EPIC Alert 28.04

1. After EPIC-Led Coalition Effort, DC Area Facial Recognition System Will Shut Down

The Metropolitan Washington Council of Governments informed EPIC in a letter this month that the National Capital Region Facial Recognition System (NCR-FRILS) "will be halted and cease to operate as soon as possible but no later than July 1, 2021."

The announcement came two weeks after an EPIC-led coalition sent a letter to the Council demanding an end to the system, citing the dangerous nature of facial recognition and racial bias in facial recognition software. NCR-FRILS is used by police departments and government agencies in the DC, Maryland, and Virginia area. The system is capable of running comparisons against a database of 1.4 million local mug shots.

"The public should be informed and provided a meaningful opportunity to weigh in on the use of new surveillance technologies, and some technologies, like facial recognition, are antithetical to democracy and should not be used," the coalition wrote. The coalition emphasized that "the Council should not be in the business of facial recognition."

As the Council noted in its recent letter, a new law in Virginia requiring approval from the General Assembly before using facial recognition was set to curtail NCR-FRILS use in that state, which helped cause the system's demise. The facial recognition system was first disclosed last year after it was used to identify a protester at a Black Lives Matter rally accused of assault.

2. At EPIC's Urging, Massachusetts AG Presses Pharmacies Over Vaccine Patient Data

The Massachusetts Attorney General, following up on a letter from an EPIC-led coalition of civil society groups, recently wrote to major pharmacies seeking details about their collection and use of personal data from COVID-19 vaccine recipients.

The federal government is coordinating with retail pharmacies to facilitate vaccine distribution. But as EPIC and coalition partners warned last month, some pharmacies "are requiring patients seeking access to the vaccine to register through their existing customer portals, which in turn exposes patients to broad personal data collection and marketing."

The Massachusetts AG letter calls on pharmacies to explain what personal data they collect from vaccine patients, what disclosures they make, whether the pharmacies will use the data for commercial purposes, and whether the data is being stored separately from general customer information.

"[A]ccess to life-saving vaccines should not be conditioned on a consumer's consent to provide personal data not necessary for the vaccination administration," the AG's letter explains. "Nor can consent to such data collection or marketing be presumed based on a consumer's desire to obtain a vaccination."

The CDC recently issued a directive prohibiting health providers "from using any data gathered in the course of their participation in the CDC COVID-19 Vaccination Program, including any Protected Health Information or other Personally Identifiable Information, for commercial marketing purposes." EPIC and coalition partners have also asked officials in California, Illinois, New York, and the District of Columbia to investigate and prevent pharmacies from putting vaccine patient data to commercial use.

3. Top Human Rights Court Rules UK Mass Surveillance Program Violated Privacy Rights, Cites EPIC

Earlier this week, the grand chamber of the European Court of Human Rights issued a final judgement in Big Brother Watch v. UK confirming that the UK's intelligence agency violated the right to privacy by systematically intercepting online communications without first applying necessary safeguards.

The court ruled that the agency's mass surveillance program was "not in accordance with [EU] law," which only allows governments to retain data in an effort to combat "serious crime" and requires a court or administrative body to sign off on data collection. The UK law at issue was not limited to serious crime, nor did it require independent authorization; these "fundamental deficiencies" impermissibly increased the "risk of the bulk interception power being abused."

Nevertheless, the grand chamber found that the agency's decision to operate a bulk interception program did not itself violate human rights, and the agency's sharing of sensitive digital intelligence with foreign counterparts—including with the NSA—was legal.

Several chamber judges believed this ruling did not go far enough to condemn the sharing of wrongfully collected communications with other countries, noting the chamber "missed an excellent opportunity to fully uphold the importance of private life ... when faced with interference in the form of mass surveillance."

EPIC has a strong interest in protecting the human right to privacy and has continuously opposed suspicionless mass collection of personal communications by domestic and foreign governments. EPIC participated in this case as a third-party intervenor and filed a brief describing U.S. intelligence authorities that allow the NSA to access the private communications of non-U.S. persons in violation of their rights, which the Court cited in its judgment. EPIC was also chosen by the Irish High Court to make amicus submissions in a case involving the international transfer of data from European servers to the U.S. in violation of EU law.

4. EPIC Seeks Privacy Impact Assessment for Postal Service Covert Surveillance Program

EPIC, through a Freedom of Information Act request and letter to the USPS Privacy Office, is seeking the required Privacy Impact Assessment for the Internet Covert Operations Program (iCOP) operated by the U.S. Postal Inspection Service.

First revealed by Yahoo News in April, the iCOP uses Clearview AI's facial recognition system and a suite of social media monitoring tools to surveil individuals online, including protesters. Although the E-Government Act of 2002 requires federal agencies to conduct, review, and publish a privacy impact assessment before initiating a new collection of personal data or acquiring technology that will handle personal data, it does not appear that the USPS did so in this case.

