EPIC Alert 28.03

EPIC Alert logo

1. EPIC, Coalition Call for End to DC-Area Facial Recognition System

In a letter to the Metropolitan Washington Council of Governments, an EPIC-led coalition of privacy, civil liberties, and good government groups urged the Council to end the National Capital Region Facial Recognition System (NCR-FRILS) project and disclose all documents associated with it.

NCR-FRILS is a facial recognition system used by police departments and government agencies in the DC, Maryland, and Virginia area. The system runs comparisons against a database of 1.4 million local mug shots. The project was never publicly announced and was only revealed during the prosecution of a Black Lives Matter protester last fall.

"Given the threats posed by facial recognition and the fact that its impacts fall most heavily on minority communities, the Council should not be in the business of facial recognition," the coalition letter read. "We urge the Council to immediately halt the NCR-FRILS program and end any further funding of the project, but at minimum the Council should suspend the use of NCR-FRILS until the public has a say in whether to continue funding the program and open all future meetings on the NCR-FRILS system to the public."

In a Washington Post article covering the coalition letter, EPIC Senior Counsel, Jeramie Scott, argued that "facial recognition is a particularly invasive surveillance technology that undermines democracy and First Amendment rights."

EPIC previously submitted a series of open government requests to police departments in the DC-area seeking more information on NCR-FRILS.

2. EPIC to Court: Don't Undermine 2020 Census Privacy Protections

EPIC has filed an amicus brief urging an Alabama federal court not to upend the Census Bureau's system for protecting personal data collected in the 2020 Census.

Alabama is challenging the Bureau's use of differential privacy, in which controlled amounts of statistical noise are added to published census data to prevent individuals from being identified and linked with their census responses. The Bureau recently demonstrated that sophisticated reidentification "attacks" can identify tens of millions of people from published census data unless stronger privacy safeguards are used.

As EPIC argues in its brief, "differential privacy is the only credible technique to protect against such attacks, including those that may be developed in the future." EPIC's brief explains that federal law imposes on the Bureau an "affirmative duty to protect the privacy of census respondents—not merely to avoid direct, unfiltered publication of census responses." EPIC also argues that differential privacy "is not the enemy of statistical accuracy," but rather "vital to securing robust public participation in Census Bureau surveys[.]"

EPIC has long advocated for the confidentiality of personal data collected by the Census Bureau. In 2004, Bureau revised its "sensitive data" policy after an EPIC FOIA request revealed that the Department of Homeland Security had improperly acquired census data on Arab Americans from following 9/11.

In 2018, EPIC filed suit to block the citizenship question from the 2020 Census, alleging that the Bureau failed to complete several privacy impact assessments required under the E-Government Act.

3. Florida House Passes Privacy Protection Act, Including EPIC-Backed Private Right of Action

The Florida House of Representatives recently passed the Florida Privacy Protection Act, HB 969, on a 118-1 vote. The bill would give Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for children's privacy.

Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. EPIC and a coalition of privacy and consumer organizations had previously sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action the bill.

"The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined."

The Senate Rules Committee removed the private right of action provisions from the Senate bill, SB 1734, but the Senate could still restore the crucial enforcement provision.

4. Supreme Court Decision Threatens Autodialer Protections

Earlier this month, the U.S. Supreme Court ruled in Facebook v. Duguid that individuals can only claim protection under the Telephone Consumer Protection Act from unwanted calls made using a mass dialing system or "autodialer" if the system uses a random or sequential number generator to either store or produce the numbers called.

EPIC filed an amicus brief urging the Court to interpret the autodialer restriction broadly to include systems that automatically dial numbers stored in lists or databases. EPIC argued that "narrowing the autodialer definition would not protect privacy" but would instead "put the most widely used mass dialing systems outside the scope" of the ban.

