EPIC Alert 28.06

EPIC Alert 28.06

EPIC Alert logo

1. EPIC’s Winning Case Against AI Commission Comes to a Close

EPIC has reached a settlement agreement in EPIC v. AI Commission, bringing to a close EPIC’s successful litigation to open up the proceedings of the National Security Commission on Artificial Intelligence.

The Commission was charged by Congress with developing recommendations on the use of AI in national security and defense contexts. But after the Commission conducted much of its work in secret and without public input, EPIC filed an open government lawsuit against the Commission in 2019.

EPIC twice prevailed in the case, securing court rulings that the Commission was subject the Freedom of Information Act and the Federal Advisory Committee Act. The court sharply criticized the Commission’s arguments “not to read [the FOIA] literally,” likening the government to “a stranger offering candy to a child.” The court also ruled that the Commission could be forced to comply with both the FOIA and the FACA, explaining that “[n]o rule of law forced Congress to choose just one.”

As a result of EPIC’s case, the Commission was forced to hold public meetings and disclose thousands of pages of records about its work. The Commission issued its final report this spring, urging Congress and the President to implement key safeguards on federal AI deployment. However, the report failed to propose any substantive limits on AI use for Congressional enactment, as EPIC urged the Commission to do last year.

EPIC’s settlement with the Commission resolves EPIC’s claim to attorney’s fees for its work on the case. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

2. Federal Court Rejects Challenge to Census Privacy Protections

A federal court has rejected an effort by Alabama to scrap the Census Bureau’s system for protecting personal data collected in the 2020 Census. EPIC filed an amicus brief in the case urging the court not upend the Bureau’s use of differential privacy.

In March, Alabama filed a lawsuit challenging the Bureau’s reliance on differential privacy, in which controlled amounts of statistical noise are added to published census data to prevent individuals from being identified and linked with their census responses. The Bureau recently demonstrated that sophisticated “attacks” can identify tens of millions of people from published census data unless robust privacy safeguards are implemented.

Alabama sought a preliminary injunction blocking the Bureau’s use of differential privacy, but the court denied that motion and dismissed many of the claims in the case. The court subsequently paused proceedings in the case until after the Bureau publishes redistricting data later this month.

EPIC filed an amicus brief with the court arguing that differential privacy is “the only credible technique” to guard against reidentification attacks. EPIC also argued that differential privacy “is not the enemy of statistical accuracy,” but rather “vital to securing robust public participation in Census Bureau surveys[.]”

EPIC has long advocated for the confidentiality of personal data collected by the Census Bureau. In 2004, Bureau revised its “sensitive data” policy after an EPIC FOIA request revealed that the Department of Homeland Security had improperly acquired census data on Arab Americans from following 9/11. In 2018, EPIC filed suit to block the citizenship question from the 2020 Census, alleging that the Bureau failed to complete several privacy impact assessments required under the E-Government Act.

3. EPIC Urges DHS to End Use of Face Recognition & AI Systems, Implement Algorithmic Impact Assessments

In comments to the Homeland Security Department, EPIC highlighted systemic problems with DHS systems that use facial recognition and artificial intelligence and urged the agency to end these programs.

EPIC’s comments came in response to a proposed round of public polling the DHS plans to conduct concerning perceptions of advanced surveillance. EPIC called on the agency “to go beyond a simple household poll” and to “cease using facial recognition and AI-based technology in light of the serious threat these systems pose due to systemic problems with bias, accuracy, transparency and the disparate impacts they create.” The comments specifically highlighted the Biometric Entry/Exit Program, the FALCON Search & Analysis System, and the Analytical Framework for Intelligence.

EPIC also urged DHS to put in place rigorous algorithmic impact assessments before the agency undertakes any other AI or facial recognition projects. “For any impact assessment to be a useful endeavor it must be sufficiently detailed to identify real problems, preemptive so that an impact assessment can shape a proposed project, and ongoing so that DHS can understand how existing systems are performing,” EPIC explained. “An impact assessment that cannot alter the substance of a proposed system is simply a box checking exercise.”

