EPIC Alert 28.07

EPIC Alert 28.07 – September 16, 2021

  1. EPIC Sues Postal Service to Halt Use of Facial Recognition, Social Media Monitoring
  2. EPIC, Coalition to Senators: Reject Plan Requiring SSN Collection by Peer-to-Peer Payment Services
  3. EPIC Weighs In on European Commission Proposal for Harmonized AI Rules
  4. EPIC & NCLC: Cruise Company Must Be Held Responsible for Illegal Robocalls Made Using Lead Generators
  5. EPIC Obtains Documents About DC’s Use of Automated ‘Risk Scores’ for Public Benefit Recipients
  6. News in Brief
  7. EPIC in the News
  8. Upcoming Conferences and Events

1. EPIC Sues Postal Service to Halt Use of Facial Recognition, Social Media Monitoring

EPIC has filed a lawsuit against the U.S. Postal Service to block the use of facial recognition and social media monitoring tools under the Internet Covert Operations Program (iCOP).

EPIC’s case challenges the Postal Service’s failure to conduct and publish the Privacy Impact Assessment mandated by the E-Government Act before procuring and using advanced surveillance systems under iCOP. EPIC is seeking a court order to block iCOP from using these tools at least until the Postal Service has conducted the required assessment. EPIC brought suit after the Postal Service failed to locate a PIA in response to EPIC’s Freedom of Information Act request.

Under iCOP, law enforcement officials the U.S. Postal Inspection Service monitored protests in the summer of 2020 and spring of 2021 and used Clearview AI’s controversial facial recognition product to identify individuals. The iCOP’s surveillance of protests and tracking of “inflammatory” content goes far beyond the program’s mandate to investigate fraud and other crimes perpetuated through the mail or USPS’s website.

“EPIC intends to end the Postal Service’s unlawful use of facial recognition and social media monitoring tools, and we expect the court to enforce the agency’s legal privacy obligations,” EPIC Law Fellow Jake Wiener told Yahoo News. “We hope Congress will also take action to prohibit the Postal Service from engaging in this type of surveillance and to dramatically improve surveillance oversight across federal agencies.”

EPIC has previously used the E-Government Act to block the deployment of a media surveillance platform by the Department of Homeland Security and to halt the collection of voter data by the Presidential Advisory Commission on Election Integrity.

2. EPIC, Coalition to Senators: Reject Plan Requiring SSN Collection by Peer-to-Peer Payment Services

An EPIC-led coalition of privacy and consumer rights group sent a letter to Senators Ron Wyden and Mike Crapo of the Senate Finance Committee this week regarding a proposal to expand the mandatory reporting regime for private financial information in the United States.

The proposal, which is under consideration in the budget reconciliation bill, would require peer-to-peer payment apps and services such as Square Cash and Venmo to collect Taxpayer Identification Numbers (TINs) for virtually all payee accounts in order to comply with new reporting obligations. Because most individuals do not hold a separate TIN from their Social Security Number, unlike businesses, this means that private entities would be collecting the social security numbers of millions of Americans.

In the letter, EPIC and coalition members urged the Senators to “reject the Treasury Department’s proposal to expand tax reporting for individual peer-to-peer payment service accounts and instead explore ways to improve tax compliance that do not put Americans’ SSNs at risk.”

“At minimum, the expanded reporting requirement should be scaled back to apply only to business accounts or individual accounts with a high de minimus threshold, adjusted for inflation over time,” the groups said. “Peer to Peer payment apps and other similar services that currently do not collect TINs should not be required to do so under the new reporting requirements.”

3. EPIC Weighs In on European Commission Proposal for Harmonized AI Rules

EPIC has submitted comments identifying gaps and proposing privacy and fundamental rights-preserving updates to the European Commission’s Proposal for Harmonized Rules on Artificial Intelligence (the Artificial Intelligence Act). 

The AIA is intended as a step forward in proactive regulation of AI system use. However, EPIC’s comments describe how unaddressed privacy and human rights concerns may allow AI systems to be used in ways that cause serious harm to individuals interacting, knowingly or unknowingly, with those systems.

