EPIC Alert 30.03 – March 31, 2023
- Top Updates
- Analysis From EPIC
- EPIC in the News
1. EPIC Launches Campaign to Reform or Sunset FISA Section 702
Ahead of the potential sunset of Section 702 of the Foreign Intelligence Surveillance Act at the end of 2023, EPIC has launched a campaign to significantly reform the sweeping surveillance authority or let it expire.
2. Court Cites EPIC Amicus Brief, Ruling for Plaintiffs in Voter Privacy Case
A federal judge cited EPIC’s amicus brief while ruling for the plaintiffs in National Coalition on Black Civic Participation v. Wohl, a case concerning voter intimidation and privacy.
3. EPIC, Coalition Submit Comments to California Privacy Agency
EPIC, the Center for Digital Democracy, and the Consumer Federation of America submitted comments to the California Privacy Protection Agency to recommend strong regulations implementing key provisions of the California Consumer Privacy Act.
Analysis From EPIC
TikTok is Not the Only Problem
The debate over whether a ban or restructuring of TikTok is a necessary policy intervention has taken a new twist recently with the Biden administration now demanding that TikTok be sold from its Chinese parent company to a company based in the United States or face a potential ban in the U.S. In this blog post, EPIC Deputy Director Caitriona Fitzgerald and EPIC Global Privacy Counsel Calli Schroeder examine the national security concerns voiced by the Administration and members of Congress and explain why simply forcing a ban or divestiture on TikTok in the U.S. without broader privacy rules would not solve these worries of data collection and exploitation by foreign governments.
More EPIC Analysis
Celebrating Sunshine Week with Some EPIC Open Government Wins
Enid Zhou, Senior Counsel
Two Years In, COVID-19 Relief Money Fueling Rise of Police Surveillance
Chris Baumohl, Law Fellow
What the FCC’s Safe Connections Rule Must Get Right to Support Survivors of Domestic Violence
Chris Frascella, EPIC Law Fellow; Erica Olsen, NNEDV Safety Net Project Director
“Reforming 702” Part 3: Strengthening FISA Amici
Chris Baumohl, Law Fellow
“Reforming 702” Part 4: Ensure Meaningful Avenues for Judicial Redress
Chris Baumohl, Law Fellow
“Framing the Risk Management Framework” Part 1: Actionable Instructions by NIST in their “Govern” Section
Ben Winters, Senior Counsel; Grant Fergusson, Equal Justice Works Fellow
“Framing the Risk Management Framework” Part 2: Actionable Instructions by NIST in their “Manage” Section
Ben Winters, Senior Counsel; Grant Fergusson, Equal Justice Works Fellow
AI & Human Rights
The Italian Data Protection Authority issued an order under Europe’s General Data Protection Regulation requiring OpenAI to immediately stop processing local user data, effectively blocking ChatGPT until OpenAI complies with European data protection laws. OpenAI has 20 days to respond or will face a penalty of up to €20 million ($21.7 million), or 4% of OpenAI’s annual turnover.
FCC Approves Robocall and Robotext Rules, Will Consider Restricting Sale of Consumer Contact Info in Further Rulemaking
Robocalls continue to annoy (and sometimes defraud) American phone subscribers, and the latest FCC regulations on robocalls and robotexts are unlikely to stem the flood of illegal calls, although they may reduce the illegal calls and texts that result from consumers filling out forms online.
EPIC submitted comments in response to the National Telecommunications and Information Administration’s Request for Comment on Privacy, Equity and Civil Rights, encouraging the agency to maintain its focus on harmful commercial data practices that disproportionately impact marginalized and historically excluded communities. Specifically, EPIC recommended algorithmic transparency requirements and mandatory risk and impact assessments because the “onus to avoid harms cannot rest on consumers.”
