EPIC Alert 27.03

1. Sen. Gillibrand Introduces U.S. Data Protection Agency Bill

Senator Kirsten Gillibrand (D-NY) has introduced S. 3300, the Data Protection Act of 2020, which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill.

"The U.S. confronts a privacy crisis," said Caitriona Fitzgerald, EPIC Policy Director. "Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans."

"Businesses' inconsistent approach towards compliance with the California Consumer Protection Act proves that enforcement of privacy regulations is critical," said Mary Stone Ross, EPIC Associate Director and former President of Californians for Consumer Privacy. "Thankfully Senator Gillibrand's Data Protection Act puts enforcement first."

EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency.

2. EPIC Launches Drone ID Campaign, Urges Action by FAA

EPIC has launched "Mandate Drone ID," a campaign to encourage the public to submit comments to the FAA regarding the agency's proposed rule for a drone ID requirement.

EPIC recommends that the FAA modify the draft rule to require public access to drone ID information, including the operator's identity, the purpose of each drone flight, and the drone's surveillance capabilities. In 2015, EPIC wrote that "drones should be required to broadcast their registration information to allow members of the public" to easily identify the operator and responsible party.

EPIC has recommended that the FAA follow the model for vessels and planes, which requires operators to broadcast location, course, and operator identity. The European Union has established real-time broadcasting requirement similar to the one EPIC has previously encouraged the FAA to implement.

EPIC also urges the FAA to "Make clear that the remote identification of drones is necessary not only 'to ensure public safety and the safety and efficiency of the airspace of the United States,' as the FAA states, but also 'to protect the privacy and civil liberties of those living in the United States.'"

Comments on the FAA proposed rule are due March 2, 2020.

3. EPIC Urges Congress to Suspend Face Surveillance

In advance of a hearing on the Department of Homeland Security's use of facial recognition technology, EPIC urged Congress to suspend the use of facial recognition for mass surveillance. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy."

"Facial recognition poses serious threats to privacy and civil liberties and can be deployed covertly, remotely, and on a mass scale," EPIC told Congress. "Ubiquitous identification by commercial or government entities eliminates the individual's ability to control the disclosure of their identities, creates new opportunities for tracking and monitoring, increases the security risks from data breaches."

EPIC provided to the House Committee the Public Voice Declaration, supported by more than 100 organizations and leading experts from around the world, calling for a moratorium on face surveillance. The Declaration calls on countries to (1) suspend deployment of facial recognition; (2) review systems to determine whether personal data was obtained lawfully; (3) undertake research to assess bias and risk; and (4) establish legal rules, technical standards, and ethical guidelines before further deployment occurs.

EPIC recently launched a campaign and resource page to ban face surveillance globally. Last week, Senators Cory Booker and Jeff Merkley introduced the Ethical Use of Facial Recognition Act, which would bar the federal government's use of facial recognition until Congress passes legislation regulating the technology.

4. EPIC v. DOJ: No Mueller Reports to Congress

The Justice Department has confirmed to EPIC that Special Counsel Mueller did not draft any reports for Congress during the investigation into Russian interference in the 2016 election.

In a filing from EPIC v. DOJ, the Justice Department stated that it found no "reports, recommendations, and other compilations of information prepared for the eventual consideration of one or more members of Congress."

Last year, EPIC's open government lawsuit revealed records of a previously-undisclosed Special Counsel investigation into a suspected "unregistered agent of a foreign government." The records included memo submitted one day after the Justice Department released a redacted version of the Mueller Report.

As part of the same case, EPIC is also seeking disclosure of the complete, unredacted Mueller Report. A ruling on the Mueller Report is expected soon from Judge Reggie B. Walton.

The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. The case is EPIC v. DOJ, No. 19-810 (D.D.C.).

5. Chinese Military Charged with Equifax Breach

A federal grand jury has indicted four members of China's military on charges of hacking Equifax to exploit the personal data of 150 million Americans.

According the indictment, the four defendants conspired to hack into Equifax's computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of nearly half of all American citizens.

EPIC President Marc Rotenberg testified before the House in 2018 and the Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that the failure of the U.S. government to safeguard the personal data of Americans has placed American consumers at risk.

"Today our country is facing cyberattacks from foreign adversaries and it is the personal data stored by companies that is the target," Rotenberg testified. "When these companies engage in lax security practices or freely disclose consumer data without consent, they are placing not only consumers, but also our nation at risk.

In the Harvard Business Review, EPIC's Rotenberg explained that "consumer privacy is not a goal achieved by markets. It must be mandated by Congress."

EPIC has called for passage of the Online Privacy Act, H.R. 4978, and the creation of a U.S. data protection agency.

