You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

Previous Top News: 2013


  • A federal judge in New York has ruled that the NSA's telephone metadata program is legal. The ruling comes less than two weeks after a federal judge in Washington, DC issued an injunction against the telephone record collection program—calling it an "unreasonable search under the Fourth Amendment." The opinions create a split amongst the district courts as to the legality of the NSA's program. Both opinions are expected to be appealed. The President's Review Group recently released its report recommending the end of the NSA's bulk collection of telephony metadata. EPIC filed a Petition in the U.S. Supreme Court challenging the legality of the program, shortly after the disclosure earlier this summer. For more information, see In re EPIC and EPIC: FISC Verizon Order. (Dec. 30, 2013)

  • The Ninth Circuit Court has denied Google's petition for rehearing en banc in Joffe v. Google, a suit brought by individuals whose private Wi-Fi communications, including passwords and other sensitive information, were intercepted by Google. The appeals court previously found that Wi-Fi "payload" data are not exempt from protection under the Wiretap Act. EPIC filed an amicus brief in the case, arguing that Wi-Fi communications "are not 'broadcast' like traditional radio communications; they are sent from one device to another directly and there is nothing about the typical configuration of a Wi-Fi device to suggest that users expect that their communications between these devices would be 'readily accessible to the general public.'" Google recently reached a $7-million settlement with the attorneys general of 38 states and the District of Columbia over the Street View collection. For more information, see EPIC: Joffe v. Google and EPIC: Investigations of Google Street View. (Dec. 30, 2013)

  • More than 500 leading writers from around the world have endorsed the declaration "A Stand for Democracy in the Digital Age." The Writers against Mass Surveillance stated that "A person under surveillance is no longer free; a society under surveillance is no longer a democracy." The declaration was issued in December 10, 2013, International Human Rights Day. Article 12 of the Universal Declaration of Human Rights establishes privacy as fundamental right. EPIC has urged the United States to ratify Council of Europe Convention 108 — the Privacy Convention. For more information see Public Voice - The Madrid Declaration, EPIC - Council of Europe Privacy Convention. (Dec. 20, 2013)

  • Following EPIC's complaint to the Federal Trade Commission about Scholarships.com, the company has improved security on its website. Scholarships.com encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. In fact, the company transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC's complaint to the FTC alleged that Scholarships.com’s failure to use reasonable security practices is an unfair trade practice. The company has since implemented HTTPS. For more information, see EPIC: Student Privacy. (Dec. 19, 2013)

  • The President's Review Group on Intelligence and Communications Technologies has concluded that the NSA’s collection of bulk telephone records should end. In a sweeping report "Liberty and Security in a Changing World," the review panel set out 46 recommendations, which would limit NSA surveillance, expand judicial oversight, create new transparency requirements, update federal privacy laws, and create a new privacy agency. Other recommendations include the application of the Privacy Act of 1974 to both U.S. and non-U.S. persons, support for strong encryption techniques, and the cessation of U.S. practice of stockpiling software vulnerabilities known as "zero day" exploits. Earlier this year, EPIC met with the review group and submitted extensive comments to the panel, specifically urging the end of the bulk record collection program. EPIC had earlier petitioned the Supreme Court to find the program unlawful. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Dec. 19, 2013)

  • A Senate Committee Majority Staff report released today highlights the oft-concealed practices of Data Brokers. The report finds that data brokers lack transparency and collect sensitive personal information, while individuals lack basic rights to know what data is collected or how it is used. The brokers, the report notes, prevent business customers from revealing how data is obtained. The report also exposed how personal information is often used to target the financially vulnerable. Thus far, the data broker industry has largely escaped federal regulation. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint lead to a $10 million settlement. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 18, 2013)

  • The 2014 Computers, Freedom, and Privacy conference will be co-chaired by EPIC's Amie Stepanovich. Stepanovich is the Director of EPIC's Domestic Surveillance Project. She is the third staff member at EPIC to co-chair CFP. The first CFP conference was held in San Francisco in 1991 under the auspices of the Computer Professional for Social Responsibility. CFP was the first conference that brought together the law enforcement and hacker communities, with technical experts, legal scholars, and policy makers to explore the world of "cyberspace." Lorrie Cranor wrote a ten-year report on CFP in 2000. A sister conference Computers, Data Protection, and Privacy takes place in Brussels in January 2014. The 2014 CFP conference will be held in Washington, DC. For more information, see Computers, Freedom, and Privacy. (Dec. 18, 2013)

  • Dictionary.com has named "privacy" the 2013 word of the year. Noting the Snowden disclosures about NSA surveillance, the release of Google Glass, and the changing privacy policies of Internet companies, Dictionary.com wrote "The discussion of privacy - what it is and what it isn’t - embodies the preeminent concerns of 2013." The major privacy events in 2013 are displayed in this Infographic. The site also noted a Time word banishment poll which found that "twerk" is the number #1 most people would like banished. Close behind were "hashtag," "selfie," and "swagger." (Dec. 17, 2013)

  • EPIC has filed a notice of appeal with the D.C. Circuit Court of Appeals in EPIC v. NSA. In that case, EPIC sought NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the United States. A federal district court ruled that the directive is not subject to the Freedom of Information Act because it was not under "the control" of the federal agencies and officials who received it. It is the only time a federal court has ruled that presidential directives in the possession of federal agencies are not subject to the FOIA. EPIC is appealing the decision. For more information, see EPIC v. NSA: Cybersecurity Authority (Dec. 17, 2013)

  • A federal judge today issued an injunction against the NSA telephone record collection program. Judge Leon ruled that the plaintiffs "have a substantial likelihood of showing that their privacy interest outweigh the Governments interest in collecting and analyzing bulk telephony metadata and therefore the NSA's Bulk Metadata program is indeed an unreasonable search under the Fourth Amendment." Judge Leon also stressed that "While Congress has great latitude to create statutory schemes like FISA, it may not hang a cloak of secrecy over the Constitution." This is the first court opinion issued on the controversial surveillance program. EPIC filed a Petition in the U.S. Supreme Court challenging the legality of the the program, shortly after the disclosure earlier this summer. The decision of the district court will be stayed pending an appeal by the government to the DC Circuit Court of Appeals. For more information, see In re EPIC and EPIC: FISC Verizon Order. (Dec. 16, 2013)

  • The yearend report from the Inspector General at the Department of Justice points to new privacy and civil liberties concerns. The report Top Management and Performance Challenges Facing the Department of Justice - 2013 finds that "technological advances, particularly in the realm of communications technology, have vastly increased the amount of data potentially available to law enforcement agencies , . . ." The report observes that "significant public attention has been paid to programs authorizing the acquisition of national security information, but relatively less has been paid to the storing, handling, and use of that information. " The analysis concludes, "As the Department continues to acquire, store, and use national security information, these issues will arise more and more frequently, and the Department must ensure that civil rights and liberties are not transgressed." Earlier reports from the Inspector General found misuse of National Security Letter authority by the FBI. (Dec. 16, 2013)

  • EPIC has submitted comments on the National Institute of Standards and Technology's cybersecurity policy proposal. Pursuant to an Executive Order, the federal agency is charged with defining a "cybersecurity framework" for the federal government. EPIC reiterated previous comments that emphasized civilian control, adherence to the Fair Information Practices, and compliance with the Privacy Act and Freedom of Information Act. In light of revelations that the National Security Agency's has weakened key security standards, EPIC urged NIST to clarify the NSA's involvement in the development of the federal policy. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority). (Dec. 13, 2013)

  • The Senate confirmed the reappointment of Judge Patricia M. Wald to the Privacy and Civil Liberties Oversight Board. Judge Wald's current term was set to expire next month, but President Obama re-nominated her on March 21, 2013. Last year, EPIC recommended that the Oversight Board, consistent with its mandate, pursue a broad agenda, including (1) suspension of the Fusion Center Program ; (2) limiting closed-circuit television surveillance; (3) eliminating the use of body scanners; (4) establishing privacy regulations for drones; (5) improving Information Sharing Environment (ISE) and Suspicious Activity Reporting (SARS) Standards; and (6) Privacy Act adherence. More recently, EPIC addressed the Board at a workshop on NSA Surveillance. And in response to a public rulemaking, EPIC also provided extensive comments on a proposed rule governing the Board's Freedom of Information Act practices. The Board adopted nearly all of EPIC's recommendations on transparency. For more information, See EPIC: Foreign Intelligence Surveillance Act and EPIC: Open Government. (Dec. 13, 2013)

  • The Review Group on Intelligence and Communications Technologies, established to recommend surveillance reforms, will send a final report to the President this Sunday. According to one news article, the task force will recommend putting a civilian leader in charge of NSA, separating out the code-breaking "Information Assurance Directorate," and splitting the U.S. Cyber Command off into a separate military unit. The Review Group will also recommend new limits on the NSA’s ability to search telephone call records, proposing that telephone records be stored with a third party rather than the NSA. The group will also recommend safeguards for the data of European citizens, and restrictions on the use of National Security Letters. Earlier this year, EPIC filed a petition with the U.S. Supreme Court, supported by legal scholars and former members of the Church Committee, arguing that the NSA bulk collection program was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Foreign Intelligence Surveillance Act Reform, and EPIC: In re EPIC. (Dec. 13, 2013)

  • EPIC has filed an extensive complaint with the Federal Trade Commission concerning the business practices of Scholarships.com. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. Scholarships.com, however, transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC alleges that this is an unfair and deceptive trade practice. EPIC’s complaint also alleges that Scholarships.com’s failure to use reasonable security practices is an unfair trade practices. EPIC has asked the FTC to require the company to change its business practices. Earlier this year, EPIC urged Congress to restore privacy protections for student data following recent changes to the Family Educational Rights and Privacy Act. For more information, see: EPIC: Student Privacy. (Dec. 12, 2013)

  • EPIC has joined a petition to the Federal Communications Commission, organized by Public Knowledge, that asks the FCC to rule that the sale of consumer phone records to the government is a violation of the federal Communications Act. Last month, EPIC urged the FCC to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. And in June, following the initial Snowden disclosure, EPIC wrote to the FCC to explain that Verizon had likely violated the Communications Act when it disclosed telephone records to the NSA. EPIC has also long supported the FCC's consumer privacy enforcement authority, filing amicus briefs in significant cases, including US West v. FCC and NCTA v. FCC, to defend the agency’s privacy regulations. For more information, see EPIC: CPNI (Customer Proprietary Network Information), EPIC: Foreign Intelligence Surveillance Act. (Dec. 11, 2013)

  • EPIC's Spotlight on Surveillance Project returns to put the spotlight on the Federal Bureau of Investigation's Next Generation Identification program. A billion dollar project to increase the Bureau's ability to collect biometric identifiers on millions of individuals in the United States. The FBI is currently adding facial, iris, and voice identification techniques that will greatly increase the Bureau’s ability to pursue mass surveillance. EPIC is pursuing a Freedom of Information Act lawsuit to learn more about the program. Many of the techniques now being deployed in the US were developed by the US Department of Defense for war zones. EPIC has urged greater Congressional oversight of the program and new privacy safeguards. See EPIC's Spotlight on Surveillance on FBI's Next Generation Identification Program. (Dec. 10, 2013)

  • The National Telecommunications and Information Administration has announced that the next privacy multistakeholder process will focus on "privacy safeguards for the use of facial recognition technology." The process was designed by the Obama Administration to apply the Consumer Privacy Bill of Rights to industry, and recently developed a voluntary code of conduct regarding mobile app transparency. In comments to the agency, EPIC recommended that the CPBR be codified in the form of comprehensive privacy legislation. For more information, see EPIC: NTIA Multistakeholder Process. (Dec. 10, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit for the reports that detail the NSA's collection of call record information from US telephone companies. Citing the Department of Justice's failure to comply with EPIC original EPIC's FOIA Request and the urgency to inform the public, EPIC has also filed a motion for a preliminary injunction, asking a federal judge to rule within 20 days on EPIC’s legal claims. EPIC is seeking the reports that the Justice Department has routinely prepared for Congress but never made available to the public. The Foreign Intelligence Surveillance Court, relying on these reports, has approved the bulk, suspicionless collection of Internet and e-mail data, which is now widely debated. For more information, see EPIC: EPIC v. DOJ (Pen Register / Trap and Trace). (Dec. 9, 2013)

  • Former President of South Africa Nelson Mandela has died. He is revered in the US and around the world for helping to bring about the end of apartheid, for leading his country into a new era, and for championing the cause of human rights. Until 2008, Mr. Mandela, a member of the African National Congress and a winner of the Nobel Peace Prize, also appeared on the US "Terrorist" Watch List. Documents obtained by EPIC under the Freedom of Information Act in 2012 revealed a broad legal standard that allows the US to place someone on the Terrorist Watch List virtually forever. Mr. Mandela's name was taken off the list in 2008 by a formal act of Congress. Approximately 700,000 people are currently tracked by the US Terrorist Screening Center. For more information, see EPIC: FBI Watchlist (National Terrorist Screening Center) and EPIC: Mandela and Privacy. (Dec. 6, 2013)

  • The Obama Administration has released a preview of the Open Government National Action Plan, which sets out commitments to improve the public’s access to information and improve government information management. The report covers a wide range of topics, including efforts to improve public participation in government, proposals to modernize management of government records and update the Freedom of Information Act (FOIA), as well as plans to transform the security classification system, increase transparency of foreign intelligence surveillance activities, make privacy compliance information more accessible, and strengthen protections for whistleblowers. Regarding the FOIA, the Administration proposes to establish a FOIA modernization committee, improve training for government employees, and develop a unified online FOIA system. If adopted, the proposed commitments would clarify the records requesting process and make the FOIA more accessible to the public. EPIC joined other open government organizations to advise the Administration on modernizing the FOIA. EPIC also regularly comments on proposed changes to agency FOIA regulations. For more information, see EPIC: Open Government. (Dec. 6, 2013)

  • The Federal Trade Commission announced a settlement with the developer of a flashlight app for Android mobile devices that deceptively collected and then disclosed consumers' personal information to third parties. "Brightest Flashlight Free" secretly collected location information and unique identifiers from users and then provided that information to third parties, including advertising networks. The developer even even included a dummy privacy setting that had no actual effect. The settlement prohibits the company from misrepresentations and requires it to obtain the affirmative express consent of consumers before using and disclosing personal information. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said the flashlight app left users "in the dark about how their information was going to be used." EPIC has previously commented on mobile privacy issues before the FTC, emphasizing the importance of the Fair Information Practices. For more information, see EPIC: Federal Trade Commission. (Dec. 5, 2013)

  • The Federal Trade Commission has announced a series of workshops on emerging consumer privacy issues. The series will "shine a light on new trends in Big Data and their impact on consumer privacy" and includes three topics: the use of mobile devices to track users in real space; predictive scoring algorithms that determine access to products and offers; and consumer-generated health data that falls outside HIPAA. The FTC has invited comments from the public on the proposed topics for the spring workshops. The FTC recently concluded a workshop on the Internet of Things, for which EPIC submitted comments. EPIC has also urged the Commission to enforce its prior consent orders, to incorporate the Consumer Privacy Bill of Rights in privacy settlements, and to respect public comments on proposed settlements. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2013)

  • Willis Ware, who helped usher in the computer age and provided the foundation for modern privacy law, passed recently at his home in Santa Monica. He was 93. An electronic engineer by training, Ware had worked with John von Neumann at Princeton on the early designs for digital processing. Fascinated by the social impact of computer technology, he turned quickly to the key challenge of privacy protection. In 1973, as the chair of an influential government committee that was wrestling with the increased automation of record keeping, Ware conceived of "Fair Information Practices", the allocation of rights and responsibilities in the collection and use of personal data. The report "Records, Computers and the Rights of Citizens" became the foundation of the Privacy Act of 1974, the most comprehensive privacy law ever enacted in the United States. Ware also served as chairman of the Security and Privacy Board, established by Congress in 1987, that helped loosen controls on the public use of cryptography in the 1990s and made possible the adoption of critical security technologies for the Internet. Ware joined the EPIC Advisory Board not long after the organization was established in 1994, and received the EPIC Lifetime Achievement Award in 2012. For more information, see EPIC: Willis Ware. (Dec. 2, 2013)

  • The European Commission released a report questioning the effectiveness of the U.S.-EU Safe Harbor framework. The Safe Harbor arrangement allows data to be transferred from EU Member States to companies in the U.S. that have promised to adhere to a set of privacy practices. The report cited "large scale access by intelligence agencies to data transferred to the US by Safe Harbour certified companies" as a key concern. The report of the European Commission recommends a variety of measures designed to strengthen Safe Harbor, such as increasing investigations into compliance, limiting the national security exception to cases that are "strictly necessary or proportionate," and facilitating access by EU citizens to alternative dispute resolution providers. EPIC has previously recommended that the US support the EU Data Protection Regulation and adopt an international framework for privacy protection. For more information, see EPIC: EU Data Protection Directive. (Nov. 27, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice's Office of Legal Counsel for the secret legal analyses that justifies the use of the NSA PRISM program. PRISM is a program that allows the FBI and NSA to collect information - including the contents of internet users' communications - directly from internet service providers, and without a warrant. Through this lawsuit, EPIC seeks to clarify which, if any, legal authority would permit such extensive domestic surveillance of personal activities. The secrecy of these opinions is of increasing concern to Open Government advocates. EPIC, joined by a coalition of FOIA organizations, recently filed an amicus brief in support of a New York Times lawsuit for opinions of the Office of Legal Counsel. For more information, see EPIC v. DOJ - PRISM. (Nov. 25, 2013)

  • In response to growing concern about the scope of electronic surveillance, the U.N. General Assembly is considering a resolution affirming that privacy is a fundamental right. Civil society organizations have long urged international organizations to update and strengthen global frameworks for privacy protection. The UN resolution now under consideration is a response to reports that the United States conducted surveillance of many foreign leaders, including Brazil's President Dilma Rousseff and German Chancellor Angela Merkel. Brazil and Germany are leading the effort at the United Nations on the privacy resolution. The European Parliament is pursuing an investigation of the "Mass Surveillance of EU Citizens." And the United States Congress is considering legislation, such as the USA FREEDOM Act, to reign in surveillance activities. For more information, see Public Voice - The Madrid Declaration. (Nov. 22, 2013)

  • EPIC has prevailed in a fee dispute with the Department of Homeland Security in an open government case concerning the government’s monitoring of social media. EPIC filed a FOIA request after the agency announced plans to gather information from "online forums, blogs, public websites, and message boards." After the DHS refused to produce documents, EPIC filed suit and obtained more than 500 pages describing the agency program. When the agency subsequently moved to dismiss the case, a federal judge ruled that EPIC had "substantially prevailed." And when the DHS sought to give EPIC a token amount in settlement, the court had harsh words for the agency. The court described EPIC's work in the case as "the sort of public benefit that FOIA was designed to promote." The case is EPIC v. DHS, No. 11-2261 (D.D.C. Nov. 15, 2013). For more information, see EPIC v. DHS: Social Media Monitoring. (Nov. 20, 2013)

  • EPIC filed a Freedom of Information Act request with the Federal Trade Commission for documents concerning the FTC's recent "investigation" of Facebook's policy changes. The investigation concerned changes to Facebook’s Data Use Policy that permit the use of the names, images, and content of Facebook users for commercial endorsement without user consent. Following announcement of the proposed change, EPIC and several several privacy groups wrote to the FTC objecting to the changes as a violation of a 2011 consent order with Federal Trade Commission. Senator Markey also expressed concern about the policy changes. The Commission opened an investigation which was then quietly closed allowing Facebook to go forward with the changes. For more information, see EPIC: Federal Trade Commission and EPIC: FOIA. (Nov. 19, 2013)

  • In a letter to Federal Communications Commission Chairman Tom Wheeler, EPIC urged the FCC to determine whether AT&T violated the Communications Act when it sold private consumer call detail information to the Drug Enforcement Administration and Central Intelligence Agency. EPIC's letter follows an earlier letter where EPIC asked the FCC to resolve whether Verizon violated the Communications Act when it released consumer call detail information to the National Security Agency. EPIC's letter also informed the Commission that the National Association of Regulatory Utility Commissioners has issued a draft resolution underscoring the crucial role of the FCC in protecting consumer information. For more information, see EPIC: In re EPIC and EPIC: Foreign Intelligence Surveillance Act. (Nov. 18, 2013)

  • Today the Supreme Court denied review of In re EPIC, a direct challenge to the NSA telephone record collection program. EPIC argued that an order of the secretive Surveillance Court that required Verizon to turn over all customer records exceeded legal authority. "It is simply not possible that every phone record in the possession of Verizon is relevant to a national security investigation," EPIC stated. EPIC asked the Supreme Court to overturn the order of the Foreign Intelligence Surveillance Court. Prominent legal scholars and members of the Church Committee who wrote the law agreed. Four groups filed amicus briefs in support and urged the Supreme Court to grant EPIC’s petition. However, the Supreme Court, without comment, declined to hear the case. For more information, see In re EPIC, In re EPIC Press Release. (Nov. 18, 2013)

