EPIC Alert 26.09

EPIC Alert logo

1. OECD Announces AI Principles, 42 Nations Endorse

The OECD this week announced the OECD Principles on Artificial Intelligence, the first international standard for AI, with the backing of 42 countries. The OECD AI principles make central "the rule of law, human rights and democratic values" and set out requirements for fairness, accountability and transparency.

OECD Secretary-General Guerra said the OECD AI principles "place the interests of people at its heart." Guerra also quoted Alan Turing, who once said, "We can only see a short distance ahead, but we can see plenty there that needs to be done." Civil society groups, working through the CSISAC, played a key role in the development of the OECD AI Principles as did the EPIC Public Voice project.

Earlier this year, EPIC President Marc Rotenberg commended the US administration for backing the OECD process, but also wrote in the New York Times that there is much more to be done. "The United States must work with other democratic countries to establish red lines for certain AI applications and ensue fairness, accountability, and transparency as AI systems are deployed," EPIC's Rotenberg wrote.

EPIC has also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Guidelines aim to reduce bias in decisionmaking algorithms, to ensure that digital globalization is inclusive, to create human-centered evidence-based policy, to promote safety in AI deployment, and to rebuild trust in institutions. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries.

2. EPIC Publishes Original Collection, The Mueller Report: EPIC v. Department of Justice

EPIC has published The Mueller Report: EPIC v. Department of Justice and the Special Counsel's Report on the Investigation Into Russian Interference. The collection chronicles EPIC's efforts to obtain a full account of Russian interference in the 2016 presidential election.

The book includes the annotated version of the Mueller Report obtained in EPIC's Freedom of Information Act lawsuit, EPIC v. Department of Justice, No. 19-810 (D.D.C.). EPIC filed the first lawsuit in the nation for the release of the full and unredacted Mueller Report. EPIC is now challenging the redactions in federal court, which is considering EPIC's case on an expedited schedule.

The EPIC collection also includes the original EPIC FOIA request, the letter from the Department of Justice to EPIC regarding the FOIA redactions in the annotated Mueller Report, letters from the Attorney General to Congress, and the statement from the Special Counsel about the release of the Report.

Also included in the collection is a foreword by EPIC President Marc Rotenberg describing EPIC's related cases to obtain information about Russian interference in the 2016 presidential election, as well as a brief introduction to the Freedom of Information Act.

The Mueller Report: EPIC v. Department of Justice is now available in the EPIC Bookstore. In the words of Garry Kasparov, Chair of the Human Rights Foundation, "Read the book the Attorney General wouldn't! More great work from @EPICprivacy."

3. EPIC Calls for Suspension of White House Data Collection on Social Media Use

EPIC has sent a letter to President Trump urging the White House to suspend the collection of personal data concerning the use of social media. The White House is seeking to collect detailed personal information including unique social profile names and citizenship status. The company hosting the form is also tracking Internet users and their devices. EPIC explained that "this data collection is unlawful, unconstitutional, and itself a violation of the First Amendment."

EPIC pointed specifically to the failure of the White House to undertake a Privacy Impact Assessment. "Agencies are expected to review the assessment and to determine whether collection is necessary and appropriate," EPIC wrote. "A Privacy Impact Assessment may lead an agency to modify or withdraw a proposed data collection."

EPIC also explained that the government may not compel people to reveal their names to exercise their First Amendment rights. "Americans across the country share a deep commitment to the First Amendment and the protection of personal privacy," EPIC wrote. "The White House should protect these fundamental rights."

EPIC has long fought to ensure that federal agencies comply with their privacy obligations, including the E-Government Act and the Privacy Act. Previously, EPIC forced the now-defunct Presidential Election Commission to delete personal voter data that it had unlawfully obtained without a Privacy Impact Assessment.

4. EPIC Again Urges FCC to Repeal Data Retention Regulation

EPIC recently filed comments with the Federal Communications Commission again urging the agency to repeal a regulation that requires the bulk retention of call records of American telephone customers.

Telephone companies are required to retain detailed call records for eighteen months for all subscribers, including the date, time, length, and number called for each call. The FCC's proposal would extend the rule for three years.

In the comments, EPIC explained that "the regulation is unduly burdensome, ineffectual, and threatens privacy and security." EPIC noted that the rule, which was originally designed to aid the Department of Justice in criminal investigations, now "serves little purpose," as "the type of data covered no longer match carrier billing practices." EPIC also explained that the rule "unnecessarily risks the security of Americans' personal information," as large collections of data "are the targets of state actors and criminals."

EPIC's comments pointed to recent cases in Europe prohibiting the mass retention of phone records, including a ruling of the EU's highest court that bulk telephone record retention violates fundamental rights. "The United States has fallen behind other advanced democracies around the world," EPIC explained.

