Comments of EPIC in re the Federal Trade Commission’s Proposed Order & Settlement with Global Tel*Link

December 21, 2023

Chair Lina M. Khan
Commissioner Rebecca Kelly Slaughter

Commissioner Alvaro Bedoya
Federal Trade Commission
600 Pennsylvania Avenue, NW

Washington, DC 20580

Re: Global Tel*Link, FTC File No. 212-3012

Dear Chair Khan and Commissioners Slaughter and Bedoya,

By notice published November 21, 2023, the Federal Trade Commission (FTC) announced its proposed consent order and settlement with Global Tel*Link Corporation (GTL) arising from GTL’s alleged violations of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibiting unfair or deceptive acts or practices.[1] The proposed consent order is the result of the FTC’s six count complaint alleging that GTL failed to employ sufficient data security practices, leading to a severe data breach; failed to notify consumers impacted by the breach; misrepresented the results of the breach by claiming that consumers’ sensitive personal information was not exposed; and misrepresented the adequacy of the company’s data security practices, the company’s notice provisions, and the company’s history of data breaches.[2]

The Electronic Privacy Information Center (EPIC) submits this letter in support of the proposed consent order and to highlight GTL’s egregious conduct harming already exploited and vulnerable populations. EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights.[3] EPIC also takes a special interest in ensuring privacy for prisoners, their families, and their lawyers.[4]

First, EPIC commends the Commission for using its Section 5 authority to investigate and take enforcement action against prison telecommunications companies like GTL that routinely engage in unfair and deceptive practices while benefitting from state-sponsored effective monopolies.[5] In particular, EPIC commends the commission for finding in Counts I and II that both the underlying breach and subsequent failures to notify consumers are unfair acts or practices.[6] The complaint further finds in Counts III–VI that GTL’s marketing practices and claims made about its data security practices were deceptive to both individual consumers and to jail and prison facilities that contract with the company for services.[7] The proposed consent order requires GTL to (1) implement a detailed information security program including mandated limits on data retention; (2) & (3) obtain and cooperate fully with an independent security assessments every two years; (4) annually certify compliance to the FTC; (5) provide impacted consumers with two years of credit monitoring services that includes $1 million in identity theft insurance; (6) notify affected consumers within 30 days in the event of any future data breach; (7) report any future data breach to the FTC; (8) refrain from making misrepresentations about GTL’s security and privacy practices; (9) post notice to consumers affected by the breach on GTL’s website and app and send notices directly to affected consumers; and (10) notify jail and prison facilities.[8]

Several aspects of the proposed consent order are particularly noteworthy as uses of the Commission’s Section 5 authority. The Commission’s mandated information security policies are comprehensive and require both technical controls like multi-factor identification and structural improvements such as designating and employee the head of the information security program.[9] The proposed consent order also continues the Commission’s laudable pattern of imposing data retention limits—in this case, a limit of two years after the last use of the data for a consumer purpose unless the information is “necessary for business operations or for other legitimate business purposes.”[10] However, the Commission should be careful to ensure that GTL’s affiliated data brokering businesses do not become a loophole that swallows the data retention rule.[11] The proposed consent order requires biennial third party auditing for information security practices, with the results to be reported to the Commission.[12] Independent auditing is a key feature to ensure that GTL is actually complying with the technical requirements of Section I. And the proposed consent order requires GTL to provide credit monitoring services to affected consumers for two years, with outreach targeted to inmates through GTL’s systems and notice by mail.[13] EPIC applauds the Commission for targeting relief towards the specific consumers impacted when they are in particularly hard to reach positions, though as we note below, the proposed measures may not be sufficient to ensure that inmates and particularly marginalized communities can take advantage of the credit monitoring on offer. The Commission is taking an important step to rein in bad practices in the industry by identifying areas where telecoms providers harm both consumers and facilities. EPIC urges the Commission to continue to subject prison telecommunications providers to such comprehensive scrutiny.

