EPIC Alert 27.07

1. EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing

In a recent letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services."

The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack."

In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service.

"Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers," EPIC wrote. "We urge you to act."

2. EPIC Settles Case With National Archives Over Kavanaugh Records

EPIC has settled a Freedom of Information Act lawsuit against the National Archives for records pertaining to Justice Kavanaugh's work on surveillance in the Bush White House post-9/11. EPIC will receive attorney's fees as part of the settlement.

The records released to EPIC through the lawsuit revealed that Kavanaugh discussed warrantless wiretapping with program architect John Yoo. The records also show that, after the New York Times exposed the program, Kavanaugh exchanged hundreds of emails with White House and DOJ staff about the program, gathered legal justifications for the program, and drafted speeches defending warrantless wiretapping. Congress ended the controversial program in 2015, following extensive hearings.

While serving on the D.C. Circuit Court of Appeals in 2015, Judge Kavanaugh issued a surprising opinion on surveillance authority. Senator Leahy pursued Kavanaugh's views on surveillance during the Supreme Court nomination hearing.

3. EPIC Seeks Records About Kushner-Backed Surveillance System

EPIC has filed an urgent FOIA request for a memo outlining a nationwide COVID-19 surveillance system sought by White House senior adviser Jared Kushner.

According to POLITICO, the memo describes "a national coronavirus surveillance system to give the government a near real-time view of where patients are seeking treatment and for what[.]"

"The collection and use of sensitive medical data raises profound privacy concerns," EPIC wrote in its request. "The public has the right to know the contents of the March 22, 2020 memo . . . and whether the proposed system complies with federal privacy law."

In a statement, Senator Ed Markey (D-MA) said that the administration is not "capable of creating or maintaining a massive health data network in a manner that doesn't undermine our fundamental right to privacy."

EPIC is pursuing FOIA requests with the Department of Justice and other federal agencies about efforts to track and monitor Americans during the pandemic.

4. EPIC Asks Supreme Court to Review Decision Preventing Internet Companies from Protecting User Data

EPIC has submitted an amicus brief in LinkedIn v. hiQ Labs, urging the Supreme Court to review a decision that prevents internet companies from blocking web scrapers who gather personal data on websites in violation of privacy policies.

The lower court ruled that LinkedIn must allow hiQ Labs, a data analytics firm, to scrape the personal data of LinkedIn users. In the amicus brief, EPIC explained that the decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data."

The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system, used now by foreign intelligence agencies. EPIC said that the lower court decision will lead to more "unethical and unexpected uses" of personal data.

EPIC previously filed an amicus brief in support of LinkedIn users in the Ninth Circuit. EPIC routinely files amicus briefs in consumer privacy cases.

5. Kasparov, Experts, NGOs Urge OECD to Back Democratic Values

Former world chess champion Garry Kasparov has joined a statement to OECD Secretary General Ángel Gurría that urges the international organization to "continue to uphold the democratic values on which the OECD is based." Kasparov helped launch the OECD work on Artificial Intelligence policy that led to the OECD AI Principles, adopted by the OECD member countries, the G-20, and others.

The statement to the Secretary General Gurria, signed by more than 70 experts and NGOs, applauds the important work of the OECD in response to the pandemic. The statement asks the OECD SG to "make clear the ongoing importance of the OECD policy frameworks that safeguard fundamental rights, from the OECD Privacy Guidelines of 1980 to the OECD AI Principles of 2019."

The statement also asks the Secretary General to "continue to use the powerful analytical tools of the OECD to demonstrate that there are many uses of data that do not require 'trade-offs' or 'balancing' and to "urge colleagues at the G-7, the G-20, UNESCO, the ITU to uphold fundamental rights."

The OECD statement was coordinated by both the Civil Society Information Society Advisory Council to the OECD and the Public Voice coalition.

