Previous Top News: 2018


  • EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments and related records. EPIC's FOIA request drew attention to a version of the 2017 report available at the FTC website, but that version is heavily redacted. EPIC is suing now for the release of the unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018). (Apr. 20, 2018)

  • EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)

  • Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC and a coalition of consumer groups obtained after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway. (Apr. 20, 2018)

  • A coalition of 14 consumer groups in Latin America has sent a letter to Facebook CEO Mark Zuckerberg, urging him to comply with the EU General Data Protection Regulation (GDPR) at a global level. The groups wrote, "The GDPR provides a solid foundation for the protection of personal data: it establishes clear responsibilities for companies that collect and process personal data and provides data subjects, Facebook users whose data your company collects and processes, with clear rights. These are protections that all users should be entitled to, regardless of where they are located." Earlier this month, the Transatlantic Consumer Dialogue (TACD), a coalition of consumer groups in North America and Europe, also sent a letter to Facebook advocating for the GDPR to be implemented as a baseline standard of data protection for all users. (Apr. 19, 2018)

  • In advance of a hearing on "Game Changers: Artificial Intelligence Part III, Artificial Intelligence and Public Policy," EPIC told the House Oversight Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC also said that Congress should amend the E-Government Act to require disclosure of the logic of algorithms that profile individuals. EPIC made similar comments to the UK Privacy Commissioner on issues facing the EU under the GDPR. A recent GAO report explored challenges with AI, including the risk that machine-learning algorithms may not comply with legal requirements or ethical norms. EPIC has pursued several criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Apr. 19, 2018)

  • In advance of a hearing on "Abusive Robocalls and How We Can Stop Them," EPIC recommended reforms that would combat fraud while protecting privacy. EPIC supports regulations that would (1) allow phone providers to proactively block numbers that are unassigned, unallocated, or invalid; (2) block invalid numbers without requiring consumer consent; (3) provide strong security measures for any database of blocked numbers; and (4) prohibit spoofing with the intent to defraud or cause harm. EPIC played a leading role in the creation of the Telephone Consumer Protection Act and continues to defend the Act. (Apr. 17, 2018)

  • In advance of a hearing on the Census Bureau, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (Apr. 17, 2018)

  • EPIC has filed a second Freedom of Information Act lawsuit to obtain President Trump's tax records. EPIC is seeking information about IRS settlements involving the President and his businesses—information which the agency is required to disclose to the public upon request. The IRS agreed to process EPIC's request in February but has failed to release any records to date. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Apr. 17, 2018)

  • The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standards should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections." (Apr. 17, 2018)

  • In advance of a hearing regarding IRS oversight, EPIC sent a statement to a House committee urging the release of President Trump's tax returns. As EPIC explained, "candidates for the Presidency have routinely released tax record information to the American public. Mr. Trump broke with that tradition even though he pledged to make this information publicly available." As a consequence, EPIC brought a FOIA suit for the release of the President's tax returns. EPIC recently filed the opening brief in EPIC v. IRS, now before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC explained to the Court and to Congress, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 17, 2018)

  • EPIC submitted a statement following the Senate nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the International Privacy Convention. Privacy experts and advocates have also called for adoption of the Madrid Privacy Declaration, a comprehensive framework for data protection. (Apr. 16, 2018)

  • The Article 29 Working Party has released a statement on encryption policy. The Working Party stated "strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy." The Working Party found that "backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens." The Working Party is a group of leading privacy officials in the European Union that often issues reports and opinions on emerging privacy issues. Under the GDPR, the Working Party will become the European Data Protection Board with new legal authorities. Communications services with escrow encryption, and other similar techniques, could be prohibited under the GDPR. EPIC began in April 1994 with the first internet petition, the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA. (Apr. 16, 2018)

  • EPIC has submitted extensive comments on proposed guidance for Data Protection Impact Assessments. The new European Union privacy law - the "GDPR" - requires organizations to carefully assess the collection and use of personal data. In comments to the UK privacy commissioner, EPIC said that disclosure of the technique for decision making is a core requirement for Data Protection Impact Assessments. EPIC supports "Algorithmic Transparency." EPIC has pursued criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. EPIC has warned Congress of the risks of "citizen scoring." (Apr. 13, 2018)

  • EPIC has submitted a Freedom of Information Act request to the Department of Homeland Security seeking Privacy Impact Assessments and other records related to the solicitation for "media monitoring services." The DHS posted a solicitation to compile a database of journalists and "media influencers," including bloggers and social media influencers. The DHS is seeking to identify journalists based on their beat, publication, contact information, and articles published. Agency officials plan to search lists and analyze news coverage. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that contains personally identifiable information. In a prior FOIA lawsuit, EPIC obtained Privacy Impact Assessments from the FBI that were not publicly available. And in EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Apr. 13, 2018)

  • The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public. (Apr. 12, 2018)

  • The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law. (Apr. 12, 2018)

  • EPIC has filed suit to enforce the open government obligations of the Drone Advisory Committee, an industry-dominated committee that advises the Federal Aviation Administration on U.S. drone policy. For over a year, the Committee has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones, even after the Committee identified privacy as a top public concern. EPIC's lawsuit would force the Committee to disclose its work to the public. EPIC has a long history of promoting government transparency. EPIC's case to establish drone privacy regulations, EPIC v. FAA, No. 16-1297, is pending before the D.C. Circuit Court of Appeals. (Apr. 12, 2018)

