EPIC Alert 28.08 – December 8, 2021

  1. Facebook Abandons Facial Recognition System Long Targeted by EPIC
  2. Reps. Eshoo, Lofgren Reintroduce EPIC-Backed Online Privacy Act
  3. EPIC-Led Coalition Urges California Privacy Agency to Establish Strong Data Protection Regulations
  4. EPIC Urges Court to Recognize First Amendment Right to Livestream Police
  5. EPIC, Coalition Urge Congress to Strengthen FTC’s Power to Halt Data Abuse
  6. EPIC Honors Privacy Advocates at 2021 Champions of Freedom Awards Ceremony
  7. News in Brief
  8. EPIC in the News

1. Facebook Abandons Facial Recognition System Long Targeted by EPIC

Facebook has announced that it will end its use of facial recognition over “growing societal concerns,” bringing an end to a deeply controversial practice that EPIC twice targeted in complaints to the Federal Trade Commission.

Since 2010, Facebook has used facial recognition to identify people who appear in users’ photos and videos and to suggest that users tag them. But as EPIC explained in a 2011 FTC complaint, this system was deployed “without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users.”

In 2018, EPIC again highlighted the lack of privacy safeguards on Facebook’s facial recognition system and argued that its use violated the FTC’s 2011 Facebook consent order. Although the FTC ordered Facebook in 2019 to delete some facial recognition data and to obtain express consent from users in the future, Facebook was allowed to keep using the technology.

“This was a known problem that we called out over 10 years ago but it dragged out for a long time,” EPIC Executive Director Alan Butler told the New York Times. “We need more clear legal rules and principles and a regulator that is actively looking into these issues day in and day out.”

In addition to abandoning its use of facial recognition, Facebook said it would delete the facial scan data that it had improperly obtained from over a billion users.

EPIC has long fought to protect the privacy of social media users, for a ban on face surveillance, and for the enactment of comprehensive federal privacy legislation that includes a data protection agency.

2. Reps. Eshoo, Lofgren Reintroduce EPIC-Backed Online Privacy Act

Representatives Eshoo and Lofgren have reintroduced the Online Privacy Act, a comprehensive framework for privacy and data protection in the United States.

The bill would establish a digital privacy agency, create meaningful privacy rights for consumers, and hold companies accountable for the collection and use of personal data.

“The Online Privacy Act of 2021 takes the steps needed to change the business practices that drive corporate surveillance in the United States,” said Caitriona Fitzgerald, EPIC Deputy Director. “Representatives Eshoo and Lofgren’s bill sets forth strong rights for Internet users, promotes innovation, and establishes a Digital Privacy Agency that will ensure that the U.S. adequately oversees technologies that permeate all our lives.

EPIC urges Congress to pass the Online Privacy Act.” EPIC’s legislative report graded the Online Privacy Act the #1 privacy bill in Congress last session.

3. EPIC-Led Coalition Urges California Privacy Agency to Establish Strong Data Protection Regulations

EPIC and three peer organizations urged the California Privacy Protection Agency recently to implement strong, privacy-protective regulations under the state’s new data protection law.

Approved by California voters in 2020, the California Privacy Rights Act established the state’s data protection agency, requires risk assessments for certain types of data processing, permits residents to opt out of automated decisionmaking, and builds on the California Consumer Privacy Act in numerous other ways.

EPIC and its partners urged the agency “to continue ‘protect[ing] consumers’ rights’ and ‘strengthening consumer privacy’ at every opportunity, consistent with the expressed will of California voters.”

Specifically, the comments call on the agency “to impose rigorous risk assessment obligations on businesses whose data processing activities could reasonably harm individuals’ privacy or security; to maximize the transparency of automated decisionmaking systems and minimize the burdens on individuals who wish to opt out of such systems; and to prevent any exceptions to user-directed limits on the use and disclosure of sensitive personal information from swallowing the rule.”

The comments were joined by Consumer Action, the Consumer Federation of America, and New America’s Open Technology Institute. EPIC has previously provided comments on the CCPA and published a detailed analysis of the CPRA before its approval.

