EPIC Alert 27.13 - September 3, 2020
- EPIC to Supreme Court: Government Insiders Who Improperly Access Personal Data Violate Computer Crime Statute
- Appeals Court: NSA Call Metadata Program Was Illegal, Likely Unconstitutional
- EPIC FOIA: Documents Reveal DHS's Slow Response to Election Cybersecurity Threats, Underscore Risks of New Voting Tech
- Unsealed Documents: Google Employees Knew Location Privacy Settings Were Misleading
- EPIC Obtains Additional Records From AI Commission
- News in Brief
- EPIC in the News
- EPIC Bookstore
1. EPIC to Supreme Court: Government Insiders Who Improperly Access Personal Data Violate Computer Crime Statute
EPIC has filed an amicus brief in the U.S. Supreme Court case Van Buren v. United States, which concerns whether a police officer violated the Computer Fraud & Abuse Act by accessing personal data in a government database for non-law enforcement purposes.
EPIC's brief argues that the CFAA was enacted "to protect personal information stored in recordkeeping systems" and that the scope of the law "should be co-extensive with its data protection purpose." EPIC wrote that government databases "hold vast quantities of some of the most sensitive personal data imaginable" and that "we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems."
The brief also responds to concerns about the potential scope of CFAA liability by noting that "any limiting principle should be tethered to the underlying purpose of" the provision, which is "to protect sensitive data from exposure and subsequent misuse."
EPIC has participated as amicus in LinkedIn v. hiQ Labs, which concerns the application of the CFAA to companies that scrape social media user data. The petition for review in the LinkedIn case is pending in the U.S. Supreme Court.
2. Appeals Court: NSA Call Metadata Program Was Illegal, Likely Unconstitutional
The Ninth Circuit U.S. Court of Appeals ruled this week that the National Security Agency's bulk collection of phone call metadata violated the Foreign Intelligence Surveillance Act and was likely unconstitutional. EPIC and a coalition of groups filed an amicus brief in the case, United States v. Moalin, arguing that call metadata is protected under the Fourth Amendment.
"We hold that the telephony metadata collection program exceeded the scope of Congress's [FISA] authorization," the Ninth Circuit wrote. The court rejected the argument that individuals lack a Fourth Amendment expectation of privacy in call metadata simply because the data is held by phone companies. The public is "likely to perceive as private several years' worth of telephony metadata collected on an ongoing, daily basis—as demonstrated by the public outcry following the revelation of the metadata collection program," the court explained.
The court's opinion cited repeatedly to the coalition amicus brief, in which EPIC and others argued that communications metadata "is a digital trail of past and present political associations, personal sympathies, and private affairs. It can reveal confidential relationships between reporters and sources, whistleblowers and watchdogs, as well as attorneys and clients. It implicates the kind of expressive and associational activities that the Framers sought to protect by including 'papers' in the text of the Fourth Amendment." The court also cited the work of EPIC Advisory Board member Laura K. Donohue.
3. EPIC FOIA: Documents Reveal DHS's Slow Response to Election Cybersecurity Threats, Underscore Risks of New Voting Tech
EPIC has obtained key new documents concerning the federal response to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report.
The incident logs reveal difficulties contacting campaign officials in the lead-up to the 2016 election and concerns voiced within the agency about "unbalanced" outreach. The documents show that DHS contacts with state election officials were limited, as some in the agency were wary that the critical infrastructure designation "would at a later time lead to regulation on states."
In the Cyber Risk Report, the DHS found that compromises in voter registration databases resulted in the potential release of personally identifiable information, though not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems.
The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future"—particularly the implementation of internet-connected voting systems.
The case is EPIC v. DHS, 17-2047 (D.D.C.).
4. Unsealed Documents: Google Employees Knew Location Privacy Settings Were Misleading
Documents recently disclosed in Arizona's consumer protection lawsuit against Google show that the company's employees admitted Google's location privacy settings were "confusing" and potentially misleading.