  • In advance of a hearing regarding challenges facing the IRS, EPIC sent a statement to the Senate Finance Committee urging the release of President Trump's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC recently filed the opening brief in the case before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 12, 2018)

  • In response to a series of questions from Rep. Gene Green (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process." (Apr. 11, 2018)

  • The Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, has sent a letter to Facebook CEO Mark Zuckerberg urging him to comply with the EU General Data Protection Regulation (GDPR) as a baseline standard, not just for EU consumers as it is required, but for all Facebook services. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process. The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located." Zuckerberg will testify before the Senate and House this week on Facebook's failure to protect user data. The Transatlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making. (Apr. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. ICE has contracts with a company called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (Apr. 9, 2018)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the International Working Group on Data Protection. The Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the ongoing investigation of the Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative proposals on Artificial Intelligence, and more. The 64th meeting of the IWG will take place in Queenstown, New Zealand on November 29-30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Apr. 9, 2018)

  • In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC had enforced the Order. (Apr. 9, 2018)

  • EPIC has submitted input to the UN Office of the High Commissioner for Human Rights for an upcoming report on the right to privacy in the digital age. The OHCHR is soliciting information for a report to the Human Rights Council on the right to privacy around the world. EPIC's comments detail shortcomings in US privacy law, including the CLOUD Act, the reauthorization of FISA Section 702, and the FTC's failure to enforce consumer privacy guarantees. EPIC also highlighted the need for the Special Rapporteur on Privacy to promote fundamental privacy rights, particularly Article 12 of the Universal Declaration of Human Rights. (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups have filed a complaint with the FTC, charging that Facebook's use of facial recognition techniques threatens user privacy and "in multiple ways" violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011 EPIC and consumer groups urged the FTC to investigate Facebook’s facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said today, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation." (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threatens user privacy and violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." (Apr. 5, 2018)

  • Congressional leaders have announced the establishment of the Congressional Artificial Intelligence Caucus. The Caucus will bring together experts from academia, government, and the private sector to inform policymakers of the technological, economic and social impacts of advances in AI. The Congressional AI Caucus is bipartisan and co-chaired by Congressmen John Delaney (D-MD) and Pete Olson (R-TX). This is one of several initiatives in Congress to pursue AI policy objectives. Rep. Delaney introduced the FUTURE of Artificial Intelligence Act (H.R. 4625) and Rep. Elise Stefanik (R-NY) introduced a bill (H.R. 5356) that would create the National Security Commission on AI. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the growing use of opaque and unaccountable techniques in automated decision-making. (Apr. 3, 2018)

  • The D.C. Circuit Court of Appeals has refused to void an earlier ruling in EPIC's case to halt the collection of state voter data by the Presidential Election Commission. Although the Commission was disbanded in January, last year's decision by a three-judge panel of the D.C. Circuit remains on the books. The panel wrongly held that EPIC, a privacy and open government organization, did not have standing to challenge the Commission's failure to conduct and publish a privacy impact assessment required by law. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. EPIC's lawsuit previously led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission's efforts to collect state voter data. EPIC will continue to pursue the case, which is eligible for appeal to the U.S. Supreme Court. The case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Apr. 2, 2018)

  • EPIC has filed a consumer protection lawsuit against AccuWeather for deceptively tracking the location of subscribers who downloaded the company’s app. In papers filed in the District of Columbia, EPIC charged that AccuWeather tracked consumers even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to third-party advertisers. EPIC alleges that these practices violate the District of Columbia Consumer Protection Procedures Act. EPIC has long advocated for the privacy of location data. EPIC filed a “friend of the court” brief with the US Supreme Court in a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber’s tracking of subscribers. EPIC also opposed Apple’s tracking of iPhone users. EPIC also maintains detailed webpages on location privacy. (Apr. 2, 2018)

  • French President Emmanuel Macron has expressed support for "Algorithmic transparency" as a core democratic principle. In an interview with Wired magazine, President Macron said that algorithms deployed by the French government and companies that receive public funding will be open and transparent. President Macron emphasized, "I have to be confident for my people that there is no bias, at least no unfair bias, in this algorithm." President Macron's statement echoed similar comments in 2016 by German Chancellor Angela Merkel, "These algorithms, when they are not transparent, can lead to a distortion of our perception, they narrow our breadth of information." EPIC has a longstanding campaign to promote transparency and to end secret profiling. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. In recent comments to UNESCO, EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decision-making, based on opaque algorithms. (Apr. 2, 2018)

  • The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers. (Apr. 2, 2018)

  • In a Federal Register notice released today, the State Department is proposing that all visa applicants submit social media identifiers to the federal government. EPIC previously opposed the agency’s plan, warning that "this proposal leaves the door open for abuse, mission creep, and the disproportionate targeting of Muslim and Arab Americans." Earlier this year, EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request seeking details of the Trump Administration’s “extreme vetting” initiative, including the collection and use of social media information. (Mar. 30, 2018)

  • In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC complaint found that Venmo made misrepresentations about privacy and security practices. EPIC recommended that the FTC require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices. The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a “reasoned response” if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. (Mar. 29, 2018)