4. EPIC Urges Court to Recognize First Amendment Right to Livestream Police

EPIC has filed an amicus brief in Sharpe v. Winterville Police Department supporting people’s right to livestream their public interactions with police.

The plaintiff in the case, Sharpe, sued the Winterville Police Department after an officer forcibly grabbed his phone and threatened him with jailtime for livestreaming his encounter with police as a passenger in a pulled-over car on Facebook Live. The district court dismissed the case, finding that passengers do not have a First Amendment right to livestream a traffic stop.

EPIC’s amicus brief describes how livestreaming is the newest method of the long-running, First-Amendment-protected practice of “copwatching.” Copwatching is an activity in which members of overpoliced communities peaceably watch citizen-police encounters “to hold police accountable for misconduct and to increase the safety of those policed.”

EPIC also explained that stopping passengers from livestreaming traffic stops serves no legitimate purpose because police “conduct stops on streets and highways where hundreds of people may pass during the course of a stop” and where “[c]opwatching groups, journalists, and other bystanders can communicate essentially the same information as a passenger in a traffic stop.”

Finally, EPIC explained that banning passengers from communicating information about their traffic stop in real-time is impracticable because “[p]eople in a stopped car can communicate a traffic stop’s existence and exact location through a text message, phone call, or social media before the officer even approaches their car.”

EPIC regularly files amicus briefs protecting freedom of expression and constitutional rights in using new technologies.

5. EPIC, Coalition Urge Congress to Strengthen FTC’s Power to Halt Data Abuse

EPIC and thirty-four civil rights, civil liberties, and consumer protection organizations joined a letter recently urging Congress to pass key provisions of the Build Back Better Act that will strengthen the Federal Trade Commission’s power to halt discriminatory and abusive data practices.

The bill provides $1 billion in funding for the Commission’s privacy and antitrust work and establishes an FTC bureau to address privacy, civil rights, and data security issues. “A better funded and organized Commission will be better equipped to prevent unfair and deceptive data practices, which disproportionately harm people of color and low-income communities,” the letter reads.

The Act will also give the Commission crucial power to fine companies for their first data abuse violation. “Enabling the Commission to seek civil penalties against first-time violators of the FTC Act will be a powerful deterrent against exploitative data practices and a key tool for holding lawbreaking companies accountable,” the letter argues.

EPIC has repeatedly called on the FTC to establish data protection rules and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, in June.

6. EPIC Honors Privacy Advocates at 2021 Champions of Freedom Awards Ceremony

At last month’s Champions of Freedom Awards Ceremony, EPIC honored Joy Buolamwini of the Algorithmic Justice League, Joseph Cox of MotherBoard, The Markup, and Shoshana Zuboff. Policymakers, academics, journalists, advocates, and other guests joined EPIC for an evening of celebration at the National Press Club.

EPIC established the Champions of Freedom Awards in 2004 to honor individuals and organizations that have worked to safeguard the right to privacy, open government, and democratic values with courage and integrity. The theme of this year’s ceremony was “Innovating Privacy.”

“We chose that theme in part because we reject the notion that privacy and innovation are at odds,” said EPIC Executive Director and President Alan Butler. The event featured speakers and awardees who spark change by finding new ways to draw public attention to emerging privacy issues and explore new solutions. “I do appreciate this innovation approach … because that is sort of the founding ethos of The Markup,” said Julia Angwin, founder and editor-in-chief. “We have built a newsroom around collecting data at scale in innovative ways.”

The Markup and Joseph Cox were co-recipients of the Champion of Freedom Award this year. Both have broken stories about critical privacy issues and helped to uncover data abuses by big tech, as well as by “the companies around big tech,” as Joe Cox pointed out. From data broker firms to other middlemen, “These are the ones that are really pushing the envelope … when it comes to the harvesting, the leveraging, and literally the sale of data,” he said.

Previous recipients of the Champion of Freedom Award include Senator Kirstin Gillibrand, Ambassador Stavros Lambrinidis, then-Congressmen Edward Markey, then-California Attorney General Kamala Harris, and The Guardian.

