United States v. Miller

Whether the Fourth Amendment permits constant scanning of images uploaded to Google with corresponding reports automatically sent to law enforcement, absent evidence establishing that the underlying algorithm is accurate and reliably detects only contraband images
  • EPIC Files Amicus in Case Concerning Government Searches and Google's Email Screening Practices: EPIC has filed an amicus brief with the U.S. Court of Appeals for the Sixth Circuit in United States v. Miller, arguing that the Government must prove the reliability of Google email screening technique. The lower court held that law enforcement could search any images that Google's algorithm had flagged as apparent child pornography. EPIC explained that a search is unreasonable when the government cannot establish the reliability of the technique. EPIC also warned that the government could use this technique "to determine if files contain religious viewpoints, political opinions, or banned books." EPIC has promoted algorithmic transparency for many years. EPIC routinely submits amicus briefs on the application of the Fourth Amendment to investigative techniques. EPIC previously urged the government to prove the reliability of investigative techniques in Florida v. Harris. (Oct. 18, 2018)
  • More top news »
  • EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing » (Dec. 18, 2018)
    EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.
  • EPIC Investigates Airport Facial Recognition Opt-Out Procedures » (Dec. 12, 2018)
    In an urgent FOIA request, EPICis seeking documents from CBP about the procedures for travelers to opt-out of biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt-out of the screening procedure EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.
  • EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening » (Dec. 11, 2018)
    EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program.
  • Indian Supreme Court Imposes New Limits on National Identity System » (Sep. 26, 2018)
    In a ruling today, the Indian Supreme Court imposed new limits on Aadhar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhar to verify identity. Aadhar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhar data for national security purposes. The Court encouraged the state to establish a "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement.
  • EPIC Urges DHS To Abandon Privacy Act Exemptions for New Biometric Database » (Aug. 31, 2018)
    In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security.
  • EPIC Urges Suspension of Biometric Entry/Exit Program » (Jul. 25, 2018)
    In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level.
  • EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection » (Jul. 5, 2018)
    EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
  • EPIC Pursues Privacy Impact Assessments for Proposed DHS Biometric Database » (Jun. 18, 2018)
    EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year.
  • Senators Urge DHS to Address Concerns Over Facial Recognition at Airports; Conduct Public Rule-Making » (May. 11, 2018)
    In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports.
  • EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens » (Apr. 24, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.
  • EPIC FOIA: EPIC Obtains FBI Policy for Disseminating Biometric Info » (Mar. 22, 2018)
    Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including to not subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification” system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict."
  • Court Rules that Users have Standing to Sue Facebook about Facial Recognition » (Feb. 27, 2018)
    The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act.
  • EPIC Urges Congress to Suspend Facial Recognition At US Airports » (Feb. 26, 2018)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition.
  • Republican DACA Bill Would Expand Use of Drones, Biometrics » (Feb. 21, 2018)
    The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners, In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
  • EPIC Urges FBI to Limit Fingerprint-Based Background Checks » (Jan. 9, 2018)
    In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system.
  • EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program » (Dec. 18, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Custom and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
  • EPIC Urges Senate to Block Biometric Collection At US Airports » (Sep. 28, 2017)
    EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previous pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program.
  • NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong » (Sep. 19, 2017)
    The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, Algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pterrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
  • EPIC Obtains Final Report on "Face ePassport Air Entry Experiment" » (Sep. 8, 2017)
    As the result of a Freedom of Information Act request, EPIC has obtained a report on the use of face recognition on travelers entering the United States at Dulles Airport. The report was obtained after EPIC filed a lawsuit against Customs and Border Protection for documents about the agency's biometric entry/exit program, expedited by Executive Order 13769. As the report was heavily redacted, EPIC's FOIA lawsuit is ongoing. In a statement to the House Homeland Security Committee earlier this year, EPIC warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA, concerning airport body screening.
  • Supreme Court of India Rules Privacy is a Fundamental Right » (Aug. 24, 2017)
    India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.
  • EPIC to Congress: Examine Facial Recognition Surveillance at the Border » (Jul. 24, 2017)
    EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.
  • EPIC Files FOIA Lawsuit Over Border Biometrics, Expanded Tracking » (Jul. 20, 2017)
