You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC Alert 27.12

EPIC Alert logo

1. EPIC Urges U.S. Supreme Court to Recognize Narrow Scope of FOIA Exemption for Deliberative Documents

EPIC has filed an amicus brief urging the U.S. Supreme Court to limit federal agencies' use of the deliberative process privilege to withhold documents from Freedom of Information Act requesters. EPIC's brief argues that "agencies have taken an unjustifiably broad view of the deliberative process privilege, often improperly withholding documents that are clearly not deliberative."

The case, U.S. Fish & Wildlife Service v. Sierra Club, concerns opinions from two federal agencies about a proposed Environmental Protection Agency rule. Parts of the agencies' opinions and recommendations were transmitted to the EPA, and the EPA revised its rule based on this information. Nevertheless, the agencies claim that the documents are deliberative and refused to disclose them under the FOIA.

"The Court should make clear that records describing the basis of an agency decision that are not followed by further deliberation are final and not deliberative," EPIC wrote. "In the absence of this clear guidance, agencies will continue to interpret the deliberative process privilege broadly and cause years of delay and unnecessary litigation."

"In EPIC's experience, agencies frequently make broad deliberative process privilege claims in the first instance that do not hold up upon a court's inspection, but nevertheless delay the release of reports and memoranda that reflect final agency decisions," EPIC continued. "This is not the narrow construction that Congress intended."

EPIC has many years of experience litigating FOIA cases and provided the Court with examples where agencies have taken an overbroad view of the privilege, such as EPIC v. DOJ (Predictive Policing) and EPIC v. DOJ (Warrantless Wiretapping Memoranda). EPIC regularly litigates FOIA cases and files amicus briefs on open government issues.

2. EPIC Urges FAA to Require Privacy Safeguards With Drone Exemption Grants

In comments to the Federal Aviation Administration, EPIC reminded the FAA of the importance of addressing the privacy risks of drones as they are integrated into the national airspace. EPIC's comments came in response to a drone company's petition for a special exemption to conduct unmanned aerial deliveries.

EPIC urged the FAA to use the exemption process to require the implementation of privacy safeguards. "In doing so, the FAA will help set expectations on commercial drone users that they will be responsible for being transparent about drone capabilities and accountable for protecting privacy," EPIC told the agency.

EPIC also called on the FAA "to do more to inform the public of the surveillance capabilities and uses of drones and implement safeguards to protect privacy. We urge the FAA to incorporate better transparency measures into their review of exemptions in order to better inform the public about."

Earlier this year, EPIC, joined by other organizations, submitted comments to the FAA regarding the agency's proposed rule for drone IDs. The comments urged the FAA to ensure that drone ID information "is made available in real or near real time to the public and includes relevant information to allow the public to understand the purpose of a drone in their vicinity, the surveillance capabilities of the drone, and to obtain the actual identity of the operator of the drone."

3. EPIC Obtains Records About Texas's Use of Aerial Surveillance

Through a Public Information Act request to the Texas Department of Public Safety, EPIC has obtained records about the state's use of two Pilatus surveillance planes—including videos recorded during the George Floyd protests. The planes, purchased by the state for border operations, were reportedly used were used to surveil cities hundreds of miles from the border.

EPIC obtained flight logs from January 1, 2018 to June 15, 2020, plane technical specifications, and the department's video retention policy. The flight logs reveal that the surveillance planes flew an average of one flight per day between May 25 to June 15, 2020, with a total of 103 hours of total flight time. In over ninety percent of these flights, the planes recorded no video.

The planes reportedly cost an average of $474 an hour to fly, and the Texas DPS spent roughly $49,000 to record three videos over the three-week span. The Texas DPS withheld three videos recorded between May 25 to June 15, 2020, during the height of the George Floyd protests, despite its video retention policy stating that "all retained video copies...will be subject to open records requests."

EPIC has long highlighted the privacy and civil liberties implications of aerial surveillance technology and has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance."

4. EPIC to Senate Commerce: Hold Hearing on Data Protection Agency Legislation

In a statement to the Senate Commerce Committee before a Federal Trade Commission oversight hearing, EPIC again urged lawmakers to establish an independent U.S. Data Protection Agency.

EPIC explained that "the FTC has not done enough to address the growing threats to consumer privacy. Our federal laws do not create adequate data protection standards. Meanwhile the collection, aggregation, and monetization of personal data is expanding at a rapid pace as Americans continue to face unprecedented risks of identity theft, financial fraud, and data breaches."

EPIC pointed to the FTC's failure to both stop mergers that threaten consumer privacy and enforce its own consent orders. "When it comes to data protection, the FTC is not up to the task," EPIC explained. "It is time to establish an independent federal data protection agency in the United States."

EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. EPIC's report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency.

5. AI Commission Releases More Records to EPIC

EPIC, as part of the open government case EPIC v. AI Commission, has obtained more documents from the National Security Commission on Artificial Intelligence.

The records include a third-party presentation provided to the AI Commission about the use of "psychology and AI" to "help prepare an AI-enabled workforce." The presentation endorses the use of AI job screening tools like HireVue and claims that "reducing time-to-hire is as important as making good decisions." EPIC filed a Federal Trade Commission complaint last year highlighting HireVue's unlawful failure to meet baseline standards for AI decision-making.

The presentation also argues that "sociometers can be used to train AI about effective communication" in the workplace. Sociometers are "wearable electronic device[s] capable of automatically measuring the amount of face-to-face interaction, conversational time, physical proximity to other people, and physical activity levels using social signals derived from vocal features, body motion, and relative location."