EPIC also honored Joy Buolamwini of the Algorithmic Justice League as this year’s Privacy Champion. Her groundbreaking research and organizing around algorithmic justice issues have highlighted the threats of bias and disparate treatment by face recognition and automated decision- making systems.

Privacy scholar and activist Shoshana Zuboff received the Lifetime Achievement Award. Over the course of her long career as a thought leader, she has exposed surveillance oversight threats and been a leading voice for reform. “Twenty years ago, the aim was to protect privacy and to extend privacy to every person and community,” she said. “Today, the aim must be different. The aim is to restore privacy, to wrest it back from those who have stolen it from us.”

In this regard, there has indeed been progress in restoring privacy over the past year. California, Virginia, and Colorado passed new data privacy legislation, and Senator Gillibrand reintroduced the Data Protection Act. Recently, it was announced that Facebook would be shutting down its facial recognition system and deleting the face scan data of over a billion users. EPIC has been a leading group in the effort to make these developments possible and continues to advocate for increased privacy and data protections.

“There are a lot of nonprofit groups, a lot of advocates . . . [that feel] the way they can show their value is by ‘being in the room’ or making friends with the decisionmakers,” said Rohit Chopra, Director of the Consumer Financial Protection Bureau. “That’s really not what it’s about. Really what it’s about is actually forcing those who have the tools to do it to use it. And that is [where] EPIC is a cut above so many of its peers.”
 
“We are in a unique moment because the lessons that privacy scholars and advocates have been trying to teach for more than two decades are finally getting through,” said Mr. Butler. “There are journalists, and regulators, and lawmakers, and even companies that are not only listening to our concerns, they are echoing them and amplifying them and even acting on them.”

At the event, EPIC also announced the redesign of https://epic.org, a critical online resource for those seeking to learn about emerging privacy issues. In addition to legislative and policy work, “An equally important part of EPIC’s mission is public education,” said Caitriona Fitzgerald, Deputy Director of EPIC. “We hope this new site will be an even better resource.”

Mr. Butler also emphasized there is much more work to do and ended the evening by looking to EPIC’s future: “True progress in our field means the recognition and protection of the human right to privacy,” he said. “We will not rest until we have a comprehensive privacy law in the United States.”

News in Brief

Senate Dials Back Plan to Force SSN Collection by Payment Services, As EPIC Urged

The Senate Finance Committee has significantly scaled back a proposal in the pending budget reconciliation bill to expand the mandatory reporting regime for private financial information in the United States, a move that EPIC and peer organizations previously called for. The original proposal would have required peer-to-peer apps and services to provide the IRS with Tax Identification Numbers and other data for accounts with inflows and outflows of more than $600 per year. Because most individuals do not hold a separate TIN from their Social Security Number, this plan would have forced private entities to collect the SSNs of millions of Americans. The revised proposal raises the threshold from $600 to $10,000, a significant step toward recommendations by EPIC and other privacy and consumer rights groups. “At minimum, the expanded reporting requirement should be scaled back to apply only to business accounts or individual accounts with a high de minimis threshold, adjusted for inflation over time,” the coalition wrote in its letter to the Senate Finance Committee. U.S Treasury Secretary Janet Yellen also praised the change.

EPIC Urges CBP to Stop Collecting Unnecessary Photos from Migrants at Southern Border

EPIC Deputy Director Caitriona Fitzgerald testified last week before the Massachusetts Legislature’s Joint Committee on the Judiciary in support of “An Act to Regulate Face Surveillance.” The bill prohibits government agencies, with the exception of the Registry of Motor Vehicles, from acquiring or deploying their own face surveillance systems. “There is growing recognition that facial recognition technology simply is not ready for prime time and law enforcement should not be using it,” EPIC told the Committee. Maine and Virginia have both recently enacted state laws limiting government use of facial recognition technology.

EPIC Urges CBP to Stop Collecting Unnecessary Photos from Migrants at Southern Border

In comments to the Department of Homeland Security (DHS) and Customs and Border Protection (CBP), EPIC urged the agencies to rescind a proposed change to their pre-arrival information collection program for migrants. The new policy would require migrants to submit a photo in advance for a facial recognition identification once they reach a CBP border crossing. CBP does not need the pre-arrival photo to facilitate border crossings. EPIC has joined a number of coalitions urging a ban on facial recognition including an international letter opposing the technology, a statement of concerns on police use of facial recognition, and EPIC’s Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same.

