EPIC Alert 26.21

1. Pew Research: Americans Strongly Favor More Government Regulation of Consumer Data

According to a new poll from the Pew Research Center, Americans are overwhelmingly concerned about how companies use personal data and strongly favor greater regulation.

In the poll, 75% of Americans say there should be new regulations of what companies may do with personal data. 81% of the public believe that the risks of data collection by companies outweigh the benefits, and 66% say the same about government.

According to Pew, "majorities of the public are not confident that corporations are good stewards of the data they collect." 79% of Americans say they are at least somewhat concerned about how companies use personal data, while 36% say they are very concerned. Only 2% of respondents described digital privacy as "knowledge and consent."

Nearly a third of Americans—28%—said they had suffered at least one form of identity theft within the past year, and 70% of adults say their personal data is less secure than it was 5 years ago. The survey results are based on a nationally representative panel of randomly selected U.S. adults.

EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency.

2. At Council of Europe, EPIC's Rotenberg Urges Focus on AI and Human Rights

Speaking to the Council of Europe in Strasbourg, EPIC's Marc Rotenberg urged democratic nations to move forward a policy framework for Artificial Intelligence that safeguards human rights.

"You cannot afford to wait," said EPIC's Rotenberg, describing the work of EPIC to establish algorithmic accountability. Rotenberg also explained that ensuring transparency is the primary goal in the regulation of artificial intelligence.

In the past few years, EPIC has promoted Algorithmic Transparency, supported the Universal Guidelines for AI, and published the first reference book on AI policy. EPIC has also challenged the secrecy of the US National Commission on AI and urged the recognition of AI policy frameworks to regulate the use of AI techniques.

3. Senate Democrats Set Out Comprehensive Data Protection Framework

Top Senate Democrats recently unveiled key goals for comprehensive federal data privacy legislation, writing that such a law "is essential to hold institutions accountable, restore consumer trust, and protect our privacy."

The Democratic Senators' proposal calls for strong consumer rights, corporate accountability, effective enforcement, data minimization, and accountability for algorithmic decision making. The proposal would not preempt stronger state privacy laws.

"Under our framework, consumers would control their personal information, and corporations, non-profits, and political entities would be held to higher standards for when and how they collect, use, share, and protect our data," the framework states.

The proposal is backed by Senators Maria Cantwell, Dianne Feinstein, Sherrod Brown, and Patty Murray, and endorsed by Senators Ron Wyden, Richard Blumenthal, Brian Schatz, and Ed Markey, as well as Minority Leader Chuck Schumer.

EPIC Policy Director Caitriona Fitzgerald called the new Senate proposal a game-changer. "We are now on track for the adoption of comprehensive privacy legislation in the United States," she said. "The Senate should move forward this excellent proposal."

4. EPIC Obtains Docs about Critical Infrastructure Designation for Election Systems

In a FOIA lawsuit, EPIC has obtained an original draft of the proposal by former DHS Secretary Jeh Johnson to designate state election systems as critical infrastructure.

Released in a set of previously withheld documents, the draft memo states "[g]iven the vital role elections play in this country, certain systems and assets of election infrastructure meet the statutory definition of critical infrastructure in fact and in law." The DHS policy was announced on January 6, 2017, the same day the ODNI found extensive Russian interference in the 2016 Presidential election.

EPIC later litigated for the release of the complete ODNI report, which found that Russian intelligence services had "obtained and maintained access to elements of multiple U.S. state or local electoral boards." EPIC also obtained from DHS documents about the background and implementation of the critical infrastructure designation.

Other documents released as a result of EPIC's suit show the DHS continued to encourage state efforts in election security by making federal resources available on a voluntary basis. The case is EPIC v. DHS, No. 17-2047.

5. PA Supreme Court Rules Government Cannot Compel Suspect to Disclose Password

The Pennsylvania Supreme Court has ruled that the Fifth Amendment right against self-incrimination prevents the government from requiring a suspect to divulge their computer passcode.

The court found that "compelling the disclosure of a password to a computer" is testimonial because a defendant's password is "equivalent to a combination to a wall safe" and could divulge information "that will be used to incriminate him."

The court also found that a limited exception to the Fifth Amendment privilege did not apply. "[I]nformation in one's mind to 'unlock the safe' to potentially incriminating information does not easily fall within" the so-called "foregone conclusion exception," the court wrote.

EPIC filed an amicus brief in a similar case in the New Jersey Supreme Court. EPIC argued in State v. Andrews that the Fifth Amendment exception should be limited because it predated the vast amounts of personal data stored on computers and telephones. EPIC cited the U.S. Supreme Court's recent decisions in Riley v. California and Carpenter v. United States.