News in Brief

Court Approves FTC-Facebook Deal, But Says Data Protection Laws Need Updating

Despite objections from EPIC and other consumer groups, a federal judge has approved the Federal Trade Commission's settlement with Facebook over the company's alleged violations of the 2012 consent decree and the FTC Act. The court called Facebook's alleged conduct "stunning," "unscrupulous," "shocking," and "underhanded," and even stated that it "might well have fashioned different remedies were it doing so out of whole cloth." The court nevertheless approved the deal because of the "deferential" standard it felt bound to apply, but the court warned that, should the FTC accuse Facebook of further violations of the law, the court "may not apply quite the same deference to the terms of a proposed resolution." EPIC had moved to intervene in the case and filed an amicus brief arguing that the deal imposes "few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices." The court denied EPIC's motion to intervene but acknowledged that EPIC's arguments as amicus "call into question the adequacy of laws governing how technology companies that collect and monetize Americans' personal information must treat that information."

EPIC Settles FOIA Case About Facial Recognition Opt-Out Procedures At Airports

EPIC has settled a Freedom of Information Act lawsuit against Customs and Border Protection. EPIC sought records concerning the agency's "alternative screening procedures" to determine whether travelers are able to to opt-out of facial recognition at airports. EPIC filed the request after Custom and Border Protection repeatedly modified the opt-out language, making it increasingly difficult for travelers to opt-out. EPIC obtained numerous documents, including the Standard Operation Procedure that states that the alternative procedure for U.S. citizens is a review of their U.S. passport. At the end of last year, CBP removed its proposal to require all U.S. citizens to undergo mandatory face recognition at airports. Last year, Buzzfeed featured documents from a related FOIA lawsuit about CBP's flawed airport facial recognition program.

EPIC v. DOJ: Court Aims to Rule on Mueller Report Redactions by June 18

A federal court has announced June 18 as a "target date" to complete its review of the unredacted Mueller Report and to decide what additional material must be released. Judge Reggie B. Walton ruled last month that he will conduct an "in camera" review of the complete Mueller Report as part of EPIC's Freedom of Information Act lawsuit. EPIC recently urged the court to begin that review soon as possible because "time is of the essence in this case." The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810.

Small Business Administration Exposes Personal Data of 7,000 COVID-19 Relief Applicants

The personal data of 7,000 small business owners applying for COVID-19 relief was recently exposed in a Small Business Administration data breach. Names, social security numbers, and financial details were made accessible to other users of the SBA's disaster loan website. Recent data breaches have highlighted the need for stronger data protection laws. EPIC has urged Congress to update federal privacy law and to investigate whether systems adopted in response to the pandemic safeguard the privacy of Americans. In 2018, EPIC argued in response to the OPM data breach that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained."

EPIC and Coalition Urge Congress to Include Transparency and Accountability Provisions in Next COVID-19 Stimulus

EPIC and a coalition of open government groups sent a letter to both the House and Senate urging Congress to include transparency and accountability measures in the next legislative response to the COVID-19 pandemic. The group recommended that Congress: strengthen protections for inspector generals, expand the funding for open government, broaden whistleblower protections, narrow the coronavirus relief bill's (CARES Act) secrecy exemption, promote court access, fortify the coronavirus relief bill's oversight mechanisms, disclose Office of Legal Counsel opinions related to the pandemic, and fund congressional oversight. The letter stated, "[d]uring this time of national crisis, it is vital that the public has timely access to information and that oversight mechanisms are as robust as possible, so that errors and abuses that threaten public health can be swiftly rectified." Last month, EPIC at 131 other organizations issued a public statement supporting government transparency and public access to information as the U.S. responds to the coronavirus pandemic.

Senator Markey Says Contact Tracing Plans Must Protect Privacy

Senator Edward Markey [D-MA] has outlined nine key principles to guide federal leadership on coronavirus contact tracing in the United States. In a letter sent today to the White House Coronavirus Task Force, Senator Markey urged the administration to design and implement a comprehensive coronavirus contact tracing plan with key privacy safeguards. In a statement to the Senate and House Commerce Committees last week, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter followed a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency."

EPIC Seeks Records About FTC's Investigation of Zoom

EPIC has filed an urgent Freedom of Information Act request with the FTC seeking records about the status of the Zoom investigation. FTC Commissioner Noah Phillips recently declined to say whether the agency is investigating Zoom. The Commissioner's statement follows widespread reporting on privacy and security problems with the video conferencing service. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." Earlier this month, EPIC urged the FTC to open an investigation. In a recent letter to FTC Chairman Simons, Senator Sherrod Brown stated, "I believe that the company is engaging in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings and putting consumers' information and privacy at risk."