D.C. Circuit Orders More Mueller Report Disclosures in EPIC v. DOJ Appeal

The D.C. Circuit, ruling in an appeal from EPIC v. DOJ, has ordered the Department of Justice to disclose new material from the Mueller Report. The appeal was brought by Jason Leopold and BuzzFeed, whose Freedom of Information Act suit for the Mueller Report was consolidated with EPIC’s case in the lower court. Leopold and BuzzFeed challenged the lower court’s determination that the DOJ could withhold information about individuals investigated by Special Counsel Robert Mueller but not charged with a crime. The D.C. Circuit affirmed part of the lower court’s ruling but held that the DOJ must release several passages of the Report about individuals investigated for campaign finance violations, as those sections “would show only government decisionmaking, not new private information.” As a result of EPIC’s 2019 lawsuit for the Mueller Report, the Justice Department was forced on three occasions to disclose portions of the Report that it initially withheld from the public. Judge Reggie B. Walton conducted an in camera review of the unredacted Report before ruling in the case—a step that Walton deemed necessary after determining that Attorney General Bill Barr’s redactions to the Report may have been “self-serving.” EPIC’s Freedom of Information Act case—the first in the nation for the disclosure of the Mueller Report—was captioned EPIC v. DOJ, No. 19-810.

EPIC Urges DHS to Enhance Data Privacy Protections for DACA

EPIC recently submitted comments to the Department of Homeland Security (DHS) in response to DHS’s proposed rule, Deferred Action for Childhood Arrivals (DACA). While commending DHS’s fortification of the DACA program, EPIC called for “several changes to further limit collection and disclosure of [the] biographical and biometric information” of DACA requestors, their family, and associates. EPIC urged that DHS’s privacy protection exceptions “must be narrow and limited,” especially the exceptions for criminal investigations and national security purposes. The comments also call for greater privacy protections in databases storing requestors’ information and for providing applicants with clearer privacy notices. EPIC has previously advocated for greater privacy protections under the DACA program.

European Parliament Committee Approves Final Digital Markets Act Text With New Rules for Online Platforms

The Internal Market Committee of the European Parliament has voted to approve a final compromise text of the Digital Markets Act, clearing the way for a plenary vote on the Act in December. The updated text includes tougher restrictions on use of individual data (particularly sensitive data) for ad targeting purposes, stronger consent requirements, and a complete ban on large platforms processing minors’ personal data for commercial purposes. In addition, “gatekeeper” requirements mandating access to multiple app stores and interoperability of services will now apply to several large tech companies such as Amazon, Facebook, Google, Microsoft, and Apple. Fines for violations may be up to 20% of total worldwide turnover in the previous year. The Digital Services Act, also under review by the committee, has not yet been voted on and may include additional restrictions or bans relating to tracking-based advertising. EPIC regularly fights against surveillance advertising, including working with coalitions to ban targeted advertising to children.

EPIC, Coalition Tell Supreme Court to Hear Warrantless Pole Camera Surveillance Case

EPIC, along with the Electronic Frontier Foundation, Brennan Center for Justice, Center for Democracy & Technology, and National Association of Criminal Defense Lawyers, filed an amicus brief last week supporting Supreme Court review in a case concerning long-term continuous pole camera surveillance of a person’s home. In Tuggle v. United States, the Seventh Circuit held that federal agents did not need a warrant to surveil the area outside Tuggle’s home 24/7 for eighteen months using several pole-mounted cameras. In the amicus brief, the coalition explained that the capabilities of pole camera technology, video analytics technology, and camera technology in general have expanded far beyond the technologies anticipated in the Court’s previous camera surveillance cases. The costs of these technologies are also much less than the costs of a human stakeout, making long-term, round-the-clock surveillance of a person’s home affordable and efficient for law enforcement. The brief also emphasized the constitutional significance of the case. Finally, the brief argued that people should not have to build fences around their homes to shield themselves from police surveillance, and requiring as much would disproportionately burden low-income individuals, non-homeowners, and people of color. EPIC regularly advocates against police surveillance and files amicus briefs in Fourth Amendment cases.

