EPIC Alert 29.11 – November 29, 2022
- Giving Tuesday
- Top Updates
- Analysis From EPIC
- EPIC in the News
As we near the end of 2022, we at EPIC are thankful for all of you who support the fight to defend privacy and civil rights online. This has been a groundbreaking year for privacy advocates, with so much at stake as we work to establish rules to protect everyone from digital intrusions and unchecked surveillance online. EPIC started the year off with our successful campaign to push back on the face-scanning system being rolled out by the IRS, and we have been working hard all year to get comprehensive privacy and data minimization rules at the Federal Trade Commission, in Congress, and in states like California and Colorado. Now, we are preparing to continue this important work in 2023.
The work we do would not be possible without your support. EPIC is able to represent the interests of consumers and protect human rights online through our policy advocacy, our briefs in court, and our cutting-edge research thanks to the donations we receive from individuals all over the world. We don’t take corporate sponsorships and we never back down in the fight to rein in Big Tech. That work has never been more important, and EPIC’s voice is critical to ensure that the privacy interests of individuals don’t get drowned out by Big Tech.
So please join us in the fight to secure digital privacy rights. The time is now, when lawmakers all over the world are setting their sights on the companies that control what we see and do online. Please, go to epic.org/donate/ to defend privacy and support EPIC now.
1. EPIC to Federal Trade Commission: It is Time to Protect Consumers from Commercial Surveillance
EPIC submitted comments in response to the Federal Trade Commission’s Advanced Notice of Proposed Rulemaking regarding a Trade Regulation Rule on Commercial Surveillance and Data Security. “The FTC has the power to set rules that will limit what companies know about us, rein in harmful algorithms, crack down on digital discrimination and harms to children, secure our data, and reverse the asymmetry of power between consumers and big tech. EPIC’s comments set out a comprehensive blueprint for the FTC to do that,” said EPIC Senior Counsel John Davisson.
2. EPIC Submits Comments to Maximize Consumer Protections in Ongoing California Privacy Rulemaking
EPIC recommended edits to the California Privacy Protection Agency’s latest round of proposed rules implementing the California privacy bills, including modifications to sections on data minimization, third-party obligations to comply with consumer protection, and the obligation of companies to limit sensitive data collection and use to strictly necessary and enumerated purposes.
3. Sen. Wyden Reveals State Department Gives Law Enforcement Unfettered Access to Sensitive Data from 145 Million Americans
Senator Ron Wyden (D-OR) revealed in a letter that the U.S. State Department allows 25 federal law enforcement and intelligence agencies to freely access the Consular Consolidated Database, a key database of sensitive personal information from 145 million Americans, including names, addresses, birthdates, fingerprints, facial images, and social security numbers. Sen. Wyden’s letter expands on documents EPIC obtained in EPIC v. State Department, a Freedom of Information Act case.
Analysis From EPIC
Greater Legal Protections Needed for Phone Geolocation Data
For years, law enforcement has used location information from mobile phones to investigate and apprehend suspects and to dispatch emergency assistance. Now, with the Supreme Court decision overturning Roe v. Wade, the sharing of mobile phone location data with law enforcement and third parties has taken on renewed importance. In this blog post, EPIC Law Fellow Chris Frascella examines the inadequacies in recent efforts to safeguard Americans’ location data and emphasizes the need for Congress to enact a comprehensive privacy law.
On November 22, the Federal Communications Commission cut off a voice service provider from other networks for failing to meet the Commission’s Robocall Mitigation Database certification requirements, which are designed to protect consumers from scam robocalls and malicious Caller ID spoofing. This is the first time the Commission has exercised this authority and is a notable step. However, as EPIC explained in October, this ultimately falls far short of the systemic action needed to stem the tide of illegal robocalls.
EPIC submitted comments in response to the Federal Trade Commission’s Advanced Notice of Proposed Rulemaking regarding a Trade Regulation Rule on Commercial Surveillance and Data Security. As EPIC explains, “The unchecked spread of commercial surveillance over the last two decades has led to a data privacy crisis for consumers in the United States.” EPIC told the Commission that it should address the widespread data abuses by data brokers, targeted advertising firms, and other entities facilitating commercial surveillance by issuing comprehensive privacy rules that address the unfair trade practices that are causing substantial privacy injuries to consumers every day.
EPIC submitted comments to the California Privacy Protection Agency to recommend edits to their latest round of proposed rules implementing the California privacy bills. EPIC provided modifications to sections on data minimization, third-party obligations to comply with consumer protection, and the obligation of companies to limit sensitive data collection and use to strictly necessary and enumerated purposes. EPIC previously sent comments to the California Privacy Protection Agency throughout this process in August 2022, June 2022, and November 2021.
The Federal Communications Commission has declared ringless voicemails subject to the Telephone Consumer Protection Act’s consent rules for calls made using an artificial or prerecorded voice, meaning the Commission and private plaintiffs can now sue to enforce calls made to a wireless phone without prior express consent. As this order was effective upon release, ringless voicemails will immediately be treated as robocalls.
On November 10, EPIC and the National Consumer Law Center, joined by six other consumer advocacy and legal aid organizations, submitted comments to the Federal Communications Commission, urging the Commission to do more to protect consumers from scam robotexts than its proposal of blocking texts sent from numbers on a Do Not Originate list. The organizations also recommended that the Commission ensure industry-led efforts to prevent unwanted robotexts continue, as they seem to have some measure of positive impact on mitigating the problem.
