Attorney General v. Facebook

Whether the Attorney General can obtain from Facebook factual information derived from the company's investigation of third parties that improperly accessed user data.
  • EPIC to Massachusetts Supreme Court: Facebook Needs to Disclose Apps that Violated User Privacy: EPIC has filed an amicus brief in Massachusetts Attorney General v. Facebook urging the Massachusetts Supreme Judicial Court to require Facebook to disclose information about third-party apps that violated user privacy protections. The Attorney General requested the information as part of an investigation into the 2018 Cambridge Analytica scandal. EPIC wrote that Facebook has been obligated to collect information about user privacy abuses for more than a decade but failed to do so in this case until threatened with litigation. As a consequence, EPIC argued, if the company is allowed to keep this information secret, "Facebook will continue to evade accountability and the harmful effects of Facebook's business practices could go undetected." EPIC argued that Facebook has had a long pattern of secrecy, and that Facebook now "knows a shocking amount about each of its users, but its users know shockingly little about Facebook." EPIC has long sought accountability for Facebook's broken privacy promises. EPIC filed the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, subsequently filed several complaints alleging violations of the Order, urged the FTC to investigate the Cambridge Analytica incident, and moved to intervene in and filed an amicus brief challenging the FTC's 2019 settlement with Facebook. (Nov. 16, 2020)
  • EPIC, Coalition Urge States to Investigate Pharmacies Over Handling of Vaccine Recipients' Personal Data » (Apr. 2, 2021)
    EPIC and a coalition of civil society groups urged officials in five states today to investigate major pharmacy chains over their collection and use of personal data from patients receiving COVID-19 vaccines. The federal government has partnered with retail pharmacies to expand vaccine distribution, including CVS, Walgreens, Walmart, and Kroger. But as the coalition letter explains, some pharmacies "are requiring patients seeking access to the vaccine to register through their existing customer portals, which in turn exposes patients to broad personal data collection and marketing." According to a recent report, CVS executives "plan to stay in touch with vaccine recipients beyond receiving their second shot and use information gleaned in the process to better market to them." The coalition urged state consumer protection authorities in California, Illinois, Massachusetts, New York, and the District of Columbia to conduct investigations, to prohibit the use of vaccine registrant data for commercial purposes, and to require pharmacies to separate vaccine registrant information from their general customer data. "Patients should not have to trade unrestricted use of their sensitive personal information for a life-saving vaccine," the letter argues. "We believe these practices are unfair and deceptive and should be halted immediately." The coalition called on state officials "to remove barriers to access the vaccine and promote an equitable vaccine distribution process by protecting the personal data of vaccine recipients."
  • Massachusetts Supreme Court Rules Facebook Cannot Shield All Information on Apps that Violated User Privacy » (Mar. 24, 2021)
    The Massachusetts Supreme Judicial Court ruled today that Facebook could be required to disclose to the Attorney General certain factual information about privacy-abusive apps discovered during the company's investigation into the Cambridge Analytica scandal. Facebook had claimed that all information it collected was protected by attorney-client and attorney work product privileges because the company's investigation was led by attorneys in anticipation of litigation. The Massachusetts high court disagreed that the attorney-client privilege applied to all of the records, and remanded to the trial court to determine if the records contain factual work product that must be turned over to the Attorney General. EPIC filed an amicus brief in the case urging the court to "reject Facebook's attempt to use litigation threats as an excuse to prevent the facts of its breach of user trust from coming to light." EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.
  • FTC Commissioner Wilson Signals Openness to Data Privacy Rulemaking » (Feb. 12, 2021)
    Christine Wilson, one of four current members of the Federal Trade Commission, said Friday that she is open to using the FTC's rulemaking authority to regulate data privacy. "I would hope that Congress will act, but if Congress doesn't act, maybe we do spend that time," Politico quoted Commissioner Wilson as saying during a Silicon Flatirons event. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained. Acting FTC Chair Rebecca Kelly Slaughter and Commissioner Rohit Chopra have previously signaled their support for using the FTC's rulemaking authority to address consumer privacy issues.