EPIC, Coalition Urge Swift Confirmation of Alvaro Bedoya to FTC

EPIC and coalition of organizations recently urged the Senate to ensure a quick confirmation of Professor Alvaro Bedoya to the Federal Trade Commission. President Biden nominated Bedoya, the founding director of the Georgetown Center on Privacy & Technology, to serve as member of the FTC in September. “Professor Bedoya has been at the forefront of bringing the real-world harm of data exploitation and misuse to light and holding technology companies to account,” the letter reads. “We believe that it is essential he is swiftly confirmed so he can bring his significant experience and expertise on technology and civil rights to further the FTC’s mission to protect competition and consumers.” As a legal scholar and advocate, Bedoya has exposed the harms and biases of facial recognition technology and argued for legislation that would prevent predatory and discriminatory targeting of online ads. Bedoya is the author of Privacy as a Civil Right, in which he details how “the burdens of government surveillance have fallen overwhelmingly on the shoulders of immigrants, heretics, people of color, the poor, and anyone else considered ‘other’” and argues that privacy must be understood as a “shield that allows the unpopular and persecuted to survive and thrive.” Bedoya previously served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. Bedoya will succeed Commissioner Rohit Chopra when confirmed by the Senate.

EPIC, NCLC Urge FCC to Hold Carriers Accountable for SIM Swapping, Port-Out Fraud

EPIC and the National Consumer Law Center have submitted comments in support of the FCC’s proposals to protect American consumers against fraudsters who wrongly seize their mobile accounts. EPIC and NCLC also urged the Commission to hold carriers responsible for consumers’ fraud-based losses. SIM swapping occurs when a fraudster convinces a mobile carrier to activate a consumer’s account on a phone belonging to the fraudster. Port-out fraud is similar but the fraudster transfers the account to another carrier. In both circumstances, the carrier’s security measures fail to protect the consumer from fraud and can result in further identity theft-related harms. EPIC and NCLC additionally recommended that carriers limit collection of consumer data and limit employee access to the data, even for identity verification purposes, as some consumers would not have been defrauded were it not for employees having access to their information. EPIC routinely participates in regulatory and legislative processes concerning telephone subscriber privacy and tech-facilitated identity theft.

EPIC, NCLC Urge FCC to Consider Voice Provider’s Track Record in Modifying Caller ID Compliance Deadline

EPIC and the National Consumer Law Center recently urged the FCC to protect the American phone network from dangerous scam calls. Illegal robocallers and other scam callers often use fake Caller ID information to make their call look like it’s coming from a local business or the IRS. Recent legislation requires all telephone providers to implement Caller ID authentication to stop Caller ID spoofing. The FCC offered small voice providers an extension to the deadline to comply with the Caller ID authentication requirements, but some providers are abusing this extension and dumping millions of scam calls into the American phone system. EPIC and NCLC urged the FCC to reduce extensions for providers with track records for allowing illegal robocall and other spam activity on their networks and to reject other efforts of such providers to avoid implementing robocall mitigation requirements. EPIC routinely participates in regulatory and legislative processes concerning robocalls and files amicus briefs in robocall cases.

Facebook to Limit Ad Targeting for ‘Sensitive’ Characteristics, But Targeted Ads to Remain

Facebook has announced that it will limit advertisers’ ability to target ads based on users’ history of interacting with political, religious, health-related, and certain other content on the platform. By January 2022, the company plans to restrict “detailed targeting” options “that relate to topics people may perceive as sensitive, such as options referencing causes, organizations, or public figures that relate to health, race or ethnicity, political affiliation, religion, or sexual orientation.” But the move falls well short of remedying Facebook’s longstanding practice of targeting ads based on personal data. For example, the new rules will still allow advertisers to target “custom audiences” of “people [who] have already shown direct interest in and engaged with the advertiser’s cause or brand.” EPIC has long advocated for increased transparency of Facebook’s data practices to protect the privacy of Facebook users.