  • An internal investigation has revealed the FBI was not transparent about its technical capabilities before suing Apple to unlock an encrypted iPhone. The Department of Justice Inspector General reports that FBI personnel failed to communicate to agency leadership that the FBI was very close to opening the phone. Investigating the 2015 mass shooting in San Bernardino, the FBI filed suit to force Apple to create custom technology to decrypt an iPhone. The agency's case relied on the fact that it "cannot access" that phone's content. EPIC filed an amicus brief in Apple v. FBI arguing that the "security features in dispute in this case were adopted to protect consumers from crime." (Mar. 28, 2018)

  • EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last week, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity. (Mar. 28, 2018)

  • The Department of Commerce announced that the 2020 census will include a question on citizenship status. The decennial census has not included a citizenship question since 1950. Critics argue that the question will result in unreliable data collection and skew census results. Senator Menendez (D-NJ) has introduced S. 2580, a bill that would prohibit the census from including a citizenship question. Last week EPIC submitted a Freedom of Information Act request seeking documents on the Department's consideration of the many complicated issues related to the question. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 27, 2018)

  • The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 26, 2018)

  • A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission also announced today that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns. (Mar. 26, 2018)

  • President Trump has signed the CLOUD Act, requiring internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Act also allows the executive branch to create agreements with foreign countries to provide direct access to personal data stored in the United States. EPIC submitted an amicus brief in United States v. Microsoft arguing that law enforcement access to data abroad should be resolved by international consensus and comply with human rights norms. Many organizations and privacy experts have endorsed the Madrid Privacy Declaration, which would establish international protections for personal data. (Mar. 26, 2018)

  • Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that, days before publication of the article alleging the CFPB halted the Equifax investigation, a Reuters reporter contacted the CFPB to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement saying that it will not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing. (Mar. 26, 2018)

  • The Federal Trade Commission has confirmed an investigation into Facebook for the company's failure to protect the personal data obtained by Cambridge Analytica. Facebook likely violated the FTC's 2011 Consent Order with the company. Last week, EPIC and a coalition of consumer organizations urged the FTC to reopen the investigation. EPIC and other consumer organizations brought the complaint that led to the FTC's 2011 Order. Thomas Pahl, the Acting Director of the FTC's Bureau of Consumer Protection, stated today, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent article for Techonomy, EPIC President Marc Rotenberg emphasized that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided if the Federal Trade Commission had done its job." (Mar. 26, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Commerce seeking information about a proposed citizenship question on the 2020 census. Secretary Wilbur Ross stated today that the Department of Commerce will make a decision as to whether to include the controversial question in the 2020 census by March 31. Secretary Ross also said, “there are probably 15 or 20 different very complicated issues involved in the request.” EPIC specifically requested information about these issues. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 22, 2018)

  • Congresswoman Elise Stefanik (R-NY) has introduced a bill (H.R. 5356) that would create the National Security Commission on Artificial Intelligence (AI). Congresswoman Stefanik said, “It is critical to our national security but also to the development of our broader economy that the United States becomes the global leader in further developing this cutting edge technology.” The Commission would conduct a comprehensive review of AI technologies, assess the risks to national security, identify actionable items, and provide recommendations to the President and Congress. The Commission’s recommendations would also address: data and privacy, international law and ethics, competitiveness, technological advantages, cooperation and competition, investments and research, and workforce and education. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the use of opaque techniques in automated decision-making. (Mar. 22, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including an agreement not to subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the “Next Generation Identification” system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict." (Mar. 22, 2018)

  • At a Senate Intelligence Committee hearing on Election Security this week, Senator Dianne Feinstein said “America is the victim and America has to know what’s wrong. And if there are states that have been attacked, America should know that.” In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that “[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD’s policy regarding victim notification is designed to strongly favor victim notification.” However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several additional FOIA cases concerning Russian interference with the 2016 election, EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Mar. 22, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controls in relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports which cover the period for the data transfers to Cambridge Analytica. (Mar. 20, 2018)

  • In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011. (Mar. 20, 2018)

  • EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency. (Mar. 20, 2018)

  • In 2009, EPIC and a coalition of US consumer privacy organizations petitioned the Federal Trade Commission to establish comprehensive privacy safeguards after Facebook changed user privacy settings and secretly transferred user data to third parties. In 2011, the FTC agreed with the privacy groups and established a far-reaching settlement with the company that prevented such disclosures, prohibited deceptive statements, and required annual reporting. But the FTC failed to enforce its consent order, even after EPIC sued the agency and consumer groups repeatedly urged the Commission to act. This weekend the Washington Post and the New York Times reported that Facebook disclosed the personal data of 50 million users without their consent to Cambridge Analytica, the controversial British data mining firm that sought to influence the 2016 presidential election. (Mar. 19, 2018)

  • A federal appeals court ruled today in a closely watched case concerning robocalls. The rule under review in ACA International v. FCC concerned the FCC's regulations for the Telephone Consumer Protection Act. EPIC filed a friend of the court brief in the case in support of the FCC regulations. EPIC said that companies "seeking to engage in privacy-invading business practices" bear "the burden of proving consent." The court agreed that consumers could withdraw consent by all "reasonable means." However, the court vacated other aspects of the rule, including the definition of automated telephone dialing system and proposed procedures for calls to reassigned numbers. (Mar. 16, 2018)

