EPIC Alert 26.17

EPIC Alert logo

1. EPIC Challenges Closed Door Meetings of U.S. AI Commission

EPIC has filed an open government lawsuit against the National Security Commission on Artificial Intelligence, following the Commission’s repeated failure to make its records and meetings open to the public. EPIC is also seeking a preliminary injunction to force the Commission to disclose its records immediately.

Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI in the United States. EPIC filed multiple requests for access to Commission meetings and records. But the Commission has operated almost entirely in secret, even as it prepares to submit recommendations to Congress and the President.

"The recommendations of the AI Commission could have far-reaching implications for the U.S. government, private companies, and the public at large," EPIC told the court. "Public access to the records and meetings of the AI Commission is vital to ensure government transparency and democratic accountability."

EPIC also noted that "there are no public references to any work on 'privacy’ or any consideration of 'privacy’ by the AI Commission, despite the Commission holding at least thirteen meetings and receiving more than 100 briefings over the past six months." The Commission is chaired by former Google CEO Eric Schmidt and dominated by representatives of large tech firms, including Microsoft, Amazon, and Oracle.

EPIC is one of the leading organizations in the country with respect to the privacy and human rights implications of AI use. Last year, EPIC—joined by nearly 100 experts and leading scientific organizations including AAAS, ACM, FAS, and IEEE—successfully petitioned the White House Select Committee on Artificial Intelligence to incorporate public input in the committee's work. EPIC’s case against the NSCAI is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

2. EPIC Publishes First Reference Book on AI Policy

EPIC has published The EPIC AI Policy Sourcebook 2019. The EPIC collection is the first compendium of AI policy, providing essential information to policy makers, researchers, journalists, and the public.

The EPIC Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI, as well as materials from the EU, the Council of Europe, national AI initiatives, and professional societies IEEE and ACM. The Sourcebook also features extensive resources on AI, including organizations, reports, articles, and books from around the world.

"An invaluable assembly of varied governmental, professional, and corporate documents on the development and use of AI, from founding principles to the latest detailed international guideline," said Professor and EPIC Advisory Board member Harry Lewis. "Required reading for a necessary conversation," said Professor and EPIC Advisory Board member Sherry Turkle. The EPIC AI Policy Sourcebook is now available in the EPIC Bookstore.

EPIC has long advocated for privacy and human rights protections to govern the use of AI. Last week, EPIC filed an open government lawsuit to open the meetings and records of the National Security Commission on Artificial Intelligence. In August, EPIC and more than two dozen legal scholars and technical experts filed comments on a White House proposal to open federal data sets for AI research and development, cautioning against the use of personal data.

3. EPIC Uncovers 3,156 More Facebook Complaints at FTC—Over 29,000 Now Pending

Through a Freedom of Information Act lawsuit, EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook.

The new release includes complaints from consumer groups and members of Congress. EPIC also obtained records of over 3,000 new complaints in the FTC’s Consumer Sentinel database. EPIC earlier uncovered 26,000 complaints against Facebook filed since the 2011 consent order.

The most recent documents follow the Commission’s proposed $5 billion settlement with Facebook, announced in July. EPIC is challenging the proposed settlement in court because it "is not adequate, reasonable, or appropriate."

EPIC has explained that the settlement "seeks to grant Facebook immunity from any unlawful practices identified in prior consumer complaints, without addressing or even identifying the prior complaints." EPIC has also argued that the FTC's failure to consider public comments on the settlement, as the agency is required to do under its own regulations, "denies EPIC and others the opportunity to submit comments on the consent agreement."

In 2009, EPIC and other consumer privacy organizations filed the original complaint that created legal authority for the FTC to oversee Facebook's privacy practices. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed Facebook settlement, which was narrowly approved by the Commission, 3-2.

4. EPIC Advises CFPB to Reform Debt Collector Practices

In comments to the Consumer Financial Protection Bureau, EPIC urged the agency to strengthen consumer protections in the Fair Debt Collection Practices Act. The CFPB's proposed amendment to the Act would place minimal limits on the methods debt collectors use to contact consumers.

EPIC explained how debt collection practices continue to cause substantial consumer harm. Constant calls, texts, and emails from debt collectors intrude on privacy by disrupting consumers’ daily lives. Unfair debt collection practices, inadequate security procedures, and misuse of consumer information can expose consumers’ personal information in third-party disclosures or larger data breaches, resulting in economic, social, and psychological harms to the consumer.

EPIC recommended that the CFPB: (1) clarify the definition of debt collector, (2) impose limitations on quantities of texts and emails, (3) not provide a safe harbor for debt collectors through limited-content messages, (4) impose liability for third-party disclosures by email or text, (5) require debt collectors to offer a streamlined process for opt-out on any given medium, (6) limit the consumer information that can be included in debt validation notices, and (7) require debt collectors to comply with E-Sign Act consent requirements.

