EPIC Alert 26.12 - July 10, 2019
- Supreme Court Blocks Census Citizenship Question
- In Amicus, EPIC Proposes Duty to Protect Personal Data
- EPIC Amicus: Georgia's Electronic Voting Machines Unreliable, Fail to Safeguard Secret Ballot
- EPIC v. Commerce: D.C. Circuit Rules Privacy Impact Assessments Not Available to the Public
- EPIC to FAA: Drone Advisory Committee Needs Privacy and Security Experts
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
The U.S. Supreme Court has blocked the citizenship question from inclusion on the 2020 Census, upholding the result reached in a lower court. The Court ruled that the Commerce Department's decision to collect citizenship data "cannot be adequately explained" by the rationale provided by the agency. "Altogether, the evidence tells a story that does not match the explanation the Secretary gave for his decision," Chief Justice John Roberts wrote.
Although the Court gave the Commerce Department a second chance to provide a "reasoned explanation" for the citizenship question, the government conceded last week that it will not collect personal data concerning citizenship status on the 2020 Census. The government has since tried to retract that concession, but as of July 1, census forms are already being printed without the citizenship question.
EPIC separately sought to block the Census Bureau's collection of citizenship data because the agency failed to complete required privacy impact assessments. Last month, the D.C. Circuit issued a decision in the case, ruling that EPIC—one of the leading privacy organizations in the country—did not have a legal basis to obtain Privacy Impact Assessments from the federal government.
EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns." EPIC wrote that "in failing to assess the risks that would result from the collection of personal data regarding citizenship status, the Census Bureau has violated its obligations under the E-Government Act."
In an amicus brief for the D.C. Circuit Court of Appeals, EPIC has recommended that courts recognize a common law obligation to protect the personal data that companies choose to collect.
In Attias v. CareFirst, Inc., inadequate security practices allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer. A lower court dismissed many of the privacy claims in the case. But EPIC argued to the appellate court that data breaches underscore the need for companies to be held liable for faulty security.
"If courts do not permit individuals whose personal information has been mishandled and obtained by criminals to pursue redress, the problems of data breach and identity theft will only get worse," EPIC wrote. "Many data breaches are avoidable, and companies that collect and store sensitive information are in the best position to take the reasonable measures necessary to protect the data."
EPIC said that courts should impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data that they collect. "The time has come for companies to invest in reasonable data security precautions," EPIC argued.
In an amicus brief joined by 31 legal scholars and technical experts, EPIC asked a federal court to stop Georgia's use of Direct Recording Electronic voting machines. The case is Curling v. Raffensperger.
Experts in election security have shown that DREs are insecure and vulnerable to hacking. The machines fail to provide a paper trail that enables auditing, leaving vote tallies open to manipulation by remote adversaries. DRE systems also undermine the secret ballot, as particular voters could be linked to particular votes.
EPIC told the court that "the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions." While many states have replaced the DRE machines, Georgia's continued use of DREs leaves "elections subject to attack," EPIC explained.
In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy. Following the Russian interference in the 2016 presidential election, EPIC established the Democracy and Cybersecurity Project to preserve democratic institutions and review the federal response to election security failures.
The D.C. Circuit has issued a decision in EPIC v. Commerce, EPIC's suit to halt the collection of citizenship data in the 2020 Census over the government's failure to complete required Privacy Impact Assessments.
Under the E-Government Act, federal agencies must make Privacy Impact Assessments "publicly available" before undertaking a new collection of personal data. Privacy Impact Assessments provide the public with vital information about the government's data collection practices, including what information is to be collected, why it is being collected, how it will be used, how it will be secured, and whether individuals will have an opportunity to consent to or refuse collection.
Nonetheless, the D.C. Circuit ruled that the statute does not "vest a general right of information in the public" that would allow parties to compel the release of Privacy Impact Assessments. The court acknowledged that EPIC can sue on behalf of its members due to recent changes in EPIC's bylaws. Yet the Court concluded that EPIC—one of the leading privacy organizations in the country—did not have a legal basis to obtain Privacy Impact Assessments from the federal government.
EPIC is considering whether to appeal the decision. The case is EPIC v. Commerce, No. 19-5031.