    EPIC has filed a FOIA lawsuit against Customs and Border Protection for information about the agency’s deployment of a biometric entry/exit tracking system, including at US airports. Trump's recent Executive Order regarding immigration ordered the expedited implementation of a biometric entry/exit tracking system, which will include U.S. citizens. Biometric techniques, including facial recognition, lack proper privacy safeguards. EPIC previously sued the FBI over the Bureau’s Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
  • EPIC Urges TSA to Consider Alternative to Biometric Collection » (Jul. 5, 2017)
    In comments to the Transportation Security Administration, EPIC urged the agency to consider alternatives to expanding the collection of biometric identifiers for the TSA Pre-Check application. EPIC explained the potential for biometric identifiers to be used for purposes other than determining eligibility for Pre-Check and the substantial personal privacy risks for applicants if the databases associated with Pre-Check were compromised. EPIC also proposed privacy enhancing alternatives, such as limiting the storage of biometric identifiers or providing information on how to have information removed from databases associated with Pre-Check. EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information.
  • EPIC Urges Senate Committee to Investigate FBI's Massive Biometric Database » (May. 1, 2017)
    EPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • EPIC Joins Coalition to Urge FOIA Compliance on Immigration Enforcement » (Apr. 25, 2017)
    EPIC joined a coalition of civil society organizations to urge the Immigration and Customs Enforcement to comply with the Freedom of Information Act. The letter to DHS Secretary Kelly calls upon the federal agency to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC previously received documents through a Freedom of Information Act Request about DHS's immigration enforcement practices. The documents obtained by EPIC detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement.
  • EPIC Urges House Oversight Committee to Explore FBI's Use of Biometric Data » (Mar. 21, 2017)
    EPIC has sent a letter to the House Committee on Oversight concerning "Law Enforcement's Use of Facial Recognition Technology." EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau proposed to exempt the database from Privacy Act protections. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
  • Data Protection Experts Recommend New protections for Biometric Identification Online » (Mar. 17, 2017)
    The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of biometric identification online. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The "Working Paper on Biometrics in Online Authentication )" explains that “biometrics in online authentication offers one possibility to address some of the shortcomings” of conventional online passwords, but the “data protection and privacy risks” must be considered. Among their recommendations, the experts urge policymakers to support for “[p]roactive privacy tools,” and contend biometric authentication should “remai[n] an active choice by the user and not a condition of use.” EPIC will host the 61st meeting of the International Working Group in Washington DC in April 2017.
  • EPIC FOIA: EPIC Seeks Information about Airport Eye Scans of U.S. Travelers » (Mar. 2, 2017)
    EPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memorandum of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit public release of the FBI's privacy assessments.
  • EPIC FOIA: EPIC Obtains FBI-DoD Biometric Data Plans » (Jan. 30, 2017)
    Through a Freedom of Information Act lawsuit, EPIC has obtained several memorandum of understanding regarding the transfer of biometric identifiers between the Federal Bureau of Investigation and the Department of Defense. One of the agreements, which includes the State Department, calls for "a direct conduit for the parties to access databases storing biometric information." Last year, EPIC filed extensive comments scrutinizing the FBI's proposal to remove Privacy Act safeguards from the Bureau's massive biometric database known as "Next Generation Identification." EPIC also lead a coalition effort urging Congress to hold an oversight hearing on the FBI database. The case is EPIC v. FBI, No. 16-2237 (D.D.C. filed Nov. 10, 2016) (Biometric Data Transfer Agreements).
  • Open Government Lawsuits at Near-Record Highs in 2016 » (Dec. 9, 2016)
    Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, complied by for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos.
  • EPIC FOIA: EPIC Obtains Secret Inspector General Reports » (Nov. 21, 2016)
    Through a Freedom of Information Act lawsuit EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds. Another set of documents include audits of other grant programs, as well as a list of information security audits conducted since 2005. EPIC also obtained a previously unpublished audit of a state lab's DNA database. The mission of the DOJ Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel." EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive biometric database "Next Generation Identification."
  • EPIC Sues FBI Over Biometric Data Program » (Nov. 14, 2016)
    EPIC has filed a FOIA lawsuit against the Federal Bureau of Investigation for information about the agency's plans to transfer biometric data to the Department of Defense. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, but the FBI has resisted maintaining privacy safeguards. The Bureau previously proposed to exempt the database from many of the safeguards in the federal Privacy Act, which EPIC opposed. Then EPIC, following a FOIA lawsuit, obtained documents that revealed an error rate up to 20% for facial recognition searches in the FBI database. Now EPIC has filed an open government lawsuit to obtain a secret document that details the transfer of personal data in the FBI system to the Department of Defense. [Press Release]
  • High Court Extends Fourth Amendment Protections to DUI Blood Tests » (Jun. 23, 2016)