EPIC previously advised the CFPB on debt collector practices and the agency's publication of consumer narratives in the public complaint database.

5. EPIC Obtains New Documents in Mueller Case

EPIC has obtained new documents concerning Robert Mueller's investigation into Russian interference in the 2016 election. The records were released in EPIC v. Department of Justice, EPIC's case for the release of the Mueller Report and related documents.

The documents consist of previously undisclosed correspondence between Mueller's office and the Justice Department concerning the Special Counsel's budget. The DOJ withheld thirteen additional pages of records sought by EPIC, claiming that they are privileged.

EPIC recently argued in court for the release of the complete and unredacted Mueller Report. A ruling in the case is expected this fall. The book "EPIC v. DOJ: The Mueller Report" is available for purchase at the EPIC Bookstore.

The EPIC Democracy and Cybersecurity Project has pursued numerous FOIA cases concerning Russian interference with the 2016 election In EPIC v. FBI, EPIC obtained the FBI’s victim notification procedures. In EPIC v. ODNI, EPIC confirmed that Russia engaged in a "multi-pronged" attack against the U.S. elections. In EPIC v. IRS I, EPIC sought the release of President Trump's tax returns. In EPIC v. IRS II, EPIC is seeking the release of related business tax returns. And in EPIC v. DHS, EPIC obtained documents about election security procedures.

News in Brief

EPIC’s Danielle Citron Wins MacArthur Award

The MacArthur Foundation has selected EPIC Board Member and former EPIC Board Chair, Danielle Citron for the prestigious MacArthur Fellowship. Recipients of the MacArthur Fellowship must show exceptional creativity, promise for important future advances based on a track record of significant accomplishments, and potential for the Fellowship to facilitate subsequent creative work. Professor Citron’s research has focused on cyber harassment and hate crimes. In a recent TED talk, Citron discussed Deepfakes - a technique using artificial intelligence and superimposed images to create malicious video and hoaxes, and the long-term reputational impact for victims. Her work has been featured in The New York Times, The Atlantic, Slate, The Guardian, and TIME. Danielle Citron is the author of Hate Crimes in Cyberspace (HUP 2014), available at the EPIC Bookstore. The MacArthur Foundation wrote that Danielle Citron is "a legal scholar addressing the scourge of cyber harassment by raising awareness of the toll it takes on victims and proposing reforms to combat the most extreme forms of online abuse."

EPIC to Congress: Improve Public Access to Court Decisions

For a hearing on "Ensuring the Public’s Right of Access to the Courts," EPIC told the House Judiciary Committee that "in the digital age, access to court decisions is a critical component of the public’s right of access to the courts." EPIC has worked for many years to promote online access to judicial opinions, urging the federal government to make legal materials freely available on agency websites. "The public’s constitutional and common law rights of access to the law are fundamental to a society governed by the rule of law," EPIC said. EPIC also cited the work of the Internet Archive, which has worked to "promote universal access to all knowledge." EPIC noted, "Today the Internet Archive is one of the largest libraries in the world, harnessing the power of the Internet to make information freely available."

EPIC Joins Consumer Groups in Amicus Brief on Illegal Text Messages

EPIC has joined an amicus brief, led by the National Consumer Law Center, urging a federal appellate court to rehear a case about whether a consumer can sue a company for sending an illegal text message. A panel of the court recently decided that consumers cannot sue companies that send one text message in violation of the Telephone Consumer Protection Act. The consumer brief states that the decision "opens the floodgates to mass text messaging, a result that is contrary to the plain language of the statue and Congress’s intent." EPIC routinely files amicus briefs supporting consumers’ right in privacy cases. EPIC has filed several amicus briefs about the Telephone Consumer Protection Act.

EPIC Opposes Nomination of Marshall Billingslea for Top Human Rights Position

In a EPIC statement to the Senate Foreign Relations Committee, EPIC has urged the U.S. Senate to reject the nomination of Marshall Billingslea for Under Secretary of State for Civilian Security, Democracy, and Human Rights. "This is a critical position in the U.S. government for human rights and should be filled by a person with a deep regard for international law and fundamental rights, such as a constitutional scholar. Mr. Billingslea simply lacks the necessary qualifications for this post," EPIC said. EPIC also said that the US should ratify the International Privacy Convention. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data and algorithmic transparency.