Justice Department Expedites EPIC's FOIA Request for Policies on Location Data Use

The Department of Justice has agreed to expedite EPIC's FOIA request for information about the agency's legal guidance on the use of location data. EPIC asked for records "regarding the lawfulness of the use of location data for public health surveillance." EPIC's request went to the Office of Legal Counsel which provides legal advice to the President and all executive branch agencies. EPIC has previously litigated several high-profile FOIA cases against the OLC, including EPIC v. DOJ (legality of the NSA PRISM Program) and EPIC v. DOJ (legality of the warrantless wiretapping program). Last month the Wall Street Journal reported that the White House is considering surveillance techniques, such as geolocation and facial recognition.

EPIC to Congress: Establish Privacy Safeguards for Digital Contact Tracing

In a statement to the Senate and House Commerce Committees, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter follows a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." EPIC urged Congress to update federal privacy law and to investigate whether systems adopted in response to the pandemic safeguard the privacy of Americans.

EPIC Seeks Information About Secretary Ross's Decision to Delay Census Data Reporting

EPIC has sent an urgent Freedom of Information Act request to the Commerce Department, seeking records about Secretary Wilbur Ross's decision to delay the 2020 Census reporting deadlines. In a recent statement, Commerce Secretary Ross and the Census Bureau Director asked Congress for a four-month delay to "deliver final apportionment counts" that would be used in congressional redistricting. Rep. Carolyn B. Maloney, Chair of the House Oversight Committee, said that the administration is "stonewalling in providing information" that is "vital in assessing" the proposed extension. In a 2018 letter to Congress, EPIC said "the Census is an essential part of understanding the changing demographics in America. The census helps ensure evidence-based policy decisions and census data is the source of much political and economic planning in the United States."

EPIC Makes Final Arguments to Supreme Court in Census Privacy Case

EPIC has filed a brief urging the U.S. Supreme Court to review the D.C. Circuit decision in EPIC v. Commerce. In that case, the Court of Appeals denied EPIC the right to obtain privacy impact assessments concerning citizenship question on the 2020 Census. EPIC argued that the Census Bureau was required to publish the impact assessments before attempting to include the citizenship question. EPIC told the Supreme Court that the lower court decision conflicts with earlier Supreme Court precedent and that the government had "failed to rebut" the arguments EPIC set out in its initial petition for review. Last year, the Supreme Court's decision in Commerce v. New York led to the removal of the citizenship question from the 2020 census. EPIC filed an amicus brief in support of that outcome.

EPIC Asks Court to Begin Review of Mueller Report

EPIC, in a filing from EPIC v. Department of Justice has urged a federal court to begin its review of the unredacted Mueller Report to determine what additional material must be released to the public. Judge Reggie B. Walton recently ordered the DOJ to turn over the complete Report, citing "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" EPIC noted that courts have ensured that "the federal judiciary continues its essential work" during the COVID-19 crisis and that "time is of the essence in this case." The book EPIC v. DOJ: The Mueller Report, which includes EPIC's original Freedom of Information Act request and related materials, is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810.

EPIC Obtains Documents on Tech Industry and Countering Violent Extremism

Through a Freedom of Information Act request EPIC obtained documents about a 2016 meeting with the leaders of the tech industry on countering violent extremism. The meeting included Attorney General Loretta Lynch, FBI Director Jame Comey, and Director of National Intelligence James Clapper. The documents EPIC obtained reveal the attendees, agenda items, and email discussions in preparation for the meeting. Reports at the time indicated that tech leaders and administration officials were concerned about extremist content on social media. Administration officials also raised concerns about encryption. EPIC has long supported strong encryption to protect Internet users from financial fraud, identity theft, and other crimes. EPIC filed a "friend of the court" brief in support of Apple's challenge in the FBI's decryption order, noting that far more cellphones were lost or stolen than were obtained by law enforcement agencies in the course of an investigation.

EPIC, Civil Society Groups Urge Congress to Protect Inspector General Independence

EPIC and a coalition of civil society organizations recently called on Congress to protect the independence of federal inspectors general. "To operate effectively, IGs need independence both from the agency they are overseeing, and from the president," the groups wrote in a statement. In recent days, President Trump abruptly removed Inspector General of the Intelligence Community and replaced the inspector general overseeing the federal government's use of COVID-19 relief funds. "There's a reason why inspectors general have traditionally always had bipartisan support in Congress: their work is paramount to a functioning government that's built on checks and balances," the groups explained. EPIC has long fought for stronger oversight of U.S. intelligence agencies and has pursued FOIA lawsuits against the CIA, the FBI, the ODNI, and the NSA.