  • The Maryland Attorney General Douglas Gansler, joined by attorneys general in 36 states and the District of Columbia, has reached a $17 million settlement with Google over privacy violations. Google violated state consumer protection and privacy law by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The Federal Trade Commission fined Google $22.5 million last year over similar practices which violated an earlier settlement that was the result of a complaint filed by EPIC. EPIC previously objected to the Google-DoubleClick merger on privacy grounds and specifically warned that Google’s use of Doubleclick techniques would lead to impermissible tracking of Internet users. Earlier EPIC had urged the Federal Trade Commission and other consumer protection agencies to support advertising models that are not linked to actual user identity. For more information, see EPIC: Google Buzz, EPIC: Google/DoubleClick Merger. (Nov. 18, 2013)

  • Senators Markey (D-MA) and Kirk (R-IL), along with Representatives Barton (R-TX) and Rush(D-IL), have introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation. The bill would amend the Children's Online Privacy Protection Act by extending protection to teens ages 13-15, requiring consent for the collection of personal information, and creating an "eraser button" that allows children to delete personal information. California recently enacted a bill, which also provides for an "eraser button" that would require websites to allow minors to remove their own information. The bill would also require online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information. EPIC recommended similar update to COPPA in testimony before the Senate Commerce Committee in 2010. For more information, see EPIC: Children's Privacy. (Nov. 18, 2013)

  • The Government Accountability Office issued a report to Congress finding that the Transportation Security Administration's behavioral analysis program, known as "Screening of Passengers by Observation Techniques" (SPOT), is ineffective. The GAO determined that there is no scientifically valid evidence for behavior indicators, and that TSA screeners cannot reliably interpret passenger behavior. The GAO report also notes that the there have been significant concerns over racial and ethnic profiling. There are around 3,000 TSA officers currently assigned to the SPOT program, which has cost approximately $900 million since 2007. The GAO recommended the Congress reduce further funding of the program. In testimony before the 9/11 Commission in 2003, EPIC warned that "It is easy to construct a device that can determine whether a person is carrying a gun before he boards an airplane. It is much more difficult to construct a device that can probe his thoughts and determine his intent to commit a crime." Since that time, EPIC has objected to the DHS's practice of assigning threat profiles based on race, ethnicity, and gender. EPIC has also called upon the TSA to undertake a comprehensive audit of the civil rights impact of airport screening policies on racial and religious minorities. For more information, see EPIC: Passenger Profiling. (Nov. 14, 2013)

  • Consumer privacy organizations in the US have asked the Federal Trade Commission to determine whether US companies turned over private customer data to the National Security Agency. "We urge you to open an investigation to determine whether any failure by these companies to comply with the Commission's orders may have contributed to the improper disclosure of customer data," the groups wrote. The organizations, which have brought many privacy complaints to the FTC, stated that the disclosure of user data "directly implicates the jurisdiction of the Federal Trade Commission." According to the organizations, "it is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the Commission could ignore the consequences for consumer privacy." EPIC previously wrote to the Federal Communications Commission regarding the unlawful provision of call detail records to the NSA. The Supreme Court is scheduled to consider EPIC's challenge to the NSA telephone record collection program at conference this week. For more information, see In re EPIC. (Nov. 13, 2013)

  • The Supreme Court is scheduled to consider EPIC's challenge to the NSA telephone record collection program at conference this week. EPIC has asked the Court to overturn an order of the Foreign Intelligence Surveillance Court that compelled Verizon to produce all of the telephone records of all of its customers to the NSA. EPIC said that this order clearly exceeded the authority of the surveillance court. The EPIC Petition was distributed to the Justices last week along with briefs by former Church committee members and prominent scholars in information law, federal jurisdiction, and constitutional law, who all urged the Supreme Court to grant the EPIC petition. For more information, see In re EPIC. (Nov. 12, 2013)

  • In a Freedom of Information Act case brought by EPIC against the Department of Homeland Security, a federal court has ruled that the DHS may not withhold the agency's plan to deactivate wireless communications networks in a crisis. EPIC had sought "Standard Operating Procedure 303," also known as the "internet Kill Switch," to determine whether the agency's plan could adversely impact free speech or public safety. EPIC filed the FOIA lawsuit in 2012 after the the technique was used by police in San Francisco to shut down cell service for protesters at a BART station, who had gathered peacefully to object to police practices. The federal court determined that the agency wrongly claimed that it could withhold SOP 303 as a "technique for law enforcement investigations or prosecutions." The phrase, the court explained, "refers only to acts by law enforcement after or during the prevention of a crime, not crime prevention techniques." The court repeatedly emphasized that FOIA exemptions are to be read narrowly. For more information, see EPIC: EPIC v. DHS (SOP 303) and EPIC: FOIA. (Nov. 12, 2013)

  • In a press release, the Federal Aviation Administration announced the "roadmap" for the integration of drones into domestic airspace. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. The FAA rulemaking came about in response to an extensive petition submitted by EPIC, broadly supported by civil liberties organizations and the general public. EPIC urged the agency to require adherence to the Fair Information Practices, disclosure of data collection and minimization practices, and independent audits. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Nov. 11, 2013)

  • In response to extensive comments submitted by EPIC, the Privacy and Civil Liberties Oversight Board has issued a final rule that will govern its Freedom of Information Act, Privacy Act, and Sunshine Act practices. The Board's initial draft of the rule allowed the agency to encourage other agencies to classify information, reserved the Board's right to terminate public participation in Board meetings "at any time for any reason," and contained vague, broad definitions that would permit the oversight agency to withhold information and delay document production. In response, EPIC proposed new language for inclusion in the final rule. The Board adopted nearly all of EPIC's proposed changes. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. For example, EPIC submitted extensive comments to the Defense Logistics Agency of the Department of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: APA Comments and EPIC: Open Government. (Nov. 8, 2013)

  • The Supreme Court has denied a petition for review in Marek v. Lane, a decision upholding the class action settlement of Facebook’s controversial "Beacon" Program. The settlement provided substantial fees to attorneys, no benefits to class members, and established a funding entity, controlled in part by Facebook "Cy press" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement, but concerns have been raised about the misuse of cy pres procedures. Chief Justice Roberts, focusing on the "unusual" allocation of funds in the Facebook matter, suggested that the Supreme Court would eventually need to address "fundamental concerns surrounding the use of such remedies in class action litigation" including "how to assess its fairness as a general matter; whether new entities may be established as part of such relief; if not, how existing entities should be selected; what the respective roles of the judge and parties are in shaping a cy pres remedy; [and] how closely the goals of any enlisted organization must correspond to the interests of the class." EPIC and other consumer privacy organizations have routinely raised similar concerns about abuse of the class action process. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz. (Nov. 4, 2013)

  • Pursuant to a Freedom of Information Act lawsuit against the Education Department, EPIC has obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents obtained by EPIC in this FOIA lawsuit reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department. EPIC has recently settled the case and obtained attorneys fees for making this information available to the public. For more information, see EPIC v. Education Department - Private Debt Collector Privacy Act Compliance. (Nov. 1, 2013)

  • The National Institute for Standards and Technologies has released the Preliminary Cybersecurity Framework. Earlier this year, President Obama directed NIST to develop a Framework for Cybersecurity. In Executive Order 13636, the President said the NIST Framework should protect individual privacy and civil liberties. EPIC submitted comments to the NIST supporting the protections for civil liberties, recommending separate treatment for computer crimes and "cyberterrorism" and official acknowledgement of the 1992 OECD Security Guidelines. In September 2013, the Guardian, the New York Times, and ProPublica reported that the National Security Agency directed NIST to reduce a key security standard. NIST has not commented on any involvement that NSA had in the development of the Framework. For more information see EPIC: Cybersecurity Privacy Practical Implications. (Nov. 1, 2013)

  • As a result of a Freedom of Information Act lawsuit against the Department of Homeland Security, EPIC has obtained documents which reveal that the Department of Defense required companies to disclose information about Internet traffic on private networks. These documents contradict Homeland Security’s assertions that companies participating in a DOD pilot project would not be compelled to transmit information to federal agencies. The documents obtained by EPIC under the FOIA also indicate that the National Security Agency, a branch of the Department of Defense, is engaging in offensive cybersecurity measures. A statement to the Senate, EPIC warned that the National Security Agency has become a "black box" for public information about cybersecurity. For more information, see EPIC v. DHS: Defense Contractor Monitoring. (Nov. 1, 2013)

  • The Democratic Chair of the Senate Judiciary Committee and the Republican author of the Patriot Act have introduced the USA FREEDOM Act, which would reform the Foreign Intelligence Surveillance Act and limit NSA surveillance activities. A bi-partisan coalition, including 17 Senators and 70 Members of Congress, have joined as original co-sponsors. Key provisions of the FREEDOM Act increase transparency of intelligence activities, prevent end-runs around the FISA Court, and improve public reporting. In 2012 EPIC testified before the House Judiciary Committee about the need to reform FISA and to improve oversight of the FISA court. The FREEDOM Act also ends the controversial bulk phone records collection program. EPIC has brought a challenge in the Supreme Court to the phone records program, explaining that it is unlawful under current law. For more information, see EPIC: In re EPIC and EPIC - Foreign Intelligence Surveillance Act. (Oct. 29, 2013)

  • EPIC joined more than one hundred organizations at the Stop Watching Us rally October 28 in Washington DC. EPIC Counsel Khaliah Barnes told the crowd, "First they ignore us, then they laugh at us, then they fight us, and then we win." The night before the rally, EPIC organized a crypto party with Public Citizen. Featured speakers included Bruce Schneier and Libertarian Presidential candidate Gary Johnson. EPIC has filed a Supreme Court challenge to the NSA telephone record collection program. For more information, see In re EPIC - NSA Telephone Records Surveillance. (Oct. 29, 2013)

  • EPIC has filed a reply brief in In re EPIC with the U.S. Supreme Court, responding to the Government's brief, which was filed after two extensions. The government argues the Supreme Court cannot hear the case. EPIC responded that it "simply cannot be correct" that the order of the Foreign Intelligence Surveillance Court, an inferior court, is not reviewable by the Supreme Court. EPIC also explained that the order is clearly unlawful. "No court has ever determined that 'relevance' permits the compelled production of such vast quantities of irrelevant personal information," EPIC said, noting that Congressman Sensenbrenner, co-author of the USA PATRIOT Act, has written that "This expansive characterization of relevance makes a mockery of the legal standard." EPIC also outlined the extraordinary impact of the NSA telephone record collection on all Americans: "These telephone records are unique and identifiable, and reveal a great deal of private information about millions of telephone users. In no instance has the Government established any individualized suspicion to support the collection of this information." For more information, see In re EPIC. (Oct. 28, 2013)

  • Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Deptartment of Education. (Oct. 24, 2013)

  • A federal court has issued an opinion in EPIC v. NSA, EPIC's Freedom of Information Act lawsuit concerning the government's policy for the security of American computer networks. As a result of the lawsuit, EPIC obtained documents that the National Security Agency had withheld from the public. The documents concern NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the US. EPIC also challenged the NSA's decision to withheld several other records including the National Security Presidential Directive 54. A federal district court has now ruled that NSPD 54 is not subject to the FOIA because it was not under "the control" of the National Security Agency and the other federal agencies and officials who received the presidential directive. The Court also ordered to the NSA to identify and release other documents to EPIC.For more information, see: EPIC v. NSA - Cybersecurity Authority. (Oct. 23, 2013)

  • EPIC, joined by a coalition of privacy, consumer rights, and civil rights organizations, has urged the Department of Defense to require the National Security Agency to comply with the federal Privacy Act, the primary law protecting personal information held by the federal government. The comments came in response to a proposed agency rule that would amend the Defense Department's privacy program. The organizations noted that the National Security Agency is a component of the Defense Department and subject to agency regulations. EPIC and the coalition stated, "The DOD must ensure that the NSA complies with the Privacy Act by publishing additional system of records notices and otherwise adhering to the Privacy Act before it can adopt its current proposal." Although the NSA has identified twenty-six Privacy Act databases, recent revelations by the Guardian suggest that there are many other databases subject to the Privacy Act that should be identified. EPIC has also petitioned the Supreme Court, challenging to the NSA's telephone record collection program. For more information, see In re EPIC. (Oct. 22, 2013)

  • The civil liberties committee of the European Parliament has voted to approve the EU Data Protection Regulation. Before voting, members of the committee inserted stronger safeguards for data transfers to non-EU countries, an explicit consent requirement, a right to erasure, and larger fines for noncomplying businesses. The regulation is a comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. In 2012 and 2013, over twenty US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of the new data protection law. Until the U.S. passes comprehensive privacy legislation, the groups wrote, "the European Union offers the best prospect for the protection of Internet users around the globe." EPIC spoke recently before the European Parliament in support of the initiative. For more information, see EPIC: EU Data Protection Directive. (Oct. 21, 2013)

  • In a letter to members of the European Parliament, a coalition of 23 leading U.S. consumer, privacy, and civil liberties groups expressed support for the new EU Data Protection Regulation. The coalition said although it "remain[s] optimistic that we will eventually update privacy laws in the United States," until then, "the European Union offers the best prospect for the protection of Internet users around the globe." The groups stated, "the US Congress has so far failed to take necessary steps to update US privacy law or to rein in the activities of the National Security Agency. As a consequence, consumers on both sides of the Atlantic remain at risk - our most sensitive data is too readily available for scrutiny and misuse."The Data Protection Regulation is a comprehensive update of the 1995 Data Protection Directive that harmonizes current law and sets out new enforcement powers for privacy agencies. Last year, a similar coalition of organizations wrote in support of the Regulation. For more information, see EPIC: EU Data Protection Directive. (Oct. 18, 2013)

  • Citizens for Responsibility and Ethics in Washington (CREW) has filed a "friend of the court" brief in EPIC v. DHS, a challenge to the secrecy of government documents now pending before the D.C. Circuit Court of Appeals. EPIC's is appealing a District Court decision which allowed two federal agencies to withhold factual documents, including test results, about airport body scanners. In the brief, CREW explains that "accepting the District Court's analysis would threaten the integrity of the decision making process and undermine the goals of the FOIA." Several other open government groups joined the CREW amicus brief, including the ACLU, EFF, and the OpenTheGovernment coalition. EPIC filed the opening brief in early October. The government is expected to file an opposition brief at the beginning of November. For more information, see EPIC v. DHS - Body Scanner FOIA Appeal. (Oct. 15, 2013)

  • The Solicitor General has filed a response to EPIC's challenge to the NSA's telephone record collection program. In July, EPIC petitioned the Supreme Court to vacate the order of the Foreign Intelligence Surveillance Court that requires Verizon to turn over all telephone records to the NSA. EPIC argued that the Intelligence Court exceeded its legal authority and could not compel a telephone company to disclose so much personal information unrelated to a foreign intelligence investigation. Legal scholars and former Members of Congress filed briefs in support of EPIC's petition, including privacy and national security scholars, constitutional scholars, federal courts scholars, and members of the Church Committee. Congressman James Sensenbrenner, the primary author of the Patriot Act, has said that the telephone records collection program was never authorized by Section 215. For more information, see In re EPIC. (Oct. 14, 2013)

  • Google announced changes to its Terms of Service that will allow “your Profile name, Profile photo, and actions you take on Google or on third-party applications” to be used in advertisements. The changes will not require Google to seek the affirmative consent of users before putting their personal information to commercial use. Minors, however, will not be subject to the changes. A 2011 Consent Order with the Federal Trade Commission prohibits Google from making misrepresentations and requires the company to obtain user consent before disclosing information to third parties. EPIC recently objected to similar practices by Facebook that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. For more information, see EPIC: Federal Trade Commission and EPIC: In re Google. (Oct. 11, 2013)

  • Facebook has begun removing a privacy setting that allowed users to opt-out from their name being included in its “Graph Search” feature. All users, even those who had previously decided to remove their name from searches, will now be included in Graph Search results. Facebook is currently under a 20 year consent decree from the FTC that requires express affirmative consent from users before disclosing personal information which exceeds the restrictions imposed by users' privacy settings. Facebook announced the change last year, at which point EPIC warned about the consequences of Facebook removing privacy settings for its users. In 2012, EPIC sent a letter to Facebook requesting a reversal of policy changes that automatically shared users’ private information. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Oct. 11, 2013)

  • In a letter to the Senate and House Committees on Education, EPIC has asked Congress to restore privacy protections for student data. EPIC's letter follows a court opinion concerning recent changes to the Family Educational Rights and Privacy Act. EPIC has warned that the changes in the student privacy law allow the release of student records for non-academic purposes and undercut parental and student consent provisions. EPIC has urged Congress to investigate the impact of the revised regulations. "Students and families are losing control over sensitive information," EPIC wrote, "and private companies are becoming the repositories of student data and even the data maintained by the schools is far more extensive than ever before." For more information, see EPIC: Student Privacy. (Oct. 10, 2013)

  • EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to secretly profile U.S. air travelers and remove Privacy Act safeguards. The DHS proposed to exempt TSA PreCheck from the federal privacy law. The PreCheck database contains detailed personal information, including name, birthdate, biometric information, Social Security Number, and financial information. The TSA plans to release applicant data to federal, state, tribal, local, territorial agencies and foreign governments. However, the TSA proposes to remove the rights of PreCheck applications concerning notification, access, and correction. The agency also intends to keep secret the basis for approving PreCheck applicants. EPIC described the substantial privacy and security risks of Precheck, urged the DHS to narrow the Privacy Act exemptions, and recommended that the DHS withdraw routine use disclosures. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Oct. 10, 2013)

  • A federal court has issued an opinion in EPIC v. ODNI, EPIC's Freedom of Information Act lawsuit against the Office of the Director of National Intelligence concerning possible violations of the Privacy Act. As a result of filing the lawsuit, EPIC obtained seven documents that ODNI had previously withheld from the public. The documents concerned ODNI's consolidation of databases containing detailed personal information on US persons. EPIC also challenged ODNI's withholding of 21 additional documents describing how the agency "retrieves and safeguards information from other federal agencies." The Court considered EPIC's further challenge, ordering ODNI to submit the documents to the court for review. The Court ultimately agreed with the agency that those additional documents were properly withheld. For more information, see: EPIC: EPIC v. ODNI. (Oct. 9, 2013)

  • California Governor Jerry Brown has signed several new Internet privacy bills into law. Assembly Bill 370 amends the California Online Privacy Protection Act by requiring that businesses disclose how they respond to Do Not Track signals or other mechanisms used by consumers to prevent the surreptitious collection of their browsing history. The Governor has also signed Senate Bill 568, which provides for an "eraser button" that would require websites to allow minors to remove their own information. Finally, California has enacted Senate Bill 255, which prohibits "revenge porn": the posting of explicit images or videos without the victim's consent. The passage of these laws has led many to observe that California is "driving Internet privacy policy." For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Children’s Online Privacy. (Oct. 9, 2013)

  • EPIC's Freedom of Information Act lawsuit has produced new documents about "Next Generation Identification" and the FBI's plans for facial recognition. According to the document obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." That number is much greater than expected. Earlier this year, EPIC received documents from the FBI regarding the use of facial recognition and state DMV photos. The FBI has still not updated a 2008 Privacy Impact Assessment on facial recognition technology despite telling Congress last year that a new assessment was planned. For more information, see EPIC: EPIC v. FBI - Next Generation Identification and EPIC: Face Recognition. (Oct. 4, 2013)

  • The NSA and GCHQ have attempted to break the privacy protections of the Tor anonymity network, according to a series of documents published in The Guardian today. The documents describe the efforts of the NSA to de-anonymize Tor users by compromising their computers and Tor software with viruses. The NSA also relies on Doubleclick advertising cookies to identify Tor users. Despite their efforts, the documents reveal that the intelligence community has had limited success compromising the Tor network. One presentation, titled "Tor Stinks," concludes that they will "never be able to de-anonymize all Tor users all the time." In May 2013, EPIC filed a FOIA request seeking evidence of government interference with the Tor network. In 2000, EPIC had also filed a complaint with the FTC about Doubleclick's efforts to merge users' browsing activity with personally identifying information. And in 2007, EPIC objected to Google's acquisition of Doubleclick, warning that it would place at risk the privacy of Internet users. For more information, see EPIC v. BBG; EPIC: Privacy? Google/Doubleclick Merger. (Oct. 4, 2013)

