safeguards." EPIC cited U.S. case Apple v. FBI as one example. That case involved an order compelling Apple to take extraordinary measures to undo iPhone security features, putting consumers at risk of identity theft and crime.

EPIC has advocated for strong encryption since its founding in 1994 and published the first comprehensive survey of encryption use around the world.

3. EPIC Files Opening Brief in Appeal to Block Census Citizenship Question

EPIC has filed an opening brief in its appeal to block the Census Bureau from collecting citizenship data in the 2020 Census. EPIC told the D.C. Circuit that the Census Bureau failed to complete privacy impact assessments required by law. "This uninformed data collection by a federal agency is precisely what the E-Government Act prohibits," EPIC explained.

The Bureau concedes that it must complete privacy impact assessments under the E-Government Act, but the Bureau has so far failed to do so. EPIC warned the federal appeals court that "Key deadlines are fast approaching, and major privacy risks have not been addressed by the agency."

Previously, a lower court denied EPIC's motion for a preliminary injunction blocking the citizenship question. The lower court agreed that the Bureau is required to conduct detailed privacy impact assessments, but oddly concluded that the Bureau is not required to do so "until the Bureau mails its first batch of Census questionnaires to the public"—a view entirely at odds with the E-Government Act.

The Court has scheduled oral argument in EPIC's case for May. A federal court in New York recently blocked the citizenship question in a different case, but the Supreme Court will now review that decision in April.

EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.).

4. FAA to Require Visible Registration Numbers on Drones

The Federal Aviation Administration has published an interim final rule that will require a visible registration number on the exterior of drones. Previously, registration numbers could be hidden inside drones. EPIC supports improved drone identification requirements but has urged the FAA to go further.

The FAA's new rule does little to protect against unauthorized surveillance, as a small registration number is unlikely to be visible while the drone is in operation. This could encourage dangerous self-help remedies, like shooting down drones, in order to trace the unwanted drone back to its owner.

In extensive comments filed with the FAA, EPIC previously wrote that drones should broadcast location, course, and operator identification—much like the automated identification systems for planes and boats. EPIC also argued that the FAA should require drone operators to disclose surveillance capabilities and broadcast those capabilities when drones are in operation.

EPIC previously sued the FAA to force the agency to establish national rules to limit drone surveillance. EPIC is currently pursuing records about a key FAA task force, the Drone Advisory Committee, to understand why the agency has not promoted better privacy safeguards.

Comments on the FAA rule on "External Marking Requirement for Small Unmanned Aircraft" are due March 15, 2019 (Docket: FAA-2018-1084). EPIC recommends that commenters ask the FAA to establish stronger requirements for remote identification of drones.

5. EPIC Seeks Release of Overdue AI Commission Report

EPIC has submitted an open records and meetings request concerning the National Security Commission on Artificial Intelligence. Congress established the AI Commission in August 2018 "to review advances in artificial intelligence, related machine learning developments, and associated technologies." Yet no information has been disclosed about the Commission's plans, operations, or findings to date.

The AI Commission is funded out of the Department of Defense budget and comprised of 15 members. Commission members include executives from Google, Amazon, Microsoft, and Oracle and several former Department of Defense officials.

The Commission is tasked with reviewing, among other issues, "the competitiveness of the United States in artificial intelligence"; "means and methods for the United States to maintain a technological advantage in artificial intelligence"; "means by which to foster greater emphasis and investments" in AI research; "risks associated with United States and foreign country advances in military employment of artificial intelligence"; and "ethical considerations related to artificial intelligence."

Congress ordered the Commission to publish a report by February 9 on its preliminary findings and any recommendations. Although that report must be made publicly available by law, it has not yet been disclosed. After this initial report, the AI Commission is required to publish comprehensive reports by August 2019 and August 2020.

Last year, EPIC—joined by nearly 100 experts and leading scientific organizations including AAAS, ACM, FAS, and IEEE—successfully petitioned the White House Select Committee on Artificial Intelligence to incorporate public input in the committee's work. EPIC has also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC previously urged lawmakers to appoint AI Commission members who support the Universal Guidelines.