  • EPIC has provided comments to UNESCO on a proposed framework for Internet Universality Indicators. The UNESCO framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO said that the framework will help guide protections for fundamental rights. EPIC also proposed "Algorithmic Transparency" as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. (Mar. 16, 2018)

  • EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 15, 2018)

  • Today the Federal Election Commission voted unanimously, at a public meeting, to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications." (Mar. 14, 2018)

  • In advance of the hearing on the nomination of Lieutenant General Paul M. Nakasone to be the Director of the National Security Agency, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the nominee whether he agrees with the January 2017 assessment of the Intelligence Community that the Russians interfered with the 2016 Presidential election and whether he believes that the United States has taken sufficient steps to prevent Russian meddling in the mid-term elections. In the latest FOIA gallery, EPIC highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election. One of EPIC's FOIA cases, EPIC v. FBI, revealed that the Bureau failed to warn the DNC and the RNC that they were targeted by a Russian cyber attack. (Mar. 14, 2018)

  • U.K. privacy officials have blocked WhatsApp from transferring personal data to Facebook until the company complies with the GDPR, the new European privacy law. The Information Commissioner's Office found that WhatsApp's proposed data transfer would have violated the U.K. Data Protection Act. "People have a right to have their personal data kept safe," explained Commissioner Elizabeth Denham in a blog post. EPIC has twice urged the FTC to block WhatsApp's transfer of personal data to Facebook, but the FTC has failed to act. The FTC approved Facebook's acquisition of WhatsApp in 2014 after both companies assured the Commission and the public that they would protect users' privacy, but in 2016 WhatsApp announced that it would begin transferring the names and phone numbers of its users to Facebook. France blocked the data transfer and the EU fined Facebook $122 million for misleading European authorities about the data transfer. (Mar. 14, 2018)

  • EPIC has filed an amicus brief with the Eleventh Circuit Court of Appeals in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements. Citing a recent Supreme Court opinion, EPIC explained, "after Riley, searches of students' cell phones require heightened privacy protections." Noting that "most teenagers today could not survive without a cellphone," EPIC wrote that searches of cell phones should be "limited to those circumstances when it is strictly necessary." EPIC previously participated as amicus curiae in Riley v. California, arguing that the search of a cellphone requires a warrant, and Commonwealth v. White, a case before the Massachusetts Supreme Judicial Court, arguing that a warrant is required before a school may turn over a student's cell phone to the police. Both cases produced favorable outcomes. (Mar. 13, 2018)

  • In advance of the Senate hearing on the Freedom of Information Act (FOIA), EPIC submitted a statement highlighting recent FOIA cases. EPIC told the committee about documents EPIC has obtained through FOIA requests and litigation, including documents obtained last week that show federal voting rights officials sought to "clean up" state voter rolls. EPIC also discussed its case against the IRS seeking the release of President Trump's tax returns. Since 2001, EPIC has produced an annual FOIA gallery in honor of Sunshine Week to feature EPIC's FOIA work over the past year. (Mar. 12, 2018)

  • In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2018 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2017, EPIC obtained the "victim notification procedures" that the FBI did not follow during the 2016 Presidential election, revealed that the FBI also failed to follow internal guidance for using intelligence data for criminal investigations, and uncovered problems with the border security biometric matching program. In the latest FOIA gallery, EPIC also highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election and records, obtained by EPIC, revealing federal voting rights officials discussing ways to "clean" state voter rolls. (Mar. 12, 2018)

  • Officials from four different federal agencies discussed joint plans to "clean" state voter rolls last year, according to documents obtained by EPIC through a Freedom of Information Act request. The records show that the Election Assistance Commission, the Presidential Election Commission, the Department of Justice, and the Department of Homeland Security explored ways to cooperate on "cleaning" and "maintenance" of state voter registration databases. The documents also reveal that the Presidential Election Commission and the DOJ discussed "election integrity" issues just two weeks before both agencies issued sweeping requests for state election records on the same day. After EPIC brought suit against the Commission last year to halt its unlawful gathering of personal voter data, the Commission temporarily suspended its data collection, discontinued the use of an unsafe computer server, deleted voter information that was illegally obtained, and ultimately disbanded. (Mar. 12, 2018)

  • A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Mar. 9, 2018)

  • The International Working Group on Data Protection has adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The "Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory" highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration - to provide limited contact information to resolve technical concerns. Registration data is also subject to the GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Mar. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain the public release of information about the use of drones for domestic surveillance. EPIC cited a Presidential Memorandum that required all federal agencies to prepare public reports on drone deployment. EPIC's lawsuit charges that the DHS has failed to make these reports public. In a previous lawsuit against the DHS, EPIC obtained records which revealed that DHS drones had the capability to intercept electronic communications and identify humans at a distance. EPIC has also brought a lawsuit against the FAA to establish drone privacy regulations in the United States. (Mar. 9, 2018)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Professor Woodrow Hartzog, Dr. Rush D. Holt, Len Kennedy, and Roger McNamee. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC’s work on privacy and civil liberties. The publications of the EPIC Advisory Board members are available at the EPIC Bookstore. Dr. Whitfield Diffie, Professor Harry Lewis, and Professor Jennifer Daskal recently joined the EPIC Board of Directors. The 2018 EPIC Champion of Freedom Awards will be presented on June 6, 2018 at the National Press Club. Press Release. (Mar. 6, 2018)

