EPIC Alert 27.01

1. EU Leaders to Consider Ban on Face Surveillance

European Union President von der Leyen and Commissioner Vestager are considering a ban on the use of facial recognition in public spaces, according to a draft white paper obtained by POLITICO.

The EU Commission paper proposes "a time-limited ban" whereby "the use of facial recognition technology by private or public actors in public spaces would be prohibited for a definite period (e.g. 3-5 years) during which a sound methodology for assessing the impacts of this technology and possible risk management measures could be identified and developed."

"This would safeguard the rights of individuals, in particular against any possible abuse of the technology," the paper adds.

Last fall, more than 100 organizations, and several hundred experts, from over 40 countries urged data protection officials to adopt a moratorium on facial recognition. The Public Voice petition warns that "the technology has evolved from a collection of niche systems to a powerful integrated network capable of mass surveillance and political control."

The petition asks countries to "establish the legal rules, technical standards, and ethical guidelines necessary to safeguard fundamental rights and comply with legal obligations before further deployment of this technology occurs."

EPIC is tracking efforts around the world to Ban Face Surveillance. EPIC has also urged Congress, state lawmakers, and local officials to establish moratoriums on face recognition.

2. EPIC to Congress: Suspend DHS Data Transfer to Census Bureau

In a statement to Congress, EPIC warned that the proposed transfer of DHS data to the Census Bureau would violate the federal Privacy Act. The data include personal information about citizens, immigrants, and foreign nationals. EPIC urged the Committee to "block DHS from carrying out this proposed data transfer pending further review."

"This unprecedented transfer of personal data would be illegal, irresponsible, and far in excess of what the Census Bureau could possibly need to fulfill its statistical mission," EPIC wrote. "The transfer also appears to serve a dual purpose: not only to generate demographic data on citizenship, but also to individually identify who is a citizen.

EPIC previously warned the House Oversight Committee that President Trump's Executive Order on collecting citizenship data could undermine Privacy Act safeguards.

EPIC opposed the citizenship question in the 2020 Census, arguing that the Bureau failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case warning that collecting citizenship information presents "enormous privacy and security concerns." The Supreme Court found the rational for adding the citizen question "contrived" and the question was withdrawn.

3. New Year Begins with California Consumer Privacy Law

The New Year begins with the advent of the California Consumer Privacy Act. The California law, which is the strongest data protection statute in the country, went into effect on January 1.

All Californians now have the right to find out the personal data that companies collect about them, their devices, and their children; the right to opt-out of the sale of personal data; and the right to sue companies for data breaches. Californians can also request that a business delete their personal information.

In comments to the California Attorney General, EPIC urged strong enforcement of the privacy law. EPIC urged the Attorney General to aggressively enforce the individual rights and data controller obligations established by the Act; to adopt a strong definition of personal information; to require algorithmic transparency; and to work with state lawmakers to establish an independent data protection agency and a private right of action.

EPIC's Mary Stone Ross, a coauthor of the law, spoke recently on NPR's All Things Considered about the new law. The complete text of the California Consumer Privacy Act is available in the EPIC 2020 Privacy Law Sourcebook.

4. Supreme Court to Review Constitutionality of Federal Robocall Ban

The Supreme Court has aqreed to hear a challenge to the constitutionality of the Telephone Consumer Protection Act, a federal law that prohibits unwanted robocalls.

The law generally restricts the use of autodialers, but in 2015 Congress created an exception for robocalls to collect debts guaranteed by the federal government. Several groups have since challenged the law on First Amendment grounds, arguing that the TCPA discriminates against particular speakers. The Court will now consider the issue in Barr v. American Association of Political Consultants.

EPIC filed an amicus brief in Gallion v. Charter Communications, a related case, arguing that "these challenges represent a systematic effort by companies to undermine the purpose of the TCPA and to inundates consumers with unwanted calls." EPIC also warned that "the TCPA prohibitions are needed now more than ever," citing the intrusiveness of marketing calls directed toward cell phones.

EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA.

5. EPIC Urges D.C. Circuit to Order Disclosure of FAA Drone Committee Records

EPIC has filed its opening brief urging the D.C. Circuit Court of Appeals to reverse a lower court decision that allowed FAA's Drone Advisory Committee to conduct much of its work in secret.

"If the decision is allowed to stand, other federal agencies could circumvent the law by creating subcommittees and task forces and developing policy in secretive meetings held by entities that agencies attempt to place beyond the reach of the [Federal Advisory Committee Act]," EPIC told the Court of Appeals.

EPIC filed suit in 2018 against the industry-dominated Committee, which consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records that it previously withheld. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees.

