EPIC Alert 26.14

1. EPIC Challenges FTC-Facebook Settlement, Asks Court to Hear from Privacy Groups

EPIC has filed a motion to intervene in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. EPIC filed its motion one day after the Government and Facebook asked the court to approve the settlement. EPIC said the settlement "is not adequate, reasonable, appropriate, or consistent with the public interest" because it "fails to safeguard the interests of Facebook users.

EPIC explained that the proposed settlement would require no substantial changes in the Facebook's business practices and would send thousands of pending complaints to the paper shredder.

EPIC explained that "five detailed consumer complaints" EPIC filed with the Commission since 2012—along with more than 26,000 other consumer complaints against Facebook pending at the FTC—"would be extinguished by the proposed consent decree." EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized.

Facebook and the Government have sought to block EPIC's participation. EPIC responded that "the commission's unprecedented decision to offer the largest social media company in the world immunity for all violations of the FTC Act and the prior consent order committed over a seven-year period raises significant fairness and arbitrariness concerns that justify EPIC's intervention and the court's close scrutiny." EPIC further said, "The FTC has not provided any reasoned explanation for rejecting the complaints that EPIC and other consumer groups submitted, nor has the Commission offered any reasoned explanation for granting a broad immunity to Facebook for past violations."

EPIC also explained that "the FTC's own regulations require the Commission to place consent agreements on the public record for a thirty-day comment period," and the FTC's failure to do so "deprives EPIC of an opportunity to influence the FTC's decision making on the proposed settlement."

In 2009, EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, including former FTC chief technologist Ashkan Soltani and Senators Ed Markey (D-MA), Richard Blumenthal (D-CT), and Josh Hawley (R-MO).

2. EPIC Asks NJ Supreme Court to Apply Fifth Amendment to Cell Phone Searches

EPIC recently submitted an amicus brief in State v. Andrews, a New Jersey Supreme Court case about the compelled disclosure of a cell phone passcode and the right against self-incrimination under the Fifth Amendment.

EPIC argued that the Fifth Amendment limits the ability of the government to obtain cellphone passcodes. EPIC explained that the U.S. Supreme Court's decisions in Riley v. California and Carpenter v. United States held that the vast amounts of personal data stored in cell phones "justifies strong constitutional protections." EPIC also explained that exceptions to the Fifth Amendment were adopted before personal information was "consolidated in one place."

EPIC argued that "[m]odern cell phones have fundamentally changed the scope of personal information available to law enforcement" and that law enforcement need not expend substantial resources to identify and locate sensitive information. EPIC explained that a lower court decision in the case "places an astonishing amount of sensitive data in the hands of law enforcement through coercion of the suspect, in sharp contradiction to the reasons underlying the Fifth Amendment privilege against self-incrimination."

EPIC routinely files amicus briefs arguing that constitutional protections should keep pace with advances in technology. EPIC filed amicus briefs in Carpenter and Riley, which both involved the searches of cellphones. In Riley, the U.S. Supreme Court cited EPIC's amicus brief in its opinion. EPIC has also filed amicus briefs in the NJ Supreme Court in other occasions: State v. Earls, G.D. v. Kenny, and State v. Reid.

3. Following EPIC's Advice, Third Circuit Nixes Google Deal

A federal appeals court has rejected a proposed class action settlement in a case involving Google's tracking of internet users in violation of the users' privacy settings. The Third Circuit Court of Appeals wrote that it was particularly "troubled" by the prior relationships between Google, class counsel, and the organizations selected to receive funds in the settlement.

"[I]f challenged by an objector, a district court must review the selected cy pres recipients to determine whether they have a significant prior affiliation with any party, counsel, or the court," the court wrote. "A settlement should not be approved if such a prior affiliation 'would raise substantial questions . . . whether the selection of the recipient was made on the merits.'"

The court also pointed to the broad relief for monetary damages which "raises a red flag." The court explained that Google and the class counsel "sidestepped the requirements" for notice, yet "nonetheless obtained—for themselves anyway" the benefits of the settlement.