  • EPIC sent a statement to the House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Mar. 6, 2018)

  • Today the Senate Armed Services Committee held a hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but some Senators were concerned that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI), who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election. (Mar. 6, 2018)

  • Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) have introduced a bill that would place restrictions on searches and seizures of electronic devices at the border. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act. The bill also establishes reporting requirements to determine the scope and frequency of device searches. Senator Leahy stated that "no American should have to relinquish all of their privacy rights to their cell phones, laptops and other electronic devices, simply because they are coming home from a trip abroad." The bill would also require a warrant to use software to analyze seized electronic devices. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact citizens' rights. (Mar. 5, 2018)

  • The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security. (Mar. 5, 2018)

  • Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitration clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an additional 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency. (Mar. 1, 2018)

  • EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request today seeking details related to ICE's "Extreme Vetting" Initiative, including the collection and use of social media information. The federal agency is making deportations and visa decisions based on vague and ambiguous criteria. The FOIA request seeks to make public the specific procedures and policies for Extreme Vetting. Last year, EPIC and a coalition of civil rights organizations sent a joint statement to the Acting Secretary of Homeland Security to oppose the Extreme Vetting Initiative. EPIC previously opposed a proposal to collect social media information for use in visa determinations. (Mar. 1, 2018)

  • Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation. (Mar. 1, 2018)

  • This week, the Supreme Court heard arguments in United States v. Microsoft Corp., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Feb. 28, 2018)

  • A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of Independents saying they are "more concerned" that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Feb. 28, 2018)

  • In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors. (Feb. 27, 2018)

  • The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act. (Feb. 27, 2018)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition. (Feb. 26, 2018)

  • The Ninth Circuit Court of Appeals has ruled in FTC v. AT&T that the Federal Trade Commission can regulate telephone and internet companies, reversing an earlier decision by a three-judge panel that stripped the FTC of its authority over "common carriers." The full Ninth Circuit held that the common carrier exemption to the FTC Act is activity-based, not status-based. This means that the FTC can regulate AT&T's data-throttling practices. The Ninth Circuit reached the result that EPIC and a coalition of consumer advocates had urged in a friend-of-the-court brief. EPIC also vigorously defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards" in an amicus brief in FTC v. Wyndham. (Feb. 26, 2018)

  • EPIC has filed the opening brief in its case to obtain President Trump's tax returns. EPIC told the D.C. Circuit Court of Appeals that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." A Quinnipiac poll released today confirms that the public overwhelmingly supports (67%) the release of the President's returns. As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). Press Release. (Feb. 22, 2018)

  • The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners. In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens." (Feb. 21, 2018)

  • The Supreme Court will hear arguments this week in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order, but a lower court denied suppression in the case even though the order was unlawfully broad. In an amicus brief, EPIC wrote that "it is not for the courts to create textual exceptions" to federal privacy laws. EPIC explained that Congress enacted strict and unambiguous privacy provisions in the Wiretap Act. "If the government wishes a different outcome," EPIC wrote, "then it should go to Congress to revise the statute." EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records). (Feb. 20, 2018)

  • The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation. (Feb. 20, 2018)

  • Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history. (Feb. 16, 2018)

  • Special Counsel Robert Mueller has indicted thirteen Russian nationals and three Russian entities for interfering in the 2016 U.S. presidential election. "Beginning as early as 2014" the defendants began operations "to interfere with the U.S. political system" and "sow discord," the indictment explains. They also posed as U.S. persons online, reaching "significant numbers of Americans" on social media. EPIC first sought details of the Russians' "multifaceted" influence campaign in January 2017, pursuing release of the complete Intelligence Community assessment on Russian meddling. EPIC President Marc Rotenberg recently highlighted the role of the Russian Internet Research Agency, named in the Mueller indictment, explaining, "Facebook sold advertising to Russian troll farms working to undermine the American political process." EPIC launched a new project on Democracy and Cybersecurity in early 2017 to help preserve democratic institutions. (Feb. 16, 2018)

  • The Congressional Task Force on Election Security today released its final report detailing vulnerabilities in U.S. election systems. The report includes many recommendations, including purchasing voting systems with paper ballots, post-election audits, and funding for IT support. The report also proposes a national strategy to counter efforts to undermine democratic institutions. Election experts have said that Congress has not done enough to safeguard the mid-term elections. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Feb. 14, 2018)

  • In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)

  • The Senate Intelligence Committee held a hearing today with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media. (Feb. 13, 2018)

  • EPIC President Marc Rotenberg will testify before the House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to drop the investigation into the Equifax data breach. EPIC has repeatedly urged Congress to address the data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC testified before the Senate in the wake of the Equifax breach, emphasizing the growing risks to American consumers. (Feb. 12, 2018)

  • The IRS acknowledged that it will fulfill EPIC's FOIA request seeking certain tax records of President Trump and the President's businesses. It marks the first time, to EPIC's knowledge, that the IRS has agreed to process a third-party FOIA request for the President's tax information. EPIC is seeking tax records relating to settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 12, 2018)

