EPIC Alert 27.08

1. EPIC Argues for Disclosure of FAA Drone Committee Records

EPIC Counsel John Davisson argued before the D.C. Circuit Court of Appeals last week in EPIC's open government case against the FAA Drone Advisory Committee. EPIC filed suit in 2018 against the industry-dominated committee, which largely ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern.

As a result of EPIC's lawsuit, the committee was forced to disclose hundreds of pages of records last year under the Federal Advisory Committee Act. A lower court ruled that the agency could withhold records from the committee's secretive subcommittees, but EPIC appealed that decision to the D.C. Circuit.

"The Federal Advisory Committee Act was enacted to open to public scrutiny the manner in which government agencies obtain advice from private individuals," Davisson told the court. "The question at the heart of this case is whether the FAA and the Drone Advisory Committee can avoid the public scrutiny required by the [Act] simply by relying on advisory subcommittees to develop policy recommendations."

The three-judge panel hearing EPIC's appeal expressed doubt that top FAA officials could participate in subcommittees without opening them to the public. "If the agency does that and proceeds in that fashion, then there's consequences, and one of the consequences is that subgroup of the advisory committee is going to be treated as an advisory committee as well," Judge Robert Wilkins said.

A decision in EPIC's appeal is expected later this year. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).

2. Public Health Emergency Privacy Act Introduced

A group of five senators and representatives recently introduced the Public Health Emergency Privacy Act in Congress. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes, and provides for both public and private enforcement.

"The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals," said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. "The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so."

The bill is co-sponsored by Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (CT), and Mark Warner (VA).

Earlier this month, Senators Roger Wicker (MI), John Thune (SD), Jerry Moran (KS), and Marsha Blackburn (TN) announced the COVID-19 Consumer Data Protection Act, a bill which would regulate businesses' collection and use of personal health and location data in connection with the COVID-19 pandemic.

EPIC's report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency and room for states to enact stronger privacy laws.

3. EPIC Seeks Records About Utah and North Dakota's Contact Tracing Apps

EPIC has filed two government records requests to Utah and North Dakota seeking information about their contact tracing apps launched in response to the COVID-19 pandemic.

Utah launched Healthy Together, an app that tracks individual movements using Bluetooth and location tracking services. North Dakota similarly launched its own contact tracing app called Care19, which collects GPS location data, WiFi data, and cell phone tower data to track an individual's movements over time.

Both Utah and North Dakota claim that the use of the apps are voluntary and that users can delete the sensitive data collected. But neither state has disclosed any privacy assessments or independent audits conducted on the apps.

On the federal level, EPIC is pursuing a Freedom of Information Act request with the Department of Justice seeking legal analysis about the collect of GPS and cell phone location data. EPIC has also told Congress that government agencies and private companies must establish privacy safeguards for digital contact tracing.

4. EPIC Settles FOIA Case Regarding DHS Drone Reports

EPIC has settled a Freedom of Information Act lawsuit against the Department of Homeland Security for a key report on drones and other related documents required by a 2015 Presidential Memorandum.

The Presidential Memorandum required the DHS to report on privacy, civil liberties, and civil rights protections for the agency's use of surveillance drones.

The 2015 DHS report attempted to justify the use of drones by Customs and Border Protection, but a 2018 report by the Inspector General called into question the CBP's drone privacy policies and procedures. The Inspector General found that CBP failed to complete a required analysis for a drone surveillance system and failed to implement effective safeguards for information collected by drones.

EPIC has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." In March, EPIC filed comments with the FAA urging the agency to require real-time public access to drone ID information.

5. Supreme Court Hears Arguments in Robocall Ban, Trump Tax Returns Cases

The Supreme Court heard oral arguments last week in two cases for which EPIC filed an amicus brief: Barr v. American Association of Political Consultants, concerning the constitutionality of a federal law that prohibits unwanted robocalls, and Trump v. Vance, a case concerning the release of President Trump's tax returns to a grand jury.

In Barr v. AAPS, the Court is considering whether an exemption to the Telephone Consumer Protection Act is constitutional and, if not, whether the exemption should be severed or the whole law struck down. EPIC's amicus brief defended the law. EPIC said that the robocall ban is "constitutionally permissible and serves important governmental interests." EPIC explained that cell phone adoption has made "the harm caused by unwanted automated calls" greater than when the robocall ban was enacted in 1991.