Recently, EPIC joined over 40 other organizations to detail the issues with police using facial recognition and call for a law enforcement ban on the technology’s use. EPIC has proposed the Universal Guidelines for Artificial Intelligence as the basis for federal legislation. The Universal Guidelines have been endorsed by more than 250 experts and 60 organizations in 40 countries.

4. EPIC, ACLU, & EFF Urge Court to Prohibit Wholesale Forensic Cell Phone Searches When Probable Cause is Limited

EPIC has filed an amicus brief with the ACLU and EFF in United States v. Morton urging the full Fifth Circuit to prohibit invasive forensic searches of cell phones when law enforcement only has probable cause to search some of the data on the phone.

In Morton, police obtained a warrant to search the defendant’s cell phone for evidence of an alleged drug crime, but instead conducted a forensic search of the phone’s full contents and uncovered evidence of an entirely unrelated crime. A Fifth Circuit panel ultimately found that the search violated the Fourth Amendment because it reached a type of data on the phone that was not likely to contain evidence of the specific crime being investigated.

EPIC, ACLU, and EFF applauded the panel’s recognition that “the scope of cell phone searches must closely adhere to the probable cause showing, lest authority to search a device for evidence of one crime mutate into authority to search the entirety of the device for evidence of any crime—a prohibited general search.” The groups argued that, in an age when “Americans’ dependency on smartphones has, intentionally and inadvertently, resulted in our phones containing vast troves of our personal information, strict limits on searches and seizures are necessary to preserve privacy” and that technological and administrative convenience “is no justification for discarding the Fourth Amendment’s probable cause and particularity requirements.”

EPIC regularly files amicus briefs challenging unconstitutionally broad cell phone searches, including forensic searches of entire cell phones.

5. New Experts Join the EPIC Advisory Board

EPIC is pleased to announce the newest members of the EPIC Advisory Board. EPIC’s new members are leading experts in privacy, technology, and civil liberties law and policy who will help inform EPIC’s important work on emerging privacy and human rights issues. Since its inception, the EPIC Advisory Board has been comprised of innovative and solution-oriented scholars, experts, and advocates. EPIC’s newest Members are:

  • Colleen Brown, a Partner at Sidley Austin LLP focused on privacy, cybersecurity, data protection, and emerging technology issues. Co-founded Women in Privacy and recently named by Washingtonian as one of the “Top Lawyers” in Cybersecurity.
  • Simone Browne, an Associate Professor of Black Studies and Research Director of Critical Surveillance Inquiry with Good Systems, at the University of Texas at Austin. She is the author of Dark Matters: On the Surveillance of Blackness.
  • Mishi Choudhary, the Legal Director at the Software Freedom Law Center and Founding Executive Director of SFLC.in, a legal services organization based out of New Delhi that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world.
  • Michele Bratcher Goodwin, a Chancellor’s Professor at the University of California, Irvine and founding director of the Center for Biotechnology and Global Health Policy.
  • Adrian Gropper, a serial entrepreneur in healthcare computing who has focused on using engineering to advance open and free technology that enables self-sovereign patients, physicians, and communities.
  • Marcia Hofmann, a digital rights attorney currently serving as US-UK Fulbright Cyber Security Scholar and board member of the Filecoin Foundation. She has previously taught courses in computer crime at Colorado Law and internet law at UC Hastings.
  • Jumana Musa, a human rights attorney and racial justice activist, the Director of the Fourth Amendment Center at the National Association of Criminal Defense Lawyers, and former Deputy Director of the Rights Working Group.
  • Scott Skinner-Thompson, an Associate Professor at Colorado Law School whose research focuses on issues of constitutional law, civil rights, and privacy law, with a particular focus on LGBTQ and HIV issues. His recently published book, Privacy at the Margins, examines how privacy can function as an expressive, anti-subordination tool of resistance to surveillance regimes helping to create a more equitable public sphere.
  • Ashkan Soltani, an independent researcher and technologist specializing in privacy, security, and technology policy. He is a former Senior Advisor to the Chief Technology Officer in the White House Office of Science and former Technology Policy and Chief Technologist at the Federal Trade Commission.
  • Amie Stepanovich, the Executive Director at Silicon Flatirons who is widely recognized as an expert on domestic surveillance, cybersecurity, and privacy law issues. She is a former U.S. Policy Manager and Global Policy Counsel at Access Now.
  • Katherine Strandburg, the Alfred B. Engelberg Professor of Law at NYU and a leading expert in the fields of information privacy, innovation policy, and patent law. She is the co-editor of the Governing Knowledge Commons series, and the latest installment is Governing Privacy in Knowledge Commons.