Many robocallers and would-be robocallers will interpret the Court's decision as essentially abrogating the autodialer restriction, which will likely lead to a surge in unwanted automated calls to cell phones. Automated calls are already a daily nuisance for Americans. Individuals increasingly ignore calls from unknown numbers because they assume the calls are robocalls, which has caused particular harm to contact tracing during COVID-19. Congress must update the autodialer restriction to protect Americans from the coming onslaught of unwanted automated calls.

But the Court's decision is not a total victory for robocallers. The decision does not limit the definition of an autodialer to systems that dial random or sequential telephone numbers. The Court merely held that autodialers include systems must use random or sequential number generators, and referred specifically to systems that use prepopulated lists of telephone numbers. Because automated dialing programs commonly use random or sequential number generators to store or pull information from a list, it is hard to think of a mass dialing system that would not fit the Court's definition.

Litigation will continue over the scope of the autodialer definition, and the Federal Communications Commission will likely further clarify its scope. But Americans need protection from robocallers now; Congress should act swiftly to update the autodialer restriction.

5. EPIC-Led Coalition Asks States to Investigate Pharmacies Over Handling of Vaccine Patient Data

An EPIC-led coalition of civil society groups urged officials in five states this month to investigate major pharmacy chains over their collection and use of personal data from patients receiving COVID-19 vaccines.

The federal government has partnered with retail pharmacies to expand vaccine distribution, including CVS, Walgreens, Walmart, and Kroger. But as the coalition letter explains, some pharmacies "are requiring patients seeking access to the vaccine to register through their existing customer portals, which in turn exposes patients to broad personal data collection and marketing." According to a recent report, CVS executives "plan to stay in touch with vaccine recipients beyond receiving their second shot and use information gleaned in the process to better market to them."

The coalition urged state consumer protection authorities in California, Illinois, Massachusetts, New York, and the District of Columbia to conduct investigations, to prohibit the use of vaccine registrant data for commercial purposes, and to require pharmacies to separate vaccine registrant information from their general customer data.

"Patients should not have to trade unrestricted use of their sensitive personal information for a life-saving vaccine," the letter argues. "We believe these practices are unfair and deceptive and should be halted immediately." The coalition called on state officials "to remove barriers to access the vaccine and promote an equitable vaccine distribution process by protecting the personal data of vaccine recipients."

EPIC has long sought strong confidentiality protections for medical records and has laid out numerous recommendations concerning privacy and the pandemic.

News in Brief

EPIC Celebrates Sunshine Week with 2021 FOIA Gallery

In celebration of Sunshine Week, EPIC has unveiled the 2021 FOIA Gallery. Since 2001, EPIC has annually published highlights of EPIC's most significant open government cases and documents obtained through government records requests. For example, EPIC's 19-month legal effort in EPIC v. DOJ resulted in the release of new sections from the previously redacted Mueller Report, including details about Roger Stone and passages concerning decisions by Special Counsel Mueller to not charge particular individuals with criminal offenses. EPIC also prevailed twice in EPIC v. AI Commission, in which the court forced the Commission to hold public meetings and disclose thousands of pages of records to EPIC. In this year's FOIA gallery, EPIC also highlights records about the DHS's initial response to election cybersecurity threats, a DOJ report on predictive policing and AI, records about contact tracing efforts from North Dakota and Utah, and records about CBP's electronic device border search audits.

European Commission Proposes Risk-Based AI Regulation, Banning 'Unacceptable' Uses

The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The proposed regulation includes a ban on "unacceptable" uses of AI such as general social scoring and "real time remote biometric identification" for law enforcement. The proposal also imposes testing and transparency obligations for "high-risk" uses of AI, including a publicly accessible EU database on stand-alone high-risk systems. The proposal requires notice to individuals when they interact with certain types of AI and "conformity" assessments for high-risk systems. The prohibitions on unacceptable AI are very limited, and many of the strongest provisions are subject to significant exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. EPIC urges legislators to implement the OECD Principles on AI and adopt the Universal Guidelines of AI.