EPIC has long filed amicus briefs arguing that constitutional protections should keep pace with advances in technology.

News in Brief

Following EPIC Suit, AccuWeather Changes Location Tracking Practices

Following a DC consumer protection suit that EPIC filed against AccuWeather in 2018, the company has stopped deceptively gathering users' location data. In its Complaint, EPIC charged that AccuWeather grabbed consumers' location data even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to advertisers. Now AccuWeather, following EPIC's case, has changed its business practices. Users can decline advertising and other non-functional uses of their device information, and users can delete the information that AccuWeather collects about their device. EPIC has long advocated for the privacy of location data. EPIC filed a "friend of the court" brief with the US Supreme Court in Carpenter v. US, a case concerning police surveillance, and a complaint with the Federal Trade Commission concerning Uber's tracking of subscribers. EPIC also opposed Apple's tracking of iPhone users. EPIC also maintains detailed webpages on location privacy.

EPIC Publishes 2020 Edition of The Privacy Law Sourcebook

EPIC has published the 2020 edition of The Privacy Law Sourcebook. The Privacy Law Sourcebook is the leading reference book for those interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws and key international privacy laws such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. PLS 2020 also features the California Consumer Privacy Act and the Illinois Biometric Privacy Act. PLS 2020 is available in print and Kindle editions. Other publications, including those by members of the EPIC Advisory Board, are available at the EPIC Bookstore.

EPIC Advises New York Senate on Privacy Legislation

EPIC has sent a statement to the New York State Senate recommending passage of legislation modeled on Fair Information Practices and creation of a Data Protection Agency. The statement came ahead of a hearing by the N.Y. Senate on Senate Bill 5642, concerning oversight of personal data. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a privacy law. "A strong state privacy law would establish an independent state-level Data Protection Agency with resources, technical expertise, rulemaking authority and effective enforcement powers," EPIC told the New York Senate. EPIC's State Policy Project tracks privacy developments at the state level.

Senators Demand Information from Amazon on Ring and Surveillance

Five prominent Senators have demanded that Amazon provide information about Ring, the neighborhood surveillance system posing as a doorbell. Senators Wyden, Markey, Van Hollen, Coons, and Peters wrote that Amazon "holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes." The Senators pressed Amazon for information about Ring and facial recognition, noting that the company has applied for facial recognition patents. The letter follows an investigation by Senator Markey into Ring's surveillance practices. Senator Markey has also sponsored the Privacy Bill of Rights Act, a bill that would limit some of Amazon's data collection practices. EPIC has recently launched a campaign to Ban Face Surveillance worldwide. After 9-11, EPIC also led the Observing Surveillance campaign to limit the use of surveillance cameras in DC.

EPIC Obtains Documents about Nebraska's Flawed Risk Assessment Software

In response to EPIC's Freedom of Information Act request, the Nebraska Department of Correctional Services has provided to EPIC several documents about Nebraska's use of pre-trial risk assessments. Emails among state officials reveal concerns about the accuracy of the Vant4ge algorithm used for risk assessment. The head of the state agency wrote, "there has not been consistency in how the STRONG-R training is delivered" and "there are errors in how the 'severity index' of specific crimes is coded in the Vant4ge software" which "affect the final risk and needs score calculations produced by the assessment." According to the contract obtained by EPIC, Nebraska committed to continue with Vant4ge until 2022. EPIC previously pursued several lawsuits to obtain information about "predictive policing" and "future crime prediction" algorithms. EPIC obtained documents about pre-trial risk assessments as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. EPIC has urged government agencies to make transparent algorithmic-based decision making.

Swiss Sign Convention 108+, 35 Countries Back Privacy Convention

Switzerland has signed the Modernized International Privacy Convention. With the Swiss signature, thirty-five countries now back Convention 108+. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, and enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the international Privacy Convention.

Applications for Rodotà Award Now Open

The Committee of European Convention 108 (the "Privacy Convention") has announced the second edition of the Rodotà Award, intended to reward innovative academic research projects to advance data protection. The award honors the memory of Stefano Rodotà, a prominent Italian law professor and candidate for the Italian presidency who championed democratic institutions, human rights, and data protection. The competition is open to researchers from all regions of the world participating in the work of the Committee of Convention 108. The application deadline is 18 December 2019. The prize winner will be announced on Data Protection Day (28 January 2020) and will have the opportunity to present his/her work at the next Plenary session of the Committee of Convention 108, to be held in Strasbourg on July 1-3, 2020. In 2009, Prof. Rodotà received the first EPIC International Champion of Freedom Award.