News in Brief

EPIC Signs on to Protect Encryption in the Brazilian Code of Criminal Procedure Updates

EPIC has joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. The text as it stands could force companies using strong security protections—such as end-to-end encryption—to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption.

EPIC & CDT Amicus Brief Highlights Dangers of Unchecked Government Collection of E-Scooter Location Data

EPIC and the Center for Democracy & Technology have filed an amicus brief supporting Los Angeles residents’ court battle against a city initiative to collect detailed location information on all individual e-scooter trips taken in Los Angeles. The lawsuit is currently on appeal after the trial court dismissed the case because it found no privacy interest in the data. EPIC and CDT’s amicus brief describes how Los Angeles spearheaded a new data collection pipeline called the Mobility Data Specification to standardize the location data that ride share providers collect so that the data can easily be disclosed to governments for analysis—and, potentially, surveillance. EPIC and CDT wrote that MDS has the “power to turn a so-called ‘smart city’ into a surveillance state that is inimical to the Fourth Amendment.” The amicus brief describes how MDS was developed to track any shared mobility vehicle, and that Los Angeles already had plans to expand the program to rideshare data from Uber and Lyft. EPIC and CDT also argued that the city’s policy goals could be achieved without collecting individual trip data, and described how aggregation, differential privacy, and sampling are widely used to analyze mobility data and protect privacy more than bulk disclosure of individualized trip data. EPIC routinely files amicus briefs in cases applying the Fourth Amendment to novel technologies.

EPIC Urges DHS to Slow Implementation of Mobile Driver’s License Systems, Prioritize Privacy Protections

In comments responding to a Homeland Security Department (DHS) Request for Information, EPIC urged the agency to slow its investigation into mobile driver’s license technology and implement only systems with the most rigorous cryptographic and privacy-preserving design standards. EPIC recently urged the National Institute of Standards and Technology to adopt anonymous credentialing for identity verification cards for federal employees.

EPIC, Coalition Call on Retailers to Ban Facial Recognition in Stores

EPIC and a coalition of privacy and civil liberties groups are calling for stores to stop using facial recognition technology. The new campaign tracks which major retailers use or are considering using facial recognition and aims to pressure these entities to stop. Corporate use of facial recognition is especially concerning because, according to Sen. Ron Wyden, government agencies are already buying surveillance information from corporations to evade warrant requirements. EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of FR, and EPIC’s Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same.

Poll: Nearly 8 in 10 Americans Support Creation of U.S. Data Protection Agency

A new poll from Data for Progress found that 7 in 10 Americans think the government should be doing more to keep their personal data safe and nearly 8 in 10 Americans across the political spectrum support Senator Gillibrand’s Data Protection Act, which creates a U.S. Data Protection Agency. “Our government must continue to evolve alongside our society, and adapt to meet new challenges the American people face,” Senator Gillibrand said in a blog post. “I believe the best way to do that is by creating a new federal agency designed with your data privacy in mind: the Data Protection Agency.” EPIC has long advocated for the creation of a U.S. Data Protection Agency.