  • In response to EPIC's Freedom of Information Act Lawsuit, the Federal Bureau of Investigation has released more than 400 pages of documents related to cell site simulator technology (commonly referred to as "Stingray"). This most recent release to EPIC includes training and promotional materials from a specialized unit within the FBI, the "Wireless Intercept & Tracking Team" that had previously been hidden from public view. According to the documents, the FBI's Tracking Team provides technical and financial support to a quickly expanding group of federal and local law enforcement agents trained to use the controversial surveillance tools. The documents reveal that the FBI believes it can use cell site simulators without a warrant, but so far only one federal court has considered the Fourth Amendment implications of these devices, including their interception of innocent users' data. For more information, see EPIC v. FBI (Stingray). (Oct. 4, 2013)

  • EPIC President Marc Rotenberg addressed the European Parliament on the issue of The Electronic Mass Surveillance of EU Citizens. The Committee on Civil Liberties, Justice, and Home Affairs has convened a series of hearings to examine reports of the monitoring and surveillance of Europeans. Mr. Rotenberg explained that there is now a vigorous debate in the United States and that there would be some changes to the Foreign Intelligence Surveillance Act concerning surveillance within the United States. But he also warned that US lawmakers were unlikely to make changes that respond to the concerns of European citizens. He urged EU lawmakers to suspend trade negotiations with the US pending an adequate resolution of the surveillance inquiry. He also suggested a review of the PNR and SWIFT data transfer arrangements, which lack Privacy Act safeguards. Finally, Mr. Rotenberg recommended the adoption of an international framework for privacy protection. (Oct. 3, 2013)

  • EPIC has updated and expanded one of its most popular web pages of all time - "Practical Privacy Tools." The EPIC page includes a detailed listing of Internet Anonymizers, Proxy Servers, email encryption, secure Internet messaging, password vaults, antivirus programs, cookie cleaners, and more. Although EPIC does not endorse any particular product or service, EPIC strongly supports the widespread availability of privacy enhancing techniques. As EPIC explained in testimony to Congress on Communications Privacy in 1998, "techniques to protect privacy and anonymity should be encouraged and restrictions on encryption should be lifted." For more information, see EPIC - Practical Privacy Tools. (Oct. 3, 2013)

  • EPIC has challenged a District Court decision which allowed two federal agencies to withhold documents about airport body scanners, including test results, fact sheets, and estimates regarding radiation risks. In the opening brief to the DC Circuit Court of Appeals, EPIC argues that federal agencies may not withhold factual information under the "deliberative process privilege" in the Freedom of Information Act. EPIC said that under "under the standard adopted by the lower court, not only would the judgement of agency officials be exempt, but so too would reports or studies of any significance." For more information, see EPIC: DHS Body Scanner FOIA Appeal, EPIC v. DHS and EPIC v. TSA. (Oct. 3, 2013)

  • The Federal Aviation Administration has responded to an EPIC FOIA Request seeking documents related to applications to fly drones domestically. The FAA provided a list of nearly 200 entities within the Department of Defense, the Department of Homeland Security, the Department of Justice, and state and federal law enforcement agencies. The FAA further responded to EPIC's request for information by making the drone licenses, or "certificates," available on a public portal. EPIC has called on the FAA to maintain a searchable database of all drone operators as the Agency seeks to expand domestic drone use. For more information see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Oct. 2, 2013)

  • EPIC, joined by a coalition of consumer privacy groups, has asked the House of Representatives Privacy Task Force to open to the public meetings that are now taking place in secret in the hearing rooms of Congress. "We recognize that there is value in private meetings among Members and staff and with constituents," the group wrote, but said that "with public matters of common concern" meetings should be held "in the open, a public record should be created, and various viewpoints should be heard." The groups thanked Representatives Blackburn and Welch for examining "the enormously important issue of consumer privacy" but said “there is simply no reason for your task force to hold closed-door sessions." Last year, both the White House and the Federal Trade Commission recommended enactment of consumer privacy legislation. (Oct. 2, 2013)

  • A federal court dismissed EPIC's lawsuit against the Education Department. EPIC has challenged the agency's 2011 changes to the Family Educational Rights and Privacy Act (FERPA) which allow the release of student records for non-academic purposes and undercut parental and student consent provisions. The court held that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The judge did not reach EPIC's substantive claims asserted in the complaint. EPIC argued that the Education Department exceeded its authority with the changes and that the revised regulations violate the federal student privacy law. Before initiating the lawsuit, EPIC submitted extensive comments to the Education Department, opposing the unlawful regulations. EPIC intends to take further steps to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Oct. 1, 2013)

  • A federal district court has ruled that Google may have violated the federal Wiretap Act when it routinely intercepted, read, and acquired the contents of email users for advertising purposes. "The court finds that it cannot conclude that any party -- Gmail users or non-Gmail users -- has consented to Google's reading of e-mail for the purposes of creating user profiles or providing targeted advertising," Judge Lucy Koh stated. The court rejected arguments from Google that the activity occurred in the "ordinary course of business." The court said that the interception must be "instrumental" to the provision of an email service and that Google's business interest was not sufficient to meet that test. The court also found that Google had not obtained consent from users for the ad profiling practices. According to the court, "Google has cited no case that stands for the proposition that users who send emails impliedly consent to interceptions and use of their communications by other . . . than the indented recipient of the email." The ruling applies also applies to Google Apps for Education, through which Google obtains emails from educational organizations of students, faculty, staff, and alumni. For more information, see EPIC - Gmail Privacy FAQ. (Sep. 26, 2013)

  • NGO leaders, privacy experts, and government officials from around the world gathered in Warsaw, Poland for the event "Our Data, Our Lives." The Public Voice conference was held in conjunction with the 35th International Conference of Data Protection and Privacy Commissioners. Following the revelations this year of mass surveillance of US and EU citizens, there was extensive discussion of the need for greater oversight, transparency and accountability. Two NGO documents -- the Madrid Privacy Declaration and 13 International Principles on the Application of Human Rights to Communication Surveillance -- were put forward as vital policy frameworks. The Privacy Commissioners also adopted several resolutions. (Sep. 25, 2013)

  • Speaking at a conference hosted by the Georgetown University Law Center, the Chairman of the Senate Judiciary Committee called for an end "to the bulk collection of Americans' phone records." Senator Leahy said "the system set up in the 1970s to regulate the surveillance capabilities of our Intelligence Community is no longer working. We must recalibrate." Senator Leahy has introduced bipartisan legislation that would end the telephone record collection program, reduce secret law, and improve the structure of the Foreign Intelligence Surveillance Court. The Senate Judiciary Committee will hold an oversight hearing next week on the Foreign Intelligence Surveillance Act. EPIC has filed a petition with the US Supreme Court, arguing that the bulk collection of telephone toll records is unlawful. For more information, see EPIC - In re EPIC. (Sep. 25, 2013)

  • The prestigious MacArthur Foundation has asked to be removed from a controversial consumer privacy settlement. The foundation noted that it was not an appropriate cy pres recipient and asked that the funds be "redirected to other non-profit organizations engaged in the underlying issues." Consumer privacy organizations, including EPIC, have opposed the Fraley settlement stating that it violates a 2011 consent order with the Federal Trade Commission and that the cy pres allocations proposed do not reflect the interests of the class or the purpose of the litigation. A recent survey by Gigaom found that many of the named organizations are funded by Facebook and have no plans to assist class members. Public Citizen has appealed the settlement to the Ninth Circuit. The Federal Trade Commission has opened an investigation and Facebook has suspended implementation of the proposed privacy changes that would result from the settlement. For more information, see EPIC: Fraley v. Facebook. (Sep. 25, 2013)

  • Following EPIC's motion in a FOIA case against the Office of the Director of National Intelligence, the ODNI has submitted 21 disputed documents to a federal court regarding the consolidation of databases containing detailed personal information on US persons. The documents are among those EPIC requested through the Freedom of Information Act. ODNI withheld the documents and EPIC filed a lawsuit challenging the decision. EPIC is seeking the documents to determine whether the agency is complying with the Privacy Act. A federal judge ordered ODNI to produce the documents for the Court's examination. For more information, see EPIC: EPIC v. ODNI. (Sep. 25, 2013)

  • In response to a FOIA request to the BBG, EPIC has received 74 pages of documents that reveal no efforts by the NSA to undermine the security or reliability of the Tor network. Recent news reports show a concerted effort by the National Security Agency to compromise cryptographic standards set by the NIST as well as Android, iPhone, and BlackBerry encryption. The NSA and FBI have also targeted the communications of Tor users. EPIC will continue to pursue FOIA requests that shed light on the efforts of the intelligence community to undermine cryptographic standards. For more information, see EPIC v. BBG. (Sep. 25, 2013)

  • California Gov. Jerry Brown today signed a law to protect Privacy Rights for California Minors in the Digital World. The law, which goes into effect Jan. 1, 2015, sets out a broad range of rights for minors concerning the collection and use of their personal information by commercial service providers. The law does not limit the rights of minors, it seeks to regulate the practices of businesses. EPIC has long advocated for the privacy rights of children, testifying before the House in 1996 in support of the Children's Online Privacy Protection Act and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also wrote comments to the FTC in 2011 supporting stronger regulations to protect the data concerning children. Some organizations, financed by Internet companies, are opposing the legislation. For more information, see EPIC: Children's Online Privacy Protection Act. (Sep. 24, 2013)

  • A bipartisan group of Senators, including the Chairman and Ranking Members of the Senate Judiciary Committee, have called for a full-scale review of the use of surveillance authorities by the intelligence community. The Senators emphasized that the findings and conclusions of this review be made public to "help promote greater oversight, transparency, and public accountability." The requested report would address activities conducted under Section 215 of the USA PATRIOT Act and Section 702 of the FISA, which includes the collection of the telephone call records of hundreds of millions of Americans. Specifically, the report would review the use and implementation of 215 and 702, the applicable minimization procedures, any improper use of the authorities, and examine the effectiveness over the 2010-2013 period. EPIC is currently challenging the order for bulk collection of domestic call records in its Petition for Writ of Mandamus in the U.S. Supreme Court. For more information, see In re EPIC and EPIC: FISA Reform. (Sep. 24, 2013)

  • Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers. (Sep. 21, 2013)

  • The Foreign Intelligence Surveillance Court (FISC) has released an Opinion, justifying the NSA's telephone record collection program. In the Opinion, Judge Claire Eagan states that "there is no Fourth Amendment impediment to the collection" of all domestic call detail records. Judge Eagan also concluded that all domestic call detail records are "relevant" under Section 215 because "individuals associated with international terrorist organizations use telephonic systems to communicate" and because the government argued that bulk collection is 'necessary to create a historical repository of metadata' in order to identify 'known and unknown operatives. This FISC opinion was issued more than a month after EPIC filed its Mandamus Petition challenging the NSA domestic surveillance in the U.S. Supreme Court. The Eagan opinion has also been criticized by legal scholars. For more information, see In re EPIC. (Sep. 20, 2013)

  • The TSA has proposed to exempt a new TSA PreCheck database from important Privacy Act safeguards. TSA PreCheck allow the federal agency to grant expedited screening to certain travelers. The TSA PreCheck database contains personally identifiable information, including name, birthdate, biometric information, Social Security Number, and financial information. The TSA proposes to disclose TSA PreCheck applicant information to federal, state, tribal, local, territorial, and foreign governmental agencies. The TSA also proposes to exempt these records from the notification, access, and amendment provisions of the federal Privacy Act, the primary law that protects personal information held by the federal government. EPIC has previously testified before Congress that traveler screening procedures should follow all Privacy Act requirements. Comments on the proposed exemptions are due October 11, 2013. (Sep. 18, 2013)

  • The Organization for Economic Cooperation and Development has released the 2013 revisions to its privacy guidelines. The revisions build from the original guidelines, developed in 1980, and retain the core set of Fair Information Practices while updating the framework to address new challenges, such as national implementation and cross-border enforcement. The OECD explains that the revisions aim to "focus on the practical implementation of privacy protection" and to "address the global dimension of privacy through improved interoperability." EPIC Executive Director Marc Rotenberg, a member of the expert review group, has said that “the OECD Privacy Guidelines are the most influential international framework for privacy ever established.” For more information, see EPIC: International Privacy Standards. (Sep. 15, 2013)

  • Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 13, 2013)

  • The Office of the Director of National Intelligence has just released new documents concerning the NSA's surveillance programs. The documents, which include numerous filings with the Foreign Intelligence Surveillance Court, date back to 2006. The documents specifically relate to the governments collection of information under Section 215 of the USA PATRIOT Act. In a Mandamus Petition to the United States Supreme Court, EPIC has argued that the FISA Court exceeded the statutory authority under Section 215 when it authorized bulk collection of American's telephone records in an Order concerning Verizon. Under Section 215, the FISA Court may order businesses to produce records that are "relevant" to an authorized national security investigation, but the Verizon Order requires production of all domestic telephone records on an ongoing basis. For more information, see EPIC: In re EPIC - NSA Telephone Records Surveillance. (Sep. 11, 2013)

  • The Court of Appeals for the Ninth Circuit has upheld a lower court ruling against Google in a case arising out of the Street View interception of private Wi-Fi communications. The lawsuit alleges that Google's ongoing interception of Wi-Fi payload data through its Street View program violated several laws, including the federal Wiretap Act. The court rejected Google's arguments that the interception was permissible. The court said that Google's interpretation could have the absurd result of rendering private communications, like email, unprotected simply because the recipient fails to encrypt their Wi-Fi network. Furthermore, the court explained that the unencrypted nature of the Wi-Fi networks did not make the data transmitted over them "readily accessible to the general public" because the data was still difficult for an ordinary person to intercept. EPIC filed a "friend of the court" brief in the case urging the court to uphold legal protections for Wi-Fi communications, and discussing both the intent of the federal law and the operation of a typical home W-Fi network. For more information, see EPIC: Ben Joffe v. Google and EPIC: Google Street View. (Sep. 10, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit against the Broadcasting Board of Governors, a federal agency that oversees all U.S. civilian international media. EPIC seeks information about the federal government's interest in the Tor network. Tor is a program designed to allow encrypted, anonymized online browsing and is used by many human rights organizations. Recent news reports indicate that the National Security Agency has targeted the communications of Tor users. In a related matter, EPIC has asked the Supreme Court to halt the NSA collection of domestic telephone records. For more information, see EPIC: EPIC v. BBG - Tor. (Sep. 9, 2013)

  • EPIC President Marc Rotenberg and EPIC Advisory Board Member Steve Aftergood met today with the Review Group on Intelligence and Communication Technology. The President tasked the panel with the responsibility to assess whether the "United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust." EPIC submitted detailed recommendations and included copies of EPIC's Supreme Court petition, arguing that the current domestic surveillance program is unlawful, as well as EPIC's Congressional testimony on the FISA Amendments Act and EPIC's 2010 letter to the Foreign Intelligence Surveillance Court concerning reform of FISA procedures. The panel will accept comments from the public until October 4, 2013. Comments are to be sent to reviewgroup@dni.gov, which oddly is the domain of the current Director of National Intelligence. (Sep. 9, 2013)

  • A recent survey by the Pew Research Center's Internet Project has discovered that 86 percent of Americans take steps to conceal their actions or identities while online. The survey also found that 21 percent had an email or social networking account compromised or taken over by someone else without permission. Furthermore, the majority of respondents believe that "current laws are not good enough in protecting people's privacy online." Other Pew surveys have found that most teens were taking steps to protect their privacy, that a majority of parents were concerned about their children's online privacy, and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 6, 2013)

  • EPIC, joined by several leading privacy and consumer protection organizations, has called on the Federal Trade Commission to enforce the terms of a 2011 settlement with Facebook. Facebook recently announced changes that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. The changes arise from a flawed class action settlement over Facebook’s Sponsored Stories program. In the letter, the privacy groups explain that Facebook’s changes violate the terms of a 2011 settlement with the FTC. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy. (Sep. 5, 2013)

  • The European Parliament will hold a hearing, "Electronic Mass Surveillance of EU Citizens," on September 5, 2013. The hearing is hosted by the Committee on Civil Liberties, Justice, and Home Affairs ("LIBE Committee"). Witnesses include journalists and the Editor-in-Chief of the Guardian as well as current and former government officials. The hearing will focus on surveillance conducted by the United States, but will also address EU-Member State surveillance. A live stream will be accessible. The hearings is the first in a series mandated by a resolution of the European Parliament. EPIC has filed a Petition for a Writ of Mandamus in the U.S. Supreme Court, calling the National Security Agency's practice of collecting U.S. person phone call information unlawful. For more information, see EPIC: In re EPIC - NSA Telephone Records Surveillance. (Sep. 4, 2013)

  • The Solicitor General of the United States has asked the clerk of the US Supreme Court for a second extension to prepare a response to EPIC's Petition, which argues that the order of the FISA Court for domestic telephone toll records was unlawful and must be overturned. EPIC filed the Petition on July 8, 2013. Subsequently, several amicus briefs in support of EPIC were filed with the Court by privacy scholars, Constitutional scholars, experts in the Court's jurisdiction, and former members of the Church Committee. The Solicitor General asked for a 30-day extension for the initial August 12, 2013 deadline which was granted. The SG has now asked for a second 30-day extension. The case is In re EPIC, Petitioner, No. 13-58. For more information, see In re EPIC - NSA Telephone Records Surveillance. (Aug. 30, 2013)

  • Two months after EPIC formally petitioned the National Security Agency to suspend the domestic surveillance program, the NSA has responded. In the petition, EPIC stated that "NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended." EPIC further stated that NSA's domestic surveillance "substantively affects the public to a degree sufficient to implicate the policy interests" that require public comment. In response to EPIC, the NSA argued "any NSA activities involving the collection of communications that may meet the description set forth in your letter, if any, would not constitute Agency actions that are subject to notice-and-comment requirements . . ." The letter from the NSA Associate Director for Policy and Records also stated the "NSA operates in accordance with the Constitution and the laws of the United States." EPIC is considering subsequent legal action. For more information, see EPIC: NSA petition. (Aug. 30, 2013)

  • The Director of National Intelligence has announced that  the Intelligence Community will release annually "aggregate information concerning" the use of national security authorities. The reports will include the use of both FISA and National Security Letter legal authorities. EPIC has previously recommended improved reporting of FISA activities, similar to the wiretap reports issued by the Administrative Office of the U.S. Courts. News reports indicate that the Intelligence Community paid Internet companies $394 m in 2011 to provide customer data to the US government.  For more information, see EPIC: FISA Reform. (Aug. 30, 2013)

  • President Obama met this week with the members of a newly formed group of experts to review intelligence and communications technologies. The group consists of computer security advisor Richard Clark, former CIA Director Michael Morell, and legal scholars Geoffrey Stone, Cass Sunstein, and Peter Swire. The White House said the group would advise the President on how "the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure." This week, EPIC contacted each of the review group members to provide important materials regarding the protection of privacy and civil liberties. EPIC sent to the Review Group members copies of EPIC's Supreme Court petition, arguing that the current domestic surveillance program is unlawful, as well as EPIC's Congressional testimony on the FISA Amendments Act and EPIC's 2010 letter to the Foreign Intelligence Surveillance Court concerning reform of FISA procedures. For more information, see EPIC: FISA Reform. (Aug. 28, 2013)

  • EPIC, in collaboration with many of the world's leading privacy organizations, will host "Our Data, Our Lives" on September 24, 2013 in Warsaw, Poland. The event will feature technical experts, legal scholars, NGO representatives, and officials from the OECD, the US Privacy and Civil Liberties Oversight Board, and the Article 29 Working Party. The Public Voice conference will be held in conjunction with the 35th annual International Conference of Data Protection and Privacy Commissioners. The 2012 Public Voice conference "Privacy Rights are a Global Challenge" was held in Punta del Este, Uruguay and included more than 100 participants from 20 countries. For more information, see The Public Voice - The Madrid Declaration. (Aug. 23, 2013)

  • In response to an EPIC FOIA request, the Department of Homeland Security has produced documents revealing that the agency has failed to establish privacy safeguards for "BOSS" (the Biometric Optical Surveillance System), an elaborate system for facial recognition and individual identification. The documents obtained by EPIC indicate that none of the agency's contracts or statements of work require any data privacy or security protections for BOSS' design, production, or test implementations. The New York Times reported on EPIC's acquisition of these documents, noting also high failure rates for these systems. EPIC is also pursuing a FOIA lawsuit with the FBI over the agency's development of "Next Generation ID," which, when complete, will be the largest biometric identification database program in the world. For more information, see EPIC: Face Recognition, EPIC: EPIC Opposes DHS Biometric Collection, and EPIC - Biometric Identifiers. (Aug. 22, 2013)

  • EPIC, joined by several leading privacy and consumer protection organizations, submitted a letter to the Northern District of California regarding a proposed settlement in a class-action lawsuit against Google. The settlement was proposed by class action lawyers on behalf of Google users in a case concerning the unlawful disclosure of search terms by Google to third parties. Under the terms of the proposed settlement, Google would be allowed to continue to disclose user search terms to third parties. The letter explains that the proposed settlement "provides no benefit to Class members" because it does not require Google to change its business practices. "Furthermore," the letter states, "the proposed cy pres allocation is not aligned with the interests of the purported Class members." "Cy press" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Under Ninth Circuit precedent, cy pres funds must be used to advance the interests of the class members. EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: Search Engine Privacy and EPIC: Google Buzz. (Aug. 22, 2013)