Separately, EPIC obtained a presentation from IARPA on "Artificial Intelligence and Threats." The document discusses the use of AI in autonomous weapons systems, psyops, and image classifiers.

The AI Commission's disclosure of records follows a ruling in EPIC's lawsuit that the Commission is subject to the Freedom of Information Act. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

News in Brief

New Jersey Court Finds Passcode Disclosure Testimonial, But Allows Compelled Decryption of Cell Phone

The New Jersey Supreme Court recently ruled in State v. Andrews that an exception to the Fifth Amendment privilege against self-incrimination allows the government to compel decryption of a cell phone if the government has a valid search warrant and knows the identity of the phone's owner. The court determined that compelled disclosure of a passcode is a testimonial act but found that the "foregone conclusion" exception can apply to force decryption under certain circumstances. But the court stressed that, because the scope of the search in this case was very narrow, the decision did not license a "fishing expedition." The court also signaled that it would apply the same restrictions to biometric passcodes as alphanumeric passcodes, stating that applying different standards to the two types of passcodes would be "problematic." EPIC filed an amicus brief and presented oral argument in the case. Citing Riley v. California and Carpenter v. United States, EPIC argued that the vast troves of personal data stored in cell phones "justifies strong constitutional protections." During oral argument, EPIC urged the court to adopt one rule for biometric and alphanumeric passcodes.

Federal Appeals Court Dismisses CareFirst Data Breach Appeal

The D.C. Circuit has ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit held that the CareFirst consumers had standing to sue for the data breach.

UK Government Agrees to Stop Using 'Visa Streaming' Algorithm

The Home Office of the UK has announced that it will halt the use of its "Visa Streaming" algorithm. This change is the result of a settlement in a lawsuit brought to challenge use of the algorithmic decision system by the UK Government. The system produced a "traffic light" assessment of visa applicants (Green, Yellow, or Red ) that informed how they would be treated during the visa approval process. The algorithm used for the assessments is not transparent, and critics have raised concerns that the system was discriminating against individuals based on their nationality in a discriminatory form. The challengers in the suit alleged that the program violated the Equality Act of 2010, in that the algorithm exacerbated unequal treatment for Visa applicants from particular countries. Secretary of the Home office Priti Patel committed to redesign the program and to consider "issues around unconscious bias and the use of nationality" in the visa application process. EPIC advocates for algorithmic transparency, has counseled the US and EU on responsible AI, and maintains a resource on algorithms used in the US Criminal Justice System.

Massachusetts Supreme Court Rejects Long-Term Video Surveillance of Residents' Homes

The Massachusetts Supreme Judicial Court ruled recently that the Massachusetts Declaration of Rights protects the right to privacy in the areas around one's home from warrantless pole camera surveillance over several months. The court held that residents are constitutionally protected against extended surveillance when, "in the aggregate, [it] expose[s] otherwise unknowable details of a person's life." The court also refused to make privacy rights "contingent upon an individual's ability to afford to install fortifications and a moat around his or her castle." The court cited Commonwealth v. Connolly, which declared that Massachusetts residents have a right to be free from warrantless GPS surveillance under the Declaration of Rights. EPIC filed a friend of the court brief in Connolly. EPIC regularly files briefs in cases that involve emerging privacy and civil liberties issues.

Lawmakers Request FTC Privacy Investigation Into Adtech Industry

A bipartisan group of lawmakers led by Senators Ron Wyden [D-Ore.] and BIll Cassidy [R-La.] have called on the Federal Trade Commission to investigate the online ad economy. Wyden, Cassidy and other members asked the FTC to investigate how personal data, including the tracking of individuals at places of worship and protests, collected from Americans' phones to deliver advertisements is being obtained by data brokers and sold without the knowledge or consent of users. The lawmakers urged the FTC to open a 6(b) investigation into the matter. Earlier this year, consumer groups called on the FTC to use its 6(b) authority to conduct a study on companies collecting data on children. No action has been taken on that request. In addition to Sens. Wyden and Cassidy, the letter is signed by Sens. Maria Cantwell, D-Wash., Sherrod Brown, D-Ohio, Elizabeth Warren, D-Mass., and Edward Markey, D-Mass. Reps. Anna Eshoo, D-Calif, Zoe Lofgren, D-Calif., Yvette D. Clarke, D-N.Y., and Ro Khanna, D-Calif., signed as well. EPIC has filed many detailed complaints with the FTC regarding consumer privacy and has called for the creation of a U.S. Data Protection Agency due to the FTC's lack of action on privacy issues.

NIST Study Finds Masks Undermine Face Recognition Accuracy

A study conducted by the National Institute of Standards and Technology showed that face masks undermine the accuracy of facial recognition algorithms. The NIST study tested digitally applied masks of various shapes on 89 commercial algorithms. The result were error rates between 5% and 50%. The algorithms tested were all created pre-Covid-19. NIST plans to test facial algorithms developed with face masks in mind later this summer. A previous NIST study released at the end of last year found that false positives are up to 100 times more likely for Asian and African American faces when compared to White faces. EPIC has previously launched a Ban Face Surveillance campaign and called for a facial recognition moratorium across the globe, as well as suspension across the federal government and in U.S. schools.

Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved

The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. In its letter, TACD claims the CJEU's decision is "crystal clear," and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).

Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security