News in Brief

EPIC to Court: Order AI Commission to Open Meetings, Records

EPIC has filed a brief urging a federal court to enforce the transparency obligations of the National Security Commission on Artificial Intelligence. EPIC explained that the AI Commission must hold open meetings and publish its records on a regular basis. The court previously ruled that the AI Commission must comply with EPIC's Freedom of Information Act request, but the Commission now claims that it is exempt from a related statute that requires advisory committees to operate transparently. EPIC told the court that "as is often the case for federal entities, the AI Commission must comply with two (or three, or more) statutory obligations at the same time." The Commission, which is tasked with developing U.S. AI policy, recently released a report to Congress criticizing the EU General Data Protection Regulation and calling for greater "government access to data on Americans." The AI Commission met frequently in secret with lobbyists and private contractors, but never gathered opinions from the American public.

EPIC, Coalition Urge School Administrators to Reject Face Surveillance

In a letter to school administrators, EPIC joined Fight for the Future and over 40 organizations opposing the use of facial recognition technology in schools. The coalition stated that facial recognition is an "invasive and biased technology that violates the rights of students and faculty and has no place in educational institutions." EPIC launched a campaign and resource page to ban face surveillance globally. The Public Voice declaration has the support of over 100 organizations and many leading experts across 30 plus countries. EPIC has also called on the Privacy and Civil Liberties Oversight Board to suspend face surveillance systems across the federal government.

EPIC Joins Civil Liberties Groups, Backs Surveillance Reform

EPIC has joined 44 civil liberties organizations in endorsing the Safeguarding Americans' Private Records Act of 2020 (S. 3242 / H.R. 5675), sponsored By Senator Wyden [D-OR] and, in the House, Rep. Lofgren [D-CA]. The bills would repeal the NSA's bulk telephone surveillance program, establish a warrant requirement for location data and internet browsing history, increase transparency, and strengthen the Privacy and Civil Liberties Oversight Board. EPIC recently advised Congress to reform Section 702 of FISA and to sunset Section 215 of the Patriot Act.

Face Surveillance Moratorium Introduced in the Senate

Senators Cory Booker and Jeff Merkley introduced the Ethical Use of Facial Recognition Act, which would ban the federal government's use of facial recognition until Congress passes legislation regulating the technology. The bill also prevents state and local government from using federal funds for facial recognition systems and creates a commission to develop guidelines for the use of facial recognition. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition has also called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

FTC to Investigate Prior Big Tech Acquisitions

The FTC announced plans to review acquisitions by Google, Amazon, Apple, Facebook, and Microsoft between 2010-2019. The FTC will review those acquisitions that the companies were not required by law to report at the time of acquisition. FTC Chairman Joe Simons said the initiative would "evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition." In a joint statement, Commissioner Wilson and Commissioner Chopra said, "While we commend the FTC for exploring this timely and important topic, we reiterate our call for the Commission to prioritize 6(b) studies that explore consumer protection issues arising from the privacy and data security practices of technology companies, including social media platforms." EPIC filed a complaint with the FTC in 2014 opposing Facebook's acquisition of WhatsApp. EPIC is presently in federal court seeking to improve the FTC's proposed settlement with Facebook and to unwind the merger.

European Parliament Passes Resolution for AI Oversight

The European Parliament has passed a resolution urging the European Commission to adopt strong rules for industrial policy on artificial intelligence and robotics. The Resolution emphasizes safety, transparency, explainability, and data quality. The Resolution also seeks to "ensure that automatic decision-making is not being used to discriminate against consumers based on their nationality, place of residence or temporary location." The Resolution also supports the free flow of non-personal data to promote innovation. Earlier this month, a Dutch Court ruled that an AI system to detect welfare fraud violated human rights. EPIC has promoted Algorithmic Transparency and the Universal Guidelines for AI, and also published the AI Policy Sourcebook, the first reference book on AI policy.

California Attorney General Publishes Privacy Regulations, Seeks Public Comment

The California Attorney General has released the final draft of the regulations implementing the California Consumer Privacy Act. The draft updates key definitions, recommends an opt-out button image, and clarifies how businesses should respond to consumer access and deletion requests. The public has until February 25 to provide comments on the proposed regulation. Enforcement of the law will begin on July 1, 2020. In previous comments, EPIC urged strong enforcement of the state privacy law. The complete text of the California privacy law is available in the EPIC 2020 Privacy Law Sourcebook. EPIC has published a resource to help California residents exercise their rights under the CCPA.