Second, EPIC encourages the FTC to work with the Federal Communications Commission (FCC) to rein in harmful practices from the prison telecommunications industry. The FCC has regulatory authority over companies like GTL as telecommunications providers, while the FTC has authority to protect consumers from unfair and deceptive practices. These overlapping, non-exclusive authorities can work synergistically when both agencies lay out strong protections for prison telecoms customers and aggressively enforce those protections. Cybersecurity is an excellent example. The FCC promulgates cybersecurity rules for telecommunications providers to promote consumer privacy, system integrity, public safety, national security, and trust in the marketplace. Most recently the agency laid out new rules detailing how telecoms should protect consumer data and updated requirements for informing consumers when their information has been disclosed in a data breach.[14] Such rules for telecommunications providers allow the FCC to monitor for dangerous and insufficient cybersecurity practices upfront and can serve as part of the basis for an FTC enforcement action in the aftermath of a data breach if companies misrepresent their compliance with FCC rules. The 2015 Consumer Protection Memorandum of Understanding between the two agencies contemplates such cooperation explicitly in the context of privacy and other consumer protections.[15] The use of artificial intelligence and keyword databases are also examples of potentially harmful business practices at the intersection of FTC and FCC authority.[16] So too is charging inmates and their families for their own surveillance,[17] especially when that data is subsequently sold to third parties as a service.[18] EPIC urges the FTC to work with the FCC to rein in the litany of harmful data practices in the prison telecommunications industry and reduce costs for consumers forced to use companies like GTL to communicate with their loved ones.

Third, EPIC writes here to emphasize the gravity of the harm GTL inflicted in causing and failing to immediately mitigate a data breach of extraordinarily sensitive personal data from some of the most marginalized groups in the U.S. GTL operates prison phone and e-messaging services for jails, prisons, and immigration detention facilities, covering as much as 85% of people incarcerated in the U.S.[19] GTL holds intimate information on roughly 1.9 million currently or formerly incarcerated persons and over 13 million people on the outside.[20] Racialized policing and over-incarceration of marginalized groups in the U.S. have provided GTL with a population of consumers that are disproportionately poor, disproportionally Black and Hispanic, and highly likely to be particularly vulnerable immigrants.[21] GTL holds onto sensitive information including full names, contact information, social security numbers, driver’s license and passport numbers, location data, voice calls, emails, credit card numbers, and details of financial accounts.[22] In short, GTL holds all the information a person seeking to commit identity theft or credit card fraud could possibly want. The same data would be of particular use to a stalker or a criminal looking to implicate a currently incarcerated person in a crime as a distraction for investigators.

The company was demonstrably negligent in using real data to test a new system, uploading the data to a completely unsecured cloud environment, and then failing to notify consumers after the breach occurred and personal data appeared on the dark web.[23] While exposing sensitive information would be harmful to any person, the demographic groups that make up the majority of GTL’s consumers are more vulnerable than average. GTL’s captive consumer base—jail and prison inmates—is uniquely vulnerable to identity theft. Inmates have been targeted for identity theft because they are less likely to check their credit, may not have credit history, and are unlikely or unable to lock their credit and pursue claims.[24] Inmates are already subject to identity theft by corrections officials and frequently targeted by people on the outside.[25] People with household incomes below $50,000 make up roughly 30 percent of all victims of identity theft and make particularly attractive targets because they may lack the time or resources to aggressively pursue an identity theft claim.[26] Immigrants are also particularly vulnerable to identity theft as many may not actively monitor their credit or may fear that reporting identity theft risks triggering deportation proceedings.[27] In one illustrative case, an Immigrations and Customs Enforcement (ICE) lawyer used a database containing very similar information to GTL’s database to steal immigrants identities and take out credit cards in their names.[28] GTL exacerbated all of these harms by exposing more than 650,000 people’s sensitive personal information and failed comprehensively in the aftermath of the data breach to contact affected individuals or mitigate the damage.

Fourth, EPIC urges the FTC to carefully tailor remedies to the uniquely vulnerable populations involved in this data breach and to recognize that these populations are exposed to acute harms from data breaches that cannot be remedied with credit monitoring alone. As described above, EPIC commends the Commission for its requirement that GTL act in concert with a credit monitoring product to provide consumers credit monitoring services. However, we are concerned that the poor state of prison telecommunications—a state which GTL and other providers are largely responsible for—and the marginalization of populations involved will limit the benefits of the prescribed credit monitoring. EPIC urges the FTC to continue to refine the remedies in settlements with prison services companies to ensure that such agreements provide meaningful relief for inmates. In 2021, the Commission highlighted a study by the Karlsruhe Institute of Technology, University of Michigan, and the George Washington University which found that “[r]egulators should also set and frequently revisit requirements for the types of services breached organizations must offer as compensation.”[29] While credit monitoring has been a default remedy for data breaches in normal consumer contexts, we urge the Commission to consider how other remedies might be more relevant in this context—for example, a requirement that GTL (and similarly situated companies) assist in interpreting credit reports and resolving any inaccuracies for impacted incarcerated persons and their families.[30]