The appeals court instructed the lower court to determine whether the "the cy pres recipients have significant prior affiliations with Google, class counsel, or the Court, and, if so, whether . . . the recipients were chosen on the merits."

The court made clear that individuals should be able to pursue legal claims when privacy rights are violated. The court wrote, "In an era when millions of Americans conduct their affairs increasingly through electronic devices, the assertion Google makes—that federal courts are powerless to provide a remedy when an internet company surreptitiously collects private data—is untenable"

EPIC, in an amicus brief, had urged the court to reject the Google deal. EPIC said the settlement was "fundamentally flawed" because "Google is allowed to continue its unlawful conduct and the class members receive no monetary relief." EPIC also explained that the selection of organizations awarded in the settlement "raise significant conflicts of interest concerns."

EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement.

4. EPIC to Congress: Executive Order on Citizenship Status Threatens Privacy

EPIC has sent a statement to Congress warning that President Trump's Executive Order on Collecting Information about Citizenship Status could undermine Privacy Act safeguards. "Although President Trump has abandoned his quest to seek citizenship information through the 2020 Census, the plan to aggregate data from other agencies in the Commerce Department is also problematic," EPIC warned.

"Because the Executive Order contemplates both the collection of statistical data and the use of citizenship data for determinations about individuals, we urge you to scrutinize closely the Executive Order," EPIC wrote. "As the Supreme Court recently made clear in the census decision, the Commerce Department's stated purpose for collecting the data was 'contrived.' We believe there is a similar problem with the President's Executive Order."

EPIC has also submitted a Freedom of Information Act request to the Commerce Department seeking records about the creation and implementation of the President's Executive Order.

EPIC opposed the citizenship question in the 2020 Census, arguing in federal court that the Census Bureau failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns."

5. EPIC, Legal Scholars, Technology Experts Publish Statement on US AI R&D Policy

EPIC and more than two dozen legal scholars and technical experts have filed comments on a White House Office of Management and Budget proposal to open federal data sets for AI research and development. The comments call for the federal government to rely on non-personal data for AI R&D, respect U.S. privacy laws protecting government held personal data, and encourage compliance with framework principles for AI.

"EPIC supports the public availability of data from the federal government for use in AI research, development, and testing that is not personally identifiable information," the comments read. However, the comments strongly caution "against the use of data sets containing personally identifiable information," noting that federal agencies are under legal obligations to safeguard personal information from the Privacy Act and section 208 of the E-Government Act.

The letter also encourages compliance by federal agencies with the OECD Principles on Artificial Intelligence, which the U.S. recently endorsed, and the Universal Guidelines for AI. Both frameworks emphasize the importance of privacy protection in AI research.

EPIC has also previously proposed the Universal Guidelines as the basis for federal AI policy. The UGAI are twelve principles intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries.

News in Brief

Bipartisan FOIA Reform Bill Would Correct Recent Supreme Court Decision

Senators Chuck Grassley (R-IA), Patrick Leahy (D-VT), John Cornyn (R-TX), and Dianne Feinstein (D-CA) have introduced the Open and Responsive Government Act (S. 2220) to reverse the recent Supreme Court decision in Food Marketing Institute v. Argus Leader Media which overturned over 40 years of Freedom of Information Act precedent. The bill codifies the National Parks test, requiring that information may only be withheld from the public if disclosure would cause "substantial competitive harm" to the oompany that provided that information to the government. The bill also makes clear that agencies may only redact information under the FOIA's nine exemptions and cannot redact information as "non-responsive." In a press release Senator Leahy said, "The bill would limit the extent to which the government can use a recent Supreme Court opinion to justify abuses of a particular FOIA exemption to withhold information. And it would codify another court decision - one that the Trump administration increasingly ignores - prohibiting the government from withholding information on the tenuous rationale that it is supposedly not responsive to the FOIA request." According to Senator Grassley, "This balanced and bipartisan bill . . . mak[es] crystal clear where Congress stands on the public's right to know." EPIC submitted an amicus brief in the Food Marketing Institute case, warning the Court that changing the National Parks standard would deprive the public and groups such as EPIC access to important government information. EPIC frequently uses the FOIA to promote government oversight.