EPIC has sent a letter to the Federal Aviation Administration urging the agency to name privacy and security experts to the Drone Advisory Committee. "The FAA has ignored well-documented privacy concerns and left US businesses, agencies, and consumers at risk," EPIC wrote. EPIC has repeatedly called on the FAA to adopt comprehensive rules for drones and to ensure that drones broadcast location and identifying information in real time.
The European Union recently adopted many of these recommendations. The new EU rules for drones require the real-time broadcasting of certain data, including the drone operator registration number, the geographical position of the drone, the drone route course, and the position of the drone operator.
EPIC filed suit last year to enforce the transparency obligations of the industry-dominated Drone Advisory Committee, which conducted much of its work in secret. EPIC's case forced the Committee to release hundreds of documents that it unlawfully withheld. The documents obtained by EPIC show that the Committee recognized drone privacy risks and even planned to form a "Privacy Subcommittee." Yet the Committee entirely failed to address privacy issues before making final policy recommendations to the FAA.
EPIC, Coalition Oppose Facebook Libra Plan
EPIC joined a coalition of consumer groups in a letter to Congress calling for an end to Facebook's Libra plan. Facebook, the world's largest social network company, said it planned to enter the global financial services market, likely sidestepping government oversight and democratic accountability. Several groups warned that "a careful assessment will show that the proposal is too dangerous to proceed." The coalition also identified "profound questions" about governance, national sovereignty, law enforcement, consumer protection, privacy, competition and systemic risk. Meanwhile, the Federal Trade Commission has failed to take any action in the fifteen months since the FTC reopened the investigation of Facebook, following the Cambridge Analytica scandal. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order against Facebook. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
CREW Backs EPIC in Case for Release of Full Mueller Report
Citizens for Responsibility and Ethics in Washington has filed an amicus brief in support of EPIC's case for the release of the full Mueller Report. CREW argued that the Justice Department cannot withhold parts of the Report as "deliberative" because the Report explains the Special Counsel's final decisions. "Especially in the context of an investigation into interference with our electoral process by a foreign power and potential links to the sitting President's political campaign, the public interest in disclosure is at an apex once the investigation is complete and the prosecutorial decisions have been made," CREW argued. EPIC recently moved for summary judgment to obtain the full Mueller Report. The case is EPIC v. Department of Justice, No. 19-810 (D.D.C.). Copies of the Mueller Report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore.
Citizenship Question Dropped from 2020 Census
The Census Bureau has confirmed that it will not collect personal data concerning citizenship status on the 2020 Census. The Bureau has instead ordered census forms to be printed without the proposed citizenship question. The decision follows a ruling by the U.S. Supreme Court blocking the citizenship question over the government's failure to provide a "reasoned explanation" for collecting citizenship information. EPIC filed a separate lawsuit to block the Census Bureau's collection of citizenship data because the agency had failed to complete required privacy impact assessments. The D.C. Circuit reached a decision in EPIC's case late last month. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns."
Congress Sues for Release of Trump's Tax Returns
The U.S. House of Representatives has filed suit to obtain six years of President Trump's personal tax returns from the IRS. Rep. Richard Neal, Chairman of the House Ways and Means Committee, has the authority under a section of the tax code to obtain the tax returns. But the IRS and Treasury Department have repeatedly refused to comply with the law. EPIC has sought the release of the President's tax records in two lawsuits: EPIC v. IRS I and EPIC v. IRS II. The D.C. Circuit's opinion in EPIC v. IRS I is cited in the House's complaint multiple times. EPIC previously urged Congress to obtain and publicly release President Trump's tax returns. EPIC is seeking to determine the extent of Russian interference in the 2016 presidential election.
Privacy Board Publishes Inventory of Current Oversight Activities
In an important step for transparency, the Privacy and Civil Liberties Oversight Board has published an inventory of current oversight activities. The Board announced it is reviewing NSA's search tool called "xkeyscore." The tool is used to search data collected under Executive Order 12333, a legal authority that has not yet been subject to public oversight. EPIC previously sought public release of the PCLOB report on Executive Order 12333. The Board will also issue a public report on how the intelligence community is implementing proposed surveillance reforms. EPIC previously sent detailed comments to the Board, urging the oversight agency to become a "leader" in open government and recommending specific changes to agency practices regarding FOIA and open meetings.