Wisconsin Supreme Court Refuses to Limit Warrantless Forensic Searches of Cell Phones

The Wisconsin Supreme Court issued an opinion in Wisconsin v. Burch finding that cell phone data downloaded with a forensic device can be used in a subsequent, unrelated investigation and trial regardless of whether the data was initially obtained without a warrant in violation of the Fourth Amendment. A police department used a forensic device to download the entire contents of the defendant’s phone while investigating a hit-and-run and retained a full copy indefinitely. The sheriff’s office later accessed and searched the copy during an unrelated homicide investigation and used the defendant’s cell phone data as evidence during his trial. The Wisconsin Supreme Court refused to decide the constitutional question. Instead, the Court found that the evidence should not be excluded because the police “acted by the book” and there was no conduct to deter with exclusion. The Court said that the sheriff’s office “ha[d] every reason to think [the downloaded data] was lawfully obtained” and found there was no police misconduct because it is “common police practice to share records with other agencies.” Dissenting from this holding, Judge Bradley, along with two other justices of the court, recognized that law enforcement “generally needs a warrant to search the data [cell phones] hold.” She added that the exclusionary rule should apply in this case because “excluding evidence obtained by following such an unlawful and widespread policy provides significant societal value by both specifically deterring continued adherence to an unconstitutional practice and more broadly incentivizing police agencies to adopt policies in line with the Fourth Amendment.” EPIC, along with the ACLU and EFF, filed an amicus brief in the case arguing that the unchecked use of forensic devices to download, store, and share cell data violated the Fourth Amendment by “enabl[ing] the State to rummage at will among a person’s most personal and private information whenever it wanted, for as long as it wanted” without a warrant. EPIC regularly files amicus briefs challenging unlawful access to cell phone data.

GAO Finds Widespread Use of Facial Recognition Without Adequate Privacy Protections

In a recent report, the Government Accountability Office found that 13 federal law enforcement agencies are unable to track employees use of facial recognition services and reported that 20 agencies use some form of facial recognition. Eight agencies own systems while 17 agencies used a system outside the agency in the last two years. The report found that 10 agencies used Clearview AI and 5 used its competitor Vigilant Systems. The GAO also reported that most federal law enforcement agencies were unable to comply with Privacy Act and E-Government Act requirements because the agencies do not track employee use of outside facial recognition systems. EPIC has an ongoing lawsuit under the Freedom of Information Act seeking documents on Immigration and Customs Enforcement’s use of Clearview AI and other facial recognition services. Recently, EPIC joined over 40 other organizations to detail the issues with law enforcement’s use facial recognition and call for a law enforcement ban on the technology’s use.

Rep. Castor Introduces KIDS PRIVCY Act to Protect Children, Teens

Rep. Kathy Castor (D-Fla.) has introduced an updated Protecting the Information of our Vulnerable Children and Youth Act (Kids PRIVCY Act) to strengthen the existing Children’s Online Privacy Protection Act. “Representative Castor’s bill makes critical updates to our children’s privacy laws to address the dangers of today’s technologies,” said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). “Everyone deserves strong privacy protections online, but children and teens especially need to be protected from corporate surveillance and manipulative targeted advertising. The Kids PRIVCY Act prohibits behavioral ad targeting to children and teens and includes strong enforcement mechanisms to ensure that companies comply with the law. EPIC is proud to support this bill and encourages Congress to move this legislation forward in order to protect children and teens online.”

House Passes the Consumer Protection and Recovery Act

The House of Representatives passed the Consumer Protection and Recovery Act (H.R. 2668) last month on a 221-205 vote. The bill explicitly authorizes the Federal Trade Commission to seek monetary relief for injured consumers in federal court and to require bad actors to return money obtained through illegal actions. The amendment to the FTC Act restores a key piece of the FTC’s Section 13(b) power, which the FTC previously used to obtain restitution and disgorgement for wronged consumers until the Supreme Court recently limited this authority in AMG Capital Management v. FTC. The White House has also expressed support for the bill. EPIC has long called for greater protection of consumer privacy through FTC enforcement and the imposition of financial penalties against companies who engage in unfair data practices. Recently, EPIC published a report that highlighted a number of key authorities that the FTC should use to address emerging privacy threats.