EPIC v. DEA: Court Rules Agency Can Keep Secret the Names of Agencies Using Hemisphere

A federal court in Washington, DC ruled last week that the DEA does not have to disclose to EPIC the names of the other agencies that use the Hemisphere call records database managed by AT&T. Earlier in the same FOIA case, EPIC obtained documents from DEA which revealed that both the FBI and CBP query the Hemisphere database. The agency was allowed to submit a secret affidavit in support of its claims, but the court ordered the agency to file a revised declaration, "consistent with its recent disclosures to EPIC."

EPIC Comments on Canada Transborder Data Flow Policy

EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data protection extend across borders, citing risks to privacy after the Capital One breach impacted affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles.

Government Seeks to Block EPIC Intervention in Facebook Case

The federal government has asked a court to deny EPIC's Motion to Intervene in United States v. Facebook, a case which concerns a proposed settlement between the Federal Trade Commission and Facebook. EPIC filed the motion to protect the privacy interests of Facebook users. EPIC argued that the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC has asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2.

International DPAs Raise Concerns About Facebook and Libra

Data protection commissioners from several countries published a joint statement on Facebook's proposed Libra currency network. The Commissioners said "strong privacy safeguards are the foundation for innovation in the digital world" and "we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure." The Commissioners said Facebook has "failed to specifically address the information handling practices that will be in place to secure and protect personal information." The Commissioners cited EPIC statements for Senate and House warning stating that "Facebook clearly cannot be trusted with consumers' financial data." EPIC also joined a coalition of consumer groups calling for an end to Facebook's Libra plan.

Congress Seeks Answers on Capital One Data Breach

Top-ranking Republicans on the House Oversight and Reform Committee sent a letter to Capital One and Amazon seeking briefings on the data breach that compromised the personal information of 106 million people. Rep. Maxine Waters, Chair of the House Committee on Financial Services, released a statement that said "I plan to work with my colleagues and take action in the Financial Services Committee on legislation to improve oversight of the cybersecurity of financial institutions." In testimony before the Senate and the House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. Following the Capitol One data breach, EPIC President Marc Rotenberg wrote for CNN that "Congress needs to update federal privacy laws, establish meaningful oversight, and encourage business practices that are more resilient when breaches occur."

Google Speech Transcription Suspended in Europe

Following an investigation by a German data protection agency, Google has suspended Assistant for a three-month period. Johannes Caspar, the head of the Hamburg data protection agency, found Google was recording and transcribing private conversations for examination by Google contractors. Caspar said there are "significant doubts" as to whether Google Assistant complies with EU data-protection law. Caspar previously uncovered the fact that Google Street View vehicles were intercepting and recording private wifi communications, a charge that Google denied until the hard drives in the Google vehicles were examined. In the US, Google settled a "Spy-Fi" case for $7 million with state AGs following the investigation by the German privacy agency. EPIC previously asked the FTC and the Department of Justice to determine whether "always on" devices violate federal wiretap law. Neither agency has made a determination.

EPIC Comments on FTC Safeguards Rule

EPIC provided comments to the FTC on the agency's proposed update to the Safeguards Rule on data security for financial institutions. In the proposal, the FTC highlighted that EPIC "recommended that certain practices set forth in the FTC's Safeguards Rule Guidance, such as employee background checks, authentication requirements, and encryption, should be mandatory." EPIC's comments (1) express support for the FTC's decision to mandate baseline security requirements, (2) request that the Safeguard Rules apply to all organizations and companies that collect consumer data, and (3) urge the FTC impose data minimization requirements. Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S.