The suit, brought by Arizona Attorney General Mark Brnovich, alleges that Google violated the Arizona Consumer Fraud Act by collecting and storing location data on mobile devices—even after users believed they had turned off location tracking.
A newly-unsealed version of Arizona's complaint reveals that Google employees knew the interface was "[d]efinitely confusing from a user point of view[.]" One employee wrote that Google's interface "feels like it is designed to make things possible, yet difficult enough that people won't figure it out."
In July, twenty-seven members of EPIC's advisory board signed a letter urging the court to reject Google's efforts to delay a decision on unsealing the documents. "Delaying the decision to seal the case documents would diminish our capacity, as well as the public's opportunity, to exercise First Amendment rights to speak regarding the Attorney General's complaint and exhibits," the letter read.
In 2018, EPIC told the Federal Trade Commission that Google's surreptitious tracking of user location data violated the FTC's 2011 Google consent order. "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order," EPIC wrote. The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations.
5. EPIC Obtains Additional Records From AI Commission
In June, a federal court ruled in EPIC's case that the AI Commission is subject to the Federal Advisory Committee Act. Judge Trevor N. McFadden ordered the Commission to hold open meetings, which the Commission did for the first time in July. The Commission approved a set of recommendations to Congress at the meeting and is set to issue a final report next year.
Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission has since disclosed thousands of pages of records to EPIC. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).
News in Brief
GAO Report: CBP Needs to Address Privacy Issues with Facial Recognition Deployment
A new report by the Government Accountability Office found that Customs and Border Protection needs to address privacy issues with the agency's deployment of facial recognition technology at ports of entry. CBP currently deploys facial recognition at 27 airports as part of its Biometric Entry-Exit Program. The GAO found that CBP has not provided adequate privacy notices or information on opting out of facial recognition to the public. Additionally, the agency has failed to implement a plan to audit privacy compliance by airline partners involved in the program. EPIC has previously explained to Congress and the CBP that its Biometric Entry-Exit program unfairly burdens travelers exercising their right to opt out of facial recognition. EPIC has called on Congress to suspend facial recognition at airports and earlier this year urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.
Report Details EU States' Use of Automated Decision-Making During Pandemic
In a report released this week, AlgorithmWatch analyzed how 16 countries throughout the European Union have adopted automated decision-making tools in response to the COVID-19 pandemic. Deployment of these tools is widespread across the EU, including voluntary exposure notification apps, a mandatory app recently greenlit by the Slovenian government, and an app used in Poland and Hungary that relies on geolocation and face surveillance to enforce quarantine rules. The report notes that the effectiveness of automated contact tracing "lack[s] hard evidence . . . even months after the first deployments." EPIC has published recommendations on preserving privacy during the pandemic and has called on Congress to establish privacy safeguards for digital contact tracing.
Apple and Google Announce Changes to Digital Contact Tracing System
Apple and Google have announced "Exposure Notification Express," an updated version of the companies' joint digital contact tracing technology. The revised system will allow public health agencies to conduct digital contact tracing without having to develop their own independent apps. In jurisdictions that have adopted the Apple-Google system, mobile users will now be automatically notified that the contact tracing tool is available, though the system will remain opt-in only. In response to Apple and Google's original proposal for a COVID-19 contact tracing system, EPIC told Congress that it is "essential that government agencies and private companies implement standards that safeguard privacy." For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." EPIC has also obtained records from Utah and North Dakota that underscore the privacy risks of both states' COVID-19 contact tracing apps.
Amazon Claims 'Halo' Device Will Monitor User's Voice for 'Emotional Well-Being'
Despite the exceptional privacy risks of biometric data collection and opaque, unproven algorithms, Amazon last week unveiled Halo, a wearable device that purports to measure "tone" and "emotional well-being" based on a user's voice. According to Amazon, the device "uses machine learning to analyze energy and positivity in a customer's voice so they can better understand how they may sound to others[.]" The device also monitors physical activity, assigns a sleep score, and can scan a user's body to estimate body fat percentage and weight. In recent years, Amazon has come under fire for its development of biased and inaccurate facial surveillance tools, its marketing of the home surveillance camera Ring, and its controversial partnerships with law enforcement agencies. Last year, EPIC filed a Federal Trade Commission complaint against HireVue, an AI hiring tool that claims to evaluate "cognitive ability," "psychological traits," and "emotional intelligence" based on videos of job candidates. EPIC has long advocated for algorithmic transparency and the adoption of the Universal Guidelines for AI.