News in Brief

EPIC Launches #EnforceTheOrder, Urges FTC Action on Facebook

With the one-year deadline of the reopening of the Facebook investigation approaching, EPIC has launched the campaign #EnforceTheOrder. EPIC is urging the Federal Trade Commission to act before March 26, 2019. Many experts, including former FTC Chief Technology Officer Ashkan Soltani, Senator Richard Blumenthal, and former FTC Chair William Kovacic, have said that Facebook violated the consent order. EPIC has also joined with Color of Change, the Open Markets Institute and others to urge the FTC to impose a significant fine and also to break up the company, reform hiring and management practices, and install a director to represent users. Follow EPIC at @EPICprivacy for the latest on the campaign. Join us. Tweet why enforcement matters to you. Include #EnforceTheOrder @FTC @facebook.

EPIC Obtains FBI's Updated Media Guidelines

In response to EPIC's Freedom of Information Act request, the Federal Bureau of Investigation has released documents (part 1, part 2, part 3) concerning the agency's use of National Security Letters to obtain information from the media. The disclosure to EPIC includes a revised policy that followed criticisms of government surveillance of journalists. In an earlier amicus brief, EPIC recommended enhanced oversight of National Security Letters.

Court Greenlights EPIC Suit Against Drone Advisory Committee

A federal court in Washington, D.C. has ruled that EPIC's open government case against the FAA's Drone Advisory Committee can go forward. EPIC filed suit last year against the Committee, which has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. The government asked the court to dismiss EPIC's suit, but the court was "unconvinced by Defendants' arguments" and indicated that the government must "provide the full list of [Committee] records" to EPIC. However, the Court ruled that the Committee did not need to release the records of its secretive subcommittees. EPIC intends to challenge that part of the court's decision. The case is EPIC v. Drone Advisory Committee, No. 18-833 (D.D.C.).

Arguments Set for EPIC Appeal to Block Census Citizenship Question

The D.C. Circuit has scheduled oral argument for May in EPIC's expedited appeal to block the Census Bureau from collecting citizenship information in the 2020 Census. EPIC alleges that the Bureau failed to complete privacy impact assessments required by the E-Government Act before adding the question. A lower court denied EPIC's motion for a preliminary injunction, agreeing that the Bureau is required to conduct the detailed assessments, but oddly concluding that it is not required to do so "until the Bureau mails its first batch of Census questionnaires to the public"—a view entirely at odds with the relevant law. A federal court in New York recently blocked the citizenship question in a different case, but the Supreme Court will now review that decision. EPIC has filed numerous successful lawsuits to require privacy impact assessments, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.).

EPIC, Coalition Ask Australia to Amend 'Assistance and Access' Law

EPIC and a coalition of civil society organizations told the Australian Parliament that a law allowing police to require weak security for tech products should be amended. The Parliament reopened debate over the "Assistance and Access" law, broadly denounced as a threat to security and freedom of expression. Following earlier comments, the coalition has now called on the Australian Parliament to narrow the law. EPIC has long advocated for strong encryption, led the campaign against the Clipper Chip, and published the first global survey on Cryptography and Liberty. And when the FBI sued Apple in 2016 for refusing to allow law enforcement access to iPhones, EPIC filed an amicus brief in support of Apple arguing the FBI's demand "places at risk millions of cell phone users across the United States."

EPIC FOIA: National Archives Releases New Batch of Kavanaugh Records

In response to EPIC's Freedom of Information Act lawsuit, the National Archives has just released thousands of records about Justice Kavanaugh work in the White House Counsel's office after 9-11. The records include e-mails from 2002-2003, briefings, meeting memos, and correspondence, and office files about anti-terrorism legislation and access to presidential records. Emails previously released to EPIC revealed that Kavanaugh and John Yoo, architect of the warrantless surveillance program overturned by the US Congress, exchanged messages about the development of domestic surveillance programs. During the Supreme Court nomination hearing, EPIC warned the Senate that the nominee has shown little regard for the Constitutional privacy rights of Americans as a top White House legal advisor and then as a federal appellate judge.