In Trump v. Vance, EPIC filed an amicus brief in the case supporting disclosure. EPIC explained that President Trump broke with 40 years of precedent by concealing his tax records, even as he sought to collect sensitive voter and citizenship data from the public. "This is inverted liberty: privacy for the President and compelled disclosure of personal data for the public," EPIC argued. "That is antithetical to the structure and practice of modern democracies which safeguard the privacy of citizens and impose transparency obligations on political leaders, most notably the President."

EPIC frequently files amicus briefs on the TCPA, including in the related case, Gallion v. Charter Communications. And EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is currently seeking "offers-in-compromise" and related tax records of President Trump and his businesses.

News in Brief

EPIC, Coalition to White House: Set Privacy Standards for COVID-19 Data and Technology Uses

EPIC and 14 other consumer, privacy, civil and digital rights organizations sent a letter to Coronavirus Task Force leader Vice President Mike Pence urging the federal government to set guidelines that protect privacy and ensure equity in responding to the COVID-19 pandemic. The group stated, "[t]he proper use of technology, personal and aggregate data, and data analytics has the potential to provide important public health benefits, but it must incorporate proper privacy and security safeguards, as well as protections against discrimination and violations of civil and other rights." The group also raised concerns about public-private partnerships that utilize technology to respond to COVID-19 without the necessary privacy safeguards. The letter outlines 11 principles that form the basis for standards that the government and private sector can follow and asked Vice President Pence for a meeting to discuss their concerns. The group also asked that the Coronavirus Task Force immediately create an interdisciplinary advisory committee comprised of experts from privacy, social science, data security, public health, and members of civil society to develop standards. To Congress, EPIC has said that it is "essential that government agencies and private companies implement standards that safeguard privacy."

EPIC Obtains New Records in Case Against AI Commission

EPIC, as part of the open government case EPIC v. AI Commission, has obtained more documents from the National Security Commission on Artificial Intelligence and the Department of Defense. The records provide the first public look at the work of the AI Commission's closed-door working groups. Yet the records contain only a single reference to the privacy risks posed by the use of AI. The Commission's disclosure follows a court ruling in EPIC v. AI Commission that the Commission is subject to the FOIA. The AI Commission has regularly held closed-door meetings with tech firms and defense contractors without soliciting input from the American public. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

EPIC, Coalition Tell FTC to Investigate TikTok's Failure to Protect Children's Privacy

EPIC and coalition of child advocacy, consumer, and privacy groups recently filed a complaint urging the Federal Trade Commission to investigate and penalize TikTok for violating the Children's Online Privacy Protection Act. TikTok paid a $5.7 million fine for violating the children's privacy law last year. But more than a year later, TikTok has failed to delete personal information previously collected from children and is still collecting kids' personal information without notice to and consent of parents. The groups were led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy.

Supreme Court Won't Review Deeply Flawed Ruling in EPIC v. Commerce

The U.S. Supreme Court has refused to review a deeply flawed ruling in EPIC v. Commerce, EPIC's suit to halt the collection of citizenship data in the 2020 Census due to the government's failure to complete required privacy impact assessments. Under the E-Government Act, federal agencies must make privacy impact assessments "publicly available" before undertaking a new collection of personal data. Yet a three-judge panel of the D.C. Circuit ruled that the statute does not "vest a general right of information in the public" that would allow EPIC—one of the leading privacy organizations in the country—to obtain information about the government's data collection practices. Last year, the Supreme Court's decision in Commerce v. New York led to the removal of the citizenship question from the 2020 Census. EPIC filed an amicus brief in support of that outcome.

ICANN Blocks .ORG Sale to Private Equity Firm

ICANN has blocked the proposed sale of the .ORG domain to a private equity fund. ICANN cited the importance of maintaining the "fundamental public interest nature of [the Public Interest Registry]." EPIC has long been involved in the governance and promotion of the .ORG domain and had argued that the sale should be blocked.

French Court Bans the Use of Drone Surveillance to Enforce COVID-19 Lockdown

The Conseil d'État, France's highest administrative court, issued a decision banning French authorities from using drone surveillance to track individuals violating social distancing rules. The Court cited privacy issues with drone surveillance and stated that drone surveillance by police would be banned until technology is added to prevent the filming and identification of individuals or approval was given by France's privacy regulator, the Commission nationale de l'informatique et des libertés. EPIC recently argued argued before the D.C. Circuit Court of Appeals in EPIC's open government case against the FAA Drone Advisory Committee. EPIC filed suit in 2018 after the Advisory Committee largely ignored the privacy risks posed by drones. Despite the Committee's disregard for privacy, documents obtained by EPIC showed the Committee identified privacy as a top public concern. EPIC also recently settled a Freedom of Information Act lawsuit against DHS for a report detailing the status of implementing privacy, civil liberties, and civil rights protections against DHS' use of surveillance drones.