EPIC Scrutinizes DHS 'Insider Threat' Database

In detailed comments, EPIC criticized the DHS's proposed "Insider Threat" database that would give the agency vast amounts of personal data. EPIC urged DHS to limit the scope of data collection and to drop proposed Privacy Act exemptions that would diminish the agency's responsibilities for the data gathered. Citing the surge in data breaches, EPIC warned that DHS data practices pose a risk to federal employees. EPIC previously recommended privacy protections in background checks and warned against inaccurate, insecure, and overbroad government databases.

EPIC, Coalition Oppose Facial Recognition at SeaTac Airport

EPIC joined a coalition of civil liberties and privacy groups to urge the Port of Seattle Commission to reverse an earlier decision to deploy facial recognition technology at SeaTac International Airport. The organizations stated that the Port Commission should not back the Customs and Border Protection's unauthorized use of facial recognition technology. Previously, EPIC and a coalition urged the Privacy and Civil Liberties Oversight Board to suspend the use of face surveillance systems across the federal government. And last year, the Public Voice coalition called for a global moratorium on face surveillance. Over 100 organizations and several hundred experts from over 40 countries endorsed the Public Voice declaration.

EPIC Seeks Records About Oracle's Proposed System to Track COVID Patients

EPIC has filed an urgent FOIA request to obtain information about a system, proposed by Oracle CEO Larry Ellison, to track COVID patients who are given experimental drug therapies. Oracle's "COVID-19 Therapeutic Learning System" urges healthcare companies to provide sensitive health information to Oracle. President Trump recently stated that federal agencies will be able to access data from the system. Ellison proposed a national identity card after the attacks on the United States on 9-11. Congress rejected that plan and made clear that L[national identification systems are not authorized] in the United States. EPIC has also filed FOIA requests to the Department of Justice and other federal agencies concerning the tracking and monitoring of Americans during the pandemic.

EPIC v. AI Commission: Internal Report Alludes to 'Mass Surveillance,' 'Streets Carpeted with Cameras'

In a FOIA lawsuit, EPIC has obtained more documents from the Commission on Artificial Intelligence. The records include internal correspondence and an unattributed report about China's social scoring, facial recognition tools, and AI-based surveillance. The internal report highlights the "draconian" consequences of China's AI use but states that "Mass surveillance is a killer application" for AI and that "having streets carpeted with cameras is good infrastructure for smart cities[.]" The Commission's disclosure to EPIC follows a ruling in EPIC v. AI Commission that the Commission is subject to the FOIA. The AI Commission held over 200 secret meetings with tech firms, defense contractors, and others. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. The case is EPIC v. National Security Commission on AI, No. 19-2906 (D.D.C.).

EPIC Pursues Information About Predictive Policing Programs

EPIC has filed a detailed FOIA request with the Department of Justice for information about Predictive Policing and Risk Assessment programs, funded by the federal government. The programs are described in a 2014 Justice Department report that EPIC obtained in the lawsuit, EPIC v. DOJ. The 2014 DOJ report warned that "individual liberty is at stake" with predictive policing, but many of these systems have gone forward nonetheless. EPIC maintains a comprehensive resource on risk assessments systems in the Criminal Justice System.

DOJ Responds to EPIC FOIA on Location Data

In response to EPIC's Freedom of Information Act request to the Justice Department for information about the use of location data, including cell phone records, to counter the pandemic the DOJ wrote there are no "responsive records." EPIC had asked for "all legal memos, analysis, communications, and guidance documents, in the possession of the Department of Justice, concerning the collection or use of GPS data and cell phone location data for public health surveillance." The DOJ forwarded EPIC's request to its Office of Legal Counsel to see if responsive records exist in that office. EPIC will continue to seek information about the DOJ's views on the use of location data, and particularly phone records. After 9-11, the Justice Department supported the warrantless surveillance of Americans, a program that was later terminated after the New York Times broke the story, and EPIC pursued a FOIA lawsuit and then a Supreme Court petition.