    In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible.
  • Federal Court Upholds Photo Tagging Suit Against Facebook » (May. 8, 2016)
    A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging.
  • Federal Agencies Seek Comment on Protections for Human Research Subjects » (Sep. 8, 2015)
    The Department of Health and Human Services is seeking public comment on proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects in the United States. The proposal seeks to strengthen requirements for informed consent but would also exempt certain categories of research from administrative review. The Department will accept public comments on the proposed revisions until December 6, 2015. EPIC previously submitted comments to the Department of Health and Human Services, warning that medical privacy standards for deidentification were "gravely inadequate" and urged support for stronger techniques of deidentification. EPIC routinely comments on privacy issues involved in health data.
  • California Court Strikes Down DNA Collection Law » (Dec. 4, 2014)
    A state appeals court in California has struck down a state law that requires collection of DNA from people arrested on felony charges. The California court ruled that DNA collection by a cheek swab is an unreasonable search and seizure prohibited by the state's constitution. "The California DNA Act intrudes too quickly and too deeply into the privacy interests of arrestees," wrote the court. The appeals court also said that the U.S. Supreme Court's ruling in Maryland v. King, which upheld a similar law in Maryland, did not apply in this case because of significant differences between each state's DNA collection laws. EPIC has participated as amicus in several cases concerning the collection of DNA. In Maryland v. King, EPIC argued that the government collection of DNA opens the door to misuse and threatens personal privacy. For more information, see EPIC: Maryland v. King, EPIC: Maryland v. Raines, EPIC: Kohler v Englade, EPIC: US v. Kincade, EPIC: Herring v. US, EPIC: Comments on TSA Biometric Systems, and EPIC: Genetic Privacy.
  • Senate to Hold Homeland Security Oversight Hearing » (Jun. 10, 2014)
    The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program).
  • Sen. Franken Questions Apple on iPhone Fingerprint Scanning » (Sep. 21, 2013)
    Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers.
  • EPIC FOIA - DHS Facial Recognition System Lacks Privacy Safeguards » (Aug. 22, 2013)
    In response to an EPIC FOIA request, the Department of Homeland Security has produced documents revealing that the agency has failed to establish privacy safeguards for "BOSS" (the Biometric Optical Surveillance System), an elaborate system for facial recognition and individual identification. The documents obtained by EPIC indicate that none of the agency's contracts or statements of work require any data privacy or security protections for BOSS' design, production, or test implementations. The New York Times reported on EPIC's acquisition of these documents, noting also high failure rates for these systems. EPIC is also pursuing a FOIA lawsuit with the FBI over the agency's development of "Next Generation ID," which, when complete, will be the largest biometric identification database program in the world. For more information, see EPIC: Face Recognition, EPIC: EPIC Opposes DHS Biometric Collection, and EPIC - Biometric Identifiers.
  • EPIC Opposes DHS Biometric Collection » (Jun. 21, 2013)
    EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data contained obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers.
  • FBI Performs Massive Virtual Line-up by Searching DMV Photos » (Jun. 17, 2013)
    Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs. The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs. EPIC also obtained the Standard Operating Procedure for the program and a Privacy Threshold Analysis that indicated that a Privacy Impact Assessment must be performed, but it is not clear whether one has been completed. EPIC is currently suing the FBI to learn more about its development of a vast biometric identification database. For more information, see EPIC: Face Recognition and EPIC: Biometric Identifiers.
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database » (Apr. 8, 2013)
    EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition.
  • US to Retain Biometric Database on Iraqis » (Dec. 21, 2011)
    According to Wired, although the war in Iraq is officially over US Central Command will retain a massive database with retinal scans, thumb prints, religious affiliation, as well as other personal data on millions of Iraqis. In 2007, EPIC, Privacy International, and Human Rights Watch sent a letter to then Secretary of Defense Robert Gates to warn that the collection of biometric data in the region poses a direct risk to human rights and could result in genocidal violence. The Defense Science Board also warned that the database could "become a hit list if it gets in the wrong hands." For more information, see EPIC - "Iraqi Biometric Identification System."
  • EPIC, Coalition Seeks Investigation of New FBI ID Program and "Secure Communities" » (Sep. 26, 2011)
    A coalition of civil liberties and civil rights organizations have asked the Inspector General of the Department of Justice to investigate the FBI's Next Generation Identification program, a "billion-dollar initiative to create the world's largest biometric database." The 70 organizations, including EPIC, have also urged an assessment of "Secure Communities," the mismanaged federal deportation effort. Several states, including Illinois, Massachusetts, and New York, have already withdrawn from the DHS program. For more information, see EPIC - "Secure Communitities."
  • FTC Announces Workshop on Facial Recognition Technology » (Sep. 20, 2011)
    The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret data base of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identity political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System.