  • A newly released opinion by the Foreign Intelligence Surveillance Court found that the NSA violated the Fourth Amendment and the Foreign Intelligence Surveillance Act when it acquired tens of thousands of wholly-domestic Internet communications. According to the opinion of the former Presiding Judge of the FISA Court, the NSA acquired more than 250 Million Internet communications per year. Roughly 9% of these communications are obtained via "upstream collection" and more than 50,000 each year contain domestic communications. The FISC found that NSA's targeting and minimization procedures were not reasonable under the Fourth Amendment given the large number of wholly domestic communications obtained. The FISC also found that NSA's minimization procedures violated the FISA, and required that the agency adopt additional protections to ensure privacy. For more information, see EPIC: Foreign Intelligence Surveillance Court. (Aug. 22, 2013)

  • A survey by the Pew Internet and American Life Project and the Berkman Center for Internet and Society found that while many teens report a high level of comfort with online privacy settings, "at some point, 70% of them have sought advice from someone else about how to manage their privacy online." Friends, parents, or other close family members were those most often sought out by teens for privacy advice. Other Pew surveys have found that most teens were taking steps to protect their privacy, that a majority of parents were concerned about their children’s online privacy, and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Aug. 20, 2013)

  • Can the police warrantlessly search the emails, texts, and address book on your cell phone if you are arrested? The U.S. Supreme Court is likely to address that question in the upcoming term. Two cases pending before the Court ask whether, under the Fourth Amendment, a cell phone's contents can be searched incident to an arrest without a warrant. In Riley v. California, the defendant Riley challenges a police officer's search of his smartphone. In United States v. Wurie, the Department of Justice seeks review of an appeals court's decision that warrants are necessary to search a cell phone. EPIC recently argued successfully to the New Jersey Supreme Court that a warrant is required to track a cell phone's location. The U.S. Supreme Court held last year in United States v. Jones that warrants are required to use GPS tracking devices. For more information, see EPIC: Riley v. California. (Aug. 20, 2013)

  • In a keynote speech at the Technology Policy Institute Aspen Forum, FTC Chairwoman Edith Ramirez called upon companies to "move their data collection and use practices out of the shadow and into the sunlight." Chairwoman Ramirez highlighted the risks of big data including indiscriminate collection, data breaches, and behind-the-scenes profiling. She stressed the importance of protecting consumers' privacy and said, "with big data comes big responsibility." EPIC previously testified before Congress and called for the regulation of data brokers because there is too much secrecy and too little accountability in their business practices. EPIC has also consistently recommended that the FTC enforce Fair Information Practices, such as those contained in the Administration's Consumer Privacy Bill of Rights, against commercial actors. For more information, see EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling. (Aug. 19, 2013)

  • EPIC, joined by over 3,000 members of the public, leading privacy experts, and journalists, has petitioned the National Security Agency for the ninth time, urging the suspension of the NSA domestic surveillance program pending public comments. EPIC first petitioned the agency on June 17, 2013. Because the NSA has failed to respond, EPIC has renewed the petition on a weekly basis. EPIC's petition states, "NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended." The petition further states that the NSA's domestic surveillance "substantively affects the public to a degree sufficient to implicate the policy interests" that require public comment, and that "NSA's collection of domestic communications absent the opportunity for public comment is unlawful." By law, the NSA is required to respond. General Keith Alexander, NSA Director, has publicly stated that the agency is interested in receiving public comments: "Help us defend this country and protect our civil liberties and privacy. And if anybody has a better way to do it than what we are doing today, we want to hear that." EPIC intends to renew its request for a public rulemaking each week until the NSA responds. For more information and to join EPIC's petition, see EPIC: NSA petition. (Aug. 19, 2013)

  • An internal audit has revealed that the NSA violated both legal rules and privacy restrictions thousands of times each year since 2008, leading to the unauthorized surveillance of American communications. According to the 2012 report, there were 2,776 violations in the previous 12 months alone. A "large number" of calls placed from Washington DC were intercepted when its area code was confused with that of Egypt. Another document shows how NSA analysts are trained to avoid giving "extraneous information" to their "FAA overseers" when they want to target an individual. In 2006, EPIC wrote to the Senate Judiciary Committee regarding instances of intelligence gathering misconduct by the FBI that were uncovered through EPIC's Freedom of Information Act requests. EPIC is currently petitioning the NSA to suspend its domestic surveillance program pending a public comment period. EPIC has also filed a petition with the U.S. Supreme Court challenging the legal authority of the FISA Court to authorize the NSA's program. (Aug. 19, 2013)

  • The nation's leading privacy law scholars have filed a series of amici briefs with the U.S. Supreme Court supporting EPIC's challenge to the NSA domestic surveillance program. A brief by privacy and surveillance law professors argues that the bulk collection of telephone metadata is unlawful under the Patriot Act. Their brief explains that the program violates the Foreign Intelligence Surveillance Act and the Executive Order governing intelligence operations. A brief by former Church Committee members and twenty-eight law professors, submitted by constitutional expert Erwin Chemerinsky, outlines the history of domestic surveillance abuses and explains that the FISA was enacted specifically to limit such collection. Another brief by Fourth Amendment experts at the Cato Institute argues that the Verizon Order is equivalent to a "general warrant" issued in violation of the Fourth Amendment, and that the Supreme Court's recent decision in United States v. Jones shows that "EPIC has a legal and constitutional interest in data about its telephone calls." Finally, a brief filed by Professors James Pfander and Stephen Vladeck, leading experts in federal courts, argues that the Supreme Court has jurisdiction to grant EPIC's petition and that the legal question is properly before the Court. For more information, see In re EPIC. (Aug. 13, 2013)

  • The Solicitor General requested on Friday an extension to file a response to EPIC's Mandamus Petition in In re EPIC. The Court granted the extension, and the Solicitor's response is due on September 11, 2013. In the Mandamus Petition, EPIC argues that the FISA Court exceeded the statutory authority under Section 215 of the USA PATRIOT Act when it authorized bulk collection of American's telephone records. Under Section 215, the FISA Court may order businesses to produce records that are "relevant" to an authorized national security investigation, but the Verizon Order requires production of millions of private records unrelated to any investigation. The Administration recently argued that bulk collection meets the relevance standard, but it has scant legal authority to support that proposition. For more information, see In re EPIC. (Aug. 13, 2013)

  • The administration released a white paper outlining its legal argument for why the Patriot Act Section 215 authorizes the NSA to collect all Americans' telephone records. The government also released a NSA memo discussing the agency's program. At a press conference on Friday, President Obama outlined proposals that would address some, but not all, problems with the domestic surveillance programs, such as appointing a special advocate to argue in favor of civil liberties before the FISA Court. EPIC has brought a lawsuit in the Supreme Court challenging the legal authority for the NSA telephone surveillance program. For more information, see In re EPIC. (Aug. 12, 2013)

  • The National Institutes of Health has agreed to safeguard Henrietta Lacks's family genetic privacy while still allowing research on the famous HeLa cells. During her fight against an aggressive form of cervical cancer in the 1950s, Henrietta Lacks's cells were given to scientists, without her consent, for experimentation because of their ability to replicate in a lab setting. Her cells are still used today for scientific research. EPIC previously submitted comments to the Department of Health and Human Services and argued for stronger privacy protections for genetic data. More recently, EPIC filed a friend of the court brief with the Supreme Court in Maryland v. King arguing for limited law enforcement access to DNA. For more information, see EPIC: Maryland v. King and EPIC: Genetic Privacy. (Aug. 12, 2013)

  • The Transportation Security Administration has expanded its Visible Intermodal Prevention and Response (VIPR) program to perform warrantless searches at various locations, including festivals, sporting events, and bus stations. The VIPR program uses "risk-based" profiling and "behavior detection" to search and detain individuals. Members of Congress have opposed these searches, and the GAO has questioned the validity of TSA's behavior detection and dispelled behavior detection effectiveness. Last year, EPIC prevailed in a lawsuit against the TSA that revealed the agency's plan to deploy body scanners outside of the airport at bus stations, train stations, and elsewhere. For more information, see EPIC: EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit). (Aug. 8, 2013)

  • The Director of National Intelligence has published the "Primary Order" from the FISA Court which describes the scope of the NSA's data analysis activities for telephone call records. The order details the procedures the NSA is expected to follow when reviewing data, but is heavily redacted. The order does not include a legal analysis of the surveillance laws being applied. The government also released past reports on the NSA's domestic surveillance program. For more information, see In re EPIC - NSA Telephone Records Surveillance and EPIC: NSA Petition. (Jul. 31, 2013)

  • EPIC has joined with leading human rights organizations and privacy experts in support of the "International Principles on the Application of Human Rights to Communications Surveillance." The Principles were adopted in response to growing concern about the surveillance of Internet communications by governments and private companies. Among the key principles in the framework document are Necessity, Adequacy, Proportionality, Competent Judicial Authority, Due Process, User Notification, Transparency, Public Oversight, and Safeguards Against Illegitimate Access. (Jul. 31, 2013)

  • The Court of Appeals for the Second Circuit ruled today in Gordon v. Softech that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. "Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records," the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said It is not enough for a reseller to simply provide a "drop down list" of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision and the position urged by EPIC. For more information, see EPIC: Gordon v. Softech Int'l, Inc. (Jul. 31, 2013)

  • Senator Patrick Leahy said in an oversight hearing that the NSA's domestic telephone surveillance program should be terminated. "This program is not effective. It has to end," said the Chairman of the Senate Judiciary Committee. Senator Leahy has also introduced the FISA Accountability and Privacy Protection Act, to strengthen oversight of the government surveillance programs. Representatives from the NSA and Justice Department testified about the legality of the NSA's collection of all telephone records in the United States. But both Democratic and Republican Committee members expressed concern about the scope and secrecy of the program. EPIC has filed a petition with the U.S. Supreme Court challenging the legal authority of the FISA Court to authorize the NSA's program. For more information, see In re EPIC - NSA Telephone Records Surveillance. (Jul. 31, 2013)

  • In a surprisingly close vote, the House of Representatives voted 217 to 205 not to suspend funding for the controversial NSA program that has resulted in the collection of all call records of all American telephone customers. The outcome followed intense lobbying by the Administration and leaders of the intelligence community. The measure was introduced by Justin Amash (R-MI) and John Conyers (D-MI). EPIC has filed a petition with the US Supreme Court, charging that the program violates section 215 of the Patriot Act. A decision by the Court is expected in early October. For more information, see EPIC - In re Electronic Privacy Information Center. (Jul. 25, 2013)

  • On July 24, EPIC President Marc Rotenberg and EPIC Administrative Law Counsel Khaliah Barnes will present arguments in federal district court in Washington, DC in support of student privacy. In EPIC v. Dept. of Education, No. 12-327, EPIC is challenging recent changes to the Family Educational Rights and Privacy Act (FERPA) that allow the release of student records for non-academic purposes and undercut parental consent provisions. In 2011, EPIC submitted extensive comments to the agency opposing the changes. After the Education Department failed to modify the proposed regulation, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 23, 2013)

  • According to the Director of National Intelligence, on July 19, 2013 the Government "filed an application with the Foreign Intelligence Surveillance Court seeking renewal of the authority to collect telephony metadata in bulk, and that the Court renewed that authority." In a separate filing, in a July 18 response to a challenge brought by the ACLU, the Department of Justice said that a federal district court in New York could not overturn the order of the FISA court. And in a July 16 letter to Congressman Sensenbrenner the Department asserts that "because the telephony metadata must be available in bulk to allow the NSA to identify records of terrorist communications, there are 'reasonable grounds to believe' that the data is relevant to an authorized investigation. EPIC has recently filed a petition with the US Supreme Court, challenging the lawfulness of the NSA domestic surveillance program. For more information, see EPIC - In re Electronic Privacy Information Center. (Jul. 22, 2013)

  • A study by researchers at Carnegie Mellon University has found that the mobile app short-form notice currently proposed by participants in the Department of Commerce's privacy multistakeholder process creates confusion among consumers. The draft notice contains a list of data categories for which mobile apps must provide notice, but the study surveyed 800 individuals and found that "participants had low agreement on how different data and entities should be categorized." EPIC has previously pointed out the flaws in privacy notices, recommending last year that the FTC focus on substantive privacy protections instead of notice. For more information, see EPIC: NTIA Multistakeholder Process. (Jul. 19, 2013)

  • Today the Supreme Court of New Jersey held that individuals have a reasonable expectation of privacy in their cell phone location data under the NJ state constitution. In State v. Earls, the New Jersey high court found that "cell-phone location information, which users must provide to receive service, can reveal a great deal of personal information about an individual." This decision is the first to establish a Constitutional right in location data since the U.S. Supreme Court decided United States v. Jones, a GPS tracking case in which several Justices expressed concern about the collection of location data. EPIC participated as amicus curiae in Earls. The New Jersey Supreme Court noted that "EPIC offered helpful details about the current state of cell-phone technology." For more information, see EPIC: State v. Earls and EPIC: Locational Privacy. (Jul. 18, 2013)

  • The World Wide Web Consortium has rejected a Do Not Track standard proposed by the online advertising industry. The industry proposal would have allowed advertising companies to continue to collect data about the browsing activities of consumers, but would have limited the way companies could characterize users based on that data. The group stated that industry's proposal was "less protective of privacy and user choice than their earlier initiatives." Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. EPIC has previously recommended to Congress that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Profiling. (Jul. 17, 2013)

  • EPIC has sent a letter to the House Judiciary Committee describing EPIC's response to the NSA domestic surveillance program in anticipation of a hearing on FISA oversight. "In our view, the secret court simply lacks the legal authority to authorize this program of domestic surveillance," EPIC writes. EPIC has filed a petition with the U.S. Supreme Court challenging the Verizon Order issued by the Foreign Intelligence Surveillance Court. EPIC is also petitioning the NSA to create public rules governing its surveillance authorities. For more information, see In Re EPIC and EPIC: NSA Petition. (Jul. 16, 2013)

  • The Department of Justice has issued a report outlining the department's revised rules for obtaining records from journalists. The change in policy comes after the controversy concerning the Justice Department's subpoena of Associated Press calling records. The new rules establish a presumption that reporters will be notified when their records are sought and also raises the legal standard for access under the [3]Privacy Protection Act of 1980[/3], a law that is intended to protect journalists' records from government access. Following the AP controversy, EPIC filed a Freedom of Information Act request seeking the legal basis for the Justice Department's subpoena of reporters' phone records. For more information, see EPIC: Free Flow of Information Act and EPIC: Privacy Protection Act. (Jul. 16, 2013)

  • EPIC, joined by over 2,000 members of the public, leading privacy experts, and journalists, has again petitioned the National Security Agency, urging the suspension of the NSA domestic surveillance program pending public comments. EPIC, joined by leading privacy experts including James Bamford, Whitfield Diffie, and Bruce Schneier, first petitioned the agency on June 17, 2013. Because the NSA has failed to respond, EPIC has renewed the petition on a weekly basis. EPIC's petition states "NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended." EPIC's petition further states that NSA's domestic surveillance "substantively affects the public to a degree sufficient to implicate the policy interests" that require public comment, and that "NSA's collection of domestic communications absent the opportunity for public comment is unlawful." By law, the NSA is required to respond. EPIC intends to renew its request for a public rule making each week until the NSA responds. For more information and to join EPIC’s petition, see EPIC: NSA Petition also #NSApetition. (Jul. 15, 2013)

  • In extensive comments, EPIC has urged the Privacy and Civil Liberties Oversight Board not to weaken the Freedom of Information Act (FOIA) and Sunshine Act as the agency has proposed. According to EPIC, the Board proposes to adopt vague, broad, and otherwise unlawful definitions that would permit the oversight agency to withhold information and delay document production. The proposed regulations would also allow the Board to encourage other agencies to classify information. The Board proposes to terminate public participation in Board meetings "at any time for any reason." EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. In 2011, EPIC submitted extensive comments to the Department of Justice, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Jul. 15, 2013)

  • EPIC filed a complaint with the Federal Trade Commission against Samsung, the publisher of a mobile app for Jay-Z's new album "Magna Carta Holy Grail." The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users phones. The Magna Carta app also includes hidden spam techniques that force users to promote the album. Well known music critic John Pareles wrote "Jay-Z Is Watching, and He Knows Your Friends." EPIC asked the Commission to require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights. Previously, EPIC filed an FTC complaint against Snapchat, the publisher of a mobile app that falsely claimed to delete photos and videos "forever." For more information, see EPIC: Federal Trade Commission and EPIC: Samsung "JAY-Z Magna Carta" App. (Jul. 14, 2013)

  • EPIC, in a prepared statement, addressed the Privacy and Civil Liberties Oversight Board regarding NSA surveillance under the Patriot Act and the Foreign Intelligence Surveillance Act at day long workshop. Retired Judge James Robertson, who served on the FISA Court, told the panel that he was "stunned" by the news that the government was collecting all of the telephone records of Americans. EPIC, which has recently filed a challenge to the domestic surveillance program with the Supreme Court, recommended increased public reporting for FISA and new limitations on the authority of the FISA court. EPIC previously provided recommendations to the Board for future work. Several of the recommendations were incorporated in the Board's semi-annual report. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: NSA Petition. (Jul. 10, 2013)

  • EPIC has filed a Petition with the U.S. Supreme Court, asking the Court vacate an unlawful order by the Foreign Intelligence Surveillance Court that enables the collection of all domestic phone record by the NSA. The order, directed to Verizon, requires the production of all "call detail records" for calls made "wholly within the United States, including local telephone calls." EPIC said "It is simply not possible that every phone record in the possession of a telecommunications firm could be relevant to an authorized investigation. . . . Such an interpretation of [the law] would render meaningless the qualifying phrases contained in the provision and eviscerate the purpose of the Act." For more information, see In re Electronic Privacy Information Center. (Jul. 8, 2013)

  • Privacy International, a leading privacy organization based in London, filed a legal complaint today with a UK tribunal about the recently disclosed surveillance programs. Privacy International asserts that the NSA and its United Kingdom counterpart, GCHQ, have been conducting dragnet surveillance of American and British citizens, without any public accountability. PI also charges that by accessing the NSA's information pool, the British government is acting outside the rule of law. EPIC today filed a petition in the US Supreme Court, alleging that the Foreign Intelligence Surveillance Court exceeded its legal authority when it issued the order to Verizon to turn over all of the phone records of its customers. For more information, see EPIC: NSA Petition and EPIC: NSA - Verizon Phone Record Monitoring. (Jul. 8, 2013)

  • The European Parliament has voted overwhelmingly (483 to 98, with 65 abstentions) to investigate "PRISM" and other surveillance programs of the US National Security Agency. (Press release.) The investigation with be undertaken by the influential Committee on Civil Liberties, Justice, and Home Affairs ("LIBE"). Members of Parliament also urged European representatives to reexamine current arrangements that allow the transfer of banking and travel data from EU countries to the United States. The resolution was adopted as the European Union is considering a new trade deal with the United States and a proposal to strengthen privacy protections is pending. EPIC has appeared several times before the European Parliament to urge the adoption of a comprehensive privacy framework to safeguard the transatlantic transfer of personal information. For more information, see EPIC - EU Data Protection Directive, and Madrid Privacy Declaration. (Jul. 5, 2013)

  • The Senate has passed an expansive immigration bill that includes employment verification by the federal government for all U.S. employees -- "E-Verify" -- within five years. In testimony before Congress, EPIC warned of inaccurate employment determinations in the E-Verify system and said that Privacy Act safeguards must be strengthened to ensure fairness and accountability. In June 2011, EPIC filed comments with the Department of Homeland Security in opposition to the expansion of E-Verify. For more information, see EPIC: E-Verify and Privacy and EPIC: Spotlight on Surveillance - E-verify System. (Jul. 5, 2013)

  • Almost 2,000 members of the public have joined EPIC's petition to the National Security Agency, urging the suspension of the NSA domestic surveillance program pending public comment. EPIC, joined by leading privacy experts including James Bamford, Whitfield Diffie, and Bruce Schneier, first petitioned the agency on June 17, 2013. EPIC's petition states "NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended." EPIC's petition further states that NSA's domestic surveillance "substantively affects the public to a degree sufficient to implicate the policy interests" that require public comment, and that "NSA's collection of domestic communications absent the opportunity for public comment is unlawful." EPIC intends to renew its request each week until the NSA responds. For more information and to join EPIC’s petition, see EPIC: NSA Petition. (Jun. 28, 2013)