  • EPIC filed a Freedom of Information Act request to the Department of Homeland Security seeking records about DHS's investigation of state voter fraud. Since the termination of the Presidential Advisory Commission on Election Integrity, President Trump suggested that the DHS investigate voter fraud, which falls outside the agency's jurisdiction. The agency has stated that its top priority is securing election systems from cyberattacks. This week, the DHS admitted that Russian hackers successfully penetrated election systems in the 2016 Presidential Election. EPIC had earlier submitted a statement to Congress seeking assurances that DHS will not continue the work of the disbanded Commission. (Feb. 9, 2018)

  • EPIC and other leading open government organizations urged Congress to promote transparency and accountability of the Intelligence agencies. The groups called for the release of annual public reports, all significant opinions by the Foreign Intelligence Surveillance Court, and an accounting of the number of Americans subject to foreign intelligence surveillance. EPIC previously called on lawmakers to require federal agencies to obtain a warrant before searching information about Americans in foreign intelligence databases. Through a Freedom of Information Act lawsuit, EPIC obtained a report detailing the FBI's failure to follow procedures regarding the use of foreign intelligence data for a domestic criminal investigation. EPIC has also testified in Congress on reforms to the Foreign Intelligence Surveillance Act. (Feb. 9, 2018)

  • A group of 31 Senators wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation. (Feb. 8, 2018)

  • EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation. (Feb. 7, 2018)

  • According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers. (Feb. 6, 2018)

  • EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies. (Feb. 5, 2018)

  • EPIC has filed a new Freedom of Information Act request with the IRS, seeking tax-related records for President Trump's businesses. The new EPIC request follows EPIC's pending lawsuit for the release of Trump's personal tax returns. The request seeks the release of tax records concerning settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously called on the IRS to release the President's tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's lawyers. EPIC v. IRS, which is now before the D.C. Circuit Court of Appeals, is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC is also litigating EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 5, 2018)

  • EPIC has filed an amicus brief with a federal appeals court urging the court to reject a proposed class action settlement over Facebook's practice of scanning private messages. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. Also, there was no compensation to Internet users for the prior violation of federal and state laws. EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to Internet users. EPIC recently opposed a settlement with Google that allows the company to continue tracking web users. EPIC also opposed a settlement with Facebook in 2014 that allowed the company to continue an unlawful practice. (Feb. 2, 2018)

  • Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) wrote Federal Trade Commission Acting Chair Maureen Ohlhausen to urge the FTC to investigate companies that use fraudulent automated accounts to influence social media. The techniques, known as "amplification bots," follow, retweet, and like social media content to boost a client's visibility. The Senators' letter follows a recent New York Times report on Devumi, a company engaged in such practices. Devumi's bots often steal identities, using the photos and personal information of real people, some of whom are minors. The Senators called these practices a "unique kind of social identity theft" that "have the effect of distorting the online marketplace and creating a false sense of celebrity, credibility, or importance in people, companies, or institutions that may not deserve it." The practice also violates state privacy laws concerning "the right of publicity," which EPIC has defended. (Feb. 1, 2018)

  • In response to a white paper on data protection from the Indian government, EPIC provided detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In comments on the proposal, EPIC backed India's efforts to adopt data protection legislation, and recommended also a private right of action and breach notification. Last year, the Supreme Court of India ruled that privacy is a fundamental right. EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world. (Jan. 31, 2018)

  • Professor Jennifer Daskal, Dr. Whitfield Diffie and former Dean Harry Lewis have joined the EPIC Board of Directors. Daskal is an Associate Professor at the Washington College of Law and a leading expert in criminal law, national security law, and constitutional law. Diffie is an American cryptographer, one of the pioneers of public-key cryptography, and a recipient of the Turing Award, the most prestigious award in the field of computer science. Lewis is a professor of computer science at Harvard University, former dean of Harvard College, and the author of several books on technology and education. The members of the EPIC Board of Directors are chosen from the EPIC Advisory Board, distinguished experts in law, technology, and public policy. (Jan. 31, 2018)

  • EPIC, the Center for Commercial Free Childhood, and others have urged Mark Zuckerberg to shutter Facebook's "Messenger Kids" app. The groups cited rising concern about social media among adolescents and wrote it is irresponsible to encourage preschoolers to use Facebook products. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have questioned Facebook about the Messenger Kids app. EPIC recently backed a campaign that led Mattel to cancel a device that spies on young children. EPIC also led efforts to require Facebook to respect the privacy rights of WhatsApp users. (Jan. 30, 2018)

  • In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still be possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions. (Jan. 30, 2018)

  • The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrems's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities do not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NOYB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award. (Jan. 30, 2018)

  • Rep. Ros-Lehtinen (R-FL) and Rep. Schneider (D-IL) introduced the Defending Elections from Threats by Establishing Redlines Act of 2018 to deter foreign interference in U.S. elections. The bipartisan legislation stipulates that if the Director of National Intelligence determines that the Russian government knowingly interfered in a U.S. election, the President is required to impose sanctions on Russia's aerospace, banking, defense, energy, intelligence and mining industries. The bill is a direct response to Russian interference in the 2016 Presidential election. EPIC is currently pursuing several related FOIA cases, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Jan. 29, 2018)

  • 2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S. (Jan. 25, 2018)