  • HireVue, Facing FTC Complaint From EPIC, Halts Use of Facial Recognition » (Jan. 12, 2021)
    HireVue, a major vendor of AI-based hiring tools, announced today that it will stop relying on "facial analysis" to assess job candidates. The move comes a year after EPIC filed a Federal Trade Commission complaint targeting HireVue's use of opaque algorithms and facial recognition. EPIC argued that HireVue's AI tools—which the company claimed could measure the "cognitive ability," "psychological traits," "emotional intelligence," and "social aptitudes" of job candidates—were unproven, invasive, and prone to bias. EPIC also highlighted HireVue's deceptive claim that it did not use facial recognition in its assessments. In announcing the change, HireVue acknowledged the public outcry over its use of facial analysis and said the technology "wasn't worth the concern." However, HireVue will continue to analyze biometric data from job applicants including speech, intonation, and behavior—all of which present similar privacy and discrimination risks. EPIC advocates for a moratorium on facial recognition and recently filed a complaint with the D.C. Attorney General explaining how online test proctoring companies use opaque, unreliable AI tools to monitor students.
  • FTC Settlement Over Tenant Screening Algorithm Lacks Safeguards, Redress for Victims » (Dec. 8, 2020)
    The Federal Trade Commission has reached a settlement with AppFolio which requires the company to fix its faulty and unlawful tenant screening algorithm—but which fails to compensate victims and lacks adequate safeguards to ensure AppFolio’s compliance. AppFolio included inaccurate information in tenant background reports in violation of the Fair Credit Reporting Act, which “directly resulted in qualified tenants being turned away from potential homes.” The settlement requires AppFolio to pay a $4.25 million fine, comply with FCRA in the future, and submit regular compliance paperwork to the FTC. But Commissioner Rohit Chopra dissented, arguing that the Commission should provide victims redress, impose stronger accountability measures, and refer the case to the Justice Department over possible housing discrimination. “Sloppy, inaccurate credit reporting practices are not mild inconveniences for American families,” Chopra wrote. “They can be deeply harmful, reinforcing discrimination and foreclosing opportunities for individuals to seek a better home, job, and life.” In February 2020, EPIC filed a complaint against Airbnb asking the FTC to investigate whether the company’s customer screening algorithm violates the Fair Credit Reporting Act.
  • Appeals Court Affirms Consumer Rights to Facebook Suit, But Upholds Ineffective Settlement » (Mar. 3, 2020)
    The Ninth Circuit decided today that consumers could bring a case against Facebook for scanning private messages, but upheld a settlement that produced only a minor change in Facebook's business practices. In Campbell v. Facebook, the appeals court found that consumers "sued to protect concrete interests" because wiretap laws "codify a context-specific extension of the substantive right to privacy." EPIC filed an amicus brief in the case, arguing that the settlement "does not prevent Facebook from resuming the practices" consumers sued to stop. EPIC explained that the settlement only requires Facebook to post a "vague notice" that is "not the basis for consent" under applicable wiretap laws. EPIC routinely files amicus briefs in cases concerning consumer privacy and standing.
  • EPIC Comments on California Privacy Law » (Feb. 25, 2020)
    In comments on proposed revisions to the California Consumer Privacy Act, EPIC backed changes to strengthen consumer protections. EPIC expressed support for the work of the California Attorney General on the CCPA and provided the recommendations to "further safeguard the privacy of California consumers." EPIC's comments follow EPIC's campaign to educate Californians about the CCPA and EPIC's recent report on federal privacy legislation, Grading on a Curve. EPIC has endorsed H.R. 4978, the Online Privacy Act (Eshoo/Lofgren), and S. 3300, The Data Protection Act (Gillibrand).
  • New Year Begins with California Consumer Privacy Law » (Jan. 2, 2020)
    The New Year begins with the California Consumer Privacy Act. All Californians now have the right to find out the personal data that companies collect about them, their devices, and their children, the right to opt-out of the sale of personal data, and the right to sue companies for data breaches. Californians can also request that a business delete their personal information. In comments to the California Attorney General, EPIC urged strong enforcement of the privacy law. EPIC's Mary Stone Ross, a coauthor of the law, spoke recently on NPR's All Things Considered about the new law. The complete text of the California Consumer Privacy Act is available in the EPIC 2020 Privacy Law Sourcebook.
