EPIC Alert 26.16

1. EPIC Report Finds Privacy Bills in Congress Lacking Basic Elements

EPIC has released a detailed analysis of the privacy bills that have been introduced in Congress. EPIC's report—Grading on a Curve: Privacy Legislation in the 116th Congress—reviews recent developments, identifies key characteristics of privacy laws, provides a glossary of key terms, and assesses pending legislative proposals. The report sets out a detailed methodology to help lawmakers, journalists, and the public evaluate the various privacy bills now pending in Congress.

EPIC found that many of the bills in Congress lack the basic elements of a privacy law, such as an opportunity for individuals to enforce their rights. The EPIC report strongly recommends the creation of a federal data protection agency, noting that almost every democratic country in the world has an agency to help protect personal data. The EPIC Report contends that "the failure to establish a data protection agency in the United States has contributed to the growing incidents of data breach and identity theft."

According to EPIC, Senator Ed Markey's Privacy Bill of Rights ranks #1. EPIC President Marc Rotenberg said, "There are shortcomings with all of the bills, but Senator Markey's is clearly the best."

EPIC Policy Director Caitriona Fitzgerald said, "As we prepared the report, we also became aware that Congress has yet to hold hearings on these legislative proposals. There appears to be a bottleneck at the Senate Commerce Committee and little activity in House Commerce. Before Congress enacts a bill, it will need to hold hearings and hear from experts."

2. In Amicus Brief, EPIC Urges Supreme Court to Limit Traffic Stops Based Solely on Owner's License Status

In an amicus brief, EPIC has urged the Supreme Court not to allow police traffic stops based solely on the status of the registered owner. Writing in Kansas v. Glover, EPIC warned that permitting police stops based on this factor, when combined with the growing use of Automated License Plate Readers, would "dramatically alter policing practices" and would "unfairly burden disadvantaged communities."

EPIC provided the Court with empirical data showing that "police departments across the country use ALPRs." The brief explains that "the technology is rapidly expanding to smaller police departments and municipalities" because "the cost of deploying" ALPRs "has dropped dramatically." EPIC presented evidence that use of ALPRs has already "significantly increased the number of traffic stops and false positives." EPIC argued that the "growing market for carsharing will also magnify the impact of ALPRs on drivers who have committed no traffic violation."

EPIC also argued that "the combined impact of ALPRs" and the proposed rule "will fall disproportionately on disadvantaged communities and people of color." EPIC presented data which indicate that these "groups are most heavily surveilled by ALPRs" and are "significantly more likely to be sharing a single car than those averaging a higher income."

EPIC explained that, because drivers in these communities often have suspended licenses "for reasons completely unrelated to traffic safety, including unpaid court fines," ALPRs would lead police to hunt drivers whose "temporary seizure" "would serve no traffic safety purpose." EPIC also argued that, because "people of color are disproportionately likely to be searched during traffic stops," the privacy invasion from ALPR would fall particularly hard on this demographic.

The Supreme Court has previously expanded Fourth Amendment protections for new technologies, such as GPS tracking devices (US v. Jones), cell phones (Riley v. California), and location data (Carpenter v. United States), in response to evolving policing techniques. EPIC recommended that the Court do the same in this case. EPIC routinely files amicus briefs in cases before federal and state courts concerning emerging privacy issues.

3. Following EPIC's 2011 Recommendation, Facebook Changes Default Setting on Facial Recognition

Following a decision by a federal appeals court that consumers can sue Facebook for violating the Illinois biometric privacy law, Facebook has changed its default setting for facial recognition. Since 2011, EPIC has warned that Facebook's use of facial recognition technology threatens privacy rights.

As of September 3, facial recognition—used primarily for automatic photo tagging—is set to "off" by default for both new and current Facebook users. Users who already have the setting turned on will be notified by Facebook and given a choice to deactivate it.

In August, the Ninth Circuit Court of Appeals ruled that consumers have the legal right—or "standing"—to sue Facebook for using facial recognition technology in violation of the Illinois Biometric Information Privacy Act. The court's decision in Patel v. Facebook explained that "because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook's alleged violation of these statutory requirements would necessarily violate the plaintiffs' substantive privacy interests."