In EPIC Suit, DOJ Provides More Details on Federal Location Data Requests

As part of EPIC's ongoing lawsuit for cell phone surveillance orders issued by federal prosecutors, the Department of Justice identified 75 orders and warrants for cell phone location data under § 2703(d) from the U.S. Attorney's Office for the Virgin Islands from 2016 to 2019. During the same period, the attorneys handled 283 criminal cases. The U.S. Attorney's Office for the Virgin Islands is one of the smallest districts in the country. In February, EPIC obtained the number of location data requests for the District of Delaware, the first of five districts that the DOJ has agreed to search for location data requests. EPIC is still waiting for responses from three of the agency's other prosecutors' offices and will continue to update its comparative table as each district releases more information. Currently prosecutors do not release any comprehensive or uniform data about their surveillance of cell phone location data. In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that the collection of cell phone location data without a warrant violated the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.).

EPIC Calls for Ban on Corporate Use of Facial Recognition in Coalition Letter

In an open letter, EPIC and twenty four civil rights and social justice organizations called on elected officials to ban corporate, private, and government use of facial recognition technology, suggesting Portland, OR's recent ban on facial recognition as a model. The letter also urges corporate leaders to ban the technology within their companies. The coalition notes recent uses of facial recognition to monitor workers and instances of wrongful firings when facial recognition systems mis-identified black gig workers. EPIC and a coalition recently urged New York City Council to enact a comprehensive ban on facial recognition. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries.

EPIC, Coalition Urge AG and Senate to Conduct Oversight and Restore Government Transparency

EPIC and a coalition sent letters to Attorney General Garland and the Senate Judiciary Committee urging them to conduct oversight and review agency implementation of the Freedom of Information Act. The coalition requested the Senate Judiciary to hold an oversight hearing on agency FOIA compliance. The committee's last oversight hearing on FOIA was more than three years ago. The letter to Senate Judiciary states, "[I]t is imperative that the Committee provide oversight of agencies' compliance with FOIA, both to understand FOIA implementation by the Trump administration, as well as to seek commitments to comply with the law from the newly confirmed Biden administration officials." The coalition also asked Attorney General Garland to follow the precedent of many former AGs and issue a memorandum to agencies on how to interpret and apply the FOIA and to support legislative reform. During Sunshine Week, Attorney General Garland remarked that for the Justice Department to succeed, it must adhere to "the principles that have become core to our DNA" and that "faithful administration of FOIA is essential to American democracy." EPIC recently published its 2021 FOIA Gallery highlighting EPIC's most significant open government cases and records obtained through government records requests.

EPIC Presents Argument in NJ Supreme Court on Privacy of Personal Information in Government Records

Megan Iorio, counsel at EPIC, recently presented oral argument as a friend of the court in Bozzi v. Jersey City, a New Jersey Supreme Court case concerning a commercial open government request for names and addresses of dog license registrants. The lower court found no privacy interest in the information and ordered its release. Ms. Iorio urged the court to reverse and to find that personal information in government records should only be disclosed when a government transparency interest could be served by disclosure. The argument drew on the historic and constitutional origins of the right to informational privacy, federal courts' interpretation of the Freedom of Information Act's privacy exemptions, and New Jersey's strong constitutional right to privacy. EPIC filed an amicus brief in the case and argued before the court last year in State v. Andrews about whether an individual can be compelled to disclose their cell phone passcode.

EPIC Joins Letter Urging New York City to Ban Government Use of Facial Recognition

EPIC and a coalition of civil-rights and community-based organizations submitted a letter to New York City Council Speaker Corey Johnson urging the council to introduce a comprehensive ban on government use of facial recognition. The letter highlights the use of facial recognition by the NYPD and other NYC agencies; the potential for far-reaching surveillance posed by facial recognition technology; and the risk of errors from racial bias in facial recognition algorithms. EPIC leads a campaign to Ban Face Surveillance and gathered support from over 100 organizations and experts from more than 30 countries through the Public Voice Coalition.