  • The Administrative Office of the United States Courts has issued the the 2012 Wiretap Report. The annual report, provides comprehensive data on all federal and state wiretap applications, including the types of crimes investigated, as well as the costs involved and whether arrests or convictions resulted. In contrast, the annual report from the Foreign Intelligence Surveillance Court provides almost no information about a surveillance authority that is routinely directed toward the American public. According to the 2012 Wiretap Report, 3,395 intercept orders were issued in 2012. Of these orders, 3,292 (97%) targeted "portable devices" and 7 were "roving" taps to target individuals using multiple devices. The vast majority (87%) of wiretaps were issued in narcotics investigations, though some involved multiple offenses. In 2012, installed wiretaps were in operation for an average of 39 days, 3 days below the average in 2011. Encryption was reported for 15 wiretaps in 2012 and for 7 wiretaps conducted during previous years. In four of these wiretaps, officials were unable to decipher the plain text of the messages. This is the first time that jurisdictions have reported that encryption prevented officials from obtaining the plain text of the communications since the Administrative Office began collecting encryption data in 2001.There were 3,743 arrests related to these intercepts, which resulted in 455 (12%) convictions. EPIC maintains a comprehensive index of the annual wiretap reports and FISA reports. For more information, see EPIC: Title III Wiretap Orders - Stats, EPIC: Wiretapping, and EPIC: Foreign Intelligence Surveillance Act. (Jun. 28, 2013)

  • The Federal Communications Commission has ruled telecommunications carriers must follow the safeguards for Consumer Proprietary Network Information for information stored on mobile devices. "When a telecommunications carrier collects CPNI using its control of its customers' mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information," the Commission wrote. Chairwomen Clyburn wrote that "[p]rotecting consumer privacy is a key component of our mission to serve the public interest," while Commissioner Rosenworcel urged the Commission to take note of the growing "market incentives to keep our data and slice and dice it to inform commercial activity." EPIC participated in the agency review and filed comments urging the Commission to require mobile carriers to implement fair information practices and to adopt techniques for encryption. EPIC has also asked the FCC to investigate Verizon for unlawfully disclosing the telephone records of millions of Americans in response to an invalid order from the Foreign Intelligence Surveillance Court. For more information, see EPIC: Customer Proprietary Network Information. (Jun. 28, 2013)

  • The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to "monitor every single aspect of the behavior of an identified user across websites." The Working Group also observed that the current efforts of the W3C to develop a DNT track standard could "remain a sugar pill instead of being a proper cure and would such be useless." The Working Group recommended "the default setting should be such that the user is not tracked" and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission. (Jun. 28, 2013)

  • EPIC has joined a coalition of civil society groups in support of the Washington Statement - a declaration in support of strong international standards for privacy protection. The Washington Statement was released in conjunction with the annual Computers, Freedom, and Privacy conference held in Washington, DC. The conference brought together activists and representatives of government, civil society, and academia. The Statement provides, "privacy is a basic human right set out in Articles 17 and 19 of the International Covenant on Civil and Political Rights and Article 12 of the Universal Declaration of Human Rights." The signers call on US policymakers to end unlawful surveillance of Internet communications, and urge EU policymakers to move forward with an updated legal framework for data protection. For more information, see Madrid Privacy Declaration and EPIC: the Public Voice. (Jun. 27, 2013)

  • According to a Central Intelligence Agency Inspector General's report obtained by EPIC under the Freedom of Information Act, the CIA collaborated with the New York Police Department in domestic surveillance efforts. The CIA is prohibited from participating in domestic surveillance, but the report finds that the agency had embedded four officers within the NYPD over the past decade and that collaboration with the NYPD was fraught with "irregular personnel practices," that it lacked "formal documentation in some important instances," and that "there was inadequate direction and control" by agency supervisors. The Inspector General's Report was prepared in response to an investigation by the Associated Press which showed that the NYPD and the CIA had collaborated on a program of domestic surveillance targeting Muslims and persons of Arab descent. The CIA originally claimed that there was "no evidence that any part of the agency's support to the NYPD constituted 'domestic spying,'" a statement that is contradicted by the Inspector General's Report obtained by EPIC. A front-page story in the New York Times discusses the findings in more detail. The case is EPIC v. CIA, Case No. 12-02053 (D.D.C. filed Dec. 20, 2012). For more information see: EPIC: EPIC v. CIA - Domestic Surveillance and EPIC: Open Government. (Jun. 27, 2013)

  • EPIC has submitted extensive comments opposing the TSA's decision to deploy body scanners in US airports. The D.C. Circuit Court of Appeals forced TSA to accept public comment on the controversial screening program following EPIC's lawsuit in EPIC v. DHS. In that case, EPIC successfully challenged the TSA's unlawful deployment of the body scanners which rendered images of air travelers stripped naked. More than 5,000 comments were submitted by the public, many on behalf of organizations and associations, and almost all opposed the agency's decision. EPIC's comments described the lack of adequate privacy safeguards for the backscatter x-ray scanners, the ineffectiveness of the devices, and the potential health risks to travelers. EPIC urged the agency to end the body scanner program and instead use noninvasive walk through metal detector and explosive trace detection devices. The agency has already removed hundreds of backscatter devices from US airports. EPIC brought the lawsuit after earlier EPIC FOIA lawsuits uncovered documents that revealed the devices were capable of storing and recording images of naked air travelers. For more information, see EPIC: Comment on the TSA Nude Body Scanner Proposal. (Jun. 25, 2013)

  • Senator Patrick Leahy (D-VT), joined by several other Senators, has introduced a bill that will amend certain provisions of the USA PATRIOT ACT and the FISA Amendments Act to address recent revelations about domestic surveillance by the National Security Agency. The provisions of the bill will increase the threshold for the NSA to obtain domestic metadata and require court-approved minimization procedures. In addition, the bill will move up expiration dates on surveillance authorities to June 2015. In a statement, Senator Leahy said, "these are all commonsense, practical improvement that will ensure that the broad and powerful surveillance tools being used by the Government are subject to appropriate limitations, transparency, and oversight." EPIC recommended similar proposals in testimony last year before the House Judiciary Committee. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: NSA Petition. (Jun. 25, 2013)

  • Senator Rand Paul issued a letter to FBI Director Robert Mueller seeking answers about the FBI's domestic use of drones. In a Senate Judiciary Committee hearing on FBI oversight, Director Mueller admitted that the FBI uses drones for domestic surveillance. Mueller also stated there were no guidelines in place to regulate the FBIs use of drones and protect the privacy of Americans. EPIC petitioned the Federal Aviation Administration last year to conduct a public rulemaking to address the threat to privacy and civil liberties the domestic use of drones pose. EPIC also petitioned the Bureau of Customs and Border Protection this year to establish privacy regulations for its use of drones. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Jun. 21, 2013)

  • The Guardian has posted the procedures used by the National Security Agency to target non-US citizens under the Foreign Intelligence Surveillance Act, as well as the minimization procedure for information collected about US citizens. The documents indicate that "[a] person whose location is not known will be presumed to be a non-United States person," and that the NSA maintains databases of the telephone numbers, email accounts, and other identifiers of US citizens. EPIC recently petitioned the NSA to suspend its domestic surveillance pending public comment. Last year, in testimony for the House Judiciary Committee, EPIC urged Congress not to reauthorize the FISA Amendments Act until adequate oversight procedures were in place. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: NSA Petition. (Jun. 21, 2013)

  • EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data contained obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers. (Jun. 21, 2013)

  • In comments to the National Institutes of Health, an agency component of Health and Human Services, EPIC urged the agency to safeguard personally identifiable information following natural disasters. The agency proposes to use the PEOPLE LOCATOR system and related mobile app ReUniteâ„¢ to reunite "family and friends who are separated during a disaster." The PEOPLE LOCATOR system allows third parties to enter highly sensitive information about each missing or located individual, which in turn is accessed by the public. The system stores disaster survivor information including name, location, date of birth, race, religion, health status, address, and photographs. EPIC recommended that the agency: (1) limit its data collection to relevant information, (2) protect the security of the system by implementing data access control and establishing data quality standards; (3) define a record retention and disposal schedule; and (4) establish guidelines, which adhere to the Fair Information Practices, for disclosures to third parties like Google. For more information, see EPIC: Locational Privacy. (Jun. 20, 2013)

  • European data protection authorities have ordered Google to comply with data protection law or face fines. The French Data Protection Authority, which led the investigation into Google's consolidation of user data, said that "Google has not implemented any significant compliance measures" and gave the company three months to comply with its requirements. The decision follows an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google’s changes in business practices. Google's consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Jun. 20, 2013)

  • Over thirty privacy officials, including the Privacy Commissioner of Canada and the Chairman of the Article 29 Working Party, have written to Google demanding information on Google Glass. "[W]e would strongly urge Google to engage in a real dialogue with data protection authorities about Glass," they wrote, and listed eight specific questions, including how Glass complies with privacy laws and how Google intends to use the information collected by Glass. Recently, members of the Bi-Partisan Privacy Caucus wrote to Google with similar questions about Glass. Following the letter, Google announced that it would not approve any facial recognition apps for Glass. For more information, see EPIC: Google Glass. (Jun. 19, 2013)

  • Today, EPIC joined a coalition of over 100 civil liberties organizations and Internet companies to demand that Congress initiate a full-scale investigation into the National Security Agency's surveillance programs. In the letter sent to Congress this morning, the coalition emphasized the need for public transparency and an end to dragnet surveillance: "This type of blanket data collection by the government strikes at bedrock American values of freedom and privacy." EPIC is also leading a petition to the NSA to suspend its program of collecting information on all individuals in the United States. EPIC intends to renew its request to the Agency every week until the NSA responds. For more information see EPIC: NSA Petition. (Jun. 19, 2013)

  • Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs. The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs. EPIC also obtained the Standard Operating Procedure for the program and a Privacy Threshold Analysis that indicated that a Privacy Impact Assessment must be performed, but it is not clear whether one has been completed. EPIC is currently suing the FBI to learn more about its development of a vast biometric identification database. For more information, see EPIC: Face Recognition and EPIC: Biometric Identifiers. (Jun. 17, 2013)

  • The Supreme Court ruled on Monday that attorneys cannot use DMV records to solicit clients. In Maracich v. Spears, the Court ruled that solicitation is not a permissible use of state motor vehicle records under the Driver's Privacy Protection Act. State DMV records contain a huge amount of sensitive personal information, including Social Security Numbers and medical information. EPIC filed a "friend of the court" brief discussing the wide range of personal information contained in DMV records and the risks of identity theft. For more information, see EPIC: Maracich v. Spears and EPIC: Driver's Privacy Protection Act. (Jun. 17, 2013)

  • EPIC, joined by leading privacy experts including James Bamford, Whitfield Diffie, and Bruce Schneier, has petitioned the National Security Agency to suspend its domestic surveillance program pending public comment. EPIC's petition states "NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended." EPIC's petition further states that NSA’s domestic surveillance "substantively affects the public to a degree sufficient to implicate the policy interests" that require public comment, and that "NSA's collection of domestic communications absent the opportunity for public comment is unlawful." EPIC intends to renew its request each week until the NSA responds. For more information and to join EPIC’s petition, see: EPIC: NSA Petition. (Jun. 17, 2013)

  • European Justice Commissioner Viviane Reding has demanded that U.S. Attorney General Eric Holder explain the scope of US data collection about EU citizens. "Direct access of US law enforcement to the data of EU citizens on servers of US companies should be excluded unless in clearly defined, exceptional and judicially reviewable situations," the Commissioner wrote. The Commissioner's request is similar to that made by other European officials, such as German Justice Minister Sabine Leutheusser-Schnarrenberger, who also stated that "all facts must be put on the table." Recent reports indicate that United States lobbied the European Commission to weaken a comprehensive data protection law now pending in the European Parliament. Earlier this year, EPIC joined a coalition of leading US consumer and civil liberties organizations that expressed concern about the role of US officials in the development of European privacy law. The letter stated that "without exception," members of the European Parliament reported that the US government was "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." For more information, see EPIC: EU Data Protection Regulation. (Jun. 13, 2013)

  • In a letter to Federal Communications Commission Chairwoman Mignon Clyburn, EPIC urged the FCC to determine whether Verizon violated the Communications Act when it released consumer call detail information to the National Security Agency. In response to an unprecedented Foreign Intelligence Surveillance Court order which focused on solely domestic communications, Verizon released telephone customer information to the NSA, including telephone numbers and time and call duration. Congress explicitly charged the Commission with investigating unauthorized disclosures of consumer call detail information. EPIC's letter stated that Verizon violated legal protections for consumer phone records when it disclosed consumer information in response to a facially invalid order. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 12, 2013)

  • A bipartisan group of senators, led by Senator Jeff Merkley (D-OR) and Senator Mike Lee (R-UT), has proposed a bill that would declassify the opinions of the Foreign Intelligence Surveillance Court. In 2012 testimony before the House Judiciary Committee, EPIC recommended the publication of Foreign Intelligence Surveillance Court Opinions prior to the renewal of the FISA Amendments Act. Last week, EPIC charged the Foreign Intelligence Surveillance Court with acting outside of its authority. In a letter to Congress, EPIC stated, "The Foreign Intelligence Surveillance Court ordered an American telephone company to disclose to the NSA records of wholly domestic communications. The FISC lacks the legal authority to grant this order." EPIC asked Congress to conduct hearings and determine whether the specialized court, charged with overseeing the collection of foreign intelligence, may also authorize surveillance of solely domestic communications. EPIC has also filed Freedom of Information Act request a with the Department of Justice, seeking the agency's justification for the NSA domestic surveillance program. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty, and EPIC: USA Patriot Act. (Jun. 12, 2013)

  • In comments to the Department of Health and Human Services, EPIC underscored the importance of medical privacy, particularly concerning mental illness. In response to President Obama's plan to reduce gun violence, the federal agency is considering allowing states to report certain mental illness information to the FBI for inclusion in National Instant Criminal Background Check System. EPIC warned that the proposal could result in incorrect determinations and may also discourage people from receiving medical care. EPIC recommended that the federal agency: (1) require that states be held accountable for disclosing excess medical information; (2) requires that states notify the FBI of incorrect or outdated mental illness record; and (3) encourage states to maintain mental health record accuracy. For more information, see EPIC: Medical Privacy and EPIC: Gun Owners' Privacy . (Jun. 11, 2013)

  • Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications. (Jun. 8, 2013)

  • EPIC has filed a Freedom of Information Act request with the Department of Justice, seeking the agency's justification for the NSA domestic surveillance program. The Department of Justice authorized a request for "all call detail records or 'telephony metadata' created by Verizon for communications . . . (ii) wholly within the United States, including local telephone calls." By statute, the scope of the Foreign Intelligence Surveillance Court is limited to investigations concerning the collection of foreign intelligence. The Department of Justice and the President have been acknowledged that the Department conveyed information about the program to Congress. EPIC has asked Congress to determine whether the special court exceeded its authority when it compelled Verizon to turn over the records of millions of telephone customers. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 7, 2013)

  • Following the revelation of that the National Security Agency is monitoring domestic communications, members of Congress are initiating new oversight proceedings. The Senate Intelligence Committee will review the program's legal authority. Members of the House Judiciary Committee wrote to President Obama, saying, "We believe this type of program is far too broad and inconsistent with our nation's founding principles." During a hearing of the Senate Appropriations Committee, Sen. Mark Kirk (R-IL)asked Attorney General Eric Holder whether the NSA has spied on members of Congress. EPIC has sent a letter to leaders in Congresscalling for an investigation into the NSA's activities, and alleging that the FISC's authorization of the Verizon search was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act.
    (Jun. 7, 2013)

  • EPIC has sent a letter to Congress charging that the National Security Agency's demand for domestic telephone records is unlawful. EPIC stated, "The Foreign Intelligence Surveillance Court ordered an American telephone company to disclose to the NSA records of wholly domestic communications. The FISC lacks the legal authority to grant this order." EPIC's letter calls on Congress to conduct hearings and determine whether the specialized court, charged with overseeing the collection of foreign intelligence, may also authorize surveillance of solely domestic communications. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 7, 2013)

  • An unprecedented order from the Foreign Intelligence Surveillance Court indicates that the FBI and the NSA obtained vast amounts of data on Verizon customers without any ties to a foreign intelligence investigation. Last year, in testimony for the House Judiciary Committee, EPIC urged Congress not to renew the Foreign Intelligence Surveillance Act without first establishing appropriate oversight mechanisms. EPIC warned "there is simply too little known about the operation of the FISA today to determine whether it is effective and whether the privacy interests of Americans are adequately protected." For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act. (Jun. 6, 2013)

  • A deeply divided Supreme Court ruled Monday that law enforcement may warrantlessly collect DNA samples from people arrested, but not yet convicted, of crimes. In Maryland v. King, the Court held that when the police have probable cause to arrest someone, the collection of DNA is analogous to fingerprinting or photographing. The decision was 5-4. Writing in dissent, Justice Scalia, joined by Justice Ginsburg, Kagan, and Sotomayor, stated "Make no mistake about it: . . . your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason." EPIC wrote a "friend of the court" brief arguing against warrantless DNA searches. EPIC's brief described the rapid expansion of DNA collection in the United States and the lack of sufficient safeguards for private genetic information. For more information, see EPIC: Maryland v. King and EPIC: Genetic Privacy. (Jun. 3, 2013)

  • Google announced that it will not approve any facial recognition apps for Google Glass, pending the development of privacy safeguards. "[W]e won't add facial recognition features to our products without having strong privacy protections in place," the company said in a blog post. In comments on facial recognition to the Federal Trade Commission last year, EPIC recommended that the Federal Trade Commission enforce Fair Information Practices against commercial actors when collecting, using, or storing facial recognition data. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques," EPIC wrote to the FTC in early 2012. For more information, see EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Jun. 3, 2013)

  • EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information see EPIC: Federal Trade Commission. (Jun. 3, 2013)

  • The TSA has completed removal of the x-ray body scanners from US airports. The devices revealed detailed images of a person's naked body and have been described as "digital strip searches." The TSA action follows an Act of Congress and several lawsuits by EPIC. The TSA was forced to remove the machines after Congress required that the devices produce only generic image. And as result of EPIC v. TSA the TSA is currently required to accept public comments on its airport screening procedures. The public has until June 24, 2013 to voice its opinions. The millimeter wave devices remain in US airports. For more information, see: EPIC: Comment on the TSA Nude Body Scanner Proposal and EPIC: ATR lawsuit.

    Backscatter x-ray machines show detailed images of a person's naked body and have been described as "digital strip searches."

