EPIC Alert 28.09 – December 31, 2021

  1. FTC Signals It May Conduct Privacy, AI, & Civil Rights Rulemaking
  2. Court Rules IRS Must Disclose Trump Tax Settlements to EPIC
  3. EPIC to Ninth Circuit: Some Mass Dialing Still Illegal Post-Duguid
  4. EPIC Backs House Members’ Call for Location Data Rules
  5. Waldman, Lysyanskaya, McNamee to Join EPIC Board of Directors
  6. News in Brief
  7. EPIC in the News

1. FTC Signals It May Conduct Privacy, AI, & Civil Rights Rulemaking

The Federal Trade Commission announced this month that it is considering using its rulemaking authority “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The disclosure came as part of the Commission’s semiannual regulatory agenda and statement of regulatory priorities.

Under the FTC Act, the Commission is empowered to issue rules that define certain trade practices—such as the misuse of personal information—as unfair or deceptive. The Commission can also establish rules to prevent businesses from engaging in those unfair or deceptive practices.

EPIC and coalition partners recently called on the FTC to initiate a rulemaking to promote civil rights and protect against abusive data practices. “The FTC’s rulemaking authority is particularly well suited to respond to the range of data harms,” the coalition wrote. “A rulemaking will enable the Commission to establish clear rules against discriminatory and abusive data practices through an open, participatory process.”

EPIC also filed a petition last year that specifically called on the FTC to initiate a rulemaking on commercial uses of algorithmic decision-making and artificial intelligence. EPIC argued that “the absence of effective regulation has accelerated the spread of unaccountable and untrustworthy AI tools with immediate impacts on American consumers. Given the scale of commercial AI use, the rapid pace of AI development, and the very real consequences of AI-enabled decision-making for consumers, the Commission should immediately initiate a rulemaking to define and prevent consumer harms resulting from AI.”

2. Court Rules IRS Must Disclose Trump Tax Settlements to EPIC

A federal court has ruled in EPIC v. IRS II that the Internal Revenue Service must disclose any accepted offers in compromise—a type of settlement between the IRS and a taxpayer—entered into by former President Trump or his businesses. Although tax information is ordinarily confidential, federal law requires the IRS to release accepted offers in compromise because they are “affected with significant public interest” and because disclosure deters the IRS from striking generous settlements with “politically connected individuals.”

As part of its work to identify questionable financial dealings that threaten democratic institutions, EPIC filed a Freedom of Information Act request in 2018 for accepted offers in compromise and related return information concerning President Trump. The IRS refused EPIC’s request and asked the court to dismiss EPIC’s subsequent lawsuit, but the court denied the IRS’s motion on Friday. The court explained that the tax code “creates a FOIA obligation for the IRS to disclose return information to EPIC, to the extent that information is necessary to permit inspection of an accepted offer-in-compromise.”

The IRS must now conduct a search to identify any offers in compromise involving President Trump and disclose those records to EPIC. Notably, the New York Times reported last year that Trump and the Internal Revenue Service reached a tentative agreement in 2014 over a disputed $70 million tax refund—a deal that may be covered by EPIC’s FOIA request.

EPIC previously sought disclosure of President Trump’s tax returns in EPIC v. IRS I, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. Last year, EPIC filed an amicus brief in Trump v. Vance urging the Supreme Court to allow the release of President Trump’s tax returns to a New York grand jury. EPIC wrote that the “longstanding practice of disclosing presidential tax returns reflects a central principle of modern democracies: privacy must sometimes yield to accountability.” The Court ultimately rejected Trump’s effort to categorically shield his tax returns from state prosecutors. EPIC’s ongoing case is EPIC v. IRS II, No. 18-902 (D.D.C.).

3. EPIC to Ninth Circuit: Some Mass Dialing Still Illegal Post-Duguid

EPIC has filed an amicus brief in Borden v. eFinancial arguing that callers who use some mass dialers without consent violate the Telephone Consumer Protection Act even after a recent Supreme Court decision cabined the law.

Earlier this year, the Supreme Court ruled in Facebook v. Duguid that the TCPA’s restriction on “automated telephone dialing systems”—also known as autodialers—only covered equipment that used a “random or sequential number generator.”

Borden sued eFinancial for sending automated text messages en masse to his and other consumers’ phones after they gave their phone numbers to the company through a misleading online form. Borden alleged that the equipment used an autodialer to mass dial the telephone numbers. The district court dismissed the case, finding that the equipment must generate random or sequential telephone numbers. Borden appealed the case to the Ninth Circuit.

EPIC’s amicus brief explains that the plain language of the statute is broader than the district court’s interpretation. EPIC also describes, from a technical perspective, what random and sequential number generators are, how they work, and how some mass dialers use them to make automated calls. EPIC often participates as amicus to explain the technology at issue in a case. EPIC also routinely files amicus briefs in Telephone Consumer Protection Act cases.