Professor Strossen Testifies on Social Media and Censorship
EPIC Advisory Board member and New York Law School Professor Nadine Strossen testified last week before the House Homeland Security Committee for a hearing on "Examining Social Media Companies' Efforts To Counter Online Terror Content and Misinformation." Professor Strossen advocated for non-censorial strategies for countering terror content and misinformation on social media. EPIC has previously told Congress that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online.
House Passes Election Security and Paper Ballot Bill
The House of Representatives has passed the SAFE Act, an election security bill establishing cybersecurity safeguards for election equipment, prohibiting wireless modems in voting machines, and requiring paper ballots. The bill would also provide for grants to states that perform risk-limiting audits. EPIC, along with the U.S. Technology Policy Committee of the Association for Computing Machinery, recently filed comments to the Election Assistance Commission. The groups urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. "The EAC should ban the use of internet-connected voting machines and protect ballot secrecy," EPIC and USTPC said. EPIC has a long history of working to protect voter privacy and election integrity.
Facebook Fined 1,000,000 Euro Over Cambridge Analytica Scandal
The Italian Data Protection Authority has fined Facebook 1 million euros for its misuse of personal data in the Cambridge Analytica scandal. The authority said that 57 Italian users downloaded the "ThisIsYourDigitalLife" app through Facebook, which enabled Cambridge Analytica to unlawfully collect the personal data of more than 200,000 Italians. Meanwhile, the Federal Trade Commission has failed to issue any fines or take any action against Facebook in the fifteen months since the Cambridge Analytica scandal broke. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order against Facebook. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
Travis LeBlanc Confirmed for Privacy Oversight Board
The Senate has confirmed three members to the Privacy and Civil Liberties Oversight Board, including EPIC Advisory Board member Travis LeBlanc. LeBlanc is a partner at Boies Schiller and former Federal Communications Commission Enforcement Bureau Chief. Aditya Bamzai and Ed Felten were also confirmed. Aditya Bamzai is a law professor at the University of Virginia and former Department of Justice attorney. Professor Ed Felten is a former Chief Technology Officer for the FTC, former Deputy White House Science Advisor, and past member of the EPIC Advisory Board. The confirmations establish a quorum for the long-dormant agency. The European Parliament has called for suspension of the Privacy Shield if the U.S. does not improve data protection and restore the PCLOB. EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. EPIC previously sought public release of the PCLOB report on Executive Order 12333. In 2016, EPIC awarded the Champion of Freedom Award to former PCLOB Board Member Judge Patricia Wald.
Professor Sweeney Testifies Before Congress on Election Security
EPIC Advisory Board member and Harvard Professor Latanya Sweeney testified last week before the House Science Committee for a hearing on "Election Security: Voting Technology Vulnerabilities." Professor Sweeney is the lead author on a paper that surveyed vulnerabilities in voter information websites in 2016. She found that the voter information websites for 35 states and DC were vulnerable to identity theft attacks, meaning a hacker could submit changes to voter registration information. Professor Sweeney recommended that Congress urge states to improve security on voter registration websites, such as using the latest version of CAPTCHAs. EPIC has long defended voter privacy, including EPIC's case that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained.
CPDP 2020 Conference "Data Protection and Artificial Intelligence": Call for Papers
Computers, Privacy and Data Protection, the leading international conference devoted to privacy and data protection, has opened a call for papers ahead of the 2018 conference. The 13th annual conference will take place in Brussels on January 22-24, 2020. The theme of the conference is "Data Protection and Artificial Intelligence." The CPDP 2020 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP Scientific Committee. The deadline for submission is Tuesday, October 1, 2019. EPIC is one of the founders of CPDP and an annual sponsor of the event. The EPIC International Champion of Freedom Award will be presented at CPDP.
At G-20, Merkel Calls for Comprehensive AI Regulation
Speaking at the G-20 Summit in Japan, German Chancellor Angela Merkel called for the European Commission to propose comprehensive regulation for artificial intelligence. "It will be the job of the next Commission to deliver something so that we have regulation similar to the General Data Protection Regulation that makes it clear that artificial intelligence serves humanity," Chancellor Merkel said. EPIC recently urged the U.S. government to implement the OECD Principles on Artificial Intelligence and the Universal Guidelines for AI as standards for U.S. AI policy. Over 250 experts and 60 organizations, representing more than 40 countries, have endorsed the Universal Guidelines, which are intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights.