The FTC announced an enforcement action against BetterHelp, fining the online counseling company $7.8 million and banning it from sharing consumer health data for advertising purposes. According to the complaint, BetterHelp violated Section 5 of the FTC Act by revealing health data to third parties even though BetterHelp “repeatedly promised to keep it private and use it only for non-advertising purposes” at several points in the lengthy online intake questionnaire. This settlement follows several recent FTC actions to protect consumer health data, including cases against GoodRx, Flo Health, and Kochava.
EPIC, the Center for Democracy and Technology, Privacy Rights Clearinghouse, and Public Knowledge jointly filed reply comments with the Federal Communications Commission urging the agency to prioritize protecting consumers from data breaches by explicitly naming and outlining its multiple sources of legal authority to protect privacy. The reply comments build on EPIC’s original comments to the agency in February, which noted that the trajectory of breaches and inadequate data security at telecom companies has gotten worse over time.
White House Unveils New National Cybersecurity Strategy, Supports Data Protection Legislation That Would Set ‘Clear Limits’ on Collection and Use
The White House unveiled its National Cybersecurity Strategy, including a five-part plan to work towards a more safe, reliable, and secure digital ecosystem. The strategy emphasizes that cybersecurity is essential not only for a functional economy but also for a strong democracy and to preserve both privacy and national security. Specifically, the White House commits in this strategy to support “legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
In comments to the White House Office of Science and Technology Policy, EPIC urged the agency to prioritize research and development of a token-based intermediated Central Bank Digital Currency, fully anonymous digital cash, and anonymous credentials. EPIC regularly works at the intersection of financial and consumer privacy to ensure that individuals are not subjected to private or government surveillance when making digital transactions.
EPIC joined Public Knowledge’s comments supporting the Federal Communications Commission addressing digital discrimination in access to communications services, recommending enforcement mechanisms the agency should use to ensure broadband for all Americans. The comments outline the history of Congressional action attempting to ensure all Americans benefit from a national communications network, to remedy chronic underinvestment in low-income and insular communities, and to regulate the market, which—left to its own profit-seeking incentives—would discontinue service to areas with low rates of return.
Democracy & Free Speech
A federal judge cited EPIC’s amicus brief while ruling for the plaintiffs in National Coalition on Black Civic Participation v. Wohl, a case brought by voters against several defendants who placed robocalls shortly before the 2020 election specifically targeting Black voters and falsely warning them that their personal information would be forwarded to debt collectors, law enforcement, and the CDC if they chose to vote by mail. The judge ruled that this constituted voter intimidation under the Ku Klux Klan Act and the Voting Rights Act, explaining that “An overarching threat that looms throughout the Robocall is the danger that a voter’s private information will become exposed if that person votes by mail. Voter privacy, as the amicus brief submitted by EPIC explains, is vital to election integrity.”
EPIC, the Center for Digital Democracy, and the Consumer Federation of America submitted comments to the California Privacy Protection Agency to recommend strong regulations implementing key provisions of the California Consumer Privacy Act. “As the agency formulates regulations concerning cybersecurity audits, risk assessments, and automated decision-making, we renew our call to ‘protect consumers’ rights’ and ‘strengthen consumer privacy’ at every opportunity, consistent with the expressed will of California voters,” the organizations wrote.
New regulations implementing the California Consumer Privacy Act have officially gone into effect following approval by the state’s Office of Administrative Law. The rules reinforce a wide range of privacy safeguards for Californians, including data minimization requirements; transparency obligations; access, correction, and deletion rights; and the ability for consumers to opt out globally from the sale or transfer of their personal data. EPIC provided extensive input on the rules in November 2021, May 2022, August 2022, and November 2022, arguing for the strongest possible construction of the CCPA to protect consumers from exploitative data practices.
The Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act after a months-long, iterative rulemaking process. The rules address various areas of the law such as consumer personal data rights, universal opt-out mechanisms, bona fide loyalty programs, and various duties of controllers, including a duty of care. EPIC submitted comments to strengthen consumer privacy in August 2022 and January 2023 as the rulemaking process progressed.