EPIC and a coalition of civil rights organizations, technical experts and legal scholars first signed a petition for repeal of the FCC regulation three years ago. When the FCC docketed the petition for public comment, every comment received by the agency favored the EPIC petition to end the data retention regulation.

In comments to the agency last year, EPIC again urged the FCC to drop the requirement. EPIC noted that the Supreme Court's ruling in United States v. Carpenter, which recognized that cell phone location data is protected by the Fourth Amendment, "elevated the retention of cell phone data to a constitutional interest."

5. Following EPIC's Comments, UN Asks U.S. About Consumer Privacy Protection

Following comments by EPIC, the United Nations Human Rights Committee has asked the U.S. to report about consumer privacy protections. The questions come as part of the UN's periodic review of U.S. compliance with the International Covenant on Civil and Political Rights.

The human rights treaty, which the U.S. ratified in 1992, protects individuals from "arbitrary or unlawful interference with [their] privacy." The Human Rights Committee reviews parties' adherence to the ICCPR about every four years.

EPIC submitted comments to the Committee ahead of the U.S. review to raise concerns about protecting individuals against privacy violations by non-state actors. EPIC urged the Committee "to question the United States about the failure to protect the right to privacy . . . with respect to private sector data collection and use."

Adopting EPIC's recommendations, Human Rights Committee has asked the U.S. to explain what measures it has taken "to combat the interference of non-State organizations, such as Facebook, in privacy rights, including but not limited to the enforcement of judicial orders, the enactment of comprehensive privacy laws and the creation of a data protection authority."

This is the first time the Committee has asked the U.S. about how it protects the privacy of consumers. EPIC also recently submitted comments to the UN on the surveillance industry.

6. San Francisco Bans Facial Recognition

The San Francisco Board of Supervisors has passed an ordinance to limit the use of surveillance technology by city departments. The city will now require surveillance impact reports, annual audits, and review by the city controller.

The ordinances notes the impact of surveillance technologies on civil rights and civil liberties. "While surveillance technology may threaten the privacy of all of us, surveillance efforts have historically been used to intimidate and oppress certain communities and groups more than others, including those that are defined by a common race, ethnicity, religion, national origin, income level, sexual orientation, or political perspective."

EPIC is currently seeking to limit the use of facial recognition technology at the border. In December, EPIC warned the Department of Homeland Security's Data Privacy and Integrity Advisory Committee about the dangers of the agency's use of facial recognition at ports of entry and exit. EPIC called for a halt to the agency's use of facial recognition at the border until the agency has conducted a full notice-and-comment rulemaking. Earlier this week, EPIC filed a lawsuit for disclosure agreements between the State Department and other government agencies for facial images.

After 9/11, EPIC led an effort in Washington, DC, to document the growing use of surveillance cameras in the nation's capital. The project, Observing Surveillance, led to limitations on video surveillance by the City Council.

News in Brief

EPIC Sues State Department About Secret Facial Recognition Database

EPIC has filed a lawsuit to compel the State Department to release information about the transfer of facial images, gathered from visa and passport applicants, to other federal agencies. EPIC explained to the federal court in Washington, DC that the Customs and Border agency is now using those images in an unlawful border system. EPIC has called for the suspension of the CBP program. Senators Markey and Lee have also opposed expansion of the CBP program to U.S. citizens. In a related FOIA lawsuit, EPIC obtained documents concerning CBP's facial recognition program. A summary report revealed that the system did not perform operational matching at a "satisfactory" level.

EPIC Urges House Oversight Committee to Investigate FBI's Use of Facial Recognition

EPIC has sent a statement to the House Committee on Oversight concerning Facial Recognition Technology. EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau also proposed to exempt the database from Privacy Act protections. EPIC has sued the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.

EPIC to Senate Committee: The 'Digital Advertising Ecosystem' is Not Healthy

EPIC has submitted a statement to the Senate Judiciary Committee for a hearing on online advertising. EPIC told the Committee "The 'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web.

Court: Government Can't Skimp on Attorney's Fees in Public Interest Cases

The D.C. Circuit Court of Appeals has rejected the government's attempt to pay a public interest plaintiff far less than what is owed in attorney's fees. When a plaintiff wins a public interest lawsuit, federal law often requires the defendant to reimburse the plaintiff for attorney's fees. Many defendants—including federal agencies—try to minimize those payments by using artificially low billing rates. But in D.L. v. D.C., the federal appeals court ruled that the government's calculation of attorney's fees was based on "irrelevant figures" and "wrong" assumptions that attempted to diminish the complexity and cost of public interest cases brought in Washington, DC. The decision will make it harder for the government to underpay successful public interest plaintiffs in the future. EPIC, which often recovers attorney's fees in Freedom of Information Act cases, joined in an amicus brief in the case.