  • EPIC Files Complaint with FTC about Zoom » (Jul. 11, 2019)
    Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 m fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.")
  • EPIC to Lobby for US Privacy Agency » (Jun. 21, 2019)
    In a statement released today, EPIC's Marc Rotenberg said the privacy organization would lobby for the creation of a data protection agency in the United States. Criticizing the failure of the FTC to enforce the consent order against Facebook, Rotenberg said "the Commission has turned its back on the American public...Instead of going after the dominant tech firms that pose the greatest threats to privacy and competition, the FTC has chosen instead to go after small businesses." EPIC's President explained that EPIC had not previously lobbied Congress, but would do so now: "we have decided that EPIC can no longer stand on the sidelines." The statement concluded, "A data protection agency is the cornerstone of effective privacy protection. Data protection agencies act as ombudsmen for the public. They encourage innovation and good business practices. They identify emerging privacy challenges and pursue solutions. They take enforcement action when necessary and they impose penalties that are meaningful. Virtually every democratic country has created a privacy agency. But the United States has not. As a consequence, data breach and identity theft continue to rise in the United States. The pace of mergers is accelerating and the rate of innovation is slowing."
  • EPIC Tells Senate Consumer Safety Commission Responsible for IoT Safety » (Jun. 19, 2019)
    In advance of an oversight hearing for the Consumer Product Safety Commission, EPIC wrote to the Senate Commerce Committee to say that the CPSC must do more to protect consumers and ensure security of IoT devices. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the Senate committee that "CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream." In 2017, EPIC and other consumer privacy groups petitioned the CPSC to recall Google Home Mini after it became known that a defect in the product set record to always on. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices.
  • With Complaints Against Facebook Piling Up, FTC Goes After Small Businesses » (Jun. 14, 2019)
    The FTC today announced a minor settlement with a company called SecurTest over its claims concerning the EU-U.S. Privacy Shield program. The Commission also sent letters to 13 small companies for falsely claiming participation in various privacy programs. The FTC issued no fines and took no further action. The proposed consent agreement is subject to public comment after publication in the Federal Register. The announcement comes more than a year after the Commission said it would reopen the investigation of Facebook, following the Cambridge Analytica scandal. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook.
  • Supreme Court Won’t Disturb Data Breach Decision » (Mar. 25, 2019)
    The Supreme Court today declined to review, v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges.
  • House Committee Report: "Additional Federal Authority Could Enhance Consumer Protection" » (Feb. 13, 2019)
    In advance of a hearing on consumer privacy, the House Energy & Commerce Committee released a GAO report calling for federal legislation to "enhance consumer protections." The announcement follows the scheduling of a Senate Commerce hearing the same week. The report highlighted the Fair Information Practices (FIPs) as a framework for federal privacy law, an approach long supported by EPIC. The GAO report further noted that the FTC has failed to use its existing authorities to regulate privacy. EPIC has advocated for the establishment of a federal data protection agency to ensure strong consumer privacy rights.
  • Facebook Gave Personal Data to Third Parties Without Consent in Violation of FTC Consent Order » (Dec. 20, 2018)
    A New York Times investigation revealed that Facebook had deals with companies giving them access to personal data without meaningful user consent. These companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex. The deals Facebook made gave companies broad access to user data, including the ability to read users’ private messages and access friend lists. EPIC and several consumer privacy organizations helped establish the 2011 consent order against Facebook, following a public campaign, and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition.
  • EPIC Urges Senate to Include Consumer Privacy Advocates in Hearings on Consumer Privacy » (Sep. 24, 2018)