"As a result, EPIC has been prevented from learning how or why privacy was dropped from the DAC's agenda, even as drone deployment over U.S. skies rapidly increases," EPIC told the Court of Appeals.

The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).

News in Brief

EPIC to Argue in Court Fifth Amendment Protects Cell Phone Passcodes

EPIC will present argument today in State v. Andrews, a New Jersey Supreme Court case about the compelled disclosure of a cell phone passcode. In its amicus brief, EPIC argued that the Fifth Amendment limits the ability of the government to obtain cellphone passcodes. Citing Riley v. California and Carpenter v. United States, EPIC said the U.S. Supreme Court has held that the vast troves of personal data stored in cell phones "justifies strong constitutional protections." EPIC also explained that limited exceptions to Fifth Amendment safeguards were adopted before personal information was "consolidated in one place." EPIC routinely files amicus briefs arguing that constitutional protections should keep pace with advances in technology. EPIC filed amicus briefs in Carpenter and Riley, which both involved the searches of cellphones. The Supreme Court cited EPIC's amicus brief in the Riley opinion.

Facing Growing Criticism, Facebook Reverses Decision to Sell Ads in WhatsApp

Facebook reversed the controversial decision to sell ads in WhatsApp. Before WhatsApp was acquired by Facebook, the company promised users it would not sell ads. But Facebook did not honor that promise to users, causing the WhatsApp founders to resign. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." EPIC has challenged the proposed FTC settlement with Facebook, arguing that it is procedurally unfair and that the FTC failed to address growing concerns about the use of WhatsApp user data. The FTC is now considering blocking the integration of Facebook and WhatsApp user data.

EU Legal Advisor Advances Privacy for National Security Matters

The EU Advocate General advised the European Court of Justice that "the means and methods of combating terrorism must be compatible with the requirements of the rule of law" in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG cited EPIC's expert submissions in "Schrems 2.0," another case concerning Facebook's transfer of personal data to the United States and the adequacy of U.S. privacy law.

EPIC Recommends Congress Implement OECD AI Principles, Back Universal Guidelines

EPIC has urged Congress to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. In a statement in advance of a hearing on "Industries of the Future," EPIC also highlighted the White Houses's Guidance for AI Regulation, and urged the Senate to prioritize public participation and democratic values. Senator Roger Wicker's (R-MS) bill, the "Industries of the Future Act," would promote government investment in research and development and create a government Council to advise the Office of Science and Technology Policy on future industries, including artificial intelligence. EPIC has long advocated for transparency and public participation in AI policymaking. EPIC successfully sued the National Security Commission on Artificial Intelligence to ensure public access to agency records. EPIC recently filed a complaint with the FTC alleging that recruiting company HireVue fails to comply with baseline standards for AI decision-making. EPIC also sued the DOJ to uncover documents about the use of algorithms in the criminal justice system.

Report Finds Dating Apps Leak Personal Data, EPIC and Coalition Urge Investigation

A new report from Norweigian consumer group Forbrukerradet finds that dating apps transmit personal data to at least 135 different third parties involved in behavioral advertising. The data includes IP address, GPS location, age, gender, sexual orientation, and religious beliefs. EPIC joined coalition letters to Congress, the FTC, and state Attorneys General urging investigation of the business practices detailed in the report. EPIC Consumer Protection Counsel Christine Bannan said: "This report highlights the pervasiveness of corporate surveillance and the failures of the FTC notice-and-choice model for privacy protection. Congress should pass comprehensive data protection legislation and establish a U.S. Data Protection Agency to protect consumers from the privacy violations of the adtech industry."

U.S. Government Grounds Drone Fleet, Cites Surveillance Concerns

The U.S. Interior Department is permanently grounding its fleet of drones over concerns that the devices will enable aerial surveillance by the Chinese government, according to the Financial Times. The Chinese-manufactured drones, which were used to monitor and map federal land, have been temporarily grounded since October. EPIC, NGOs, and leading experts had long urged the Federal Aviation Administration to regulate the privacy risks of drones. Although the FAA is set to require remote identification of drones—as EPIC first recommended five years ago—the FAA has refused to address drone surveillance. EPIC is currently challenging the FAA's failure to disclose records from the Drone Advisory Committee, which acknowledged the privacy risks posed by drones but failed to propose any privacy safeguards.

Department of Transportation Releases Voluntary Guidelines for Driverless Vehicles

The Department of Transportation announced AV 4.0, voluntary guidelines for driverless vehicles. The guidelines "use a holistic, risk-based approach to protect the security of data and the public's privacy as AV technologies are designed and integrated." EPIC commented on an earlier version of the guidelines, saying the agency "should promulgate mandatory rather than voluntary cybersecurity guidelines." EPIC warned that "the very real possibility of remote car hacking poses substantial risks to driver safety and security." EPIC also testified before Congress in 2015, explaining that "current approaches, based on industry self-regulation, are inadequate and fail to protect driver privacy and safety."