Senate Amends FISA Reauthorization Bill, Sends Back to the House

The Senate has voted to pass an amended version of the USA FREEDOM Reauthorization Act of 2020, which was passed by the House in March. The bill would end the NSA's bulk telephone metadata program and make further reforms to the Foreign Intelligence Surveillance Act. The Senate agreed to further amendments by Senators Lee and Leahy that expand FISA protections, but rejected amendments proposed by Senators Wyden and Daines that would have protected Americans' internet browsing and search histories. The adopted Leahy/Lee amendment strengthens the role of "amici curiae," who are independent, expert advisors to the Foreign Intelligence Surveillance Court, by increasing their access to information, their power to raise issues with the Court, and the number of cases they are appointed in. Since amendments were adopted, the bill now returns to the House of Representatives for consideration. Members of both parties have expressed support for reform of the controversial NSA surveillance program. EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms, and recently advised Congress to limit Section 702 surveillance and to allow Section 215 to expire.

New York AG Reaches Agreement with Zoom over Privacy Violations

New York Attorney General Letitia James has announced an agreement with Zoom Video Communications following an investigation into Zoom's consumer safeguards. Zoom agreed to enhance encryption protocols, perform yearly penetration testing, and add privacy-enhancing features to its platform. The agreement also provides enhanced privacy controls for education accounts. Last month, EPIC urged the FTC to issue best practices for online conferencing.

U.S. Government Agencies Warn That Internet Voting Poses Significant Security Risk

The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Election Assistance Commission, and the National Institute of Standards and Technology has sent a risk assessment to states warning of the "significant security risk" of online voting. "While there are effective risk management controls to enable electronic ballot delivery and marking," the agencies said, "we recommend paper ballot return as electronic ballot return technologies are high-risk even with controls in place." EPIC has a long history of working to protect voter privacy and election integrity. In 2016 EPIC published The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy.

Under Scrutiny, Clearview Plans to Cancel Accounts With Private Companies

In response to a lawsuit brought under the Illinois Biometric Information Privacy Act, Clearview AI—the controversial facial recognition company—committed to cancelling all accounts with private companies. The commitment comes as Clearview AI tries to stave off a temporary injunction that would prevent the company from using any information it has collected from Illinois residents. In an amicus brief before the ninth circuit, EPIC defended an individual's right to sue companies who violate the Illinois Biometric Information Privacy Act and other privacy laws. More recently, EPIC filed a Freedom of Information Act request to several government agencies seeking records about the government's use of Clearview AI technology. Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

Senators Call on FTC to Investigate Ed Tech, Advertising Aimed at Children

A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA.

AI Commission Calls for Privacy, Civil Liberties Safeguards on COVID-19 Contact Tracing

The National Security Commission on Artificial Intelligence has released a set of privacy and civil liberties recommendations concerning digital contract tracing during the COVID-19 pandemic. The Commission urged that contact tracing tools must include data minimization, transparency, explicit user consent, and input from privacy and security professionals. The Commission also warned that contract tracing systems must address "challenges with inclusiveness and potential discrimination." The Commission advised Congress to establish technological standards and to require the Federal Trade Commission to regulate the technology. Since January, the Commission has released hundreds of pages of documents as part of the open government lawsuit EPIC v. AI Commission. EPIC is also litigating to enforce the Commission's obligation to hold open meetings.

Pew Survey: Use of Location Data to Enforce Social Distancing "Unacceptable"

A new Pew Research survey found about 62% of Americans believe it is unacceptable for the government to use location data to ensure compliance with social distancing guidelines. The Pew survey results are based on a nationally representative panel of randomly selected U.S. adults. EPIC has urged that the use of technology to combat COVID-19 must be lawful and voluntary. Last year, Pew found that 75% of Americans say there should be new regulations of what companies may do with personal data. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency.