EPIC, Coalition Urge Governments to Respect Human Rights as They Respond to Pandemic

EPIC joined civil society groups from around the world to urge governments to respect human rights as they consider digital technologies to combat the coronavirus pandemic. The coalition warned that "efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance." The civil society groups insisted that governments not implement surveillance measures unless lawful, time-limited, only for the specific purpose of combating the pandemic, and the data collected is absolutely necessary. EPIC recently joined 131 other organizations in a public statement supporting public access to information as the U.S. responds to the coronavirus pandemic. EPIC is pursuing a Freedom of Information Act request with the Department of Justice seeking DOJ legal analysis about the collection of GPS and cell phone location data.

EPIC Releases Updated Report on Privacy Bills in Congress

EPIC has released an updated report on the privacy bills in Congress. EPIC's report - Grading on a Curve: Privacy Legislation in the 116th Congress - reviews recent developments, sets out a model bill, and assesses pending legislation. According to EPIC, Representative Eshoo and Lofgren's Online Privacy Act ranks #1. The bill would establish a data protection agency, create meaningful privacy safeguards, and hold companies accountable for the collection and use of personal data. Senator Gillibrand's Data Protection Act, S. 3300, solves one critical privacy problem very well by creating an independent Data Protection Agency in the United States. The US is one of the few democratic countries in the world without a federal data protection agency. The updated EPIC report also scores Senator Moran and Senator Wicker's privacy proposals.

OECD Releases New Guidance on Privacy and Contact Tracing

The OECD has released "Tracking and tracing COVID:Protecting privacy and data while using apps and biometrics." The OECD warns that "current digital solutions for monitoring and containment have varying implications for privacy and data protection." The OECD recommends that "fully transparent and accountable privacy-preserving solutions should be embedded by design to balance the benefits and the risks associated with personal data collection, process and sharing. Data should be retained only for so long as is necessary to serve the specific purpose for which it was collected." The report is one of several published by the OECD on "Tackling Coronavirus (COVID-19): Contributing to a Global Effort." Garry Kasparov was among 70 experts and NGOs who recently applauded the OECD's response to the pandemic and also urged the organization to "continue to uphold the democratic values on which the OECD is based."

Supreme Court to Consider Whether Improper Data Access Violates Computer Crime Law

The Supreme Court will decide whether a person who is authorized to access data for some purposes violates the Computer Fraud and Abuse Act if they access the information for other purposes. The case, Van Buren v. United States, concerns a police officer who accessed a law enforcement database to sell the information to a third party. EPIC recently urged the Supreme Court to consider whether another provision of the CFAA prohibits third parties from scraping user data when an internet company bans the practice. EPIC staff raised concerns about the civil liberties implications of the law when Congress passed the first computer crime statute in 1984.

Privacy Safeguards Lacking for FAA Drone Registration System

The Inspector General for the Department of Transportation released an report of the FAA's drone integration system, which includes personal data for drone registration. The IG report found that the "FAA did not adequately assess privacy and security controls for protecting PII." The report also found that the "FAA's inadequate monitoring of security controls increases the risk of the systems being compromised." EPIC stated that "the FAA should adopt safeguards to protect registrants' information from improper release." EPIC also warned that "the FAA's proposed rule fails to consider the privacy implications for recreational drone operators" who will be required to provide personal information.

Pew Survey: Americans Avoid Internet Services to Protect Personal Data

A new Pew Research survey found about half of U.S. adults said they recently opted out of a product or service because they were concerned about privacy. Respondents cited concerns about the unnecessary collection of personal data, the reliability of the service, and surveillance. The Pew survey results are based on a nationally representative panel of randomly selected U.S. adults. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency.

Supreme Court to Hold Oral Arguments by Teleconference

The U.S. Supreme Court has announced that it will hold oral arguments by teleconference in light of the COVID-19 crisis, including two cases in which EPIC filed amicus briefs. "The Court anticipates providing a live audio feed of these arguments to news media," the Court said in a statement. It marks the first time that the Supreme Court has held arguments remotely or made a live broadcast available. The cases to be argued next month include Trump v. Vance, in which EPIC urged the Supreme Court to allow the release of President Trump's tax returns to a grand jury, and Barr v. American Association of Political Consultants, in which EPIC defended the Telephone Consumer Protection Act as a check against unwanted robocalls.