Appeals Court Questions Government on Reliability of Google Scanning Algorithm

A federal appellate judge recently pressed the government about the reliability of a Google scanning algorithm that provided the basis for the warrantless search of a private email. EPIC raised concerns about the scanning technique in an amicus brief for the appeals court. In United States v. Wilson, EPIC argued that "because neither Google nor the Government explained how the image matching technique actually works or presented evidence establishing accuracy and reliability, the Government's search was unreasonable." Judge Watford told the government attorney that he "would like to hear your defense of the evidentiary record" because what we have "is this declaration from the Google person," and "I would need far more explanation of how reliable the hash matching technology is before I could validate this search." EPIC filed an amicus brief in a similar case in United States v. Miller. EPIC routinely submits amicus briefs on the privacy implications of new investigative techniques. EPIC has also long promoted algorithmic transparency to ensure accountability for AI-based decision making.

Google Announces Limits on Data Transfer in Ad Bids

Google has announced that it will no longer describe the type of content on an app or webpage when conducting auctions for ads. Google stated the change was the result of "engagement with data protection authorities" and would help prevent those bidding on ads from linking individual people to sensitive content. The change raised concerns about entrenching Google's dominance over internet advertising and whether the policy change would further diminish advertising revenue for content publishers. Questions also remain as to whether the change is necessary under the GDPR if user IDs are effectively deidentified as Google has claimed. Google's modifications to its Street View data collection failed to halt multiple fines by data protection agencies for legal violations. The company's ad exchange is still under investigation for violations of the EU General Data Protection Regulation. EPIC recently urged lawmakers to unwind bad mergers, including Google's acquisition of YouTube and Nest.

Following Stone Verdict, DOJ Must Disclose More of Mueller Report to EPIC

With the recent conclusion of Roger Stone's trial, the Justice Department must now disclose additional sections of the Mueller Report to EPIC in EPIC v. DOJ. Previously, the agency argued that it could withhold portions of the Report because disclosure would interfere with Mr. Stone's right to a fair trial. But following Mr. Stone's conviction on seven counts, the DOJ can no longer make that claim. The material withheld by the DOJ would likely reveal the role that Wikileaks played in the 2016 presidential election. In EPIC v. DOJ, EPIC is seeking the public release of the complete and unredacted Mueller Report. A ruling is expected soon. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore.

Intelligence Agencies Halt Collection of Cell Location Data Without 'Probable Cause'

The Director of National Intelligence has notified Congress that U.S. intelligence agencies are no longer obtaining cell site location data without "a showing of probable cause." The change is a direct result of the Supreme Court's decision in Carpenter v. United States, which held the Fourth Amendment protects location records generated by mobile phones. The Director wrote that "given the significant constitutional and statutory issues the decision raises," the intelligence community has "not sought CSLI records or global positioning system (GPS) records" without probable cause "since Carpenter was decided." EPIC filed an amicus brief in Carpenter, joined by 36 technical experts and legal scholars (members of the EPIC Advisory Board), urging the Court to extend Constitutional protection to cell phone data. Last year, EPIC's Marc Rotenberg wrote that "Congress now has an opportunity to update federal privacy law, providing greater clarity for digital searches after the Carpenter decision."

.ORG Sold to Private Equity Firm, Transparency Diminished

The Internet Society announced that it plans to sell the Public Interest Registry, which manages the .ORG domain, and all of its assets to Ethos Capital, a private equity firm. The announcement follows a decision to remove price caps on domain name purchases that was widely opposed by the user community. EPIC's Marc Rotenberg, who was a founding board member and former chair of PIR, told Gizmodo he was "very disappointed" by the news. "We built the .org domain with the specific goal of promoting the noncommercial use of the Internet," Rotenberg said. "There are many models, including ICANN itself, that could allow for effective management of the domain by a non-profit corporation. There are critical elements of transparency and accountability that will be lost when the Public Interest Registry is acquired by a private equity firm." The PIR website currently states, "PIR's believes that a best practice is transparency and accountability to itself, its stakeholders, and the public. The release of our annual IRS 990 Form provides publicly-available financial information to maintain our non-profit status in good standing."