New Voting Standards Move Closer to Approval

The Technical Guidelines Development Committee has approved the Voluntary Voting System Guidelines 2.0. The Committee provides technical recommendations to the Election Assistance Commission regarding voting systems in the United States. EPIC, along with the Association for Computing Machinery, previously recommended strong principles for voter privacy, ballot secrecy, and data protection. The groups also urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. The Technical Committee recommended banning internet-connected voting systems, as well as strong provisions on voter privacy, ballot secrecy, and data protection. Though states are not mandated to comply with the Voting System Guidelines, the Guidelines shape the election security market. EPIC has a long history of working to protect voter privacy and election integrity.

House Votes to Ban Foreign-Made Drones at DHS

The House passed H.R. 4357, which bans the use or purchase of foreign-made drones by the Department of Homeland Security. Last month, the Interior Department banned the use of foreign-made drones for non-emergency operations. The US government actions respond to growing concern that Chinese-made drones collect sensitive information in the United States. In 2012, EPIC and more than 100 experts petitioned the FAA to establish a rule to limit drones surveillance, but the agency failed to act. In recent comments to the FAA, EPIC warned the agency that regulating drone surveillance was essential to privacy and security. Last year, EPIC's Marc Rotenberg and Len Kennedy cited the FAA's failure to develop appropriate regulations in a commentary for the New York Times, and also warned that China's surveillance model requires "comprehensive privacy legislation to safeguard the personal data of Americans."

Dutch Court Rules Secret Welfare Algorithm Violates Human Rights

A Dutch Court ruled that an algorithmic risk assessment technique that ostensibly detects fraud violates human rights and privacy laws. The SyRi system processed massive amounts of personal data held in a government agencies with an opaque algorithm. The Dutch court ruled "there is a risk that the use of SyRI will inadvertently make connections based on bias." EPIC tracks and publicizes the use of risk assessments in the US Criminal Justice System as well as advocates for the Universal Guidelines for AI to ensure Algorithmic Transparency in automated decision making, EPIC published the AI Policy Sourcebook, the first reference book on AI policy.