Congress Raises Concerns About Kushner-Let Effort to Establish National COVID-19 Surveillance System

Senators Mark Warner (D-VA) and Richard Blumenthal (D-CT) and Representative Anna Eschoo (D-CA) sent a letter to White House Senior Advisor Jared Kushner, raising concern about his efforts to establish a national COVID-19 surveillance system. The members of Congress stated, "We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States." They stressed that, "absent a clear commitment and improvements to our health privacy laws -these extraordinary measures could undermine the confidentiality and security of our health information and become the new status quo." EPIC recently filed a Freedom of Information Act request with Health and Human Services for the March memo from health technology companies that touted their ability to gather patient information. The letter from Congress to Kushner reflected several of the issues raised in EPIC's original FOIA request.

Apple and Google Propose Contact Tracing App

Apple and Google have announced "a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design." The companies are proposing "Privacy-Preserving Contact Tracing." EPIC has previously testified in Congress in support of genuine Privacy Enhancing Techniques, which are as technologies that "minimize or eliminate the collection of personally identifiable information." But EPIC has also warned that these techniques must be "robust, scalable and provable." And EPIC has repeatedly stated that notice and consent is not the basis of data protection.

Appeals Court Greenlights Privacy Suit Over Facebook's Invasive Web Tracking

The Ninth Circuit Court of Appeals has ruled that Facebook users whose privacy was violated by Facebook's tracking of web browsing can bring suit against the social media platform. The court held that consumers had the legal right, or "standing," to sue Facebook and that most legal claims could go forward. Chief Judge Sidney Thomas wrote "that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway." EPIC filed an amicus brief in the case explaining that "Facebook's tracking techniques are designed to escape detection, and the company routinely ignores users' privacy protections." EPIC argued that Facebook's "cookie tracking practices" cause "harm to the privacy of the large and diffuse group of Facebook users." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including United States v. Facebook, Attias v. Carefirst, Frank v. Gaos, and Rosenbach v. Six Flags.

Council of Europe Issues Guidance on Fundamental Rights During Pandemic

The Secretary General of the Council of Europe, Marija Pejčinović Burić, has issued recommendations for governments across Europe on human rights, democracy and the rule of law during the COVID-19 crisis. The report covers (1) Derogation from the European Convention on Human Rights, (2) Respect for the rule of law and democratic principles, including limits on emergency measures, (3) Fundamental human rights standards including freedom of expression, privacy and data protection, protection of vulnerable groups from discrimination and the right to education, and (4) Protection from crime and the protection of victims of crime, in particular regarding gender-based violence. The EU Fundamental Rights Agency has also published a new report "Protect human rights and public health in fighting COVID-19." As the FRA explains, "Respecting human rights and protecting public health is in everyone's best interest - they have to go hand-in-hand." Video blog Michael O'Flaherty: COVID-19.

Trump Removes Inspector General for Intelligence Agencies

President Trump has removed Inspector General of the Intelligence Community Michael Atkinson from his post. The President cited Atkinson's referral to Congress of a whistleblower complaint concerning Trump's efforts to have Ukraine investigate former Vice President Joe Biden. Atkinson was required by law to transmit the report to Congress. EPIC has long fought for stronger oversight of U.S. intelligence agencies, and has pursued FOIA lawsuits against the CIA, the FBI, the ODNI, and the NSA. In EPIC v. Department of Justice, EPIC is currently seeking release of the complete Mueller Report, which details foreign interference in the 2016 presidential election. The DOJ recently submitted the full Mueller Report to a federal judge, who will determine what additional material must be released to the public.

Supreme Court Won't Limit Vehicle Stops Based on Owner's License Status

The U.S. Supreme Court recently held, 8-1, that police can stop a vehicle if a database says that the registered owner has a suspended license. Justice Sotomayor dissented. EPIC filed an amicus brief in the case, Kansas v. Glover, arguing that the Court should not allow the police to stop a vehicle simply because the registered owner's license is expired. EPIC described the growing use of Automated License Plate Readers, and warned the Court that permitting police stops based on the registered owner's status would "dramatically alter police practices" and "unfairly burden disadvantaged communities." EPIC provided empirical data for the Supreme Court which indicate that ALPRs are more widely used in disadvantaged communities and also that car sharing is more prevalent in these communities. Justice Kagan's concurrence noted that car sharing and database inaccuracies, issues that EPIC raised in its brief, could lead to unreasonable searches. EPIC routinely files amicus briefs in cases before federal and state courts concerning emerging privacy issues. In Herring v. United States (2012), EPIC explained to the Supreme Court that government databases are "filled with errors, according to the federal government's own reports."