“While EPIC concurs that regulation of AI systems is desperately needed, EPIC believes that the AIA would not meaningfully address the identified privacy and human rights concerns related to use of AI systems.” EPIC wrote. “In particular, the combination of vague language and broad exemptions undermines the purpose of the AIA.”

EPIC recommended that the Commission (i) remove the exemptions on regulatory requirements for AI systems and expand prohibitions where necessary; (ii) mandate prior notification to individuals subject to AI system decision-making; (iii) fully ban emotion recognition and biometric categorization systems; and (iv) mandate review and approval of AI system conformity assessments by data protection authorities prior to use.

EPIC advocates for algorithmic justice, transparency, and accountability, and recently submitted comments on the OECD Framework for Classifying AI Systems, recommending changes to more robustly address privacy concerns.

4. EPIC & NCLC: Cruise Company Must Be Held Responsible for Illegal Robocalls Made Using Lead Generators

EPIC and the National Consumer Law Center have filed an amicus brief in a case that highlights the privacy-invading behavior of the online lead generator industry.

The plaintiffs in the case, McCurley v. Royal Seas Cruises, are seeking to hold a cruise company accountable for tens of thousands of illegal robocalls made on its behalf by a foreign telemarketing company using leads from two unscrupulous online lead generators. The trial court dismissed the case against Royal Seas Cruises because a provision in their contract with the telemarketer that said the telemarketer would comply with the federal anti-robocall law, the Telephone Consumer Protection Act.

EPIC and NCLC argue in their brief that a simple contract provision cannot absolve Royal Seas Cruises from responsibility for these illegal robocalls. The amicus brief highlights the unscrupulous practices of the lead generator industry, including recent lawsuits accounting for millions of illegal calls and FTC enforcement actions against deceptive lead generator practices.

EPIC and NCLC also argue that failure to hold Royal Seas Cruises accountable would “dramatically weaken TCPA enforcement, denying consumers any remedy for their privacy injuries, and leaving consumers unprotected from future harms.”

“Royal Seas Cruises wants all of the advantages of robocalling people with none of the responsibilities,” the brief explains. “The Telephone Consumer Protection Act was meant to put a stop to this behavior.” 

EPIC routinely files amicus briefs in TCPA cases.

5. EPIC Obtains Documents About DC’s Use of Automated ‘Risk Scores’ for Public Benefit Recipients

EPIC, through a freedom of information request, has obtained records about the D.C. Department of Human Services’ use of automated systems to track and assign “risk score[s]” to recipients of public benefits.

The documents show that DCDHS has contracted with Pondera, a Thomson Reuters subsidiary, for case management software and a tool known as “Fraudcaster.” Fraudcaster tracks location history and other information about people receiving public benefits, combining this information with “DHS data and pre-integrated third-party data sets” to yield supposed risk scores. Factors that may cause the system to label someone as riskier include “travel[ing] long distances to retailers” and “display[ing] suspect activity.”

Thomson Reuters also offered a free trial of its CLEAR service to the DCDHS as an incentive to sign the Pondera contract quickly. CLEAR is “powered by billions of data points” and claims to “identif[y] potential concerns associated with people.” The system is used by Immigration & Customs Enforcement and other law enforcement agencies in the U.S.

EPIC is pursuing more information about DCDHS’s use of Pondera systems and mapping out automated decision-making tools used in D.C. through the EPIC Scoring and Screening Project. EPIC advocates for algorithmic transparency and accountability, particularly for systems used to make high-impact decisions like public benefit determinations.

News in Brief

EPIC Submits Feedback on NIST AI Risk Management Framework

EPIC has submitted feedback to the National Institute of Standards and Technology to inform the development of an AI Risk Management Framework that will help developers, users, and evaluators of AI systems to assess and improve those systems. EPIC’s feedback includes background on the proliferation of AI systems and the many harms stemming from their use, noting that NIST’s framework must seek to prevent those harms. EPIC recommends that the framework prioritize (i) protection of individuals affected by AI systems; (ii) accountability for AI system development and use; and (iii) interoperability with emerging and current AI and privacy regulations. EPIC frequently advocates for algorithmic justice, transparency, and accountability and has recently submitted comments on the European Commission’s proposes Artificial Intelligence Act and the OECD Framework for Classifying AI Systems.