Bellingham, WA Bans Government Use of Facial Recognition, Predictive Policing Tech

A ballot initiative passed recently in Bellingham, Washington bans city officials, including police officers, from obtaining or using facial recognition technology, or any information derived from facial recognition. The measure also bans contracting for third party facial recognition services and the use of predictive policing technologies. The ballot initiative passed by a 10-point margin despite opposition from the Bellingham City Council. EPIC recently sought records on the use of Clearview AI and other surveillance software by the U.S. Postal Service’s Internet Covert Operations Program. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries.

FTC Issues New Policy Statement on Dark Patterns

The Federal Trade Commission has published a new policy statement warning companies “against deploying illegal dark patterns that trick or trap consumers into subscription services” and free-to-pay trials. The policy statement sets out guidance on what constitutes disclosure of “material terms” in a clear and conspicuous manner, how “negative option” sellers can attain express informed user consent, and how to provide simple, reasonable means for consumers to cancel contracts and subscriptions. The Commission’s policy statement follows numerous complaints from consumers and advocacy organizations, including EPIC, demonstrating “prevalent, unabated consumer harm in the marketplace” from dark patterns. Earlier this year, EPIC filed a complaint with the D.C. Attorney General highlighting how Amazon employs dark patterns when customers attempt to cancel their Amazon Prime subscriptions, effectively preventing them from ending their memberships, charging users recurring fees, and continuing to collect, retain, and use the personal data of misdirected subscribers. EPIC also signed onto a coalition letter urging the FTC to investigate Amazon’s use of dark patterns.

EEOC Announces Initiative on AI and Algorithmic Fairness

The U.S. Equal Employment Opportunity Commission is launching an initiative to ensure that Artificial Intelligence used in employment decisions complies with federal civil rights laws. In a statement, EEOC Chair Charlotte A. Burrows explained that algorithmic decision-making tools “may mask and perpetuate bias or create new discriminatory barriers to jobs” and that the EEOC “must work to ensure that these new technologies do not become a high-tech pathway to discrimination.” The initiative will examine how AI changes the way employment decisions are made and will offer guidance to employees, employers, and technology vendors to ensure that any use of AI in employment settings is consistent with federal employment laws. EPIC has advocated for the regulation of AI hiring tools and filed a complaint with the FTC alleging that HireVue, a recruiting company, engaged in unfair and deceptive practices through its use of opaque AI and of facial recognition technology. HireVue abandoned its reliance on facial recognition technology after EPIC’s complaint. EPIC also advocates for transparent, equitable, and commonsense AI policy and regulations.

FTC Unveils Updates to Safeguards Rule

The Federal Trade Commission has announced a series of updates to the Safeguards Rule intended to strengthen the security of customer information used by non-bank financial institutions. The revised rule specifies measures that institutions must use to protect personal data, including encryption, access controls, and multifactor authentication. The new rule also mandates that each financial institutions appoint a single qualified individual to oversee its information security program, reporting on efforts and acting as a contact point for oversight authorities. The FTC first sought public input on the changes in 2019 and followed up with a 2020 public workshop on the Safeguards Rule. EPIC previously submitted comments on the proposed changes and has consistently called for a data protection agency in the U.S.

EPIC, Coalition Urge FTC to Issue Rules Protecting Consumers Against Data Abuse & Discrimination

EPIC and a coalition of 44 consumer advocacy, civil rights, and media democracy groups recently urged the Federal Trade Commission to initiate a rulemaking to promote civil rights and protect against abusive data practices. “Companies use personal data to enable and even perpetuate discriminatory practices against people of color, women, members of the LGBTQIA+ community, religious minorities, persons with disabilities, persons living on low income, immigrants and other marginalized groups,” the letter explains. The letter calls for a rulemaking that would address the collection, use, management, retention, and deletion of personal data. “This country faces a deepening crisis of data abuse and discrimination,” John Davisson, Senior Counsel at EPIC. “But the FTC has the power to set industry-wide rules that will rein in exploitative data practices and protect privacy and civil rights. We join the president and members of Congress in urging the FTC to use that power as soon as possible.” EPIC has frequently challenged the FTC over its failure to address consumer privacy harms, has filed a rulemaking petition with the FTC on commercial AI use, and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, in June.