  • EPIC presented the 2018 International Privacy Champion Award to Gus Hosein, director of Privacy International, and Professor Artemi Rallo, the former chair of the Spanish Data Protection Agency. The award to Hosein recognized his work, "defending privacy in the UK and around the world." The award to Rallo described him as a "constitutional scholar, data protection advocate, friend of civil society." Announcement. Photo. The 2018 EPIC Champion of Freedom Awards will be held at the National Press Club in Washington, DC on June 6, 2018. (Jan. 25, 2018)

  • The U.S. Court of Appeals for the D.C. Circuit will hear arguments this week in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for commercial drones. EPIC's case is based on an Act of Congress requiring a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. As EPIC argued in a brief to the Court, "It is not possible to address the hazards associated with drone operations without addressing privacy in the final rule for small commercial drones." Arguments will be held Thursday morning at the American University Washington College of Law. EPIC Senior Counsel Alan Butler will argue the case. EPIC's case is EPIC v. FAA, No. 16-1297 (D.C. Cir.). (Jan. 24, 2018)

  • EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Jan. 24, 2018)

  • In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data. (Jan. 24, 2018)

  • In advance of a hearing on the nomination of Adam Klein to the Privacy and Civil Liberties Oversight Board, EPIC urged the Senate to oppose the nomination. EPIC explained that "PCLOB plays a vital role safeguarding the privacy rights of Americans and ensuring oversight and accountability of the Intelligence community." EPIC also said that the nominee "does not appreciate the full extent of the privacy interests at stake in many of the most significant debates about the scope of government surveillance authority." EPIC has a particular interest in the work of the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. (Jan. 24, 2018)

  • In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case. (Jan. 18, 2018)

  • In advance of a hearing on the Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars." (Jan. 18, 2018)

  • EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Jan. 18, 2018)

  • In response to a request for comments from the Maryland legislature, EPIC submitted a statement in support of a bill to prohibit law enforcement from obtaining data recorded by a smart meter without a warrant. Smart meters collect personal data about the use of utility services that can reveal when a person is at home and what they are doing. EPIC stated that "the routine collection of this data, without adequate privacy safeguards, would enable ongoing surveillance of Maryland residents without regard to any criminal suspicion." EPIC said that HR 56 is a "model privacy law that enables innovation while safeguarding personal privacy." EPIC has testified in Congress and submitted comments to NIST and the state of California on smart grid privacy. EPIC has also submitted amicus briefs on Fourth Amendment cases before the Supreme Court, including Carpenter v. United States and Byrd v. United States. (Jan. 16, 2018)

  • At a Senate hearing today, DHS Secretary Kirstjen Nielsen stated that DHS would not undertake a new investigation of voter fraud. EPIC submitted a statement in advance of the hearing, asking Senators to seek assurances that DHS would not pursue the work of the recently disbanded Presidential Advisory Commission on Election Integrity, as former Vice Chair Kris Kobach had suggested. In response to a question from Senator Kamala Harris, Nielsen answered that Kobach does not have any role at DHS. Although Nielsen stated that DHS would not pursue any new work, she indicated that the agency would continue to work with states pursuing voter fraud investigations. EPIC recently filed a FOIA lawsuit against DHS seeking communications with the Commission regarding the transfer of personal voter data. The Commission, facing a lawsuit by EPIC, was terminated earlier this month. EPIC's lawsuit led the Commission last year to suspend the collection of voter data. (Jan. 16, 2018)

  • EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing, to seek assurances that "the DHS will not continue the activities of the Presidential Advisory Commission on Election Integrity." After the Commission was disbanded in the wake of EPIC’s lawsuit, the former Vice Chair told reporters that he intended to continue the work of the Commission at the DHS. But EPIC told the Senate committee that the Commission has no authority to transfer the voter data and warned that the DHS would be subject to federal lawsuits if it assembled a database of voter information. EPIC also urged the Senate to confirm that the personal data provided by DACA applicants will not be misused by DHS, and that DHS biometric programs will not be expanded until transparency obligations are fulfilled and privacy safeguards are established. The EPIC letter follows a statement last week from civil rights and government oversight organizations to the DHS Secretary, seeking assurance that there will be no transfer or collection of state voter data. (Jan. 15, 2018)

  • EPIC has asked the D.C. Circuit Court of Appeals to void last month's ruling in which the Court refused to order the Presidential Election Commission to conduct a Privacy Impact Assessment. The Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded last week by President Trump. The Commission's sudden demise unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC's lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. EPIC's case against the Commission is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). EPIC filed a separate lawsuit on Monday for communications between the Department of Homeland Security and the Commission regarding the transfer of personal voter data. (Jan. 11, 2018)

  • Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC testified before Congress last year following the Equifax breach, urging legislation to give consumers more control over their credit reports. Senators Warren and Brian Schatz (D-HI) also introduced a bill last year that would allow consumers to freeze and unfreeze their credit reports for free. (Jan. 10, 2018)

  • As the result of a Freedom of Information Act lawsuit EPIC v. NSD, EPIC has obtained a report from the Department of Justice National Security Division detailing the FBI's use of foreign intelligence data for a domestic criminal investigation. Section 702 of the Foreign Intelligence Surveillance Act authorizes the surveillance of foreigners located abroad. However, the FBI can also use this data to investigate Americans. The report obtained by EPIC also shows that the FBI analyst failed to follow internal guidance to notify superiors of the search, raising questions about whether the FBI is accurately reporting these searches. The USA Rights Act, now pending in Congress, would require a federal agency to obtain a warrant to search foreign surveillance data for information on Americans. (Jan. 9, 2018)