EPIC Joins Call for Privacy Reform from Indian Government

EPIC has joined with several international privacy and human rights advocacy groups in a statementcalling for privacy reform in the wake of allegations that the Indian government used Pegasus to surveil activists, journalists, and opponents. The statement highlights the fundamental right to privacy established under both the Indian Constitution and international human rights law, condemns the illegal use of spyware, and calls for (i) an independent investigation into allegations of Pegasus use; (ii) surveillance reform ensuring independent judicial oversight and providing for judicial remedy; and (iii) establishing a data protection framework that will respect privacy rights. EPIC has previously filed suitagainst the U.S. Department of Homeland Security to obtain records of a system designed to surveil journalists⁠—a surveillance effort that was subsequently suspended. In addition, EPIC has previously joined coalition letters calling for surveillance reform within the U.S. and has testified before Congress regarding the risks of commercial spyware.

EPIC Urges UK Surveillance Commissioner to Foreground Privacy, Ban Facial Recognition in Updates to Surveillance Camera Code

EPIC has submitted comments to the Biometrics and Surveillance Commissioner of the United Kingdom on proposed updates to the Surveillance Camera Code of Practice. The proposed updates focus on aligning the Code with developments in surveillance law and recent court decisions. EPIC recommended ways to more directly address risks to privacy and international human rights, including banning facial recognition technology, emotion recognition, and biometric categorization systems; setting clear assessment and consultation requirements for databases used for matching; and strengthening protections against improper use of facial and biometric recognition systems. EPIC has long fought to protect the public against surveillance, including by campaigning to ban facial recognition technology and filing suit against agencies misusing surveillance technology. EPIC recently brought suit against the Postal Service over its unlawful use of facial recognition and social media monitoring tools.

Supreme Court to Continue Live Audio Streaming of Arguments Through Fall

The U.S. Supreme Court announced Wednesday that it will continue streaming live audio of its oral arguments at least through December of this year. The justices will also resume holding arguments in person, though the Court building will remain closed to the public. The Court’s announcement came the same day that EPIC and a coalition of over 75 civil society, transparency, media, and disability rights organizations wrote to the Court urging it to make live audio access to oral arguments permanent. The letter emphasized that “[f]air and equal justice can’t be delivered without accountability and transparency. Ensuring that live audio of oral arguments remains accessible to the public . . . would promote transparency and increase public confidence in the nation’s highest court.” At the start of the COVID-19 pandemic, the Court began streaming live audio feed oral arguments for the first time in its history. More than 130,000 people streamed arguments live during the Court’s May 2020 sitting, and oral arguments since the beginning of the pandemic have been streamed nearly three million times. During its last term, the Court held oral arguments by teleconference in four cases in which EPIC filed an amicus brief, including U.S. Fish & Wildlife Service v. Sierra ClubVan Buren v. United StatesFacebook v. Duguid, and TransUnion v. Ramirez.

UN Calls for Moratorium on Harmful AI, Establishment of Data Protection Legislation and AI Regulation

In a report published this week, the United Nations High Commissioner for Human Rights called on governments to “ban AI applications that cannot be operated in compliance with international human rights law and impose moratoriums on the sale and use of AI systems that carry a high risk for the enjoyment of human rights, unless and until adequate safeguards to protect human rights are in place.” The report also stresses the need for comprehensive data protection legislation in addition to a regulatory approach to AI that prioritizes protection of human rights. UN High Commissioner for Human Rights Michelle Bachelet explained: “The risk of discrimination linked to AI-driven decisions—decisions that can change, define or damage human lives—is all too real. This is why there needs to be systematic assessment and monitoring of the effects of AI systems to identify and mitigate human rights risks.” EPIC has long advocated for comprehensive data protection legislationmoratoriums on particularly dangerous tools and commonsense AI regulation to protect the public. 