Brazil's General Data Protection Law to Take Effect This Month
Brazil's Lei Geral de Proteção de Dados (or LGPD), enacted in 2018, will go into effect this month. The LGPD is similar to the EU's General Data Protection Regulation, granting individual rights and placing obligations on companies processing personal data. The Brazilian law also creates a National Data Protection Authority. EPIC has long advocated for the enactment of comprehensive privacy legislation and the creation of a data protection agency. EPIC's report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law.
Federal Government Advises on Federal Laws Potentially Violated When Intercepting Drones
The FAA, DOJ, FCC, and DHS jointly issued the "Advisory on the Application of Federal Laws to the Acquisition and Use of Technology to Detect and Mitigate Unmanned Aircraft Systems." The advisory covers the applicable federal laws that non-federal or private entities might violate if they sought to detect or mitigate drone threats, including the Wiretap Act and Computer Fraud and Abuse Act. Congress previously granted the DOJ and DHS broad authority to detect and mitigate drone "threats" in the Preventing Emerging Threats Act of 2018 that was incorporated into the FAA Reauthorization Act of 2018. The FAA Reauthorization Act of 2018 required a report on drone surveillance risks but did not establish any baseline privacy safeguards. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities.
Algorithm in UK Disadvantaged Poorer Students in Grade Estimation Effort
An algorithm was used by the UK Office of Qualifications and Examinations Regulation (Ofqual) to assign grades to students after exams were cancelled due to the COVID-19 pandemic. The tool downgraded 36% of A-level grades suggested by instructors, and students from poorer neighborhoods and state-run schools were downgraded disproportionately. After threats of lawsuits and significant public outrage, Ofqual announced it will use teacher evaluations rather than the products of the algorithm. In July, the International Baccalaureate program used an opaque algorithm to assign scores that were key to college admissions. EPIC has advocated for algorithmic transparency and the adoption of the Universal Guidelines for AI.
Schrems Files 101 Complaints Targeting US-EU Data Transfers
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. "We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now," says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent European Court of Justice (CJEU) decision which found that the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
GAO Releases Report on Privacy, Discrimination Risks of Facial Recognition
The U.S. Government Accountability Office has released a key report about privacy and discrimination risks posed by the commercial use of facial recognition. The GAO completed the report in response to research showing the disparate impact the technology has on minorities, including a National Institute of Science and Technology study which found that facial recognition systems misidentify Black women at disproportionately high rates. The GAO report finds that, despite improvements in facial recognition technology, "differences in performance exist for certain demographic groups." The GAO report reiterates the office's 2013 recommendation urging Congress to update the federal consumer privacy framework to reflect changes in technology. EPIC advocates for a comprehensive federal privacy law and has called for a moratorium on face surveillance.
EPIC in the News
- The road to reasonable security: What CISOs should know, Privacy Perspectives, Sep. 3, 2020
- TSA tests touchless system that matches your ID to your face, avoids COVID-19 risks, USA TODAY, Sep. 2, 2020
- Brave New World: How AI Tools Are Used in the Legal Sector, Lexology, Sep. 1, 2020
- Column: An attack on California's landmark privacy law moves to the ballot box, Los Angeles Times, Aug. 28, 2020
- Column: Billboards that follow you? It's not sci-fi. They're already here, Los Angeles Times, Aug. 25, 2020
- Ruling that the transfer of data from the EU to the US was sufficiently protected invalid, The Times, Aug. 24, 2020
EPIC Bookstore
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:
EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).
Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.
Recent EPIC Publications
The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.
The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.
EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).
EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.
Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.