EPIC Asks Senate Rules Committee to Investigate Tech Task Force's Closed-Door Meetings

EPIC, the Center for Digital Democracy, and the Consumer Federation of America have written to the Senate Rules Committee regarding a closed-door meeting of a Senate "Tech Task Force." The groups allege that the meeting violated the Senate Rules of Procedure for open meetings, public notice, and recording of Committee meetings. As EPIC and the groups explained, "the Senate Rules of Procedure establish a strong presumption that meetings of the Senate shall be open to the public." There are six narrow exceptions to this rule, none of which apply to the meeting of the "Judiciary Committee Tech Task Force" held on July 18, 2019 in the hearing room of the Senate Judiciary Committee. The meeting included four industry lobbyists, members of the Senate and their staff. The public and the press were not notified of the meeting, nor were they invited, nor was a record of the meeting created. EPIC, CDD, and CFA asked the Rules Committee to open an investigation and make a determination, and then instruct the Member to conduct meetings in accordance with the Senate Rules and Regulations. The groups said "Open meetings, public notice, and hearing records are central to the integrity of the United States Senate." The groups wrote earlier to the Senator who organized the Tech Task Force, expressing support for the initiative but also urging her to establish a more "open, inclusive process."

U.S. AI Commission Releases Initial Report, Priorities Ignored, Secret Meetings Continue

The National Security Commission on Artificial Intelligence, following months of closed-door meetings, has released a four-page initial report. The disclosure follows an EPIC Freedom of Information Act request seeking the report and related records. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address national security and defense needs. But the Commission's initial report makes no mention of the risks of AI, "international humanitarian law, and escalation dynamics," despite Congress's express instructions to address these concerns. The report also contains no discussion of protecting privacy and civil liberties, as is required by an Executive Order concerning "American Leadership on Artificial Intelligence." Representatives of large tech firms, including Google and Microsoft, dominate the Commission. According to the report, the Commission has held 13 plenary and working group meetings in secret—a clear violation of the Federal Advisory Committee Act.

Voter Privacy Act Would Limit Targeting

Senator Dianne Feinstein (D-CA) has introduced the Voter Privacy Act, S. 2398, a bill to ensure privacy with respect to voter information. The Act would give voters basic rights regarding their personal data: right of access, right of notice, right of deletion, right to prohibit transfer, and the right to prohibit targeting. The Federal Election Commission would oversee enforcement of the Act. "Political candidates and campaigns shouldn't be able to use private data to manipulate and mislead voters. This bill would help put an end to such actions," Senator Feinstein said. The bill cites EPIC Advisory Board members Julie E. Cohen's forthcoming publication "Between Truth and Power," quoting "today's networked information flows are optimized to produce what social psychologist Shoshana Zuboff calls instrumentarian power: They employ a radical behaviorist approach to human psychology to mobilize and reinforce patterns of motivation, cognition, and behavior that operate on automatic, near-instinctual levels and that may be manipulated instrumentally." The Voter Privacy Act was referred to the Senate Rules Committee.

Pew: States Battle Big Tech Over Data Privacy Laws

The Pew Charitable Trusts reports that of the 24 states legislatures that considered data privacy legislation in 2019, only a few have passed new laws. Last year, California passed the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. Last month, New York state passed the Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. According to the National Conference on State Legislatures, more than 100 privacy bills are currently pending in the states. The EPIC State Policy Project monitors privacy bills nationwide.

EPIC Seeks Documents About Executive Order on Citizenship Status Data Collection

EPIC has filed a Freedom of Information Act request with the Department of Commerce seeking documents about Executive Order 13,880, "Collecting Information About Citizenship Status in Connection With the Decennial Census." The executive order requires federal agencies across the government to transfer personal data, subject to Privacy Act safeguards, to the Department of Commerce to determine citizenship "status." Trump also ordered the Commerce Department to develop mechanisms for expanding the collection of data, including collecting data from state governments. Trump vowed that the government "will leave no stone unturned" when seeking citizenship information from every person living in the United States. EPIC recently sent a statement to Congress, warning that the executive order could undermine Privacy Act safeguards. EPIC opposed a similar effort by the Privacy Advisory Commission on Election Integrity to gather personal data from the states. The program was eventually suspended, the data deleted, and the Commission disbanded.

New York Passes Data Breach Law

New York state passed the Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. The SHIELD Act requires notification to affected consumers when there is a security breach, broadens the scope of covered information, expands the definition of data breach, and extends the notification requirement to any entity with private information of a New York resident. Governor Cuomo said: "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data." Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S. and also warned that federal preemption of state privacy laws will lead to an increase in data breaches and financial fraud.