EPIC to FTC: Strengthen Unrollme Order

In comments to the FTC on a proposed consent agreement with Unrollme, EPIC recommended requiring Unrollme to notify users of past deceptive practices and to obtain reauthorization from users before using personal data. According to the settlement with the FTC, Unrollme deceived users as to the privacy protections for personal emails. EPIC also respond to the Separate Statement of Commissioner Noah Phillips, warning that "continued support for 'Notice and choice' will only contribute to further erosion of privacy protection for American consumers." EPIC also suggested "if the Commissioner is genuinely concerned about restoring consumer choice and competition for Internet services, then unwinding the Facebook-WhatsApp merger, as EPIC has repeatedly urged, would be a good place to start." Agency regulations require the FTC to consider public comments before finalizing a proposed consent order.

EPIC to Congress: Do Not Renew Section 215 Surveillance Program

In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the House Judiciary Committee urging Congress to end the NSA's phone record collection program, known as "Section 215." Section 215 of the Patriot Act, according to White House legal advisors including now Supreme Court Justice Brett Kavanaugh, allowed the NSA to collect in bulk the telephone records of Americans. In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems with the reformed program, and the Director of National Intelligence confirmed that the limited collection program was suspended. Section 215 will sunset unless Congress chooses to renew the program.

EPIC Renews Call for Antitrust Agencies to Unwind Bad Mergers

In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so.

EPIC Urges Rules Committee to Clarify Position on Closed Door Hearings

EPIC has again written to the Senate Rules Committee regarding the meetings of a Senate "Tech Task Force," following a news item which suggested that the Rules Committee approved closed-door hearings. EPIC had called for an investigation into the meetings in the Senate Judiciary Committee hearing room, which were closed to the public and press, lacked public notice, and produced no written record. According to the POLITICO story, an unnamed staff person told a reporter that they had decided the Task Force was not subject to the open meeting requirement. EPIC was never notified of any decision. "This saga increasingly resembles a Kafka short story," EPIC wrote. EPIC has requested a written response to its requests for investigation and also wrote "we fully intend to pursue this issue until there is a favorable resolution."

D.C. Circuit Won't Fix Deeply Flawed Ruling in EPIC's Census Privacy Case

The D.C. Circuit has refused to void an earlier ruling in EPIC v. Commerce, EPIC's suit to halt the collection of citizenship data in the 2020 Census due to the government's failure to complete required privacy impact assessments. Under the E-Government Act, federal agencies must make privacy impact assessments "publicly available" before undertaking a new collection of personal data. Yet a three-judge panel of the D.C. Circuit ruled that the statute does not "vest a general right of information in the public" that would allow EPIC—one of the leading privacy organizations in the country—to obtain information about the government's data collection practices. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. The case is eligible for appeal to the Supreme Court, which blocked the citizenship question from being added to the 2020 Census in June. EPIC's case is EPIC v. Commerce, No. 19-5031 (D.C. Cir.).

Top European Court Elaborates on Right to Be Forgotten for Sensitive Data

In G.C. and Others v. CNIL the Court of Justice for the European Union has ruled a search engine operator must balance rights to determine whether to remove sensitive data - such as racial or ethnic origin, political opinions, religious or philosophical beliefs - from search results. Users brought suit against the CNIL after the French DPA declined to order Google to delist their sensitive data. The European Court ruled that a search engine operator which receives a request to de-list sensitive data must weigh the requester’s rights of privacy and data protection against the rights to freedom of information of internet users. EPIC publication "The Right to be Forgotten on the Internet: Google v. Spain," an account of the original case written by former Spanish Privacy Commissioner Artemi Rallo, is available in the EPIC bookstore.

Google Wins Global Delisting Case at European High Court, But Paragraph 72

In Google v. CNIL, the Court of Justice for the European Union ruled Google is not required to apply Europeans' requests to de-reference search results globally. The case follows an earlier ruling in Google v. Spain that Europeans have a right to remove links to their personal data in Google search results - the "Right to Be Forgotten." In the most recent case, the Court ruled that "currently there is no obligation under EU law, for a search engine operator...to carry out such a de-referencing on all the versions of its search engine." However, the Court also said that the search operator must "take sufficiently effective measures" to prevent searches for deferenced information from within the EU with a search engine outside of the EU. The Court also stated, in paragraph 72, that national authorities, in some circumstances, could require global delisting. EPIC supported the CNIL's approach contending that "commercial search firms should remove links to private information when asked." EPIC published "The Right to be Forgotten on the Internet: Google v. Spain" an account of the original case by former Spanish Privacy Commissioner Artemi Rallo.