EPIC filed an amicus brief in the case arguing that "the unlawful collection of an individual's biometric information in violation of [state law] is an invasion of a legal right," and thus allows users to sue in federal court. "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents," EPIC warned.

EPIC has consistently advocated for changing Facebook's facial recognition policy. In comments on the original FTC consent order in 2011, EPIC wrote that the FTC should "require that Facebook cease creating facial recognition profiles without users' affirmative, opt-in consent." EPIC had filed a complaint with the FTC early in 2011 charging that the "secretive collection, compilation and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world."

EPIC also filed similar complaints regarding Facebook's facial recognition technology with the FTC in 2016 and 2018, but the FTC simply failed to act on one of the most controversial business practices of the social media company.

4. EPIC Appeals Decision Allowing FAA Drone Committee to Operate in Secret

EPIC has appealed a lower court decision allowing the Federal Aviation Administration's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit last year against the industry-dominated Committee, which has consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern.

Although the Committee previously claimed that it had published all of its records, EPIC's case forced the Committee to release hundreds of documents that it unlawfully withheld. The documents showed that the Committee initially recognized the importance of regulating drone privacy risks and planned to form a "Privacy Subcommittee." Yet the Committee entirely failed to address privacy issues before making final policy recommendations to the FAA.

However, the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees, where many drone policy recommendations were developed. EPIC will now challenge that ruling before the U.S. Court of Appeals for the D.C. Circuit. The case is EPIC v. Drone Advisory Committee, No. 18-833 (D.D.C.), No. 19-5238 (D.C. Cir.).

EPIC has long fought to protect privacy rights against the growing use of drones in U.S. airspace. Recently, EPIC filed comments on the FAA's proposal to renew the drone registration system, urging the agency to move quickly on a drone ID broadcasting requirement.

5. Federal Court Rules FBI Watchlist Unconstitutional

A federal court has ruled that the "suspected terrorist" watchlist used by the FBI and Department of Homeland Security is unconstitutional.

The plaintiffs in Elhady v. Kable, twenty-three U.S. citizens, argued that they were not notified of their placement on the watchlist and were denied a meaningful opportunity to challenge their inclusion. Judge Anthony J. Trenga held that the watchlist "imposes a substantial burden on Plaintiffs' exercise of their rights to international travel and domestic air travel" and "fails to provide constitutionally sufficient procedural due process."

In 2011, government documents obtained by EPIC under the Freedom of Information Act revealed the Federal Bureau of Investigation's standards for adding and removing names from the watchlist and showed that individuals may remain on the FBI watchlist even if charges are dropped or a case is dismissed. The documents showed that individuals could be added to the watchlist based only on "particularized derogatory information"—a standard that has never been recognized by a court of law.

In 2018, EPIC obtained key records about Secure Flight, a Transportation Security Administration program that compares airline passenger records with various government watchlists. The released documents included a table revealing, for the first time, the number of people on two or more travel "blacklists."

EPIC has long campaigned against the use of secret watchlists. In 2011, EPIC told the DHS that "[s]ecretive government lists without any meaningful safeguards present a very real risk of 'mission creep,' in which a system is pressed into unintended or unauthorized uses."

EPIC Book Review: ‘The Fifth Domain’

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, by Richard A. Clarke & Robert K. Knake

Writing in The Fifth Domain, co-authors Richard A. Clarke and Robert K. Knake put it bluntly: "If we do not take concerted steps to reduce the risk of cyber war, if we do not engage in a multifaceted program to bring us close to cyber peace, we risk highly destructive cyberattacks that could cripple modern societies and escalate into the kind of Great Power conflict we have not seen in more than seventy-five years." Yet Clarke, a former counterterrorism coordinator under Presidents Clinton and Bush, and Knake, a senior fellow at the Council on Foreign Relations, see cause for hope. "We have full faith that, in time, we will find workable solutions to the problems that plague cyberspace today through an ugly and disruptive process of trial and error," the authors write.

The Fifth Domain—named after the Pentagon's byword for cyberspace—presents Clarke and Knake's view of what that "ugly and disruptive process" should look like. The book is part memoir, recounting many of Clarke's experiences in federal cybersecurity, and part history, laying out a grim chronicle of data breaches and cyberattacks. But at bottom, The Fifth Domain is a call for "cyber resilience": an approach of "building systems so that most attacks cause no harm, and that allow us to respond to and recover from attacks that do succeed, with minimal to no disruption."