EPIC Seeks Documents on Protest Monitoring, Advanced Surveillance Technologies from Fusion Centers

EPIC filed a series of open government requests seeking information on fusion centers' role in monitoring Black Lives Matter protests this summer and on fusion centers' possession of advanced surveillance technologies including location tracking services, cell phone data extraction tools, facial recognition, and social media monitoring tools. EPIC sent requests to federally funded fusion centers in Pennsylvania, South Carolina, Northern California, and North Dakota. Fusion centers are state or regional intelligence units that provide police with access to advanced surveillance technologies while relaying information to the Department of Homeland Security. EPIC previously urged DHS's DPIAC committee to investigate fusion centers and recommend ending federal funding of fusion centers.

Poll: Vast Majority of Americans Support Online Data Protection Legislation

A new poll from Morning Consult found that 83% of voters say that Congress should pass national data privacy legislation this year. Democrats (86%) and Republicans (81%) expressed bipartisan support for Congress to prioritize a federal privacy bill. The poll also found that voters place similar amounts of responsibility on both federal and state lawmakers, as well as federal regulators, to regulate data privacy. With respect to regulating how companies collect, store, and share personal information, 72% of voters said Congress is either "very responsible" or "somewhat responsible" while 79% said the same for federal agencies and 75% for state governments. Nearly 9 in 10 adults said it was either "very" or "somewhat" important to protect their most sensitive identifiable information under a privacy law, including Social Security numbers (89%), banking information (89%), biometric data (88%), and driver's license numbers (88%). EPIC has called for comprehensive baseline federal legislation and the creation of a U.S. data protection agency and has advocated for strong state privacy laws.

Supreme Court Limits FTC Authority to Recover Ill-Gotten Gains

The Supreme Court, ruling last week in AMG Capital Management v. Federal Trade Commission, sharply limited the FTC's ability to obtain restitution for individuals harmed by companies' unlawful trade practices. Disagreeing with years of FTC practice and numerous decisions by appellate courts, the Court ruled that a key provision in the FTC Act "does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement." As a result of the decision, the FTC must now go through a burdensome administrative process to force companies to give up ill-gotten gains rather than going directly to court. Acting Chairwoman Rebecca Kelly Slaughter responded that the decision is a ruling "in favor of scam artists and dishonest corporations, leaving average Americans to pay for illegal behavior." Members of Congress have already proposed amendments to Section 13(b) of the FTC Act that would restore the Commission's power to seek consumer redress. EPIC routinely advocates before the FTC for meaningful financial penalties against companies whose unlawful data and privacy practices harm consumers.

FTC: Racially Biased AI Violates FTC Act

The FTC announced last week that the sale or use of racially biased algorithms is an unfair and deceptive trade practice in violation of the FTC Act. In a blog post, the Commission warned companies to ensure fairness and equity in their use of AI. The FTC cautioned companies to "Start with the right foundation," "Watch out for discriminatory outcomes," "Embrace transparency and independence," "Don't exaggerate what your algorithm can do or whether it can deliver fair or unbiased results," "Tell the truth about how you use data," "Do more good than harm," and "Hold yourself accountable–or be ready for the FTC to do it for you." The FTC cited its 2016 report on big data analytics and machine learning; its 2018 hearing on algorithms, AI and predictive analytics; and its 2020 business guidance on AI and algorithms. The post also cited a recent study from the Journal of the American Medical Informatics Association finding that AI may worsen healthcare disparities for people of color, even if an AI system was meant to benefit all patients. In 2019, EPIC filed a complaint with the FTC asking the Commission to investigate HireVue's use of opaque, unproven AI and to require baseline protections for AI use. Last year, EPIC petitioned the FTC to conduct a rulemaking on commercial uses of AI, including protections against discrimination and unfair bias.