National Archives Releases New Kavanaugh Records

In response to EPIC's Freedom of Information Act lawsuit, the National Archives has released hundreds of new emails from Justice Kavanaugh's time in the White House. The emails concern the controversial surveillance programs Total Information Awareness, Computer Assisted Passenger Prescreening System II (CAPPS II), and Secure Flight. The contents of many emails were withheld in full. EPIC's FOIA lawsuit, along with a related lawsuitby Senator Richard Blumenthal, resulted in the public release of hundreds of thousands of pages about Justice Kavanaugh's work in the White House. The records include communications between Kavanaugh and John Yoo, the author of the warrantless surveillance program.

EPIC Says FAA Drone App Should Track Drones

In comments on the Federal Aviation Administration's proposed drone app B4UFLY EPIC reiterated the need for drones to broadcast ID, location, course and purpose. The FAA app would provide situational awareness to drone operators, but fails to provide the public with information about nearby drones. As EPIC explained, commercial planes and vessels routinely provide this information on apps widely available to the public. Further, it is unclear what data is collected by the FAA app, as the Privacy Impact Assessment provides conflicting explanations. EPIC said the FAA should limit the information it collects on non-commercial drone operators. EPIC has repeatedly called for remote, broadcast ID for drones, and led a coalition in 2012 to petition the agency to conduct a rulemaking on drone privacy. EPIC also sued the agency when it failed to establish limits on drone surveillance.

EPIC to Senate Committee: Press FAA on Drone Privacy

Prior to a hearing on "New Entrants in the National Airspace," EPIC has urged the Senate Commerce Committee to ensure that the FAA establish drone privacy safeguards. EPIC also said the FAA should require remote identification of drones. "Currently, individuals cannot hold drone operators accountable because it is essentially impossible to identify the drone or the operator of a drone," EPIC said. EPIC recently filed comments on the FAA's proposal for external ID for drones. Recently, Senators Edward Markey (D-MA) and John Thune (R-SD) urged the FAA to quickly publish a rule for the realtime, remote identification of drones. In 2012 EPIC, backed by more than one hundred organizations and privacy experts, petitioned the agency to establish privacy safeguards for drones. EPIC also cited a 2012 law requiring the FAA to develop a "comprehensive plan" for drone deployment. EPIC subsequently filed suit against the FAA, challenging the agency rule authorizing commercial drone operations without privacy safeguards.

Privacy Complaints Near 150,000 in First Year of GDPR

One year after the EU General Data Protection Regulation, European authorities have received a total of 144,000 privacy complaints and identified 89,000 data breaches. Europe's comprehensive data protection law went into effect on May 25, 2018. EPIC and coalitions of consumer groups have written to ninety-five major internet companies seeking compliance with the GDPR as a baseline standard for all users worldwide, and recently proposed "A Framework for Privacy Protection in the United States." The EPIC 2018 Privacy Law Sourcebook, a comprehensive overview of privacy laws in the US and around the world, includes the full text of the GDPR. At present, the United States has neither a comprehensive federal privacy law nor a data protection agency.

Senator Hawley Introduces 'Do Not Track' Bill for Internet

Senator Hawley (R-MO) introduced the Do Not Track Act, which would create a right to control the use of personal data similar to the national Do Not Call registry that gives every person the legal right to block companies from collecting any data beyond what is necessary to provide the company's service to the user. The legislation would prohibit companies from profiling users who activate Do Not Track and would ban discrimination against those who exercise their legal rights. EPIC President Marc Rotenberg earlier testified before the House Energy and Commerce Committee on a Do Not Track bill, and stated that legislation "would need to ensure that a consumer's decision is 'enforceable, persistent, transparent, and simple'." Voluntary proposals, developed by industry groups, to limit online tracking have been ineffective and ignored.

Judge Orders Redacted Portions of Mueller Report Be Made Public

U.S. District Judge Emmet G. Sullivan has ordered the government to release redacted portions of the Mueller report related to Michael Flynn, President Trump's former national security adviser by May 31. In the case about false statements to FBI investigators regarding contact with the Russian Ambassador, Judge Sullivan ordered the release of parts of the redacted Mueller report and related transcripts of calls with Russian officials. This is the first instance where a judge has ordered the release of redacted portions of the Special Counsel's report on Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the nation to release the full Mueller Report. EPIC obtained the annotated version of the Special Counsel's report and has published this version at the EPIC Bookstore. EPIC's case will go forward this summer on an expedited briefing schedule. EPIC's case EPIC v. Department of Justice, No. 19-810 (D.D.C).