A recent class action filed in Washington alleges that Amazon used dark patterns to make cancelling customers’ Prime subscriptions more difficult. The lawsuit cites to EPIC’s 2021 complaint to the D.C. Attorney General’s office, which explains how Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships, leads to further subscription fees, and allows the company to continue collecting, retaining, and using the personal data of misdirected subscribers.
Two U.S. House committees recently revealed that identity verification vendor ID.me deliberately underestimated how long people had to wait for virtual interviews to access government benefits and massively overestimated the extent of welfare fraud during the pandemic. Earlier this year, an EPIC-led coalition of privacy and civil liberties groups urged federal and state agencies to end their use of ID.me and other face verification services.
The Department of Transportation is planning to develop a system that will give assisted-driving equipped and autonomous cars advance notice when pedestrians and other vulnerable road users enter crosswalks. EPIC submitted comments urging the agency to foreground privacy in the design of this new system by (1) considering the privacy impacts of high-tech camera systems on privacy, (2) choosing the most privacy-protective technologies and implementing privacy-by-design principles, and (3) avoiding any technology that collects pedestrians’ cell phone data.
Sen. Wyden Reveals State Department Gives Law Enforcement Unfettered Access to Sensitive Data from 145 Million Americans
Senator Ron Wyden revealed in a letter and announced by Yahoo! News that the U.S. State Department allows 25 federal law enforcement and intelligence agencies to freely access a key database of personal information, the Consular Consolidated Database (CCD). Data in the CCD is pulled from applications for visas, passports, and American Citizen Services, and includes names, addresses, birthdates, fingerprints, facial images, social security numbers, and more. Sen. Wyden’s letter expands on documents EPIC obtained in EPIC v. State Department, a Freedom of Information Act case revealing how the State Department allows many agencies access to the CCD.
Sen. Wyden called for the State Department to implement reforms to (1) develop a policy to limit access to the CCD to legitimate purposes, (2) provide notice when the State Department disseminates information to other agencies, (3) publish annual statistics on outside agency use of the CCD, and (4) engage with agencies with more privacy expertise to align use of the CCD with privacy best practices.
On November 14, the Italian Data Protection Authority issued a moratorium under the GDPR on the use of facial recognition technology that will last at least until the end of 2023 and may be extended if laws regulating facial recognition are not enacted. The Authority also announced an investigation into, and a moratorium on, the use of smart infrared glasses in Arezzo, where police planned to start using the technology to read license plates at night and interface the glasses with drivers’ license databases to verify drivers’ identities.
In comments on the Privacy and Civil Liberties Oversight Board’s Oversight Project examining section 702 of the Foreign Intelligence Surveillance Act, EPIC urged the Board to recommend that Congress prohibit “abouts” collection and warrantless backdoor searches. EPIC also urged the Board to recommend new and enhanced safeguards, including the codification of protections for non-U.S. persons and more robust notice requirements for criminal defendants. EPIC has been a proponent of empowering the Board to conduct meaningful oversight of government surveillance since its inception.
The New York Times has reported that the FBI explored using the phone-hacking technology “Pegasus” in its criminal investigations, despite the FBI’s prior assertions that it had only purchased a Pegasus license for research and development. Earlier this year, EPIC submitted a Freedom of Information Act request to the FBI seeking information about its use of Pegasus spyware, which has reportedly been used to target thousands of people and to spy on French President Emmanuel Macron, Dubai’s Princess Latifa, Saudi journalist Jamal Khashoggi, and many prominent activists, academics, and journalists.
In a memorandum released September 30, Attorney General Merrick Garland detailed new guidelines for when the Department of Justice will invoke the state secrets privilege to withhold evidence or to seek dismissal of a case or claim. The U.S. government has previously used the controversial privilege to stymie plaintiffs challenging government mass surveillance. While the guidelines include new Executive Branch safeguards—including a process for revisiting the necessity of the privilege once invoked—the privilege remains a threat to meaningful accountability in the absence of legislative reform.
A newly released 2016 report by the National Security Agency Office of Inspector General revealed that an experienced NSA analyst had “acted with reckless disregard” in collecting communications from people and organizations within the United States, in violation of agency regulations and potentially statutory law governing surveillance programs. The heavily redacted report, which arose out of internal NSA whistleblower reports just before the Edward Snowden disclosures in 2013, was released by the U.S. government in response to a Freedom of Information Act request.
EPIC in the News
- FCW: Login.gov is getting new anti-fraud tools, but privacy advocate raises concerns
- Fox 6: Law enforcement drones; privacy questions over ‘eye in the sky’
- Law360: FTC Urged To Stop ‘Unfair’ Tactics That Keep Kids Online
- GCN: How to reduce citizen harm from automated decision systems
- The Wall Street Journal: Google Reaches $391.5 Million Settlement With States Over Location Tracking Practices
- Quartz: Elon Musk might have already broken Twitter’s agreement with the FTC
- Motherboard: Police Use DNA Phenotyping to Limit Pool of Suspects to 15,000
- Law360: Midterms Open Up Path For Stalled Federal Data Privacy Law
- WIRED: Algorithms Quietly Run the City of DC—and Maybe Your Hometown
- WTOP News: Report on ‘automated decision making’ in DC raises questions about accuracy, fairness, equity