EPIC also urged the USPS Privacy Office to fully comply with the E-Government Act by proactively publishing privacy impact assessments online, as most federal agencies do. "Privacy impact assessments are often the first source of information the public has about federal surveillance systems," EPIC wrote. "The current USPS practice of disclosing PIAs upon request creates a barrier to accessing information by imposing additional steps to obtain documents that are by law public information."

EPIC has previously used the E-Government Act to help stop the bulk collection of voter data by the Presidential Advisory Commission on Election Integrity, to pressure the Census Bureau to drop the citizenship question from the 2020 Census, and to secure an agreement from the Department of Homeland Security to abandon its development of "media monitoring services." EPIC also leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries.

5. EPIC Student Privacy Project Featured in Kennedy School Casebook

EPIC's Student Privacy Project has been selected for inclusion in the spring 2021 Tech Spotlight Casebook, a publication of the Harvard Kennedy School's Belfer Center for Science and International Affairs. The casebook "recognizes projects and initiatives that demonstrate a commitment to public purpose in the areas of digital, biotech, and future of work."

The book highlights EPIC's recent efforts to halt the use of unfair, unreliable, and invasive remote proctoring tools and the D.C. consumer protection complaint EPIC filed against online proctoring firms.

"Through meticulous research, the Student Privacy Project revealed the extent to which these companies collect and process student personal and biometric data," the casebook explains. "The complaint attempts to hold the five companies accountable for their practices by demonstrating how the data collection and processing practices may violate existing law."

The casebook also recognizes recent work around census privacy protections, community control over police surveillance, racially biased speech recognition tools, and the use of "garbage" facial recognition to identify criminal suspects. A virtual ceremony was held for honorees on May 20.

News in Brief

EPIC v. Drone Advisory Committee: Divided Appeals Court Endorses Secrecy of Key Working Groups

A divided panel of the D.C. Circuit, ruling in EPIC's case against the FAA Drone Advisory Committee, held that the committee can keep the records of its controversial working groups secret. EPIC filed suit in 2018 against the industry-dominated body, which ignored the privacy risks posed by the deployment of drones even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the committee was forced to disclose hundreds of pages of records under the Federal Advisory Committee Act. But a lower court ruled in 2019 that the records from the committee's working groups could be withheld from the public—a decision that the D.C. Circuit has now affirmed. Judge Robert L. Wilkins, writing in dissent, accused the majority of "doing violence to the text" of the FACA and argued that the decision "undermines FACA's purpose and greenlights an easily abusable system[.]" Noting the "obvious privacy concerns that drones present" and the fact that the DAC was "stacked with industry representatives," Wilkins warned that "[w]e should look with suspicion upon agency efforts to circumvent FACA by using subgroups." EPIC is now considering whether to ask the full D.C. Circuit to hear the appeal. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).

EPIC Urges DHS Data Privacy Committee to Ensure Meaningful Oversight of Information Sharing Agreements

In comments to the DHS's Data Privacy and Integrity Advisory Committee (DPIAC), EPIC urged a comprehensive review of DHS's Information Sharing Access Agreements (ISAAs) prioritizing the most sensitive types of data, information from marginalized groups, and agreements disclosing information to unreliable partners. EPIC's comments respond to DPIAC's tasking to provide guidance to the DHS Privacy Office after an OIG audit revealed that thousands of ISAAs had never been reviewed for compliance with privacy laws and regulations. EPIC previously urged DPIAC to undertake a comprehensive investigation of fusion centers for chronic privacy and civil liberties abuses.

EPIC Urges HHS to Prioritize Patient Privacy in Modifications to HIPAA Privacy Rule

In comments to the Health and Human Services Department (HHS), EPIC opposed proposed changes to the HIPAA Privacy Rule reducing restrictions on disclosing patients' Protected Health Information (PHI). HHS's proposed rule would expand the entities that can receive PHI without patient consent, lower the standard for disclosing PHI in the process of care coordination, and specifically authorize certain non-consensual disclosures of PHI for patients with mental illness and substance abuse disorders. EPIC argued that the modifications will expose patients to greater risk of data breach and increase barriers to receiving care for stigmatized populations without providing benefits to patients. Recently, EPIC Executive Director Alan Butler and Counsel Enid Zhou published a paper in the American University Law Review analyzing the increased collection of health data during the Covid-19 pandemic.