EPIC Joins Coalition Calling on FTC to Investigate Facebook for Deception of Children

A coalition of consumer groups recently sent a complaint to the FTC, charging that Facebook engaged in unfair and deceptive practices and violated the Children's Online Privacy Protection Act after court documents from a 2012 class action lawsuit revealed that Facebook encouraged children to make credit card purchases on Facebook's platform. Parents and minors repeatedly complained about the credit card charges, but the documents indicate that the company refused to refund charges and set up a complex complaint system to deter refund requests. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues.

Human Rights Court Accepts EPIC Intervention in Government Hacking Case

The European Court of Human Rights has accepted EPIC's request to intervene in a case concerning the legal standards for government remote hacking. Privacy International v. United Kingdom asks whether remote hacking or the use of malware by UK intelligence services violates the European Convention on Human Rights. Privacy International alleged that the hacking violates Articles 8 and 10 of the Convention, which protect right to privacy and the right to freedom of expression. EPIC previously filed a brief with the Court of Human Rights in Big Brother Watch v. UK, which found UK mass surveillance violated fundamental rights to privacy and freedom of expression. EPIC also participated as amici in Apple v. FBI, concerning a court order that would have required Apple to assist the FBI hack a seized iPhone.

California AG Proposes Stronger Enforcement for State Privacy Law

The attorney general of California has unveiled legislation that would strengthen the California Consumer Privacy Act. The new bill would enable consumers to enforce their rights in court. The proposal comes as California seeks to implement the Consumer Privacy Act. In testimony for the US Congress, EPIC has explained that the "most effective way to improve data security is to establish a private right of action." At present, there are hundreds, perhaps thousands, of substantial privacy complaints pending before the Federal Trade Commission. The EPIC State Policy Project monitors privacy bills nationwide.

Representatives Lawrence and Khana Introduce Resolution on AI Policy

Reps. Brenda Lawrence (D-MI) and Ro Khanna (D-CA) have introduced a Congressional resolution calling for guidelines for the ethical development of artificial intelligence. The Ethical AI resolution sets out core principles, including transparency, accountability, fairness, privacy protection, public engagement, education, and safety. EPIC has proposed similar principles, the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries. EPIC previously urged lawmakers to appoint AI Commission members who support the Universal Guidelines.

FTC Obtains Fines TikTok for Violation of Children's Privacy

TikTok has settled with the FTC for $5.7 million over allegations that the Chinese video app company violated the Children's Online Privacy Protection Act. The FTC complaint alleges that TikTok violated COPPA by collecting personal information from kids without parental consent. The $5.7 million fine is the Commission's largest COPPA penalty. The Commission's vote was unanimous. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues.

FTC Announces Task Force on Competition in Tech

The FTC recently announced a new task force dedicated to monitoring U.S. technology markets and investigating anticompetitive conduct. FTC Chairman Joe Simons said "it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition." According to the FTC, the Technology Task Force will examine "prospective merger reviews" and will review "consummated technology mergers." EPIC objected to Facebook's acquisition of Whatsapp in 2014 and Google's acquisition of DoubleClick in 2007. EPIC has called on the FTC to require Google to divest Nest, after reports that the company hid listening devices in the home thermostat, and pressed the Commission to use its equitable authorities, including divestiture, to enforce consent orders.

European Data Supervisor Releases Annual Report, Warns U.S. on Bulk Collection

European Data Protection Supervisor Giovanni Buttarelli recently released the 2018 EDPS annual report. Among recent accomplishments are the 2018 Conference on Digital Ethics, adoption of an EU-Japanese data transfer deal, and implementation of the GDPR. At a press conference for the report's release, Buttarelli also recommended that the United States enact a federal privacy law, ratify the Council of Europe Privacy, Convention, and resolve long-standing concerns about mass surveillance. "In my opinion, bulk collection as such is not fully compatible with our system," Buttarelli said. EPIC has long recommended that the United States ratify the International Privacy Convention. EPIC has always proposed changes to Section 702 of the Patriot Act, which permits the bulk collection of the personal data of Europeans.

UK Report Faults FTC Failure to Enforce Facebook Order

The UK House of Commons published the report "Disinformation and 'fake news'" following an eighteen-month investigation of Facebook. The report found that if Facebook had fully complied with the FTC settlement, Cambridge Analytica would not have happened. The UK report stated, "It seems clear that Facebook was, at the very least, in violation of its Federal Trade Commission settlement." The FTC announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.