Equifax Settlement: Exercise Your Rights!

After a settlement with Equifax, consumers can now file a claim for free credit monitoring or a cash payment of $125. If you spent time recovering from the breach or lost or spent money because of the breach, you can request payment of up to $20,000. Credit monitoring or the $125 cash payment is easy and requires no documentation, though the actual amount provided may be less depending on the total number of claims. Supporting documents are necessary if you seek payment for time lost or costs because of the breach. The settlement also requires Equifax to provide all U.S. consumers with 6 free credit reports per year. EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer remedies following the 2017 data breach.

Capital One Breach Sets Record

Capital One bank announced that a criminal hacker stole the personal information of 106 million people who had applied for credit, including credit scores, social security numbers, and bank account numbers. By some measures, it is the largest data breach of a US bank in history. The FBI arrested the alleged hacker and filed a complaint in federal court. Capital One joins a long list of companies that have had data breaches in recent years. In testimony before the Senate and the House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. EPIC has recently renewed calls for the creation of a US Data Protection Agency.

Top European Court Rules Companies Using Facebook 'Like' Button Are Responsible for User Privacy

The Court of Justice for the European Union has ruled websites embedding the Facebook "like" button are responsible for user privacy. Facebook's tracking technique collects the personal data of visitors to a third-party website and transfers it to Facebook. In Fashion ID v Verbraucherzentrale NRW, the Court stated FashionID can be held jointly responsible with Facebook for compliance with Europe's data protection rules. Fashion ID must obtain prior consent from users or have a legitimate interest in processing their data. The case concerns Europe's 1995 privacy law, but implicates similar terms in the new EU General Data Protection Regulation. EPIC Senior Counsel Alan Butler also recently appeared before the Court of Justice in DPC v. Facebook. The landmark case considers whether the transfer of data to the U.S. using standard contract clauses violates fundamental rights.

EPIC Seeks Consumer Complaints about Facebook Pending Before FTC Prior to Settlement Agreement

EPIC has filed a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users. The case concerns a proposed settlement between the FTC and Facebook. EPIC said the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Back in 2011, EPIC also urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2. More info at: https://epic.org/privacy/facebook/epic2019-challenge/.

Senate Intelligence Committee: Russian Election Interference 'Extensive'

The Senate Intelligence Committee has released the results of its investigation into Russian interference in the 2016 Presidential Election. The Committee found "extensive" Russian interference dating back to 2014. The EPIC Democracy and Cybersecurity Project has pursued numerous FOIA cases concerning Russian interference with the 2016 election. In EPIC v. DOJ, EPIC is seeking the complete, unredacted Mueller Report. In EPIC v. FBI (response to Russian cyberattacks), EPIC obtained the FBI victim notification procedures. In EPIC v. ODNI (Russian hacking), EPIC confirmed that Russia engaged in a "multi-pronged" attack against the U.S. elections. In EPIC v. IRS I, EPIC sought the release of President Trump's tax returns. In EPIC v. IRS II, EPIC is seeking the release of related business returns. And in EPIC v. DHS (election cybersecurity), EPIC obtained documents about election security procedures.

FTC Opens Antitrust Investigation of Facebook

Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced last month, the Commission failed to do so.

House Passes Bill to Combat Robocalls

In a 429-3 vote, the House passed a bill to combat the onslaught of robocalls. The Stopping Bad Robocalls Act would increase the fines for illegal robocalls, require phone companies to block robocalls by default, require more businesses to obtain consumer consent before calling, and much more. The Act comes two months after the Senate passed a similar bill—the Traced Act—with near unanimous support. Many criticized the Senate's bill for not going far enough. EPIC joined a coalition of consumer groups that urged members of Congress to support the House bill. EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments, and filed multiple amicus briefs emphasizing the need to limit robocalls.