Intimate Privacy Protection Act Reintroduced in Congress

Representatives Jackie Speier (D-CA) and John Katko (R-NY) reintroduced the bipartisan Intimate Privacy Protection Act. The legislation would target perpetrators who share intimate images without consent. Congresswoman Speier said the Act "will hold accountable and deter violators of intimate privacy, from vengeful exes to online predators who profit from and entertain themselves with the distribution of private intimate images." Senator Kamala Harris (D-CA) is introducing companion legislation in the U.S. Senate. EPIC has backed efforts to combat revenge porn, supported the Cyber Civil Rights Initiative, and awarded the 2017 EPIC Privacy Champion Award to Carrie Goldberg and the 2015 EPIC Award to Senator Harris.

House Members Begin Public Reading of Mueller Report

Members of the House of Representatives, led by Rep. Mary Gay Scanlon (D-PA, @RepMGS), have begun a public reading of the Muller Report. The reading is being broadcast live on C-SPAN. EPIC (@EPICprivacy) sued the Department of Justice for the release of the full, unredacted Mueller Report. EPIC has now obtained the document, processed pursuant to the Freedom of Information Act. EPIC has made the new version of the Muller Report and related documents available at Amazon. EPIC's FOIA case is on an expedited briefing schedule. Briefing will continue over the summer. EPIC expects to receive additional information from the Department of Justice about the Russian interference in the 2016 presidential election.

Senators Call for FTC to Investigate Amazon Echo for Kids

Senators Markey (D-Mass), Blumenthal (D-Conn.), Durbin (D-Ill.), and Hawley (R-Mo.) sent a letter to the Federal Trade Commission to launch an investigation into new evidence of Amazon violations of the Children's Online Privacy Protection Act (COPPA) with an Amazon device targeted to children. The Senators wrote: "Children are a uniquely vulnerable population. We urge the Commission to take all necessary steps to ensure their privacy as 'Internet of Things' devices targeting young consumers come to market, including promptly initiating an investigation into the Amazon Echo Dot Kids Edition's compliance with COPPA.: The letter cites a recent complaint to the FTC by Campaign for a Commercial-Free Childhood and joined by EPIC. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law.

Senators Introduce 'Honest Ads' Act for Online Political Ads

Senators Klobuchar (D-MN), Warner (D-VA), and Graham (D-SC) announced a bipartisan bill to make online political advertisements more transparent. The Honest Ads Act is a direct response to Russian interference in the 2016 election, which relied on anonymous political ads on Facebook, Google and Twitter. The Honest Ads Act would impose the same disclosure requirements for online ads as for TV and radio ads. "Foreign adversaries interfered in the 2016 election and are continuing to use information warfare to try to influence our government and divide Americans. We must act now to protect our democracy and prevent this kind of interference from ever happening again," Senator Klobuchar said. EPIC Consumer Protection Counsel Christine Bannan testified at the Federal Election Commission hearing in 2018 on the agency's proposed rule for political ads. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records).

Lawmakers introduce Legislation Regulating Equifax, Credit Reporting Agencies

Senators Warren and Warner and Representatives Cummings and Krishnamoorthi introduced the Data Breach Prevention and Compensation Act of 2019. The legislation would compensate consumers for stolen data, impose mandatory penalties on credit reporting agencies for data breaches, and give the FTC greater authority over data security at credit reporting agencies. The lawmakers also released a new report "Breach of Trust: CFPB's Complaint Database Shows Failure to Protect Consumers after Equifax Breach." The report found that consumers have filed over 52,000 complaints since Equifax announced the breach in September 2017. Following the Equifax data breach, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

FBA: Leveraging Technology to Enhance Transportation Security. May 23, 2019. Arlington, VA. Jeramie Scott, EPIC Senior Counsel.

AI World Society. May 25, 2019. Washington, DC. Marc Rotenberg, EPIC President.

AI and Human Rights: The Future of AI Policy in the U.S. June 5, 2019. National Press Club, Washington, DC.

EPIC Champions of Freedom Awards Dinner: 'Data Protection and Democracy' (REGISTRATION NOW OPEN). June 5, 2019. National Press Club, Washington, DC.

Cyber Crime Review. Aug. 8, 2019. ABA Annual Meeting, San Francisco, CA. Alan Butler, EPIC Senior Counsel.

'Designing New Digital Divides: Tech Platforms' Myth of Inclusion Drives Exclusion.' Aug. 11, 2019. Academy of Management, Boston, MA. Marc Rotenberg, EPIC President.

'In Harm's Way: Smart Regulation of Digital & Network Technology.'Aug. 12–14, 2019. Conference on Communications Policy, Aspen, CO. Marc Rotenberg, EPIC President.

41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

Share this page:

Defend Privacy. Support EPIC.
EPIC Mueller Report book
US Needs a Data Protection Agency