State Attorneys General Investigate Zoom

The Attorneys General from several states including New York, Connecticut, and Florida are investigating Zoom's privacy and security practices. The New York AG stated that she was "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network." Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.

HHS Removes Safeguards for Personal Health Data, Suspends Public Comment

Health and Human Services has announced it will reduce privacy safeguards for personal health data. Under the federal patient privacy law (HIPAA), a third party "business associate" that receives personal data from a health care provider or insurer must have express permission to redisclose the data. HHS has now suspended that protection, as long as "business associates" disclose personal health data in "good faith" for "public health activities" and provide notice within 10 days. There was no opportunity for public comment on the rule change. Previously, HHS announced that it would not take enforcement action against health care providers that violate the HIPAA when consulting with patients remotely.

Global Privacy Assembly Surveys Policies on Coronavirus

The Global Privacy Assembly, the international network of data protection officials, has published Data protection and Coronavirus (COVID-19) resources. The GPA stated that it "recognises the unprecedented challenges being faced to address the spread of Coronavirus (COVID-19). Data protection authorities across the world stand ready to help facilitate swift and safe data sharing to fight COVID-19, while still providing the protections the public expects." EPIC is also tracking privacy statements from UN Human Rights experts, the Council of Europe, German data protection experts, NGOs, the European Data Protection Board, and the World Health Organization.

ICE Seeks to Expand Use of Facial Recognition

According to the Statement of Work, Immigration and Customs Enforcement is seeking to connect the agency's facial recognition system to the DHS Gang Intelligence Application database. ICE recently solicited contracts to overhaul the agency's interface with the Gang Intelligence Application database to establish a face template for all photos added to the database. EPIC has filed a Freedom of Information Act request seeking details of ICE's use of Clearview AI's facial recognition technology. The secretive tech company scraped billions of facial images from Internet websites. EPIC and more than a hundred organizations have called for a moratorium on facial recognition technology.

Senators Again Question White House Google Website Plan

Five U.S. Senators have sent a follow-up letter to Google requesting more information about the company's plans to protect user data on the coronavirus screening website. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker had previously sent a letter to the White House expressing concern about the website. The Senators wrote now to say that personal data should "not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)." Google is under a consent order that gives the FTC authority to oversee the company's privacy practices as a consequence of EPIC's complaints about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google.

Senator Blumenthal Calls on Zoom to Address Privacy Issues

Senator Richard Blumenthal has called on video conference platform Zoom to provide clear answers about its consumer data privacy rules and safety practices. "Zoom has a troubling history of software design practices and security lapses that have posed significant risks to the privacy and safety of its users," Senator Blumenthal said. Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint.

Inspector General Report Uncovers Widespread FISA Abuse

A report from the Department of Justice's Inspector General has uncovered widespread abuse of FISA surveillance authority by the DOJ. The Inspector General "identified apparent errors or inadequately supported facts" in each of the 25 surveillance applications it reviewed. The report follows an earlier investigation by the Inspector General which found the FBI personnel investigating Russian interference in the 2016 presidential election "fell far short of the requirement in FBI policy that they ensure that all factual statements in a FISA application are 'scrupulously accurate.'" EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms for more than a decade, and recently advised Congress to reform Section 702 of FISA and to sunset Section 215 of the Patriot Act. Members of both parties have recently expressed support for reforming U.S. surveillance authorities.

Europe Debuts New Privacy-Preserving Coronavirus Tracing App

POLITICO reports that eight European countries are taking part in a "privacy-preserving proximity tracing" app that uses Bluetooth signals between mobile phones to track users who are close enough to infect each other. The software uses privacy-enhancing techniques such as encryption, data anonymization, and data minimization in order to provide effective tracing while maintaining Europe's high data protection standards under the General Data Protection Regulation (GDPR). EPIC Advisory Board member Ron Rivest and colleagues at MIT have published a paper that explores "A simple proximity-based approach to contact tracing."