    (May. 30, 2013)

  • The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (May. 29, 2013)

  • The Federal Trade Commission has reportedly opened a new antitrust investigation into Google’s display advertising business. The Commission is investigating whether Google used its dominant position in the display advertising market, following the acquisition of Doubleclick, to harm competition. EPIC previously opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. Earlier this year, the Commission closed an antitrust investigation into Google’s search practices. For more information, see EPIC: Federal trade Commission and EPIC: Google/DoubleClick. (May. 29, 2013)

  • Senator Rand Paul (R-Ky) has introduced the Fourth Amendment Preservation and Protection Act of 2013, which would prohibit the warrantless collection of information about individuals held by third parties. The law would overturn the "third party doctrine," which has been widely criticized by courts and legal scholars. The bill has been referred to the Senate Judiciary Committee. Senator Paul will receive a 2013 EPIC Champion of Freedom Award in Washington, DC on June 3. For more information, see EPIC: Awards Dinner and EPIC: Electronic Communications Privacy Act. (May. 28, 2013)

  • A survey by the Pew Internet and American Life Project and the Berkman Center for Internet and Society found that while teens are disclosing more personal information on social media, the vast majority are actively taking steps to protect their privacy. 60 percent of teen Facebook users keep their profiles private and visible only to a select group of friends, and 56 percent felt confident in their ability to manage Facebook’s privacy settings. Most teens also reported deleting or blocking users on social media sites, or obscuring the content of their messages through inside or coded references. Other polls by Pew have found that a majority of parents were concerned about their children’s online privacy and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (May. 21, 2013)

  • EPIC Administrative Law Counsel Khaliah Barnes testified before the Colorado State Board of Education on privacy issues concerning inBloom and other companies that acquire student information. In response to public outcry over a pilot program which grants these companies access to sensitive student data, the Colorado Board of Education hosted a public session. Representatives from inBloom, the Colorado Attorney General's Office, a local school district, and EPIC participated. EPIC recommended that Colorado ensure that students and parents have access to education records maintained by third party providers, and that students and their parents should be able to limit disclosure to third parties. In 2012, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (May. 21, 2013)

  • EPIC filed a complaint with the Federal Trade Commission against Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. The company represents that users can make photos and videos "disappear forever." In fact, the photos can be retrieved by others after they should have vanished. The EPIC complaint implicates Privacy Enhancing Technologies, which if properly implemented would minimize or eliminate the collection of personally identifiable information. The FTC described similar methods in a 2012 privacy report. Previously, EPIC filed a complaint at the FTC against AskEraser, which falsely represented that search queries would be deleted when in fact they were retained by the company and made available to law enforcement agencies. For more information, see EPIC: Federal Trade Commission. (May. 17, 2013)

  • Members of the bipartisan Privacy Caucus sent a letter to Google seeking answers to questions about Glass, a wearable computer that routinely records video and audio, and gathers locational data. Among several questions, the Members of Congress asked "how Google plans to prevent Google Glass from unintentionally collecting data about the user/non-user without consent?" and whether Glass would be able to use facial recognition technology. Recently, Attorneys general for 38 states and the District of Columbia reached a $7 million settlement with Google over the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. Early last year, Google collapsed its privacy policies, prompting objections from EPIC state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Glass and Wearable Computers. (May. 17, 2013)

  • Following the controversy concerning the Justice Department’s subpoena of Associated Press calling records, the Obama administration announced support for a media shield law. The White House has asked Senator Charles E. Schumer to reintroduce the Free Flow of Information Act, a bill that would limit government access to information about confidential sources and would allow journalists to move to quash subpoenas of their phone records. EPIC is currently seeking the legal basis for the Justice Department’s subpoena of phone records through a Freedom of Information Act request. For more information, see EPIC: Free Flow of Information Act. (May. 16, 2013)

  • The Senate Judiciary Committee has approved an Amendment to the immigration bill to limit the range of drones surveillance in the United States. The immigration bill grants the Bureau of Customs and Border Protection authority to operate surveillance drones continuously within the border region. Senator Dianne Feinstein's (D-CA) Amendment reduces the patrol area of surveillance drones from 100 miles around the border to 25 miles. More than two-thirds of the US population lives within 100 miles of the border. In February 2013, EPIC petitioned the Bureau of Customs and Border Protection to suspend the border drone surveillance program pending the establishment of concrete privacy regulations. The petition followed the production of documents to EPIC under the Freedom of Information Act demonstrating that the border drones had the ability to intercept electronic communications and identify human targets. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (May. 15, 2013)

  • For the House Judiciary Committee hearing on Oversight of the United States Department of Justice, EPIC has sent a letter to Committee Members regarding the surveillance of Associated Press reporters. EPIC asked the Committee to determine whether the Justice Department complied with regulations on news media subpoenas, which were enacted in 1980 after passage of the Privacy Protection Act. For more information, see EPIC: Privacy Protection Act of 1980 and EPIC: Warrantless Surveillance Program. (May. 15, 2013)

  • EPIC has filed a Freedom of Information Act request with the Department of Justice Office of Legal Counsel, seeking documents explaining the DOJ's legal authority to search the electronic communications of reporters. Following news reports that the DOJ seized the telephone records of the Associated Press, EPIC's request seeks to discover the legal basis for the action as well as whether the DOJ could obtain the email or text messaging records of journalists. In 2005, EPIC filed the first FOIA request concerning the government's "warrantless wiretapping". EPIC eventually obtained emails and a memo (pdf) from a former high-level Justice Department official expressing doubt about the government's argument in favor of the legality of the program. EPIC also obtained internal messages (pdf) from the NSA's director to agency staff, defending the NSA's warrantless eavesdropping and discouraging employees from discussing the issue with the news media. For more information, see EPIC: Open Government, EPIC: New York Times v. DOJ. (May. 14, 2013)

  • EPIC has announced the recipients of the 2013 EPIC Champion of Freedom Awards. They are Senator Rand Paul, Senator Ron Wyden, and AP Reporter Martha Mendoza. Susan Grant will receive the EPIC Privacy Advocate award and David Flaherty will receive the EPIC Lifetime Achievement Award. The awards are given annually to courageous individuals who have defended privacy, open government, and democratic values. Previous recipients include federal judges, members of Congress, journalists, litigators, advocates, and philanthropists. The first EPIC Champion of Freedom Award was given to Senator Patrick Leahy in 2004. The 2013 award recipients will be honored at the EPIC Champion of Freedom Awards dinner in Washington, DC, Monday June 3, 2013. Tickets available. (May. 14, 2013)

  • EPIC has submitted comments to the U.S. Trade Representative addressing the Transatlantic Trade and Investment Partnership, a proposed trade agreement between the US and the European Union. In its comments, EPIC recommended that the TTIP negotiations exclude consumer privacy and data policy. Mindful of the US' progress in recent years on developing the Consumer Privacy Bill of Rights and the EU's General Data Protection Regulation, EPIC cautioned the USTR that an attempt to harmonize existing privacy regulations would not end well. If provisions about cross-border data flows arises, EPIC urged the USTR to ensure that consumers are given the highest level of privacy protections. EPIC also recommended that all drafts of negotiating texts be made publicly available since previous negotiating documents in similar trade agreement negotiations have been kept secret. EPIC has recently begun a new FOIA project to obtain information about the statements of US officials who participate in international negotiations concerning privacy and data protection. For more information, see EPIC: TTIP. and EPIC: Open Government. (May. 10, 2013)

  • The President issued an Executive Order and memorandum this week outlining the administration's new "Open Data Policy." According to the White House, the goal is to make information "accessible, discoverable, and usable by the public" and to "promote interoperability and openness." The Executive Order states that agencies should also "safeguard individual privacy, confidentiality, and national security." The White House has launched Project Open Data, a collection of code, tools, and case studies to help agencies adopt the open data policy. An article in Foreign Policy this week "Think Again: Big Data" raises provocative questions about the actual value of "Big Data." For more information on Open Government issues, see: EPIC: Open Government and EPIC: Privacy Act. (May. 10, 2013)

  • A federal court in Arizona has denied a motion to suppress evidence gathered by "StingRay" surveillance technology. The court in United States v. Rigmaiden held that investigators did not violate the Fourth Amendment. The court also held that the government's use of a cell site simulator or StingRay device was supported by a "mobile tracking device" warrant. EPIC recently argued that users have a reasonable expectation of privacy in the location of their mobile devices, and has also received hundreds of pages of documents related to the FBI's use of StingRay technology. For more information, see EPIC v. FBI: StingRay and EPIC: State v. Earls. (May. 10, 2013)

  • Numerous organizations across the political spectrum have urged Congress to reduce the error rate for the employment verification system "E-Verify". A bill now pending in Congress will mandate employer verification of an all employees’ eligibility to work in the United States. In testimony before Congress in 2007, EPIC warned of inaccurate employment determinations in the E-Verify system. EPIC also cautioned against straining the resources of the Social Security Administration and the aggregation of employment data into a central location. In June 2011, EPIC filed comments with the Department of Homeland Security in opposition of the proposed expansion of E-Verify. For more information, see EPIC: E-Verify and Privacy and EPIC: Spotlight on Surveillance - E-verify System. (May. 9, 2013)

  • Objecting to business efforts to block updates to European Union data protection laws, a coalition of European Internet rights, freedom and privacy organizations have launched the Naked Citizen campaign. The organizations stated, "The campaign is a response to the unprecedented lobbying from tech companies, the US Government and the advertising industry. They are all trying to weaken the Regulation and make it easier for companies to use personal information in opaque, unaccountable ways." The groups published a new report -- "Don't let corporation strip citizens of their right to privacy" -- which describes the need to adopt stronger data protection rights. US consumer organizations have expressed support for the effort to modernize European Union privacy law. EPIC also supports US ratification of the Council of Europe Privacy Convention. For more information, see EPIC - EU Data Protection Directive and EPIC - Council of Europe Privacy Convention. (May. 8, 2013)

  • Today the Senate voted to confirm David Medine as the Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), an agency established to review executive branch actions and to protect privacy and civil liberties after 9/11. EPIC urged the creation of an independent privacy agency after 9/11. At the first meeting of the agency in 2012, EPIC set out several priorities for PCLOB, including (1) suspension of the fusion center program, (2) limitations on CCTV surveillance, (3) removal of airport body scanners, (4) establishing privacy regulation for drones, (5) updating data disclosure standards, and (6) ensuring Privacy Act adherence. For more information, see EPIC: The 9/11 Commission Report and EPIC: The Sui Generis Privacy Agency. (May. 7, 2013)

  • The Federal Trade Commission has rejected an effort by several trade groups to delay implementation of the Children’s Online Privacy Protection Act Rule, currently scheduled to take effect on July 1. In voting unanimously to retain the date, the FTC noted that it had given covered entities at least 6 months to prepare for the Rule and that industry had "not raised any concrete facts to demonstrate that a delay is necessary." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for behavioral advertising purposes. EPIC joined a coalition of consumer, privacy, and children's advocates in urging the FTC to keep the original implementation date. EPIC also commented in support of both the proposed rule, and a revised version introduced in August 2012. The revised rule follows a report by the FTC finding that many child-directed mobile apps did not disclose their data practices. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (May. 6, 2013)

  • According to the 2012 Foreign Intelligence Surveillance Act (FISA) Report, the Department of Justice submitted 1,856 applications to the Foreign Intelligence Surveillance Court (FISC), a 6.4% increase over 2011. Of the 1,856 search applications, 1,789 sought authority to conduct electronic surveillance. The FISC did not deny any of the applications, although one was withdrawn by the Government. However, the FISC did make modifications to 40 of the applications, including one from the 2011 reporting period. In addition to the FISA orders, the FBI sent 15,229 National Security Letter requests for information concerning 6,223 different U.S. persons. This is a modest decrease from the 16,511 requests sent in 2011. Almost no information is available about FISA surveillance beyond the figures contained in the annual FISA letter, sent to the Senate each year by the Department of Justice, Office of Legislative Affairs. EPIC has recommended greater reporting of FISC applications and opinions, similar to what is disclosed in the Federal Wiretap Reports. For more information, see EPIC: Foreign Intelligence Surveillance Act Court Orders 1979-2012 and EPIC: Foreign Intelligence Surveillance Act. (May. 2, 2013)

  • The Supreme Court ruled today that Virginia's freedom of information law, which allows only Virginia residents to pursue open government requests, does not violate the U.S. Constitution. Petitioners argued that the law impermissibly burdened out-of-state residents ability to provide open records services to clients, to purchase and transfer Virginia property, to access Virginia court proceedings, and to access important public information. But the Court found in McBurney v. Young that the majority of state records were available to non-residents in some form and that there was no fundamental "right to access public information" at the time the Constitution was adopted. EPIC and other open government groups filed a amicus brief arguing that residents-only provisions limit public access to information necessary for political advocacy. In 2008, EPIC obtained documents from Virginia revealing an agreement to limit oversight of a state fusion center. For more information, see EPIC: McBurney v. Young and EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill. (Apr. 29, 2013)

  • EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government. (Apr. 26, 2013)

  • The House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations today heard testimony today on proposed Geolocation Privacy safeguards for the collection and use of location data generated by cellphones and other devices. As EPIC recently noted in a letter to the House Judiciary committee, and testimony before the Maryland House of Delegates and Texas House of Representatives on similar bills, ECPA does not protect location records; courts are divided on whether such records are protected by the Fourth Amendment. For more information, see EPIC: Locational Privacy. (Apr. 26, 2013)

  • The Senate Judiciary Committee has approved a bill that would update the Electronic Communications Privacy Act, a 1986 law that provides privacy protections for email and digital communications. The update, sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator Mike Lee (R-UT), would extend protections to communications that are stored in the cloud. Earlier this year, the Supreme Court declined to review a decision by the South Carolina Supreme Court which held that ECPA does, protect emails stored on remote computer servers. EPIC, joined by 18 national organizations filed an amicus brief, urging the Supreme Court to clarify the scope of e-mail privacy protections. In March, EPIC sent a letter to the House Judiciary Committee, recommending a comprehensive review of the law. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Jennings v. Broome. (Apr. 26, 2013)

  • The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)

  • New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)

  • EPIC has submitted comments to the Federal Aviation Administration, urging the agency to mandate minimum privacy standards for drone operators. In 2012, Congress told the Agency to implement a comprehensive plan to integrate drones into the National Airspace. Shortly after, EPIC, joined by over 100 other organizations, experts, and members of the public, petitioned the agency to address privacy in the integration process. EPIC's petition noted, "drones greatly increase the capacity for domestic surveillance." In February 2013, the Agency responded to EPIC's petition, announcing it would "address [privacy issues] through engagement and collaboration with the public." As a result, the FAA published a Notice with proposed privacy requirements for drone operators. EPIC recommended that the FAA mandate the proposed privacy standards, which are based on Fair Information Practices, and maintain a public database of all drone operators. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones. (Apr. 23, 2013)

  • Polls conducted by Fox News and the Washington Post following the bombing in Boston last week show little support for changes in the scope of government surveillance. According to Fox News, when asked "Would you be willing to give up some of your personal freedom in order to reduce the threat of terrorism?" for the first time since before 9/11, more said they would not (45%) as compared with those who said they would (43%). A Washington Post poll indicated that the public was more concerned (48%) that the government would go too far to investigate terrorism than that it would not go far enough (41%). A Rassmusen Poll conducted of likely voters found that more than half of the respondents — 54 percent — said economic threats were a greater danger to the country than terrorism. According to 538, that is "almost unchanged from a Rasmussen survey conducted in late January, more than two months before the bombs were detonated in Boston near the marathon finish line." For more information, see EPIC, Public Opinion on Privacy. (Apr. 23, 2013)

  • EPIC has announced the 2013 members of the EPIC Advisory Board. They are Michael Froomkin, Distinguished Professor of Law at the University of Miami School of Law; Sheila Kaplan, student privacy advocate and founder of Education New York; Eugene Spafford, a/k/a/ "Spaf," professor of Computer Science at Purdue University; and Tim Wu, professor at Columbia Law School and author of "The Master Switch." The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy. Joining the EPIC Board of Directors in 2013 are current Advisory Board members David Farber, Joi Ito, and Jeff Jonas. For more information, see EPIC: EPIC Advisory Board. (Apr. 23, 2013)

  • Following a court mandate that the Transportation Security Administration receive public comment on airport body scanners, the public overwhelmingly opposes invasive nude body scanners. The court mandate was in response to EPIC's lawsuit in EPIC v. DHS, where EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. The TSA will accept comments until June 24, 2013. The public has submitted almost 2,000 comments noting various problems with the scanners, including privacy violations, potential health risks, and the machine's inability to accurately detect threats. EPIC has recently filed appeals in two Freedom of Information Act cases seeking documents related to airport body scanner radiation risks and threat detection software. For more information, see EPIC: Comment on the TSA Nude Body Scanner Proposal, EPIC: Radiation Risks lawsuit, and EPIC: ATR lawsuit. (Apr. 23, 2013)

  • EPIC, joined by seven open government organizations, has filed a "friend of the court" brief urging a federal appeals court to order the government to disclose the legal authority for drone strikes. The case, New York Times v. Department of Justice, asks whether the administration is required, under the Freedom of Information Act, to disclose legally binding opinions from the DOJ's Office of Legal Counsel. EPIC's brief argues that these opinions cannot be withheld under the FOIA. "By withholding these legal opinions, which direct the actions of the government and impact private parties, the Department is establishing secret law that is antithetical to democratic governance." For more information, see EPIC: New York Times v. DOJ and EPIC: Open Government. (Apr. 23, 2013)

  • A group of consumer, privacy, and children's advocates wrote to the Federal Trade Commission to oppose an industry effort to delay implementation of the new Children's Online Privacy Protection Act rule. The groups noted that two-and-a-half years have passed since the Commission proposed the updates to COPPA. They said there was no "compelling reason for giving the industry more time to comply with the law." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for advertising purposes. EPIC previously commented in support of the proposed rule and a revised version. The new safeguards follow a report by the FTC finding that many child-directed mobile apps conceal their data collection practices. For more information, see EPIC: FTC and EPIC: Children’s Online Privacy. (Apr. 23, 2013)

  • The White House has released an unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the Washington Post in 2012, and EPIC immediately pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still pursuing the release of the full document. For more information see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (NSPD 54). (Apr. 19, 2013)

  • EPIC has filed appeals in two Freedom of Information Act cases seeking documents related to airport body scanners from the Department of Homeland Security and the Transportation Security Administration. EPIC filed FOIA requests with the agencies seeking records related to radiation risks from body scanners and the threat detection software the machines use. The TSA is currently developing formal rules for the use of body scanners in response to a court order in one of EPIC's previous cases. Body scanners allow routine digital strip searches of individuals who are not suspected of any crime. For more information, see EPIC: Radiation Risks lawsuit and EPIC: ATR lawsuit, and EPIC: Suspension of Body Scanner Program. (Apr. 16, 2013)

  • In a Statement of Administration Policy, the White House threaten to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and currently as drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority. (Apr. 16, 2013)

  • The Department of Homeland Security has issued a Privacy Impact Assessment, updating information on its controversial social media monitoring program. As part of the program, DHS scours social media sites, including Twitter, Facebook, and Youtube, for public posts that contain words such as "cops," "police," "airport," "hacktivist," and "zombie." DHS then disseminates social media information it has collected to "federal, state, local, and foreign government and private sector partners." Although the Privacy Impact Assessment states DHS should only collect "relevant" social media information, the document also states that "any information posted publicly can be used by [DHS] in providing situational awareness and establishing a common operating picture." Recently, EPIC obtained a court order and an opinion in a Freedom of Information Act lawsuit against DHS, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. For more information, see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring. (Apr. 16, 2013)

  • Responding to growing interest in privacy and "big data," representatives of the data protection agencies in Europe have issued an opinion on the purpose limitation principles in the context of big data. The Article 29 Working Party recommends that personal data should be collected for "specified, explicit and legitimate purposes" and that personal data not be "further processed in a way incompatible with those purposes." The group also recommended that the proposed EU data protection regulation incorporate a list of factors to aid in determining compatible uses. Last fall, EPIC Executive Director Marc Rotenberg testified in support of the proposed reform before the European Parliament, and a group of transatlantic consumer organizations wrote a letter expressing their support. For more information, see EPIC: EU Data Protection Directive. (Apr. 16, 2013)

  • Speaking at the annual conference of the National Association of Attorneys General, EPIC President Marc Rotenberg said that the state AG's cannot sit on the sidelines as consumers face increasing risks of identity theft, security breaches, and secretive profiling. Rotenberg said the onus shouldn’t be on consumers to keep up with every-changing policy practices. “There is no reason that a customer should have to go back and check their privacy settings when a company changes its business practice." The Attorneys General recently fined Google $7 m for violating state consumer protection laws when the companies vehicles, loaded with Internet packet sniffers, intercepted private residential communications. EPIC has also launched a promotional video "Good to Really Know" with information for consumers about online privacy. For more information, see EPIC: Consumer Privacy Bill of Rights and EPIC: Consumer Privacy. (Apr. 16, 2013)

  • The Federal Trade Commission has released its annual report for the period from April 2012-2013. The report begins with a description of the FTC’s accomplishments on consumer privacy, and lists the data-breach lawsuit against Wyndham, Google’s $22.5 million fine for tracking Safari users, settlements with the data brokers Equifax and Spokeo, and a survey of the credit reporting industry. EPIC has previously recommended that the FTC enforce its consent orders with Google and Facebook, require adoption of the Consumer Privacy Bill of Rights, and modify proposed settlements in response to public comment. For more information, see EPIC: Federal Trade Commission. (Apr. 16, 2013)

  • In an order today, the U.S. Supreme Court has declined to review a decision concerning e-mail privacy. In Jennings v. Broome, the South Carolina Supreme Court held that the federal Electronic Communications Privacy Act (ECPA) does not protect emails stored on remote computer servers. As a result of this case, users in South Carolina have lesser privacy protections than those in California where a federal court reached the opposite conclusion. EPIC, joined by 18 national organization filed an amicus brief, urging the US Supreme Court to clarify the scope of e-mail privacy protections. For more information, see EPIC: Jennings v. Broome and EPIC: Electronic Communications Privacy Act. (Apr. 15, 2013)

  • In response to a request for comments, EPIC submitted comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority). (Apr. 12, 2013)

  • The Transportation Security Administration was forced to disclose additional information regarding the Agency's controversial body scanner program after EPIC prevailed in a lawsuit against the Agency. In March 2013, Judge Royce Lamberth held that the Agency had unlawfully redacted certain information from records released to EPIC under the Freedom of Information Act containing details on software modifications made to the scanners. In response to a separate lawsuit filed against the Department of Homeland Security regarding the Agency's authority to deploy the devices, the TSA has initiated a process to allow the public to comment on the program. EPIC is recommending that the TSA adopt more effective screening procedures. For more information, see and EPIC v. DHS (Suspension of Body Scanner Program). (Apr. 10, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition. (Apr. 8, 2013)

  • EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority. (Apr. 4, 2013)