Although the FTC has prescribed methods to provide incarcerated individuals with access to credit monitoring, those methods will likely not be enough for individuals to actively monitor their credit from inside jail, prison, or immigration detention. Few inmates have the type of unrestricted internet access that would allow for regular credits checks online, and that lack of connectivity makes them vulnerable to scams and identity theft both in prison and once they are released.[31] While credit reporting bureaus do offer credit monitoring by mail or phone, these options may be of limited use to inmates. Mail correspondence in prison can be dangerously slow, and inmates’ mail is often withheld for no reason at all.[32] Meanwhile the shift to tablet-based phone systems in many jails and prisons has made already-costly prison phone calls less reliable, with more dropped calls and difficulty hearing speakers in crowed prison recreation rooms where tables are often installed.[33] Taken together, the structural challenges imposed by the prison system and prison telecommunications providers may stymie the remedies in the GTL settlement without careful implementation and aggressive enforcement. In particular, the Commission should consider mandating a longer enrollment period than the current 90 days required by section V(F) of the proposed consent order to ensure that slow communications do not hamper inmates’ efforts to obtain credit monitoring and other relief.

The strongest provision of the proposed consent order, Section V(E), would require GTL to work with the credit monitoring service to facilitate communication with inmates through GTL’s services and to “make reasonable efforts to ensure that calls and mail between Third Party and Affected Consumers are free of charge.”[34] Inmates have extremely limited time, and limited funds, to communicate with people on the outside. The Commission should ensure that inmates do not have to sacrifice phone calls or emails with their friends and family to obtain credit monitoring services. The Commission should specify that GTL can comply with Section V(E) by (1) not charging for calls or emails going out to the credit monitoring agency for the duration of the service (two years plus the enrollment period); (2) putting money directly in inmates’ accounts to compensate for instances where the free calls scheme does not work (e.g., where an inmate is instructed to call a customer service provider back on a dedicated line that isn’t flagged for free calls in GTL’s system); and (3) providing funds both for affected consumers in facilities that do not use GTL’s services. We re-iterate that the Commission should also require GTL (and similarly situated companies) to assist in interpreting credit reports and resolving any inaccuracies for impacted incarcerated persons and their families.

Immigrants comprise a second population that the Commission’s proposed remedies may not effectively reach. Roughly 5 percent of people incarcerated in state and federal jails and prisons are non-citizens, held for both immigration offenses on contracts with ICE to provide bed space and for violations of criminal law.[35] An equal or higher percentage of inmates’ families and friends are likely immigrants as well, with potentially limited fluency in English and distrust for financial services that often appear indistinguishable from scams targeting immigrants. The Commission should ensure that GTL provides services in multiple languages to match the proposed consent order’s requirement that notice and disclosures be provided in multiple languages as appropriate.[36]

None of this is to doubt that that providing credit monitoring for incarcerated persons and marginalized communities is a valuable remedy. EPIC urges the FTC to continue tailoring settlement relief to marginalized populations and to aggressively enforce GTL’s compliance with the consent order, particularly the provisions that provide concrete benefits to affected consumers.

EPIC urges the Commission to finalize the proposed GTL consent order and to aggressively enforce the order, as GTL’s conduct indicates that the company is unlikely to sufficiently protect affected consumers absent strict oversight. EPIC commends the Commission’s investigation of GTL and urges the Commission to continue building on its Section 5 authority in privacy, data security, and the protection of incarcerated persons.

[1] Global Tel*Link; Analysis of Proposed Consent Order To Aid Public Comment, 88 Fed. Reg. 81,801 (Nov. 21, 2023); Press Release, FTC, FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached (Nov. 16, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-takes-action-against-global-tellink-corp-failing-adequately-secure-data-notify-consumers-after.

[2] See GTL Complaint, In re Global Tel*Link Corporation, File No. 212-3012 at ¶¶ 44-57 (2023), https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-GlobalTelLinkCorp.pdf.