Senators Announce Probe Into Facebook’s Alleged Coverup of Negative Influence on Children and Teens

Senators Richard Blumenthal and Marsha Blackburn announced an investigation this week into Facebook’s knowledge and coverup of the harmful effects of Facebook’s Instagram on children and teenagers. According to a recent Wall Street Journal investigation, Facebook’s researchers found that Instagram is harmful to a “sizeable percentage” of its young users, most notably teenage girls. Internally, Facebook knew that Instagram’s effects on young people included increased anxiety and depression, body image issues, and thoughts of suicide. Publicly, CEO Mark Zuckerberg testified before Congress that Facebook’s research suggested that the use of its social media apps had positive mental health benefits to users. The Wall Street Journal uncovered several documents that “show that Facebook has made minimal efforts to address these issues and plays them down in public.” In response to Senators Blumenthal and Blackburn’s August 2020 request for Facebook to release its internal research on the matter, Facebook sent a six-page letter that did not include the company’s studies. EPIC has fought for transparency and accountability for Facebook’s privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC’s 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC’s 2019 settlement with Facebook.

House Committee Approves $1B to Create New Privacy Bureau at FTC

The House Energy and Commerce Committee has approved a $1 billion appropriation for the Federal Trade Commission to create and operate a new bureau focused on privacy, data security, identity theft, data abuses, and related matters. EPIC strongly supports the appropriation but urges Congress to follow up this budget measure with comprehensive privacy legislation and to create an independent data protection agency. “This increased funding for enforcement is a step in the right direction, but the increasing pervasiveness of technology in our lives and our economy necessitates an update to our privacy laws and a dedicated agency,” said Caitriona Fitzgerald, EPIC’s Deputy Director. “While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency. Congress must follow up this budget measure with comprehensive baseline privacy legislation and the creation of an independent data protection agency. And the FTC should use these funds to promptly initiate a privacy rulemaking and go after unfair data practices and biased AI systems.” EPIC has long advocatedfor the creation of a U.S. Data Protection Agency.

Privacy & Civil Rights Expert Alvaro Bedoya Nominated to Federal Trade Commission

President Biden has nominated Alvaro Bedoya, founding director of the Georgetown Center on Privacy & Technology, to serve as member of the Federal Trade Commission. Bedoya will succeed Commissioner Rohit Chopra when confirmed by the Senate. As a legal scholar and advocate, Bedoya has exposed the harms and biases of facial recognition technology and argued for legislation that would prevent predatory and discriminatory targeting of online ads. Bedoya is the author of Privacy as a Civil Right, in which he details how “the burdens of government surveillance have fallen overwhelmingly on the shoulders of immigrants, heretics, people of color, the poor, and anyone else considered ‘other'” and argues that privacy must be understood as a “shield that allows the unpopular and persecuted to survive and thrive.” Bedoya previously served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. “Alvaro brings more than a decade of experience in privacy and surveillance issues, including a special focus on the impact that invasive technologies have on communities of color, to an FTC that needs to quickly and dramatically ramp up its responses to these emerging threats,” said Alan Butler, EPIC’s Executive Director. “There is no doubt that his expertise on these issues will put the Commission in a much better position to investigate data abuses and to craft new rules to bring these invasive business practices under control.”

Sixth Circuit Says Callers Liable for Illegal Robocalls Made in 2015-2020

The Sixth Circuit has rejected a robocall defendant’s bid to use the Supreme Court’s decision last year in Barr v. American Association of Political Consultants to create immunity for illegal robocalls made between 2015 and 2020. In Barr, the Supreme Court found that an exception added in 2015 to the decades-old robocall restriction was unconstitutional and must be severed from the law. The defendant in the case before the Sixth Circuit, Lindenbaum v. Realgy, LLC, argued that the decision in Barr made the broad robocall ban unenforceable for the period between the unconstitutional exception’s enactment and the Supreme Court’s decision to sever, from 2015-2020. The district court agreed and threw the lawsuit out. The Sixth Circuit’s decision reverses the district court and allows the robocall suit to continue. EPIC and the National Consumer Law Center filed an amicus brief in the case arguing that granting robocallers immunity “would reward those who made tens of billions of unwanted robocalls and deprive consumers of any remedy for the incessant invasion of their privacy.” EPIC regularly files amicus briefs supporting consumers in illegal robocall cases.

Ireland’s Data Protection Commission Fines WhatsApp €225 Million

The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook’s acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.