  • EPIC has submitted comments to the Federal Trade Commission, supporting several of the agency's changes to its FOIA regulations. EPIC applauded the agency for reducing fees for requesters. EPIC also urged the Committee to: (1) update its definition for news media representative; (2) clarify which documents are public information and ensure that hyperlinks to those records work properly; (3) disclose private sector contract rates for FOIA processing; (4) refrain from prematurely closing FOIA requests; and (5) adopt alternative dispute resolution or arbitration when resolving delinquent FOIA fees. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. Last year, EPIC submitted extensive comments to theDepartment of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Apr. 4, 2013)

  • The D.C. Circuit Court reversed a lower court decision and sided with the Citizens for Responsibility and Ethics in Washington in a case concerning an agency's obligation to respond to a Freedom of Information Act request. CREW argued that the Federal Election Commission's response to its FOIA request did not meet the statutory obligations of a "determination" under the Act. The federal appeals court held that an agency must make and communicate its determination whether to comply with a FOIA request, and which exemptions if any it will claim with respect to any withheld documents, within 20 working days of receiving the request, or within 30 days in exceptional circumstances. EPIC joined five other prominent open government groups in a "friend of the court" brief in support of CREW. For more information, see EPIC: Open Government. (Apr. 4, 2013)

  • Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Apr. 2, 2013)

  • A federal judge in Washington, DC today issued an Opinion denying the FBI's motion to delay the release of records sought under the Freedom of Information Act. The decision follows from a lawsuit filed by EPIC against the FBI for records about the agency's use of cell-site simulator technology, commonly referred to as "StingRay." These devices track cell phones and collect a vast amount of data from telephone customers. The Court found that the FBI was not facing the "exceptional circumstances" necessary to justify its proposed two-year delay. The Court ordered the agency to produce all records, except those subject to classification review, by August 1, 2013. For more information, see EPIC v. FBI - StingRay. (Mar. 28, 2013)

  • EPIC's Appellate Advocacy Counsel Alan Butler testified before the Texas State Assembly on a privacy bill for telephone location data. The House bill, would establish a warrant requirement for location data and a comprehensive reporting requirement, similar to the federal wiretap reports. Mr. Butler discussed the need for clear rules governing location surveillance that satisfy Fourth Amendment standards, as well as the importance of public reporting and accountability. He also testified at a Senate Committee hearing on the proposal. EPIC recently submitted amicus briefs in State v. Earls and In re U.S. (5th Cir.) regarding location privacy. For more information, see EPIC: Locational Privacy. (Mar. 28, 2013)

  • The Supreme Court ruled today in Florida v. Jardines that the use of a drug-sniffing dog to investigate the front door of a home was a “search” within the meaning of the Fourth Amendment. “That the officers learned what they learned only by physically intruding on Jardines’ property to gather evidence is enough to establish that a search occurred,” Justice Scalia concluded. Justice Kagan, joined by Justices Ginsburg and Sotomayor, wrote a concurrence that explained that the case could have also been resolved by examining Jardines’ privacy interests. In Justice Kagan’s view, the use of device “not in general public use” to “explore the details of the home” violates a reasonable expectation of privacy and is therefore a search. EPIC filed an amicus brief in a related Supreme Court case, decide earlier this year. For more information, see EPIC: Florida v. Jardines and EPIC: Florida v. Harris. (Mar. 26, 2013)

  • The TSA announced today that it will begin a public comment process on its airport screening procedures. The action follows from a 2011 court order in EPIC v. DHS. In that case, the Federal Appeals Court for the DC Circuit found that the agency unlawfully deployed body scanners in US airports. In a proposed two-sentence change to the agency's extensive regulations, the TSA seeks to grant itself authority to continue to deploy Nude Body Scanners ("NBS") without establishing privacy safeguards. EPIC, which brought the successful challenging to the TSA program, is urging public comment on the agency proposal. EPIC is recommending that the TSA adopt more effective screening procedures. If the TSA continues with Nude Body Scanner program, EPIC said the agency should make clear the right of individuals to opt-out as well as require privacy filters for all devices. For more information, see EPIC v. DHS (Suspension of Body Scanner Program). (Mar. 26, 2013)

  • EPIC, joined by thirty organizations and more than a thousand individuals, has petitioned the Bureau of Customs and Border Protection to suspend the domestic drone surveillance program, pending the establishment of concrete privacy regulations. The petition states that "the use of drones for border surveillance presents substantial privacy and civil liberties concerns for millions of Americans across the country." The petition follows the revelation that the drones deployed by the federal agency are equipped with technology for signals interception and human identification. For more inform at ion, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Mar. 22, 2013)

  • At a Senate Judiciary Committee hearing on "the Future of Drones in America," EPIC Domestic Surveillance Project Director Amie Stepanovich testified in support of new privacy safeguards prior to the deployment of drones in the United States. Also testifying at the hearing were Professor Ryan Calo, and representatives of law enforcement and the drone industry. The hearing was well attended and Senators across the committee expressed support for the development of new privacy legislation. Documents obtained by EPIC under the Freedom of Information Act indicate that the federal government has deployed domestic drones with the ability to intercept electronic communication and to identity human targets. In response to the revelations, EPIC has petitioned the Bureau of Customs and Border Protection, demanding the suspension of the drone program pending the development of privacy regulations. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Mar. 21, 2013)

  • Congressman Markey has introduced the "Drone Aircraft Privacy and Transparency Act of 2013." The Bill sets out comprehensive transparency requirements for drone operators to protect privacy from unregulated drone surveillance. Under the terms of the bill, drone operators would be required to submit a detailed data collection and data minimization statement prior to obtaining a license to operate drones in the United States. The bill also states that surveillance by law enforcement agencies will require a warrant or extreme exigent circumstances.Congressman Markey said that privacy legislation is necessary to "prevent flying robots from becoming spying robots." For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Mar. 19, 2013)

  • Over thirty privacy and consumer groups wrote to the FTC Chair Edith Ramirez, urging her to appoint a Director of the Bureau of Consumer Protection who is "independent of industry" and has a "well-established consumer rights and public interest background." The letter comes after the departure of former director David Vladeck. EPIC has also urged the Commission to require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. For more information, see EPIC: Federal Trade Commission. (Mar. 19, 2013)

  • In response to a request from the House Judiciary Committee, EPIC has recommended a comprehensive review of the federal communications privacy law. Congress will begin hearings this week on ECPA Part 1: Lawful Access to Stored Content. EPIC's letter to the Committee noted the recent settlement by the state Attorneys General with Google in the Street View matter and the reluctance of federal officials to pursue a similar investigation. EPIC also noted growing confusion in the lower courts about the application of the federal privacy law. Finally, EPIC pointed out that the current law provides inadequate protection for private location records. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (Mar. 18, 2013)

  • Amie Stepanovich, the Director of EPIC's Domestic Surveillance Project, will testify this week before the Senate Judiciary Committee on "the Future of Drones in America." The hearing will feature expert testimony from EPIC Advisory Board member Professor Ryan Calo. Documents recently obtained by EPIC under the Freedom of Information Act indicate that the Bureau of Customs and Border Protection has deployed drones in the United States with the ability to intercept electronic communication and to identity human targets. As a consequence, EPIC has launched a petition urging the agency to suspend the drone program pending the establishment of comprehensive privacy regulations. Following a similar petition from EPIC, the FAA recently agreed to establish privacy rules for drone deployment. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones. (Mar. 18, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit against the Education Department, following the agency's failure to release documents about private debt collection and compliance with federal privacy law. The Department has contracts with at least twenty-three private debt collectors who obtain sensitive personal information, including contact information, loan status, income, Social Security number, and credit history. The Department is expected to publish a procedures manual that instructs debt collectors on privacy safeguards. The Department is also supposed to require debt collectors to submit compliance reports to the agency. EPIC's sought release of the procedures manual and compliance reports for the last three years. After the Department failed to disclose any records in response to the FOIA request, EPIC sued. For more information, see EPIC: Open Government and EPIC: Student Privacy. (Mar. 18, 2013)

  • The Social Security Administration seeks public comment on a proposal to assign new Social Security numbers to children age 13 and under. Currently, the agency may assign new SSNs only if it has evidence that "a third party has improperly used an adult's or child's SSN, the number holder was not at fault, and the number holders was recently disadvantaged by the misuse." Under the proposed policy, the agency would issue a new SSN to a child if: (1) the child's Social Security card is stolen in transit from the agency to the child's address; (2) the SSA erroneously discloses a child's SSN through the SSA's Death Master File; or (3) a third party misuses the child's SSN. The agency would no longer require evidence that the child was disadvantaged due to misuse in any of these situations. EPIC favors the proposed rule change. Public comments on the proposal are due April 12, 2013. EPIC has previously warned Congress about SSN fraud and the growing problem of identity theft. For more information, see EPIC: Social Security Numbers. (Mar. 18, 2013)

  • The Court of Appeals for the DC Circuit has ruled that the CIA must respond to an ACLU open government request for records pertaining to drone strikes. The CIA had said it could “neither confirm nor deny that it had responsive documents." The appeals court found that the agency itself had acknowledged it had such document. In EPIC v. NSA, a similar challenge to the "Glomar" response , the federal appeals court found that the agency had not acknowledged existence of documents responsive to a FOIA request even tough there were widespread news reports of a partnership between Google and the NSA. For more information, see EPIC: EPIC v. NSA: Google/NSA Relationship. (Mar. 15, 2013)

  • Attorneys general for 38 states and the District of Columbia today reached a "$7 Million Settlement" with Google over consumer protection and privacy claims. The company engaged in the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. A detailed Assurance of Voluntary Compliance, setting out the terms of the settlement, is now available. In 2010, EPIC urged the Federal Communication Commission to investigate the Google Street View program after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. EPIC subsequently pursued FOIA requests regarding the FCC and the Department of Justice investigations. Federal wiretap claims concerning Street View are still pending in federal court. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (Mar. 12, 2013)

  • In celebration of Sunshine Week, EPIC has published the 2013 EPIC FOIA Gallery. The gallery highlights key documents obtained by EPIC in the past year, such as previously secret documents about cell phone traffic monitoring, domestic drones that identify human targets and intercept electronic communications, Google's interception of WiFi transmissions, DHS monitoring of Twitter, technology that can scan crowds at a molecular level, and the government's use of license plate datas. EPIC regularly files Freedom of Information Act requests and pursues lawsuits to force disclosure of government documents that impact privacy. EPIC also publishes the authoritative FOIA litigation manual. For more information, see EPIC: Open Government and EPIC Bookstore: FOIA. (Mar. 12, 2013)

  • A federal judge has granted EPIC victories in two Freedom of Information Act cases involving the controversial airport body scanners. Judge Royce Lamberth in Washington, DC held that the Department of Homeland Security must turn over two safety reports detailing radiation output by the scanners and a set of power point slides containing details on automated target recognition software. The agency previously claimed it was not required to release the documents to EPIC. EPIC has pursued several related Freedom of Information Act cases as a challenge to the deployment of the devices. In 2011, the DC Circuit of Appeals ruled in EPIC v. DHS that the agency must receive public comments on the decision to deploy body scanners for primary screening. For more information see: EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program). (Mar. 8, 2013)

  • EPIC has published a petition to the Bureau of Customs and Border Protection, demanding the suspension of the drone program pending the development of privacy regulations for the use of drones in US airspace. Documents recently obtained by EPIC under the Freedom of Information Act indicate that the drones are equipped with technology for signals interception and human identification. The agency currently operates ten Predator B drones along the border region, an area that encompasses more than two-thirds of the U.S. population. EPIC is urging individuals and organizations to Sign the Petition before March 18. Under federal law, the agency is required to respond to public petitions. For more information see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones and EPIC: Drone Petition to Customs and Border Protection. (Mar. 4, 2013)

  • EPIC has obtained a court order and an opinion in a Freedom of Information Act lawsuit against the Department of Homeland Security, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. EPIC had previously obtained several hundred pages of documents, revealing that the agency monitors the internet for reports that “reflect adversely” on the agency or the federal government. EPIC also obtained a list of very broad search terms used by the agency to monitor social media. As a result of EPIC’s findings, Congress held a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." For more information see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring. (Mar. 4, 2013)

  • EPIC Appellate Advocacy Counsel Alan Butler testified before the Maryland House Judiciary Committee on H.B. 887, a location privacy bill that will establish a search warrant requirement for the collection of private location information. Mr. Butler discussed the current state of location tracking and privacy under the state and federal constitutions. The Maryland bill will require a warrant for location tracking and an annual report on electronic surveillance reports, similar to the federal wiretap reports. EPIC recently submitted amicus briefs in State v. Earls and In re US regarding location privacy. For more information, see EPIC: Locational Privacy and EPIC: State v. Earls. (Feb. 28, 2013)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security, following the agency's failure to produce any documents about the "Emergency Wireless Protocols," (Standard Operating Procedure 303 or "SOP 303"). SOP 303 describes the process that DHS would follow in order to execute a communications shutdown in the event of a national crisis. DHS has stated publicly under SOP 303 an agency component "will function as the focal point for coordinating any actions leading up to and following the termination of private wireless network connections, both within a localized area, such as a tunnel or bridge, and within an entire metropolitan area." But in response to EPIC's FOIA request, DHS wrote that it was "unable to locate or identify any responsive records." For more information, see EPIC: Open Government. (Feb. 28, 2013)

  • New records obtained by EPIC under the Freedom of Information Act indicate that the Bureau of Customs and Border Protection is operating drones in the United States capable of intercepting electronic communications. The records also suggest that the ten Predator B drones operated by the agency have the capacity to recognize and identify a person on the ground. Approximately, 2/3 of the US population is subject to surveillance by the CBP drones. The documents were provided in response to a request from EPIC for information about the Bureau's use of drones across the country. The agency has made the Predator drones available to other federal, state, and local agencies. The records obtained by EPIC raise questions abut the agency's compliance with federal privacy laws and the scope of domestic surveillance. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 28, 2013)

  • The Ninth Circuit has refused to hear an appeal in a case involving a class-action lawsuit over Facebook’s Beacon program, which disclosed personal information without user consent. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Courts typically provide cy pres awards that reflect the reason for the litigation and are aligned with the interests of class members. In the Facebook case the court chose instead to provide the funds to a new foundation created by Facebook, which was appealed. Six judges dissented from the denial, writing that "the majority in this case creates a significant loophole in our case law that will confuse litigants and judges, while endorsing cy pres settlements that in no way benefit class members." EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz. (Feb. 28, 2013)

  • The Supreme Court ruled today in Clapper v. Amnesty Int'l USA that a constitutional challenge to the Foreign Intelligence Surveillance Act (FISA) cannot go forward. A group of attorneys and journalists alleged that the U.S. government could be intercepting their communications with their foreign contacts, in violation of the Fourth Amendment. In a divided 5-4 decision, Justice Alito wrote that the group's alleged injuries were too speculative to be considered. Justice Breyer, joined by Justices Ginsburg, Kagan, and Sotomayor, dissented and said that the Court's "certainly impending" standard was inconsistent with prior decisions. Justice Breyer also cited EPIC's "friend of the court" brief which described the extraordinary capacity of the NSA to capture private communications. For more information, see EPIC: Clapper v. Amnesty Int'l USA and EPIC: FISA. (Feb. 27, 2013)

  • The Federal Trade Commission adopted a proposed settlement with Compete, Inc., over allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The settlement requires Compete to obtain consumers' express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. In comments to the agency, EPIC recommended that the FTC also require the Compete to implement Fair Information Practices similar to those contained in the Consumer Privacy Bill of Rights, and develop a best practices guide to de-identification techniques. The FTC declined to adopt EPIC’s recommendations, stating that it "does not provide specific technical guidance in areas like [anonymization], which are constantly changing," and "may not impose additional obligations that are not reasonably related to such conduct or preventing its recurrence." For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification. (Feb. 26, 2013)

  • Today the U.S. Supreme Court will arguments on whether the Fourth Amendment allows warrantless, suspicion less DNA collection from anyone arrested, but not convicted, of a "serious crime." In Maryland v. King, Maryland will argue that states should be permitted to use DNA to investigate cold cases even when the arrestee is not a suspect. King will explain that the Fourth Amendment requires a probable cause warrant for routine law enforcement investigations. EPIC filed a "friend of the court" brief, joined by the 27 technical experts and legal scholars, that describes how DNA collection and use "has grown dramatically and unpredictably over time." EPIC has asked the U.S. Supreme Court to affirm the decision of the Maryland Supreme Court, which held that a warrant is required for the collection of a DNA sample. For more information, see EPIC: Maryland v. King and EPIC: Genetic Privacy. (Feb. 26, 2013)

  • The Department of Homeland Security has released a previously internal memo regarding the establishment of a working group to "Safeguard Privacy, Civil Rights, and Civil Liberties in the Department's Use and Support of Unmanned Aerial Systems" (drones). The memo states, "[t]he overarching goal of the working group is to determine what policies and procedures are needed to ensure that protections for privacy, civil rights, and civil liberties are designed into DHS and DHS-funded [drone] programs." DHS has developed a program to explore the expansive use of small drones for law enforcement. Customs and Border Protection currently operates 10 Predator B drones in the United States. In testimony before Congress in July 2012, EPIC said that federal agencies operating drones should adopt privacy regulations. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 21, 2013)

  • EPIC, along with more than 40 transparency organizations, thanked the House Committee on Oversight for sending a letter to the Department of Justice about the importance of the Freedom of Information Act. The open government organizations said "outdated FOIA regulations, excessive fee assessments, growing FOIA backlogs, and the misuse of exemptions are issues that continually frustrate FOIA requesters" and expressed hope that the Committee would share the Department of Justice's responses with the public. EPIC also joined more than two dozen transparency groups in a letter to President Obama, asking him to renew his commitment to transparency and FOIA. The President issued a memorandum on Transparency and Open Government in 2009.For more information see: EPIC: Open Government. (Feb. 20, 2013)

  • The Supreme Court ruled today in Florida v. Harris that the police may use drug detection dogs to conduct searches without a warrant even when the dog finds drugs they are not trained to detect. The Florida Supreme Court had ruled that the search was unlawful because the State failed to provide field performance records to establish the dog's reliability. The U.S. Supreme Court unanimously reversed in an opinion written by Justice Elena Kagan, rejecting the Florida court's "inflexible checklist" of necessary evidence in favor of a more flexible, "common-sensical standard." EPIC filed an amicus curiae brief in the case, arguing that "investigative techniques should be used based on research, testing, and data indicating reliability." EPIC cited a recent National Academy of Sciences report highlighting the lack of reliable standards for investigative techniques. Late last week, the Department of Justice announced a new initiative to improve forensics reliability. For more information, see EPIC: Florida v. Harris. (Feb. 19, 2013)

  • The French Data Protection Commissioner, acting on behalf of the European Union, announced it will take action against Google after the company failed to reply to questions about its handling of user information. In October 2012, officials representing 24 countries in Europe sent a letter requiring Google to comply with European data protection laws, and give users greater control over their personal information. The action followed an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google. Google’s policy consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Feb. 19, 2013)

  • EPIC has opposed the Department of Justice's reliance on secret legal authority in a Freedom of Information Act lawsuit. In EPIC v. DOJ et. al, EPIC is seeking information about government surveillance of individuals who have exercised their First Amendment rights and expressed interest in WikiLeaks, an Internet-based media organization. The Department of Justice has withheld from disclosure certain information responsive to the EPIC request but will not reveal the legal basis for its decision. In opposing the government filing, EPIC said that secret law "poses unique concerns to democratic governance and undermines the purpose of the FOIA." For more information, see EPIC: EPIC v. DOJ (Wikileaks) and EPIC: Open Government. (Feb. 19, 2013)

  • In response to an EPIC FOIA request, the Department of Homeland Security has released documents about the use of body scanners by the US Secret Service. EPIC sought information about the types of images that body scanners capture, the length of time the images can be stored, and safeguards for maintaining the integrity and security of the captured images. EPIC also asked about radiation body scanner radiation risks. EPIC received the contract of sale between the Government and Rapiscan, the body scanner manufacturer; and the Secret Service’s training manuals for instructing new recruits on the operation of body scanners. The training materials make no mention of data privacy. For more information, see EPIC: EPIC v. DHS and EPIC: Body Scanners. (Feb. 15, 2013)

  • As a result of a Freedom of Information Act lawsuit, EPIC has obtained previously secret training slides from the Office of the Director of National Intelligence detailing the agency's guidelines for collection, dissemination, and retention of information about United States citizens. EPIC had sued the agency after it failed to respond to several FOIAt requests about the agency’s plan to increase data collection on Americans. The documents just obtained by EPIC as a result of the lawsuit outline policies for collecting data and shed light on the legal standard to retain data indefinitely. The guidelines allow for unlimited retention of information about U.S. persons if there is a "reasonable and articulable suspicion" that the information is terrorism information. The agency concedes that "there is no requirement that the analyst's wisdom be rock solid or infallible" and allows retention "even if the facts individually appear innocent in nature." EPIC is still seeking documents about the agency's information sharing agreements, privacy protections, and mechanisms to correct errors in databases. For more information, see EPIC v. ODNI. (Feb. 15, 2013)