[3] See, e.g., Comments of EPIC, In re Chegg, Inc., FTC File No. 202-3151 (Dec. 12, 2022), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-chegg-inc/; Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; Comments of EPIC, In re CafePress, FTC File No. 192-3209 (2022), https://epic.org/wp-content/uploads/2022/04/EPIC-comments-in-re-cafepress.pdf; Comments of EPIC, In re Support King, LLC (SpyFone.com), FTC File No. 192-3003 (2021), https://archive.epic.org/apa/comments/In-re-SpyFone-Order-EPIC-comment-100821.pdf; Comments of EPIC et al., In re Zoom Video Communications, Inc., FTC File No. 192-3167 (2020), https://epic.org/apa/comments/EPIC-FTC-Zoom-Dec2020.pdf; Complaint of EPIC, In re Online Test Proctoring Companies (Dec. 9, 2020), https://epic.org/wp-content/uploads/privacy/dccppa/online-test-proctoring/EPIC-complaint-in-re-online-test-proctoring-companies-12-09-20.pdf; Complaint of EPIC, In re Airbnb (Feb. 26, 2020), https://epic.org/privacy/ftc/airbnb/EPIC_FTC_Airbnb_Complaint_Feb2020.pdf; Complaint of EPIC, In re HireVue (Nov. 6, 2019), https://epic.org/privacy/ftc/hirevue/EPIC_FTC_HireVue_Complaint.pdf; Comments of EPIC, In re Unrollme, Inc., FTC File No. 172-3139 (2019), https://epic.org/apa/comments/EPICFTC-Unrollme-Sept2019.pdf; Comments of EPIC, In re Aleksandr Kogan and Alexander Nix, FTC File Nos. 182-3106 & 182-3107 (2019), https://epic.org/apa/comments/EPIC-FTCCambridgeAnalytica-Sept2019.pdf; EPIC, Comments on Standards for Safeguarding Customer Information, Docket No. 2019-04981 (Aug. 1, 2019), https://epic.org/apa/comments/EPIC-FTC-Safeguards-Aug2019.pdf; Complaint of EPIC, In re Zoom Video Commc’ns, Inc. (July 11, 2019), https://epic.org/privacy/ftc/zoomEPIC-FTC-Complaint-In-re-Zoom-7-19.pdf.

[4] See, e.g., EPIC Reply Comments to FCC on Martha Wright Reed Act Implementation, WC Docket Nos. 12-375, 23-62 (Jun. 6, 2023), https://epic.org/documents/epic-reply-comments-to-fcc-on-martha-wright-reed-act-implementation/; EPIC Comments to FCC on Martha-Wright Reed Act Implementation, WC Docket Nos. 12-375, 23-62 (May 8, 2023), https://epic.org/documents/epic-comments-to-fcc-on-martha-wright-reed-act-implementation/; EPIC Comments to FCC on Securus Technologies Petition for Prison Phone Services Alternative Pricing Scheme, WC Docket No. 12-375 (Jan. 7, 2022), https://epic.org/documents/epic-comments-on-securus-technologies-petition-for-prison-phone-services-alternative-pricing-scheme/.

[5] Because jails and prisons contract with a single communications provider, each prison is a miniature monopoly wherein inmates and their families are exploited. See, e.g., The Prison Industry: How it started. How it works. How it Harms, Worth Rises (Dec. 2020), https://static1.squarespace.com/static/58e127cb1b10e31ed45b20f4/t/621682209bb0457a2d6d5cfa/1645642294912/The+Prison+Industry+How+It+Started+How+It+Works+and+How+It+Harms+December+2020.pdf; Peter Wagner & Wanda Bertram, State of Phone Justice 2022: The problem, the progress, and what’s next, Prison Policy Institute (Dec. 2022), https://www.prisonpolicy.org/phones/state_of_phone_justice_2022.html.  

[6] See GTL Complaint at ¶ 45-48.

[7] See id. at ¶ 49–56.

[8] See GTL Draft Decision and Order, In re Global Tel*Link Corporation, File No. 212-3012 (2023), https://www.ftc.gov/system/files/ftc_gov/pdf/DecisionandOrder-GlobalTelLinkCorp.pdf.

[9] See id. at 7–11.

[10] Id. at 11; see also Comments of EPIC, In re Chegg, Inc., FTC File No. 202-3151 (Dec. 12, 2022), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-chegg-inc/.

[11] GTL continues to act as a data broker, marketing its Intelligence and Investigative Solutions to facilities and regular law enforcement agencies. Although ViaPath’s website markets these tools more towards jail and prison management, the GTL website markets them for general policing purposes, too. The company offers private intelligence analysis as well. GTL, Intelligence and Investigative Tools (2023), https://www.gtl.net/crime-analysis/.

[12] See GTL Draft Decision and Order at 12–14.

[13] See id. at 15–17.