  • The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation. (Jan. 9, 2018)

  • In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system. (Jan. 9, 2018)

  • EPIC has filed a lawsuit against the Department of Homeland Security for communications between the agency and the Presidential Commission on Elections regarding the transfer of personal voter data. EPIC filed a Freedom of Information Act request with the DHS after the Commission tried to collect records from federal agencies to match against state voter records, but the agency failed to respond to EPIC's request. Last year, EPIC filed a lawsuit against the Commission that led to the suspension of the collection of voter data. EPIC v. Commission is still pending in federal court. EPIC filed the recent suit after President Trump said he asked DHS "to determine the next course of action" after he dissolved the Commission. (Jan. 9, 2018)

  • The Supreme Court will hear arguments in Byrd v. United States, concerning the warrantless search of a rental vehicle. EPIC filed an amicus brief in the case urging the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. EPIC's Natasha Babazadeh prepared an explainer video of the case. (Jan. 8, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained former Secretary of Homeland Security John Kelly's notes for an interview with NPR about border security. The notes include talking points about southwest border security and the construction of the southwest border wall. During the interview, Mr. Kelly also described DHS's plans to increase vetting of immigrants and coordination with the White House, despite the fact these issues were not included in the talking points. EPIC previously warned the House Oversight Committee that enhanced surveillance at the border will impact the rights of U.S. citizens. As a result of an earlier FOIA lawsuit, EPIC found that Customs and Border Protection is already deploying drones with facial recognition technology near the border. (Jan. 8, 2018)

  • EPIC and ten civil rights and government oversight organizations have sent a letter to DHS Secretary Nielsen, urging her not to accept any personal data from the now defunct Presidential Advisory Commission on Election Integrity. The groups explained that the Commission lacks legal authority to transfer personal data to the Commission. The groups also warned that the DHS would be subject to numerous federal laws if it were to acquire state voter data. EPIC and the organizations brought several lawsuits against the Commission. EPIC's lawsuit led the Commission to suspend the collection of voter data in July 2017. President Trump disbanded the Commission on January 3, 2018. However, former Vice Chair Kris Kobach told reporters that he intends to resume the work of the Commission at the Department of Homeland Security. (Jan. 8, 2018)

  • The Center for Class Action Fairness has asked the U.S. Supreme Court to decide whether a settlement that awards funds to certain organizations and fails to compensate injured class members is fair. The settlement involved Google's tracking of Internet users in violation of users' privacy settings but resulted in no change in business practices or payment to class members. Some of the organizations that received class settlement funds are separately funded by Google. EPIC recently filed an amicus brief opposing a similar settlement in a related class action against Google. EPIC has also opposed settlements against Facebook and Google that failed to compensate class members or change business practices. EPIC President Marc Rotenberg has proposed an objective basis to evaluate settlement proposals. The Supreme Court has yet to address cy pres fairness, but Chief Justice John Roberts, in Marek v. Lane concerning Facebook's Beacon program, echoed the concerns of EPIC when he wrote that the "vast majority of Beacon's victims" got nothing. (Jan. 8, 2018)

  • The Federal Trade Commission announced a settlement with VTech Electronics over charges that the company collected personal information from children without parental consent and failed to provide data security. In 2015, Senators Edward Markey (D-MA) and Joe Barton (R-TX) inquired about VTech's privacy practices after the toy company was hacked, exposing the personal information of millions of children. EPIC and a coalition of consumer organizations recently renewed their call to the FTC to take action on toys that spy, one year after the groups filed a complaint with the FTC regarding dangerous internet-connected toys. The Children's Online Privacy Act (COPPA) sets forth strict requirements for the collection of information from children. In a recent interview with NBC Nightly News, EPIC's Sam Lester highlighted the dangers these toys pose from hackers. EPIC has supported numerous efforts to oppose toys that spy, including a successful effort in 2017 to recall Mattel's Aristotle. (Jan. 8, 2018)

  • The Presidential Election Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded Wednesday by President Trump. The Commission had faced an ongoing lawsuit by EPIC over its failure to conduct and publish a Privacy Impact Assessment before collecting personal data, as required by law. EPIC’s lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission’s efforts to collect state voter data. In a statement, the President said that he had asked the Department of Homeland Security “to determine next courses of action.” EPIC has a pending Freedom of Information Act request to the DHS for records concerning the federal government’s collection of personal data on voters. EPIC’s case against the Commission, which remains open, is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Jan. 3, 2018)

  • The Federal Trade Commission has given final approval to a settlement with Lenovo over its practice of pre-installing adware onto consumers' laptops. The complaint alleged that the adware transmitted consumers' personal information to third parties and made consumers' laptops vulnerable to cyberattacks. The settlement prohibits Lenovo from misrepresenting any pre-installed software, but imposes no fines and allows Lenovo to continue pre-installing adware onto consumers' laptops. EPIC has routinely urged the FTC to strengthen its privacy settlements, and recently emphasized the need for the FTC to step up its data protection in comments on the FTC's five-year strategic plan. (Jan. 3, 2018)