Virginia to Ban Local Police from Using Facial Recognition

A bill passed in Virginia will ban local law enforcement agencies from using facial recognition technology without prior legislative approval starting July 1, 2021. Even when such approval is given, the bill further requires local police agencies to have "exclusive control" over the facial recognition systems they use, preventing the use of Clearview AI and other commercial FR products. However, Virginia State Police and other state law enforcement agencies may continue to use facial recognition without legislative approval. EPIC and a coalition recently urged New York City Council to enact a comprehensive ban on facial recognition. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries.

Facebook Breach Exposes Personal Data of Over 500 Million Users

A trove of sensitive personal data from more than 500 million Facebook users was posted online this month. The leaked data includes names, phone numbers, email addresses, birthdates, location information, and biographical details. The original breach of personal data appears to have occurred in 2019. At least one privacy regulator, the Irish Data Protection Commissioner, has launched an investigation into Facebook's handling of the breach. The Commissioner's office said that it had "received no proactive communication from Facebook" following the disclosure of personal data. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.

Privacy Oversight Board Releases Report on EO 12333

The Privacy and Civil Liberties Oversight Board released its report on Executive Order 12333, which provides broad legal authority for data collection. The Oversight Board conducted three deep-dives into related counterterrorism activities—two on classified CIA programs and one on NSA's XKEYSCORE. XKEYSCORE is a tool used to search data collected under Executive Order 12333 that was revealed in the Snowden disclosures. The report lacks specifics on the 12333 programs the Board reviewed, but according to the Board the focus was on programs that either likely collected U.S. persons' information, targeted U.S. persons, or occurred in the U.S. The report also does not indicate the specific advice or recommendations the Board provided, but it does reveal that many intelligence agencies were using guidelines to protect U.S. persons that had not been updated since the 1980s or were never implemented as required by 12333. EPIC previously urged the Oversight Board to conduct a review of 12333.

California Supreme Court Rules Phone Calls Cannot be Recorded Without Consent of All Parties

The California Supreme Court held this month that all parties must consent to the recording of a cellular phone call under the state's Invasion of Privacy Act. In Smith v. LoanMe, an individual alleged that a loan servicer had recorded their call without obtaining consent from the called party. The lower court found that the law's ban on recording calls without consent only applied to eavesdroppers and did not apply when one of the parties to the communication recorded the call. The lower court ruling went against decades of cases and guidance that held California was a "two party consent" state. The California Supreme Court reversed and held that the law prohibited both eavesdroppers and parties to a call from recording without consent. The Court recognized that the California legislature intended to create an all-party consent regime and that recording a call without consent of all parties "can implicate significant privacy concerns, regardless of whether a party or someone else is performing the recording." EPIC filed an amicus brief arguing that recording a call without consent of all parties "poses unique threats to privacy." EPIC routinely files amicus briefs in cases implicating consumer privacy.

Massachusetts Supreme Court Rules Facebook Cannot Shield All Information on Apps that Violated User Privacy

The Massachusetts Supreme Judicial Court ruled last month that Facebook could be required to disclose to the Attorney General certain factual information about privacy-abusive apps discovered during the company's investigation into the Cambridge Analytica scandal. Facebook had claimed that all information it collected was protected by attorney-client and attorney work product privileges because the company's investigation was led by attorneys in anticipation of litigation. The Massachusetts high court disagreed that the attorney client privilege applied to all of the records, and remanded to the trial court to determine if the records contain factual work product that must be turned over to the Attorney General. EPIC filed an amicus brief in the case urging the court to "reject Facebook's attempt to use litigation threats as an excuse to prevent the facts of its breach of user trust from coming to light." EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.

