EPIC Alert 27.14

1. EPIC Urges EU to Enact Comprehensive AI Legislation

In comments to the European Commission, EPIC urged the EU to enact robust legislation covering all uses of AI in order to protect fundamental rights. The comments came in response to the Commission's Inception Impact Statement, which presented legislative options ranging from non-regulation of AI to regulating only "high-risk" AI to regulating all forms of AI.

"Biases and other inaccuracies caused by AI systems can have a severely harmful impact on individuals," EPIC wrote. "Oversight of both public and private uses of AI will help avoid inappropriate applications of the technology, minimize the opacity of AI decision-making, and avoid arbitrary actions and determinations."

EPIC explained that is essential to regulate all forms of AI—rather than just "high risk" applications—because "[i]nformation collected under one purpose not previously determined as 'high-risk' can easily be used in a 'high-risk' purpose" later. But if the EU decides to treat "high risk" applications differently, EPIC wrote, it "should designate as "high-risk" all programs that impact people of different classes unequally, that invade personal privacy, or that lack adequate data security. The use of AI in the criminal justice system, the use of AI for secret consumer scoring, and the use of AI in hiring and educational settings all pose especially high risks."

EPIC also urged the EU to rely on the OECD AI Principles and the Universal Guidelines for AI as a baseline for AI policy. EPIC was instrumental in the creation of the UGAI, which have been endorsed by more than 290 experts and 60 associations in 40 countries.

2. EPIC Policy Director: 'Regulators Failed and Google Turned the Internet Into a Surveillance Machine'

In advance of a Senate Judiciary Committee hearing titled "Stacking the Tech: Has Google Harmed Competition in Online Advertising?," EPIC Policy Director Caitriona Fitzgerald argued in a Medium post that the answer to that question is obviously yes—but that Congress shares some of the blame.

"There are many problems with today's online advertising systems — the profiling and tracking of Internet users, the increasing concentration of power in the hands of a few companies (e.g., Google and Facebook), the loss of support for editorial content, the use of discriminatory practices and redlining, the design of systems to unfairly promote the advertiser's products over competitors', and the misuse of ads to undermine democratic institutions," Fitzgerald wrote. "All of these issues require careful examination by Congress. The threats to innovation, competition, civil rights, and democracy are real."

"But it didn't have to be this way," Fitzgerald explained. "More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy."

EPIC has long advocated for the protection of consumer privacy in digital advertising. In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the Federal Trade Commission that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. In 2018, EPIC underscored the dangers posed by lax enforcement of consumer protection laws in comments to the FTC, noting that Google and Facebook's access to consumer data "is at the very heart of why the digital platforms have been able to entrench their dominance."

3. EPIC, Coalition Urge for Congressional Briefings on Election Security to Continue

In a letter to the Direction of National Intelligence John Ratcliffe, EPIC joined a coalition of other groups calling for the continuation of in-person briefings to Congress on election security.

"Efforts to interfere with American elections are a serious threat to our democratic process and undermine public confidence in our institutions," the letter reads. "You hold an office of public trust that requires you to treat all matters before you in an impartial, non-partisan manner."

"As the Legislative branch that is responsible for oversight of the Executive branch and holds lawmaking authority, the DNI must refrain from raising pretextual concerns to absolve your office of its obligation to answer to congressional oversight committees," the letter continues. "As such, it is critical that [ODNI] continue responding to all congressional oversight inquiries and continue to appear in-person to answer questions."

EPIC is currently suing the Department of Homeland Security for records about the agency's assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency has released hundreds of pages of records to EPIC about its role in election cybersecurity, including summaries of the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. EPIC has also created a new educational resource for those interested in learning more about how to ensure the security and integrity of the 2020 Election.

4. Court Holds Closed-Door Hearing in EPIC Mueller Report Case

A federal court in Washington, D.C. held a closed-door hearing with the Department of Justice this week in EPIC's case for disclosure of the complete, unredacted Mueller Report. The hearing is likely the last step in the case before a final ruling from the court.

Judge Reggie B. Walton is currently conducting an "in camera" review of the full Report to determine what additional information must be released to public. In March, Judge Walton ruled that in camera review was necessary because of "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]"

In June, Judge Walton said that he could not "assess the merits of certain redactions without further representations from the Department" and ordered the DOJ to attend an "ex parte" (one-on-one) hearing. After several delays due to COVID-19, that hearing was held on Tuesday.

The DOJ also provided written responses to the court in July, which revealed that Judge Walton had questioned every legal basis asserted by the DOJ to withhold material in the Mueller Report. As part of those responses, the DOJ conceded that it would have to disclose additional material from the Report.

EPIC's Freedom of Information Act case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810.

5. Portland City Council Votes to Ban Facial Recognition

The city council of Portland, Oregon passed two key ordinances last week banning the use of facial recognition. One ordinance prohibits the city government from using facial recognition. A second ordinance prohibits private companies from using facial recognition in public spaces.