This case follows the prosecution of an individual based on the discovery of two illegal images that he uploaded via Gmail. These images were automatically flagged by Google’s “product abuse detection system” based on the company’s proprietary hashing technology and automatically relayed to government investigators without human review of a matching image. The defendant has argued that the searches of his e-mail data were unreasonable under the Fourth Amendment. The lower court found that the "private search" doctrine applied and exempted these actions from Fourth Amendment scrutiny. Neither Google nor the Government has produced the underlying algorithm used to scan the images, and the Government has not established that the investigative technique is accurate or reliably identifies only contraband images.


Legal Background

The Fourth Amendment only protects against searches by the government, not private entities. In United States v. Jacobsen, 466 U.S. 109, 131 (1984), the Supreme Court decided that government searches that follow private searches and are within the scope of the private search are reasonable. In Jacobsen, the Court held that the Government’s warrantless inspection and testing of the contents of a package that had been previously searched by FedEx was permissible because “there was a virtual certainty” that the law enforcement officer’s search would not reveal “anything more than he had already been told.”

The question in this case is whether the Government has provided sufficient evidence to establish that there was "virtual certainty" that the files Google sent in a CyberTipline Report to the NCMEC, and were ultimately opened by police, were the same as those a Google employee previously viewed.

Factual Background

Google maintains a prorprietary image matching system that automatically scans files uploaded to Google products, including Gmail, to search for child pornography. The defendant uploaded two images to Google's e-mail system, which flagged the images as "apparent child pornography." Google's system flagged the defedant's images, and then automatically generated and submitted “CyberTip Report # 5778397” to the National Center for Missing and Exploited Children (“NCMEC”) with the following information:

  • the date and time of the incident;
  • the e-mail address associated with the user account that uploaded the file;
  • the IP address associated witht he upload;
  • a list of IP addresses used to access the user account (which can go as far back as the original account registration date);
  • the filename;
  • the "categorization" of the image based on an existing rubric; and
  • copies of te image files(s);

Google was required by law to submit this CyberTipline report once it became aware of apparent child pornography. 18 U.S.C. § 2258A.

When NCMEC received Google's CyberTipline report, NCMEC staff initiated a websearch for the email and IP addresses associated with the report without opening the images sent by Google to confirm that they were contraband. NCMEC identifies information associated with the user’s IP address(es): Country, Region, City, Metro Code, Postal Code, Area Code, Latitude/Longitude, and Internet Service Provider or Organization. NCMEC staff also collect "data gathered from searches on publicly-available, open-source websites" using the account and user identifying informatiomn provided by the CyberTipline report. This information can include social media profiles, websites, addresses, and other personal data.

After NCMEC staff collected this information on defendant, the report was referred to the Kentucky State Police and the Kenton County Police Department for potential investigation. A detective in the KCPD opened the images attached to the Cybertipline report and confirmed they were child pornograpy.