FTC Announces New Rulemaking Group

Acting FTC Chairwoman Rebecca Kelly Slaughter recently announced the creation of a new rulemaking group within the FTC. The announcement follows criticism that the FTC has not adequately used its authorities, including its rulemaking power, to address consumer protection harms and promote competition. Section 18 of the FTC Act enables the Commission to issue trade regulation rules to address unfair or deceptive practices that occur commonly. Once the commission has promulgated a trade regulation rule, it may seek civil penalties for each violation of the rule. "I believe that we can and must use our rulemaking authority to deliver effective deterrence for the novel harms of the digital economy and persistent old scams alike," Acting Chair Slaughter said. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained.

Wiretapping Claims Against Facebook Move Forward as Supreme Court Denies Review

The U.S. Supreme Court recently denied a petition for review in In re: Facebook, Inc. Internet Tracking Litigation, a case challenging Facebook's use of "cookies" to track internet browsing activity even when users were logged out of their Facebook accounts. The U.S. Court of Appeals for the Ninth Circuit held that Facebook's use of cookies to track Internet users browsing other websites might violate the federal Wiretap Act because Facebook was not an authorized party to those communications. Facebook's efforts to get the Supreme Court to reject this holding of the Ninth Circuit failed, and now the case will move forward. EPIC filed an amicus brief in the Ninth Circuit and has filed briefs concerning settlements in other cases challenging cookie-based surveillance. EPIC has long advocated against the use of cookies and other surveillance tools to track people online. EPIC continues to advocate for clear rules and restrictions on web tracking as companies replace cookies with new surveillance techniques that would do little to protect privacy online.

Records Show FTC Botched Google Antitrust Investigation

The Federal Trade Commission's 2013 failure to sue Google for antitrust violations went against the advice of FTC staff and disregarded evidence of Google's growing market dominance, according to records obtained by Politico. FTC antitrust attorneys advised the Commission to bring suit against Google to block future deals with mobile companies in which Google would be an exclusive search provider. But the Commission rejected that recommendation on the view that mobile search was only a small part of the search market, a conclusion that quickly proved outdated. The records published by Politico also reveal that Amazon and Facebook—both of which are now facing their own antitrust proceedings—privately pushed the FTC to take enforcement action against Google. Google's anticompetitive practices in search and targeted advertising are the basis of two antitrust lawsuits brought by the Department of Justice and state attorneys general last year. Recently, Texas announced that it would broaden its lawsuit to cover Google's planned replacement for third-party cookies—so-called "FLoCs"—which would do little to protect privacy but further consolidate Google's market power. EPIC has long targeted anticompetitive practices by Google, including its acquisition of DoubleClick and bias in YouTube search rankings. EPIC also helped bring about the FTC's 2011 order establishing privacy safeguards for Google users and sued when Google violated that order.

California Bans 'Dark Patterns' That Subvert CCPA's Opt-Out Rights

California Attorney General Xavier Becerra has announced updated regulations under the California Consumer Privacy Act (CCPA) that ban so-called "dark patterns" that delay or obscure the process for opting out of the sale of personal information. Specifically, the regulations prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn't opt out. "These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said Attorney General Becerra. Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." In February, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process. Today, the FTC will hold a workshop on "Bringing Dark Patterns to Light."

Security Breach of Surveillance Start-Up Exposes Private Residences, Schools, Companies

Around 150,000 networked and facial recognition-capable security cameras located in hospitals, schools, homes, and prisons were accessed in a security breach of Verkada, a surveillance company. The breach exposed vulnerable populations surveilled by Verkada's cameras and highlights the degree to which unregulated surveillance and data collection are ubiquitous within the United States. Verkada's software offerings include facial recognition tools, exacerbating the risks created by its surveillance systems. EPIC, along with a coalition of advocates, warned about similar risks for Amazon's Ring Doorbell and called for a ban on facial recognition as well as regulation of surveillance and data governance.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Upcoming Conferences and Events

Consumer Federation of America Consumer Assembly. May 4, 2021. Caitriona Fitzgerald, EPIC Deputy Director.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security