Sen. Wyden Pushes Intelligence Community to Protect Data From Online Advertising Data Collection

Senator and veteran privacy advocate Ron Wyden recently sent a letter to the Acting Intelligence Community Chief Information Officer urging him to protect intelligence community computers and personnel from threats posed by the sale and misuse of online advertising data. The letter emphasized that advertising companies operate in an unregulated market where they can “collect vast amounts of sensitive information about users, their movements, web browsing, and other online activities” and then offer that information “for sale to anyone with a credit card.” Senator Wyden previously led an investigation that uncovered the ways advertising companies were selling so-called “bidstream” data to firms in China, Russia, and other high-risk foreign countries. The sale of bidstream data poses both privacy and national security risks because that data includes precise location information of Americans as well as their device identifiers and browsing histories. In the letter, Sen. Wyden sought information on how, if at all, the intelligence community protects data from online advertisers, including through the use of ad blocking technologies. EPIC has repeatedly raised concerns over the collection of vast amounts of data online and has joined a growing coalition of groups in their call to Ban Surveillance Advertising.

Competition Executive Order Requires Dept. of Transportation to Address Drone Privacy

The Executive Order signed by President Biden addressing competition in the American economy requires the Department of Transportation to address drone privacy. “[G]iven the emergence of new aerospace-based transportation technologies, such as low-altitude unmanned aircraft system deliveries, advanced air mobility, and high-altitude long endurance operations,” the Executive Order reads, the Secretary of Transportation shall ensure that the Department of Transportation take action to “facilitate innovation that fosters United States market leadership and market entry to promote competition and economic opportunity and to resist monopolization, while also ensuring safety, providing security and privacy, protecting the environment, and promoting equity.” EPIC has long highlighted the privacy and civil liberties implications of aerial surveillance technology and has called on Congress to “establish drone privacy safeguards that limit the risk of public surveillance.”

President Biden Signs Executive Order Requiring More Scrutiny of Tech Mergers and Data Privacy

President Biden has signed a wide-ranging executive order with the aim of promoting competition. EPIC has long argued that market consolidation in online platform threatens privacy. The Executive Order aims to address the ways in which dominant tech firms are undermining competition and reducing innovation in three ways: 1) greater scrutiny of mergers, especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by “free” products, and the effect on user privacy; 2) encouraging the FTC to establish rules on “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy”; and 3) encouraging the FTC to establish rules barring unfair methods of competition on internet marketplaces. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook’s acquisition of WhatsApp.

Maine Becomes First State to Enact Statewide Ban on Face Surveillance

The Maine Legislature has enacted the country’s strongest statewide facial recognition law. Maine’s new law prohibits public officials and public employees at the state, county and municipal levels from possessing and using facial recognition technology, with extremely limited exceptions. The Maine law includes a private right of action, meaning that individuals may bring a lawsuit if they believe a government agency or official has violated the law. EPIC Board Member Shoshana Zuboff testified in support of the legislation. “An individual’s ability to control access to his or her identity and personal information, including determining when, how, and to what purpose these are revealed, is an essential aspect of personal security and privacy guaranteed by the Bill of Rights,” Professor Zuboff said. “The use of facial recognition technology erodes that ability.” EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of FR, and EPIC’s Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes “just-in-time” delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020,edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC’s request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Upcoming Conferences and Events

EPIC Symposium on Regulating AI. Sept. 21, 2021.

EPIC Champions of Freedom Awards. Nov. 3, 2021. National Press Club, Washington, D.C.