EPIC in the News

• Privacy advocates call for new agency to replace FTC, Washington Times, March 5, 2019
• Privacy Groups Take Their Turn, POLITICO Morning Tech, March 4, 2019
• US consumer regulator forms task force to monitor big tech, Business Times, Feb. 28, 2019
• FTC's New Task Force Could Be Trouble for Big Tech, Wall Street Journal, Feb. 28, 2019
• Google Nest device sets alarm bells ringing, Verdict, Feb. 28, 2019
• Facebook, Google in crosshairs of new FTC competition task force, Fox News, Feb. 27, 2019
• FTC faces skeptics as it targets big tech, The Hill, Feb. 27, 2019
• The Technology 202: Critics Skeptical FTC's New Competition Task Force Will Shake Up Big Tech, The Washington Post, Feb. 27, 2019
• U.S. consumer regulator forms task force to monitor big tech, Reuters, Feb. 26, 2019
• The Trump administration orders government to speed up its use of AI, MuckRock, Feb. 26, 2019
• California wants Silicon Valley to pay you a data dividend, CNET, Feb. 25, 2019
• Guiding the Development of AI, Firewalls Don't Stop Dragons Podcast, Feb. 24, 2019
• FTC Urged To Make Google Spin Off Nest After Privacy Flap, Law360, Feb. 22, 2019
• EPIC demand: It's time for Google to fly the Nest after 'forgetting' to mention home alarm hub has built-in mic, The Register, Feb. 22, 2019
• Why the U.K. Condemned Facebook for Fuelling Fake News, The New Yorker, Feb. 22, 2019
• Consumer Groups Livid Over Senate Hearing Snub, Politico, Feb. 22, 2019
• EPIC is calling on the FTC to force Google to divest the Nest business after it failed to let consumers know about a hidden microphone, Business Insider, Feb. 21, 2019
• Jeers & Cheers for Google, POLITICO Morning Tech, Feb. 21, 2019
• Nest's Hidden Microphone Prompts EPIC to Call for FTC Action Against Google, Fortune, Feb. 21, 2019
• Facebook Once Again Under Fire for In-App Purchases Made by Children, Fortune, Feb. 21, 2019
• Privacy groups accuse Facebook of deceiving children into spending parents' money, The Hill, Feb. 21, 2019
• Google Admits Your Nest Camera Has a Secret Microphone–Here's How to Make Sure It's Off, Real Simple, Feb. 21, 2019
• Google forgot to mention that Nest Secure has a built-in microphone, PC Mag India, Feb. 21, 2019
• Can Washington keep watch over Silicon Valley? The FTC's Facebook probe is a high-stakes test, Washington Post, Feb. 20, 2019

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Eyes in the Sky Conference on Aerial Surveillance. Mar. 7, 2019. POGO/AAAS, Washington, DC. Jeramie D. Scott, EPIC Senior Counsel.

'Going Digital.' Mar. 11-12, 2019. OECD, Paris, France. Marc Rotenberg, EPIC President.

The Film Corner: Slave to the Algorithm. Mar. 11, 2019. OECD, Paris, France. Marc Rotenberg, EPIC President

'Privacy: Has Targeted Marketing Gone Too Far?' Mar. 13, 2019. SXSW, Austin, TX. Christine Bannan, EPIC Consumer Protection Counsel.

Yale CEO Conference. Mar. 20, 2019, Washington, DC. Marc Rotenberg, EPIC President.

Tech Frontiers in Communications Privacy. Mar. 21, 2019. ABA/FCBA. Washington, DC. Alan Butler, EPIC Senior Counsel.

UK Data Protection Practitioners' Conference 2019. Apr. 8, 2019. Manchester, UK. Marc Rotenberg, EPIC President.

FTC Hearing: The FTC's Approach to Consumer Privacy. Apr. 10, 2019. Washington, DC. Christine Bannan, EPIC Consumer Protection Counsel.

AI World Society. Apr. 25, 2019. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.

Cyber Crime Review. Aug. 8, 2019. ABA Annual Meeting, San Francisco, CA. Alan Butler, EPIC Senior Counsel.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.