4. EPIC Backs House Members’ Call for Location Data Rules

EPIC has endorsed a letter from Rep. Katie Porter, Rep. Jamie Raskin, and 42 other House members calling on the Federal Trade Commission and Federal Communications Commission to establish rules against the collection and sale of consumers’ location data.

The letter urges the FTC to prohibit app developers from engaging in the “sale, transfer, use, or purchase of precise location data collected by an app for purposes other than the essential function of the app” and to enforce the prohibition through civil penalties. The letter also calls on the FCC to reaffirm through rulemaking that location data collected by mobile carriers is subject to privacy safeguards—including data recorded when a subscriber’s mobile device is idle. “While we applaud the agencies’ commitments to consumer privacy and safety, it is clear that more needs to be done,” the letter reads. “To that end, we ask that your agencies take … steps to better protect the safety and privacy of consumers.”

EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users’ location data, and EPIC filed an amicus brief in Carpenter v. United States, a case in which the Supreme Court held that the Fourth Amendment protects cell site location information. EPIC and coalition partners recently called on the Federal Trade Commission to protect against abusive data practices, including the misuse of location data. In 2005, EPIC successfully petitioned the FCC to establish more stringent security standards for the protection of mobile subscriber data.

5. Waldman, Lysyanskaya, McNamee to Join EPIC Board of Directors

Professor Ari Ezra Waldman, Professor Anna Lysyanskaya, and Roger McNamee will join the EPIC Board of Directors in January 2022.

Ari Ezra Waldman is professor of law and computer science at Northeastern University and director of the School of Law’s Center for Law, Information and Creativity. He researches how law and technology reify traditional structures of power, focusing on privacy, online harassment, misinformation and the LGBTQ community.

Anna Lysyanskaya is professor of computer science at Brown University. Her research area is cryptography, and a key theme of her work is balancing privacy with accountability—specifically, allowing users to prove that they are authorized while not revealing any additional information about themselves.

Roger McNamee began investing in technology companies in 1982 and co-founded three different investment firms in Silicon Valley. Since April 2017, he has been an activist for reform of the tech industry. The members of the EPIC Board of Directors are chosen from the EPIC Advisory Board, distinguished experts in law, technology, and public policy.

6. News in Brief

EPIC Applauds CFPB’s Payment Platform Inquiry but Notes Further Investigation Necessary

EPIC has filed comments praising the Consumer Financial Protection Bureau’s inquiry into digital payment platforms yet urging the Bureau to go further. The CFPB recently ordered major tech platforms that facilitate online payments—including Google, Apple, Facebook, Amazon, Square, and PayPal—to provide information about their data practices and sought public input on the Bureau’s orders. EPIC wrote that the CFPB’s investigation “significantly advances the Bureau’s privacy, consumer protection, and competition goals.” But EPIC argued that the Bureau should also look specifically at the data minimization and data security practices of online payment platforms, closely consider the CFPB’s role where consumers have no meaningful choice of which platform will process their payments, and broaden its investigation to include data aggregators. EPIC regularly files comments and amicus briefs and provides congressional testimony on matters related to consumer privacy, big data, and data security.

Seventh Circuit Asks Illinois Supreme Court to Decide Important Biometric Rights Question, as EPIC Urged

The Seventh Circuit has asked the Illinois Supreme Court to decide when a person can sue for violations of their rights under the state’s Biometric Information Privacy Act, commonly referred to as BIPA. EPIC filed an amicus brief urging this outcome. BIPA prohibits collection or disclosure of biometrics without consent. A few years ago, in a case called Rosenbach v. Six Flags, the Illinois Supreme Court said that people are injured, and can sue, whenever someone violates their BIPA rights as defined by the plain text of the statute. They need not allege anything additional, like a harm resulting from the statutory violation. The plaintiff in this case, Cothron v. White Castle, was a White Castle employee whose fingerprints were continuously collected by White Castle and disclosed to a third party for years without consent. White Castle argues that Cothron was only injured the first time her fingerprints were collected and disclosed because that is when she “lost control” of her biometrics—a phrase not found in the statute. Because the statute of limitations has run on the first violation, White Castle argues that Cothron cannot sue for White Castle’s years of violating her BIPA rights. EPIC filed an amicus brief in the case explaining that White Castle misconstrued Rosenbach and misapplied federal Article III standing principles to a state law statutory injury case. EPIC stressed that adopting White Castle’s atextual reading of the statute would allow long-time, repeat BIPA offenders off the hook. EPIC also said that the Illinois Supreme Court should decide the legal question. EPIC has participated as amicus in other BIPA cases, including Patel v. Facebook and Rosenbach v. Six Flags.