EPIC Obtains 2018 DHS Election Security Briefing with Members of Congress

Through a Freedom of Information Act request to the Department of Homeland Security, EPIC obtained records circulated in a 2018 election security meeting with members of the U.S. House of Representatives. On May 22, 2018, then-DHS Secretary Kirstjen Nielsen, then-Federal Bureau of Investigation Director Christopher Wray, and then-Director of National Intelligence Dan Coats held a classified briefing for members of Congress informing them of the risks to the election process and steps the administration was taking to assist state officials in ensuring election security. The briefing materials include charts on election infrastructure cyber risk scenarios and cybersecurity considerations, as well as compiled anecdotes of the DHS's engagement with state election security officials. These anecdotes highlighted how states have taken efforts to strengthen their election systems for the 2018 mid-term elections, including some states taking up the voluntary election security resources from DHS. EPIC sued the DHS for records about the agency's assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency released hundreds of pages of records to EPIC about its role in election cybersecurity, with records revealing the agency's rocky initial involvement in election security following its 2017 designation of election infrastructure as critical infrastructure and how far the agency has come since then. The case is EPIC v. DHS, 17-2047 (D.D.C.).

EPIC, Coalition Urge Spotify to Abandon Speech-Recognition Technology

In a letter to Spotify, EPIC and a coalition of over 100 recording artists, 69 non-profit organizations, and 10 prominent individuals urged the streaming service to publicly commit not to explore a newly-patented voice-recognition feature. Spotify's new patent would allow the company to identify individuals' "emotional state, gender, age, or accent" to recommend music. The coalition letter identified major concerns with the potential technology including emotional manipulation, discrimination, massive privacy violations, and increased inequality within the music industry. Spotify recently stated that the company has not implemented the technology, and claims to have "no plans" to do so. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition gathered support from over 100 organizations and experts from more than 30 countries.

Schumer Bill Would Rapidly Escalate AI Funding but Fails to Propose AI Safeguards

The U.S. Innovation and Competition Act introduced recently by Senate Majority Leader Chuck Schumer would earmark $53 billion for technological and AI development yet fails to propose critical safeguards for federal AI deployment. One part of the bill, the Endless Frontier Act, would significantly increase National Science Foundation funding to expand research and improve the diversity of the STEM workforce. The bill would also allocate funds for analyzing and combatting human rights violations in China and promoting "American Leadership" in AI development. Another part of the bill, the Advancing American AI Act, would incrementally improve the transparency and accountability of government AI use. Under the bill, the Office of Management and Budget would be tasked with ensuring that federal contracts for AI systems address "privacy, civil rights, and civil liberties," and each agency would be required to assemble and publish (when "practicable") an inventory of its AI systems. However, the bill—much of which tracks recommendations by the NSCAI—fails to establish binding limitations on federal AI use and offers little protection for members of the public injured by government-operated AI systems. EPIC previously urged the Commission to recommend substantive limits on AI to protect individuals against harmful, biased, invasive, and unreliable AI systems.

Senator Markey, Rep. Matsui Introduce Bill to Increase Transparency and Decrease Discrimination in Algorithms

Senator Ed Markey (MA) and Representative Doris Matsui (CA) have introduced the Algorithmic Justice and Online Transparency Act of 2021. The bill prohibits discrimination based on protected classes for algorithmic processes on online platforms, requires online platform companies to create and maintain documentation about their algorithms for review by the FTC, and sets out a standard for what safe and effective algorithmic processes would be. The bill also calls for the creation of an inter-agency task force to investigate discriminatory algorithmic processes including the Federal Trade Commission, Department of Housing and Urban Development, Department of Education, Department of Justice, and the Department of Commerce. EPIC endorses the bill, and has been advocating for Algorithmic Transparency and Equity, specifically urging state, federal, and international governments to regulate harmful AI guided by the Universal Guidelines for AI. Last year, EPIC petitioned the FTC to establish a rulemaking regulating algorithmic tools in order to address discrimination.

D.C. Attorney General Files Antitrust Suit Against Amazon

D.C. Attorney General Karl Racine has filed a lawsuit against Amazon alleging that the online retail giant has violated the District of Columbia Antitrust Act. The complaint accuses Amazon of stifling competition by imposing contractual clauses that prevent third-party sellers from offering lower prices outside of the Amazon platform. The lawsuit explains that the agreements ultimately lead to higher prices for consumers and less innovation. "Amazon wins because it controls pricing across the online retail sales market, putting itself at an advantage over everyone else," Racine told reporters. "These restrictions allow Amazon to build and maintain monopoly power." In February, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs dark patterns to manipulate consumers when they attempt to cancel their Amazon Prime subscriptions. These dark patterns enable Amazon to continue collecting subscription fees and retain the personal data of misdirected subscribers. EPIC also signed onto a recent coalition letter calling for the Federal Trade Commission to investigate Amazon's use of dark patterns in the Prime cancellation process. EPIC has long argued that anticompetitive practices and market consolidation in the technology sector pose a threat to privacy rights.