GAO Report Finds 10 Federal Agencies Plan to Expand Use of Facial Recognition Through 2023

In a new report, the Government Accountability Office (GAO) surveyed 24 federal agencies on their use of facial recognition technology. The report reveals that 18 of those agencies are using facial recognition for purposes including law enforcement, physical security/surveillance, and digital access. Ten of those agencies, including the Department of Homeland Security, the Department of Justice, and the State Department plan to expand their use of facial recognition in the near future by acquiring new systems. According to the GAO, 27 states and 6 municipalities currently allow federal agencies to access non-federal facial recognition systems. The GAO’s report follows the office’s June report that 42 federal law enforcement agencies are using facial recognition technology with little to no oversight. According to the report, many agencies were unaware that employees were using the technology. The report also reveals that the Department of the Interior accessed the DC-area NCR-FRILS facial recognition system. EPIC organized a coalition opposing the system, leading to its shutdown in July of this year. EPIC recently filed suit against the U.S. Postal Service for using of facial recognition and social media monitoring technology without completing statutorily required Privacy Impact Assessments.

Federal Trade Commission Refiles Facebook Antitrust Lawsuit

The Federal Trade Commission has refiled its antitrust complaint against Facebook after a federal court dismissed its original complaint in June. In the new complaint, the FTC alleges that Facebook used illegal anticompetitive methods to thwart competition and maintain a monopoly, including by buying competitors like Instagram and WhatsApp. The complaint details how Facebook’s practices enabled the social media giant to maintain its dominance at the expense of competition and consumers. For example, before Facebook’s acquisition of WhatsApp, the messaging platform “embraced privacy-focused offerings and design, including the principle ‘of knowing as little about you as possible’ and an ads-free subscription model” which provided “an important form of product differentiation for WhatsApp as an independent competitive threat in personal social networking.” The FTC also highlights the importance of meaningful competition, without which “Facebook has been able to provide lower levels of service quality on privacy and data protection than it would have to provide in a competitive market.” This complaint is the highest profile challenge that the Commission has brought against any tech company in decades. EPIC has long urged the FTC to block or unwind Facebook’s acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.

World Health Organization Issues Guidance on Documenting and Tracking COVID-19 Vaccination Certificates

The World Health Organization (WHO) has issued guidance on documentation of COVID-19 vaccination certificates. Among other items, the guidance outlines ethical and data protection considerations, different use scenarios, and procedures for use and verification. Critically, the guidelines emphasize that emergency circumstances do not permit authorities to ignore legal obligations relating to privacy and human rights. The guidelines also mandate data protection safeguards and warn against normalizing surveillance of health information. EPIC has previously recommended that public health responses to the pandemic be consistent with privacy and human rights standards and urgedauthorities to limit unnecessary collection and use of vaccine-related personal data by third parties, including pharmacies.

Mass. High Court: Two Days of Mass Transit Records Don’t Constitute Search Under Fourth Amendment Mosaic Theory

The Massachusetts Supreme Judicial Court issued an opinion last month in Commonwealth v. Zacharyfinding that when Boston Police accessed two days of rider history from a metro pass they did not perform a search under the Fourth Amendment. The court first followed an argument from EPIC’s amicus brief urging the court to reject the third-party doctrine for electronic data collected by a third party from an individual for the purpose of obtaining a service. The court decided, “we reject the doctrine as applied to this case, where the data at issue has no connection to the limited purpose for which an individual uses a CharlieCard.” The court then applied the mosaic theory of the Fourth Amendment which looks at the whole sweep of a government action and the insights derived when individual data points are aggregated to determine whether a search occurred under the Constitution. The court held that while “an extensive record of an individual’s MBTA activity could constitute a search under the mosaic theory, the minimal amount of data obtained in this case does not constitute a violation of art. 14 or the Fourth Amendment.” EPIC previously filed an amicus brief in the landmark location privacy case Carpenter v. United States, in which the Supreme Court held that collecting seven days of cell phone location data, considered in aggregate, constituted a search.

EPIC in the News

Upcoming Conferences and Events 

EPIC Symposium on Regulating AISept. 21, 2021.

EPIC Champions of Freedom AwardsNov. 3, 2021. National Press Club, Washington, D.C.