EPIC Urges FTC to Prioritize Privacy in 5-Year Strategic Plan

In comments to the Federal Trade Commission, EPIC urged the agency to include specific goals for privacy enforcement in its five-year Draft Strategic Plan. EPIC argued that setting specific goals for privacy enforcement would help protect individuals from data exploitation, biased and unfair algorithmic decision-making, online scams, and data breaches. EPIC explained that prioritizing privacy would also serve the FTC’s renewed goal of addressing racial equity, as poor and minority communities are disproportionately harmed by unfair and deceptive practices online. The comments highlighted work EPIC has done to provide the FTC with tools and guidance for privacy enforcement. In March, EPIC and a coalition of groups launched a campaign to Ban Surveillance Advertising. In June, EPIC published a report on the Commission’s unused and underused statutory authorities for privacy enforcement. In August, EPIC led a coalition urging the FTC to address exploitative commercial data practices. And in October, EPIC and a coalition urged the Commission to protect civil rights online through a new privacy rulemaking.

EPIC Supports DC Attorney General’s Legislation to Stop Algorithmic Discrimination

District of Columbia Attorney General Karl A. Racine has introduced landmark legislation to strengthen civil rights protections for DC residents and prohibit companies and institutions from using biased algorithms that lock individuals, especially members of vulnerable communities, out of critical opportunities. “At many of the most important moments of our lives—when we’re applying for jobs, housing, loans, college—we are screened and scored by opaque algorithms, often without even knowing it,” said EPIC Deputy Director Caitriona Fitzgerald. “And the algorithms often reflect judgments that reinforce bias and inequities in our society. There is little transparency on how these algorithms work, and there is rarely accountability for discriminatory outcomes. The Stop Discrimination by Algorithms Act (SDAA) will establish crucial transparency measures to safeguard against discriminatory algorithms and require explanations to individuals after adverse decisions made by these tools. Crucially, the SDAA provides for strong enforcement via both the Attorney General’s powers and a private right of action, allowing individuals to bring a claim to protect their rights. EPIC is proud to support the SDAA.”

Congress Requires State Department to Blacklist Surveillance Firms Targeting U.S., Activists, Journalists

Congress has enacted legislation requiring the State Department to provide Congress with a list of surveillance technology companies to blacklist. The law specifically targets companies which have “knowingly assisted or facilitated a cyber attack or conducted surveillance” targeting the United States, activists, journalists, politicians, or political dissidents. The legislation was passed as part of the National Defense Authorization Act and follows recent controversy generated by the spyware company NSO Group. NSO Group’s phone-hacking software Pegasus has been used to target “more than 1,000 people spanning more than 50 countries,” including politicians like Emmanuel Macron, journalists like Jamal Khashoggi, at least nine U.S. State Department officials, and other activists, lawyers, and businesspeople. In November, the Biden Administration blacklisted NSO Group, prohibiting U.S. companies from selling technology to the spyware company. EPIC’s Surveillance Oversight Project has advocated against surveillance of digital devices, and EPIC recently submitted a Freedom of Information Act request to the FBI seeking information about the Federal Government’s connections to NSO Group.

Canadian, French Privacy Authorities Order Clearview AI to Stop Collection & Use of Photos

The Office of the Information & Privacy Commissioner for British Columbia and the Commission Nationale de l’informatique et des Libertés in France have separately ordered Clearview AI to stop collecting data on individuals in their territories. The OIPC order requires Clearview to delete all images and biometric data. Clearview is also not allowed to offer its services to clients in British Columbia. The CNIL order requires Clearview to cease collection and use of the data of persons in French territory and to comply with erasure requests. The CNIL found that Clearview’s practices violated the GDPR. EPIC is currently litigating a case against ICE to obtain documents about its use of Clearview and other facial recognition services.

Grindr Fined Over Six Million Euros for Privacy Violations

The Norwegian data protection agency (Datatilsynet) has fined Grindr €6.3 million, or approximately $7.16 million, for sharing user data with third party companies without user consent. The GDPR violation was considered a “grave” infringement because the information shared with third parties—mainly online advertisers—included highly sensitive personal data such as sexual orientation. Users signing up for the app had been forced to “agree” to the company’s privacy policy but had not been specifically asked if they consented to data sharing for behavioral advertising purposes. The penalty is the largest GDPR fine issued by Datatilsynet to date. EPIC has long fought for the privacy of social media users and previously filed an amicus brief in Herrick v. Grindr LLC, a case regarding Grindr’s refusal to respond to harassment perpetuated through the platform which led to physical assault and threats.

FCC Accelerates Caller ID Deadline for Some Small Voice Service Providers

The FCC has reduced the extension to implement Caller ID protections from two years to one for a category of small voice providers that are responsible for a disproportionate amount of illegal robocall traffic. These small voice providers now have until June 30, 2022 to implement the new protection, STIR/SHAKEN. EPIC and NCLC urged the Commission to revoke extensions on a case-by-case basis, taking into account the provider’s compliance with its own robocall mitigation program and responsiveness to requests to trace robocall activities. The FCC did not “foreclose the possibility of applying [EPIC and NCLC’s proposed] obligation when appropriate on a case-by-case basis” after the FCC’s Enforcement Bureau has first notified the provider that they are a source of illegal robocall traffic. EPIC routinely participates in regulatory and legislative processes concerning robocalls and files amicus briefs in robocall cases.

7. EPIC in the News