Congress, FTC Take Action Against Robocallers
A House subcommittee voted unanimously to advance a wide-ranging bill intended to crack down on robocalls. The Stopping Bad Robocalls Act (H.R. 3375) would enroll customers in free call-blocking programs and take more aggressive rulemaking steps to ensure people only get calls they ask to receive. The FTC also announced a partnership with state enforcers, "Operation Call it Quits," to crack down on illegal robocalls. The initiative includes 94 actions targeting robocallers responsible for more than one billion calls. EPIC has worked to ensure that telephone users are protected from invasive business practices through agency comments and amicus briefs in cases such as ACA International and Gallion v. Charter Communications.
Mueller to Testify Before Congress on July 17
Special Counsel Robert Mueller will testify before Congress on Wednesday, July 17, according to the chairs of the House Judiciary and Intelligence Committees. "Americans have demanded to hear directly from the Special Counsel so they can understand what he and his team examined, uncovered, and determined about Russia's attack on our democracy," Chairmen Jerrold Nadler and Adam Schiff said in a statement. Mueller's testimony comes as EPIC is pursuing the release of the complete and unredacted Mueller Report in EPIC v. Department of Justice. Judge Reggie B. Walton will hold a hearing on EPIC's case August 5. Copies of the Mueller report obtained by EPIC, related materials, and background on the case are available for purchase at the EPIC Bookstore.
Privacy Board to Review Use of Biometrics at Airports, Privacy of Passenger Data, and FBI Surveillance
The Privacy and Civil Liberties Oversight Board has announced three new oversight projects. The PCLOB reviews federal agency programs to ensure they do not diminish privacy and civil liberties. The Board said it will review: (1) the use of biometrics, such as facial recognition, in airports; (2) how the FBI queries data collected under the Foreign Intelligence Surveillance Act's Section 702, including searches for US person information called "backdoor searches"; and (3) oversight of passenger identity databases used by airlines. Earlier this year, EPIC sent a statement to the Board urging limits on the government use of facial recognition and an end to backdoor searches. In 2012, EPIC sent a detailed statement to PCLOB outlining priorities for the agency. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award.
- Federal Agencies Use DMV Photos for Facial Recognition. Here's What You Need to Know., Consumer Reports, July 9, 2019
- 'What's the point?' Lawmakers fess up to not fully reading the Mueller report, POLITICO, July 9, 2019
- FBI, ICE Turn Drivers' Licenses Into Facial Recognition Gold, TechNewsWorld, July 9, 2019
- Antitrust enforcers can think of privacy as a parameter of competition, CIO, July 9, 2019
- Is Europe winning the argument on how to regulate big tech?, The Telegraph, July 6, 2019
- The Biggest Cybersecurity Crises of 2019 So Far, WIRED, July 5, 2019
- House Dems Call For Facebook To Put Libra Plans On Pause, Law360, July 3, 2019
- Consumer groups ask lawmakers to halt Facebook cryptocurrency project, The Hill, July 2, 2019
- DC Circ. Piles Onto Standing Split With Data Breach Ruling, Law360, June 29, 2019
- Congress, Courts Both Take on Robocalls, WND, June 28, 2019
- US District Court Blocks New York City Data Collection, Ordinance Violates Fourth Amendment, European Data Protection Law Review, June 28, 2019
- Government privacy watchdog to probe airport facial recognition, The Hill, June 28, 2019
- Census Citizenship Question Saved From EPIC's Challenge, Bloomberg Law, June 28, 2019
- Smile for the camera: Systems to scan, analyze face of everyone entering Rochester airport, Democrat & Chronicle (Rochester, NY), June 26, 2019
- The problem with tech people who want to solve problems, Vox, June 26, 2019
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC Publications
EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)
EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.
The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)
The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
'Privacy in the Digital Age.' The Washington Center, Washington, DC. July 12, 2019. Marc Rotenberg, EPIC President.
Cyber Crime Review. Aug. 8, 2019. ABA Annual Meeting, San Francisco, CA. Alan Butler, EPIC Senior Counsel.
'Designing New Digital Divides: Tech Platforms' Myth of Inclusion Drives Exclusion.' Aug. 11, 2019. Academy of Management, Boston, MA. Marc Rotenberg, EPIC President.
'In Harm's Way: Smart Regulation of Digital & Network Technology.' Aug. 12–14, 2019. Conference on Communications Policy, Aspen, CO. Marc Rotenberg, EPIC President.
41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.
CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.