Bill Introduced to Regulate Forensic Algorithms

U.S. Rep. Mark Takano (D-CA 41) has introduced the "Justice in Forensic Algorithms Act of 2019." The Act would create federal standards for the development and use of forensic algorithms as well as prohibit the use of trade secrets privileges to prevent defense access to evidence in criminal proceedings. The Computational Forensic Algorithm Standards include considerations of bias, accuracy, precision, and reproducibility, and makes "publicly available documentation by developers of computational forensic software of the purpose and function of the software, the development process, including source and description of training data, and internal testing methodology and results, including source and description of testing data." Earlier this year, Iowa passed a law regarding pre-trial risk assessment algorithms. EPIC has advocated for Algorithmic Transparency across all applications and urges the use of the Universal Guidelines for Artificial Intelligence to guide AI regulation. A new publication from EPIC — the AI Policy Sourcebook — includes major policy frameworks for artificial intelligence.

Secret AI Policy Meetings Continue

The National Security Commission on Artificial Intelligence held yet another closed-door meeting recently—the fourth such meeting in the Commission's short existence. Created by Congress in 2018, the AI Commission is tasked with considering "the methods and means necessary to advance the development of" AI to address national security and defense needs. But the Commission has operated almost entirely in secret, unlawfully refusing to publish any meeting notices or to allow any public participation. Last month, EPIC renewed its request to access Commission records and meetings. The Commission is dominated by representatives of large tech firms, including Google and Microsoft. EPIC has urged Congress to ensure that the Commission operates transparently.

Access Now Calls for Privacy Shield to be Struck Down

Access Now has called on the European Commission to strike down the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. In comments to the Commission, Access Now wrote "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today." The comments cite the limited redress provided by the Privacy Shield Ombudsperson, increased U.S. border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection. EPIC's earlier comments on the Privacy Shield highlighted the failure of the U.S. to curtail surveillance authorities, the absence of a comprehensive privacy law and a data protection agency. In October, the European Commission will decide whether to renew the pact.

Google Seeks to Establish Facial Recognition in Homes

With opposition growing to facial recognition, Google has decided instead to build facial recognition into Nest Hub Max, an "always on" device intended for use in the home. Google's "face match" constantly targets the facial images of each person in the household. Any interaction with the Google device is added to the secret user profile Google maintains for ad targeting. In 2014, EPIC filed a complaint with the FTC and said the "Commission clearly failed to address the significant privacy concerns presented in the Google acquisition of Nest," a related device that enabled surveillance in the home. EPIC later asked the Federal Trade Commission to require Google to spin-off Nest and to disgorge the data obtained from Nest users. A 2017 complaint to the Consumer Product Safety Commission from EPIC and consumer organizations pointed out that the "touchpad on the Google device is permanently set to 'on' so that it records all conversations without a consumer's knowledge or consent."

D.C. Metro Wants to Track Riders for Advertising Revenue

The D.C. Metro is proposing to track the cellphones of D.C. metro riders, with a network of sensors to detect Wi-Fi and Bluetooth connections. "WMATA has already begun to develop a network of digital display units and seeks to expand that network through digital place-based and location-based devices and programs," the Metro contracting document stated. After 9-11. EPIC led the Observing Surveillance campaign to limit the use of surveillance cameras in DC against residents and visitors. EPIC is pursuing a lawsuit against AccuWeather alleging that the company engaged in unlawful and deceptive practices in tracking consumers' locations in violation of the D.C. Consumer Protection Procedures Act.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The AI Policy Sourcebook 2019, edited by Marc Rotenberg (2019)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law andEPIC Report Finds Privacy Bills in Congress Lacking Basic Elements In Amicus Brief, EPIC Urges Supreme Court to Limit Traffic Stops Based Solely on Owner's License Status Following EPIC's 2011 Recommendation, Facebook Changes Default Setting on Facial Recognition EPIC Appeals Decision Allowing FAA Drone Committee to Operate in Secret Federal Court Rules FBI Watchlist Unconstitutional policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

'Emerging Global Principles and Concerns in Data Privacy and AI.’ Oct. 2, 2019. Multilateral Development Bank Privacy Symposium, World Bank. Washington, DC. Marc Rotenberg, EPIC President.

National Tort Law Day. Oct. 5, 2019. American Museum of Tort Law. Winsted, CT. Marc Rotenberg, EPIC President.

International Working Group on Data Protection in Telecommunications. Oct. 10–11, 2019. Brussels, Belgium. Eleni Kyriakides, EPIC International Counsel.

'Law and Algorithms.’ Oct. 14, 2019. Northwestern School of Law. Chicago, IL. Marc Rotenberg, EPIC President.

41st International Data Protection and Privacy Commissioners Conference. Oct. 21–24, 2019. Tirana, Albania. Marc Rotenberg, EPIC President.

Privacy and Personal Data Protection Enforcement. Nov. 18, 2019. EPIC and the UK ICO. OECD. Paris, France. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
EPIC 2020 Champions of Freedom Awards June 3, 2020