Much of the book focuses on the optimal division of labor between private sector and government actors in developing "cyber resilience." On the private side, Clarke and Knake argue that—despite a sordid history of poor network security—"corporations can now achieve a fairly high level of cybersecurity if they spend enough, deploy state-of-the-art IT and cyber solutions, and adopt the right policies and procedures." The authors attribute this in part to an ongoing power shift from cyber "attackers" to cyber "defenders." "It's getting harder to find vulnerabilities in new systems and even harder to exploit them," they write.

As for government, Clarke and Knake see a more supervisory role. "In short, private companies must protect themselves," the authors write. "The government may provide assistance, but its responsibilities are to do the things that only the government can do, such as investigate crimes, collect intelligence, and wage war." The authors call on Congress to pass a comprehensive law establishing government-wide cybersecurity principles and coordinating the regulation of cybersecurity across various federal agencies.

At times, Clarke and Knake give short shrift to the privacy implications of their policy recommendations. For example, the authors propose a centralized, private-sector system of online identification—dubbed "ReallyU"—yet largely ignore the threats that such a system would pose to data privacy and online anonymity. Still, The Fifth Domain offers a compelling, clear-eyed, and cautiously optimistic take on the future of cybersecurity and cyberwarfare.

—John Davisson

News in Brief

California to Ban Police Body Cameras with Facial Recognition

California Governor Gavin Newsom is expected to sign legislation—The Body Camera Accountability Act—to ban the use of facial-recognition technology in law enforcement body cameras. Assembly Member Phil Ting (D), who wrote the bill, told the Washington Post, "Body cameras have been used as a tool to build trust between communities and law enforcement and to provide more transparency. Putting facial recognition software into those body cameras helps destroy that trust. It turns a tool of transparency and openness into a tool of 24-hour surveillance." EPIC had long warned lawmakers about police-worn body cameras and facial recognition. In a 2015 statement for the Senate, EPIC explained that "the use of facial recognition technology by law enforcement agencies is expanding within the United States without proper oversight or input from the public." In a related commentary, EPIC Domestic Surveillance Counsel Jeramie Scott wrote, "Police body cameras may help improve police relations with the public, but steps must also be taken to ensure that concerns about privacy are addressed. As body cameras increase, we must guard against expanding their use and remain focused on true police accountability." EPIC's State Policy Project tracks privacy developments in the states.

As Senate 'Tech Task Force' Meets Again Behind Closed Doors, EPIC Presses for Investigation

EPIC has again written to the Senate Rules Committee regarding the closed-door meetings of a Senate "Tech Task Force." EPIC said that the closed-door meetings violate the Senate Rules of Procedure. As EPIC explained, "the Senate Rules of Procedure establish a strong presumption that meetings of the Senate shall be open to the public." EPIC, the Center for Digital Democracy, and the Consumer Federation of America previously asked the Rules Committee to begin an investigation, make a determination, and then require that Tech Task Force meetings be held in accordance with the Senate Rules. The groups said, "Open meetings, public notice, and hearing records are central to the integrity of the United States Senate."

FTC YouTube Settlement Fails to Safeguard Children's Privacy

Following a comprehensive complaint launched by the CCFC and the CDD concerning children's privacy, the Federal Trade Commission has announced a settlement with YouTube and parent company Google. The companies agreed to pay $170 million to settle claims that they violated the Children's Online Privacy Protection Act, but little will change in the companies' business model. Writing in dissent, Commissioner Slaughter said, "Youtube and Google were knowingly profiting off of the unlawful tracking of children." She said the Commission should have required a "technological backstop" to ensure that behavioral advertising of children would not continue. Commissioner Chopra, also dissenting, wrote, "the Commission repeats many of the same mistakes from the Facebook settlement." In a statement, Senator Markey said the FTC should have required Google to delete all data it collected from children under 13, prohibited Google from launching a kids service without prior review, and required annual public audits. EPIC joined the CCFC and the CDD in the complaint to the FTC. Earlier, after Google acquired YouTube, EPIC sued the FTC to block Google's proposed consolidation of user data. The judge ruled against EPIC, but wrote, "EPIC - along with many other individuals and organizations - has advanced serious concerns that may well be legitimate..."