  • Congressman Poe (R-TX) and Congresswoman Zoe Lofgren (D-CA) have introduced the "Preserving American Privacy Act of 2013," targeted at providing individual privacy protections in regard to drone surveillance. The bill would require all drone operators to submit a public data collection statement that includes a description of the drone's purpose and intended operations. The bill also would require a warrant in order for drone surveillance information to be received as evidence and includes a ban on equipping drones with firearms. EPIC has twice (1, 2) asked Congress to protect individual privacy against increased use of domestic drones. EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 15, 2013)

  • In response to an extensive petition submitted by EPIC, the Federal Aviation Administration (FAA) has announced it will begin a public rulemaking on the privacy impact of aerial drones. The EPIC petition, joined by over 100 organizations, experts, and members of the public, urged the FAA to develop privacy standards for drone operators. In a letter to EPIC President Marc Rotenberg, the FAA Chief Counsel stated, "the FAA recognizes that increasing the use of [drones] raises privacy concerns. The agency intends to address these issues through engagement and collaboration with the public." The FAA's announcement comes exactly one year after President Obama signed the FAA Modernization and Reform Act of 2012, which directed the FAA to loosen restrictions on government and commercial drone flights in the United States. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 14, 2013)

  • In conjunction with the 2013 State of the Union, President Obama has signed a public Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority). (Feb. 13, 2013)

  • At the 2013 State of the Union, President Obama announced an Executive Order that grants new authority to federal agencies to share information with private companies. President Obama further urged Congress to act to "pass legislation to give our government a greater capacity to secure our networks and deter attacks." A new Presidential Directive was also published today, directing the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a prior directive that grants additional, secret cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority). (Feb. 13, 2013)

  • EPIC, joined by a coalition of privacy, consumer rights, and civil rights organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy and establish privacy safeguards for "event data recorders." The agency has proposed mandatory installation of "black boxes" in all cars and small trucks by 2014. Thirteen states have passed laws that limit the use of EDRs. EPIC recommended that the agency: (1) restrict the amount of data that EDRs collect; (2) conduct a comprehensive privacy impact assessment; (3) uphold Privacy Act protections; (4) require security standards for EDR data; and (5) establish best practices to fully protect the privacy rights of vehicle owners and operators. EPIC argued that it is contrary to reasoned decisionmaking for the agency to mandate massive data collection and not fully amend its current regulations to protect individual privacy. For more information, see EPIC: Event Data Recorders and Privacy and EPIC: The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record. (Feb. 12, 2013)

  • In the fifth interim release of documents in EPIC v. FBI, a Freedom of Information Act lawsuit, the agency has turned over nearly 300 pages about the surveillance technique directed toward users of mobile phones. The documents obtained by EPIC reveal that agents have been using "cell site simulator" technologies, also known as "StingRay," "Triggerfish," or "Digital Analyzers" to monitor cell phones since 1995. Internal FBI e-mails, also obtained by EPIC, reveal that agents went through extensive training on these devices in 2007. In addition, a presentation from the agency's Wireless Intercept and Tracking Team argues that cell site simulators qualify for a low legal standard as a "pen register device," an interpretation that was recently rejected by a federal court in Texas. For more information, see EPIC v. FBI (StingRay). (Feb. 12, 2013)

  • Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drone to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Feb. 7, 2013)

  • In a letter to the director of the Office of Information Policy, a Congressional oversight committee has asked a series of question, challenging the government's compliance with the FOIA. The Office of Information Policy is tasked with "encouraging agency compliance with the Freedom of Information Act (FOIA) and for ensuring that the President's FOIA Memorandum and the Attorney General's FOIA Guidelines are fully implemented across the government." The letter from Chairman Issa (R-CA) and Ranking Member Cummings (D-MD) called on the Justice Department to address concerns about "outdated FOIA regulations, exorbitant and possibly illegal fee assessments, FOIA backlogs, the excessive use and abuse of exemptions, and dispute resolution services." EPIC makes frequent use of the FOIA to obtain information from the government about surveillance and privacy policy. EPIC has also raised concerns in comments to federal agencies and to the Office of Government Information Services about systemic problems with FOIA compliance. For more information, see EPIC: Open Government and EPIC: FOIA Litigation Docket. (Feb. 7, 2013)

  • The National Highway Traffic Safety Administration has proposed regulations for event data recorders (EDR) that will become mandatory in all cars and small trucks by 2014. Building on state privacy laws, EPIC has urged the federal agency to adopt comprehensive privacy safeguards for vehicle owners and operators, including driver ownership of data, limitations on disclosure, and better security for the data collected. EPIC has also launched a national campaign to encourage public comments to the federal agency. To support EPIC’s comments Tweet: "@EPICprivacy [Your Name] supports EPIC’s EDR Comments #EDRprivacy" or email EDRprivacy@epic.org with Your Name and the subject line "I support EPIC’s EDR Comments." The public can also submit comments directly to the agency. For more information, see EPIC: Event Data Recorders and Privacy. (Feb. 6, 2013)

  • EPIC has joined a coalition of leading US consumer and civil liberties organizations who have expressed concern about the role of US officials in the development of European privacy law. In a letter to the US Secretaries of State, Justice, and Commerce, the groups wrote to seek a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the president." The letter states that "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." The letter, endorsed by 18 US NGOss, emphasizes the President's commitment to protecting privacy, set out in the Consumer Privacy Bill of Rights. Last fall, EPIC Executive Director Marc Rotenberg testified in support of a proposed EU privacy reform before the European Parliament, and a groups of transatlantic consumer organizations wrote a letter expressing their support for the EU effort to update and modernize privacy law. For more information, see EPIC: EU Data Protection Directive. (Feb. 5, 2013)

  • EPIC has filed a "friend of the court" brief in Maryland v. King, arguing that law enforcement's warrantless collection of DNA is unconstitutional. EPIC's brief describes the "dramatic and unpredictable" expansion of the government's DNA collection over the past decade. In the brief for the U.S. Supreme Court, EPIC said that the Fourth Amendment limits "the otherwise unbounded collection and use of the individual's DNA sample by government." The EPIC brief was joined by 26 technical experts and legal scholars.EPIC has previously filed amicus briefs in several DNA cases before federal and state courts. For more information, see EPIC: Maryland v. King and EPIC: Genetic Privacy. (Feb. 4, 2013)

  • The Federal Trade Commission announced a settlement with the social networking app Path over charges that the app secretly collected information from mobile users' address books without their consent. The FTC also fined the company $800,000 for violating the Children's Online Privacy Protection Act, which prohibits the collection of personal information from a children without obtaining parental consent. The consent order requires Path to implement a comprehensive privacy program and to submit to independent privacy assessments for the next 20 years. The FTC has released a series of reports documenting privacy problems with mobile apps that collect the personal information of children. Recently, EPIC submitted comments supporting the FTC’s proposed improvements to the children’s online privacy rule, which the agency ended up adopting. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Feb. 1, 2013)

  • A new report[ from the Congressional Research Service -- "Integration of Drones into Domestic Airspace: Selected Legal Issues" -- states that "perhaps the most contentious issue concerning the introduction of drones into U.S. airspace is the threat that this technology will be used to spy on American citizens." Last year, EPIC warned Congress that "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies." EPIC, joined by over 100 organizations, experts, and members of the public, has petitioned the Federal Aviation Administration to begin a rule making to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones. (Jan. 31, 2013)

  • The New Jersey Supreme Court will hear arguments on Tuesday in State v. Earls, an important case regarding the privacy of cell phone location information. At issue is whether real-time location data should be disclosed by a cell phone provider without a warrant or a court order. EPIC Appellate Advocacy Counsel Alan Butler will present oral argument along with counsel for the Defendant and amici ACLU-NJ. In response to the Court's request for supplemental briefing, EPIC's brief outlined the current state of location tracking technology and argued that cell phone users have a reasonable expectation of privacy under both the Federal and State constitutions. For more information, see EPIC: State of NJ v. Earls and EPIC: In re Historical CSLI. (Jan. 28, 2013)

  • The Office of the Director of National Intelligence released an information paper describing the civil liberties and privacy protections incorporated into the National Counterterrorism Center Guidelines. The ODNI is the top intelligence agency in the United States, coordinating the activities of the CIA, the FBI, the DHS, and other federal agencies. An updated version of the Guidelines was approved by Attorney General Holder in March of 2012 and allows the Center to copy databases across the federal government for retention for up to five years. EPIC filed a FOIA lawsuit to uncover, among other things, any data accuracy and security safeguard documentation that covered the updated Guidelines. The Information Paper comes about six months after EPIC filed suit for more details about the program. The Paper details various provisions, including the requirement that a "reasonable belief" that a dataset contains terrorism information is needed to copy a database, the implementation of accuracy and error correction measures, and a prohibition on monitoring U.S. persons purely for engaging in First Amendment protected activities. The ODNI is expected to make its final production of documents to EPIC in the FOIA case on February 12, 2013. For more information, see EPIC: EPIC v. ODNI. (Jan. 28, 2013)

  • The Ponemon Institute has released the 2012 version of a report listing the companies that consumers trust the most with respect to the handling of their personal data. Out of 217 organizations rated, American Express ranked as the most trusted. In general, consumers rated companies in the healthcare and banking industries higher than social media companies and charities. The report also found that “the importance of privacy has steadily trended upward over seven years.” The rankings were generated from a final sample of 6,704 respondents. For more information, see EPIC: Public Opinion on Privacy. (Jan. 28, 2013)

  • Senator Patrick Leahy, Chairman of the Senate Judiciary Committee, today issued a statement in commemoration of January 28, International Data Privacy Day. International privacy day marks the adoption of the Council of Europe Privacy Convention, the first global framework for privacy protection. Senator Leahy said, "In the Digital Age, Americans face new threats to their digital privacy and security as consumers and businesses alike collect, share and store more and more information in cyberspace. Data Privacy Day is an important reminder about the need to improve data privacy as we reap the many benefits of new technologies." EPIC has urged the United States to ratify the Privacy Convention. For more information, see EPIC: Electronic Communications Privacy Act, EPIC: International Privacy Day, and EPIC - Facebook, International Privacy Day. (Jan. 28, 2013)

  • EPIC has given the 2013 International Privacy Champion Award to Max Schrems, the organizer of Europe v. Facebook. (Support). EPIC called Max "an innovative and effective spokesperson for the right to privacy." EPIC cited his work to obtain his personal information collected by Facebook, which has inspired more than 40,000 users around the world to make similar access requests, helping to ensure greater transparency of Internet companies. Previous award recipients include Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In't Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28, International Privacy Day. (Jan. 24, 2013)

  • In documents filed with a federal court in Washington, DC, EPIC is challenging changes to the Family Educational Rights and Privacy Act (FERPA). The revised regulations, issued by the Education Department, allow the release of student records for non-academic purposes and undercut parental consent provisions. The rule change also promotes the public use of student IDs that enable access to private educational records. In 2011, EPIC submitted extensive comments to the agency, opposing the changes and arguing for the need to safeguard privacy. After the Education Department failed to make necessary changes, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors and Advisory Board Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jan. 22, 2013)

  • In response to a FOIA request filed by EPIC, the Federal Trade Commission has stated that there are no records of "communications . . . between the White House and the FTC regarding the Commission's antitrust inquiry into Google." In a closely watched proceeding, the Federal Trade Commission announced in early January that it had closed an antitrust inquiry into Google's business practices. EPIC has previously expressed concern about anticompetitive practices by Internet firms. In 2000, EPIC filed a complaint with the Federal TradeCommission regarding the proposed merger of Doubleclick, an Internet advertising company and Abacus, a catalog database firm. In 2007, EPIC opposed Google's acquisition of DoubleClick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. In 2011, EPIC wrote to the FTC about Google's use of YouTube search rankings to give preferential treatment to its proprietary content over non-Google content. EPIC has also testified before the Senate Judiciary Committee regarding growing market concentration of essential Internet services. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission. (Jan. 18, 2013)

  • The US Transportation Security Administration will end the contract for backscatter x-ray devices. As a consequence, all devices that produce a detailed naked image of air travelers will be removed from US airports. Beginning in 2005, EPIC and then a coalition of privacy advocates, scientists, legal experts and lawmakers urged the TSA not to deploy the devices. The groups petitioned DHS Secretary Napolitano to suspend the program pending a thorough review. The agency went forward and EPIC sued. In EPIC v. DHS, the DC Circuit held that the devices could be used as long as passengers were able to opt-out. The federal appeals court also ordered the agency to "promptly" begin a public rulemaking. That process will likely begin in March 2013. For more information, see EPIC: EPIC v. DHS and EPIC: Body Scanners. (Jan. 18, 2013)

  • A recent paper published in Science reveals that deidentified DNA sequences collected for research purposes can be used to identify the subjects under certain circumstances. According to the article, the information posted by the 1,000 Genomes Project - age, state of residence, and full DNA sequence - used in combination with publicly available genealogy data was enough to narrow the search to a few likely individuals. A Science Policy Forum article concludes that this "reveals the need to re-examine the current paradigms for managing the potential identifiability of genomic and other 'omic'-type data." The President's Commission for the Study of Bioethical Issues recently reviewed the ethical and privacy implications of the use and collection of genetic data. And the Supreme Court is set to hear a case next month involving the warrantless collection and use of genetic information by law enforcement agencies. For more information, see EPIC: Maryland v. King and EPIC: Genetic Privacy. (Jan. 17, 2013)

  • On January 16, 2013, Georgetown University Law School hosted Senator Patrick Leahy (D-VT), the chairman of the Senate Judiciary Committee. Leahy set out the agenda of the Judiciary Committee in the 113th Congress, vowing to commit the Committee to addressing "out most fundamental rights, and our most basic freedoms." Updates to key legislation, including laws on e-mail privacy and cybersecurity, are included in the Committee's agenda. The Chairman explained that the Committee would also address the need for oversight of US counterterrorism programs as well as privacy issues involved with the growing use of domestic surveillance drones. Furthermore, Senator Leahy emphasized the importance of open government as an American value, promising to "continue to fight for transparency that keeps the government accountable to the people." For more information, see EPIC: Electronic Communications Privacy Act, EPIC: Open Government, and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Jan. 17, 2013)

  • The TSA is considering the use of commercial data to screen passengers, a controversial practice that was previously blocked in Washington. In 2005 Congress suspended funding for Secure Flight, a program that relied on the use of commercial data, after EPIC, the General Accounting Office, and others identified security and privacy vulnerabilities. TSA's current effort also comes as the Federal Trade Commission is studying the practices of the data broker industry. For more information, see EPIC: Secure Flight and EPIC: Passenger Profiling. (Jan. 17, 2013)

  • On January 15, 2013 EPIC hosted "Drones and Domestic Surveillance," at the National Press Club in Washington, DC. The symposium brought together experts in law, technology, and public policy to discuss the expanding use of unmanned vehicles in the United States. The event featured Representative Ted Poe (R-TX) as the keynote speaker and was moderated by EPIC's Executive Director, Marc Rotenberg. Congressman Poe announced his plans to introduce a bill in 2013, co-sponsored by Congresswoman Zoe Lofgren (D-CA) to protect privacy against increased drone use. Panelists at the event included technologist Bruce Schneier, privacy scholars Laura Donohue and Orin Kerr, CATO fellow Julian Sanchez, EPIC's Amie Stepanovich, and Gretchen West of AUVSI. EPIC, and a coalition of experts and organizations, have petitioned the Federal Aviation Administration to develop privacy regulations for drone use. For more information, see EPIC: Drones and Domestic Surveillance and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Jan. 15, 2013)

  • California Attorney General Kamala Harris has issued a report describing best practices for mobile application privacy. The report, "Privacy on the Go," recommends that app developers implement safeguards such as privacy-by-design and notice, but stops short of setting forth a comprehensive set of Fair Information Practices. The report follows a law that requires all service providers doing business in California, such as mobile app developers, to have a privacy policy available to consumers. The report also occurs while the White House's privacy multistakeholder process is attempting to develop a voluntary code of conduct for mobile app transparency. For more information, see EPIC: Mobile and Location Privacy. (Jan. 10, 2013)

  • A federal judge has vacated provisions in a prior order that would have limited the ability of FOIA requesters to disseminate information to the public. EPIC filed a Freedom of Information Act lawsuit against the Department of Homeland Security after the agency failed to respond to a request for documents about a plan to monitor internet traffic. In arguments before the court, the Department of Justice contended that EPIC should agree to a protective order that would prevent EPIC from disclosing documents obtained in the case. EPIC challenged this argument, stating that it was contrary to FOIA law and that the use of protective orders in FOIA cases would make it more difficult for the public to obtain information about government activities. Judge Kessler agreed with EPIC and discarded the protective order requirement. She also chastised the agency for its repeated delays in processing EPIC's FOIA request. The case is EPIC v. DHS, 12-333. For more information see: EPIC v. DHS - Defense Contractor Monitoring. (Jan. 9, 2013)

  • The Supreme Court is set to hear arguments in Maracich v. Spears, a case involving the Drivers' Privacy Protection Act. The Court agreed to hear the case after a lower could ruled that impermissible uses of personal data held by DMVs were "inextricably intertwined" with permissible uses. The Supreme Court previously said that the law "establishes a regulatory scheme that restricts the States' ability to disclose a driver's personal information without the driver's consent." EPIC filed an amicus curiae brief in support of the Petitioners, urging that the Court overturn the lower court's judgment. EPIC's brief details the staggering amount of personal information contained in driver records, particularly as a consequence of the REAL ID regulations. EPIC argues that "changes in technology have increased the risk of the underlying harm that Congress sought to address. Therefore, the Court should narrowly construe the statutory exceptions." The EPIC amicus brief is joined by twenty-seven technical experts and legal scholars. For more information, see EPIC: Maracich v. Spears, EPIC: The Driver's Privacy Protection Act, and EPIC: National ID and REAL ID. (Jan. 8, 2013)

  • The European Parliament has indicated strong support for a proposal put forward by the European Commission to update European Union privacy law. In reports on the the New Directive and New Regulation, the Parliament recommends greater power for data protection agencies and new rights for data subjects. The comprehensive update of the 1995 EU Data Protection Directive simplifies compliance procedures and also creates new incentives for anonymized and psuedonymized data to help protect privacy. Last fall, EPIC President Marc Rotenberg testified before the European Parliament in support of the proposed reform. More than 20 US consumer organizations have expressed support for the European privacy initiative. For more information, see EPIC: EU Data Protection Directive. (Jan. 8, 2013)

  • The Federal Trade Commission announced that it had concluded its investigation into allegedly anticompetitive practices by Google. The Commission reached a settlement with Google that would give competitors access to patents necessary to make smart phones, laptops, and other devices, and Google voluntarily agreed to stop borrowing others' content for use in its own services. On the issue of search bias, however, the Commission decided to close the investigation without taking action. Despite finding some evidence that changes to the company's search algorithm harmed competitors, the Commission said that these changes "could be plausibly justified as innovations that improved Google's product and the experience of its users." In 2011, EPIC wrote to the Commission about Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. EPIC had also opposed Google's acquisition of online advertiser Doubleclick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbor. EPIC later testified before the Antitrust committee on Google's growing dominance of essential Internet services. For more information, see EPIC: Federal Trade Commission and EPIC: Google/DoubleClick. (Jan. 3, 2013)

  • The Interior Department has issued a final rule amending its FOIA regulations. In November 2012, EPIC submitted comments regarding the agency's proposed amendments, urging the Interior Department not to weaken the FOIA as it had proposed. The final rule incorporates several of EPIC's recommendations. For example, the Interior Department will provide examples of how FOIA requesters can reasonably describe the records they seek, and notify requesters in advance before charging them direct costs of converting records to a requested format. Additionally, the Interior Department clarified ambiguous language that would negatively impact FOIA requesters' rights. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. EPIC recently submitted extensive comments to the Defense Logistics Agency of the Department of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government. (Jan. 3, 2013)

  • The NSA has turned over documents on the controversial "Perfect Citizen" program to EPIC in response to a FOIA request. "Perfect Citizen" is an NSA program that monitors private networks in the United States. The redacted documents obtained from the federal agency by EPIC state that "[t]he prevention of a loss due to a cyber or physical attack [on Sensitive Control Systems, like large-scale utilities], or recovery of operational capability after such an event, is crucial to the continuity of the [Department of Defense] , the [Intelligence Community], and the operation of SIGNIT systems." The NSA claims that Perfect Citizen is merely a research and development program. The documents obtained by EPIC suggest that the program is operational. For more information, see EPIC: Perfect Citizen. (Jan. 2, 2013)

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security