White House Publishes Guidance for AI Regulation

The White House has published Guidance for Regulation of Artificial Intelligence Applications. In a statement, US Chief Technology Officer Michael Kratsios said "The White House calls on agencies to protect privacy and promote civil rights, civil liberties, and American values in the regulatory approach to AI. Among other important steps, agencies should examine whether the outcomes and decisions of an AI application could result in unlawful discrimination, consider appropriate measures to disclose when AI is in use, and consider what controls are needed to ensure the confidentiality and integrity of the information processed, stored and transmitted in an AI system." The US AI Guidance follows from the OECD AI Principles, which the United States has endorsed, as well as some of the Universal Guidelines for AI, a human rights framework for AI endorsed by more than 250 experts and 60 associations in 40 countries. The Guidance makes clear the importance of public participation in the formulation of AI policy. EPIC successfully sued the National Security Commission on Artificial Intelligence to ensure public access to agency records.

EPIC to Congress: Voting Systems Must Accurately Record Votes, Protect Secret Ballot

Prior to a hearing with voting system vendors, EPIC urged the House Administration Committee to ensure that voting systems must accurately record votes and protect the secret ballot. "The bar for voting technology and election administration should be set high," EPIC said. Earlier this year EPIC asked a federal court to stop Georgia's use of Direct Recording Electronic voting machines in an amicus brief. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail, and subject to manipulation by foreign adversaries. DREs also undermine the secret ballot as particular voters could be linked to particular votes. In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy.

Federal Agencies Move Forward Plan for DNA Collection

In a Privacy Impact Assessment, Customs and Border Protection and Immigration and Customs Enforcement announced a plan for the DNA collection of individuals detained at the border, including U.S. citizens. The change comes after a Department of Justice proposed rule that removed the authority of DHS components, including CBP and ICE, to exempt detained individuals from DNA collection. EPIC joined a coalition of civil liberties and immigrant rights organizations in comments to the Justice Department and urged the DOJ to rescind the proposed rule. The coalition stated the proposed rule was an "unacceptable and unnecessary privacy intrusion" that will impact not only the individual's DNA being collected but also family members, including American citizens. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional.

Facebook Announces Deepfakes Ban

Facebook has announced its plan to ban "deep fakes" in advance of a House hearing on "Americans at Risk: Manipulation and Deception in the Digital Age" this week. The new policy would ban users from posting deepfakes—computer-generated, highly manipulated videos using technologies like AI—to prevent the spread of disinformation but would allow simpler forms of manipulation. Deepfakes have been used to spread disinformation about politicians, but 96% of "deep fakes" online are videos in which women's faces are superimposed into pornography without their consent. EPIC Board Member Danielle Citron testified before Congress, saying "we need a combination of law, markets, and societal resistance" to combat deepfakes and "the phenomenon is going to be increasingly felt by women and minorities."

European Privacy Experts to Assess GDPR Compliance

The European Data Protection Board will determine whether data brokers and mobile apps comply with the General Data Protection Regulation. The EDPB has commissioned a privacy expert to provide a legal analysis of 25 mobile applications and 10 data brokers. The study is one of several launched by the EDPB to examine the impact of the GDPR. A recent report from the Transatlantic Consumer Dialogue found that Amazon, Netflix, and Spotify do not comply with GDPR and recommended for the United Sates "baseline federal data protection and privacy law that does not pre-empt stronger state privacy protections and that creates an independent data protection agency." EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency.

Congress Enacts Robocall Legislation

Congress has passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019. The TRACED Act establishes penalties for certain robocalls and requires voice service provide to develop call authentication technologies. The FCC will develop rules to limit unwanted calls or texts from a caller using an unauthenticated number. EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments to the FCC, and filed multiple amicus briefs in appellate courts emphasizing the need to limit robocalls.