    In advance of a hearing on "Examining Safeguards for Consumer Data Privacy," EPIC has sent a brief statement to the Senate Commerce Committee, expressing "deep concern that not a single consumer group was invited to testify at this week's hearing." The Senate Commerce hearing follows an FTC hearing on consumer privacy that also excluded experts on consumer privacy. Last week, EPIC joined a coalition of 28 consumer privacy groups in a letter to Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in the hearing. The Committee is currently scheduled to hear from AT&T, Amazon, Google, Twitter, Apple and Charter Communications. EPIC President Marc Rotenberg and consumer advocate Ralph Nader recently wrote "the voices of these consumer advocates should be heard. It is not too late to start a meaningful dialogue on the future of privacy in America."
  • EPIC, Consumer Groups Advise FTC on Competition and Privacy » (Aug. 20, 2018)
    EPIC, the Center for Digital Democracy, the Consumer Federation of America, and US PIRG submitted comments to the FTC in advance of hearings on "Competition and Consumer Protection in the 21st Century." The consumer groups said that privacy protection is critical for competition and innovation. The groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units into independent companies; 3) block all future acquisitions by Facebook and Google that would enable the companies to increase their monopoly over consumer data; 4) impose privacy safeguards for all future mergers that implicate data privacy concerns; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in the 1995 hearings which led to the FTC's work on consumer privacy.
  • California Passes Milestone Privacy Law » (Jun. 28, 2018)
    The State of California has enacted the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16. The Consumer Privacy Act provides for enforcement by the Attorney General, a private right of action, and will establish a Consumer Privacy Fund to support the purposes of the Act. The California Consumer Privacy Act of 2018 follows a California ballot initiative that gathered over 600,000 signatures. After the Equifax data breach, EPIC testified in the U.S. Senate that comprehensive privacy legislation was long overdue. The EPIC State Policy Project also provides expertise to the states to help shape strong privacy laws.
  • FTC Launches New Inquiry on "Competition and Consumer Protection in the 21st Century" » (Jun. 20, 2018)
    FTC Chairman Joe Simons announced today that the FTC will hold a series of public hearings this fall on how to safeguard consumer protection and competition in light of economic and technological developments. "The hearings may identify areas for enforcement and policy guidance, including improvements to the agency's investigation and law enforcement processes, as well as areas that warrant additional study," said the FTC. The hearings will focus on several topics, including "the intersection between privacy, big data, and competition" and "the use of algorithmic decision tools, artificial intelligence, and predictive analytics." The FTC is requesting public comment in advance of the hearings. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in those hearings and helped the FTC develop authority to address emerging privacy issues. More recently, EPIC has put forward "10 Recommendations" for how the FTC can protect consumers, promote competition, and encourage innovation.
  • Amazon Echo Secretly Recorded And Disclosed User's Private Conversation » (May. 24, 2018)
    "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously recorded users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.
  • EPIC Joins Coalition Urging CFPB To Maintain Public Database of Consumer Complaints » (May. 3, 2018)
    EPIC and a coalition of consumer organizations have sent a letter to Mick Mulvaney urging the Acting Director not to ban public access to the CFPB consumer complaint database. "The public complaint database is a tool that empowers individuals to inform and protect themselves in the marketplace," the groups stated. In recent remarks at a banking industry conference, Mulvaney said that he is considering closing off access to the database. The database has helped expose wrongdoing by numerous financial institutions, including failures by Equifax following its data breach, as detailed in a report just released by three Senators. EPIC has called on the CFPB to more vigorously pursue its investigation of Equifax, and has filed a Freedom of Information Act request to obtain communications about that investigation.
  • EPIC Advises Safety Commission on Dangers of IoT » (May. 2, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues.
  • Senators Release Report On Consumer Complaints Following Equifax Breach » (May. 1, 2018)
    Senators Warren (D-MA), Schatz (D-HI) and Menendez (D-NJ) have published a report examining thousands of consumer complaints filed with the Consumer Financial Protection Bureau after Equifax's massive data breach last fall. The report, entitled "Breach of Trust," reveals the extent of Equifax's failure to address significant harms consumers faced as a result of the breach. The Senators sent their report along with a letter to the CFPB demanding the agency hold Equifax accountable. Despite the massive number of complaints, the CFPB has yet to announce any action against Equifax eight months after the breach. The Senators also admonished Director Mulvaney for his recent suggestion that he would end public access to the CFPB's complaint database. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax. A February Reuters story indicated that the CFPB had halted its investigation into Equifax, but Mulvaney since confirmed that an investigation is still ongoing. EPIC submitted a Freedom of Information Act request to obtain information about the CFPB's Equifax investigation.