Irish High Court Orders DPC to Move Forward in Facebook Investigation

The Irish High Court has issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

Lawmakers Call on Facebook to Reverse WhatsApp Terms of Service Update

Congresswoman Lori Trahan (MA-03) and a group of Congressional Hispanic Caucus members recently called on Facebook CEO Mark Zuckerberg to reverse the company's decision to require WhatsApp users to accept expanded data collection or leave the platform entirely. "We write to respectfully ask Facebook to consider reversing WhatsApp's decision to update their new terms of service. We believe Facebook is potentially offering a false choice to users across the globe: accept the sharing of metadata with Facebook by May 15th or leave the platform altogether," the lawmakers wrote. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." In their letter, the members highlight that pledge and the FTC's statement.

State AGs Push Back Against Facebook's Plan to Launch Instagram for Children

More than 40 state attorneys general have sent a letter to Mark Zuckerberg pressuring Facebook to drop its plans to launch a version of Instagram for children younger than 13. The Attorneys General, led by Massachusetts Attorney General Maura Healey, expressed bipartisan support to protect children's privacy and their physical and mental health. The AGs raised concerns about Facebook's history of privacy incidents, stating "Facebook has a record of failing to protect the safety and privacy of children on its platform, despite claims that its products have strict privacy controls[.]" The Campaign for a Commercial-Free Childhood commented "If Facebook insists on plowing ahead, it's the clearest sign yet that the company views itself as accountable to no one, even when it comes to the well-being of children, and must be regulated much more rigorously," and lawmakers have similarly expressed concerns about children's privacy issues with social media. EPIC signed on to a coalition letter by the Campaign for a Commercial-Free Childhood that urged Zuckerberg to cancel plans to launch a version of Instagram for children under 13.

Biden Administration Abandons DHS Plans to Expand Biometric Collection

According to a news report, the Biden Administration plans to rescind a proposed rule to massively expand the collection of biometric information from immigrants. The rule, proposed towards the end of the Trump Administration, would have granted the Department of Homeland Security broad authority to collect biometric data from immigrants and their families and associates. The rule would have enabled the collecting of palm prints, iris images, voiceprints, DNA, and images for facial recognition regardless of age. In comments to the Department of Homeland Security, EPIC opposed the rule and urged the agency to rescind the proposed rule. EPIC argued that DHS's broad authorization to collect biometrics was incompatible with the Department's Fair Information Practice Principle. EPIC also specifically called on the agency to suspend the use of facial recognition technology. Last year, EPIC, joined by over 40 organizations, called for the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

White House Launches Website for National AI Initiative, AI.gov

The White House has launched AI.gov, the new website of the National Artificial Intelligence Initiative Office featuring reports, policy priorities, and news about artificial intelligence from across the federal government. The site lists "Advancing Trustworthy AI" and "International Cooperation" as two of six top priorities for federal AI policy, embracing the Organization for Economic Cooperation and Development AI Principles and the G20 AI Principles. EPIC has urged both the White House and Congress to prioritize human rights over AI adoption and has recommended the OECD Principles and the Universal Guidelines for Artificial Intelligence as baseline frameworks for regulating AI and mitigating algorithmic harms. EPIC has also fought for transparency in AI policymaking, successfully suing the National Security Commission on Artificial Intelligence to enforce its public records and open meetings obligations.

Surveillance Court Finds FBI Repeatedly Misused FISA Program to Conduct Unlawful Surveillance of Americans

The Foreign Intelligence Surveillance Court (FISC) recently disclosed an opinion revealing that the FBI has repeatedly misused Section 702 of the Foreign Intelligence Surveillance Act (FISA) to gather information in domestic investigations. Section 702 (sometimes referred to as the "PRISM" program) authorizes certain programs of surveillance of private communications for foreign intelligence purposes, without prior court approval, where the surveillance targets non-US persons located abroad. The law has been widely criticized, in part, because of the "backdoor search" loophole that allows domestic law enforcement officials to access Americans' communications without a warrant. The surveillance court previously found that the FBI's procedures for obtaining information through backdoor searches violated the Fourth Amendment. The newly published opinion demonstrates how the FBI has failed to reform these unlawful practices. An audit revealed that the agency searched FISA information 40 times last year while investigating a wide range of purely domestic crimes, including health-care fraud, gang violence, domestic terrorism by "racially motivated violent extremists," and public corruption. Again, the FISC expressed "concern[] about the [FBI's] apparent widespread [Section 702] violations." EPIC has long tracked FISA court orders and advocated for FISA reform. More recently, EPIC filed a Freedom of Information Act lawsuit seeking disclosure of a report concerning FBI use of Section 702 authority for domestic criminal investigations and participated as amicus to address the scope of U.S. surveillance authorities in the Court of Justice of the European Union.

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.