EPIC submitted a Freedom of Information Act request to the Office of the Director of National Intelligence concerning an ODNI-led report on the government’s purchase of data, including sensitive data on Americans. On March 8, during a Senate Select Committee on Intelligence hearing, Sen. Ron Wyden revealed that the ODNI had “convened an outside panel to study and make recommendations related to the government’s purchase of data, including sensitive data on Americans” and that the panel had produced a “lengthy report” on that issue.
President Biden signed an executive order restricting the use of commercial spyware by the U.S. government, prohibiting the operational use of commercial spyware if the government determines that it poses “significant counterintelligence or security risks” to the U.S. government or if it poses “significant risks of improper use by a foreign government or foreign person.”
Ahead of the potential sunset of Section 702 of the Foreign Intelligence Surveillance Act at the end of 2023, EPIC has launched a campaign to significantly reform the sweeping surveillance authority or let it expire. The campaign page includes EPIC’s major priorities for surveillance reforms as part of any reauthorization process, as well as EPIC’s blog series on Section 702 and the need for reform.
EPIC joined a coalition of civil society organizations in writing a letter to the chairmen of the Senate Judiciary Committee, the House Judiciary Committee, as well as the House and Senate Intelligence Committees, urging them to hold hearings on the need to reform FISA Section 702 and other government surveillance authorities.
Rep. Pramila Jayapal (D-WA) and Rep. Warren Davidson (R-OH) issued a joint statement calling for significant reforms to FISA Section 702, cautioning that “programs operating under Section 702 of the Foreign Intelligence Surveillance Act and claims of inherent executive authority remain a threat to Americans’ constitutional right to privacy.”
At a House Intelligence Committee hearing, Rep. Darin LaHood said the FBI unlawfully searched for information about him in databases of information collected under FISA Section 702, stating that this “egregious” violation “not only degrades the trust in FISA but is viewed as a threat to the separation of powers.” Jeramie Scott, EPIC Senior Counsel & Director of the Project on Surveillance Oversight, emphasized that Rep. LaHood’s revelation “needs to be a wakeup call for Congress to end these warrantless backdoor searches and implement comprehensive reform to rein in the surveillance state and protect Americans’ privacy and civil liberties.”
EPIC joined a diverse coalition of civil society groups to urge the DEA to end the National License Plate Reader Program, arguing that the program “is both illegal and intrudes on the rights and liberties of millions of Americans.” The coalition also pointed out the privacy, discrimination, and error risks of license plate readers.
A report by the Department of Homeland Security Office of the Inspector General revealed that the United States Secret Service and U.S. Immigration and Customs Enforcement Homeland Security Investigations illegally used cell-site simulators without a court order to obtain real-time cell phone device locations.
In a letter, EPIC and a coalition of 172 national, state, and local immigration, policy, direct services, and privacy organizations urged the Department of Homeland Security to extend an unusually short 30-day deadline for comments on a rulemaking that makes substantial changes to the process for seeking asylum in the U.S. The rulemaking’s short deadline coincides with the expiration of Title 42 restrictions on immigration at the southern border put in place in response to Covid-19.
EPIC in the News
- PBS NewsHour: Why a ban on TikTok won’t solve all data privacy concerns
- The Washington Post: The U.S.’s sixth state privacy law is too ‘weak,’ advocates say
- WHYY: Delaware County law enforcement plans to build a ‘real-time crime center’
- International Association of Privacy Professionals: A view from DC: A recap of the TikTok hearing
- CyberScoop: Here’s what to expect from lawmakers who will grill TikTok’s CEO on privacy, security and child safety
- The Wall Street Journal: U.S. State-Government Websites Use TikTok Trackers, Review Finds
- The Japan Times: Why does the U.S. still retain the biometrics of millions of Iraqis?
- NBC New York: Your NYC Supermarket May Know Your Face Better Than You Think
- WIRED: A US Congressman Says the FBI Unlawfully Targeted Him
- NBC News: White House backs bipartisan bill that could be used to ban TikTok