  • Safety Commission Responds to EPIC's Google Home Mini Complaint » (Apr. 2, 2018)
    The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers.
  • EPIC Urges FTC to Strengthen PayPal/Venmo Settlement » (Mar. 29, 2018)
    In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC complaint found that Venmo made misrepresentations about privacy and security practices. EPIC recommended that the FTC require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices. The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a “reasoned response” if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat.
  • EPIC, Coalition Call On Facebook to Stop Electioneering » (Mar. 28, 2018)
    EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last week, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity.
  • House Bill Would Create Commission on AI » (Mar. 22, 2018)
    Congresswoman Elise Stefanik (R-NY) has introduced a bill (H.R. 5356) that would create the National Security Commission on Artificial Intelligence (AI). Congresswoman Stefanik said, “It is critical to our national security but also to the development of our broader economy that the United States becomes the global leader in further developing this cutting edge technology.” The Commission would conduct a comprehensive review of AI technologies, assess the risks to national security, identify actionable items, and provide recommendations to the President and Congress. The Commission’s recommendations would also address: data and privacy, international law and ethics, competitiveness, technological advantages, cooperation and competition, investments and research, and workforce and education. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the use of opaque techniques in automated decision-making.
  • FTC Report - ID Theft Complaints Rank High » (Mar. 1, 2018)
    Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation.
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees » (Feb. 13, 2018)
    In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google.
  • Data Breaches on the Rise » (Jan. 25, 2018)
    2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S.
  • EPIC Warns Congress of Risks of "Internet of Things" » (Jan. 18, 2018)
    In advance of a hearing on the Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."
  • Senators Warren and Warner Introduce Bill To Hold Credit Reporting Agencies Accountable » (Jan. 10, 2018)
    Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC testified before Congress last year following the Equifax breach, urging legislation to give consumers more control over their credit reports. Senators Warren and Brian Schatz (D-HI) also introduced a bill last year that would allow consumers to freeze and unfreeze their credit reports for free.
  • EPIC Urges Congress to Focus on Consumer Privacy and Data Security in Antitrust Hearing » (Dec. 12, 2017)
    In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high-profile mergers. In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp.
  • EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan » (Dec. 5, 2017)
    EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy."
  • EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing' » (Nov. 29, 2017)
    The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.
  • Consumer Groups Ask Safety Commission to Recall Google Home » (Oct. 13, 2017)
    EPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves.
  • Privacy Officials from Around the World Adopt Resolutions on Connected Vehicles, Collaboration, and Enforcement » (Sep. 28, 2017)
    The International Conference of Data Protection and Privacy Commissioners, meeting in Hong Kong, has adopted three resolutions on emerging privacy issues. The resolution on Data Protection in Automated and Connected Vehicles urges all parties to "fully respect the users' rights to the protection of their personal data and privacy." The resolution on Collaboration between Data Protection and Consumer Protection Authorities calls for joint efforts at the international level to "protect citizens and consumers in the digital economy." And the resolution on "Future Options for International Enforcement" builds on the OECD Recommendations for Cross-Border Cooperation. EPIC and other NGOs convened a Public Voice event in Hong Kong to promote a dialogue on emerging privacy issues with data protection officials and seek progress on the Madrid Privacy Declaration.
  • 143 Million US Consumers Suffer Massive Data Breach, Equifax at Fault » (Sep. 8, 2017)