The extent of what is known about Google’s practices in using the hashing technology is described in the declaration of Cathy McGoff, a Senior Manager for Law Enforcment and Information Security at Google:

4. Based on [Google’s] private non-government interests, since 2008, Google has been using its own proprietary hashing technology to tag confirmed child sexual abuse images. Each offending image, after it is viewed by at least one Google employee is given a digital fingerprint (“hash”) that our computers can automatically recognize and is added to our repository of hashes of apparent child pornography as defined in 18 USC § 2256. Comparing these hashes to hashes of content uploaded to our services allows us to identify duplicate images of apparent child pornography to prevent them from continuing to circulate on our products.

5. We also rely on users who flag suspicious content they encounter so we can review it and help expand our database of illegal images. No hash is added to our respository without a corresponding image first having been visually confirmed by a Google employee to be apparent child pornography.

6. Google trains a team of employees on the legal obligation to report apparent child pornography. The team is trained by counsel on the federal statutory definition of child pornography and how to recognize it on our products and services. Google makes reports in accordance with that training.

7. When Google’s product abuse detection system encounters a hash that matches a hash of a known child sexual abuse image, in some cases Google automatically reports the user to NCMEC without re-reviewing the image. In other cases, Google undertakes a manual, human review, to confirm that the image contains apparent child pornography before reporting it to NCMEC.

While Google describes its algorithm as assigning each image in its repository a "digital fingerprint," there is no information provided on the type of hash function Google uses to assign this "digital fingerprint." This is important becasue file hashing functions work differently than image hashing functions. File hashing functions create a unique hash value for a file, and changing one bit of data will change the hash value of the file. File hashing is a method of demonstrating that two files are the same, bit-for-bit, without comparing each bit to the corresponding bit of the other file, which is very time and resource consuming. In contrast, image hashing algorithms provide a way to match images even if they have been altered slightly, but also enable by design the matching of files that do not have the same file-hash values.

Procedural History

Detective Aaron Schihil of the Kenton County Police Department received the information from NCMEC and “opened the attachments viewed the relevant images, which he confirmed to be child pornography.” After confirming they were child pornography, Detective Schihil obtained a search warrant for several categories of data held by Google and associated with the Defendant’s account. Detective Schihil later obtained a search warrant for the Defendant’s residence and a separate search warrant for various electronic devices seized at the Defendant’s residence.

The Defendant was charged in the U.S. District Court for the Eastern District of Kentucky and subsequently filed a motion to suppress the evidence obtained by Detective Schhil. He argued that Google's search was that of a government actor in this case and that it was therefore an unreasonable warrantless search under the Fourth Amendment, or in the alternative that the Detective's search exceeded the scope of Google's private search. The district court disagreed. In denying the motion to supress, the district court found that Google's search was a private search and that the police did not exceed the scope of the private search because there was a "virtual certainty" that a Google employee had previously viewed the images before the police did so. The district court relied upon Google's representation that its algorithm assigns each image in its database a "digital fingerprint" that is "uniquely associated with the input data." Defendant was subsequently convicted on several counts and appealed to the U.S. Court of Appeals for the Sixth Circuit.

EPIC's Interest

EPIC seeks to ensure that Fourth Amendment protections keep pace with advances in technology. For instance, EPIC filed an amicus brief before the Supreme Court in Carpenter v. United States arguing that the technological changes justified broader Fourth Amendment protections. The Court declined to extend the “third party doctrine” to permit the warrantless collection of cell site location information. Here, EPIC has an interest in ensuring that the Government does not conduct warrantless searches based on proprietary and potentially unreliable algorithmic search techniques.

This case also implicates questions about the standard of proof required to demonstrate the validity of a new investigative technique, an issue EPIC has advised the courts on previously. EPIC advised the Supreme Court about this issue as amicus curiae in Florida v. Harris, arguing that the government should bear the burden of establishing the reliability of investigative techniques in criminal cases.

EPIC has promoted algorithmic transparency for many years. EPIC has also litigated several cases where algorithms used to make decisions that impact individuals were withheld from the public.

Legal Documents

U.S. Court of Appeals for the Sixth Circuit, No. 18-5578

U.S. District Court for the Eastern District of Kentucky, No. 16-047



Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.