EPIC v. U.S. Postal Service, No. 21-2156 (D.D.C. filed August 12, 2021) is a lawsuit under the E-Government Act of 2002 to stop the U.S. Postal Service’s law enforcement arm from using facial recognition and social media monitoring tools.
The Internet Covert Operation Program (iCOP)
The U.S. Postal Inspection Service, a component law enforcement agency of the Postal Service, operates a surveillance program known as the Internet Covert Operations Program, or “iCOP”. Since 2018, iCOP has used a suite of surveillance tools, including facial recognition and social media monitoring services, to monitor individuals and produce intelligence products distributed across the federal government. iCOP’s stated mandate is the “identification, disruption, and dismantling of individuals and organizations that use the mail or USPS online tools to facilitate black market trade or other illegal activities.”
On April 21, 2021, a Yahoo News story revealed that iCOP had used Clearview AI’s facial recognition product and social media monitoring tools to surveil protesters in the summer of 2020. The iCOP also monitored online activity after the January 6, 2021 insurrection in Washington, D.C. iCOP officers adopt covert online identities and attempt to identify upcoming protests and “inflammatory” posts on various social media sites.
Clearview AI performs facial recognition matching using a database of over 3 billion images scraped from Facebook and other social media sites. Clearview AI’s combined facial recognition and social media monitoring product identifies (or purports to identify) an individual from their image and provides the user with links to the individual’s personal information, social media profiles, and other related online material. Clearview AI has incurred extensive public backlash and legal scrutiny over its bulk scraping of images from social media websites without user consent and contrary to those websites’ terms of service. iCOP also used a trial of Vigilant Solutions’ facial recognition service for at least ten months in 2017.
iCOP also uses Zignal Labs’ social media surveillance platform, which is capable of tracking a social media “narrative” back to the individual who initiated the narrative and of identifying specific individuals as “influencers.” In addition, ICOP agents use Nfusion software to create anonymous email accounts and social media profiles for information collection.
The Government’s Failure to Publish Required Privacy Impact Assessments
Under Section 208 of the E-Government Act of 2002, any agency that “initiat[es] a new collection of information that . . . will be collected, maintained, or disseminated using information technology” is required to complete and publish a privacy impact assessment (PIA) before doing so. Specifically, the agency must “(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.”
The aim of Congress in enacting the E-Government Act was “[t]o make the Federal Government more transparent and accountable” and “to ensure sufficient protections for the privacy of personal information[.]” Thus, a privacy impact assessment must be “commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information.” The PIA must specifically address “(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured.”
Despite these explicit obligations under the E-Government Act, the Postal Service failed to produce a Privacy Impact Assessment covering its procurement and use of facial recognition and social media monitoring technology.
EPIC has long highlighted the obligation of federal agencies to conduct and publish a privacy impact assessment before any new collection of personal data, and EPIC has brought numerous successful cases seeking the release of PIAs. In EPIC v. DHS, No. 11-2261 (D.D.C. filed Dec. 20, 2011), EPIC obtained a PIA and related records concerning a prior effort by the DHS to track social media users and journalists. In EPIC v. FBI, No. 14-1311 (D.D.C. filed Aug. 1, 2014), EPIC obtained unpublished PIAs from the Federal Bureau of Investigation concerning facial recognition technology. And in EPIC v. DEA, No. 15-667 (D.D.C. filed May 1, 2015), EPIC learned that the Drug Enforcement Administration had failed to produce PIAs for the agency’s license plate reader program, a telecommunications records database, and other systems of public surveillance.
More recently, in EPIC v. Presidential Advisory Commission on Election Integrity, No. 17-1320 (D.D.C. filed July 3, 2017), EPIC challenged the failure of the Presidential Advisory Commission on Election Integrity to undertake and publish a PIA prior to the collection of state voter data. EPIC’s suit led the now-defunct Commission to suspend its data collection and later delete all of the voter information that had been illegally obtained. In EPIC v. DHS, No. 18-1268 (D.D.C. filed May 30, 2018), EPIC succeeding in blocking the development of a Department of Homeland Security system designed to monitor journalists. And in EPIC v. Commerce, 928 F.3d 95 (D.C. Cir. 2019), EPIC challenged the Census Bureau’s failure to conduct and publish a PIA before collecting citizenship data in the 2020 Census. The citizenship question was ultimately withdrawn by the Bureau.
EPIC v. U.S. Postal Service et. al, No. 21-2156 (D.D.C. filed Aug. 12, 2021)