EPIC Says FTC Responsible for Cambridge Analytica

EPIC has filed comments on the FTC's proposed consent order with the individuals responsible for the Cambridge Analytica breach that impacted 87 million Facebook users, and possibly the outcome of the Brexit vote. EPIC wrote: "the Cambridge Analytica breach could have been prevented if the Commission had enforced the Consent Order." EPIC pointed to numerous reports that Facebook's improper sharing of personal data with third party developers was known to the FTC after the 2011 Consent Order. EPIC is currently pursuing two cases against the FTC, one to obtain the release of the complete biennial audits, the other to block the FTC's proposed settlement that would leave Facebook's business practices largely unchanged.

State Department Seeks Comment on UK Privacy Protections for CLOUD Act Certification

The State Department is seeking comment on certification of the UK for a CLOUD Act agreement. The CLOUD Act permits the U.S. to enter into "executive agreements" that allow foreign authorities to order production of communications content stored in the U.S. without obtaining a warrant. To form an agreement, the Attorney General must certify to Congress that the country's domestic law "affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government." The State Department is required to take into account expert input for the certification and is seeking comments on the rule of law in the UK, protection of human rights, and other factors listed for consideration in the CLOUD Act Section 105(b)(1)(B)(i-vi). Comments must be submitted via email to IFBHR@state.gov by Friday, September 13th. Earlier this year, EPIC International Counsel Eleni Kyriakides argued in the European Data Protection Law Review that the CLOUD Act fails to include key human rights protections, such as notice, judicial authorization, and transparency.

Federal Appeals Court Says LinkedIn Must Allow "Scraping" of Personal Data

A federal appeals court has ruled that LinkedIn must allow hiQ, a data analytics firm, to scrape user data from public profiles—at least, for now. The appeals court found that "hiQ's interest in continuing its business" outweighed users' privacy interests in their profile information. EPIC filed an amicus brief in the case. In 2017, a lower court permitted hiQ access to the user data of LinkedIn users. EPIC argued that "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy.

Top European Court to Review National Data Retention Laws

The Court of Justice for the European Union recently heard challenges to the data retention laws of the UK, Belgium, and France. The Court previously invalidated European and national data retention laws that required companies to retain communications data for law enforcement purposes. The Court said the laws were a "particularly serious" interference with the right to privacy. The new challenges, brought by civil society organizations, contend that European national laws fail to comply with the earlier rulings. EPIC recently urged the FCC to repeal a similar regulation that requires the retention of US telephone records, following an earlier petition to the agency. When the FCC docketed the EPIC petition for public comment, every comment received supported an end to the data retention regulation.

Senator Markey Presses Amazon on Ring Police Surveillance Deal

In a letter to Amazon CEO Jeff Bezos, Senator Ed Markey pressed the company to provide details about Amazon's deal with police departments for police access to the video footage from the company's Ring doorbells. Senator Markey wrote "the integration of Ring's network of cameras with law enforcement offices could easily create a surveillance network that places dangerous burdens on people of color and feeds racial anxieties in local communities." Senator Markey sought information about Amazon's plan to add facial recognition to the doorbell cameras, noting that "facial recognition technology disproportionately misidentifies African Americans and Latinos." In comments to federal law enforcement agencies and statements to Congress, EPIC has repeatedly warned of the dangers posed by facial recognition technology. Several years ago, EPIC urged the FTC to establish a moratorium on the commercial use of facial recognition technology until adequate privacy safeguards were established.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

The AI Policy Sourcebook 2019, edited by Marc Rotenberg (2019)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

AI and The Rule of Law. Sept. 20-21, 2019. IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. Athens, Greece. Marc Rotenberg, EPIC President.

National Tort Law Day. Oct. 5, 2019. American Museum of Tort Law. Winsted, CT. Marc Rotenberg, EPIC President.

International Working Group on Data Protection in Telecommunications. Oct. 10–11, 2019. Brussels, Belgium. Eleni Kyriakides, EPIC International Counsel.

'Law and Algorithms.' Oct. 14, 2019. Northwestern School of Law. Chicago, IL. Marc Rotenberg, EPIC President.

41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.

Privacy and Personal Data Protection Enforcement. Nov. 18, 2019. EPIC and the UK ICO. OECD. Paris, France. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.