EPIC in the News

• So far, under California's new privacy law, firms are disclosing too little data — or far too much, Washington Post, Jan. 21, 2020
• Facebook still hasn't paid that $5B FTC fine, but what happens when it does?, Mashable, Jan. 17, 2020
• Feds may already have found a way to hack into Apple iPhones, ComputerWorld, Jan. 17, 2020
• Large Military-Grade Drones Could Soon Be Flying Over Your Backyard, Truthout, Jan. 17, 2020
• AI Hiring Tools Are Becoming Common—Just Not in Legal, Law.com, Jan. 16, 2020
• Analysis of popular apps finds rampant sharing of personal data, SC Magazine, Jan. 16, 2020
• Dating apps leak personal data, Norwegian group says, Lake Placid News, Jan. 15, 2020
• There's a new obstacle to landing a job after college: Getting approved by AI, CNN, Jan. 15, 2020
• Grindr Shares Location, Sexual Orientation Data, Study Shows, Bloomberg, Jan. 14, 2020
• Apple refuses latest government iPhone-unlock request, ComputerWorld, Jan. 14, 2020
• Dating apps leak personal data, Norwegian group says, Houston Chronicle, Jan. 14, 2020
• Grindr Shares Location, Sexual Orientation Data, Study Shows, Yahoo Finance, Jan. 14, 2020
• Grindr, Tinder and OkCupid apps share personal data, group finds, Los Angeles Times, Jan. 14, 2020
• Dating apps like Tinder leak personal data, one data privacy group says, Atlanta Journal Constitution, Jan. 14, 2020
• Dating Apps Leak Personal Data, European Group Says, CBS Boston WBZ, Jan. 14, 2020
• Dating Apps, Ad Firms Accused of Illegally Leaking User Data, Law360, Jan. 14, 2020
• Artificial Intelligence and the changing face of job interviews – The Wall Street Journal, BizNews, Jan. 10, 2020
• Landmark Facebook Settlement Still Working Its Way Through Court, Wall Street Journal, Jan. 10, 2020
• Facebook's FTC Privacy Settlement Challenged in Court, Data Breach Today , Jan. 10, 2020
• Facebook's FTC Privacy Settlement Challenged in Court, BankInfoSecurity, Jan. 10, 2020
• EPIC Files Complaint with FTC Regarding AI-Based Facial Scanning Software, LexBlog, Jan. 9, 2020
• New Illinois Law Could Serve as Benchmark for AI Use in Hiring, Future of Work News, Jan. 9, 2020
• EPIC Files Complaint with FTC Regarding AI-Based Facial Scanning Software, The National Law Review, Jan. 9, 2020
• US Government Kicks Off Controversial DNA Collection Program, Education News, Jan. 9, 2020
• FTC Nearing Decision On Facebook Antitrust Probe, Law360, Jan. 8, 2020
• Every Click You Make: Data Tracking, Consumer Privacy In The Age Of Surveillance Capitalism, Texas Public Radio, Jan. 8, 2020
• How job interviews will transform the next decade, Wall Street Journal, Jan. 7, 2020
• How Job Interviews Will Transform in the Next Decade , Wall Street Journal, Jan. 7, 2020
• To produce citizenship data, Homeland Security to share records with census, NPR, Jan. 6, 2020
• Cyber experts warn of potential Iranian cyber attack threat, wpxi.com, Jan. 6, 2020
• I helped draft California's new privacy law. Here's why it doesn't go far enough, Fast Company, Jan. 3, 2020
• Brazil Fines Facebook Over Cambridge Analytica Data Sharing, Law360, Jan. 3, 2020
• INTERVIEW: Mary Stone Ross, ksro.com, Jan. 3, 2020
• New California privacy law lets people find out exactly what companies know about them, CBC / Radio Canada, Jan. 2, 2020
• California's new privacy law puts you first. Too bad companies are ignoring it, CNET, Jan. 2, 2020
• DHS maps out data sharing with Census Bureau, FCW, Jan. 2, 2020

Cybersecurity & Privacy Cases To Watch in 2020, Law360, Jan. 1, 2020

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff (Public Affairs 2019)

The challenges to humanity posed by the digital future, the first detailed examination of the unprecedented form of power called "surveillance capitalism," and the quest by powerful corporations to predict and control our behavior.

• New York Times Notable Book of the Year
• One of The Guardian's Best 100 Books of the 21st Century

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. EPIC’s Privacy Law Sourcebook also includes extensive contact information for privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, commentary by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM (West Academic 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Oral Argument in State v. Andrews. Jan. 21, 2020. Supreme Court of New Jersey, Trenton, NJ. Megan Iorio, EPIC Appellate Advocacy Counsel.

EPIC International Champion of Freedom Awards. Jan. 22, 2020. Brussels, Belgium.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

"Artificial Intelligence and Facial Recognition: the EU Approach," European Data Protection Supervisor. Feb. 13, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

"Social Media: Challenges and Ways to Promote Freedoms and Protect Activists," UN High Commissioner for Human Rights. Feb. 16–17, 2020. Doha, Qatar. Marc Rotenberg, EPIC President.

OECD AI Expert Group. Feb. 26–27, 2020. Paris, France. Marc Rotenberg, EPIC President.

AI World Society, Harvard University. Apr. 28, 2020. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.

EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.