Bill Introduced to Strengthen Privacy Protections at U.S. Borders

U.S. Senators Patrick Leahy (D-Vt.) and Patty Murray (D-Wash.) have reintroduced legislation that would strengthen privacy protections through limiting warrantless border searches. Customs and Border Protection officials are currently authorized to stop and search drivers without a warrant or even reasonable suspicion of wrongdoing within 100 miles of any U.S. border. They can also search private land within 25 miles of the border. In practice, this means government officers have authority to conduct searches without cause in a region that includes nearly two-thirds of the U.S. population. The Border Zone Reasonableness Restoration Act of 2019 would reduce the "border zone" from 100 miles to 25 miles and only allow officers access to private property within 10 miles of the border. A companion bill was introduced in the House of Representatives by Representative Peter Welch (D-Vt.). EPIC has long advocated against privacy-invasive border surveillance and has filed numerous lawsuits to force CBP and Immigration and Customs Enforcement to be more transparent about their border surveillance practices.

FTC Issues Facebook Fine; EPIC – 'Too little, too late.'

The Federal Trade Commission recently announced the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company's businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims." But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users,gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said, "The FTC's action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency."

EPIC to Congress: Executive Order on Citizenship Status Threatens Privacy

EPIC has sent a statement to Congress, warning that President Trump's Executive Order on Collecting Information about Citizenship Status could undermine Privacy Act safeguards. EPIC said "Although President Trump has abandoned his quest to seek citizenship information through the 2020 Census, the plan to aggregate data from other agencies in the Commerce Department is also problematic." EPIC explained that the "Executive Order contemplates both the collection of statistical data and the use of citizenship data for determinations about individuals." EPIC opposed the citizenship question in the 2020 Census, arguing in federal court that the Census Bureau failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns."

In Advance of Mueller Hearings, EPIC Sends Copies of Report to Congress

EPIC has sent dozens of copies of "The Mueller Report: EPIC v. Department and the Special Counsel's Report on Russian Interference in the 2016 Presidential Election" to members of the House Judiciary Committee and the House Permanent Select Committee on Intelligence. Mr. Mueller testified before both committees on July 24. The book, also available at Amazon, chronicles EPIC's efforts, in a Freedom of Information Act lawsuit, to obtain the complete, unreacted report.

Proposed Cy Pres-Only Settlement Provides No Benefit to Class Members

A proposed settlement with Google concerning the Street View program will provide no actual benefit to class members. With Street View, Google not only captured digital images of streets but also intercepted private wifi communications, including passwords. Beginning in 2007, EPIC and other consumer groups spent several years urging federal and state regulators to act. In 2013, 38 State Attorneys General settled claims against Google. In that settlement, Google agreed to end the collection of network data and launch a public service campaign to help users install secure wireless networks. Six years later, lawyers have just put before a federal judge a settlement that proposes that the company again end the program and launch a public service campaign. Chief Justice Robert has raised "fundamental concerns" about settlements that provide no benefits to class members and no change in business practices. In a cy press case earlier this year, Justice Thomas opposed the Gaos settlement, which also involved Google, explaining "because the class members here received no settlement fund, no meaningful injunctive relief, and no other benefit whatsoever in exchange for the settlement of their claims." EPIC seeks to promote class action fairness and has proposed objective criteria that courts should consider to protect the interests of Internet users in class action settlements.

Equifax to Pay Up to 700 Million in 2017 Data Breach Case

The CFPB, the FTC, and 48 State AGS recently announced a settlement with Equifax arising from the 2017 data breach that compromised personal data of 143 million Americans. The company, which offers authentication services, failed to safeguard the names, addresses, dates of birth and SSNs of 147 million Americans, and then failed to act once aware of the breach. EPIC President Marc Rotenberg testified before the House in 2018 and the Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that "the Equifax data breach is one of the most serious in the nation's history." EPIC urged lawmakers to update federal privacy laws and also ensure that the CFPB pursues an effective investigation. In the Harvard Business Review, Rotenberg explained the significance of the breach. "Reforms should not just fix these problems but also aim to transform the industry for the better," he wrote. Under the terms of the settlement, Equifax will pay up to 425 million to consumers impacted by the breach as well as a 100 million civil fine. EPIC has recently renewed calls for the creation of a U.S. Data Protection Agency.