EPIC, NCLC Encourage FCC to Impose Specific Requirements on VoIP Providers to Reduce Illegal Robocalls

EPIC and the National Consumer Law Center recently urged the FCC to demand more robust and explicit commitments from voice over internet protocol (VoIP) service providers to protect American consumers from unwanted robocalls. Callers launching robocall campaigns often rely upon VoIP networks to do so. The advocacy groups’ comments to the FCC outline a series of specific actions the Commission should require VoIP providers to take, including detecting and responding to indicators of suspicious activity on their networks and increasing transparency to consumers of potential robocall threats. EPIC routinely participates in regulatory and legislative processes concerning robocalls and files amicus briefs in robocall cases.

EPIC Applauds FTC SpyFone Ban, Urges Similar Remedies in Future Privacy Cases

EPIC has filed comments with the Federal Trade Commission asking the agency to finalize a proposed Consent Order that would permanently ban SpyFone from the surveillance business and require the stalkerware company to delete the personal data that it stole. According to an FTC complaint, SpyFone sold surveillance tools that would allow purchasers to install software on another person’s device and surveil their victim surreptitiously. SpyFone also lied about its data security practices and its response to a 2018 data breach. Under a settlement announced by the FTC, SpyFone would be required to notify all affected users, delete any illegally collected personal information, and permanently refrain from selling, licensing, or marketing monitoring products in the future. In its comments, EPIC urged the FTC to finalize the proposed order and to impose similar requirements and bans in the future to protect consumer privacy. EPIC has frequently challenged the FTC over its failure to address consumer privacy harms and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, in June.

California Enacts Genetic Information Privacy Act

Governor Gavin Newsom recently signed the California Genetic Information Privacy Act, which was passed unanimously by the California State Legislature in September. The Act requires direct-to-consumer genetic testing companies to provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. The law imposes civil penalties for a violations, enforced by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor. EPIC tracks state genetic privacy laws through its State Policy Project.

European Parliament Calls for Ban on Facial Recognition, Social Scoring

The European Parliament has adopted a resolution calling for (1) a ban on law enforcement use of facial recognition and other biometric mass surveillance, (2) a ban on private facial recognition databases like Clearview AI, and (3) a ban on predictive policing and social scoring systems. The resolution approved of the Parliament’s 2020 report on AI in criminal law and is a step towards a ban in proposed legislation. EPIC has joined a number of coalitions urging a ban on facial recognition including: an international letter opposing the technology, a statement of concerns on police use of facial recognition, and EPIC’s Ban Face Surveillance campaign.

EPIC Joins Coalition Urging FCC Not to Permit Unfettered Ringless Voicemails

EPIC has joined a coalition of consumer groups led by the National Consumer Law Center to urge the FCC to reject a proposal that would make it legal for callers to drop voicemails directly into people’s phones without their consent. The groups explained that allowing such “ringless voicemail” would clog consumers’ voicemail boxes with spam, scams, and debt collection notices. More than 90,000 consumers signed a petition urging the FCC to reject the proposal, and thousands of others, including small businesses and medical professionals, have filed comments with the FCC registering their concern with the harms presented by ringless voicemail. EPIC routinely participates in regulatory and legislative processes concerning robocalls and files amicus briefs in robocall cases.

EPIC Urges National AI Research Resource to Empower Developers to Design Fair and Accountable AI

In comments to the newly established National Artificial Intelligence Research Resource Task Force, EPIC called on the Task Force to prioritize privacy, civil rights, and civil liberties by creating resources for companies to develop purposeful, accountable, transparent, and fair AI. EPIC also urged the Task Force to provide regulators with the resources required to enforce civil rights and consumer protection laws against companies that deploy AI systems. EPIC recently submitted comments to the Office of Management and Budget and the National Security Commission on Artificial Intelligence advising both agencies to follow the Universal Guidelines for AI and to push for actionable legal rights to protect against algorithmic harms.

EPIC in the News