[14] See FCC, FCC Adopts Updated Data Breach Notification Rules to Protect Consumers (Dec. 13, 2023), https://www.fcc.gov/document/fcc-adopts-updated-data-breach-notification-rules-protect-consumers; see also Initial Comments of EPIC, In re Data Breach Reporting Requirements, WC Docket No. 22-21 (Feb. 22, 2023), https://epic.org/documents/in-re-data-breach-reporting-requirements/ and Reply Comments of EPIC et al., In re Data Breach Reporting Requirements, WC Docket No. 22-21 (Mar. 24, 2023), https://epic.org/documents/reply-comments-in-re-data-breach-reporting-requirements/.

[15] See FCC-FTC Consumer Protection Memorandum of Understanding 1 (Nov. 16, 2015), https://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db1116/DOC-336405A1.pdf. A later, similar, MOU was signed specific to ISPs. See Restoring Internet Freedom: FCC-FTC Memorandum of Understanding (Dec. 2017), https://www.ftc.gov/policy/cooperation-agreements/restoring-internet-freedom-fcc-ftc-memorandum-understanding.

[16] See, e.g., George Joseph & Debby Nathan, Prisons Across the U.S. Are Quietly Building Databases of Incarcerated People’s Voiceprints, The Intercept (Jan. 30, 2019), https://theintercept.com/2019/01/30/prison-voice-prints-databases-securus/; Akela Lacy et al., Prisons Launch “Absurd” Attempt to Detect Coronavirus in Inmate Phone Calls, The Intercept (Apr. 21, 2020), https://theintercept.com/2020/04/21/prisons-inmates-coronavirus-monitoring-surveillance-verus/.

[17] See, e.g., Comments of Wright Petitioners, Benton Institute For Broadband & Society, Prison Policy Initiative, and Public Knowledge, In re Incarcerated People’s Communications Services; Implementation of the Martha Wright-Reed Act, Rules for Interstate Inmate Calling Services, WC Dkt. Nos. 12-375, 23-62, at 24 (May 8, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/1050883878528 (“Security and safety costs may be necessary for the operation of a correctional facility, but that does not mean the costs should be shifted to the incarcerated person.”).

[18] See note 11 supra.

[19] See GTL Complaint at ¶¶ 9–11.

[20] See id. at ¶ 10.

[21] See, e.g., Nazgol Ghandnoosh, One in Five: Ending Racial Inequity in Incarceration, The Sentencing Project (Oct. 11, 2023), https://www.sentencingproject.org/reports/one-in-five-ending-racial-inequity-in-incarceration/; Leah Wang, Updated data and charts: Incarceration stats by race, ethnicity, and gender for all 50 states and D.C., Prison Policy Initiative (Sept. 27, 2023), https://www.prisonpolicy.org/blog/2023/09/27/updated_race_data/.

[22] See GTL Complaint at ¶ 31.

[23] See id. at ¶¶ 24–41.

[24] See, e.g., Kevin Krause, Government fraudsters have a new weapon as they commit identity theft: prison inmates, Dallas Morning News (Dec. 30, 2012), https://www.dallasnews.com/news/crime/2012/12/30/government-fraudsters-have-a-new-weapon-as-they-commit-identity-theft-prison-inmates/; Logan Smith, Colorado company banned from producing fake documents, CBS Colorado (Dec. 17, 2023), https://www.cbsnews.com/colorado/news/colorado-company-propdoks-fake-documents-cease-operations-ban/ (“The victims of the scheme were often children, older adults and inmates, according to the office’s research.”). Prisoners’ Social Security Numbers (SSNs) have long been used to attempt to defraud the U.S. government. See, e.g., Review of the President’s Fiscal Year 2018 Funding Request for the Internal Revenue Service: Hearing Before S. Comm. on Appropriations, Subcomm. on Finan. Svcs. and Gen. Gov’t, 115th Cong. 13–14, https://www.tigta.gov/sites/default/files/publications/2021-11/congress_07262017.pdf; Treasury Inspector General for Tax Administration, Final Results of the 2023 Filing Season, Report Number: 2024-400-006 at 9–10 (Nov. 9, 2023), https://www.tigta.gov/sites/default/files/reports/2023-11/2024400006fr.pdf; Treasury Inspector General for Tax Administration, Actions Were Taken to Improve the Identification of Prisoner Tax Returns, Report Number: 2021-40-027 (Apr. 15, 2021), https://www.tigta.gov/sites/default/files/reports/2022-02/202140027fr_0.pdf.