EPIC in the News

• Algorithms Were Supposed to Fix the Bail System. They Haven't, WIRED, Feb. 19, 2020
• Trump's next health care move: Giving Silicon Valley your medical data, POLITICO, Feb. 19, 2020
• Senators Call for a Moratorium on Government's Use of Facial Recognition, NextGov, Feb. 18, 2020
• Will banks get caught up in facial recognition backlash?, American Banker, Feb. 18, 2020
• Facial Recognition Surveillance Technology Should Be Suspended in the U.S. Says Coalition of 40 Privacy and Free Speech Groups, CPO Magazine, Feb. 17, 2020
• "Face search" creeps people out. But it still has a future-in AR, Fast Company, Feb. 14, 2020
• A new Senate bill would create a US data protection agency, Yahoo News, Feb. 14, 2020
• Senate Democrat Wants To Create New Privacy Agency, MediaPost, Feb. 14, 2020
• Senator Kirsten Gillibrand Introduces Bill To Create A Data Protection Agency, Forbes, Feb. 14, 2020
• Senator Kirsten Gillibrand Introduces Bill To Create A Data Protection Agency, Forbes, Feb. 14, 2020
• Senator Calls for Creation of Federal Online Privacy Agency, BankInfo Security, Feb. 14, 2020
• 4 Takeaways From Calif.'s Revised Consumer Privacy Regs, Law360, Feb. 14, 2020
• Sen. Gillibrand Proposes Creating Agency To Enforce Privacy, Law360, Feb. 14, 2020
• Gillibrand bill would create new data protection agency, FCW, Feb. 14, 2020
• The Technology 202, Washington Post, Feb. 14, 2020
• Gillibrand proposes creating new digital privacy agency, The Hill, Feb. 13, 2020
• Kirsten Gillibrand outlines new Data Protection Agency to take on Big Tech, The Verge, Feb. 13, 2020
• Kirsten Gillibrand's new bill would establish a US data protection agency, Protocol, Feb. 13, 2020
• Retailers now know more about us than ever before thanks to AI, but experts insist it 'can improve lives', Business Insider, Feb. 13, 2020
• Gillibrand's push for a new data protection agency, POLITICO Morning Tech, Feb. 13, 2020
• Facebook Delivers Long-Awaited Trove of Data to Outside Researchers, Wall Street Journal, Feb. 13, 2020
• A new senate bill would create a US data protection agency, TechCrunch, Feb. 13, 2020
• Gillibrand calls for new federal agency to protect data privacy rights, Daily Dot, Feb. 13, 2020
• Senate bill proposes a Data Protection Agency to secure your privacy, CNET, Feb. 13, 2020
• Senator Kirsten Gillibrand proposes new government agency for internet privacy, TechSpot, Feb. 13, 2020
• Is Facial Recognition a Threat to Privacy?, CBS Los Angeles, Feb. 12, 2020
• Legal briefs: Predictive technology stirs debate, Buffalo Business Journal, Feb. 12, 2020
• Consumer Confidential: Equifax left unencrypted data open to Chinese hackers. Most big US companies are just as negligent, MSN, Feb. 11, 2020
• California Privacy Law Prompts Companies to Shed Consumer Data, Consumer Reports, Feb. 11, 2020
• Employers Using AI in Hiring Take Note: Illinois' Artificial Intelligence Video Interview Act Is Now in Effect, JD Supra, Feb. 11, 2020
• China alone isn't to blame for Equifax hack. U.S. firms are also at fault , Los Angeles Times, Feb. 10, 2020
• Recognize Behavioral Tracking's Opportunities and Pitfalls, Information Week, Feb. 10, 2020
• Justice Dept: Mueller prepared no reports to Congress, POLITICO, Feb. 8, 2020
• Mortgage Lender Inks $6.3M Deal To End TCPA Class Action, Law360, Feb. 8, 2020
• ICE, CBP Purchase Phone Location Data to Enforce Immigration Law: Report, National Law Review, Feb. 8, 2020
• Federal Agencies Use Cellphone Location Data for Immigration Enforcement, Wall Street Journal, Feb. 7, 2020
• Trump's Immigration Crackdown Has Taken a Dystopian Turn, Vanity Fair, Feb. 7, 2020
• Report: Homeland Security is using location data from games and weather, Fast Company, Feb. 7, 2020
• Facebook, YouTube order Clearview to stop scraping them for faces to match, Ars Technica, Feb. 7, 2020
• Trump admin using commercial phone database to track illegal border crossings: WSJ, American Military News, Feb. 7, 2020
• Federal agencies reportedly bought phone location data to track immigrants, Engadget, Feb. 7, 2020
• Cellphone tracking everywhere, Axios, Feb. 7, 2020
• ICE, CBP Purchase Phone Location Data to Enforce Immigration Law: Report, Yahoo, Feb. 7, 2020
• The US government is using a commercial app database to track, arrest immigrants, Android Authority , Feb. 7, 2020
• Facebook, YouTube order Clearview to stop scraping them for faces to match, Ars Technica, Feb. 7, 2020
• ACLU says it'll fight DHS efforts to use app locations for deportations, TechCrunch, Feb. 7, 2020
• ICE Is Using Location Data From Games and Apps to Track and Arrest Immigrants, Report Says, VICE News, Feb. 7, 2020
• Don't Sell My Data - There's a law for that , Washington Post, Feb. 6, 2020
• Inside the closed-door campaigns to rewrite California privacy law, again, Protocol, Feb. 6, 2020
• An Algorithm That Grants Freedom, or Takes It Away, New York Times, Feb. 6, 2020
• Inadequate data protection: A threat to economic and national security, Vox, Feb. 5, 2020
• EPIC Asks FTC to Regulate Use of AI in Employment Screenings, Business Computing World, Feb. 5, 2020
• What is the fourth industrial revolution?, The Week, Feb. 4, 2020
• Facebook's settlement puts spotlight on 'biometric privacy', Economic Times , Feb. 4, 2020
• FTC Should Regulate Artificial Intelligence, EPIC Petition Says, Bloomberg News, Feb. 4, 2020

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff (Public Affairs 2019)

The challenges to humanity posed by the digital future, the first detailed examination of the unprecedented form of power called "surveillance capitalism," and the quest by powerful corporations to predict and control our behavior.

• New York Times Notable Book of the Year
• One of The Guardian's Best 100 Books of the 21st Century

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD, and Marc Rotenberg, JD, LLM. West Academic (West Academic 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Invited Lectures. Feb. 19–21, 2020. Bocconi University, Milan, Italy. Marc Rotenberg, EPIC President.

2020 Internet Data Privacy Colloquium. Feb. 20, 2020. Dialogue on Diversity. Washington, DC. Alan Butler, General Counsel.

OECD AI Expert Group. Feb. 26–27, 2020. Paris, France. Marc Rotenberg, EPIC President.

Launch of OECD AI Policy Observatory. Feb. 27, 2020. Paris, France. Marc Rotenberg, EPIC President.

Yale CEO Conference. Mar. 17, 2020. Washington, DC. Marc Rotenberg, EPIC President.

OECD AI Expert Group. Apr. 22–24, 2020. Paris, France. Marc Rotenberg, EPIC President.

AI World Society, Harvard University. Apr. 28, 2020. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.

Technonomy East. May 19, 2020. New York, New York. Marc Rotenberg, EPIC President.

EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.