EPIC in the News

• Are You Ready for Facial Recognition at the Airport?, Wall Street Journal, Aug. 14, 2019
• EPIC Steps Up Bid To Stop Facebook's $5B FTC Deal, Law360, Aug. 14, 2019
• Facebook fumbles on privacy, again, POLITICO, Aug. 14, 2019
• Facebook Ruling Extends Life Of Ill. Biometric Privacy Claims, Law360, Aug. 13, 2019
• Judge punts on speedy verdict for possible Mueller records release, POLITICO, Aug. 9, 2019
• CBP Plans to Use Facial Recognition For 'All Passenger Applications', NextGov, Aug. 9, 2019
• Appellate Court Sides Against Facebook In 'Faceprint' Privacy Battle, MediaPost, Aug. 8, 2019
• Facebook, Feds Oppose EPIC's Attempt To Intervene In $5B Privacy Settlement, MediaPost, Aug. 7, 2019
• DOJ, Facebook Oppose Group's Motion To Intervene In $5 Billion FTC Settlement, Lexis Legal News, Aug. 7, 2019
• Facebook, FTC Fight Privacy Group's Bid To Block $5B Deal, Law360, Aug. 7, 2019
• Facebook And FTC Oppose EPIC's Attempt To Intervene In Privacy Settlement, MediaPost, Aug. 6, 2019
• EPIC Privacy Group to Challenge $5 Billion FTC-Facebook Settlement, CPO Magazine, Aug. 6, 2019
• Gmail Keeps a Record of Your Purchase History in Plain Sight, and It's Not Alone, Fast Company, Aug. 6, 2019
• EPIC Privacy Group to Challenge $5 Billion FTC-Facebook Settlement, CPO Magazine, Aug. 6, 2019
• The Early Edition: August 6, 2019, Just Security, Aug. 6, 2019
• Letting Trump off the hook, Columbia Journalism Review , Aug. 6, 2019
• Judge hints at okaying release of unredacted Mueller report while House plods on toward impeachment, Daily KOS, Aug. 6, 2019
• Systematic Inequality and American Democracy, Center for American Progress, Aug. 6, 2019
• Judge Signals Interest in Removing Mueller Report Redactions, Politico, Aug. 5, 2019
• Judge Questions Barr's Handling of Mueller Findings, The Hill, Aug. 5, 2019
• Fed Judge: 'Difficult to Reconcile' Mueller Report with AG Barr's Statements, Law and Crime, Aug. 5, 2019
• FTC Praises Weak Slap On The Wrist For Facebook, The Ring of Fire, Aug. 5, 2019
• Facebook faces major identity crisis after $5B fine, new privacy procedures, WRAL Tech Wire, Aug. 5, 2019
• Facebook's settlements with the Federal Government - Key takeaways for all companies to consider, JDSupra, Aug. 5, 2019
• BREAKING: Judge questions Barr's handling of Mueller findings, USSA News, Aug. 5, 2019
• Consumers, Advocates Rail Against Lowered Equifax Cash Payouts, Longview News-Journal, Aug. 4, 2019
• Facebook antitrust inquiry by the FTC focuses on acquisitions, report says, Express Newsline, Aug. 4, 2019
• Facebook's settlements with the Federal Government—Key takeaways for all companies to consider, Lexology, Aug. 2, 2019
• Groups Seek Probe of Senate Task Force Meetings, POLITICO Morning Tech, Aug. 2, 2019
• JEDI tug-of-war, Politico, Aug. 2, 2019
• Google suspends eavesdropping after caught in another privacy scandal , World News Daily (WND), Aug. 2, 2019
• You'll Get Your Equifax Money. It Just Might Take a While, WIRED, Aug. 1, 2019
• 'Did someone forget to do the math?' Consumers, advocates rail against lowered Equifax cash payouts, Washington Post, Aug. 1, 2019
• EPIC challenges FTC-Facebook settlement, IAPP, July 31, 2019
• Facebook cares about its users' privacy*, Think Progress, July 31, 2019
• Privacy group asks court to reconsider FTC's $5 billion Facebook deal, Ars Technica, July 30, 2019
• What's Next After Facebook's Record $5 Billion Fine and Cambridge Analytica?, National Law Review, July 30, 2019
• To prevent data breaches like Capital One, Congress needs to act, CNN, July 30, 2019
• Facebook privacy deal with regulator under attack, The Times, July 28, 2019