"Face Recognition Technologies have been documented to have an unacceptable gender and racial bias," the council found, warning that "the risk for misidentification and misuse is always present. Safe use of these technologies requires adequate due process, transparency, and oversight measures to be trusted."

The council underscored that "Portland residents and visitors should enjoy access to public spaces with a reasonable assumption of anonymity and personal privacy. This is true for particularly those who have been historically over surveilled and experience surveillance technologies differently."

Portland joins a growing list of cities that have banned the facial recognition technology, including Boston, Oakland, and San Francisco. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. Earlier this year, an EPIC-led coalition called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

News in Brief

Reps. Hurd, Kelly Introduce Resolution to Guide U.S. AI Policy

Rep. Will Hurd (R-TX) and Rep. Robin Kelly (D-IL) released a resolution this week proposing a set principles for AI policy in the United States. The recommendations include enacting federal privacy legislation "to build trust [and] prevent harm"; developing AI standards in order to ensure "technologies that are safe, secure, reliable, and comport with the norms and values of the United States"; and conducting regular oversight of AI use in the executive branch. The resolution comes after the two representatives released multiple reports on AI with the Bipartisan Policy Center. EPIC advocates for comprehensive data protection legislation, has evaluated existing proposals for federal privacy legislation, and recommends the Universal Guidelines for AI and the OECD Principles on AI as a baseline for AI policy.

Mauritius Ratifies Convention 108+, 36 Countries Back Privacy Convention

Mauritius signed and ratified the Modernized International Privacy Convention. Mauritius became the sixth state to officially ratify the modernized Convention 108, and the 36th country to become a signatory. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the agreement.

House Passes IoT Security Bill

The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) "The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices," said Hurd. "The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction." The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards.

Bipartisan Policy Center Calls for AI Regulation, Data Privacy Law

The Bipartisan Policy Center, along with Rep. Will Hurd (R-TX) and Rep. Robin Kelly (D-IL), recently released white paper outlining recommendations for Congress to regulate the use Artificial Intelligence. The recommendations include enacting federal data privacy legislation, funding the National Institute of Standards and Technology to develop optional technological standards, and publicly releasing benchmark datasets for some applications of AI. The Center also published a report on Artificial Intelligence and National Security report this summer. EPIC advocates for the enactment of a federal comprehensive data privacy law, tracks privacy legislation, and recommends baseline mandatory technical standards for AI.

Oracle Proposes Deal with TikTok to Be 'Trusted Tech Provider' in U.S.

Oracle, of the nation's largest data brokers, has agreed to a deal with ByteDance to become TikTok's "trusted technology provider" in the U.S. The U.S. government has raised concerns about the protection of user data collected by the popular video sharing app, especially given the power of the Chinese government to obtain data from TikTok. The full details of the agreement between TikTok and Oracle are unknown, but the White House and the Committee on Foreign Investment in the United States still need to approve the deal. Treasury Secretary Steve Mnuchin said that the department plans to review the deal, and the department acknowledged its obligation to review the service's data protection standards. Earlier this year, EPIC and a coalition of child advocacy, consumer, and privacy groups filed a complaint to the Federal Trade Commission to investigate TikTok's failure to protect children's privacy. The proposed partnership between Oracle and TikTok could further threaten the privacy of TikTok users.

Professors Hartzog and Richards: Clearview AI Gets Privacy and First Amendment Wrong

In a recent Boston Globe op-ed, Professors Woody Hartzog, an EPIC Advisory Board member, and Neil Richards assert that Clearview AI's claim of a First Amendment right to scrape, analyze, and disseminate publicly available photos is a threat to privacy and misunderstands the right to free speech. Clearview AI's claim comes in response to a lawsuit under the Illinois Biometric Information Privacy Act (BIPA) challenging the company's collection of photos and sale of facial recognition services. EPIC filed an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws. Recently, EPIC filed FOIA requests with several government agencies revealed as users of Clearview AI technology. Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

Facebook Faces Order to Stop Sending EU User Data to U.S.

The Irish Data Protection Commissioner has reportedly issued a preliminary order to Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the European Court of Justice (CJEU) decision which found that Privacy Shield, an EU-U.S. agreement permitting companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

EPIC in the News

• Google Hit With UK Privacy Suit Over Children's YouTube Data, Law360, September 14, 2020
• Lawmakers to Weigh NSCAI Recommendation for Classified Technology Annex, Defense Daily, September 9, 2020
• Billboards that follow you? It's not sci-fi. They're already here, Telegraph Herald, September 7, 2020
• Some universities say notifying students of COVID-19 cases on campus violates privacy rights. Experts say transparency is key., Yahoo, September 4, 2020
• Federal Judge Finds Certain Trump Administration Redactions of Mueller Probe Are Lawful, Law and Crime, September 4, 2020
• EPIC Says High Court Should Embrace Broad CFAA Reading, Law 360, September 4, 2020

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.