[25] See, e.g., Christopher Zoukis, Corrections Officials Stealing Prisoners’ Identities a Growing Problem, Prison Legal News (Dec. 8, 2016), https://www.prisonlegalnews.org/news/2016/dec/8/corrections-officials-stealing-prisoners-identities-growing-problem/.

[26] See, e.g., Sara S. Greene, Stealing (Identity) From the Poor, 106 Minn. L. Rev. 59, 64-66 (2021), https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=6795&context=faculty_scholarship; Erika Harrell & Alexandra Thompson, Victims of Identity Theft 2021, NCJ 306474, DOJ Bureau of Just. Stats. at 4, (Oct. 2023), https://bjs.ojp.gov/document/vit21.pdf.

[27] See Nathalie Martin, Giving Credit Where Credit Is Due: What We Can Learn from the Banking and Credit Habits of Undocumented Immigrants, 2015 Mich. St. L. Rev. 989 (2015), https://digitalrepository.unm.edu/cgi/viewcontent.cgi?article=1676&context=law_facultyscholarship.

[28] See Former ICE Chief Counsel Sentenced to Four Years in Prison for Wire Fraud and Aggravated Identity Theft Scheme, U.S. Dep’t of Just. (Jun. 28, 2018), https://www.justice.gov/opa/pr/former-ice-chief-counsel-sentenced-four-years-prison-wire-fraud-and-aggravated-identity-theft.

[29] Peter Mayer et al., “Now I’m a bit angry:” Individuals’ Awareness, Perception, and Responses to Data Breaches that Affected Them 12 (2021), https://www.ftc.gov/system/files/documents/public_events/1582978/now_im_a_bit_angry_-_individuals_awareness_perception_and_responses_to_data.pdf.

[30] The Consumer Financial Protection Bureau has long required similar protections for children in foster care, who are subject to similar identity theft vulnerabilities. See, e.g., Press Release, CFPB, CFPB Releases Tools To Protect Foster Care Children From Credit Reporting Problems (May 1, 2014), https://www.consumerfinance.gov/about-us/newsroom/cfpb-releases-tools-to-protect-foster-care-children-from-credit-reporting-errors/; Press Release, CFPB, Director Chopra’s Prepared Remarks on the Release of the CFPB’s Buy Now, Pay Later Report (Sept. 15, 2022), https://www.consumerfinance.gov/about-us/newsroom/director-chopras-prepared-remarks-on-the-release-of-the-cfpbs-buy-now-pay-later-report/.

[31] See, e.g., Joe Garcia, Opinion: Why prisoners like me need internet access, MIT Tech. Rev. (Jun. 30, 2021), https://www.technologyreview.com/2021/06/30/1026334/why-prisoners-need-internet-access/; Luke Elliott Sommer, Inmates Need Internet to Prepare for Life After Prison, Wired (Jun. 30, 2023), https://www.wired.com/story/inmates-need-internet-to-prepare-for-life-after-prison/.

[32] See e.g., F. Amanda Tugade, ‘Our loved ones… are human beings’: Iowa prisons mail delays isolate inmates, families say, Des Moines Register (Mar. 20, 2023), https://www.desmoinesregister.com/story/news/2023/03/20/iowa-prison-inmates-families-isolated-issues-with-mail-video-apps/69814531007/; Leah Sakala, Return to Sender: Postcard Only Mail Policies in Jail, Prison Policy Institute (Feb. 7, 2013), https://www.prisonpolicy.org/postcards/report.html.

[33] In one EPIC attorney’s experience, jails in Virginia that shifted from landline calling to tablet-based phone systems often had more dropped calls, and communicating with inmates at some jails became impossible due to ambient noise. See also Olivia Heffernan & Steve Brooks, Calls are Free, But California Prisoners Still Face Communications Obstacles, The Appeal (May 22, 2023), https://theappeal.org/viapath-california-prison-phones-tablets-messaging/ (documenting problems with ViaPath’s tablet-based phone and email messaging systems); Tue Kha, The Pros and Cons of California’s New Prison Tablets, Prison Journalism Project (Apr. 4, 2023), https://prisonjournalismproject.org/2023/04/04/new-california-prison-tablets-ok/.

[34] GTL Draft Decision and Order at 16.

[35] See Caterina Amuedo-Dorantes & Mary J. Lopez, Immigration Policy, immigrant detention, and the U.S. jail system, 21 Criminology & Pub. Pol. 433, Table 1 at 442 (2022), https://onlinelibrary.wiley.com/doi/full/10.1111/1745-9133.12580.

[36] See GTL Draft Decision and Order at 4.