• EPIC privacy group sues FTC for letting Facebook off easy, The Verge, July 26, 2019
• EPIC asks judge to hear from critics before approving $5B Facebook settlement, The Hill, July 26, 2019
• EU Court of Justice Grapples with U.S. Surveillance in Schrems II, Just Security, July 26, 2019
• EPIC Files Legal Challenge to Facebook's $5 Billion F.T.C. Settlement, New York Times, July 26, 2019
• Facebook Penalty Sends Message to Big Tech, WSJ, July 25, 2019
• 4 Takeaways From Facebook's Historic $5B Privacy Settlement, Law360, July 25, 2019
• Facebook Board to Tighten Oversight, as Zuckerberg Keeps Control, Wall Street Journal, July 25, 2019
• Critics Pan Facebook's Privacy Settlement, Forbes, July 25, 2019
• A $5 Billion Fine for Facebook Won't Fix Privacy, New York Times (Editorial), July 25, 2019
• Facebook hit with $5-billion federal fine for privacy violations, Los Angeles Times, July 24, 2019
• Facebook Fined Record $5 Billion By FTC For Privacy Violations, HuffPost, July 24, 2019
• FTC fines Facebook $5 billion for privacy violations, adds oversight, PBS Newshour, July 24, 2019
• Facebook expected to settle with FTC today, paying $5bn over data handling and agreeing to new controls, Computing (UK), July 24, 2019
• Facebook Fined $5 Billion and Ordered to Add Oversight of Data Practices, New York Times, July 24, 2019
• US slaps $5 bn fine on Facebook, toughens privacy oversight, AFP, July 24, 2019
• FTC Fines Facebook $5 Billion Over Privacy Violations, CBS San Francisco, July 24, 2019
• Facebook to pay $5bn fine, but will privacy prevail?, Al Jazeera, July 24, 2019
• Facebook Settlement Criticized for Weak Privacy Protections, Consumer Reports, July 24, 2019
• There's Zero Chance Facebook's 'Historic' FTC Fine Prevents Future Abuse, Lawmakers and Privacy Advocates Say, Gizmodo, July 24, 2019
• This is what Facebook's $5 billion fine means for your privacy, MarketWatch, July 24, 2019
• FTC fines Facebook $5B, adds limited oversight on privacy, Washington Post, July 24, 2019
• Facebook To Pay Record $5B FTC Fine For Privacy Breaches, Law360, July 24, 2019
• For Facebook's Zuckerberg, FTC settlement could bring a new era of accountability, Washington Post, July 24, 2019
• Facebook FTC Deal Shows Need for Privacy Bill, Lawmakers Say, Bloomberg, July 24, 2019
• Today was Facebook's worst day ever, and it won't make a difference, Engadget, July 24, 2019
• Facebook will have to pay a record-breaking fine for violating users' privacy. But the FTC wanted more., The Washington Post, July 23, 2019
• New York City to Consider Banning Sale of Cellphone Location Data, New York Times, July 23, 2019
• Facebook Settlement Requires Mark Zuckerberg to Certify Privacy Protections, Wall Street Journal, July 23, 2019
• NYC To Consider Bill To Ban Sale Of Cellphone Location Data, CBS New York, July 23, 2019
• Google settled two multi-million dollar lawsuits this week, Daily Dot, July 23, 2019
• Experts Say Travelers Unknowingly Put Their Personal Data at Risk, NBC Washington, July 23, 2019
• Facebook Settlement Expected to Mandate Privacy Committee, Wall Street Journal, July 22, 2019
• FTC Set to Unveil Terms of $5 Billion Facebook Settlement, Barron's, July 22, 2019
• Google agrees to pay $13 million in Street View privacy case, CNN, July 22, 2019
• Who should keep an eye on Silicon Valley?, POLITICO, July 21, 2019

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

AI and The Rule of Law. Sept. 20-21, 2019. IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. Athens, Greece. Marc Rotenberg, EPIC President.

41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.