Privacy Commissioners Launch 'Global Privacy Assembly'

The International Conference of Data Protection and Privacy Commissioners has announced a new logo and a new name: the Global Privacy Assembly (GPA). According to the Commissioners, "the new logo and name represent the evolution of the conference and the current work to modernise it, including a new policy strategy which sets out a clear vision for the organization." The GPA Policy Strategy outlines three goals for regulatory cooperation: global frameworks and standards, enforcement co-operation, and policy themes. The Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) will host the Global Privacy Assembly in Mexico City in October 2020. Francisco Javier Acuña Llamas, President of the INAI, said "Thanks to the collaboration of our colleagues, we created a logo which represents the organization's main attributes: international cooperation, knowledge sharing, independence and leadership." The Public Voice Project and the EPIC Public Voice Fund will provide opportunities for civil society organizations to participate in the work of the Global Privacy Assembly.

Largest Drone Manufacturer Will Implement Remote Identification

Responding to concerns raised by EPIC and others, the largest manufacturer of civilian drones in the world plans to implement a remote identification technique that would allow anyone with a smartphone to identify and track drones near them. According to DJI, "the location, altitude, speed and direction of the drone, as well as an identification number for the drone and the location of the pilot" would be available via a mobile phone app. In several comments to the FAA, EPIC urged the agency to require manufacturers to implement an active drone ID broadcasting requirement. This past summer the European Union established a requirement for real-time drone identification that aligns with EPIC's 2015 recommendations to the FAA, which stated that drone identification should be "similar to the Automated Identification System for commercial vessels." EPIC also wrote that "Because drones present substantial privacy and safety risks, EPIC recommends that any drone operating in the national airspace system include a mandatory GPS tracking feature that would always broadcast the location of a drone when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information." Speaking at the 2016 privacy commissioners conference in Marrakech, EPIC President Marc Rotenberg warned of the "identification asymmetry" that would arise if drones were not required to broadcast identifying information.

European Privacy Board Cites Concerns about EU-U.S. Privacy Shield

In a new report the European Data Protection Board is raising concerns about the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The EDPB, a group of top data protection authorities from across Europe, called for more rigorous review of compliance with the Shield, urged the Privacy and Civil Liberties Oversight Board to publish assessments of U.S. surveillance, and concluded that the Shield Ombudsperson was not a sufficient remedy for potential privacy violations. The European Commission recently renewed the agreement, despite comments from EPIC and other civil society organizations highlighting U.S. mass surveillance practices and weak privacy safeguards.

Bipartisan Senate Bill Requires Warrant for Ongoing Face Surveillance

Senators Chris Coons (D-Del) and Mike Lee (R-Utah) recently introduced legislation that will require federal law enforcement agencies to obtain a warrant before engaging in ongoing face surveillance. The Facial Recognition Technology Warrant Act of 2019 would apply to public surveillance using facial recognition technology that lasts more than 72 hours, and the warrants would expire after 30 days. EPIC recently testified before the Massachusetts Legislature in support of a moratorium on face surveillance. And a recent Public Voice petition calling for a moratorium on the use of facial recognition has received support from more than 90 organizations and 700 individuals (including many leading experts) in more than 40 countries.

EPIC, Coalition Urge Justice Department to Rescind Rule Expanding DNA Collection of Detainees

EPIC joined a coalition of civil liberties and immigrant rights organizations to urge the Department of Justice to rescind a proposed rule that effectively requires the DHS to collect DNA from all non-US persons the agency detains or arrests. The coalition stated that the proposed rule was an "unacceptable and unnecessary privacy intrusion" that will impact not only the individual whose DNA is being collected but also family members, including American citizens. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. In the 2013 brief, EPIC described the "dramatic and unpredictable" expansion of the government's DNA collection over the past decade.

EPIC to Congress: FTC Must Consider Privacy, Block Google-Fitbit Deal

In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review must consider data protection and that the Federal Trade Commission must block Google's plan to acquire Fitbit. "Far from protecting market competition and promoting innovation, the Commission is facilitating industry consolidation," EPIC said in the statement released in advance of the hearing. EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google/Alphabet has acquired "with barely a whimper from the Federal Trade Commission." EPIC said: "This is not antitrust enforcement. This is agency negligence." EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC warned the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (2020)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. EPIC’s Privacy Law Sourcebook also includes extensive contact information for privacy agencies, organizations, and publications.

The AI Policy Sourcebook 2019, edited by Marc Rotenberg (2019)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Yale CEO Leadership Forum. Dec. 17-18, 2019. New York, NY. Marc Rotenberg, EPIC President.

2020 Aspen Institute Roundtable on Artificial Intelligence. Jan. 12-14, 2020. Santa Barbara, CA. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Awards. Jan. 22, 2020. Brussels, Belgium.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.