Massachusetts Governor: State Will Not Adopt Digital Contact Tracing Without Privacy Protections

Massachusetts Governor Charlie Baker (R) expressed skepticism about digital contact tracing in a recent press conference, saying in response to a reporter's question about the apps: "That means if we incorporate something like the types of technology you're talking about into this, we're going to have to do it in a way that makes people feel comfortable that they're not giving up some of their privacy and confidentiality because we incorporated an electronic app into the process." Massachusetts has led the country in quickly building a workforce to perform manual contact tracing in partnership with Partners in Health. For digital contact tracing techniques, EPIC recently recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency."

Senators to Introduce COVID-19 Data Protection Bill

A group of four senators has announced plans to introduce the COVID-19 Consumer Data Protection Act, a bill which would regulate businesses' collection and use of personal health and location data in connection with the COVID-19 pandemic. The bill would require companies to obtain "affirmative express consent" before collecting personal data, to disclose details about how personal data will be used, to satisfy data minimization and security requirements, and to allow consumers to opt out. Businesses would also be required to "delete or de-identify all personally identifiable information" when it is no longer needed for the COVID-19 crisis. The bill—sponsored by Senators Roger Wicker, John Thune, Jerry Moran, and Marsha Blackburn—charges the Federal Trade Commission with enforcement. EPIC recently told Congress that "privacy and public health are complimentary goals" and that "Privacy Enhancing Techniques can be deployed to serve the public interest and protect individuals." EPIC's report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency and room for states to enact stronger privacy laws.

EPIC in the News

• Lessons for the US after 2 years of Europe's landmark data protection regulation, AEI, May 19, 2020
• Privacy Concerns in the Age of Expanding Online Education, Online Education, May 19, 2020
• Warner-backed bill addresses concerns over security of info gathered to fight COVID-19, Augusta Free Press, May 17, 2020
• Democrats unveil coronavirus data privacy bill that is a direct rebuke of Republicans, Daily Dot, May 15, 2020
• Democrats unveil coronavirus data privacy bill that is a direct rebuke of Republicans, DailyDot, May 15, 2020
• TikTok Accused of Breaching Child Privacy Regulations, IT News Africa, May 15, 2020
• Advocacy group says TikTok violated FTC consent decree and children's privacy rules, Yahoo, May 14, 2020
• https://www.multichannel.com/news/ftc-complaint-filed-against-tiktok, Multichannel News, May 14, 2020
• TikTok accused of breaching US child privacy regulations, Financial Times, May 14, 2020
• US advocacy group says TikTok violated FTC consent decree and children's privacy rules, The Star, May 14, 2020
• Church Sues After Bible Class Zoombombed With Porn, Media Post, May 14, 2020
• Thermal cameras are big business in battle with COVID-19 but experts raise questions, WCYB News, May 14, 2020
• Wary DC Circ. Grills FAA On Access To Drone Policy Advice, Law360, May 13, 2020
• How big tech plans to profit from the pandemic, The Guardian, May 13, 2020
• Scraping Dispute Highlights Need for CFAA Review, Infosecurity, May 11, 2020
• Under Cover of Mass Death, Andrew Cuomo Calls in the Billionaires to Build a High-Tech Dystopia, The Intercept, May 8, 2020
• Suit alleges firm soils reputations, then seeks money to improve them, mprnews.org, May 8, 2020
• Would You Let The Government Track Your Smartphone If It Meant We Could Reopen Sooner?, Newsweek, May 8, 2020
• Anaheim Police to Use Facial Recognition Tech, Tech Wire, May 8, 2020
• Anti-Robocall Law Exemption Faces Test in Supreme Court Argument, Bloomberg Law, May 6, 2020
• The Supreme Court Could Use the First Amendment to Unleash a Robocall Nightmare, The Atlantic, May 6, 2020
• How to Track COVID-19 Without Mass Surveillance, Reason.com, May 5, 2020
• 'I Could Solve Most of Your Problems': Eric Schmidt's Pentagon Offensive, New York Times, May 3, 2020
• How the coronavirus is upending medical privacy, POLITICO, Apr. 28, 2020
• Drones used in effort to slow the spread of COVID-19, CBS News, Apr. 27, 2020
• Congress Urged To Boost Court Access Amid COVID-19 Crisis, Law360, Apr. 24, 2020
• Judge Cautions Facebook in Approving Record $5B Fine for Alleged Privacy Violations, Law.com, Apr. 24, 2020`

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).

Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD, and Marc Rotenberg, JD, LLM. West Academic (West Academic 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

EPIC Champion of Freedom Awards. June 3, 2020. Virtual Event.