    In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, driver's license information, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach, "represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up to help consumers. But last year EPIC created to promote the adoption of stronger privacy safeguards in the U.S.


The Massachusetts Attorney General opened an investigation into consumer privacy abuses following the Cambridge Analytica scandal. The AG sought information about the identities of developers and applications which Facebook found had impermissibly accessed user data, along with Facebook's internal communications about them. Facebook challenged this request, claiming that the information was privileged because it was prepared in anticipation of the extensive litigation Facebook now faces. After a trial court ordered Facebook to hand over the requested information, Facebook directly appealed to the Supreme Judicial Court of Massachusetts.


Factual Background

The Facebook Platform allows third-party app developers to promote and offer apps that are integrated with Facebook. The system provides the developers with access to a variety of users' personal information.

In 2009, EPIC and others urged the FTC to investigate Facebook's Platform and the extent to which third parties could access granular user information without users' knowledge or consent. After investigating the company for several years, the FTC entered into a consent order with Facebook that required the company to implement detection and enforcement programs which would regularly monitor and investigate apps and developers that potentially violated user privacy policies. The FTC also required Facebook to limit the amount of user data parties on the Platform could access.

In 2014, a single Facebook Platform app developer was able to access and extract the personal information of 87 million users without their knowledge or consent and then provided that data to Cambridge Analytica for use in political ad campaigns. Neither the FTC nor the independent auditor tasked with assessing Facebook's privacy program under the 2012 Consent Order detected the failure in Facebook's monitoring system.

When news broke of the Cambridge Analytica incident in March 2018, Facebook announced an investigation into other apps and developers who may have used the Platform in a similar way to extract personal information.

In 2018, Massachusetts AG Maura Healey announced that her office would investigate Facebook. The investigation seeks in part to identify app developers who may have violated the state's Consumer Protection Act. The AG has demanded information from Facebook's investigation of other third party apps. Facebook refused to provide the requested information.

Procedural History

In 2019, the AG filed a petition with the trial court to compel Facebook to comply with the demand for information on apps and developers identified by Facebook's investigation and related internal communications. In response to the petition, Facebook argued that all of the requested information was protected by attorney-client privilege because it was gathered by the company in the course of an internal investigation designed and managed by Facebook's lawyers. The trial court rejected Facebook's argument and ordered Facebook to provide the requested information. Facebook then applied for direct review to the Supreme Judicial Court. The Court granted review in May 2020.

A central issue on appeal is whether the information the AG seeks contains protected or privileged client-attorney communications. Facebook argues that it does, since the information only exists because Facebook chose to investigate the Platform after the company faced a wave of litigation in early 2018. EPIC argues in an amicus brief that Facebook was obligated to proactively monitor for the very information at issue in the case, and that the company's failure to do so until there was a threat of litigation should not justify secrecy.

EPIC's Interest

EPIC has consistently urged the FTC to investigate and regulate Facebook's data practices, especially sharing users' personal information without their knowledge or consent. In 2009, EPIC and others focused the FTC's attention on this particular issue in a complaint highlighting the vast amounts of personal information available to third parties through the Platform. EPIC was directly involved in the Cambridge Analytica investigations, urging the FTC to investigate the company's data sharing practices. EPIC more recently moved to intervene in the FTC's 2020 settlement with Facebook and filed an amicus brief arguing that the deal would not require Facebook to change its practices in any meaningful way. EPIC gathered thousands of complaints filed by users with the FTC regarding Facebook's data sharing practices in the years between the 2012 Order and the 2020 settlement. EPIC also uncovered communications between the FTC and Facebook that demonstrated the FTC's reluctance to effectively enforce the requirements of the 2012 Order, which may have prevented the Cambridge Analytica incident altogether.

Legal Documents

Massachusetts Supreme Judicial Court (No. SJC-12946)


EPIC Resources