EPIC in the News

• Zeroing in on Zoom's Threat to Financial Services, Traders Magazine, Apr. 16, 2020
• Dating apps leak personal data, Norwegian group says, FOX 5 NY, Apr. 16, 2020
• Advocates Worldwide Call to Protect Children from Edtech Exploitation, Common Dreams, Apr. 16, 2020
• Be very wary of Trump's health surveillance plans, Washinton Post, Apr. 16, 2020
• Privacy Group Urges Supreme Court To Intervene In LinkedIn Scraping Battle, Media Post, Apr. 15, 2020
• Human Rights Groups: Kids Need Protection from EdTech Commercialization, Multichannel, Apr. 15, 2020
• Kids' Apps Are Surging in Popularity During Quarantine, but Many Have Rocky Records on Privacy, Adweek, Apr. 13, 2020
• Apple, Google Unveil Joint Effort To Track COVID-19 Spread, Law360, Apr. 10, 2020
• Shareholders Sue Zoom Over Privacy, Hacking Concerns, Law360, Apr. 9, 2020
• Zoom Rushes to Improve Privacy for Consumers Flooding Its Service, New York Times, Apr. 9, 2020
• Zoom rushes to improve privacy for consumers flooding its videoconference service, Seattle Times, Apr. 9, 2020
• ZOOM GETS FEDERAL GOVERNMENT'S ATTENTION AS PRIVACY CONCERNS MOUNT, Vanity Fair, Apr. 8, 2020
• Privacy agenda threatened in West's virus fight, POLITICO, Apr. 7, 2020
• NYC Schools Drop Zoom As Privacy, Security Scrutiny Grows, Law360, Apr. 7, 2020
• In Harm's Way: Smart Regulation of Digital & Network Technologies , Aspen Institute, Apr. 7, 2020
• Senator calls for federal investigation into Zoom's 'deceptive' practices, Daily Dot, Apr. 7, 2020
• Zoom: Every security issue uncovered in the video chat app, CNET, Apr. 7, 2020
• 'Explosion' in Distance-Learning Tech Use Sparks Privacy Worries, Bloomberg, Apr. 6, 2020
• Covid-19: Pandemic data-sharing puts new pressure on privacy protections, The Star, Apr. 6, 2020
• Pandemic data-sharing is putting new pressure on privacy protections, The Print, Apr. 6, 2020
• Zoom looks to reframe its narrative in the Beltway, POLITICO Morning Tech, Apr. 6, 2020
• Gov Scrutiny of Zoom, POLITICO Morning Cybersecurity, Apr. 6, 2020
• Zoom got popular during coronavirus. Now it's facing scrutiny from advocacy groups, Daily Dot, Apr. 6, 2020
• High Court Rules for Kansas in Fourth Amendment Stop Dispute, Bloomberg Law, Apr. 6, 2020
• FTC Urged To Investigate Zoom Over Privacy, MediaPost, Apr. 6, 2020
• Zoom got popular during coronavirus. Now it's facing scrutiny from advocacy groups, Daily Dot, Apr. 6, 2020
• Pandemic Data-Sharing Puts New Pressure on Privacy Protections, Bloomberg, Apr. 5, 2020
• Pandemic Data-Sharing Puts New Pressure on Privacy Protections, Yahoo, Apr. 5, 2020
• Privacy agenda threatened in West's virus fight, POLITICO, Apr. 5, 2020
• Everybody seems to be using Zoom. But its security flaws could leave users at risk., Washington Post, Apr. 3, 2020
• Zoom security flaws could leave people at risk, say experts, IOL, Apr. 3, 2020
• Big Brother and the coronavirus: Will pandemic be used to expand surveillance state?, Salon, Apr. 3, 2020
• CDC granted $500 million for surveillance, data collection system to fight coronavirus, WSBTV, Apr. 3, 2020
• Why Most Should Avoid The 'Out Of Control' Zoom Right Now, Forbes, Apr. 2, 2020
• Virus Delaying Court's Review Of Unredacted Mueller Report, Law360, Apr. 1, 2020
• Zoom è sotto inchiesta negli Usa per problemi di privacy, AGI, Apr. 1, 2020

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).

Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD, and Marc Rotenberg, JD, LLM. West Academic (West Academic 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

EPIC Champion of Freedom Awards. June 3, 2020.